// AWS security posture assessment and incident response — covers IAM analysis (overprivileged roles, unused credentials, MFA gaps), Security Hub findings, GuardDuty threats, Inspector vulnerabilities, S3 public access, SG/NACL misconfigurations, KMS key rotation, WAF rules, Config compliance, and CloudTrail integrity.
Kubernetes administration and troubleshooting — covers pod debugging (CrashLoopBackOff, OOMKilled, ImagePullBackOff, Pending), node issues, CNI/networking, CoreDNS, PVC/storage, HPA/VPA autoscaling, and EKS-specific patterns. Includes decision trees for common failure modes.
Read and analyze documents — PDF, DOCX, Markdown, HTML, CSV, XLSX, JSON, YAML. Provides read_document tool with no output truncation and page-range support for PDFs. Use when the user shares a document or asks to explain, summarize, or extract information from files.
Fetch open web data — cloud status pages, documentation, API endpoints, changelogs, and CVE databases. Provides web_fetch tool for HTTP GET with security controls (private IP blocking, size limits, timeout). Use for checking service status pages, reading upstream documentation, or fetching public API data during investigation.
Send notifications and distribute formatted reports to channels (Feishu, Slack, Email, SES, SNS, DingTalk, WeCom, Webhook). Supports batch multi-channel delivery with format-aware conversion (HTML, PDF, Markdown). Activate to gain send and distribute tools.
Distributed trace analysis via Jaeger — cross-service causal chain construction, latency bottleneck identification, error propagation tracking. Provides 4 trace query tools and decision trees for investigating cascading failures across microservices.
Local filesystem operations — read configs, tail logs, search files, list directories, inspect file metadata, and write files. Provides secure access to local operational artifacts (Terraform, CloudFormation, Kubernetes manifests, systemd units, nginx configs, application properties, log files). Includes security blocklists for sensitive files.
| name | security-engineer |
| description | AWS security posture assessment and incident response — covers IAM analysis (overprivileged roles, unused credentials, MFA gaps), Security Hub findings, GuardDuty threats, Inspector vulnerabilities, S3 public access, SG/NACL misconfigurations, KMS key rotation, WAF rules, Config compliance, and CloudTrail integrity. |
| metadata | {"author":"agenticops","version":"1.0","domain":"security"} |
Credential Hygiene
aws iam generate-credential-report then aws iam get-credential-reportOverprivileged Roles/Users
aws iam list-attached-user-policies --user-name USERaws iam list-attached-role-policies --role-name ROLEAdministratorAccess, PowerUserAccess, *:* in inline policiesaws accessanalyzer list-findings --analyzer-arn ARN → external access findingsaws iam generate-service-last-accessed-details --arn ARNCross-Account Trust
aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument]'Principal: {"AWS": "*"} → anyone can assumeCondition absence on cross-account trusts → no external ID protectionIAM Issue Detected
|
+-- Stale credentials (>90 days)?
| +-- Access key → disable/rotate key
| +-- Console password → force reset
|
+-- Overprivileged?
| +-- Admin policy on user → move to role, scope down
| +-- Wildcard (*:*) → replace with least-privilege
|
+-- No MFA?
| +-- Root → CRITICAL, enable hardware MFA immediately
| +-- User → HIGH, enforce MFA via policy condition
|
+-- Cross-account trust too broad?
+-- Principal: * → restrict to specific account IDs
+-- No ExternalId → add condition for ExternalId
aws securityhub get-findings --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}],"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}'GeneratorId (rule source: CIS, PCI-DSS, Best Practices)Top CIS Benchmark Failures:
| Control | Impact | Quick Fix |
|---|---|---|
| 1.4 Root MFA | CRITICAL | Enable hardware MFA on root |
| 1.10 MFA for console | HIGH | IAM policy with aws:MultiFactorAuthPresent |
| 2.1 CloudTrail enabled | CRITICAL | Enable multi-region trail |
| 2.6 S3 access logging | MEDIUM | Enable server access logging |
| 2.9 VPC flow logs | HIGH | Enable flow logs per VPC |
| 3.x CloudTrail alarm filters | MEDIUM | CloudWatch log metric filters |
| 4.1-4.3 SG open ports | HIGH | Restrict 0.0.0.0/0 ingress |
aws guardduty list-detectors → get detector IDaws guardduty list-findings --detector-id DID --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'aws guardduty get-findings --detector-id DID --finding-ids [IDs]Finding Type Categories:
| Prefix | Category | Typical Severity |
|---|---|---|
Recon: | Reconnaissance (port scan, API enum) | MEDIUM |
UnauthorizedAccess: | Credential abuse, unusual API | HIGH-CRITICAL |
Trojan: / Backdoor: | Malware indicators | CRITICAL |
CryptoCurrency: | Crypto mining | HIGH |
Exfiltration: | Data exfiltration patterns | CRITICAL |
Impact: | Resource abuse (DoS, mining) | HIGH |
CredentialAccess: | Credential compromise | CRITICAL |
GuardDuty Finding
|
+-- Severity >= 8 (CRITICAL)?
| +-- UnauthorizedAccess:IAMUser → rotate creds NOW, check CloudTrail
| +-- Trojan/Backdoor → isolate instance, forensic snapshot
| +-- CryptoCurrency → terminate instance, audit IAM
|
+-- Severity 4-7 (HIGH/MEDIUM)?
| +-- Recon → check SG rules, enable VPC flow logs
| +-- UnauthorizedAccess:EC2 → check instance profile, SSM access
|
+-- Severity < 4 (LOW)?
+-- Usually informational → review weekly
aws inspector2 list-findings --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}],"severity":[{"comparison":"EQUALS","value":"CRITICAL"}]}'Priority Matrix:
| CVSS | Network Reachable | Exploit Available | Priority |
|---|---|---|---|
| ≥9.0 | Yes | Yes | P0 — patch NOW |
| ≥9.0 | No | Yes | P1 — patch this sprint |
| ≥7.0 | Yes | Yes | P1 |
| ≥7.0 | No | No | P2 — plan patch |
| <7.0 | * | * | P3 — backlog |
aws s3api get-public-access-block --bucket BUCKET → check all 4 flagsaws s3api get-bucket-policy --bucket BUCKET → check for "Principal": "*"aws s3api get-bucket-acl --bucket BUCKET → check for AllUsers or AuthenticatedUsersaws s3control get-public-access-block --account-id ACCTS3 Public Access
|
+-- Account-level block disabled?
| +-- CRITICAL → enable account-level public access block
|
+-- Bucket policy allows Principal: *?
| +-- With Condition (IP/VPC restriction) → MEDIUM, review restriction
| +-- Without Condition → CRITICAL, restrict immediately
|
+-- ACL grants AllUsers?
| +-- READ → HIGH, remove public read
| +-- WRITE → CRITICAL, remove immediately
|
+-- Bucket-level block disabled?
+-- Enable all 4 block settings unless there's a documented exception
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, \0.0.0.0/0`)]]'`aws ec2 describe-network-acls --query 'NetworkAcls[?Entries[?RuleAction==\allow` && CidrBlock==`0.0.0.0/0`]]'`High-Risk Open Ports:
| Port | Service | 0.0.0.0/0 Risk |
|---|---|---|
| 22 | SSH | CRITICAL — brute force target |
| 3389 | RDP | CRITICAL — ransomware vector |
| 3306 | MySQL | CRITICAL — data exposure |
| 5432 | PostgreSQL | CRITICAL — data exposure |
| 6379 | Redis | CRITICAL — no auth by default |
| 27017 | MongoDB | CRITICAL — no auth by default |
| 9200 | Elasticsearch | HIGH — data exposure |
| 8080/8443 | App server | MEDIUM — depends on app |
KMS Key Rotation
aws kms list-keys then aws kms get-key-rotation-status --key-id KEYaws kms describe-key --key-id KEY → check KeyState, OriginEBS Encryption
aws ec2 describe-volumes --query 'Volumes[?!Encrypted]' → unencrypted volumesaws ec2 get-ebs-encryption-by-default → check account defaultRDS Encryption
aws rds describe-db-instances --query 'DBInstances[?!StorageEncrypted]' → unencrypted instancesS3 Default Encryption
aws s3api get-bucket-encryption --bucket BUCKETaws cloudtrail describe-trails → ensure multi-region trail existsaws cloudtrail get-trail-status --name TRAIL → check IsLogging == trueaws cloudtrail get-trail --name TRAIL → LogFileValidationEnabledaws configservice describe-compliance-by-config-ruleaws configservice get-compliance-details-by-config-rule --config-rule-name RULEs3-bucket-public-read-prohibited, iam-root-access-key-check,
restricted-ssh, rds-storage-encrypted, cloudtrail-enabled# Security Hub summary
aws securityhub get-findings --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
--query 'Findings[].{Title:Title,Severity:Severity.Label,Resource:Resources[0].Id}' \
--max-items 20
# GuardDuty high-severity findings
aws guardduty list-detectors --query 'DetectorIds[0]' --output text | \
xargs -I{} aws guardduty list-findings --detector-id {} \
--finding-criteria '{"Criterion":{"severity":{"Gte":7}}}' --max-results 10
# Open security groups (0.0.0.0/0 on sensitive ports)
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) && (FromPort==`22` || FromPort==`3389` || FromPort==`3306` || FromPort==`5432`)]]' \
--output table
# IAM credential report
aws iam generate-credential-report && sleep 5 && \
aws iam get-credential-report --query Content --output text | base64 -d
# Isolate compromised EC2 instance (replace SG with empty one)
aws ec2 create-security-group --group-name quarantine --description "Incident quarantine" --vpc-id VPC
aws ec2 modify-instance-attribute --instance-id INSTANCE --groups sg-quarantine-id
# Disable compromised IAM user
aws iam update-login-profile --user-name USER --no-password-reset-required
aws iam list-access-keys --user-name USER
aws iam update-access-key --user-name USER --access-key-id KEY --status Inactive
# Create forensic snapshot before terminating instance
aws ec2 create-snapshot --volume-id VOL --description "Forensic snapshot - incident YYYY-MM-DD"
| Metric | Warning | Critical | Notes |
|---|---|---|---|
| IAM users without MFA | > 0 | Root without MFA | CIS 1.4, 1.10 |
| Access keys > 90 days | > 5 users | > 20% of users | CIS 1.3, 1.4 |
| Security Hub CRITICAL findings | > 0 | > 10 | Active critical findings |
| GuardDuty HIGH/CRITICAL | > 0 | > 5 | Active threat findings |
| Open SGs (0.0.0.0/0 on 22,3389) | > 0 | > 5 | Direct attack surface |
| Unencrypted EBS volumes | > 0 | > 10 | Data-at-rest compliance |
| S3 buckets with public access | > 0 | Any | Data exposure risk |
| CloudTrail logging disabled | > 0 | Multi-region trail missing | Audit trail |
| Inspector CRITICAL CVEs | > 0 | > 10 (network reachable) | Exploitable vulns |