mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
This commit is contained in:
@@ -0,0 +1,74 @@
|
||||
# API Reference: Building Cloud Security Posture Management
|
||||
|
||||
## boto3 - AWS CSPM Checks
|
||||
|
||||
### S3 Public Access
|
||||
|
||||
```python
|
||||
s3 = boto3.client("s3")
|
||||
pab = s3.get_public_access_block(Bucket="my-bucket")
|
||||
config = pab["PublicAccessBlockConfiguration"]
|
||||
```
|
||||
|
||||
### Unencrypted EBS Volumes
|
||||
|
||||
```python
|
||||
ec2 = boto3.client("ec2")
|
||||
for vol in ec2.describe_volumes()["Volumes"]:
|
||||
if not vol["Encrypted"]:
|
||||
print(f"Unencrypted: {vol['VolumeId']}")
|
||||
```
|
||||
|
||||
### Open Security Groups
|
||||
|
||||
```python
|
||||
for sg in ec2.describe_security_groups()["SecurityGroups"]:
|
||||
for rule in sg["IpPermissions"]:
|
||||
for ip in rule.get("IpRanges", []):
|
||||
if ip["CidrIp"] == "0.0.0.0/0":
|
||||
print(f"OPEN: {sg['GroupId']} port {rule['FromPort']}")
|
||||
```
|
||||
|
||||
### IAM Users Without MFA
|
||||
|
||||
```python
|
||||
iam = boto3.client("iam")
|
||||
for user in iam.list_users()["Users"]:
|
||||
mfa = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
|
||||
if not mfa:
|
||||
print(f"No MFA: {user['UserName']}")
|
||||
```
|
||||
|
||||
### Public RDS Instances
|
||||
|
||||
```python
|
||||
rds = boto3.client("rds")
|
||||
for db in rds.describe_db_instances()["DBInstances"]:
|
||||
if db["PubliclyAccessible"]:
|
||||
print(f"Public RDS: {db['DBInstanceIdentifier']}")
|
||||
```
|
||||
|
||||
## Key CSPM Checks
|
||||
|
||||
| Check | Service | boto3 Method |
|
||||
|-------|---------|-------------|
|
||||
| Public S3 | S3 | `get_public_access_block()` |
|
||||
| Unencrypted EBS | EC2 | `describe_volumes()` |
|
||||
| Open SGs | EC2 | `describe_security_groups()` |
|
||||
| No MFA | IAM | `list_mfa_devices()` |
|
||||
| Public RDS | RDS | `describe_db_instances()` |
|
||||
| CloudTrail | CloudTrail | `describe_trails()` |
|
||||
|
||||
## Steampipe (SQL-Based CSPM)
|
||||
|
||||
```sql
|
||||
select name, region, server_side_encryption_configuration
|
||||
from aws_s3_bucket
|
||||
where server_side_encryption_configuration is null;
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/
|
||||
- Prowler: https://github.com/prowler-cloud/prowler
|
||||
- Steampipe: https://steampipe.io/
|
||||
Reference in New Issue
Block a user