[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-a065c1cb-da75-4005-afc0-6cdd4e88f9e1":3,"$f0jMVS-KvTNqLHA-PpQH35NM6if6I-5li8mLfoo5MYy4":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"a065c1cb-da75-4005-afc0-6cdd4e88f9e1","aws-security-audit","使用AWS CLI和安全最佳实践进行全面AWS安全态势评估","cat_coding_review","mod_coding","sickn33,coding","---\nname: aws-security-audit\ndescription: \"Comprehensive AWS security posture assessment using AWS CLI and security best practices\"\ncategory: security\nrisk: safe\nsource: community\ntags: \"[aws, security, audit, compliance, kiro-cli, security-assessment]\"\ndate_added: \"2026-02-27\"\n---\n\n# AWS Security Audit\n\nPerform comprehensive security assessments of AWS environments to identify vulnerabilities and misconfigurations.\n\n## When to Use\nUse this skill when you need to audit AWS security posture, identify vulnerabilities, or prepare for compliance assessments. All commands are read-only (Get\u002FList\u002FDescribe calls plus iam:GenerateCredentialReport); run them under a read-only principal such as a role with the AWS-managed SecurityAudit policy, never with administrative credentials.\n\n## Audit Categories\n\n**Identity & Access Management**\n- Overly permissive IAM policies\n- Unused IAM users and roles\n- MFA enforcement gaps\n- Root account usage\n- Access key rotation\n\n**Network Security**\n- Open security groups (0.0.0.0\u002F0)\n- Public S3 buckets\n- Unencrypted data in transit\n- VPC flow logs disabled\n- Network ACL misconfigurations\n\n**Data Protection**\n- Unencrypted EBS volumes\n- Unencrypted RDS instances\n- S3 bucket encryption disabled\n- Backup policies missing\n- KMS key rotation disabled\n\n**Logging & Monitoring**\n- CloudTrail disabled\n- CloudWatch alarms missing\n- VPC Flow Logs disabled\n- S3 access logging disabled\n- Config recording disabled\n\n## Security Audit Commands\n\n### IAM Security Checks\n\n```bash\n# List IAM users that have a console password but no MFA device (the CIS\n# \"MFA enabled for all IAM users that have a console password\" control).\n# The credential report is generated asynchronously and returned base64-encoded;\n# in the CSV, column 4 is password_enabled and column 8 is mfa_active.\nfor _ in 1 2 3 4 5 6 7 8 9 10; do\n  [ \"$(aws iam generate-credential-report --query State --output text)\" = \"COMPLETE\" ] && break\n  sleep 3\ndone\naws iam get-credential-report --query Content --output text | base64 -d | \\\n  awk -F, 
'NR>1 && $4==\"true\" && $8==\"false\" && $1!=\"\u003Croot_account>\" {print $1}'\n\n# Show last console login per IAM user. PasswordLastUsed only covers console logins;\n# for CLI-only users also check each key with aws iam get-access-key-last-used.\naws iam list-users --query 'Users[*].[UserName]' --output text | \\\nwhile read user; do\n  last_used=$(aws iam get-user --user-name \"$user\" \\\n    --query 'User.PasswordLastUsed' --output text)\n  echo \"$user: $last_used\"\ndone\n\n# Find who has AdministratorAccess. It is an AWS-managed policy, so list-policies --scope Local\n# (customer-managed policies only) never returns it; list the principals it is attached to instead.\n# Inline and customer-managed policies that grant \"*\" still need a separate review (IAM Access Analyzer).\naws iam list-entities-for-policy \\\n  --policy-arn arn:aws:iam::aws:policy\u002FAdministratorAccess \\\n  --query '[PolicyUsers[*].UserName, PolicyGroups[*].GroupName, PolicyRoles[*].RoleName]'\n\n# List access keys with their creation date (rotate any older than 90 days).\n# Users[*].[UserName] rather than Users[*].UserName is required: the CLI prints a plain\n# list as one tab-separated line, which would feed every name to a single read.\naws iam list-users --query 'Users[*].[UserName]' --output text | \\\nwhile read user; do\n  aws iam list-access-keys --user-name \"$user\" \\\n    --query 'AccessKeyMetadata[*].[UserName,AccessKeyId,CreateDate]' \\\n    --output text\ndone\n\n# Check root account access keys\naws iam get-account-summary \\\n  --query 'SummaryMap.AccountAccessKeysPresent'\n```\n\n### Network Security Checks\n\n```bash\n# Find security groups with any-source ingress (IPv4 0.0.0.0\u002F0 or IPv6 ::\u002F0)\naws ec2 describe-security-groups \\\n  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0\u002F0`] || Ipv6Ranges[?CidrIpv6==`::\u002F0`]]].[GroupId,GroupName]' \\\n  --output table\n\n# List public S3 buckets: an ACL grant to AllUsers\u002FAuthenticatedUsers or a public bucket policy.\n# A bucket- or account-level Public Access Block can still override this; confirm before reporting.\naws s3api list-buckets --query 'Buckets[*].[Name]' --output text | \\\nwhile read bucket; do\n  acl=$(aws s3api get-bucket-acl --bucket \"$bucket\" 2>\u002Fdev\u002Fnull)\n  policy_public=$(aws s3api get-bucket-policy-status --bucket \"$bucket\" \\\n    --query 'PolicyStatus.IsPublic' --output text 2>\u002Fdev\u002Fnull)\n  if echo \"$acl\" | grep -Eq \"AllUsers|AuthenticatedUsers\" || [ \"$policy_public\" = \"True\" ]; then\n    echo \"PUBLIC: $bucket\"\n  fi\ndone\n\n# Check VPC Flow Logs status\naws ec2 describe-vpcs --query 'Vpcs[*].[VpcId]' --output text | \\\nwhile read vpc; do\n  flow_logs=$(aws ec2 describe-flow-logs \\\n    --filter \"Name=resource-id,Values=$vpc\" \\\n    --query 'FlowLogs[*].FlowLogId' --output text)\n  if [ -z \"$flow_logs\" ]; then\n    echo \"No flow logs: $vpc\"\n  fi\ndone\n\n# Find RDS instances without encryption\naws rds describe-db-instances \\\n  --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier]' \\\n  --output table\n```\n\n### Data Protection Checks\n\n```bash\n# Find 
unencrypted EBS volumes\naws ec2 describe-volumes \\\n  --query 'Volumes[?Encrypted==`false`].[VolumeId,Size,State]' \\\n  --output table\n\n# Check S3 bucket encryption. Every bucket has had SSE-S3 by default since January 2023, so\n# this only flags legacy buckets; if SSE-KMS is required, inspect SSEAlgorithm\u002FKMSMasterKeyID instead.\naws s3api list-buckets --query 'Buckets[*].[Name]' --output text | \\\nwhile read bucket; do\n  encryption=$(aws s3api get-bucket-encryption \\\n    --bucket \"$bucket\" 2>&1)\n  if echo \"$encryption\" | grep -q \"ServerSideEncryptionConfigurationNotFoundError\"; then\n    echo \"No encryption: $bucket\"\n  fi\ndone\n\n# Find RDS snapshots that are public (only manual snapshots can be shared; for Aurora use\n# describe-db-cluster-snapshots \u002F describe-db-cluster-snapshot-attributes)\naws rds describe-db-snapshots --snapshot-type manual \\\n  --query 'DBSnapshots[*].[DBSnapshotIdentifier]' --output text | \\\nwhile read snapshot; do\n  attrs=$(aws rds describe-db-snapshot-attributes \\\n    --db-snapshot-identifier \"$snapshot\" \\\n    --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues' \\\n    --output text)\n  if echo \"$attrs\" | grep -qw \"all\"; then\n    echo \"PUBLIC SNAPSHOT: $snapshot\"\n  fi\ndone\n\n# Check KMS key rotation (asymmetric and HMAC keys do not support rotation; their error\n# is discarded below so they are not reported)\naws kms list-keys --query 'Keys[*].[KeyId]' --output text | \\\nwhile read key; do\n  rotation=$(aws kms get-key-rotation-status --key-id \"$key\" \\\n    --query 'KeyRotationEnabled' --output text 2>\u002Fdev\u002Fnull)\n  if [ \"$rotation\" = \"False\" ]; then\n    echo \"Rotation disabled: $key\"\n  fi\ndone\n```\n\n### Logging & Monitoring Checks\n\n```bash\n# Check CloudTrail configuration\naws cloudtrail describe-trails \\\n  --query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \\\n  --output table\n\n# Verify every trail is actually logging (use the ARN so trails homed in other regions resolve)\naws cloudtrail describe-trails --query 'trailList[*].[TrailARN]' --output text | \\\nwhile read trail; do\n  echo \"$trail: IsLogging=$(aws cloudtrail get-trail-status --name \"$trail\" --query IsLogging --output text)\"\ndone\n\n# Check if AWS Config is enabled: a recorder must exist AND be recording\naws configservice describe-configuration-recorders \\\n  --query 'ConfigurationRecorders[*].[name,roleARN]' \\\n  --output table\naws configservice describe-configuration-recorder-status \\\n  --query 'ConfigurationRecordersStatus[*].[name,recording,lastStatus]' \\\n  --output table\n\n# List S3 buckets without access logging\naws s3api list-buckets --query 'Buckets[*].[Name]' --output text | \\\nwhile read bucket; do\n  logging=$(aws s3api get-bucket-logging --bucket \"$bucket\" 2>&1)\n  if ! echo \"$logging\" | grep -q \"LoggingEnabled\"; then\n    echo \"No access logging: $bucket\"\n  fi\ndone\n```\n\n## Automated Security Audit Script\n\n```bash\n#!\u002Fbin\u002Fbash\n# comprehensive-security-audit.sh\n# Abort on any failed API call rather than print a misleadingly clean report\n# (a failed call would otherwise show up as \"0\" findings). Read-only: only\n# Get\u002FList\u002FDescribe calls plus GenerateCredentialReport. The EC2\u002FRDS\u002FCloudTrail\n# checks are scoped to the CLI's current region; repeat per region.\nset -euo pipefail\n\necho \"=== AWS Security Audit Report ===\"\necho \"Generated: $(date)\"\necho \"Account: $(aws sts get-caller-identity --query Account --output text)\"\necho \"\"\n\n# IAM Checks\necho \"## IAM Security\"\necho \"Console users without MFA:\"\nfor _ in 1 2 3 4 5 6 7 8 9 10; do\n  [ \"$(aws iam generate-credential-report --query State --output text)\" = \"COMPLETE\" ] && break\n  sleep 3\ndone\n# Report is base64-encoded CSV: column 4 = password_enabled, column 8 = mfa_active\naws iam get-credential-report --query Content --output text | base64 -d | \\\n  awk -F, 'NR>1 && $4==\"true\" && $8==\"false\" && $1!=\"\u003Croot_account>\" {print \"  - \" $1}'\n\necho \"\"\necho \"Root account access keys:\"\naws iam get-account-summary \\\n  --query 'SummaryMap.AccountAccessKeysPresent' --output text\n\n# Network Checks. length() counts matches server-side; piping the text output of a\n# scalar list to wc -l would always print 1 because the CLI puts the whole list on\n# one tab-separated line.\necho \"\"\necho \"## Network Security\"\necho \"Security groups open to 0.0.0.0\u002F0 or ::\u002F0:\"\naws ec2 describe-security-groups \\\n  --query 'length(SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0\u002F0`] || Ipv6Ranges[?CidrIpv6==`::\u002F0`]]])' \\\n  --output text\n\n# Data Protection\necho \"\"\necho \"## Data Protection\"\necho \"Unencrypted EBS volumes:\"\naws ec2 describe-volumes \\\n  --query 'length(Volumes[?Encrypted==`false`])' \\\n  --output text\n\necho \"\"\necho \"Unencrypted RDS instances:\"\naws rds describe-db-instances \\\n  --query 'length(DBInstances[?StorageEncrypted==`false`])' \\\n  --output text\n\n# Logging (describe-trails does not return IsLogging; that comes from get-trail-status)\necho \"\"\necho \"## Logging & Monitoring\"\necho \"CloudTrail status:\"\naws cloudtrail describe-trails \\\n  --query 'trailList[*].[Name,TrailARN,IsMultiRegionTrail,LogFileValidationEnabled]' \\\n  --output table\naws cloudtrail describe-trails --query 'trailList[*].[TrailARN]' --output text | \\\nwhile read trail; do\n  echo \"  - $trail: IsLogging=$(aws cloudtrail get-trail-status --name \"$trail\" --query IsLogging --output text)\"\ndone\n\necho \"\"\necho \"=== End of Report ===\"\n```\n\n## Security Score Calculator\n\n```python\n#!\u002Fusr\u002Fbin\u002Fenv python3\n# security-score.py\n\nimport boto3\nimport json\n\ndef calculate_security_score():\n    iam = boto3.client('iam')\n    ec2 = boto3.client('ec2')\n    s3 = boto3.client('s3')\n    \n    score = 100\n    issues = []\n    \n    # Check MFA\n    try:\n        report = iam.get_credential_report()\n        users_without_mfa = 0\n        # Parse report 
and count: Content is a CSV (boto3 already base64-decodes it). The root row is\n        # skipped and only users with a console password are considered, matching the CIS\n        # \"MFA enabled for all IAM users that have a console password\" control.\n        lines = report['Content'].decode('utf-8').splitlines()\n        header = lines[0].split(',')\n        for line in lines[1:]:\n            row = dict(zip(header, line.split(',')))\n            if (row['user'] != '\u003Croot_account>'\n                    and row['password_enabled'] == 'true'\n                    and row['mfa_active'] == 'false'):\n                users_without_mfa += 1\n        if users_without_mfa > 0:\n            score -= 10\n            issues.append(f\"{users_without_mfa} users without MFA\")\n    except (iam.exceptions.CredentialReportNotPresentException,\n            iam.exceptions.CredentialReportNotReadyException):\n        # Do not let a missing report silently count as \"all users have MFA\"\n        issues.append(\"MFA check skipped: call iam.generate_credential_report() and re-run\")\n    \n    # Check open security groups: any-source ingress over IPv4 or IPv6, counted once\n    # per group; paginated so large accounts are not silently truncated\n    open_sgs = 0\n    for page in ec2.get_paginator('describe_security_groups').paginate():\n        for sg in page['SecurityGroups']:\n            for perm in sg.get('IpPermissions', []):\n                ipv4_open = any(r.get('CidrIp') == '0.0.0.0\u002F0' for r in perm.get('IpRanges', []))\n                ipv6_open = any(r.get('CidrIpv6') == '::\u002F0' for r in perm.get('Ipv6Ranges', []))\n                if ipv4_open or ipv6_open:\n                    open_sgs += 1\n                    break\n    \n    if open_sgs > 0:\n        score -= 15\n        issues.append(f\"{open_sgs} security groups open to internet\")\n    \n    # Check unencrypted volumes (paginated)\n    unencrypted = sum(\n        1\n        for page in ec2.get_paginator('describe_volumes').paginate()\n        for v in page['Volumes']\n        if not v['Encrypted'])\n    \n    if unencrypted > 0:\n        score -= 20\n        issues.append(f\"{unencrypted} unencrypted EBS volumes\")\n    \n    # The score is a coarse, illustrative number: it covers only the three checks above\n    # and the EC2 checks are scoped to the client's configured region.\n    print(f\"Security Score: {score}\u002F100\")\n    print(\"\\nIssues Found:\")\n    for issue in issues:\n        print(f\"  - {issue}\")\n    \n    return score\n\nif __name__ == \"__main__\":\n    calculate_security_score()\n```\n\n## Compliance Mapping\n\n**CIS AWS Foundations Benchmark** (control numbers differ between benchmark versions; cite the version you assess against)\n- 1.1: Root account usage\n- 1.2-1.14: IAM policies and MFA\n- 2.1-2.9: Logging (CloudTrail, Config, VPC Flow Logs)\n- 4.1-4.3: Monitoring and alerting\n\n**PCI-DSS**\n- Requirement 1: Network security controls\n- Requirement 2: Secure configurations\n- Requirement 8: Access controls and MFA\n- Requirement 10: Logging and monitoring\n\n**HIPAA**\n- Access controls (IAM)\n- Audit controls (CloudTrail)\n- Encryption (EBS, RDS, S3)\n- Transmission security (TLS\u002FSSL)\n\n## Remediation Priorities\n\n**Critical (Fix Immediately)**\n- Root account access keys\n- Public RDS snapshots\n- Security groups open to 0.0.0.0\u002F0 on sensitive ports\n- CloudTrail disabled\n\n**High (Fix Within 7 Days)**\n- Users without MFA\n- Unencrypted data at rest\n- Missing 
VPC Flow Logs\n- Overly permissive IAM policies\n\n**Medium (Fix Within 30 Days)**\n- Old access keys (>90 days)\n- Missing S3 access logging\n- Unused IAM users\n- KMS key rotation disabled\n\n## Example Prompts\n\n- \"Run a comprehensive security audit on my AWS account\"\n- \"Check for IAM security issues\"\n- \"Find all unencrypted resources\"\n- \"Generate a security compliance report\"\n- \"Calculate my AWS security score\"\n\n## Best Practices\n\n- Run the audit under a dedicated read-only principal (for example a role with the AWS-managed `SecurityAudit` policy), never with administrative credentials; it only needs Get\u002FList\u002FDescribe permissions plus iam:GenerateCredentialReport\n- EC2, RDS, KMS, VPC Flow Logs, Config and CloudTrail checks are regional: repeat them for every enabled region (`aws ec2 describe-regions --query 'Regions[*].[RegionName]' --output text`); IAM and S3 are global\n- Run audits weekly\n- Automate with Lambda\u002FEventBridge\n- Export results to S3 for trending, to a bucket the audited principals cannot modify\n- Integrate with SIEM tools\n- Track remediation progress\n- Document exceptions with business justification\n\n## Kiro CLI Integration\n\n```bash\nkiro-cli chat \"Use aws-security-audit to assess my security posture\"\nkiro-cli chat \"Generate a security audit report with aws-security-audit\"\n```\n\n## Additional Resources\n\n- [AWS Security Best Practices](https:\u002F\u002Faws.amazon.com\u002Fsecurity\u002Fbest-practices\u002F)\n- [CIS AWS Foundations Benchmark](https:\u002F\u002Fwww.cisecurity.org\u002Fbenchmark\u002Famazon_web_services)\n- [AWS Security Hub](https:\u002F\u002Faws.amazon.com\u002Fsecurity-hub\u002F)\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,82,834,"2026-05-16 13:38:14",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"代码审查","review","mdi-magnify-scan","代码质量分析、安全审查",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"7a71e2c1-9242-4264-90ea-0a086648816d","1.0.0","aws-security-audit.zip",3597,"uploads\u002Fskills\u002Fa065c1cb-da75-4005-afc0-6cdd4e88f9e1\u002Faws-security-audit.zip","10e4aead1940dfd2deea08178c664e2f95d7b5a151c4d5cf711447402a6c81c2","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":10227}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]