[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-374cc6c0-d7ff-4f56-9464-20d26dc1abfa":3,"$f8KF1cguxU_AU_hWUBlhwDTyQ8fzKr1B2-oLgsgw-xhk":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"374cc6c0-d7ff-4f56-9464-20d26dc1abfa","aws-compliance-checker","针对CIS、PCI-DSS、HIPAA和SOC 2基准的自动化合规性检查","cat_coding_review","mod_coding","sickn33,coding","---\nname: aws-compliance-checker\ndescription: \"Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks\"\ncategory: security\nrisk: safe\nsource: community\ntags: \"[aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli]\"\ndate_added: \"2026-02-27\"\n---\n\n# AWS Compliance Checker\n\nAutomated compliance validation against industry standards including CIS AWS Foundations, PCI-DSS, HIPAA, and SOC 2.\n\n## When to Use\nUse this skill when you need to validate AWS compliance against industry standards, prepare for audits, or maintain continuous compliance monitoring.\n\n## Supported Frameworks\n\n**CIS AWS Foundations Benchmark**\n- Identity and Access Management\n- Logging and Monitoring\n- Networking\n- Data Protection\n\n**PCI-DSS (Payment Card Industry)**\n- Network security\n- Access controls\n- Encryption\n- Monitoring and logging\n\n**HIPAA (Healthcare)**\n- Access controls\n- Audit controls\n- Data encryption\n- Transmission security\n\n**SOC 2**\n- Security\n- Availability\n- Confidentiality\n- Privacy\n\n## CIS AWS Foundations Checks\n\n### Identity & Access Management (1.x)\n\n```bash\n#!\u002Fbin\u002Fbash\n# cis-iam-checks.sh\n\necho \"=== CIS IAM Compliance Checks ===\"\n\n# 1.1: Root account usage\necho \"1.1: Checking root account usage...\"\nroot_usage=$(aws iam get-credential-report --output text | \\\n  awk -F, 'NR==2 {print $5,$11}')\necho \"  Root password last used: $root_usage\"\n\n# 1.2: MFA on root account\necho \"1.2: Checking root MFA...\"\nroot_mfa=$(aws iam get-account-summary \\\n  --query 'SummaryMap.AccountMFAEnabled' --output text)\necho \"  Root MFA enabled: $root_mfa\"\n\n# 1.3: Unused credentials\necho \"1.3: Checking for unused credentials (>90 days)...\"\naws iam get-credential-report --output text | \\\n  awk -F, 'NR>1 {\n    if ($5 != \"N\u002FA\" && $5 != \"no_information\") {\n      cmd = \"date -d \\\"\" $5 \"\\\" +%s\"\n      cmd | getline last_used\n      close(cmd)\n      now = systime()\n      days = (now - last_used) \u002F 86400\n      if (days > 90) print \"  ⚠️  \" $1 \": \" int(days) \" days inactive\"\n    }\n  }'\n\n# 1.4: Access keys rotated\necho \"1.4: Checking access key age...\"\naws iam list-users --query 'Users[*].UserName' --output text | \\\nwhile read user; do\n  aws iam list-access-keys --user-name \"$user\" \\\n    --query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]' \\\n    --output text | \\\n  while read key_id create_date; do\n    age_days=$(( ($(date +%s) - $(date -d \"$create_date\" +%s)) \u002F 86400 ))\n    if [ $age_days -gt 90 ]; then\n      echo \"  ⚠️  $user: Key $key_id is $age_days days old\"\n    fi\n  done\ndone\n\n# 1.5-1.11: Password policy\necho \"1.5-1.11: Checking password policy...\"\npolicy=$(aws iam get-account-password-policy 2>&1)\nif echo \"$policy\" | grep -q \"NoSuchEntity\"; then\n  echo \"  ❌ No password policy configured\"\nelse\n  echo \"  ✓ Password policy exists\"\n  echo \"$policy\" | jq '.PasswordPolicy | {\n    MinimumPasswordLength,\n    RequireSymbols,\n    RequireNumbers,\n    RequireUppercaseCharacters,\n    RequireLowercaseCharacters,\n    MaxPasswordAge,\n    PasswordReusePrevention\n  }'\nfi\n\n# 1.12-1.14: MFA for IAM users\necho \"1.12-1.14: Checking IAM user MFA...\"\naws iam get-credential-report --output text | \\\n  awk -F, 'NR>1 && $4==\"false\" {print \"  ⚠️  \" $1 \": No MFA\"}'\n```\n\n### Logging (2.x)\n\n```bash\n#!\u002Fbin\u002Fbash\n# cis-logging-checks.sh\n\necho \"=== CIS Logging Compliance Checks ===\"\n\n# 2.1: CloudTrail enabled\necho \"2.1: Checking CloudTrail...\"\ntrails=$(aws cloudtrail describe-trails \\\n  --query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \\\n  --output text)\n\nif [ -z \"$trails\" ]; then\n  echo \"  ❌ No CloudTrail configured\"\nelse\n  echo \"$trails\" | while read name multi_region validation; do\n    echo \"  Trail: $name\"\n    echo \"    Multi-region: $multi_region\"\n    echo \"    Log validation: $validation\"\n    \n    # Check if logging\n    status=$(aws cloudtrail get-trail-status --name \"$name\" \\\n      --query 'IsLogging' --output text)\n    echo \"    Is logging: $status\"\n  done\nfi\n\n# 2.2: CloudTrail log file validation\necho \"2.2: Checking log file validation...\"\naws cloudtrail describe-trails \\\n  --query 'trailList[?LogFileValidationEnabled==`false`].Name' \\\n  --output text | \\\nwhile read trail; do\n  echo \"  ⚠️  $trail: Log validation disabled\"\ndone\n\n# 2.3: S3 bucket for CloudTrail\necho \"2.3: Checking CloudTrail S3 bucket access...\"\naws cloudtrail describe-trails \\\n  --query 'trailList[*].S3BucketName' --output text | \\\nwhile read bucket; do\n  public=$(aws s3api get-bucket-acl --bucket \"$bucket\" 2>&1 | \\\n    grep -c \"AllUsers\")\n  if [ \"$public\" -gt 0 ]; then\n    echo \"  ❌ $bucket: Publicly accessible\"\n  else\n    echo \"  ✓ $bucket: Not public\"\n  fi\ndone\n\n# 2.4: CloudTrail integrated with CloudWatch Logs\necho \"2.4: Checking CloudWatch Logs integration...\"\naws cloudtrail describe-trails \\\n  --query 'trailList[*].[Name,CloudWatchLogsLogGroupArn]' \\\n  --output text | \\\nwhile read name log_group; do\n  if [ \"$log_group\" = \"None\" ]; then\n    echo \"  ⚠️  $name: Not integrated with CloudWatch Logs\"\n  else\n    echo \"  ✓ $name: Integrated with CloudWatch\"\n  fi\ndone\n\n# 2.5: AWS Config enabled\necho \"2.5: Checking AWS Config...\"\nrecorders=$(aws configservice describe-configuration-recorders \\\n  --query 'ConfigurationRecorders[*].name' --output text)\n\nif [ -z \"$recorders\" ]; then\n  echo \"  ❌ AWS Config not enabled\"\nelse\n  echo \"  ✓ AWS Config enabled: $recorders\"\nfi\n\n# 2.6: S3 bucket logging\necho \"2.6: Checking S3 bucket logging...\"\naws s3api list-buckets --query 'Buckets[*].Name' --output text | \\\nwhile read bucket; do\n  logging=$(aws s3api get-bucket-logging --bucket \"$bucket\" 2>&1)\n  if ! echo \"$logging\" | grep -q \"LoggingEnabled\"; then\n    echo \"  ⚠️  $bucket: Access logging disabled\"\n  fi\ndone\n\n# 2.7: VPC Flow Logs\necho \"2.7: Checking VPC Flow Logs...\"\naws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text | \\\nwhile read vpc; do\n  flow_logs=$(aws ec2 describe-flow-logs \\\n    --filter \"Name=resource-id,Values=$vpc\" \\\n    --query 'FlowLogs[*].FlowLogId' --output text)\n  if [ -z \"$flow_logs\" ]; then\n    echo \"  ⚠️  $vpc: No flow logs enabled\"\n  else\n    echo \"  ✓ $vpc: Flow logs enabled\"\n  fi\ndone\n```\n\n### Monitoring (3.x)\n\n```bash\n#!\u002Fbin\u002Fbash\n# cis-monitoring-checks.sh\n\necho \"=== CIS Monitoring Compliance Checks ===\"\n\n# Check for required CloudWatch metric filters and alarms\nrequired_filters=(\n  \"unauthorized-api-calls\"\n  \"no-mfa-console-signin\"\n  \"root-usage\"\n  \"iam-changes\"\n  \"cloudtrail-changes\"\n  \"console-signin-failures\"\n  \"cmk-changes\"\n  \"s3-bucket-policy-changes\"\n  \"aws-config-changes\"\n  \"security-group-changes\"\n  \"nacl-changes\"\n  \"network-gateway-changes\"\n  \"route-table-changes\"\n  \"vpc-changes\"\n)\n\nlog_group=$(aws cloudtrail describe-trails \\\n  --query 'trailList[0].CloudWatchLogsLogGroupArn' \\\n  --output text | cut -d: -f7)\n\nif [ -z \"$log_group\" ] || [ \"$log_group\" = \"None\" ]; then\n  echo \"  ❌ CloudTrail not integrated with CloudWatch Logs\"\nelse\n  echo \"Checking metric filters for log group: $log_group\"\n  \n  existing_filters=$(aws logs describe-metric-filters \\\n    --log-group-name \"$log_group\" \\\n    --query 'metricFilters[*].filterName' --output text)\n  \n  for filter in \"${required_filters[@]}\"; do\n    if echo \"$existing_filters\" | grep -q \"$filter\"; then\n      echo \"  ✓ $filter: Configured\"\n    else\n      echo \"  ⚠️  $filter: Missing\"\n    fi\n  done\nfi\n```\n\n### Networking (4.x)\n\n```bash\n#!\u002Fbin\u002Fbash\n# cis-networking-checks.sh\n\necho \"=== CIS Networking Compliance Checks ===\"\n\n# 4.1: No security groups allow 0.0.0.0\u002F0 ingress to port 22\necho \"4.1: Checking SSH access (port 22)...\"\naws ec2 describe-security-groups \\\n  --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \\\n  --output json | \\\njq -r '.[] | select(.[2][]? | \n  select(.FromPort == 22 and .IpRanges[]?.CidrIp == \"0.0.0.0\u002F0\")) | \n  \"  ⚠️  \\(.[0]): \\(.[1]) allows SSH from 0.0.0.0\u002F0\"'\n\n# 4.2: No security groups allow 0.0.0.0\u002F0 ingress to port 3389\necho \"4.2: Checking RDP access (port 3389)...\"\naws ec2 describe-security-groups \\\n  --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \\\n  --output json | \\\njq -r '.[] | select(.[2][]? | \n  select(.FromPort == 3389 and .IpRanges[]?.CidrIp == \"0.0.0.0\u002F0\")) | \n  \"  ⚠️  \\(.[0]): \\(.[1]) allows RDP from 0.0.0.0\u002F0\"'\n\n# 4.3: Default security group restricts all traffic\necho \"4.3: Checking default security groups...\"\naws ec2 describe-security-groups \\\n  --filters Name=group-name,Values=default \\\n  --query 'SecurityGroups[*].[GroupId,IpPermissions,IpPermissionsEgress]' \\\n  --output json | \\\njq -r '.[] | select((.[1] | length) > 0 or (.[2] | length) > 1) | \n  \"  ⚠️  \\(.[0]): Default SG has rules\"'\n```\n\n## PCI-DSS Compliance Checks\n\n```python\n#!\u002Fusr\u002Fbin\u002Fenv python3\n# pci-dss-checker.py\n\nimport boto3\n\ndef check_pci_compliance():\n    \"\"\"Check PCI-DSS requirements\"\"\"\n    \n    ec2 = boto3.client('ec2')\n    rds = boto3.client('rds')\n    s3 = boto3.client('s3')\n    \n    issues = []\n    \n    # Requirement 1: Network security\n    sgs = ec2.describe_security_groups()\n    for sg in sgs['SecurityGroups']:\n        for perm in sg.get('IpPermissions', []):\n            for ip_range in perm.get('IpRanges', []):\n                if ip_range.get('CidrIp') == '0.0.0.0\u002F0':\n                    issues.append(f\"PCI 1.2: {sg['GroupId']} open to internet\")\n    \n    # Requirement 2: Secure configurations\n    # Check for default passwords, etc.\n    \n    # Requirement 3: Protect cardholder data\n    volumes = ec2.describe_volumes()\n    for vol in volumes['Volumes']:\n        if not vol['Encrypted']:\n            issues.append(f\"PCI 3.4: Volume {vol['VolumeId']} not encrypted\")\n    \n    # Requirement 4: Encrypt transmission\n    # Check for SSL\u002FTLS on load balancers\n    \n    # Requirement 8: Access controls\n    iam = boto3.client('iam')\n    users = iam.list_users()\n    for user in users['Users']:\n        mfa = iam.list_mfa_devices(UserName=user['UserName'])\n        if not mfa['MFADevices']:\n            issues.append(f\"PCI 8.3: {user['UserName']} no MFA\")\n    \n    # Requirement 10: Logging\n    cloudtrail = boto3.client('cloudtrail')\n    trails = cloudtrail.describe_trails()\n    if not trails['trailList']:\n        issues.append(\"PCI 10.1: No CloudTrail enabled\")\n    \n    return issues\n\nif __name__ == \"__main__\":\n    print(\"PCI-DSS Compliance Check\")\n    print(\"=\" * 50)\n    \n    issues = check_pci_compliance()\n    \n    if not issues:\n        print(\"✓ No PCI-DSS issues found\")\n    else:\n        print(f\"Found {len(issues)} issues:\\n\")\n        for issue in issues:\n            print(f\"  ⚠️  {issue}\")\n```\n\n## HIPAA Compliance Checks\n\n```bash\n#!\u002Fbin\u002Fbash\n# hipaa-checker.sh\n\necho \"=== HIPAA Compliance Checks ===\"\n\n# Access Controls (164.308(a)(3))\necho \"Access Controls:\"\naws iam get-credential-report --output text | \\\n  awk -F, 'NR>1 && $4==\"false\" {print \"  ⚠️  \" $1 \": No MFA (164.312(a)(2)(i))\"}'\n\n# Audit Controls (164.312(b))\necho \"\"\necho \"Audit Controls:\"\ntrails=$(aws cloudtrail describe-trails --query 'trailList[*].Name' --output text)\nif [ -z \"$trails\" ]; then\n  echo \"  ❌ No CloudTrail (164.312(b))\"\nelse\n  echo \"  ✓ CloudTrail enabled\"\nfi\n\n# Encryption (164.312(a)(2)(iv))\necho \"\"\necho \"Encryption at Rest:\"\naws ec2 describe-volumes \\\n  --query 'Volumes[?Encrypted==`false`].VolumeId' \\\n  --output text | \\\nwhile read vol; do\n  echo \"  ⚠️  $vol: Not encrypted (164.312(a)(2)(iv))\"\ndone\n\naws rds describe-db-instances \\\n  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \\\n  --output text | \\\nwhile read db; do\n  echo \"  ⚠️  $db: Not encrypted (164.312(a)(2)(iv))\"\ndone\n\n# Transmission Security (164.312(e)(1))\necho \"\"\necho \"Transmission Security:\"\necho \"  Check: All data in transit uses TLS 1.2+\"\n```\n\n## Automated Compliance Reporting\n\n```python\n#!\u002Fusr\u002Fbin\u002Fenv python3\n# compliance-report.py\n\nimport boto3\nimport json\nfrom datetime import datetime\n\ndef generate_compliance_report(framework='cis'):\n    \"\"\"Generate comprehensive compliance report\"\"\"\n    \n    report = {\n        'framework': framework,\n        'generated': datetime.now().isoformat(),\n        'checks': [],\n        'summary': {\n            'total': 0,\n            'passed': 0,\n            'failed': 0,\n            'score': 0\n        }\n    }\n    \n    # Run all checks based on framework\n    if framework == 'cis':\n        checks = run_cis_checks()\n    elif framework == 'pci':\n        checks = run_pci_checks()\n    elif framework == 'hipaa':\n        checks = run_hipaa_checks()\n    \n    report['checks'] = checks\n    report['summary']['total'] = len(checks)\n    report['summary']['passed'] = sum(1 for c in checks if c['status'] == 'PASS')\n    report['summary']['failed'] = report['summary']['total'] - report['summary']['passed']\n    report['summary']['score'] = (report['summary']['passed'] \u002F report['summary']['total']) * 100\n    \n    return report\n\ndef run_cis_checks():\n    # Implement CIS checks\n    return []\n\ndef run_pci_checks():\n    # Implement PCI checks\n    return []\n\ndef run_hipaa_checks():\n    # Implement HIPAA checks\n    return []\n\nif __name__ == \"__main__\":\n    import sys\n    framework = sys.argv[1] if len(sys.argv) > 1 else 'cis'\n    \n    report = generate_compliance_report(framework)\n    \n    print(f\"\\n{framework.upper()} Compliance Report\")\n    print(\"=\" * 50)\n    print(f\"Score: {report['summary']['score']:.1f}%\")\n    print(f\"Passed: {report['summary']['passed']}\u002F{report['summary']['total']}\")\n    print(f\"Failed: {report['summary']['failed']}\u002F{report['summary']['total']}\")\n    \n    # Save to file\n    with open(f'compliance-{framework}-{datetime.now().strftime(\"%Y%m%d\")}.json', 'w') as f:\n        json.dump(report, f, indent=2)\n```\n\n## Example Prompts\n\n- \"Run CIS AWS Foundations compliance check\"\n- \"Generate a PCI-DSS compliance report\"\n- \"Check HIPAA compliance for my AWS account\"\n- \"Audit against SOC 2 requirements\"\n- \"Create a compliance dashboard\"\n\n## Best Practices\n\n- Run compliance checks weekly\n- Automate with Lambda\u002FEventBridge\n- Track compliance trends over time\n- Document exceptions with justification\n- Integrate with AWS Security Hub\n- Use AWS Config Rules for continuous monitoring\n\n## Kiro CLI Integration\n\n```bash\nkiro-cli chat \"Use aws-compliance-checker to run CIS benchmark\"\nkiro-cli chat \"Generate PCI-DSS report with aws-compliance-checker\"\n```\n\n## Additional Resources\n\n- [CIS AWS Foundations Benchmark](https:\u002F\u002Fwww.cisecurity.org\u002Fbenchmark\u002Famazon_web_services)\n- [AWS Security Hub](https:\u002F\u002Faws.amazon.com\u002Fsecurity-hub\u002F)\n- [AWS Compliance Programs](https:\u002F\u002Faws.amazon.com\u002Fcompliance\u002Fprograms\u002F)\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,151,176,"2026-05-16 13:38:11",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"代码审查","review","mdi-magnify-scan","代码质量分析、安全审查",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"d2b31df0-09fb-4914-a2f8-2c25e3ef4c9e","1.0.0","aws-compliance-checker.zip",5001,"uploads\u002Fskills\u002F374cc6c0-d7ff-4f56-9464-20d26dc1abfa\u002Faws-compliance-checker.zip","ac7361e549a8d8daae324f10fbe8dc94d3f0f3b909ed2e8815a271bd58596020","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":14785}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]