Skip to main content
ClaudeWave
Skill72 repo starsupdated 11d ago

Cloud Security & Container Hardening

AWS/Azure/GCP security auditing, container and Kubernetes hardening, Infrastructure as Code scanning, and cloud compliance assessment

View sourceRepository: Claude-Code-CyberSecurity-Skill
Install in Claude Code
Copy
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/cloud-security-container-hardening && cp -r /tmp/cloud-security-container-hardening/skills/10-cloud-security ~/.claude/skills/cloud-security-container-hardening
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Cloud Security & Container Hardening

## Purpose

Enable Claude to assist with cloud security assessments across AWS, Azure, and GCP, container and Kubernetes security hardening, Infrastructure as Code (Terraform, CloudFormation, Kubernetes manifests) scanning, and cloud compliance reporting against CIS Benchmarks and major frameworks.

---

## Activation Triggers

This skill activates when the user asks about:
- Auditing AWS IAM, S3, security groups, or cloud services
- Reviewing Azure RBAC, storage, NSGs, or Key Vault configuration
- Assessing GCP IAM, Cloud Storage, or GKE security
- Scanning Terraform files, CloudFormation templates, or Kubernetes manifests
- Hardening Docker containers or reviewing Dockerfiles
- Kubernetes RBAC, pod security, or network policies
- Cloud compliance (CIS, SOC2, PCI-DSS, HIPAA)
- Container image vulnerability scanning
- Cloud architecture security review
- IaC security scanning (tfsec, Checkov, Terrascan)

---

## Prerequisites

```bash
pip install pyyaml boto3 requests
```

**Recommended cloud security tools:**
- `AWS CLI` — AWS auditing and management
- `ScoutSuite` — Multi-cloud security audit
- `Prowler` — AWS/Azure/GCP security assessment
- `Checkov` — IaC static analysis
- `tfsec` — Terraform security scanner
- `Trivy` — Container and IaC vulnerability scanner
- `kube-bench` — CIS Kubernetes Benchmark
- `Falco` — Container runtime security

---

## Core Capabilities

### 1. AWS Security Auditing

**When the user asks to audit AWS security:**

**Quick AWS security checks using CLI:**
```bash
# IAM: Find users without MFA
aws iam get-account-summary
aws iam list-users | jq '.Users[].UserName' | xargs -I{} aws iam list-mfa-devices --user-name {}

# Find overly permissive policies
aws iam list-policies --scope Local --only-attached | jq '.Policies[].PolicyName'

# S3: Find public buckets
aws s3api list-buckets --query 'Buckets[].Name' | xargs -I{} aws s3api get-bucket-acl --bucket {}
aws s3api list-buckets --query 'Buckets[].Name' | xargs -I{} aws s3api get-bucket-policy-status --bucket {}

# Security groups: Find wide-open rules
aws ec2 describe-security-groups --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Rules:IpPermissions}'

# CloudTrail: Verify logging
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name [trail-name]

# Root account check
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
```

**AWS IAM Security Checklist:**
```
Identity & Access Management:
[ ] Root account has MFA enabled
[ ] Root account has no access keys
[ ] All IAM users have MFA enabled
[ ] No IAM users with AdministratorAccess unless necessary
[ ] All IAM users have individual credentials (no shared)
[ ] Password policy: min 14 chars, complexity, rotation ≤90 days
[ ] Access keys rotated every 90 days
[ ] Unused credentials disabled (>90 days no use)
[ ] No inline policies; use managed policies

S3 Security:
[ ] Block Public Access enabled at account level
[ ] No buckets with public READ ACL
[ ] Server-side encryption enabled (SSE-S3 or SSE-KMS)
[ ] Versioning enabled for critical buckets
[ ] MFA Delete enabled for critical buckets
[ ] Access logging enabled
[ ] Bucket policies use HTTPS-only conditions

Networking:
[ ] No security groups with 0.0.0.0/0 → port 22 (SSH)
[ ] No security groups with 0.0.0.0/0 → port 3389 (RDP)
[ ] VPC Flow Logs enabled
[ ] No default VPC in use for production workloads
[ ] Private subnets for database and application tiers

Monitoring & Detection:
[ ] CloudTrail enabled in all regions
[ ] CloudTrail log file integrity validation enabled
[ ] GuardDuty enabled
[ ] Security Hub enabled and findings reviewed
[ ] Config rules configured for compliance
[ ] CloudWatch alarms for: root login, failed auth, security group changes
```

**Critical AWS Finding Templates:**
```markdown
**CRITICAL: S3 Bucket Publicly Readable**
Bucket: example-data-prod
Finding: GetBucketAcl returns AllUsers:READ
Risk: All objects publicly readable — potential data breach
Fix: aws s3api put-bucket-acl --bucket example-data-prod --acl private
     Enable: aws s3api put-public-access-block --bucket example-data-prod \
       --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

**HIGH: Security Group Allows SSH from Internet**
Group: sg-0abc123 (web-servers)
Rule: Inbound TCP 22 from 0.0.0.0/0
Risk: SSH brute-force, CVE exploitation
Fix: Change source from 0.0.0.0/0 to your VPN/bastion host IP
```

### 2. Azure Security Auditing

**When the user asks to audit Azure:**

```bash
# Login and set subscription
az login
az account set --subscription [subscription-id]

# Check RBAC assignments
az role assignment list --all --include-inherited \
  --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].{Name:principalName,Role:roleDefinitionName}"

# Storage account public access
az storage account list --query "[?allowBlobPublicAccess==true].name"

# NSG rules allowing any source
az network nsg list --query "[*].{NSG:name}" | jq '.[].NSG' | xargs -I{} \
  az network nsg rule list --nsg-name {} --resource-group [rg] \
  --query "[?sourceAddressPrefix=='*'].{Rule:name,Port:destinationPortRange}"

# Key Vault access policies
az keyvault list --query "[*].name" | xargs -I{} az keyvault show --name {} \
  --query 'properties.accessPolicies'
```

**Azure Security Checklist:**
```
Identity:
[ ] Global Administrator role has MFA
[ ] No more than 3-5 Global Administrators
[ ] Privileged Identity Management (PIM) for elevated roles
[ ] Guest accounts reviewed quarterly
[ ] Legacy authentication blocked (Conditional Access)

Storage:
[ ] No public blob containers (allowBlobPublicAccess = false)
[ ] Secure transfer required (HTTPS only)
[ ] Storage accounts use private endpoints
[ ] Storage logs enabled (read/write/delete)
[ ] Customer-managed keys for sensitive data

Networking:
[ ] NSGs restrict
More from this repository
Reconnaissance & OSINT AutomationSkill

Passive and active reconnaissance, subdomain enumeration, DNS analysis, technology fingerprinting, and OSINT data correlation for authorized security assessments

Vulnerability Scanning & AssessmentSkill

Dependency auditing, CVE detection, configuration security review, CVSS scoring, and prioritized vulnerability reporting

Exploit Development & Payload EngineeringSkill

Proof-of-concept development, payload crafting, shellcode analysis, and exploitation technique research for authorized security testing

Reverse Engineering & Binary AnalysisSkill

Binary analysis, assembly interpretation, disassembly, decompilation, firmware RE, and protocol reverse engineering

Malware Analysis & SandboxingSkill

Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification

Threat Hunting & IOC AnalysisSkill

IOC extraction, threat intelligence correlation, MITRE ATT&CK mapping, hunt hypothesis generation, and detection rule creation

Incident Response & Digital ForensicsSkill

IR playbook execution, evidence collection, forensic timeline analysis, memory forensics, and post-incident reporting following NIST SP 800-61 and SANS PICERL methodology

Network Security & Traffic AnalysisSkill

Network traffic analysis, PCAP parsing, IDS/IPS rule creation, firewall configuration auditing, and network anomaly detection