Implements multi-cloud CSPM for vulnerability and misconfiguration detection using AWS Security Hub, Azure Defender for Cloud, Prowler, and ScoutSuite.
Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risk: over-permissive IAM, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools such as Prowler and ScoutSuite.
Dependencies: boto3, azure-identity, azure-mgmt-security

```bash
# Enable AWS Security Hub with the default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable specific standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
  '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
  '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'

# Summary of active CRITICAL findings
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
```
| Standard | Description |
|---|---|
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |
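The CLI call above returns at most 100 findings per page and prints raw ASFF JSON. The script below is an added example (not part of the original skill) that applies the same CRITICAL/ACTIVE filter through boto3, pages through every result, and summarises findings by severity, resource type and failing control. The sample findings at the bottom are constructed ASFF-style records, not real Security Hub output; the only assumption is that AWS credentials exist in the environment when `fetch_active_findings()` is called, while `summarise()` is pure and runs offline.

```python
"""Summarise active Security Hub findings by resource type and control."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence


def build_filters(severities: Sequence[str] = ("CRITICAL",),
                  record_state: str = "ACTIVE") -> dict:
    """Same filter as the CLI call above, plus a WorkflowStatus filter so
    findings already marked RESOLVED or SUPPRESSED are not counted."""
    return {
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in severities],
        "RecordState": [{"Value": record_state, "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": w, "Comparison": "EQUALS"} for w in ("NEW", "NOTIFIED")],
    }


def fetch_active_findings(region: str = "us-east-1",
                          severities: Sequence[str] = ("CRITICAL", "HIGH")) -> List[dict]:
    """Page through GetFindings and return every matching ASFF finding.
    Assumes AWS credentials are configured in the environment."""
    import boto3  # imported lazily so summarise() works without the SDK installed
    client = boto3.client("securityhub", region_name=region)
    paginator = client.get_paginator("get_findings")
    findings: List[dict] = []
    for page in paginator.paginate(Filters=build_filters(severities)):
        findings.extend(page["Findings"])
    return findings


def summarise(findings: Iterable[dict]) -> Dict[str, object]:
    """Count findings by severity label, resource type and failing control,
    and collect the ids of resources that currently fail a control."""
    by_severity: Counter = Counter()
    by_resource_type: Counter = Counter()
    failed_controls: Counter = Counter()
    failed_resources = set()
    total = 0
    for f in findings:
        total += 1
        by_severity[f.get("Severity", {}).get("Label", "UNKNOWN")] += 1
        failed = f.get("Compliance", {}).get("Status") == "FAILED"
        if failed:
            failed_controls[f.get("GeneratorId", "unknown")] += 1
        for r in f.get("Resources", []):
            by_resource_type[r.get("Type", "Unknown")] += 1
            if failed and r.get("Id"):
                failed_resources.add(r["Id"])
    return {
        "total": total,
        "by_severity": dict(by_severity),
        "by_resource_type": dict(by_resource_type),
        "failed_controls": dict(failed_controls),
        "failed_resource_ids": sorted(failed_resources),
    }


# Constructed ASFF-style sample findings (not real Security Hub output)
S3_CONTROL = "aws-foundational-security-best-practices/v/1.0.0/S3.1"
IAM_CONTROL = "aws-foundational-security-best-practices/v/1.0.0/IAM.9"
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Title": "S3 Block Public Access should be enabled", "GeneratorId": S3_CONTROL,
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-a"}]},
    {"Id": "f-2", "Title": "S3 Block Public Access should be enabled", "GeneratorId": S3_CONTROL,
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-b"}]},
    {"Id": "f-3", "Title": "MFA should be enabled for the root user", "GeneratorId": IAM_CONTROL,
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}]},
    # A threat finding with no Compliance block: counted, but not a failed control
    {"Id": "f-4", "Title": "Unusual API activity", "GeneratorId": "guardduty",
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}]},
]


if __name__ == "__main__":
    import json
    # Replace SAMPLE_FINDINGS with fetch_active_findings() to run against an account
    print(json.dumps(summarise(SAMPLE_FINDINGS), indent=2))
```

The WorkflowStatus filter is the difference between "everything Security Hub ever raised" and "what still needs work": a finding that was suppressed as a false positive or already resolved stays ACTIVE in RecordState, so filtering only on RecordState overstates the backlog.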
```bash
# Enable the Defender CSPM plan at the standard tier
az security pricing create \
  --name CloudPosture \
  --tier standard

# Check the secure score
az security secure-score list \
  --query "[].{Name:displayName,Score:current,Max:max}" \
  --output table

# List unhealthy security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table

# List active alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table
```
```bash
# Install Prowler
pip install prowler

# Run a full AWS scan (output formats are space-separated)
prowler aws --output-formats json-ocsf csv html

# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet

# Run against a specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run the CIS benchmark compliance checks
prowler aws --compliance cis_1.5_aws

# Run the PCI DSS compliance checks
prowler aws --compliance pci_3.2.1_aws

# Scan an Azure environment
prowler azure --subscription-ids "sub-id-here"

# Scan a GCP environment
prowler gcp --project-ids "project-id-here"
```
| Category | Examples |
|---|---|
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, instance metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log file validation |
| VPC | Flow logs, default security group restrictions |
| Lambda | Public access, runtime version |
| EKS | Public endpoint, secrets encryption |
```bash
# Install ScoutSuite
pip install scoutsuite

# Run an AWS assessment
scout aws --profile production

# Run an Azure assessment using the Azure CLI credentials
scout azure --cli

# Run a GCP assessment
scout gcp --project-id my-project

# Results are written as an interactive HTML report;
# open scout-report/report.html in a browser
```
```python
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def run_prowler_scan(provider, output_dir, compliance=None):
    """Run a Prowler scan against one cloud provider."""
    cmd = ["prowler", provider, "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode == 0


def _load_findings(path):
    """Load findings from one output file. Prowler's OCSF output is a JSON
    array; newline-delimited JSON (one finding per line) is accepted too."""
    text = path.read_text()
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        pass
    findings = []
    for line in text.splitlines():
        try:
            findings.append(json.loads(line.strip()))
        except json.JSONDecodeError:
            continue
    return findings


def aggregate_findings(prowler_dirs):
    """Aggregate the findings of several Prowler scan directories."""
    all_findings = []
    for scan_dir in prowler_dirs:
        for jf in Path(scan_dir).glob("*.json"):
            all_findings.extend(_load_findings(jf))
    # Sort by severity, most severe first
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        str(f.get("severity", "informational")).lower(), 5
    ))
    return all_findings


def generate_posture_report(findings, output_path):
    """Generate a cloud security posture report."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = f.get("severity", "unknown")
        # OCSF output nests the provider under "cloud.provider" and the
        # service under "resources[].group.name"; fall back to those keys
        provider = f.get("cloud_provider") or f.get("cloud", {}).get("provider", "unknown")
        resources = f.get("resources") or [{}]
        service = f.get("service_name") or resources[0].get("group", {}).get("name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1
    with open(output_path, "w") as f:
        json.dump(report, f, indent=2)
    return report
```
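A posture report is only useful if something acts on it. The example below is added here and is not part of the original skill: it consumes the `by_severity` map that `generate_posture_report()` writes, turns it into a pass/fail gate for a pipeline, and computes a per-severity trend against the previous run. The two reports are constructed sample data in the shape of that function's output; the thresholds are an assumed default policy (no critical findings, at most five high), and severity labels are assumed to arrive in any case ("High", "high").

```python
"""Gate a pipeline on a CSPM posture report and track the trend between runs."""
from typing import Dict, List, Optional, Tuple

# Constructed sample reports in the shape generate_posture_report() writes
PREVIOUS_REPORT = {"total_findings": 12,
                   "by_severity": {"critical": 1, "high": 4, "medium": 7}}
CURRENT_REPORT = {"total_findings": 15,
                  "by_severity": {"Critical": 2, "High": 3, "medium": 9, "low": 1}}

# Assumed default policy: no critical findings, at most five high
DEFAULT_THRESHOLDS = {"critical": 0, "high": 5}


def normalise_severity(by_severity: Dict[str, int]) -> Dict[str, int]:
    """Fold case variants ("High"/"high") into one lower-case bucket."""
    out: Dict[str, int] = {}
    for label, count in by_severity.items():
        key = label.lower()
        out[key] = out.get(key, 0) + count
    return out


def evaluate_gate(report: dict,
                  thresholds: Optional[Dict[str, int]] = None) -> Tuple[bool, List[str]]:
    """Fail when any severity bucket exceeds its allowed maximum.
    Returns (passed, reasons); reasons is empty when the gate passes."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    counts = normalise_severity(report.get("by_severity", {}))
    reasons: List[str] = []
    for sev, limit in thresholds.items():
        n = counts.get(sev, 0)
        if n > limit:
            reasons.append(f"{sev}: {n} findings, limit {limit}")
    return (not reasons, reasons)


def diff_reports(previous: dict, current: dict) -> Dict[str, int]:
    """Per-severity delta between two runs (positive = posture got worse)."""
    prev = normalise_severity(previous.get("by_severity", {}))
    cur = normalise_severity(current.get("by_severity", {}))
    return {sev: cur.get(sev, 0) - prev.get(sev, 0)
            for sev in sorted(set(prev) | set(cur))}


def gate_exit_code(report: dict, thresholds: Optional[Dict[str, int]] = None) -> int:
    """Exit status for CI: 0 when the gate passes, 1 otherwise."""
    passed, _ = evaluate_gate(report, thresholds)
    return 0 if passed else 1


if __name__ == "__main__":
    import sys
    passed, reasons = evaluate_gate(CURRENT_REPORT)
    print("trend since last run:", diff_reports(PREVIOUS_REPORT, CURRENT_REPORT))
    print("gate:", "PASS" if passed else "FAIL", reasons)
    sys.exit(gate_exit_code(CURRENT_REPORT))
```

Gating on absolute counts is the simplest policy; the trend output is what tells a reviewer whether a failing gate is a regression introduced by this change or a pre-existing backlog that the threshold was tightened against.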