mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 23:38:57 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
@@ -0,0 +1,204 @@
---
name: implementing-cloud-vulnerability-posture-management
description: Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
domain: cybersecurity
subdomain: vulnerability-management
tags: [cspm, cloud-security, aws-security-hub, azure-defender, prowler, scoutsuite, misconfiguration, cnapp]
version: "1.0"
author: mahipal
license: MIT
---

# Implementing Cloud Vulnerability Posture Management

## Overview

Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.

## Prerequisites

- AWS CLI configured with SecurityAudit IAM policy
- Azure CLI with Security Reader role
- Python 3.9+ with `boto3`, `azure-identity`, `azure-mgmt-security`
- Prowler (https://github.com/prowler-cloud/prowler)
- ScoutSuite (https://github.com/nccgroup/ScoutSuite)

## AWS Security Hub

### Enable Security Hub
```bash
# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
--enable-default-standards \
--region us-east-1

# Enable specific standards
aws securityhub batch-enable-standards \
--standards-subscription-requests \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'

# Get findings summary
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
--max-items 10
```

### Security Hub Standards
| Standard | Description |
|----------|------------|
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |

## Azure Defender for Cloud

### Enable Defender CSPM
```bash
# Enable Defender for Cloud free tier
az security pricing create \
--name CloudPosture \
--tier standard

# Check secure score
az security secure-score list \
--query "[].{Name:displayName,Score:current,Max:max}" \
--output table

# Get security recommendations
az security assessment list \
--query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
--output table

# Get alerts
az security alert list \
--query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
--output table
```

## Open-Source: Prowler

### Installation and Execution
```bash
# Install Prowler
pip install prowler

# Run full AWS scan
prowler aws --output-formats json-ocsf,csv,html

# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet

# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws

# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws

# Scan Azure environment
prowler azure --subscription-ids "sub-id-here"

# Scan GCP environment
prowler gcp --project-ids "project-id-here"
```

### Prowler Check Categories
| Category | Examples |
|----------|---------|
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log validation |
| VPC | Flow logs, default SG restrictions |
| Lambda | Public access, runtime versions |
| EKS | Public endpoint, secrets encryption |

## Open-Source: ScoutSuite

```bash
# Install ScoutSuite
pip install scoutsuite

# Run AWS assessment
scout aws --profile production

# Run Azure assessment
scout azure --cli

# Run GCP assessment
scout gcp --project-id my-project

# Results available as interactive HTML report
# Open scout-report/report.html in browser
```

## Multi-Cloud Aggregation

```python
import json
import subprocess
from datetime import datetime, timezone

def run_prowler_scan(provider, output_dir, compliance=None):
"""Run Prowler scan for a cloud provider."""
cmd = ["prowler", provider, "--output-formats", "json-ocsf",
"--output-directory", output_dir]
if compliance:
cmd.extend(["--compliance", compliance])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
return result.returncode == 0

def aggregate_findings(prowler_dirs):
"""Aggregate findings from multiple Prowler scans."""
all_findings = []
for scan_dir in prowler_dirs:
json_files = list(Path(scan_dir).glob("*.json"))
for jf in json_files:
with open(jf, "r") as f:
for line in f:
try:
finding = json.loads(line.strip())
all_findings.append(finding)
except json.JSONDecodeError:
continue
# Sort by severity
severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
all_findings.sort(key=lambda f: severity_order.get(
f.get("severity", "informational").lower(), 5
))
return all_findings

def generate_posture_report(findings, output_path):
"""Generate cloud security posture report."""
report = {
"generated_at": datetime.now(timezone.utc).isoformat(),
"total_findings": len(findings),
"by_severity": {},
"by_provider": {},
"by_service": {},
}
for f in findings:
sev = f.get("severity", "unknown")
provider = f.get("cloud_provider", "unknown")
service = f.get("service_name", "unknown")
report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
report["by_service"][service] = report["by_service"].get(service, 0) + 1

with open(output_path, "w") as f:
json.dump(report, f, indent=2)
return report
```

## References

- [AWS Security Hub](https://aws.amazon.com/security-hub/)
- [Azure Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/)
- [Prowler](https://github.com/prowler-cloud/prowler)
- [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks)

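Review bot: `aggregate_findings` in the Multi-Cloud Aggregation snippet calls `Path(scan_dir).glob("*.json")` but the block only imports `json`, `subprocess` and `datetime`; add `from pathlib import Path` or the first call raises NameError. Two smaller points in the same file: the Azure block's comment says "Enable Defender for Cloud free tier" while the command beneath it is `az security pricing create --name CloudPosture --tier standard`, which turns on the paid Standard tier of the Defender CSPM plan, so either the comment or the `--tier` value needs to change; and the bare `continue` on `JSONDecodeError` in `aggregate_findings` means a file that is not one-JSON-object-per-line yields zero findings with no message, so count or log the skipped lines. The snippet also globs `*.json` while the tool script in this same commit looks for `*.ocsf.json`; keeping the two consistent avoids one of them silently reading nothing.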
@@ -0,0 +1,43 @@
# Cloud Security Posture Management - Assessment Template

## Scope Definition
- **Cloud Providers**: [ ] AWS [ ] Azure [ ] GCP
- **Accounts/Subscriptions**: [List accounts in scope]
- **Compliance Framework**: [ ] CIS Benchmark [ ] PCI DSS [ ] NIST 800-53 [ ] SOC 2
- **Assessment Frequency**: [ ] Daily [ ] Weekly [ ] Monthly

## Critical Checks by Cloud Provider

### AWS Priority Checks
- [ ] S3 buckets not publicly accessible
- [ ] Root account MFA enabled
- [ ] CloudTrail enabled in all regions
- [ ] IAM access keys rotated within 90 days
- [ ] Security groups no unrestricted inbound (0.0.0.0/0)
- [ ] RDS instances not publicly accessible
- [ ] EBS volumes encrypted
- [ ] VPC flow logs enabled

### Azure Priority Checks
- [ ] Storage accounts not publicly accessible
- [ ] MFA enabled for all privileged accounts
- [ ] Activity log alerts configured
- [ ] NSG rules reviewed for unrestricted access
- [ ] SQL databases encrypted at rest
- [ ] Key Vault access policies reviewed
- [ ] Defender for Cloud enabled

### GCP Priority Checks
- [ ] Cloud Storage buckets not publicly accessible
- [ ] 2FA enforced for all users
- [ ] Audit logging enabled
- [ ] Firewall rules reviewed
- [ ] Cloud SQL instances not publicly accessible
- [ ] VPC Service Controls configured

## Report Deliverables
- [ ] Posture score by cloud account
- [ ] Failed checks by severity
- [ ] Compliance gap analysis
- [ ] Remediation priority list
- [ ] Month-over-month trend analysis

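Review bot: the AWS item "Security groups no unrestricted inbound (0.0.0.0/0)" reads as a fragment next to the other pass/fail statements; suggest "No security group allows unrestricted inbound access (0.0.0.0/0)". The GCP list says "2FA enforced" where the AWS and Azure lists say "MFA enabled"; use one term throughout. Since the SKILL.md overview describes CSPM as continuous monitoring and Workflow 1 runs daily, the Assessment Frequency row could also state what "Daily" means in practice (a scheduled Prowler run) so the template and the workflow agree.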
@@ -0,0 +1,34 @@
# Standards and References - Cloud Vulnerability Posture Management

## Cloud Security Standards

### CIS Benchmarks for Cloud
- **AWS**: https://www.cisecurity.org/benchmark/amazon_web_services
- **Azure**: https://www.cisecurity.org/benchmark/azure
- **GCP**: https://www.cisecurity.org/benchmark/google_cloud_computing_platform
- **Relevance**: Prescriptive hardening guidance for cloud service configurations

### NIST SP 800-53 Rev 5
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- **Key Controls**: AC-6 (Least Privilege), CM-6 (Configuration Settings), SC-7 (Boundary Protection)

### CSA Cloud Controls Matrix (CCM) v4
- **URL**: https://cloudsecurityalliance.org/research/cloud-controls-matrix
- **Relevance**: Cloud-specific security control framework aligned with major compliance standards

### AWS Well-Architected Security Pillar
- **URL**: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

### Azure Security Benchmark v3
- **URL**: https://learn.microsoft.com/en-us/security/benchmark/azure/overview

## Tools

| Tool | Provider | License | URL |
|------|----------|---------|-----|
| AWS Security Hub | AWS | Pay-per-use | https://aws.amazon.com/security-hub/ |
| Azure Defender for Cloud | Microsoft | Free + Standard tiers | https://azure.microsoft.com/en-us/products/defender-for-cloud |
| Prowler | Open Source | Apache 2.0 | https://github.com/prowler-cloud/prowler |
| ScoutSuite | NCC Group | GPL-2.0 | https://github.com/nccgroup/ScoutSuite |
| Steampipe | Turbot | AGPL-3.0 | https://github.com/turbot/steampipe |
| CloudSploit | Aqua Security | GPL-3.0 | https://github.com/aquasecurity/cloudsploit |

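Review bot: the Tools table lists Steampipe and CloudSploit, which appear nowhere in SKILL.md, the prerequisites or the workflows; either give each a one-line Relevance entry like the standards above have, or drop them so the reference list matches what the skill actually uses. The CIS section links the benchmark pages, but SKILL.md runs `prowler aws --compliance cis_1.5_aws` while its Security Hub table enables CIS 1.4; a note on which CIS version each tool implements would save the reader a lookup. The AWS Well-Architected and Azure Security Benchmark entries are the only ones without a Relevance line; adding one keeps the section consistent.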
@@ -0,0 +1,29 @@
# Workflows - Cloud Vulnerability Posture Management

## Workflow 1: Daily Cloud Posture Assessment
1. Prowler scans all cloud accounts (AWS, Azure, GCP) on daily schedule
2. Results exported as JSON-OCSF and uploaded to central SIEM
3. New critical/high findings trigger Slack notifications
4. Findings compared against previous day for delta analysis
5. New misconfigurations create Jira tickets for cloud team

## Workflow 2: Compliance Baseline Assessment
1. Select compliance framework (CIS, PCI DSS, NIST 800-53, SOC 2)
2. Run Prowler with compliance flag against each cloud account
3. Generate compliance-specific report with pass/fail per control
4. Map failed controls to remediation actions
5. Track compliance posture score over time

## Workflow 3: Remediation and Verification
1. Cloud engineer receives Jira ticket for misconfiguration
2. Engineer applies fix via Terraform/CloudFormation/ARM template
3. Targeted Prowler re-scan validates fix
4. Jira ticket auto-closed on pass
5. Infrastructure-as-code updated to prevent recurrence

## Workflow 4: Multi-Cloud Executive Report
1. Aggregate findings from all providers
2. Calculate posture scores by account, region, and service
3. Trend analysis showing improvement or degradation
4. Risk heat map by cloud service category
5. Present to security leadership monthly

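Review bot: Workflow 1 step 4 (day-over-day delta) and Workflow 3 step 4 (auto-close on pass) both depend on matching a finding across runs, but neither says what the match key is; document it as check id plus resource uid (the `check_id` and `resource_uid` fields the tool's `parse_prowler_output` already extracts) so that a passing re-scan closes only the ticket for that resource, not every ticket for the check. Workflow 4 step 2 promises posture scores by account, region and service, while the tool's report only buckets failures by severity, provider and service; either add account and region buckets to the report or narrow the step to what is produced.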
@@ -0,0 +1,175 @@
#!/usr/bin/env python3
"""Cloud Vulnerability Posture Management Tool.

Orchestrates multi-cloud security posture assessments using Prowler,
aggregates findings, and generates compliance reports.
"""

import argparse
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

try:
import boto3
except ImportError:
boto3 = None


def run_prowler_aws(profile=None, region=None, compliance=None, output_dir="./prowler_output"):
"""Execute Prowler scan against AWS account."""
cmd = ["prowler", "aws", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
if profile:
cmd.extend(["--profile", profile])
if region:
cmd.extend(["--region", region])
if compliance:
cmd.extend(["--compliance", compliance])
print(f"[*] Running Prowler AWS scan...")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
if result.returncode == 0:
print("[+] Prowler AWS scan completed successfully")
else:
print(f"[-] Prowler AWS scan failed: {result.stderr[:500]}")
return result.returncode == 0


def run_prowler_azure(subscription_id=None, output_dir="./prowler_output"):
"""Execute Prowler scan against Azure subscription."""
cmd = ["prowler", "azure", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
if subscription_id:
cmd.extend(["--subscription-ids", subscription_id])
print(f"[*] Running Prowler Azure scan...")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
if result.returncode == 0:
print("[+] Prowler Azure scan completed successfully")
else:
print(f"[-] Prowler Azure scan failed: {result.stderr[:500]}")
return result.returncode == 0


def get_aws_security_hub_findings(region="us-east-1", severity="CRITICAL"):
"""Fetch findings from AWS Security Hub."""
if not boto3:
print("[-] boto3 not installed")
return []
client = boto3.client("securityhub", region_name=region)
findings = []
paginator = client.get_paginator("get_findings")
for page in paginator.paginate(
Filters={
"SeverityLabel": [{"Value": severity, "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
},
MaxResults=100,
):
findings.extend(page.get("Findings", []))
print(f"[+] Retrieved {len(findings)} {severity} findings from Security Hub")
return findings


def parse_prowler_output(output_dir):
"""Parse Prowler JSON-OCSF output files."""
findings = []
output_path = Path(output_dir)
for json_file in output_path.rglob("*.ocsf.json"):
with open(json_file, "r", encoding="utf-8") as f:
for line in f:
line = line.strip()
if not line:
continue
try:
finding = json.loads(line)
findings.append({
"provider": finding.get("cloud", {}).get("provider", "unknown"),
"account": finding.get("cloud", {}).get("account", {}).get("uid", ""),
"region": finding.get("cloud", {}).get("region", ""),
"service": finding.get("resources", [{}])[0].get("type", "") if finding.get("resources") else "",
"check_id": finding.get("metadata", {}).get("uid", ""),
"title": finding.get("finding_info", {}).get("title", ""),
"severity": finding.get("severity", "unknown"),
"status": finding.get("status", ""),
"description": finding.get("finding_info", {}).get("desc", ""),
"remediation": finding.get("remediation", {}).get("desc", ""),
"resource_uid": finding.get("resources", [{}])[0].get("uid", "") if finding.get("resources") else "",
})
except (json.JSONDecodeError, KeyError, IndexError):
continue
return findings


def generate_posture_report(findings, output_path):
"""Generate cloud security posture report."""
severity_map = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
failed = [f for f in findings if f.get("status", "").lower() in ("fail", "failed")]
passed = [f for f in findings if f.get("status", "").lower() in ("pass", "passed")]

report = {
"generated_at": datetime.now(timezone.utc).isoformat(),
"total_checks": len(findings),
"passed": len(passed),
"failed": len(failed),
"pass_rate": round(len(passed) / max(len(findings), 1) * 100, 1),
"failed_by_severity": {},
"failed_by_provider": {},
"failed_by_service": {},
"top_findings": [],
}

for f in failed:
sev = str(f.get("severity", "unknown")).lower()
provider = f.get("provider", "unknown")
service = f.get("service", "unknown")
report["failed_by_severity"][sev] = report["failed_by_severity"].get(sev, 0) + 1
report["failed_by_provider"][provider] = report["failed_by_provider"].get(provider, 0) + 1
report["failed_by_service"][service] = report["failed_by_service"].get(service, 0) + 1

critical_high = [f for f in failed if str(f.get("severity", "")).lower() in ("critical", "high")]
critical_high.sort(key=lambda x: severity_map.get(str(x.get("severity", "")).lower(), 5))
report["top_findings"] = critical_high[:20]

with open(output_path, "w", encoding="utf-8") as fh:
json.dump(report, fh, indent=2)

print(f"\n[+] Cloud Posture Report: {output_path}")
print(f" Total checks: {report['total_checks']}")
print(f" Passed: {report['passed']} | Failed: {report['failed']}")
print(f" Pass rate: {report['pass_rate']}%")
print(f" Failed by severity: {json.dumps(report['failed_by_severity'])}")
return report


def main():
parser = argparse.ArgumentParser(description="Cloud Vulnerability Posture Management")
parser.add_argument("--scan-aws", action="store_true", help="Run Prowler AWS scan")
parser.add_argument("--scan-azure", action="store_true", help="Run Prowler Azure scan")
parser.add_argument("--profile", help="AWS profile name")
parser.add_argument("--region", help="AWS region")
parser.add_argument("--subscription", help="Azure subscription ID")
parser.add_argument("--compliance", help="Compliance framework (e.g., cis_1.5_aws)")
parser.add_argument("--parse", help="Parse Prowler output directory")
parser.add_argument("--security-hub", action="store_true", help="Fetch from AWS Security Hub")
parser.add_argument("--output", default="cloud_posture_report.json")
parser.add_argument("--output-dir", default="./prowler_output")
args = parser.parse_args()

if args.scan_aws:
run_prowler_aws(args.profile, args.region, args.compliance, args.output_dir)
if args.scan_azure:
run_prowler_azure(args.subscription, args.output_dir)
if args.parse:
findings = parse_prowler_output(args.parse)
print(f"[*] Parsed {len(findings)} findings")
generate_posture_report(findings, args.output)
if args.security_hub:
findings = get_aws_security_hub_findings(args.region or "us-east-1")
print(f"[*] Retrieved {len(findings)} Security Hub findings")
if not any([args.scan_aws, args.scan_azure, args.parse, args.security_hub]):
parser.print_help()


if __name__ == "__main__":
main()

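Review bot: the `--security-hub` path in `main()` fetches findings and prints the count, but they never reach `generate_posture_report`, so that flag produces no report; either normalise them into the same dict shape `parse_prowler_output` emits (`provider`, `account`, `region`, `severity`, `status`, ...) and pass them in, or drop the flag until that exists. Further points in the same file: (1) `parse_prowler_output` swallows every `JSONDecodeError` with `continue`, so an `*.ocsf.json` file written as a single JSON array rather than one object per line parses as zero findings with no message; try `json.load` on the whole file first, fall back to line-by-line, and report how many lines were skipped. (2) `generate_posture_report` splits pass/fail on `status` being "pass"/"fail"; verify that against a real OCSF sample, because OCSF detection findings carry the check result in `status_code` and use `status` for the finding state, in which case both lists stay empty and `pass_rate` is always 0.0. (3) `subprocess.run(..., timeout=7200)` raises `TimeoutExpired`, and a missing `prowler` binary raises `FileNotFoundError`; neither is caught, so the `[-] ... scan failed` branch never fires for those cases. (4) `import os` and `import sys` are unused, and the two `print(f"[*] Running Prowler ... scan...")` calls are f-strings with no placeholders.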