home / skills / a5c-ai / babysitter / aws-security-scanner

aws-security-scanner skill

safe

/plugins/babysitter/skills/babysit/process/specializations/security-compliance/skills/aws-security-scanner

This skill helps automate AWS security scanning and hardening across accounts using Prowler, Security Hub, and Config for continuous compliance.

npx playbooks add skill a5c-ai/babysitter --skill aws-security-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

5.7 KB

---
name: aws-security-scanner
description: AWS security configuration scanning and hardening using Prowler, Security Hub, and AWS Config
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
  - Grep
  - WebFetch
---

# AWS Security Scanner Skill

## Purpose

Automated AWS security configuration scanning and hardening to identify misconfigurations, compliance violations, and security risks across AWS accounts and organizations.

## Capabilities

### Prowler Security Assessments
- Run comprehensive Prowler security scans
- Execute CIS AWS Foundations Benchmark checks
- Run AWS Well-Architected security pillar assessments
- Check PCI DSS, HIPAA, GDPR compliance
- Generate multi-format reports (HTML, CSV, JSON)

### IAM Security Analysis
- Analyze IAM policies for over-permissive access
- Check for unused credentials and access keys
- Identify IAM users without MFA
- Review cross-account access configurations
- Detect privilege escalation paths
- Analyze service control policies (SCPs)

### S3 Bucket Security
- Identify publicly accessible buckets
- Check bucket encryption configurations
- Review bucket policies and ACLs
- Verify access logging enabled
- Check for sensitive data exposure
- Validate versioning and replication

### Network Security Analysis
- Review security group configurations
- Analyze Network ACLs
- Check VPC flow log enablement
- Identify public-facing resources
- Validate VPC endpoint configurations
- Check for overly permissive rules

### Encryption Verification
- Verify EBS volume encryption
- Check RDS encryption settings
- Validate S3 encryption configurations
- Review KMS key policies
- Check secrets manager configurations
- Verify certificate validity

### Logging and Monitoring
- Validate CloudTrail configuration
- Check CloudWatch log retention
- Verify GuardDuty enablement
- Review Security Hub findings
- Check Config rule compliance
- Validate alarm configurations

### Compliance Mapping
- Map findings to CIS Benchmarks
- Generate SOC 2 evidence
- Track PCI DSS compliance
- Document HIPAA controls
- Map to NIST frameworks

## AWS Services Covered

| Category | Services |
|----------|----------|
| Identity | IAM, SSO, Organizations |
| Compute | EC2, Lambda, ECS, EKS |
| Storage | S3, EBS, EFS, Glacier |
| Database | RDS, DynamoDB, Redshift |
| Network | VPC, CloudFront, Route53 |
| Security | Security Hub, GuardDuty, KMS |
| Monitoring | CloudTrail, CloudWatch, Config |

## Integrations

- **Prowler**: Open-source AWS security tool
- **AWS Security Hub**: Centralized security findings
- **AWS Config**: Configuration compliance
- **AWS CloudTrail**: API activity logging
- **AWS GuardDuty**: Threat detection
- **AWS IAM Access Analyzer**: Access analysis

## Target Processes

- Cloud Security Architecture Review
- Compliance Monitoring
- Security Posture Assessment
- AWS Account Hardening

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "gdpr", "custom"],
      "description": "Type of security scan"
    },
    "awsAccounts": {
      "type": "array",
      "items": { "type": "string" },
      "description": "AWS account IDs to scan"
    },
    "regions": {
      "type": "array",
      "items": { "type": "string" },
      "description": "AWS regions to scan"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low", "informational"]
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "GDPR", "SOC2", "NIST"]
      }
    },
    "excludeChecks": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Check IDs to exclude"
    }
  },
  "required": ["scanType"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "accountsScanned": {
      "type": "array"
    },
    "regionsScanned": {
      "type": "array"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "region": { "type": "string" },
          "resourceId": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    },
    "reportPaths": {
      "type": "object",
      "properties": {
        "html": { "type": "string" },
        "csv": { "type": "string" },
        "json": { "type": "string" }
      }
    }
  }
}
```

## Usage Example

```javascript
skill: {
  name: 'aws-security-scanner',
  context: {
    scanType: 'cis',
    awsAccounts: ['123456789012'],
    regions: ['us-east-1', 'us-west-2'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'medium'
  }
}
```

Overview

This skill performs automated AWS security configuration scanning and hardening using Prowler, AWS Security Hub, and AWS Config. It identifies misconfigurations, compliance gaps, and risky exposures across accounts and regions and produces actionable, mapped findings and multi-format reports. Use it to baseline security posture, produce compliance evidence, or drive remediation tasks.

How this skill works

The skill orchestrates Prowler scans and aggregates findings from Security Hub, Config, GuardDuty, CloudTrail, and IAM Access Analyzer to build a unified assessment. It analyzes IAM policies, S3 settings, network controls, encryption, logging, and monitoring, then maps results to common frameworks (CIS, PCI-DSS, HIPAA, NIST, SOC2). Outputs include a structured summary, severity breakdown, detailed findings with remediation steps, and HTML/CSV/JSON reports for evidence or automation.

When to use it

Before a production launch to validate account hardening and least-privilege controls
During periodic compliance checks to generate SOC2, PCI, or CIS evidence
After account onboarding or organizational changes to detect regressions
When responding to a security incident to quickly identify risky misconfigurations
To prioritize remediation by severity across multiple AWS accounts and regions

Best practices

Run full scans in a non-peak window and use targeted scans for rapid checks
Set a severity threshold to focus on critical and high findings first
Exclude expected deviations with documented exceptions to reduce noise
Integrate reports into ticketing or CI/CD pipelines for tracked remediation
Enable cross-account roles and least-privilege scanning principals for organization-wide visibility

Example use cases

Generate a CIS benchmark report for a single AWS account and deliver HTML/JSON evidence
Scan multiple accounts and regions to produce a prioritized remediation plan for critical exposures
Audit IAM to find over-permissive roles, unused keys, and missing MFA for privileged accounts
Validate S3 encryption, logging, and public access settings after a storage configuration change
Map Security Hub findings to PCI-DSS controls and export a CSV for auditor review

FAQ

What scan types are supported?

Supported scan types include full, CIS, PCI, HIPAA, GDPR and custom scans driven by the input schema.

What output formats are available?

The skill produces structured JSON results plus optional HTML and CSV report exports for human review or tooling ingestion.

Can it scan multiple AWS accounts and regions?

Yes. Provide account IDs and regions in the input schema and the skill will aggregate findings across the specified scope.