```bash
npx claudepluginhub frank-luongt/faos-skills-marketplace --plugin faos-security-engineer
```

This skill uses the workspace's default tool permissions.
Cloud security operates under a shared responsibility model: the cloud provider secures the infrastructure, while the customer secures their workloads, data, and configurations. Misunderstanding this boundary is the root cause of most cloud security incidents.
This skill provides reference architectures and actionable patterns across five security domains:
| Domain | Key Concerns |
|---|---|
| Identity | IAM policies, service accounts, workload identity |
| Network | VPC design, firewalls, private connectivity, WAF |
| Data | Encryption, key management, DLP, data residency |
| Compute | Instance hardening, container security, serverless |
| Logging | Audit trails, monitoring, alerting, forensics |
Provider-specific guidance is included for GCP (primary for FAOS), AWS, and Azure, with emphasis on GCP patterns that directly apply to the FAOS platform.
```
+-------------------------+------------------------------------------+
|                         | Customer Responsibility                  |
| SaaS                    | Data, access policies, usage config      |
+-------------------------+------------------------------------------+
| PaaS / Containers       | Applications, data, access, config       |
| (GKE, EKS, AKS)         | Workload security, network policies      |
+-------------------------+------------------------------------------+
| IaaS                    | OS, network config, firewall, data       |
| (GCE, EC2, Azure VMs)   | Patching, identity, encryption           |
+-------------------------+------------------------------------------+
| Provider                | Physical security, hypervisor, global    |
| Responsibility          | network, hardware, core services         |
+-------------------------+------------------------------------------+
```
Before applying security controls, classify workloads by sensitivity and exposure:
| Classification | Data Types | Security Controls |
|---|---|---|
| Public | Marketing content, docs | Basic: WAF, DDoS protection |
| Internal | Business data, internal APIs | Standard: VPC, IAM, encryption |
| Confidential | Customer PII, financial data | Enhanced: CMEK, DLP, audit logs |
| Restricted | Secrets, keys, auth tokens | Maximum: HSM, dedicated tenancy |
This classification drives decisions for network isolation, encryption, access control, and monitoring.
Implement defense-in-depth through network segmentation:
```
Internet
    |
[Cloud Load Balancer + WAF + Cloud Armor]
    |
[Public Subnet / DMZ]
    |--- Web tier (frontend, API gateway)
    |
[Private Subnet]
    |--- Application tier (GKE, compute)
    |--- Service mesh (mTLS between services)
    |
[Restricted Subnet]
    |--- Data tier (Cloud SQL, Redis, storage)
    |--- No internet access, VPC-SC perimeter
```
Key network security patterns:
IAM is the most critical security control in cloud environments. A misconfigured IAM policy can expose an entire organization.
Principle of Least Privilege:
```bash
# GCP: Grant minimum required roles

# BAD - overly broad
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:app-sa@$PROJECT.iam.gserviceaccount.com" \
  --role="roles/editor"

# GOOD - specific to need
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:app-sa@$PROJECT.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"
```
Service Account Patterns:
| Pattern | Use Case | Security Level |
|---|---|---|
| Workload Identity | GKE pods accessing GCP services | Highest |
| Attached SA | GCE instances with scoped roles | High |
| SA Key (JSON) | External systems (avoid if possible) | Medium |
| User credentials | Development only | Low |
Encryption must cover data at rest and in transit:
At Rest:
In Transit:
```bash
# GCP: Create a CMEK key ring and key
gcloud kms keyrings create faos-keyring --location=global

# The next-rotation timestamp uses GNU date syntax (-d "+90 days")
gcloud kms keys create faos-data-key \
  --location=global \
  --keyring=faos-keyring \
  --purpose=encryption \
  --rotation-period=90d \
  --next-rotation-time="$(date -u -d "+90 days" +%Y-%m-%dT%H:%M:%SZ)"
```
Comprehensive logging is non-negotiable for security operations and compliance:
| Log Type | GCP Service | AWS Equivalent | Purpose |
|---|---|---|---|
| Admin Activity | Cloud Audit Logs | CloudTrail | Who changed what |
| Data Access | Cloud Audit Logs | CloudTrail Data | Who accessed what data |
| Network Flows | VPC Flow Logs | VPC Flow Logs | Network traffic analysis |
| Application Logs | Cloud Logging | CloudWatch Logs | App-level events |
| Container Logs | GKE Logging | EKS/CloudWatch | Container stdout/stderr |
| DNS Queries | Cloud DNS Logging | Route 53 Query Logs | DNS-based threat detection |
Enable alert policies for critical events:
```yaml
# GCP Monitoring alert for IAM policy changes
alertPolicy:
  displayName: "IAM Policy Modification"
  conditions:
    - displayName: "IAM policy changed"
      conditionMatchedLog:
        filter: |
          protoPayload.methodName=("SetIamPolicy" OR "UpdateIamPolicy")
          AND protoPayload.serviceName!="k8s.io"
        labelExtractors:
          principal: "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
  notificationChannels:
    - projects/my-gcp-project/notificationChannels/security-team
  alertStrategy:
    autoClose: 604800s  # 7 days
```
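To check what this filter would and would not fire on before relying on it, the following added example (not part of the original skill) replays the filter logic over exported audit-log entries and also lists IAM policy writes whose method name the filter does not list. The sample entries are constructed, the `field` and `triage` helpers are hypothetical names, and the filter's `=` is modelled as exact string equality.

```python
ALERT_METHODS = {"SetIamPolicy", "UpdateIamPolicy"}  # values from the alert filter
EXCLUDED_SERVICE = "k8s.io"                          # serviceName the filter drops
IAM_WRITE_SUFFIXES = ("setiampolicy", "updateiampolicy")

# Constructed audit-log entries, trimmed to the fields the filter and extractor read.
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"protoPayload": {"serviceName": "k8s.io", "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "system:kube-controller"}}},
    {"protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.SetIAMPolicy",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "carol@example.com"}}},
]


def field(entry, dotted, default=None):
    """Read a dotted path such as protoPayload.authenticationInfo.principalEmail."""
    node = entry
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def triage(entries):
    """Split entries into (alerts, near_misses) lists of (principal, service, method)."""
    alerts, near_misses = [], []
    for entry in entries:
        method = field(entry, "protoPayload.methodName", "")
        service = field(entry, "protoPayload.serviceName")
        who = field(entry, "protoPayload.authenticationInfo.principalEmail", "unknown")
        if service == EXCLUDED_SERVICE:
            continue                                   # dropped by serviceName!="k8s.io"
        if method in ALERT_METHODS:                    # what the alert fires on
            alerts.append((who, service, method))
        elif method.lower().endswith(IAM_WRITE_SUFFIXES):
            near_misses.append((who, service, method)) # IAM write the filter does not name
    return alerts, near_misses


if __name__ == "__main__":
    fired, missed = triage(SAMPLE_ENTRIES)
    print("alerts:", fired)
    print("not covered by filter:", missed)
```

A non-empty second list means the method names in the filter need extending for the services in use.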
This configuration demonstrates GCP security best practices:
```hcl
# Terraform: Private GKE cluster with Workload Identity
resource "google_container_cluster" "faos_cluster" {
  name     = "my-gke-cluster"
  location = "asia-southeast1-a"
  project  = "my-gcp-project"

  # Private cluster configuration
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false # Allow kubectl from authorized networks
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Authorized networks for API server access
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"
      display_name = "Internal VPC"
    }
  }

  # Workload Identity for keyless service account access
  workload_identity_config {
    workload_pool = "my-gcp-project.svc.id.goog"
  }

  # Binary Authorization for image verification
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # Network policy enforcement
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # Shielded GKE nodes
  node_config {
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    workload_metadata_config {
      mode = "GKE_METADATA" # Enables Workload Identity on nodes
    }

    # Use COS-containerd for security
    image_type = "COS_CONTAINERD"

    # Service account with minimal permissions
    # (google_service_account.gke_node_sa is defined elsewhere, not shown here)
    service_account = google_service_account.gke_node_sa.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  # Enable logging and monitoring
  logging_config {
    enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
  }

  monitoring_config {
    enable_components = ["SYSTEM_COMPONENTS"]
    managed_prometheus { enabled = true }
  }
}

# Workload Identity binding for application service account
resource "google_service_account" "app_sa" {
  account_id   = "my-app-sa"
  display_name = "FAOS API Service Account"
  project      = "my-gcp-project"
}

resource "google_service_account_iam_binding" "workload_identity" {
  service_account_id = google_service_account.app_sa.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    # Format: PROJECT.svc.id.goog[K8S_NAMESPACE/K8S_SERVICE_ACCOUNT].
    # Must match the namespace and name of the Kubernetes ServiceAccount below.
    "serviceAccount:my-gcp-project.svc.id.goog[faos-api/my-app-sa]"
  ]
}

# Kubernetes ServiceAccount annotation for Workload Identity
resource "kubernetes_service_account" "app_sa" {
  metadata {
    name      = "my-app-sa"
    namespace = "faos-api"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app_sa.email
    }
  }
}
```
```bash
#!/bin/bash
# create-least-privilege-sa.sh
# Creates service accounts with minimum required permissions for FAOS components
# Requires bash 4+ (associative arrays).
set -euo pipefail

PROJECT="my-gcp-project"

# API service account: needs Cloud SQL, Secret Manager, Cloud Storage
gcloud iam service-accounts create my-app-sa \
  --display-name="FAOS API Service Account" \
  --project="$PROJECT"

# Grant only specific roles (never roles/editor or roles/owner)
declare -A API_ROLES=(
  ["roles/cloudsql.client"]="Connect to Cloud SQL instances"
  ["roles/secretmanager.secretAccessor"]="Read secrets"
  ["roles/storage.objectViewer"]="Read from Cloud Storage buckets"
  ["roles/logging.logWriter"]="Write application logs"
  ["roles/monitoring.metricWriter"]="Write custom metrics"
)

for role in "${!API_ROLES[@]}"; do
  echo "Granting ${role}: ${API_ROLES[$role]}"
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:my-app-sa@${PROJECT}.iam.gserviceaccount.com" \
    --role="$role" \
    --condition=None
done

# Worker service account: needs Pub/Sub, Cloud Tasks, limited Cloud SQL
gcloud iam service-accounts create faos-worker-sa \
  --display-name="FAOS Worker Service Account" \
  --project="$PROJECT"

declare -A WORKER_ROLES=(
  ["roles/pubsub.subscriber"]="Consume messages from Pub/Sub"
  ["roles/pubsub.publisher"]="Publish messages to Pub/Sub"
  ["roles/cloudtasks.enqueuer"]="Enqueue Cloud Tasks"
  ["roles/cloudsql.client"]="Connect to Cloud SQL"
  ["roles/logging.logWriter"]="Write application logs"
)

for role in "${!WORKER_ROLES[@]}"; do
  echo "Granting ${role}: ${WORKER_ROLES[$role]}"
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:faos-worker-sa@${PROJECT}.iam.gserviceaccount.com" \
    --role="$role" \
    --condition=None
done

# Verify: list roles for each service account
echo "=== API SA Roles ==="
gcloud projects get-iam-policy "$PROJECT" \
  --flatten="bindings[].members" \
  --filter="bindings.members:my-app-sa@" \
  --format="table(bindings.role)"

echo "=== Worker SA Roles ==="
gcloud projects get-iam-policy "$PROJECT" \
  --flatten="bindings[].members" \
  --filter="bindings.members:faos-worker-sa@" \
  --format="table(bindings.role)"
```
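The verify step above prints role tables for a person to read. As an added example (not part of the original skill), the check below turns it into an automated audit of `gcloud projects get-iam-policy PROJECT --format=json` output: it flags `roles/editor` and `roles/owner`, public members, and any role on the two service accounts that is not in the script's role arrays. The sample policy is constructed and `audit_policy` is a hypothetical helper name.

```python
BROAD_ROLES = {"roles/owner", "roles/editor"}           # roles the script says never to grant
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # members that make a binding public

# Expected grants, copied from the API_ROLES and WORKER_ROLES arrays in the script.
EXPECTED = {
    "my-app-sa": {"roles/cloudsql.client", "roles/secretmanager.secretAccessor",
                  "roles/storage.objectViewer", "roles/logging.logWriter",
                  "roles/monitoring.metricWriter"},
    "faos-worker-sa": {"roles/pubsub.subscriber", "roles/pubsub.publisher",
                       "roles/cloudtasks.enqueuer", "roles/cloudsql.client",
                       "roles/logging.logWriter"},
}

SA = "serviceAccount:{}@my-gcp-project.iam.gserviceaccount.com"
# Constructed sample policy containing three deliberate problems.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudsql.client",
     "members": [SA.format("my-app-sa"), SA.format("faos-worker-sa")]},
    {"role": "roles/editor", "members": [SA.format("faos-worker-sa")]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", SA.format("my-app-sa")]},
    {"role": "roles/pubsub.publisher", "members": [SA.format("my-app-sa")]},
]}


def audit_policy(policy, expected=EXPECTED):
    """Return sorted (kind, member, role) findings for one project IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_MEMBER", member, role))
            elif role in BROAD_ROLES:
                findings.append(("BROAD_ROLE", member, role))
            elif member.startswith("serviceAccount:"):
                # serviceAccount:NAME@PROJECT.iam.gserviceaccount.com -> NAME
                name = member.split(":", 1)[1].split("@", 1)[0]
                if name in expected and role not in expected[name]:
                    findings.append(("UNEXPECTED_ROLE", member, role))
    return sorted(findings)


if __name__ == "__main__":
    for kind, member, role in audit_policy(SAMPLE_POLICY):
        print(f"{kind:16} {role:28} {member}")
```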
allUsers or allAuthenticatedUsers access to cloud resources