mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
5.3 KiB
5.3 KiB
API Reference: AWS Cloud Incident Containment
Libraries Used
| Library | Purpose |
|---|---|
boto3 |
AWS SDK for EC2, IAM, Security Groups, and CloudTrail |
json |
Parse and log containment actions |
datetime |
Timestamp containment events |
Installation
pip install boto3
Authentication
import boto3
import os
session = boto3.Session(
aws_access_key_id=os.environ.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=os.environ.get("AWS_SECRET_ACCESS_KEY"),
region_name=os.environ.get("AWS_REGION", "us-east-1"),
)
ec2 = session.client("ec2")
iam = session.client("iam")
Containment Actions
Isolate EC2 Instance (Security Group Quarantine)
def isolate_instance(instance_id):
"""Replace instance security groups with a quarantine SG that blocks all traffic."""
# Create quarantine SG if it doesn't exist
vpc_id = ec2.describe_instances(
InstanceIds=[instance_id]
)["Reservations"][0]["Instances"][0]["VpcId"]
try:
quarantine_sg = ec2.create_security_group(
GroupName="quarantine-no-access",
Description="IR Quarantine — blocks all inbound/outbound",
VpcId=vpc_id,
)
sg_id = quarantine_sg["GroupId"]
# Revoke default outbound rule
ec2.revoke_security_group_egress(
GroupId=sg_id,
IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
)
except ec2.exceptions.ClientError:
# SG already exists
sgs = ec2.describe_security_groups(
Filters=[{"Name": "group-name", "Values": ["quarantine-no-access"]}]
)
sg_id = sgs["SecurityGroups"][0]["GroupId"]
# Apply quarantine SG (replaces all existing SGs)
ec2.modify_instance_attribute(
InstanceId=instance_id,
Groups=[sg_id],
)
return {"instance_id": instance_id, "quarantine_sg": sg_id, "action": "isolated"}
Disable IAM Access Keys
def disable_user_access_keys(username):
"""Disable all access keys for a compromised IAM user."""
keys = iam.list_access_keys(UserName=username)
disabled = []
for key in keys["AccessKeyMetadata"]:
if key["Status"] == "Active":
iam.update_access_key(
UserName=username,
AccessKeyId=key["AccessKeyId"],
Status="Inactive",
)
disabled.append(key["AccessKeyId"])
return {"username": username, "keys_disabled": disabled}
Revoke IAM Role Sessions
def revoke_role_sessions(role_name):
"""Revoke all active sessions for an IAM role."""
iam.put_role_policy(
RoleName=role_name,
PolicyName="RevokeOlderSessions",
PolicyDocument=json.dumps({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"DateLessThan": {
"aws:TokenIssueTime": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
}
}
}]
}),
)
return {"role": role_name, "action": "sessions_revoked"}
Snapshot EBS Volume for Forensics
def snapshot_instance_volumes(instance_id):
"""Create forensic snapshots of all attached EBS volumes."""
instance = ec2.describe_instances(InstanceIds=[instance_id])
volumes = instance["Reservations"][0]["Instances"][0].get("BlockDeviceMappings", [])
snapshots = []
for vol in volumes:
vol_id = vol["Ebs"]["VolumeId"]
snap = ec2.create_snapshot(
VolumeId=vol_id,
Description=f"IR forensic snapshot — {instance_id} — {vol_id}",
TagSpecifications=[{
"ResourceType": "snapshot",
"Tags": [
{"Key": "Purpose", "Value": "incident-response"},
{"Key": "SourceInstance", "Value": instance_id},
]
}],
)
snapshots.append({"volume_id": vol_id, "snapshot_id": snap["SnapshotId"]})
return snapshots
Stop Instance (Preserve State)
def stop_instance(instance_id):
"""Stop instance without terminating to preserve memory and disk."""
ec2.stop_instances(InstanceIds=[instance_id])
return {"instance_id": instance_id, "action": "stopped"}
Block Public S3 Bucket Access
s3 = session.client("s3")
def block_public_bucket(bucket_name):
s3.put_public_access_block(
Bucket=bucket_name,
PublicAccessBlockConfiguration={
"BlockPublicAcls": True,
"IgnorePublicAcls": True,
"BlockPublicPolicy": True,
"RestrictPublicBuckets": True,
},
)
return {"bucket": bucket_name, "action": "public_access_blocked"}
Output Format
{
"incident_id": "IR-2025-001",
"containment_time": "2025-01-15T10:30:00Z",
"actions_taken": [
{"action": "isolate_instance", "target": "i-0abc123", "status": "success"},
{"action": "disable_access_keys", "target": "compromised-user", "keys_disabled": 2},
{"action": "snapshot_volumes", "target": "i-0abc123", "snapshots": 2},
{"action": "stop_instance", "target": "i-0abc123", "status": "success"}
]
}