
aws-cloudformation-security

This CloudFormation skill provides production-ready templates for implementing AWS security infrastructure, including KMS encryption keys, Secrets Manager configurations, IAM least privilege policies, VPC security controls, ACM certificates, and secure cross-stack references. Use it when building security-hardened AWS environments that require encryption at rest and in transit, secrets management with automatic rotation, defense-in-depth network isolation, and compliance-ready infrastructure patterns.

Install in Claude Code
git clone --depth 1 https://github.com/giuseppe-trisciuoglio/developer-kit /tmp/aws-cloudformation-security && cp -r /tmp/aws-cloudformation-security/plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-security ~/.claude/skills/aws-cloudformation-security
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# AWS CloudFormation Security Infrastructure

## Overview

Create production-ready security infrastructure using AWS CloudFormation templates. This skill covers KMS encryption, Secrets Manager, IAM security with least privilege, VPC security configurations, ACM certificates, parameter security, secure outputs, cross-stack references, CloudWatch Logs encryption, defense in depth strategies, and security best practices.

## When to Use

- Implementing KMS encryption at rest and in transit
- Managing secrets with Secrets Manager and automatic rotation
- Applying IAM least privilege policies and permission boundaries
- Securing VPC with security groups, NACLs, and VPC endpoints
- Managing TLS/SSL certificates with ACM
- Encrypting CloudWatch Logs and S3 buckets
- Creating secure cross-stack references and outputs

## Instructions

Follow these steps to create security infrastructure with CloudFormation:

### 1. Define KMS Encryption Keys

Create customer-managed keys for encryption:

```yaml
Resources:
  EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed key for data encryption
      EnableKeyRotation: true   # automatic annual rotation of the key material
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Service grant scoped to this account, so the Lambda service cannot
          # use the key on behalf of functions in other accounts.
          - Sid: AllowLambdaUse
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:CallerAccount: !Ref AWS::AccountId
          # Key administration stays with the account root; IAM policies then
          # decide who in the account may use or manage the key.
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"

  KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      # Alias names must start with the "alias/" prefix.
      AliasName: !Sub "alias/${AWS::StackName}/encryption-key"
      TargetKeyId: !Ref EncryptionKey
```

**Validate:** `aws kms get-key-policy --key-id <key-id> --output text`

### 2. Manage Secrets with Secrets Manager

Store and retrieve sensitive data securely:

```yaml
Resources:
  DatabaseSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/database"
      Description: Database credentials
      # The password is supplied as a template parameter; declare that parameter
      # with NoEcho: true so it is masked in the console and in describe-stacks.
      # GenerateSecretString is the alternative when the value can be random.
      SecretString: !Sub |
        {
          "username": "admin",
          "password": "${DatabasePassword}",
          "engine": "mysql",
          "host": "${DatabaseEndpoint}",
          "port": 3306
        }
      KmsKeyId: !Ref EncryptionKey

  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref DatabaseSecret
      # !Ref on a Lambda function returns its name; the ARN needs !GetAtt.
      RotationLambdaARN: !GetAtt RotationLambda.Arn
      RotationRules:
        AutomaticallyAfterDays: 30
```

**Validate:** `aws secretsmanager describe-secret --secret-id <secret-name>`

### 3. Apply IAM Least Privilege

Create roles and policies with minimal required permissions:

```yaml
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: SpecificPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DataBucket.Arn}/*"
```

**Validate:** `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject --resource-arns <bucket-arn>`

### 4. Secure VPC Configuration

Implement network security with security groups and NACLs:

```yaml
Resources:
  ApplicationSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Only the load balancer may reach the application, and only on 443.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
      SecurityGroupEgress:
        # Unrestricted egress; narrow it to the endpoints the application
        # actually needs (for example VPC endpoints) once they are known.
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

  ApplicationNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC

  # NACLs are stateless: an inbound rule alone drops the return traffic, so
  # the inbound 443 rule needs a matching outbound rule for ephemeral ports.
  NACLEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref ApplicationNACL
      RuleNumber: 100
      Protocol: 6          # TCP (Protocol is an integer)
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 443
        To: 443

  NACLEgressEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref ApplicationNACL
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 1024
        To: 65535
```

**Validate:** `aws ec2 describe-security-groups --group-ids <sg-id> --query 'SecurityGroups[0].IpPermissions'`

### 5. Request ACM Certificates

Manage TLS/SSL certificates for secure communication:

```yaml
Resources:
  Certificate:
    Type: AWS::ACM::Certificate
    Properties:
      DomainName: !Ref DomainName
      SubjectAlternativeNames:
        - !Sub "www.${DomainName}"
        - !Sub "api.${DomainName}"
      # With DNS validation and a HostedZoneId, CloudFormation writes the
      # validation CNAME records into Route 53 itself and waits for issuance.
      # A hand-built RecordSet cannot do this: the record name and value are
      # only known after the certificate request exists.
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZone
        - DomainName: !Sub "www.${DomainName}"
          HostedZoneId: !Ref HostedZone
        - DomainName: !Sub "api.${DomainName}"
          HostedZoneId: !Ref HostedZone
      Tags:
        - Key: Environment
          Value: !Ref Environment
```

**Validate:** `aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.Status'`

### 6. Implement Secure Parameters

Use SecureString for sensitive parameter values:

```yaml
# CloudFormation cannot create SecureString parameters (AWS::SSM::Parameter
# only supports String and StringList), so create the parameter out of band,
# encrypted with the stack's key, for example:
#   aws ssm put-parameter --name /myapp/database/password --type SecureString \
#     --key-id <key-id> --value <password>
# and consume it through an ssm-secure dynamic reference. The value is resolved
# at deploy time and never appears in the template, stack parameters or outputs.
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true
      KmsKeyId: !Ref EncryptionKey
      MasterUsername: admin
      # Pin the parameter version so an out-of-band change is not picked up
      # silently on the next stack update.
      MasterUserPassword: "{{resolve:ssm-secure:/myapp/database/password:1}}"
```

**Validate:** `aws ssm get-parameter --name <param-name> --with-decryption --query
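Each of the six steps sets a property a deployment depends on (key rotation, security groups that are not open to the world, least-privilege statements, a rotation schedule on every secret), and a template can be checked for them offline before `aws cloudformation deploy`. The following is an added example, not part of this skill or of any AWS tool: the resource types and property names are CloudFormation's, the rule set, messages and the deliberately weak sample template (in CloudFormation's JSON form) are constructed here.

```python
"""Offline security lint for a CloudFormation template in JSON form (added example,
not part of the skill; the rules and messages are this example's own)."""
import json


def _as_list(value):
    """IAM allows either a string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def lint_template(template: dict) -> list[str]:
    """Return one finding per weakness the six steps above are meant to avoid."""
    resources = template.get("Resources", {})
    rotated = set()  # logical IDs (or ARNs) of secrets a RotationSchedule targets
    for res in resources.values():
        if res.get("Type") == "AWS::SecretsManager::RotationSchedule":
            target = res.get("Properties", {}).get("SecretId")
            rotated.add(target.get("Ref") if isinstance(target, dict) else target)
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::KMS::Key" and props.get("EnableKeyRotation") is not True:
            findings.append(f"{name}: KMS key without EnableKeyRotation")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(f"{name}: ingress from anywhere on port {rule.get('FromPort')}")
        if rtype in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
            docs += [props["PolicyDocument"]] if "PolicyDocument" in props else []
            for stmt in (s for doc in docs for s in _as_list(doc.get("Statement", []))):
                if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append(f"{name}: Allow Action * on Resource * (not least privilege)")
        if rtype == "AWS::SecretsManager::Secret" and name not in rotated:
            findings.append(f"{name}: secret has no RotationSchedule")
    return findings


# Constructed sample template (CloudFormation JSON form), deliberately weak.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
 "Key": {"Type": "AWS::KMS::Key", "Properties": {"Description": "no rotation"}},
 "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "db",
   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}]}},
 "Role": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "Wide",
   "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
 "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {}}},
 "AppSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {}}},
 "Rotation": {"Type": "AWS::SecretsManager::RotationSchedule", "Properties": {"SecretId": {"Ref": "AppSecret"}}}
}}""")
```

Running `lint_template(SAMPLE_TEMPLATE)` reports the key, the database security group, the role and `DbSecret`; `AppSecret` passes because `Rotation` targets it. Use `yaml.safe_load` with constructors for the `!Ref`/`!Sub` tags, or `aws cloudformation get-template`, to feed real templates in.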