Provisions or reuses an AWS Security Agent space, IAM service role, and S3 bucket for the current workspace. Run before scanning or pentesting.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-agents-for-devsecops:setup-security-agentThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
This skill handles ONE thing: making sure the workspace has a working agent space, IAM service role, and S3 bucket linked together. Scans and pentests live in separate skills and assume this is done.
This skill handles ONE thing: making sure the workspace has a working agent space, IAM service role, and S3 bucket linked together. Scans and pentests live in separate skills and assume this is done.
All Security Agent skills share workspace-local state at .security-agent/:
config.json — { "agent_space_id": "as-...", "region": "us-east-1", "code_reviews": { "<abs_path>": "cr-..." } }. Account ID, role ARN, and bucket name are derived by convention. The code_reviews map lets scans reuse the same CodeReview for a workspace.scans.json — array of { scan_id, code_review_id, job_id, agent_space_id, scan_type, title, started_at, status, path } (keep last 50)pentests.json — same shape, for pentest jobs.gitignore — contents * so this directory stays untrackedfindings-{scan_id}.md — written by the scan skill after each scan completesThis skill's job is to populate config.json and create .gitignore.
Other skills compute these on each invocation rather than reading them from config.json:
| Value | Convention |
|---|---|
ACCOUNT | aws sts get-caller-identity --query Account --output text |
REGION | config.region (default us-east-1) |
service_role_arn | arn:aws:iam::${ACCOUNT}:role/SecurityAgentScanRole |
s3_bucket | security-agent-scans-${ACCOUNT}-${REGION} |
Why minimal config: the role name and bucket name are deterministic, so storing them adds drift risk (a user re-creating a role manually would silently use a stale path). Only agent_space_id is stored because users may have multiple agent spaces and we don't want to ask which one every session.
Check existing state: read .security-agent/config.json if it exists.
Caller identity + region:
export ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
export REGION="${AWS_REGION:-us-east-1}"
Agent space:
If config.agent_space_id is set, verify with:
aws securityagent batch-get-agent-spaces --agent-space-ids <id>
If the response shows it doesn't exist, treat as missing.
If missing, list existing:
aws securityagent list-agent-spaces
If any exist → show them to the user with name + id and ask: "Would you like to reuse one of these, or should I create a new one?" Wait for the answer. Do not auto-select.
If user picks one, use that agentSpaceId.
If user wants new, or none exist:
aws securityagent create-agent-space --name security-scans
Capture returned agentSpaceId.
Service role (SecurityAgentScanRole, ARN arn:aws:iam::$ACCOUNT:role/SecurityAgentScanRole):
Probe:
aws iam get-role --role-name SecurityAgentScanRole
If NoSuchEntity is returned, create the role. Idempotency note: create-role will fail with EntityAlreadyExists if the role already exists. If that happens, fall through to update-assume-role-policy to ensure the trust policy is correct.
# Trust policy — includes aws:SourceAccount confused-deputy guard
cat > /tmp/sa-trust.json <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"securityagent.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"${ACCOUNT}"}}}]}
EOF
# Permissions policy (S3 + CloudWatch Logs)
cat > /tmp/sa-perms.json <<EOF
{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Action":["s3:GetObject","s3:GetObjectVersion","s3:ListBucket"],"Resource":["arn:aws:s3:::security-agent-scans-${ACCOUNT}-${REGION}","arn:aws:s3:::security-agent-scans-${ACCOUNT}-${REGION}/*"]},
{"Effect":"Allow","Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:*:${ACCOUNT}:log-group:/aws/securityagent/*"}
]}
EOF
aws iam create-role --role-name SecurityAgentScanRole --assume-role-policy-document file:///tmp/sa-trust.json
# if EntityAlreadyExists:
aws iam update-assume-role-policy --role-name SecurityAgentScanRole --policy-document file:///tmp/sa-trust.json
# always (re)apply permissions:
aws iam put-role-policy --role-name SecurityAgentScanRole --policy-name SecurityAgentCodeReviewAccess --policy-document file:///tmp/sa-perms.json
S3 bucket (security-agent-scans-$ACCOUNT-$REGION):
Probe:
BUCKET="security-agent-scans-${ACCOUNT}-${REGION}"
aws s3api head-bucket --bucket "$BUCKET"
If 404, create:
# us-east-1: no LocationConstraint
aws s3api create-bucket --bucket "$BUCKET"
# other regions:
aws s3api create-bucket --bucket "$BUCKET" --create-bucket-configuration LocationConstraint="$REGION"
Always (re)apply public access block + 30-day lifecycle:
aws s3api put-public-access-block --bucket "$BUCKET" \
--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
cat > /tmp/sa-lifecycle.json <<'EOF'
{"Rules":[{"ID":"AutoDeleteUploads","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":30}}]}
EOF
aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" --lifecycle-configuration file:///tmp/sa-lifecycle.json
Register role + bucket on the agent space (idempotent):
Read existing resources:
aws securityagent batch-get-agent-spaces --agent-space-ids <id>
Look at agentSpaces[0].awsResources.iamRoles and awsResources.s3Buckets.
If the role ARN or the bucket name is missing from those lists, merge and update:
aws securityagent update-agent-space --agent-space-id <id> --name <existing-name> \
--aws-resources iamRoles=[<arn1>,<arn2>...],s3Buckets=[<bucket1>,<bucket2>...]
Persist to .security-agent/config.json (minimal — account/role/bucket are derived):
{
"agent_space_id": "as-xxxxx",
"region": "us-east-1"
}
Create gitignore if missing:
mkdir -p .security-agent
echo '*' > .security-agent/.gitignore
Confirm to user: "Setup complete. You can run security scans or pentests now."
securityagent.amazonaws.com (production service principal) and include the aws:SourceAccount confused-deputy guardSecurityAgentScanRole / security-agent-scans-${ACCOUNT}-${REGION}). Either accept those defaults or extend the skill — the other skills derive these names rather than reading them from config.config.json is missing — first-time users don't need to run setup separately.AccessDenied calling iam:CreateRole → user lacks IAM permissions. Ask them to run setup with their own role ARN, or to grant iam:CreateRole + iam:PutRolePolicy.AccessDenied on s3api create-bucket → either the bucket name is taken globally, or the user lacks s3:CreateBucket. Suggest using an existing bucket they own and pass it explicitly.update-assume-role-policy (step 4 fallback). If they don't want that role updated, ask them for a different role ARN.npx claudepluginhub spencerx/agent-toolkit-for-aws --plugin aws-agents-for-devsecops5plugins reuse this skill
First indexed Jun 18, 2026
Provisions or reuses an AWS Security Agent space, IAM service role, and S3 bucket for the current workspace. Run before scanning or pentesting.
Enumerate AWS resources and identify misconfigurations using ScoutSuite, generating interactive HTML security reports for security posture assessment.
Audits AWS infrastructure code (CDK, Terraform, CloudFormation, SAM) for security misconfigurations in IAM, networking, data protection, and logging.