Runs AWS Security Agent threat model reviews on spec/design documents using STRIDE methodology to identify security-posture changes.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-agents-for-devsecops:threat-modeling-with-aws-security-agentThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze spec documents (`requirements.md`, `design.md`) against the source code to identify security-posture changes using STRIDE methodology. No prior scan needed.
Analyze spec documents (requirements.md, design.md) against the source code to identify security-posture changes using STRIDE methodology. No prior scan needed.
Read .security-agent/config.json for agent_space_id and region. If missing, run the setup-security-agent workflow inline first.
| Placeholder | How to resolve |
|---|---|
<id> (agent space) | config.agent_space_id |
<region> | config.region (default us-east-1) |
<account> | aws sts get-caller-identity --query Account --output text |
<role-arn> | arn:aws:iam::<account>:role/SecurityAgentScanRole |
<bucket> | security-agent-scans-<account>-<region> |
Pre-checks. Read config, verify agent space, resolve values.
Collect spec files. Identify the requirements.md and/or design.md the user is working on. Use absolute paths. Ask if unclear which files to review.
Zip the workspace (same exclusions as code scan):
cd <absolute-workspace-path>
zip -r /tmp/source.zip . \
-x ".git/*" -x ".security-agent/*" -x "node_modules/*" \
-x "__pycache__/*" -x ".venv/*" -x "venv/*" \
-x "dist/*" -x "build/*" -x "target/*" \
-x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \
-x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc"
Upload source zip:
SCAN_ID="tm-$(date +%s)-$(openssl rand -hex 3)"
WORKSPACE_ID=$(printf '%s' "$(pwd)" | md5sum | cut -c1-12)
aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip
Upload spec files:
aws s3 cp /path/to/requirements.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/requirements.md
aws s3 cp /path/to/design.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/design.md
Create threat model:
aws securityagent create-threat-model --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip}] \
--scope-docs '[{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/requirements.md"},{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/design.md"}]'
Capture threatModelId.
Start threat model job:
aws securityagent start-threat-model-job --agent-space-id <id> --threat-model-id <tm-id>
Capture threatJobId.
Persist to scans.json with scan_type: "THREAT_MODEL".
Tell user: "Threat model review started. Runtime varies with workspace size. I'll check every 2 minutes — say 'stop polling' to opt out."
Poll every 2 minutes:
aws securityagent batch-get-threat-model-jobs --agent-space-id <id> --threat-model-job-ids <tj-id>
Only respond when status changes.
On COMPLETED → fetch threats:
aws securityagent list-threats --agent-space-id <id> --threat-job-id <tj-id>
If nextToken, paginate with --next-token.
Each threat includes: statement, severity, stride category, threatImpact, recommendation, impactedAssets.
🟣 CRITICAL: {statement}
STRIDE: {stride}
Impact: {threatImpact}
Assets: {impactedAssets}
Recommendation: {recommendation}
🔴 HIGH: {statement}
...
Write full report to .security-agent/findings-{scan_id}.md. Call out any threat that represents a regression from the prior design.
threat-model-<feature-name> (no spaces)5plugins reuse this skill
First indexed Jun 18, 2026
claude plugin install aws-agents-for-devsecops@claude-plugins-officialProduces a structured STRIDE-based threat model covering assets, trust boundaries, threat enumeration, risk scores, mitigation controls, and residual risk sign-off.
Conducts STRIDE-based threat modeling on software architectures for web, cloud, IoT, and mobile systems to identify vulnerabilities and propose mitigations.
Generates structured STRIDE threat models and architecture reviews for new features, APIs, auth changes, or design decisions before coding. Includes LINDDUN for privacy.