Skill323 estrellas del repoactualizado today
cis-aws-compute-5.9
This skill audits AWS Lightsail storage buckets to verify that public read access is disabled. Use it to identify buckets configured with "All objects are public" or "Individual objects can be public" settings, then apply the provided remediation steps via AWS Console or CLI to restrict all objects to private access only.
Instalar en Claude Code
Copiargit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-5.9 && cp -r /tmp/cis-aws-compute-5.9/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-5.9 ~/.claude/skills/cis-aws-compute-5.9Después abre una sesión nueva de Claude Code; el skill carga automáticamente.
Definición
SKILL.md
# 5.9 Ensure that your Lightsail buckets are not publicly accessible (Manual)
## Description
You can make all objects private, public (read-only) or private while making individual objects public (read-only). By default when creating a bucket the permissions are set to "All objects are private".
## Rationale
When the Bucket access permissions are set to All objects are public (read-only) - All objects in the bucket are readable by anyone on the internet through the URL of the bucket.
## Impact
N/A
## Audit Procedure
### Using AWS Console
1. Login to AWS Console using https://console.aws.amazon.com
2. Click `All services`, click `Lightsail` under Compute.
3. This will open up the Lightsail console.
4. Select `Storage`.
5. All Lightsail buckets are listed here.
6. Underneath the bucket name and size there are 3 possible statements:
```
All objects are private
All objects are public (read-Only)
Individual objects can be public
```
7. If any buckets are set to `All objects are public (read-Only)` and or 'Individual objects can be public' refer to the remediation below.
### Using AWS CLI
1. Run `aws lightsail get-buckets`
```bash
aws lightsail get-buckets
```
This command will provide a list of Buckets tied to Lightsail.
2. Review the accessRules, getobject and allowPublicOverrides.
```json
"accessRules": {
"getObject": "private",
"allowPublicOverrides": false
}
```
4. If it reads "getObject": "public" or "allowPublicOverrides": true please make note "name" of the bucket also listed in the output.
5. Then refer to the remediation below.
## Expected Result
All Lightsail buckets should have access rules set to `"getObject": "private"` and `"allowPublicOverrides": false`, meaning all objects are private.
## Remediation
### Using AWS Console
1. Login to AWS Console using https://console.aws.amazon.com
2. Click `All services`, click `Lightsail` under Compute.
3. This will open up the Lightsail console.
4. Select `Storage`.
5. All Lightsail buckets are listed here.
6. Click on the bucket name that has `All objects are public (read-Only)` listed.
7. Click on `Permissions`
8. Click on `Change permissions`
9. Select `All objects are private`
10. Click `Save`
11. Repeat for any other Buckets within Lightsail that are set with `All objects are public (read-Only)` and/or `Individual objects can be made public and read only`
### Using AWS CLI
1. Run `aws lightsail update-bucket`
```bash
aws lightsail update-bucket --bucket-name <name from list in audit> --access-rules getObject="private",allowPublicOverrides=false
```
2. The confirmation that the change was made will print out after running that command.
3. Repeat for any other buckets listed in the audit.
## Default Value
By default when creating a bucket the permissions are set to "All objects are private".
## References
1. https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-understanding-bucket-permissions
## CIS Controls
| Controls Version | Control | IG 1 | IG 2 | IG 3 |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ---- | ---- |
| v8 | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x | x | x |
| v7 | 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | x | x | x |
## Profile
Level 1 | ManualDel mismo repositorio
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates