name: aws-security-scanner
description: AWS security configuration scanning and hardening with Prowler, Security Hub, and AWS Config
allowed-tools:
- Bash
- Read
- Write
- Glob
- Grep
- WebFetch
AWS Security Scanner Skill
Purpose
Automate AWS security configuration scanning and hardening to identify misconfigurations, compliance violations, and security risks across AWS accounts and organizations.
Capabilities
Prowler Security Assessment
- Run comprehensive Prowler security scans
- Execute CIS AWS Foundations Benchmark checks
- Run AWS Well-Architected Framework Security Pillar assessments
- Check PCI DSS, HIPAA, and GDPR compliance
- Generate reports in multiple formats (HTML, CSV, JSON)
IAM Security Analysis
- Analyze IAM policies for overly permissive access
- Check for unused credentials and access keys
- Identify IAM users without MFA enabled
- Review cross-account access configurations
- Detect privilege escalation paths
- Analyze Service Control Policies (SCPs)
S3 Bucket Security
- Identify publicly accessible buckets
- Check bucket encryption configuration
- Review bucket policies and ACLs
- Verify that access logging is enabled
- Check for sensitive data exposure
- Verify versioning and replication
Network Security Analysis
- Review security group configurations
- Analyze network ACLs
- Check whether VPC Flow Logs are enabled
- Identify internet-facing resources
- Verify VPC endpoint configuration
- Check for overly permissive rules
Encryption Verification
- Verify EBS volume encryption
- Check RDS encryption settings
- Verify S3 encryption configuration
- Review KMS key policies
- Check Secrets Manager configuration
- Verify certificate validity
Logging and Monitoring
- Verify CloudTrail configuration
- Check CloudWatch Logs retention
- Verify that GuardDuty is enabled
- Review Security Hub findings
- Check AWS Config rule compliance
- Verify alarm configuration
Compliance Mapping
- Map findings to CIS Benchmarks
- Generate SOC 2 evidence
- Track PCI DSS compliance
- Document HIPAA controls
- Map to NIST frameworks
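Two of the checks listed above, public-access grants in S3 bucket policies (S3 Bucket Security) and internet-reachable ingress rules on sensitive ports (Network Security Analysis), implemented as an added example directly over the JSON shapes returned by `aws s3api get-bucket-policy` and `aws ec2 describe-security-groups`. This is not Prowler's code or the skill's own code; the bucket policy and security group below are constructed samples, and the sensitive-port list is an assumption chosen for the example.

```python
"""Public-bucket-policy and open-security-group checks over aws-cli JSON.
Added example, not Prowler or skill code; sample inputs are constructed."""
import ipaddress
import json

# Assumed list: ports whose exposure to the whole internet is almost always a finding.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


def _as_list(value):
    """IAM policy grammar allows a scalar wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for '*' or {'AWS': '*'}. Service/Federated principals are not public."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_bucket_statements(policy_doc):
    """Return (public, conditional): Sids of Allow statements granting to any
    principal. Statements with a Condition (e.g. aws:SourceVpce) may still be
    restricted, so they are reported separately rather than as outright public."""
    public, conditional = [], []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt.get("Sid", "<no-sid>"))
    return public, conditional


def _is_world(cidr):
    """0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_ingress_rules(sg):
    """Return (GroupId, description) for ingress rules open to the internet on
    all ports or on a sensitive port. Rules from private CIDRs are ignored."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(_is_world(c) for c in ranges):
            continue
        if perm.get("IpProtocol") == "-1":          # all protocols, all ports
            findings.append((sg["GroupId"], "all traffic"))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # ICMP uses -1/-1
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append((sg["GroupId"], f"{name}/{port}"))
    return findings


# Constructed sample: what `aws s3api get-bucket-policy` returns in its Policy field.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]}""")

# Constructed sample: one entry from `aws ec2 describe-security-groups`.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(public_bucket_statements(SAMPLE_POLICY))
    print(open_ingress_rules(SAMPLE_SG))
```

The conditional bucket is reported separately on purpose: a `Principal: "*"` grant gated on `aws:SourceVpce` is a common and legitimate pattern, and collapsing it into "public" produces the false positives that make teams ignore the report. HTTPS on 443 from 0.0.0.0/0 is likewise not flagged; the rule targets administration and database ports, which is the same distinction CIS draws for remote server administration ports.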
Covered AWS Services
| Category | Services |
|---|---|
| Identity | IAM, IAM Identity Center (formerly AWS SSO), Organizations |
| Compute | EC2, Lambda, ECS, EKS |
| Storage | S3, EBS, EFS, S3 Glacier |
| Database | RDS, DynamoDB, Redshift |
| Networking | VPC, CloudFront, Route 53 |
| Security | Security Hub, GuardDuty, KMS |
| Monitoring | CloudTrail, CloudWatch, Config |
Integrations
- Prowler: open-source AWS security assessment tool
- AWS Security Hub: centralized security findings
- AWS Config: configuration compliance
- AWS CloudTrail: API activity logging
- Amazon GuardDuty: threat detection
- AWS IAM Access Analyzer: access analysis
Target Processes
- Cloud security architecture review
- Compliance monitoring
- Security posture assessment
- AWS account hardening
Input Schema
```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "gdpr", "custom"],
      "description": "Type of security scan to run"
    },
    "awsAccounts": {
      "type": "array",
      "items": { "type": "string" },
      "description": "AWS account IDs to scan"
    },
    "regions": {
      "type": "array",
      "items": { "type": "string" },
      "description": "AWS regions to scan"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low", "informational"],
      "description": "Minimum severity to report"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "GDPR", "SOC2", "NIST"]
      }
    },
    "excludeChecks": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Check IDs to exclude"
    }
  },
  "required": ["scanType"]
}
```
Output Schema
```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "accountsScanned": {
      "type": "array",
      "items": { "type": "string" }
    },
    "regionsScanned": {
      "type": "array",
      "items": { "type": "string" }
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" },
        "informational": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "region": { "type": "string" },
          "resourceId": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    },
    "reportPaths": {
      "type": "object",
      "properties": {
        "html": { "type": "string" },
        "csv": { "type": "string" },
        "json": { "type": "string" }
      }
    }
  }
}
```
Usage Example
```
skill: {
  name: 'aws-security-scanner',
  context: {
    scanType: 'cis',
    awsAccounts: ['123456789012'],
    regions: ['us-east-1', 'us-west-2'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'medium'
  }
}
```
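Glue that turns a skill context like the one above into a Prowler command line and folds Prowler's json-ocsf findings into the output schema, added here as an example; it is not code from the skill or from Prowler. It assumes Prowler 4.x flag names and compliance framework IDs (verify them with `prowler aws --help` and `prowler aws --list-compliance`) and json-ocsf field paths modelled on Prowler's output; the profile name `audit`, the output directory, and the findings are constructed for the example.

```python
"""Input context -> Prowler argv; json-ocsf findings -> output schema.
Added example, not skill or Prowler code. Assumed: Prowler 4.x flag names
and compliance IDs, and json-ocsf field paths modelled on Prowler output.
SAMPLE_CONTEXT is the page's usage example; SAMPLE_FINDINGS are constructed."""
import uuid
from collections import Counter
from datetime import datetime, timezone

SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]
SCAN_TYPE_FRAMEWORK = {"cis": "CIS", "pci": "PCI-DSS", "hipaa": "HIPAA", "gdpr": "GDPR"}
FRAMEWORK_IDS = {  # skill framework name -> Prowler compliance ID (assumed, 4.x)
    "CIS": "cis_2.0_aws", "PCI-DSS": "pci_3.2.1_aws", "HIPAA": "hipaa_aws",
    "GDPR": "gdpr_aws", "SOC2": "soc2_aws", "NIST": "nist_800_53_revision_5_aws"}

def severities_at_or_above(threshold):
    return SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1]

def prowler_argv(context, profile, out_dir):
    """One Prowler command line. Prowler scans one account per run, so the
    caller loops over `awsAccounts` with a profile or assumed role for each."""
    argv = ["prowler", "aws", "--profile", profile, "-o", out_dir,
            "-M", "html", "csv", "json-ocsf"]           # the three report formats
    if context.get("regions"):
        argv += ["-f", *context["regions"]]
    names = [SCAN_TYPE_FRAMEWORK.get(context["scanType"])] + context.get("complianceFrameworks", [])
    ids = [FRAMEWORK_IDS[n] for n in dict.fromkeys(names) if n]   # dedupe, keep order
    if ids:
        argv += ["--compliance", *ids]
    if context.get("severityThreshold"):                 # threshold -> explicit list
        argv += ["--severity", *severities_at_or_above(context["severityThreshold"])]
    if context.get("excludeChecks"):
        argv += ["-e", *context["excludeChecks"]]
    return argv

def summarize(ocsf_findings, context):
    """Fold json-ocsf records (one per check x resource) into the output schema.
    FAILs below the severity threshold count in summary.failed but are not listed."""
    wanted = set(severities_at_or_above(context.get("severityThreshold", "informational")))
    excluded = set(context.get("excludeChecks", []))
    summary, by_sev = Counter(), Counter({s: 0 for s in SEVERITY_ORDER})
    findings, compliance, accounts, regions = [], {}, set(), set()
    for rec in ocsf_findings:
        check_id = rec["metadata"]["event_code"]
        if check_id in excluded:
            continue
        summary["totalChecks"] += 1
        accounts.add(rec["cloud"]["account"]["uid"])
        regions.add(rec["cloud"]["region"])
        if rec["status_code"] != "FAIL":
            summary["passed"] += 1
            continue
        summary["failed"] += 1
        sev = rec["severity"].lower()
        if sev not in wanted:
            continue
        by_sev[sev] += 1
        mapping = rec.get("unmapped", {}).get("compliance", {})
        for framework, reqs in mapping.items():
            compliance.setdefault(framework, set()).update(reqs)
        findings.append({
            "checkId": check_id, "severity": sev, "region": rec["cloud"]["region"],
            "service": rec["resources"][0]["group"]["name"],
            "resourceId": rec["resources"][0]["uid"],
            "description": rec["finding_info"]["title"],
            "remediation": rec["remediation"]["desc"],
            "complianceMapping": [f"{fw}:{r}" for fw, rs in mapping.items() for r in rs]})
    return {
        "scanId": str(uuid.uuid4()),
        "scanTimestamp": datetime.now(timezone.utc).isoformat(),
        "accountsScanned": sorted(accounts), "regionsScanned": sorted(regions),
        "summary": {k: summary[k] for k in ("totalChecks", "passed", "failed")},
        "findingsBySeverity": dict(by_sev), "findings": findings,
        "complianceStatus": {fw: {"failedRequirements": sorted(rs)} for fw, rs in compliance.items()},
        "recommendations": list(dict.fromkeys(f["remediation"] for f in findings if f["remediation"]))}

def _ocsf(check_id, status, severity, region, resource, title, fix, compliance):
    # Constructed record carrying only the json-ocsf fields summarize() reads.
    return {"metadata": {"event_code": check_id}, "status_code": status, "severity": severity,
            "cloud": {"account": {"uid": "123456789012"}, "region": region},
            "resources": [{"uid": resource, "group": {"name": check_id.split("_")[0]}}],
            "finding_info": {"title": title}, "remediation": {"desc": fix},
            "unmapped": {"compliance": compliance}}

SAMPLE_CONTEXT = {"scanType": "cis", "awsAccounts": ["123456789012"], "regions": ["us-east-1", "us-west-2"],
                  "complianceFrameworks": ["CIS", "SOC2"], "severityThreshold": "medium"}
SAMPLE_FINDINGS = [  # constructed; CIS requirement numbers are illustrative
    _ocsf("s3_bucket_public_access", "FAIL", "High", "us-east-1", "arn:aws:s3:::example-bucket",
          "S3 bucket allows public access", "Enable S3 Block Public Access", {"CIS-2.0": ["2.1.4"]}),
    _ocsf("cloudtrail_multi_region_enabled", "PASS", "High", "us-east-1",
          "arn:aws:cloudtrail:us-east-1:123456789012:trail/org", "Multi-region trail enabled", "", {"CIS-2.0": ["3.1"]}),
    _ocsf("ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", "FAIL", "High", "us-west-2",
          "sg-0123456789abcdef0", "SSH open to 0.0.0.0/0", "Restrict port 22 to known CIDRs", {"CIS-2.0": ["5.2"]}),
    _ocsf("iam_user_hardware_mfa_enabled", "FAIL", "Low", "us-east-1", "arn:aws:iam::123456789012:user/alice",
          "IAM user has no hardware MFA", "Enrol a hardware MFA device", {"CIS-2.0": ["1.11"]})]

if __name__ == "__main__":
    print(" ".join(prowler_argv(SAMPLE_CONTEXT, "audit", "./prowler-out")))
    print(summarize(SAMPLE_FINDINGS, SAMPLE_CONTEXT))
```

Two design points worth keeping when adapting this: the severity threshold is expanded into an explicit `--severity` list so Prowler does not spend time on checks the report will drop, and excluded checks are filtered again at aggregation time so a report built from an earlier, unfiltered run still honours the context. The `reportPaths` field of the output schema is not filled here because Prowler names its output files itself; read them back from the `-o` directory after the run.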