一键导入
aws-scan-security
Evaluate IAM posture, public exposure, and security service status of the current AWS account.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Evaluate IAM posture, public exposure, and security service status of the current AWS account.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Conduct a decision-tree interview with the user to lock in requirements, motivation, scope, and non-goals before planning.
Stage 3 of three-stage planning pipeline. Produce a file-level implementation plan via detail-planner/detail-reviewer loop, then get user approval. Inputs are confirmed intent (<session-id>-intent.md) and outline (<session-id>-outline.md) from prior stages.
Edit source code for the current task. Delegates editing and lint/typecheck/self-repair to a subagent.
Plan and write test cases with high reasoning effort. Test iteration runs in a subagent to minimize confirmations.
Explore the codebase to understand existing patterns, constraints, and relevant files before planning.
Investigate git history, docs/history.md, and GitHub issue/PR timeline since the relevant issue opened, to surface changes that may invalidate the issue's premises.
| name | aws-scan-security |
| description | Evaluate IAM posture, public exposure, and security service status of the current AWS account. |
| model | opus |
| effort | high |
| context | fork |
ASE-1. Verify prerequisites.
ASE-2. IAM posture (pass --profile $AWS_PROFILE --region $AWS_DEFAULT_REGION):
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'aws iam list-virtual-mfa-devices --assignment-status Unassignedaws iam list-attached-user-policies per user, flag AdministratorAccessaws iam list-access-keys, check CreateDate
ASE-3. Public exposure:aws s3api get-bucket-acl + aws s3api get-bucket-policy-status per bucketaws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==\true`]'ASE-4. Security services: CloudTrail, GuardDuty, AWS Config, Security Hub (describe/list/get commands) ASE-5. Write raw findings to$AWS_STATE_DIR/security-.json(severity: critical/high/medium/low). ASE-6. Write human-readable summary to$AWS_STATE_DIR/security-.md`:Skip if $AWS_STATE_DIR/security-<YYYYMMDD>.json exists and is less than 4 hours old.