home / skills / aj-geddes / useful-ai-prompts / cloud-security-configuration
This skill helps implement comprehensive cloud security across AWS, Azure, and GCP by configuring IAM, encryption, networking, and threat monitoring.
npx playbooks add skill aj-geddes/useful-ai-prompts --skill cloud-security-configurationReview the files below or copy the command above to add this skill to your agents.
---
name: cloud-security-configuration
description: Implement comprehensive cloud security across AWS, Azure, and GCP with IAM, encryption, network security, compliance, and threat detection.
---
# Cloud Security Configuration
## Overview
Cloud security requires comprehensive strategies spanning identity management, encryption, network controls, compliance, and threat detection. Implement defense-in-depth with multiple layers of protection and continuous monitoring.
## When to Use
- Protecting sensitive data in cloud
- Compliance with regulations (GDPR, HIPAA, PCI-DSS)
- Implementing zero-trust security
- Securing multi-cloud environments
- Threat detection and response
- Identity and access management
- Network isolation and segmentation
- Encryption and key management
## Implementation Examples
### 1. **AWS Security Configuration**
```bash
# Enable GuardDuty (threat detection)
aws guardduty create-detector \
--enable \
--finding-publishing-frequency FIFTEEN_MINUTES
# Enable CloudTrail (audit logging)
aws cloudtrail create-trail \
--name organization-trail \
--s3-bucket-name audit-bucket \
--is-multi-region-trail
# Enable S3 bucket encryption by default
aws s3api put-bucket-encryption \
--bucket my-bucket \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id"
},
"BucketKeyEnabled": true
}]
}'
# Enable VPC Flow Logs
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-12345 \
--traffic-type ALL \
--log-destination-type cloud-watch-logs \
--log-group-name /aws/vpc/flowlogs
# Configure Security Groups
aws ec2 authorize-security-group-ingress \
--group-id sg-12345 \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
# Enable MFA for root account
aws iam get-account-summary
# Create password policy
aws iam update-account-password-policy \
--minimum-password-length 14 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password \
--expire-passwords \
--max-password-age 90
```
### 2. **Terraform Security Configuration**
```hcl
# security.tf
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = var.aws_region
}
# KMS key for encryption
resource "aws_kms_key" "main" {
description = "Master encryption key"
deletion_window_in_days = 10
enable_key_rotation = true
tags = { Name = "master-key" }
}
resource "aws_kms_alias" "main" {
name = "alias/master-key"
target_key_id = aws_kms_key.main.key_id
}
# Secrets Manager for sensitive data
resource "aws_secretsmanager_secret" "db_password" {
name_prefix = "db/"
recovery_window_in_days = 7
kms_key_id = aws_kms_key.main.id
}
resource "aws_secretsmanager_secret_version" "db_password" {
secret_id = aws_secretsmanager_secret.db_password.id
secret_string = random_password.db.result
}
# IAM role with least privilege
resource "aws_iam_role" "app_role" {
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy" "app_policy" {
role = aws_iam_role.app_role.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:ListBucket"
]
Resource = [
aws_s3_bucket.data.arn,
"${aws_s3_bucket.data.arn}/*"
]
},
{
Effect = "Allow"
Action = [
"kms:Decrypt",
"kms:DescribeKey"
]
Resource = aws_kms_key.main.arn
},
{
Effect = "Allow"
Action = [
"secretsmanager:GetSecretValue"
]
Resource = aws_secretsmanager_secret.db_password.arn
},
{
Effect = "Allow"
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:*:*:*"
}
]
})
}
# VPC with security
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = { Name = "main-vpc" }
}
# Public subnet
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
availability_zone = data.aws_availability_zones.available.names[0]
map_public_ip_on_launch = false
tags = { Name = "public-subnet" }
}
# Private subnet
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.10.0/24"
availability_zone = data.aws_availability_zones.available.names[0]
tags = { Name = "private-subnet" }
}
# Network ACL for defense in depth
resource "aws_network_acl" "main" {
vpc_id = aws_vpc.main.id
ingress {
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 443
to_port = 443
}
ingress {
protocol = "tcp"
rule_no = 110
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 80
to_port = 80
}
egress {
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
}
# Security group
resource "aws_security_group" "app" {
name_prefix = "app-"
vpc_id = aws_vpc.main.id
# Egress rule (deny by default)
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# WAF Web ACL
resource "aws_wafv2_web_acl" "main" {
scope = "REGIONAL"
name = "app-waf"
default_action {
allow {}
}
rule {
name = "AWSManagedRulesCommonRuleSet"
priority = 1
action {
block {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "app-waf"
sampled_requests_enabled = true
}
}
# GuardDuty for threat detection
resource "aws_guardduty_detector" "main" {
enable = true
datasources {
flow_logs {
enable = true
}
s3_logs {
enable = true
}
kubernetes {
audit_logs {
enable = true
}
}
}
}
# CloudTrail for audit logging
resource "aws_cloudtrail" "main" {
name = "organization-trail"
s3_bucket_name = aws_s3_bucket.audit_logs.id
include_global_service_events = true
is_multi_region_trail = true
enable_log_file_validation = true
depends_on = [aws_s3_bucket_policy.audit_logs]
event_selector {
read_write_type = "All"
include_management_events = true
data_resource {
type = "AWS::S3::Object"
values = ["arn:aws:s3:::*/"]
}
}
}
# Audit logs bucket
resource "aws_s3_bucket" "audit_logs" {
bucket = "audit-logs-${data.aws_caller_identity.current.account_id}"
}
resource "aws_s3_bucket_policy" "audit_logs" {
bucket = aws_s3_bucket.audit_logs.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "AllowCloudTrailAcl"
Effect = "Allow"
Principal = {
Service = "cloudtrail.amazonaws.com"
}
Action = "s3:GetBucketAcl"
Resource = aws_s3_bucket.audit_logs.arn
},
{
Sid = "AllowCloudTrailPutObject"
Effect = "Allow"
Principal = {
Service = "cloudtrail.amazonaws.com"
}
Action = "s3:PutObject"
Resource = "${aws_s3_bucket.audit_logs.arn}/*"
Condition = {
StringEquals = {
"s3:x-amz-acl" = "bucket-owner-full-control"
}
}
}
]
})
}
# Config for compliance monitoring
resource "aws_config_configuration_recorder" "main" {
name = "main"
role_arn = aws_iam_role.config.arn
depends_on = [aws_iam_role_policy_attachment.config]
recording_group {
all_supported = true
include_global = true
}
}
resource "aws_config_configuration_recorder_status" "main" {
name = aws_config_configuration_recorder.main.name
depends_on = [aws_config_delivery_channel.main]
is_enabled = true
start_recording = true
}
# Config delivery channel
resource "aws_config_delivery_channel" "main" {
name = "main"
s3_bucket_name = aws_s3_bucket.config.id
depends_on = [aws_config_configuration_recorder.main]
}
# CloudWatch for security monitoring
resource "aws_cloudwatch_metric_alarm" "unauthorized_actions" {
alarm_name = "unauthorized-api-calls"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = 1
metric_name = "UnauthorizedOperationCount"
namespace = "CloudTrailMetrics"
period = 300
statistic = "Sum"
threshold = 5
alarm_description = "Alert on unauthorized API calls"
}
# Data source
data "aws_caller_identity" "current" {}
data "aws_availability_zones" "available" {
state = "available"
}
# Random password
resource "random_password" "db" {
length = 16
special = true
}
# IAM role for Config
resource "aws_iam_role" "config" {
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "config.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "config" {
role = aws_iam_role.config.name
policy_arn = "arn:aws:iam::aws:policy/service-role/ConfigRole"
}
resource "aws_s3_bucket" "config" {
bucket = "config-bucket-${data.aws_caller_identity.current.account_id}"
}
```
### 3. **Azure Security Configuration**
```bash
# Enable Azure Security Center
az security auto-provisioning-setting update \
--auto-provision on
# Enable Azure Defender
az security atp storage update \
--storage-account myaccount \
--is-enabled true
# Configure NSG rules
az network nsg rule create \
--resource-group mygroup \
--nsg-name mynsg \
--name AllowHTTPS \
--priority 100 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--source-address-prefixes '*' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 443
# Enable Azure Policy
az policy assignment create \
--name EnforceHttps \
--policy /subscriptions/{subscription}/providers/Microsoft.Authorization/policyDefinitions/{policyId}
# Create Key Vault
az keyvault create \
--resource-group mygroup \
--name mykeyvault \
--enable-rbac-authorization
```
### 4. **GCP Security Configuration**
```bash
# Enable Cloud Armor
gcloud compute security-policies create my-policy \
--description "Security policy"
# Add rules
gcloud compute security-policies rules create 100 \
--security-policy=my-policy \
--action "deny-403" \
--expression "origin.country_code == 'CN'"
# Enable Cloud KMS
gcloud kms keyrings create my-keyring --location us-east1
gcloud kms keys create my-key \
--location us-east1 \
--keyring my-keyring \
--purpose encryption
# Set IAM bindings
gcloud projects add-iam-policy-binding MY_PROJECT \
--member=serviceAccount:my-sa@MY_PROJECT.iam.gserviceaccount.com \
--role=roles/container.developer
# Enable Binary Authorization
gcloud container binauthz policy import policy.yaml
# VPC Service Controls
gcloud access-context-manager perimeters create my-perimeter \
--resources=projects/MY_PROJECT
```
## Best Practices
### ✅ DO
- Implement least privilege access
- Enable MFA everywhere
- Use service accounts for applications
- Encrypt data at rest and in transit
- Enable comprehensive logging
- Implement network segmentation
- Use secrets management
- Enable threat detection
- Regular security assessments
- Keep systems patched
### ❌ DON'T
- Use root/default credentials
- Store secrets in code
- Over-permissive security groups
- Disable encryption
- Ignore logs and monitoring
- Share credentials
- Skip compliance requirements
- Trust unverified data sources
## Compliance Standards
- GDPR: Data protection
- HIPAA: Healthcare data
- PCI-DSS: Payment card data
- SOC 2: Security controls
- ISO 27001: Information security
- CIS Benchmarks: Security hardening
## Security Layers
1. **Identity & Access**: IAM, MFA, SSO
2. **Network**: VPCs, Security Groups, WAF
3. **Data**: Encryption, Secrets, DLP
4. **Application**: Input validation, patches
5. **Monitoring**: Logging, Alerting, Threat Detection
## Resources
- [AWS Security Hub](https://docs.aws.amazon.com/securityhub/)
- [Azure Security Benchmark](https://docs.microsoft.com/en-us/azure/security/benchmarks/)
- [GCP Security Best Practices](https://cloud.google.com/security/best-practices)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- [CIS Cloud Security Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
This skill implements comprehensive cloud security across AWS, Azure, and GCP covering IAM, encryption, network controls, compliance, and threat detection. It delivers practical configuration examples and recommended patterns to enforce defense-in-depth and continuous monitoring. Use it to standardize secure baselines and accelerate secure cloud deployments.
The skill provides concrete configuration steps and IaC examples for identity and access management, key management, network controls, logging, and threat detection across major clouds. It inspects common control areas—MFA, least-privilege roles, encrypted storage, VPC/NSG rules, WAF/Cloud Armor, logging pipelines, and security services—and shows how to enable and wire them together. It also includes Terraform patterns to codify and enforce security baselines and compliance-focused services like Config and Azure Policy.
Does this skill cover multi-cloud consistent controls?
Yes. It highlights equivalent controls and patterns for AWS, Azure, and GCP, and provides Terraform examples to codify consistent baselines across providers.
How do I validate compliance after applying configurations?
Use provider policy and assessment services (AWS Config, Azure Policy, GCP Organization Policy) plus centralized logging and automated alerts to continuously validate controls and produce audit evidence.