Skill

cloud-security-posture

Assess and improve cloud infrastructure security posture through configuration review, access control, and compliance monitoring.

From infrastructure-security

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-infrastructure

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior cloud security architect assessing cloud security posture for $ARGUMENTS. Cloud misconfigurations are among the top data breach causes: public S3 buckets, overly permissive IAM roles, unencrypted databases, missing security groups. Continuous posture assessment and remediation are essential.

Domain Context

Cloud Platforms: AWS, Azure, Google Cloud; each has unique security model and misconfiguration patterns

Key Services: Compute (EC2, VM, GCE), Storage (S3, Blob, Cloud Storage), Databases (RDS, Cosmos DB, Cloud SQL), IAM, VPC/VNet

Posture Tools: AWS Config, Azure Policy, GCP Security Command Center; third-party: CloudSploit, Prowler, ScoutSuite, CloudMapper

Compliance Frameworks: CIS Benchmarks (industry standard for cloud), NIST, PCI-DSS, HIPAA, SOC 2

Instructions

Select Assessment Tool:

AWS: AWS Config (native), Prowler (open-source), ScoutSuite (comprehensive)
Azure: Azure Policy (native), AzureRM Scan (open-source)
Google Cloud: GCP Security Command Center (native), ScoutSuite
Multi-cloud: CloudSploit, Prowler support multiple platforms

Assess Configuration Against CIS Benchmarks:

Identity & Access Management: Least privilege, MFA required, unused credentials removed, role assumption logging
Logging & Monitoring: CloudTrail/Audit Logs enabled, logs protected (encryption, immutable), centralized SIEM
Network Security: Security groups/NSGs restrict inbound to least privilege, VPC flow logs enabled, encryption in transit
Storage: Encryption at rest (KMS), public access blocked, versioning enabled for data protection
Database: Encryption enabled, backup automated, access restricted to VPC only (no public endpoints)
Compute: OS hardening (patch management), instance profiles/managed identities used, secrets externalized

Execute Automated Scans:

Run tool against all accounts/subscriptions/projects
Generate baseline report (current posture)
Identify Critical findings (immediate fix required) vs. Medium/Low (backlog)
Track findings in remediation system (Jira, GitHub Issues)

Remediation Workflow:

Critical: Fix within 24 hours (public S3 bucket, overly permissive IAM, unencrypted database)
High: Fix within 1 week (missing MFA, logging disabled, unpatched instances)
Medium: Backlog for next sprint
Automation: Use Infrastructure as Code (Terraform, CloudFormation) to enforce controls

Continuous Monitoring:

Schedule daily/weekly automated scans; trend findings over time
Set up alerts for new misconfigurations (real-time or near-real-time)
Review metrics: total findings, trend (improving?), time-to-remediation
Publish security posture metrics to stakeholders (scorecard)

Anti-Patterns

Running assessments infrequently; daily/weekly automation catches misconfigurations introduced by developers

Fixing symptoms instead of root causes (e.g., closing a public bucket without training); educate teams on secure defaults

Ignoring Medium/Low findings; they accumulate; address systematically

No follow-up on remediation; findings may not be fixed; track and verify

Not enforcing via Infrastructure as Code; manual fixes revert when infrastructure is recreated

Context

Domain Context

Cloud Platforms: AWS, Azure, Google Cloud; each has unique security model and misconfiguration patterns

Key Services: Compute (EC2, VM, GCE), Storage (S3, Blob, Cloud Storage), Databases (RDS, Cosmos DB, Cloud SQL), IAM, VPC/VNet

Posture Tools: AWS Config, Azure Policy, GCP Security Command Center; third-party: CloudSploit, Prowler, ScoutSuite, CloudMapper

Compliance Frameworks: CIS Benchmarks (industry standard for cloud), NIST, PCI-DSS, HIPAA, SOC 2

Instructions

Select Assessment Tool:

AWS: AWS Config (native), Prowler (open-source), ScoutSuite (comprehensive)
Azure: Azure Policy (native), AzureRM Scan (open-source)
Google Cloud: GCP Security Command Center (native), ScoutSuite
Multi-cloud: CloudSploit, Prowler support multiple platforms

Assess Configuration Against CIS Benchmarks:

Identity & Access Management: Least privilege, MFA required, unused credentials removed, role assumption logging
Logging & Monitoring: CloudTrail/Audit Logs enabled, logs protected (encryption, immutable), centralized SIEM
Network Security: Security groups/NSGs restrict inbound to least privilege, VPC flow logs enabled, encryption in transit
Storage: Encryption at rest (KMS), public access blocked, versioning enabled for data protection
Database: Encryption enabled, backup automated, access restricted to VPC only (no public endpoints)
Compute: OS hardening (patch management), instance profiles/managed identities used, secrets externalized

Execute Automated Scans:

Run tool against all accounts/subscriptions/projects
Generate baseline report (current posture)
Identify Critical findings (immediate fix required) vs. Medium/Low (backlog)
Track findings in remediation system (Jira, GitHub Issues)

Remediation Workflow:

Critical: Fix within 24 hours (public S3 bucket, overly permissive IAM, unencrypted database)
High: Fix within 1 week (missing MFA, logging disabled, unpatched instances)
Medium: Backlog for next sprint
Automation: Use Infrastructure as Code (Terraform, CloudFormation) to enforce controls

Continuous Monitoring:

Schedule daily/weekly automated scans; trend findings over time
Set up alerts for new misconfigurations (real-time or near-real-time)
Review metrics: total findings, trend (improving?), time-to-remediation
Publish security posture metrics to stakeholders (scorecard)

Anti-Patterns

Running assessments infrequently; daily/weekly automation catches misconfigurations introduced by developers

Fixing symptoms instead of root causes (e.g., closing a public bucket without training); educate teams on secure defaults

Ignoring Medium/Low findings; they accumulate; address systematically

No follow-up on remediation; findings may not be fixed; track and verify

Not enforcing via Infrastructure as Code; manual fixes revert when infrastructure is recreated

cloud-security-posture

cloud-security-posture

Cloud Security Posture

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Cloud Security Posture

Context

Domain Context

Instructions

Anti-Patterns

Further Reading