home / skills / williamzujkowski / cognitive-toolworks / security-cloud-analyzer
This skill analyzes cloud security posture across aws, azure, and gcp, flagging storage, IAM, and network misconfigurations and recommending remediations.
npx playbooks add skill williamzujkowski/cognitive-toolworks --skill security-cloud-analyzerReview the files below or copy the command above to add this skill to your agents.
---
name: "Cloud Security Posture Analyzer"
slug: "security-cloud-analyzer"
description: "Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation."
capabilities:
- Public storage bucket detection (S3, Azure Storage, GCS)
- IAM overpermissive policy identification
- Encryption at rest and in transit validation
- VPC/network segmentation verification
- Cloud platform security best practices alignment
inputs:
- cloud_platform: "aws | azure | gcp (string, required)"
- resource_scope: "storage | iam | network | compute | all (string, default: all)"
- compliance_check: "cis | well-architected | both | none (string, default: none)"
outputs:
- findings: "JSON array of cloud security findings with platform-specific details"
- compliance_status: "CIS Benchmark or Well-Architected alignment (if requested)"
- remediation_commands: "Platform-specific CLI commands for fixes"
keywords:
- cloud-security
- aws-security
- azure-security
- gcp-security
- iam
- storage-security
- encryption
- network-security
- cis-benchmark
version: "1.0.0"
owner: "cognitive-toolworks"
license: "MIT"
security: "Public; no secrets or PII; safe for open repositories"
links:
- https://aws.amazon.com/architecture/security-identity-compliance/
- https://cloud.google.com/architecture/framework/security
- https://learn.microsoft.com/azure/security/
- https://www.cisecurity.org/cis-benchmarks
---
## Purpose & When-To-Use
**Trigger conditions:**
- Cloud security audit before production deployment
- Compliance requirement (CIS Benchmarks, Well-Architected Framework)
- Post-incident cloud configuration review
- Cloud migration security validation
- Third-party cloud security questionnaire response
**Not for:**
- Application-level security (use security-appsec-validator)
- Container security (use security-container-validator)
- Real-time cloud security monitoring (use CSPM tools)
- Cost optimization (use finops-cost-analyzer skill)
---
## Pre-Checks
**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates
**Input validation:**
- `cloud_platform` must be one of: [aws, azure, gcp]
- `resource_scope` must be one of: [storage, iam, network, compute, all]
- `compliance_check` must be one of: [cis, well-architected, both, none]
**Source freshness:**
- AWS Well-Architected Security Pillar (accessed 2025-10-26T01:33:55-04:00): https://aws.amazon.com/architecture/well-architected/
- Google Cloud Security Framework (accessed 2025-10-26T01:33:55-04:00): https://cloud.google.com/architecture/framework/security
- Azure Security Baseline (accessed 2025-10-26T01:33:55-04:00): https://learn.microsoft.com/azure/security/
- CIS Benchmarks (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/cis-benchmarks
---
## Procedure
### Step 1: Critical Cloud Security Controls Check
**Storage Security (AWS S3, Azure Storage, GCS):**
1. Public bucket/container exposure check (immediate critical finding if public)
2. Encryption at rest validation (AES-256, customer-managed keys preferred)
3. Versioning enabled for critical buckets
4. Access logging enabled
**IAM Security:**
1. Overpermissive policies (wildcard `*` resource or action)
2. Root account usage (AWS) or high-privilege account activity
3. MFA enforcement on privileged accounts
4. Service account key rotation (90-day max age)
**Network Security:**
1. VPC/VNet segmentation (public vs private subnets)
2. Security group/NSG rules (default deny, minimal ingress)
3. Network flow logging enabled
4. Public IP exposure on sensitive resources
**Compute Security (if scope includes compute):**
1. Unencrypted volumes/disks
2. Overly permissive instance metadata access
3. Missing security patches
4. Publicly accessible management ports (SSH, RDP)
### Step 2: Generate Platform-Specific Remediation
For each finding, provide CLI commands or IaC snippets:
- **AWS:** AWS CLI, CloudFormation, or Terraform
- **Azure:** Azure CLI or ARM templates
- **GCP:** gcloud commands or Terraform
**Token budgets:**
- **T1:** ≤2k tokens (critical findings only)
- **T2:** ≤6k tokens (full scope with remediation)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)
---
## Decision Rules
**Ambiguity thresholds:**
- If cloud account access is unavailable → request read-only credentials or architecture docs
- If resource tagging is incomplete → assess based on resource names/patterns
**Abort conditions:**
- No cloud platform specified → cannot proceed
- Zero resources found in scope → verify account access
**Severity classification:**
- Critical: Public data exposure, overpermissive root access (CVSS 9.0-10.0)
- High: Encryption missing, weak IAM policies (CVSS 7.0-8.9)
- Medium: Logging gaps, network misconfiguration (CVSS 4.0-6.9)
- Low: Best practice deviations (CVSS 0.1-3.9)
---
## Output Contract
**Required fields:**
```json
{
"cloud_platform": "aws|azure|gcp",
"resource_scope": "storage|iam|network|compute|all",
"timestamp": "ISO-8601 with timezone",
"findings": [
{
"id": "unique identifier",
"resource_type": "s3-bucket|iam-role|security-group|...",
"resource_id": "ARN or resource identifier",
"severity": "critical|high|medium|low",
"cvss_score": 0.0,
"title": "brief description",
"description": "detailed finding",
"platform_control": "CIS control ID or Well-Architected pillar",
"remediation": "specific fix steps",
"remediation_command": "CLI command or IaC snippet"
}
],
"compliance_status": {
"framework": "cis|well-architected",
"controls_assessed": ["list"],
"controls_passed": ["list"],
"controls_failed": ["list"]
},
"summary": {
"total_findings": 0,
"critical_count": 0,
"high_count": 0,
"medium_count": 0,
"low_count": 0,
"overall_risk": "critical|high|medium|low"
}
}
```
---
## Examples
**Example: AWS S3 Security Check**
```yaml
# Input
cloud_platform: "aws"
resource_scope: "storage"
compliance_check: "cis"
# Output (abbreviated)
{
"cloud_platform": "aws",
"findings": [
{
"id": "CLOUD-001",
"resource_type": "s3-bucket",
"resource_id": "arn:aws:s3:::public-data-bucket",
"severity": "critical",
"cvss_score": 9.1,
"title": "S3 bucket publicly accessible",
"remediation_command": "aws s3api put-public-access-block --bucket public-data-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
],
"summary": {"critical_count": 1, "overall_risk": "critical"}
}
```
---
## Quality Gates
**Token budgets:**
- T1 ≤2k tokens (critical findings only)
- T2 ≤6k tokens (full scope with remediation commands)
**Safety:**
- No credentials in remediation commands
- No actual resource identifiers in examples
**Auditability:**
- Findings cite CIS Benchmark or Well-Architected controls
- CVSS scores follow CVSSv3.1 methodology
**Determinism:**
- Same cloud state + inputs = consistent findings
---
## Resources
**AWS Security:**
- AWS Well-Architected Security Pillar: https://aws.amazon.com/architecture/well-architected/ (accessed 2025-10-26T01:33:55-04:00)
- AWS Security Best Practices: https://aws.amazon.com/architecture/security-identity-compliance/ (accessed 2025-10-26T01:33:55-04:00)
**Azure Security:**
- Azure Security Baseline: https://learn.microsoft.com/azure/security/ (accessed 2025-10-26T01:33:55-04:00)
- Azure Security Best Practices: https://learn.microsoft.com/azure/security/fundamentals/best-practices-and-patterns (accessed 2025-10-26T01:33:55-04:00)
**GCP Security:**
- Google Cloud Security Framework: https://cloud.google.com/architecture/framework/security (accessed 2025-10-26T01:33:55-04:00)
- GCP Security Best Practices: https://cloud.google.com/security/best-practices (accessed 2025-10-26T01:33:55-04:00)
**Multi-Cloud:**
- CIS Benchmarks (AWS, Azure, GCP): https://www.cisecurity.org/cis-benchmarks (accessed 2025-10-26T01:33:55-04:00)
- Cloud Security Alliance (CSA) Cloud Controls Matrix: https://cloudsecurityalliance.org/research/cloud-controls-matrix (accessed 2025-10-26T01:33:55-04:00)
This skill evaluates cloud security posture across AWS, Azure, and GCP with focused checks for storage exposure, IAM policy issues, network segmentation, and compute configuration gaps. It produces prioritized findings with CVSS-style severity, cites applicable CIS or Well-Architected controls, and returns platform-specific remediation commands or IaC snippets. Outputs follow a strict JSON contract suitable for automation and reporting.
The analyzer inspects selected resource scopes (storage, iam, network, compute, or all) and runs a checklist of critical controls: public storage exposure, encryption at rest, overpermissive IAM policies, MFA enforcement, network segmentation, and compute hardening. For each finding it classifies severity, assigns a CVSS-like score, maps the control to CIS or Well-Architected guidance, and generates CLI or Terraform/ARM/CloudFormation remediation snippets. If account access is unavailable or inputs are ambiguous, it requests read-only credentials or architecture docs before proceeding.
What inputs are required to run a scan?
Provide cloud_platform (aws|azure|gcp), resource_scope (storage|iam|network|compute|all), and the desired compliance_check (cis|well-architected|both|none). Read-only credentials or architecture docs are required if direct account access is unavailable.
How are severities determined?
Findings are classified as critical, high, medium, or low using decision rules tied to public data exposure, encryption gaps, IAM risks, and logging; CVSS-like scores follow CVSSv3.1 methodology.