implementing-cloud-vulnerability-posture-management

Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.


npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/implementing-cloud-vulnerability-posture-management

SKILL.md

Implementing Cloud Vulnerability Posture Management

Overview

Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.

When to Use

  • When deploying or configuring cloud vulnerability posture management capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

AWS Security Hub

Enable Security Hub

bash
# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable specific standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'

# Get findings summary
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
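The CLI call above returns raw ASFF records; what a practitioner actually needs is to roll the active failures up per control (so one misconfigured control across fifty buckets is one work item, not fifty), and to suppress findings that sit on a documented, time-boxed risk acceptance. The following is an added example, not code from the skill: the findings are constructed ASFF records in the shape `get-findings` returns for Security Hub standards controls, the risk register is a hypothetical input, and only `apply_suppressions` touches AWS (via `BatchUpdateFindings`, which caps `FindingIdentifiers` at 100 per call).

```python
"""Triage Security Hub findings and prepare risk-acceptance suppressions.

Added example (not part of the original skill). SAMPLE_FINDINGS are constructed
ASFF records; ACCEPTED_RISKS is a hypothetical risk register.
"""
from collections import defaultdict
from datetime import date

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"


def _asff(fid, control, title, sev, resource, rtype,
          compliance="FAILED", workflow="NEW", record="ACTIVE"):
    """Minimal ASFF record (constructed sample data, not a real finding)."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:111122223333:security-control/{control}/finding/{fid}",
        "ProductArn": PRODUCT_ARN,
        "Title": title,
        "Severity": {"Label": sev},
        "Compliance": {"Status": compliance, "SecurityControlId": control},
        "Resources": [{"Type": rtype, "Id": resource}],
        "RecordState": record,
        "Workflow": {"Status": workflow},
    }


SG_OPEN = "Security groups should not allow unrestricted access to high-risk ports"
SAMPLE_FINDINGS = [
    _asff("a1", "S3.2", "S3 buckets should block public read access", "CRITICAL",
          "arn:aws:s3:::public-assets", "AwsS3Bucket"),
    _asff("a2", "S3.2", "S3 buckets should block public read access", "CRITICAL",
          "arn:aws:s3:::cloudtrail-logs", "AwsS3Bucket"),
    _asff("a3", "IAM.4", "IAM root user access key should not exist", "CRITICAL",
          "AWS::::Account:111122223333", "AwsAccount"),
    _asff("a4", "EC2.19", SG_OPEN, "HIGH",
          "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc", "AwsEc2SecurityGroup"),
    # Already suppressed, passing, or archived: triage must ignore these three.
    _asff("a5", "S3.2", "S3 buckets should block public read access", "CRITICAL",
          "arn:aws:s3:::old-bucket", "AwsS3Bucket", workflow="SUPPRESSED"),
    _asff("a6", "S3.2", "S3 buckets should block public read access", "CRITICAL",
          "arn:aws:s3:::private-data", "AwsS3Bucket", compliance="PASSED"),
    _asff("a7", "EC2.19", SG_OPEN, "HIGH",
          "arn:aws:ec2:us-east-1:111122223333:security-group/sg-gone", "AwsEc2SecurityGroup",
          record="ARCHIVED"),
]

# Hypothetical risk register: control + exact resource + expiry date + ticket.
ACCEPTED_RISKS = [
    {"control": "S3.2", "resource": "arn:aws:s3:::public-assets",
     "expires": "2099-01-01", "ticket": "RISK-42"},
    {"control": "EC2.19", "resource": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc",
     "expires": "2020-01-01", "ticket": "RISK-7"},  # lapsed: the finding must resurface
]


def open_failures(findings):
    """Keep findings that still need action: active, FAILED, not resolved/suppressed."""
    return [f for f in findings
            if f.get("RecordState") == "ACTIVE"
            and f.get("Compliance", {}).get("Status") == "FAILED"
            and f.get("Workflow", {}).get("Status") not in ("RESOLVED", "SUPPRESSED")]


def group_by_control(findings):
    """One work item per control, worst severity first, then most resources first."""
    groups = {}
    for f in findings:
        control = f["Compliance"].get("SecurityControlId", "UNKNOWN")
        g = groups.setdefault(control, {"control": control, "title": f.get("Title", ""),
                                        "severity": f["Severity"]["Label"], "resources": []})
        g["resources"].extend(r["Id"] for r in f.get("Resources", []))
        if SEVERITY_RANK.get(f["Severity"]["Label"], 9) < SEVERITY_RANK.get(g["severity"], 9):
            g["severity"] = f["Severity"]["Label"]
    return sorted(groups.values(),
                  key=lambda g: (SEVERITY_RANK.get(g["severity"], 9), -len(g["resources"])))


def build_suppression_batches(findings, accepted_risks, today=None, batch_size=100):
    """BatchUpdateFindings requests for findings covered by an unexpired acceptance.

    Expired entries are ignored so a lapsed exception resurfaces the finding;
    identifiers sharing a note are chunked to the API's 100-per-call limit."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    live = {(a["control"], a["resource"]): a for a in accepted_risks
            if date.fromisoformat(a["expires"]) >= today}
    by_note = defaultdict(list)
    for f in findings:
        control = f["Compliance"].get("SecurityControlId")
        for r in f.get("Resources", []):
            acc = live.get((control, r["Id"]))
            if acc:
                note = f"Accepted risk {acc['ticket']} until {acc['expires']}"
                by_note[note].append({"Id": f["Id"], "ProductArn": f["ProductArn"]})
    return [{"FindingIdentifiers": idents[i:i + batch_size],
             "Workflow": {"Status": "SUPPRESSED"},
             "Note": {"Text": note, "UpdatedBy": "cspm-triage"}}
            for note, idents in by_note.items()
            for i in range(0, len(idents), batch_size)]


def apply_suppressions(requests, region="us-east-1"):
    """Send the prepared requests (needs securityhub:BatchUpdateFindings).
    boto3 is imported lazily so the triage logic runs without AWS credentials."""
    import boto3
    client = boto3.client("securityhub", region_name=region)
    return [client.batch_update_findings(**req) for req in requests]
```

Feed `open_failures()` the `Findings` list from `get-findings` (page through `NextToken`, or use the boto3 paginator) rather than the first 10 items the CLI call above returns; the `--max-items` flag is fine for a quick look but will silently hide the rest of the estate.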

Security Hub Standards

| Standard | Description |
| --- | --- |
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |

Azure Defender for Cloud

Enable Defender CSPM

bash
# Enable the Defender CSPM plan at the standard (paid) tier for the current subscription;
# the free tier of Defender for Cloud gives only foundational CSPM (secure score and recommendations)
az security pricing create \
  --name CloudPosture \
  --tier standard

# Check secure score (score is nested: score.current / score.max)
az security secure-scores list \
  --query "[].{Name:displayName,Score:score.current,Max:score.max}" \
  --output table

# Get security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table

# Get alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table

Open-Source: Prowler

Installation and Execution

bash
# Install Prowler
pip install prowler

# Run full AWS scan (output formats are space-separated)
prowler aws --output-formats json-ocsf csv html

# Run specific checks (Prowler check IDs)
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled \
  ec2_securitygroup_allow_ingress_from_internet_to_any_port

# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws

# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws

# Scan Azure environment (an auth method is required; --az-cli-auth reuses the az login session)
prowler azure --az-cli-auth --subscription-ids "sub-id-here"

# Scan GCP environment
prowler gcp --project-ids "project-id-here"

# Note: Prowler exits with code 3 when any check fails; pass --ignore-exit-code-3 (-z)
# if the scan is run in a pipeline that should only fail on scanner errors.

Prowler Check Categories

| Category | Examples |
| --- | --- |
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log validation |
| VPC | Flow logs, default SG restrictions |
| Lambda | Public access, runtime versions |
| EKS | Public endpoint, secrets encryption |

Open-Source: ScoutSuite

bash
# Install ScoutSuite
pip install scoutsuite

# Run AWS assessment
scout aws --profile production

# Run Azure assessment (reuse the az login session)
scout azure --cli

# Run GCP assessment (an auth method is required; --user-account uses gcloud application-default credentials)
scout gcp --user-account --project-id my-project

# Results are written to ./scoutsuite-report/ as an interactive HTML report
# (one file per assessed account, e.g. scoutsuite-report/aws-<account-id>.html); open it in a browser

Multi-Cloud Aggregation

python
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

def run_prowler_scan(provider, output_dir, compliance=None):
    """Run a Prowler scan for a cloud provider.

    Prowler exits 3 when at least one check FAILs, so 3 still means the scan
    itself completed; anything else is a scanner or authentication error."""
    cmd = ["prowler", provider, "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode in (0, 3)

def load_ocsf_file(path):
    """Load one Prowler json-ocsf output file.

    Prowler writes the OCSF output as a single JSON array; accept one-object-per-line
    (JSON Lines) as well so files from other exporters aggregate the same way."""
    text = Path(path).read_text()
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        findings = []
        for line in text.splitlines():
            try:
                findings.append(json.loads(line))
            except json.JSONDecodeError:
                continue  # skip blank or truncated lines
        return findings

def aggregate_findings(prowler_dirs, failed_only=True):
    """Aggregate findings from multiple Prowler scans, worst severity first."""
    all_findings = []
    for scan_dir in prowler_dirs:
        for jf in Path(scan_dir).glob("*.json"):
            all_findings.extend(load_ocsf_file(jf))
    if failed_only:
        # OCSF status_code is "FAIL" / "PASS" / "MANUAL"; posture reports are about FAILs
        all_findings = [f for f in all_findings if f.get("status_code") == "FAIL"]
    # Sort by severity (OCSF severity is a label such as "Critical")
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        str(f.get("severity", "informational")).lower(), 5
    ))
    return all_findings

def generate_posture_report(findings, output_path):
    """Generate cloud security posture report from OCSF findings.

    Provider and service live under nested OCSF keys (cloud.provider and
    resources[].group.name), not at the top level."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = str(f.get("severity", "unknown")).lower()
        provider = f.get("cloud", {}).get("provider", "unknown")
        resources = f.get("resources") or [{}]
        service = resources[0].get("group", {}).get("name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1

    with open(output_path, "w") as f:
        json.dump(report, f, indent=2)
    return report
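The aggregation above only understands Prowler's OCSF output. In a real multi-cloud program the same estate is also reported by Security Hub (ASFF) and by Defender for Cloud (`az security assessment list`), and the three disagree on field names, severity casing and what "failed" is called. The following added example (not the skill's own code) normalizes one record from each source into a common shape, drops exact duplicates from overlapping scans, computes per-provider pass rates, and applies a CI gate on failed-finding counts per severity. The three sample inputs are constructed in the shape each tool emits; `max_fail` is a hypothetical policy. For the Azure record, `metadata.severity` is read with a fallback because the assessment list does not always carry metadata.

```python
"""Normalize ASFF, Prowler OCSF and Azure assessment records, then gate on them.

Added example; sample inputs are constructed, not captured from live accounts.
"""

SEVERITIES = ("critical", "high", "medium", "low", "informational")


def from_asff(finding):
    """Security Hub finding (ASFF, as returned by get-findings) -> common record."""
    comp = finding.get("Compliance", {})
    return {
        "provider": "aws",
        "check": comp.get("SecurityControlId") or finding.get("GeneratorId", "unknown"),
        "resource": (finding.get("Resources") or [{}])[0].get("Id", "unknown"),
        "severity": finding.get("Severity", {}).get("Label", "INFORMATIONAL").lower(),
        "status": "FAIL" if comp.get("Status") == "FAILED" else "PASS",
    }


def from_ocsf(finding):
    """Prowler json-ocsf finding (OCSF Detection Finding) -> common record."""
    return {
        "provider": finding.get("cloud", {}).get("provider", "unknown").lower(),
        "check": finding.get("metadata", {}).get("event_code", "unknown"),
        "resource": (finding.get("resources") or [{}])[0].get("uid", "unknown"),
        "severity": str(finding.get("severity", "informational")).lower(),
        "status": str(finding.get("status_code", "PASS")).upper(),
    }


def from_azure_assessment(assessment):
    """Item from `az security assessment list -o json` -> record; NotApplicable is dropped."""
    code = assessment.get("status", {}).get("code")
    if code == "NotApplicable":
        return None
    meta = assessment.get("metadata") or {}
    return {
        "provider": "azure",
        "check": assessment.get("displayName", "unknown"),
        "resource": assessment.get("resourceDetails", {}).get("id", "unknown"),
        "severity": str(meta.get("severity", "informational")).lower(),
        "status": "FAIL" if code == "Unhealthy" else "PASS",
    }


def normalize(asff=(), ocsf=(), azure=()):
    """Merge all sources, dropping exact duplicates (same provider, check, resource)."""
    records, seen = [], set()
    candidates = ([from_asff(f) for f in asff] + [from_ocsf(f) for f in ocsf]
                  + [from_azure_assessment(a) for a in azure])
    for rec in candidates:
        if rec is None:
            continue
        key = (rec["provider"], rec["check"], rec["resource"])
        if key not in seen:
            seen.add(key)
            records.append(rec)
    return records


def posture(records):
    """Per-provider totals, FAIL counts by severity and pass rate."""
    out = {}
    for r in records:
        p = out.setdefault(r["provider"], {"total": 0, "fail": 0, "by_severity": {}})
        p["total"] += 1
        if r["status"] == "FAIL":
            p["fail"] += 1
            p["by_severity"][r["severity"]] = p["by_severity"].get(r["severity"], 0) + 1
    for p in out.values():
        p["pass_rate"] = round(1 - p["fail"] / p["total"], 3) if p["total"] else 1.0
    return out


def gate(records, max_fail):
    """CI gate: max_fail maps severity -> allowed FAIL count across all providers.
    Returns (ok, violations) where violations is {severity: actual_count}."""
    counts = {s: 0 for s in SEVERITIES}
    for r in records:
        if r["status"] == "FAIL":
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    violations = {s: counts.get(s, 0) for s, limit in max_fail.items() if counts.get(s, 0) > limit}
    return (not violations, violations)


# Constructed sample inputs, one per source.
SAMPLE_ASFF = [
    {"Id": "sh-1", "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.2"},
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Id": "arn:aws:s3:::public-assets"}]},
    {"Id": "sh-2", "Compliance": {"Status": "PASSED", "SecurityControlId": "CloudTrail.1"},
     "Severity": {"Label": "HIGH"}, "Resources": [{"Id": "AWS::::Account:111122223333"}]},
]
SAMPLE_OCSF = [
    {"metadata": {"event_code": "iam_root_mfa_enabled"}, "cloud": {"provider": "aws"},
     "severity": "Critical", "status_code": "FAIL",
     "resources": [{"uid": "arn:aws:iam::111122223333:root", "group": {"name": "iam"}}]},
    {"metadata": {"event_code": "ec2_securitygroup_allow_ingress_from_internet_to_any_port"},
     "cloud": {"provider": "aws"}, "severity": "High", "status_code": "FAIL",
     "resources": [{"uid": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc",
                    "group": {"name": "ec2"}}]},
    {"metadata": {"event_code": "cloudtrail_multi_region_enabled"}, "cloud": {"provider": "aws"},
     "severity": "High", "status_code": "PASS",
     "resources": [{"uid": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main",
                    "group": {"name": "cloudtrail"}}]},
]
SAMPLE_OCSF.append(dict(SAMPLE_OCSF[0]))  # same finding from a second scan run: must dedupe
SAMPLE_AZURE = [
    {"displayName": "Storage accounts should restrict network access",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"id": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/st1"}},
    {"displayName": "MFA should be enabled on accounts with owner permissions on subscriptions",
     "status": {"code": "Healthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"id": "/subscriptions/0000"}},
    {"displayName": "Kubernetes clusters should be accessible only over HTTPS",
     "status": {"code": "NotApplicable"}, "resourceDetails": {"id": "/subscriptions/0000"}},
]
```

Note that the gate counts by severity label, so a provider whose exporter omits severity falls into `informational` and never trips a `critical` threshold; if that matters for your sources, fail closed by treating an unknown severity as `high` before calling `gate()`.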
