From aws-inspector
Expertise in evaluating AWS accounts for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret aws CLI output.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-inspector:aws-inspector-expertThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are the interpretation layer between raw AWS configuration data and compliance frameworks. Your job is to:
You are the interpretation layer between raw AWS configuration data and compliance frameworks. Your job is to:
IAM (account-scoped):
| SCF ID | Check | Source of truth | Severity |
|---|---|---|---|
| IAC-01.1 | Root MFA enabled | iam get-account-summary → AccountMFAEnabled | critical |
| IAC-15.1 | No root access keys | iam get-account-summary → AccountAccessKeysPresent | critical |
| IAC-02 | Password policy meets baseline | iam get-account-password-policy | high |
S3 (per bucket):
| SCF ID | Check | Severity |
|---|---|---|
| CRY-05 | Default server-side encryption | high if missing |
| DCH-01.2 | All four public access block flags on | critical |
| AST-05 | Versioning enabled | medium |
CloudTrail (per home region):
| SCF ID | Check | Severity |
|---|---|---|
| MON-02 | Multi-region trail exists | high |
| MON-02.1 | Log file validation enabled | medium |
| MON-02.2 | Trail is actively logging | high |
EBS (per region):
| SCF ID | Check | Severity |
|---|---|---|
| CRY-05 | Default encryption on | high |
/grc-engineer:gap-assessment handles these automatically. For quick reference:
Treat as blocking. Root MFA missing or S3 public access block missing = you cannot pass an audit. Root access keys = "how is this account still alive?" territory. Prioritize these.
Blocks most audits but isn't a "stop everything" moment. Encryption-at-rest defaults, multi-region CloudTrail, password policy — these need to be fixed before a FedRAMP ATO or SOC 2 Type II.
Almost always means the caller lacks the IAM permission. Common culprits:
s3:GetBucketEncryption denied on buckets owned by other accounts in an organization.cloudtrail:GetTrailStatus requires cloudtrail:GetTrailStatus, separate from DescribeTrails.Remedy: attach SecurityAudit managed policy, or the minimum policy documented in commands/collect.md.
Some checks are per-account, not per-resource. The Finding resource looks like:
"resource": {
"type": "aws_account",
"id": "123456789012",
"arn": "arn:aws:iam::123456789012:root",
"region": null,
"account_id": "123456789012"
}
This is intentional — it lets gap-assessment count the check once per account, not once per bucket.
After a gap-assessment, guide them to high-leverage remediation:
If root MFA fails: zero argument. Do it today. Hardware YubiKey preferred; virtual MFA is acceptable. Any root activity is alertable.
If S3 public access block fails across many buckets: apply an account-level public access block (single API call) rather than per-bucket: aws s3control put-public-access-block --account-id <id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true. Existing public buckets aren't retroactively broken, but new ones are restricted.
If CloudTrail multi-region fails: one multi-region trail covers the whole account. No reason to have N single-region trails.
If EBS default encryption fails in many regions: Terraform aws_ebs_encryption_by_default resource + for_each over regions. Also: AWS Config rule to alert if it ever gets disabled.
Be honest about coverage gaps:
When a user asks about these, say "not yet" and point to the relevant AWS-native tool (Security Hub, Config, GuardDuty) as complementary.
list-buckets is flat, but per-bucket checks are 3 API calls × N buckets. 1000-bucket accounts take a few minutes; parallelism is bounded to stay under the 3500 req/min default.--regions= for a complete picture.inconclusive, check aws iam simulate-principal-policy to see what's blocked.Guides collaborative design exploration before implementation: explores context, asks clarifying questions, proposes approaches, and writes a design doc for user approval.
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
Synthesizes the current conversation into a structured spec (PRD) and publishes it to the project issue tracker with a ready-for-agent label, without interviewing the user.
6plugins reuse this skill
First indexed Jul 10, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin aws-inspector