
Cloud Security
Run structured CSPM and IAM checks across AWS, Azure, and GCP before you ship or while you harden production cloud accounts.
Overview
Cloud Security is an agent skill most often used in Ship (also Operate, Build) that applies multi-cloud CSPM check matrices and IAM remediation guidance when reviewing AWS, Azure, and GCP posture.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill cloud-security
What is this skill?
- Complete CSPM check matrices spanning AWS, Azure, and GCP
- Per-finding condition, severity, MITRE ATT&CK technique, and remediation column
- AWS IAM checks for critical combos: admin wildcards, public principals, PassRole with Lambda/EC2/CloudFormation
- Privilege-escalation patterns: self-attach policies, policy version backdoors, service-level wildcards
- Reference-style checker your agent can apply during policy review without replacing a live CSPM SaaS
- The AWS IAM table in SKILL.md below lists 11 checks, each with a MITRE ATT&CK technique and a remediation column
Adoption & trust: 540 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping or operating on AWS, Azure, or GCP but lack a consistent checklist to catch critical IAM misconfigs and map findings to MITRE techniques and fixes.
Who is it for?
Solo builders running SaaS or APIs on one or more public clouds who want agent-guided IAM and CSPM reviews aligned to MITRE ATT&CK.
Skip if: Teams with no cloud footprint, purely local or static sites, or builders who only need application-level SAST/DAST without IAM posture reference material.
When should I use this skill?
Reviewing or hardening cloud IAM policies, investigating CSPM-style misconfigurations, or pre-ship security checks on AWS, Azure, or GCP.
What do I get? / Deliverables
You get prioritized CSPM-style findings with severity, attack technique context, and scoped remediation steps you can apply to IAM policies before deploy or during production hardening.
- Prioritized finding list with severity and MITRE technique labels
- Scoped IAM remediation recommendations per check row
- Documented misconfiguration conditions to re-test after policy changes
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
The skill is a security posture reference for cloud misconfigurations, which solo builders most often invoke during pre-launch hardening and release gates in the Ship phase. Security is the canonical shelf for CSPM matrices, IAM escalation patterns, and remediation guidance—not launch distribution or grow analytics.
Where it fits
Gate a production deploy by scanning draft IAM policies for Critical PassRole and wildcard admin patterns before merge.
Triage recurring CSPM alerts on live accounts and match each finding to the matrix remediation column.
Shape least-privilege roles for a new Lambda or EC2 workload using service-scoped policies instead of iam:* or s3:*.
Document required cloud security controls and IAM boundaries before committing to a multi-cloud architecture.
How it compares
Use as an in-agent CSPM and IAM checker reference, not as a hosted cloud scanner or MCP replacement for live account APIs.
Common Questions / FAQ
Who is cloud-security for?
It is for solo and indie builders (and small teams) shipping on AWS, Azure, or GCP who want structured CSPM and IAM checks while coding with Claude Code, Cursor, Codex, or similar agents.
When should I use cloud-security?
Use it during Ship security reviews before production cutover, in Operate when remediating posture drift or escalation risks, and in Build when drafting backend IAM policies—especially for PassRole combos, wildcards, and public principals.
Is cloud-security safe to install?
Treat it like any third-party agent skill: review the Security Audits panel on this Prism page and your org policy before enabling network or API access in your agent; the skill itself is reference guidance, not a guarantee of account safety.
SKILL.md - Cloud Security
# CSPM Check Reference

Complete check matrices for cloud security posture management across AWS, Azure, and GCP. Each check includes finding condition, severity, MITRE ATT&CK technique, and remediation guidance.

---

## AWS IAM Checks

| Check | Finding Condition | Severity | MITRE | Remediation |
|-------|------------------|----------|-------|-------------|
| Full admin wildcard | `Action: *` + `Resource: *` in Allow statement | Critical | T1078.004 | Replace with service-specific scoped policies |
| Public principal | `Principal: *` in Allow statement | Critical | T1190 | Restrict to specific account ARNs + aws:PrincipalOrgID condition |
| Lambda PassRole combo | `iam:PassRole` + `lambda:CreateFunction` | Critical | T1078.004 | Remove iam:PassRole or restrict its Resource to the specific execution role ARNs the function may be given |
| EC2 PassRole combo | `iam:PassRole` + `ec2:RunInstances` | Critical | T1078.004 | Remove iam:PassRole or restrict its Resource to the specific instance role ARNs behind the allowed instance profiles |
| CloudFormation PassRole | `iam:PassRole` + `cloudformation:CreateStack` | Critical | T1078.004 | Restrict PassRole to specific service role ARNs |
| Self-attach escalation | `iam:AttachUserPolicy` + `sts:GetCallerIdentity` | Critical | T1484.001 | Remove iam:AttachUserPolicy from non-admin policies |
| Policy version backdoor | `iam:CreatePolicyVersion` + `iam:ListPolicies` | Critical | T1484.001 | Restrict CreatePolicyVersion to named policy ARNs |
| Service-level wildcard | `iam:*`, `s3:*`, `ec2:*`, etc. | High | T1078.004 | Replace with specific required actions |
| Credential harvesting | `iam:CreateAccessKey` + `iam:ListUsers` | High | T1098.001 | Separate roles; restrict CreateAccessKey to self only |
| Data exfil on wildcard | `s3:GetObject` on `Resource: *` | High | T1530 | Restrict to specific bucket ARNs |
| Secrets exfil on wildcard | `secretsmanager:GetSecretValue` on `Resource: *` | High | T1552 | Restrict to specific secret ARNs |

---

## AWS S3 Checks

| Check | Finding Condition | Severity | MITRE | Remediation |
|-------|------------------|----------|-------|-------------|
| Public access block missing | Any of four flags = false or absent | High | T1530 | Enable all four flags at bucket and account level |
| Bucket ACL public-read-write | ACL = public-read-write | Critical | T1530 | Set ACL = private; use bucket policy for access control |
| Bucket ACL public-read | ACL = public-read or authenticated-read | High | T1530 | Set ACL = private |
| Bucket policy Principal:* | Statement with Effect=Allow, Principal=* | Critical | T1190 | Restrict Principal to specific ARNs + aws:PrincipalOrgID |
| No default encryption | No ServerSideEncryptionConfiguration | High | T1530 | Add default encryption rule (AES256 or aws:kms) |
| Non-standard encryption | SSEAlgorithm not in {AES256, aws:kms, aws:kms:dsse} | Medium | T1530 | Switch to standard SSE algorithm |
| Versioning disabled | VersioningConfiguration = Suspended or absent | Medium | T1485 | Enable versioning to protect against ransomware deletion |
| Access logging disabled | LoggingEnabled absent | Low | T1530 | Enable server access logging for audit trail |

---

## AWS Security Group Checks

| Check | Finding Condition | Severity | MITRE | Remediation |
|-------|------------------|----------|-------|-------------|
| All traffic open | Protocol=-1 (all) from 0.0.0.0/0 or ::/0 | Critical | T1190 | Remove rule; add specific required ports only |
| SSH open | Port 22 from 0.0.0.0/0 or ::/0 | Critical | T1110 | Restrict to VPN CIDR or use AWS Systems Manager Session Manager |
| RDP open | Port 3389 from 0.0.0.0/0 or ::/0 | Critical | T1110 | Restrict to VPN CIDR or use AWS Fleet Manager |
| MySQL open | Port 3306 from 0.0.0.0/0 or ::/0 | High | T1190 | Move DB to private subnet; allow only from app tier SG |
| PostgreSQL open | Port 5432 from 0.0.0.0/0 or ::/0 | High | T1190 | Move DB to private subnet; allow only from app tier SG |
| MSSQL open | Port 1433 from 0.0.0.0/0 or ::/0 | High | T1190 | Move DB to private subnet; allo
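One way to apply the AWS IAM rows of this matrix to a policy document before it is merged (the deploy-gate use described under "Where it fits", and the PassRole, wildcard and public-principal checks listed under "What is this skill?"), written here as an added Python example that is not part of the skill or its repository. It reads the policy as a dict, applies each row's finding condition, and returns findings with the matrix's severity, technique and remediation text. The two deploy policies (a draft CI policy and the same policy after the remediation column is applied), the bucket policy, and the account ID, role, function and bucket names in them are constructed for the example. Assumptions: Deny statements, Condition blocks, NotAction/NotResource, SCPs and permission boundaries are not evaluated, so a finding means "the Allow statements grant this", not "the effective permission is this".

```python
import fnmatch

# Rows that fire when every listed action is granted by some Allow statement
# (check, severity, MITRE, remediation, actions); the first action is the privileged one.
COMBO_ROWS = [
    ("Lambda PassRole combo", "Critical", "T1078.004",
     "Remove iam:PassRole or restrict it to specific role ARNs", ("iam:PassRole", "lambda:CreateFunction")),
    ("EC2 PassRole combo", "Critical", "T1078.004",
     "Remove iam:PassRole or restrict it to specific role ARNs", ("iam:PassRole", "ec2:RunInstances")),
    ("CloudFormation PassRole", "Critical", "T1078.004",
     "Restrict PassRole to specific service role ARNs", ("iam:PassRole", "cloudformation:CreateStack")),
    ("Self-attach escalation", "Critical", "T1484.001",
     "Remove iam:AttachUserPolicy from non-admin policies", ("iam:AttachUserPolicy", "sts:GetCallerIdentity")),
    ("Policy version backdoor", "Critical", "T1484.001",
     "Restrict CreatePolicyVersion to named policy ARNs", ("iam:CreatePolicyVersion", "iam:ListPolicies")),
    ("Credential harvesting", "High", "T1098.001",
     "Separate roles; restrict CreateAccessKey to self only", ("iam:CreateAccessKey", "iam:ListUsers")),
]
# Rows that fire when a read action is granted on Resource "*".
WILDCARD_RESOURCE_ROWS = [
    ("Data exfil on wildcard", "High", "T1530", "Restrict to specific bucket ARNs", "s3:GetObject"),
    ("Secrets exfil on wildcard", "High", "T1552", "Restrict to specific secret ARNs", "secretsmanager:GetSecretValue"),
]

def _as_list(value):  # Statement, Action, Resource and Principal.AWS may be a scalar or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_full_admin(stmt):
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def _covers(pattern, action):
    # IAM action names match case-insensitively and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _granting(policy, action):
    # Allow statements whose Action covers `action`. Full-admin statements are
    # reported once by their own row, not again by every combo row.
    return [s for s in _allow_statements(policy) if not _is_full_admin(s)
            and any(_covers(p, action) for p in _as_list(s.get("Action")))]

def _is_public(principal):  # resource-policy principal meaning "anyone"
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def _finding(check, severity, mitre, remediation, detail):
    return {"check": check, "severity": severity, "mitre": mitre,
            "remediation": remediation, "detail": detail}

def check_iam_policy(policy):
    """Apply the AWS IAM matrix rows to one identity- or resource-based policy.
    Assumption: Deny, Condition, NotAction/NotResource, SCPs and permission
    boundaries are ignored, so findings describe what the Allow statements grant."""
    findings = []
    for s in _allow_statements(policy):
        if _is_full_admin(s):
            findings.append(_finding("Full admin wildcard", "Critical", "T1078.004",
                "Replace with service-specific scoped policies", "Action:* on Resource:*"))
        if _is_public(s.get("Principal")):
            findings.append(_finding("Public principal", "Critical", "T1190",
                "Restrict to specific account ARNs + aws:PrincipalOrgID", "Principal:*"))
        for a in _as_list(s.get("Action")):
            if a != "*" and a.endswith(":*"):  # iam:*, s3:*, ec2:*, ...
                findings.append(_finding("Service-level wildcard", "High", "T1078.004",
                    "Replace with specific required actions", a))
    for check, sev, mitre, fix, actions in COMBO_ROWS:
        granting = [_granting(policy, a) for a in actions]
        if all(granting):  # show how the privileged action is scoped; ['*'] means unscoped
            scope = sorted({r for s in granting[0] for r in _as_list(s.get("Resource"))})
            findings.append(_finding(check, sev, mitre, fix, f"{actions[0]} on {scope}"))
    for check, sev, mitre, fix, action in WILDCARD_RESOURCE_ROWS:
        if any("*" in _as_list(s.get("Resource")) for s in _granting(policy, action)):
            findings.append(_finding(check, sev, mitre, fix, f"{action} on Resource:*"))
    return findings

# Constructed samples: account ID, role, function and bucket names are placeholders.
DRAFT_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
HARDENED_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:CreateFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/orders-lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::orders-artifacts/*"}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::orders-artifacts/*"}]}

if __name__ == "__main__":
    for name, policy in [("draft", DRAFT_DEPLOY_POLICY), ("hardened", HARDENED_DEPLOY_POLICY)]:
        for f in check_iam_policy(policy):
            print(f"{name}: [{f['severity']}] {f['check']}: {f['detail']} -> {f['remediation']}")
```

The draft policy produces three findings (service-level wildcard on `s3:*`, the Lambda PassRole combo with PassRole on `['*']`, and data exfil because `s3:*` on `Resource: *` covers `s3:GetObject`). The hardened policy still trips the Lambda PassRole row, because the matrix condition is the action pair and both actions remain granted; the detail field shows PassRole is now scoped to one execution role ARN, which is the state the remediation column asks for, so that finding is the one to accept in review rather than re-fix. A policy that is nothing but `Action: *` on `Resource: *` yields one Full admin wildcard finding instead of one per combo row.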
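For the AWS Security Group rows, an added Python example (not the skill's own code) that applies the same conditions to the shape `aws ec2 describe-security-groups` returns (`SecurityGroups[].IpPermissions[]` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp` and `Ipv6Ranges[].CidrIpv6`). The three groups, their IDs and names are constructed. It covers the two cases a simple port-equality check misses: `IpProtocol` `-1` (all traffic, which carries no port fields) and a TCP port range that exposes a listed port without naming it. The MSSQL remediation text is the part of that row that survives on the page.

```python
ANYWHERE = {"0.0.0.0/0", "::/0"}

# (check, TCP port, severity, MITRE, remediation) from the matrix.
PORT_ROWS = [
    ("SSH open", 22, "Critical", "T1110", "Restrict to VPN CIDR or use AWS Systems Manager Session Manager"),
    ("RDP open", 3389, "Critical", "T1110", "Restrict to VPN CIDR or use AWS Fleet Manager"),
    ("MySQL open", 3306, "High", "T1190", "Move DB to private subnet; allow only from app tier SG"),
    ("PostgreSQL open", 5432, "High", "T1190", "Move DB to private subnet; allow only from app tier SG"),
    ("MSSQL open", 1433, "High", "T1190", "Move DB to private subnet"),
]

def _world_sources(perm):
    """CIDR sources of one inbound rule that mean 'anywhere' (IPv4 or IPv6)."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return sorted((v4 | v6) & ANYWHERE)

def _tcp_rule_covers(perm, port):
    """True if a TCP rule's FromPort..ToPort range includes `port`: a rule for
    1024-65535 exposes 3306 exactly as a rule for 3306 alone does."""
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def check_security_group(group):
    """Apply the Security Group matrix rows to one group; findings in rule order."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = _world_sources(perm)
        if not sources:  # only SG-to-SG or private CIDR sources: no row applies
            continue
        base = {"group": group.get("GroupId"), "sources": sources}
        if perm.get("IpProtocol") == "-1":  # all protocols and ports; no port fields present
            findings.append({**base, "check": "All traffic open", "severity": "Critical",
                             "mitre": "T1190", "remediation": "Remove rule; add specific required ports only"})
            continue  # the per-port rows would only restate this finding
        for check, port, sev, mitre, fix in PORT_ROWS:
            if _tcp_rule_covers(perm, port):
                findings.append({**base, "check": check, "severity": sev, "mitre": mitre,
                                 "remediation": fix, "port": port})
    return findings

def check_security_groups(groups):
    return [f for g in groups for f in check_security_group(g)]

# Constructed sample: three groups as describe-security-groups would list them
# (IDs and names are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},  # app tier only: clean
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # "ephemeral ports" rule that also covers the DB ports
    {"GroupId": "sg-0legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in check_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: [{f['severity']}] {f['check']} from {f['sources']} -> {f['remediation']}")
```

The bastion group yields one SSH finding that names both `0.0.0.0/0` and `::/0` as sources (the 443 rule matches no row); the db group's 1024-65535 rule yields RDP, MySQL, PostgreSQL and MSSQL findings even though none of those ports appears literally in the rule, while its SG-to-SG PostgreSQL rule is clean; the legacy group yields a single All traffic finding rather than one per port.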