Initial commit - 611 cybersecurity skills across all subdomains

mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,204 @@
---
name: implementing-cloud-vulnerability-posture-management
description: Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
domain: cybersecurity
subdomain: vulnerability-management
tags: [cspm, cloud-security, aws-security-hub, azure-defender, prowler, scoutsuite, misconfiguration, cnapp]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Cloud Vulnerability Posture Management
## Overview
Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.
## Prerequisites
- AWS CLI configured with SecurityAudit IAM policy
- Azure CLI with Security Reader role
- Python 3.9+ with `boto3`, `azure-identity`, `azure-mgmt-security`
- Prowler (https://github.com/prowler-cloud/prowler)
- ScoutSuite (https://github.com/nccgroup/ScoutSuite)
## AWS Security Hub
### Enable Security Hub
```bash
# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
--enable-default-standards \
--region us-east-1
# Enable specific standards
aws securityhub batch-enable-standards \
--standards-subscription-requests \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'
# Get findings summary
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
--max-items 10
```
### Security Hub Standards
| Standard | Description |
|----------|------------|
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |
## Azure Defender for Cloud
### Enable Defender CSPM
```bash
# Enable Defender for Cloud free tier
az security pricing create \
--name CloudPosture \
--tier standard
# Check secure score
az security secure-score list \
--query "[].{Name:displayName,Score:current,Max:max}" \
--output table
# Get security recommendations
az security assessment list \
--query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
--output table
# Get alerts
az security alert list \
--query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
--output table
```
## Open-Source: Prowler
### Installation and Execution
```bash
# Install Prowler
pip install prowler
# Run full AWS scan
prowler aws --output-formats json-ocsf,csv,html
# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet
# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf
# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws
# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws
# Scan Azure environment
prowler azure --subscription-ids "sub-id-here"
# Scan GCP environment
prowler gcp --project-ids "project-id-here"
```
### Prowler Check Categories
| Category | Examples |
|----------|---------|
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log validation |
| VPC | Flow logs, default SG restrictions |
| Lambda | Public access, runtime versions |
| EKS | Public endpoint, secrets encryption |
## Open-Source: ScoutSuite
```bash
# Install ScoutSuite
pip install scoutsuite
# Run AWS assessment
scout aws --profile production
# Run Azure assessment
scout azure --cli
# Run GCP assessment
scout gcp --project-id my-project
# Results available as interactive HTML report
# Open scout-report/report.html in browser
```
## Multi-Cloud Aggregation
```python
import json
import subprocess
from datetime import datetime, timezone
def run_prowler_scan(provider, output_dir, compliance=None):
"""Run Prowler scan for a cloud provider."""
cmd = ["prowler", provider, "--output-formats", "json-ocsf",
"--output-directory", output_dir]
if compliance:
cmd.extend(["--compliance", compliance])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
return result.returncode == 0
def aggregate_findings(prowler_dirs):
"""Aggregate findings from multiple Prowler scans."""
all_findings = []
for scan_dir in prowler_dirs:
json_files = list(Path(scan_dir).glob("*.json"))
for jf in json_files:
with open(jf, "r") as f:
for line in f:
try:
finding = json.loads(line.strip())
all_findings.append(finding)
except json.JSONDecodeError:
continue
# Sort by severity
severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
all_findings.sort(key=lambda f: severity_order.get(
f.get("severity", "informational").lower(), 5
))
return all_findings
def generate_posture_report(findings, output_path):
"""Generate cloud security posture report."""
report = {
"generated_at": datetime.now(timezone.utc).isoformat(),
"total_findings": len(findings),
"by_severity": {},
"by_provider": {},
"by_service": {},
}
for f in findings:
sev = f.get("severity", "unknown")
provider = f.get("cloud_provider", "unknown")
service = f.get("service_name", "unknown")
report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
report["by_service"][service] = report["by_service"].get(service, 0) + 1
with open(output_path, "w") as f:
json.dump(report, f, indent=2)
return report
```
## References
- [AWS Security Hub](https://aws.amazon.com/security-hub/)
- [Azure Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/)
- [Prowler](https://github.com/prowler-cloud/prowler)
- [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks)
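Review bot: `aggregate_findings` in the Multi-Cloud Aggregation block calls `Path(scan_dir)` but the block never imports it; add `from pathlib import Path` beside the other imports or the function raises `NameError` on first use. In the same block, `generate_posture_report` reads the flat keys `cloud_provider` and `service_name`, whereas the OCSF records that this repository's own parser consumes nest them (`finding.get("cloud", {}).get("provider")`, `resources[0].type`), so `by_provider` and `by_service` will count every finding as "unknown"; read the nested fields or feed the parser's flattened dicts into the report. Also, in the Azure block the comment says "Enable Defender for Cloud free tier" while the command runs `az security pricing create --name CloudPosture --tier standard`, which enables the Standard (paid) tier; fix the comment or the tier so readers know what they are turning on.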
@@ -0,0 +1,43 @@
# Cloud Security Posture Management - Assessment Template
## Scope Definition
- **Cloud Providers**: [ ] AWS [ ] Azure [ ] GCP
- **Accounts/Subscriptions**: [List accounts in scope]
- **Compliance Framework**: [ ] CIS Benchmark [ ] PCI DSS [ ] NIST 800-53 [ ] SOC 2
- **Assessment Frequency**: [ ] Daily [ ] Weekly [ ] Monthly
## Critical Checks by Cloud Provider
### AWS Priority Checks
- [ ] S3 buckets not publicly accessible
- [ ] Root account MFA enabled
- [ ] CloudTrail enabled in all regions
- [ ] IAM access keys rotated within 90 days
- [ ] Security groups no unrestricted inbound (0.0.0.0/0)
- [ ] RDS instances not publicly accessible
- [ ] EBS volumes encrypted
- [ ] VPC flow logs enabled
### Azure Priority Checks
- [ ] Storage accounts not publicly accessible
- [ ] MFA enabled for all privileged accounts
- [ ] Activity log alerts configured
- [ ] NSG rules reviewed for unrestricted access
- [ ] SQL databases encrypted at rest
- [ ] Key Vault access policies reviewed
- [ ] Defender for Cloud enabled
### GCP Priority Checks
- [ ] Cloud Storage buckets not publicly accessible
- [ ] 2FA enforced for all users
- [ ] Audit logging enabled
- [ ] Firewall rules reviewed
- [ ] Cloud SQL instances not publicly accessible
- [ ] VPC Service Controls configured
## Report Deliverables
- [ ] Posture score by cloud account
- [ ] Failed checks by severity
- [ ] Compliance gap analysis
- [ ] Remediation priority list
- [ ] Month-over-month trend analysis
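Review bot: the AWS item `Security groups no unrestricted inbound (0.0.0.0/0)` covers only IPv4; rules open to `::/0` are just as exposed, so write it as `(0.0.0.0/0 or ::/0)`. The three provider lists also use different wording for the same control (`Root account MFA enabled`, `MFA enabled for all privileged accounts`, `2FA enforced for all users`); pick one term and state whether it applies to all users or only privileged ones, so the per-provider results can be compared in the deliverables section.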
@@ -0,0 +1,34 @@
# Standards and References - Cloud Vulnerability Posture Management
## Cloud Security Standards
### CIS Benchmarks for Cloud
- **AWS**: https://www.cisecurity.org/benchmark/amazon_web_services
- **Azure**: https://www.cisecurity.org/benchmark/azure
- **GCP**: https://www.cisecurity.org/benchmark/google_cloud_computing_platform
- **Relevance**: Prescriptive hardening guidance for cloud service configurations
### NIST SP 800-53 Rev 5
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- **Key Controls**: AC-6 (Least Privilege), CM-6 (Configuration Settings), SC-7 (Boundary Protection)
### CSA Cloud Controls Matrix (CCM) v4
- **URL**: https://cloudsecurityalliance.org/research/cloud-controls-matrix
- **Relevance**: Cloud-specific security control framework aligned with major compliance standards
### AWS Well-Architected Security Pillar
- **URL**: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
### Azure Security Benchmark v3
- **URL**: https://learn.microsoft.com/en-us/security/benchmark/azure/overview
## Tools
| Tool | Provider | License | URL |
|------|----------|---------|-----|
| AWS Security Hub | AWS | Pay-per-use | https://aws.amazon.com/security-hub/ |
| Azure Defender for Cloud | Microsoft | Free + Standard tiers | https://azure.microsoft.com/en-us/products/defender-for-cloud |
| Prowler | Open Source | Apache 2.0 | https://github.com/prowler-cloud/prowler |
| ScoutSuite | NCC Group | GPL-2.0 | https://github.com/nccgroup/ScoutSuite |
| Steampipe | Turbot | AGPL-3.0 | https://github.com/turbot/steampipe |
| CloudSploit | Aqua Security | GPL-3.0 | https://github.com/aquasecurity/cloudsploit |
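Review bot: in the Tools table the Provider column names the maintaining vendor for every row except Prowler, where it reads `Open Source` (a license category, already covered by the Apache 2.0 entry in the License column); name the maintaining organisation as for the other rows. The NIST SP 800-53 entry lists AC-6, CM-6 and SC-7, but the CIS and CCM entries give no control mapping; a short list of the benchmark sections the priority checks correspond to would make these references usable in the compliance gap analysis the assessment template promises.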
@@ -0,0 +1,29 @@
# Workflows - Cloud Vulnerability Posture Management
## Workflow 1: Daily Cloud Posture Assessment
1. Prowler scans all cloud accounts (AWS, Azure, GCP) on daily schedule
2. Results exported as JSON-OCSF and uploaded to central SIEM
3. New critical/high findings trigger Slack notifications
4. Findings compared against previous day for delta analysis
5. New misconfigurations create Jira tickets for cloud team
## Workflow 2: Compliance Baseline Assessment
1. Select compliance framework (CIS, PCI DSS, NIST 800-53, SOC 2)
2. Run Prowler with compliance flag against each cloud account
3. Generate compliance-specific report with pass/fail per control
4. Map failed controls to remediation actions
5. Track compliance posture score over time
## Workflow 3: Remediation and Verification
1. Cloud engineer receives Jira ticket for misconfiguration
2. Engineer applies fix via Terraform/CloudFormation/ARM template
3. Targeted Prowler re-scan validates fix
4. Jira ticket auto-closed on pass
5. Infrastructure-as-code updated to prevent recurrence
## Workflow 4: Multi-Cloud Executive Report
1. Aggregate findings from all providers
2. Calculate posture scores by account, region, and service
3. Trend analysis showing improvement or degradation
4. Risk heat map by cloud service category
5. Present to security leadership monthly
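Review bot: Workflow 1 step 4 (`Findings compared against previous day for delta analysis`) and Workflow 3 step 4 (`Jira ticket auto-closed on pass`) both depend on a stable finding key, but none is defined; state that the delta and the auto-close are keyed on check id plus resource uid (and account and region), otherwise a re-scan that returns a different set of findings, or one that fails to run at all, reads as everything having passed. Workflow 3 step 3 should also require the original failing check/resource pair to return PASS, not merely that the targeted scan exits successfully.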
@@ -0,0 +1,175 @@
#!/usr/bin/env python3
"""Cloud Vulnerability Posture Management Tool.
Orchestrates multi-cloud security posture assessments using Prowler,
aggregates findings, and generates compliance reports.
"""
import argparse
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
try:
import boto3
except ImportError:
boto3 = None
def run_prowler_aws(profile=None, region=None, compliance=None, output_dir="./prowler_output"):
"""Execute Prowler scan against AWS account."""
cmd = ["prowler", "aws", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
if profile:
cmd.extend(["--profile", profile])
if region:
cmd.extend(["--region", region])
if compliance:
cmd.extend(["--compliance", compliance])
print(f"[*] Running Prowler AWS scan...")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
if result.returncode == 0:
print("[+] Prowler AWS scan completed successfully")
else:
print(f"[-] Prowler AWS scan failed: {result.stderr[:500]}")
return result.returncode == 0
def run_prowler_azure(subscription_id=None, output_dir="./prowler_output"):
"""Execute Prowler scan against Azure subscription."""
cmd = ["prowler", "azure", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
if subscription_id:
cmd.extend(["--subscription-ids", subscription_id])
print(f"[*] Running Prowler Azure scan...")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
if result.returncode == 0:
print("[+] Prowler Azure scan completed successfully")
else:
print(f"[-] Prowler Azure scan failed: {result.stderr[:500]}")
return result.returncode == 0
def get_aws_security_hub_findings(region="us-east-1", severity="CRITICAL"):
"""Fetch findings from AWS Security Hub."""
if not boto3:
print("[-] boto3 not installed")
return []
client = boto3.client("securityhub", region_name=region)
findings = []
paginator = client.get_paginator("get_findings")
for page in paginator.paginate(
Filters={
"SeverityLabel": [{"Value": severity, "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
},
MaxResults=100,
):
findings.extend(page.get("Findings", []))
print(f"[+] Retrieved {len(findings)} {severity} findings from Security Hub")
return findings
def parse_prowler_output(output_dir):
"""Parse Prowler JSON-OCSF output files."""
findings = []
output_path = Path(output_dir)
for json_file in output_path.rglob("*.ocsf.json"):
with open(json_file, "r", encoding="utf-8") as f:
for line in f:
line = line.strip()
if not line:
continue
try:
finding = json.loads(line)
findings.append({
"provider": finding.get("cloud", {}).get("provider", "unknown"),
"account": finding.get("cloud", {}).get("account", {}).get("uid", ""),
"region": finding.get("cloud", {}).get("region", ""),
"service": finding.get("resources", [{}])[0].get("type", "") if finding.get("resources") else "",
"check_id": finding.get("metadata", {}).get("uid", ""),
"title": finding.get("finding_info", {}).get("title", ""),
"severity": finding.get("severity", "unknown"),
"status": finding.get("status", ""),
"description": finding.get("finding_info", {}).get("desc", ""),
"remediation": finding.get("remediation", {}).get("desc", ""),
"resource_uid": finding.get("resources", [{}])[0].get("uid", "") if finding.get("resources") else "",
})
except (json.JSONDecodeError, KeyError, IndexError):
continue
return findings
def generate_posture_report(findings, output_path):
"""Generate cloud security posture report."""
severity_map = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
failed = [f for f in findings if f.get("status", "").lower() in ("fail", "failed")]
passed = [f for f in findings if f.get("status", "").lower() in ("pass", "passed")]
report = {
"generated_at": datetime.now(timezone.utc).isoformat(),
"total_checks": len(findings),
"passed": len(passed),
"failed": len(failed),
"pass_rate": round(len(passed) / max(len(findings), 1) * 100, 1),
"failed_by_severity": {},
"failed_by_provider": {},
"failed_by_service": {},
"top_findings": [],
}
for f in failed:
sev = str(f.get("severity", "unknown")).lower()
provider = f.get("provider", "unknown")
service = f.get("service", "unknown")
report["failed_by_severity"][sev] = report["failed_by_severity"].get(sev, 0) + 1
report["failed_by_provider"][provider] = report["failed_by_provider"].get(provider, 0) + 1
report["failed_by_service"][service] = report["failed_by_service"].get(service, 0) + 1
critical_high = [f for f in failed if str(f.get("severity", "")).lower() in ("critical", "high")]
critical_high.sort(key=lambda x: severity_map.get(str(x.get("severity", "")).lower(), 5))
report["top_findings"] = critical_high[:20]
with open(output_path, "w", encoding="utf-8") as fh:
json.dump(report, fh, indent=2)
print(f"\n[+] Cloud Posture Report: {output_path}")
print(f" Total checks: {report['total_checks']}")
print(f" Passed: {report['passed']} | Failed: {report['failed']}")
print(f" Pass rate: {report['pass_rate']}%")
print(f" Failed by severity: {json.dumps(report['failed_by_severity'])}")
return report
def main():
parser = argparse.ArgumentParser(description="Cloud Vulnerability Posture Management")
parser.add_argument("--scan-aws", action="store_true", help="Run Prowler AWS scan")
parser.add_argument("--scan-azure", action="store_true", help="Run Prowler Azure scan")
parser.add_argument("--profile", help="AWS profile name")
parser.add_argument("--region", help="AWS region")
parser.add_argument("--subscription", help="Azure subscription ID")
parser.add_argument("--compliance", help="Compliance framework (e.g., cis_1.5_aws)")
parser.add_argument("--parse", help="Parse Prowler output directory")
parser.add_argument("--security-hub", action="store_true", help="Fetch from AWS Security Hub")
parser.add_argument("--output", default="cloud_posture_report.json")
parser.add_argument("--output-dir", default="./prowler_output")
args = parser.parse_args()
if args.scan_aws:
run_prowler_aws(args.profile, args.region, args.compliance, args.output_dir)
if args.scan_azure:
run_prowler_azure(args.subscription, args.output_dir)
if args.parse:
findings = parse_prowler_output(args.parse)
print(f"[*] Parsed {len(findings)} findings")
generate_posture_report(findings, args.output)
if args.security_hub:
findings = get_aws_security_hub_findings(args.region or "us-east-1")
print(f"[*] Retrieved {len(findings)} Security Hub findings")
if not any([args.scan_aws, args.scan_azure, args.parse, args.security_hub]):
parser.print_help()
if __name__ == "__main__":
main()
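Review bot: `--security-hub` fetches findings with `get_aws_security_hub_findings` and then only prints their count (`findings = get_aws_security_hub_findings(args.region or "us-east-1")`), so they never reach the report or any output file; either write them to `args.output` alongside the Prowler results or drop the flag. `run_prowler_aws` and `run_prowler_azure` call `subprocess.run(..., timeout=7200)` without catching `subprocess.TimeoutExpired` or `FileNotFoundError` (Prowler not on PATH), so either condition ends the tool with a traceback instead of the `[-]` failure message the functions already print. `generate_posture_report` decides pass/fail from `f.get("status")` matching `("fail", "failed")` or `("pass", "passed")`; if the OCSF records carry the PASS/FAIL result in a separate `status_code` field rather than `status`, every check is counted as neither passed nor failed and `pass_rate` is always 0, so have `parse_prowler_output` capture `status_code` as well and check both. Minor: `os` and `sys` are imported but unused, and the `print(f"[*] Running Prowler AWS scan...")` f-strings contain no placeholders.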