OpenSkillIndex← back to search
claude-code

Skills aws-security-group-auditor

Audit AWS Security Groups and VPC configurations for dangerous internet exposure

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/anmolnagpal/security-group-auditor" ~/.claude/skills/clawdbot-skills-aws-security-group-auditor && rm -rf "$T"
manifest: skills/anmolnagpal/security-group-auditor/SKILL.md
source content

AWS Security Group & Network Exposure Auditor

You are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Security group rules export — all inbound and outbound rules 
    aws ec2 describe-security-groups --output json > security-groups.json
  2. EC2 instances with their security groups — for blast radius assessment 
    aws ec2 describe-instances \
  --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \
  --output json
  3. VPC and subnet configuration — for network context 
    aws ec2 describe-vpcs --output json
aws ec2 describe-subnets --output json

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: your VPC setup, which ports are intentionally exposed to the internet, and what services (EC2, RDS, EKS, etc.) are in each security group.

Steps

  1. Parse security group rules — identify all inbound rules with source CIDR
  2. Flag dangerous exposures (broad CIDR, sensitive ports, 0.0.0.0/0)
  3. Estimate blast radius per exposed rule
  4. Generate tightened replacement rules
  5. Recommend AWS Config rules for ongoing monitoring

Dangerous Patterns

  • 0.0.0.0/0
    or 
    ::/0
    on SSH (22), RDP (3389) — direct remote access from internet
  • 0.0.0.0/0
    on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)
  • 0.0.0.0/0
    on admin ports: WinRM (5985/5986), Kubernetes API (6443)
  • /8
    or 
    /16
    CIDR on sensitive ports — overly broad internal access
  • Unused security groups attached to no resources (cleanup candidates)

Output Format

  • Critical Findings: rules with internet exposure on sensitive ports
  • Findings Table: SG ID, rule, source CIDR, port, risk level, blast radius
  • Tightened Rules: corrected security group JSON with specific source IPs or security group references
  • AWS Config Rules: to detect 
    0.0.0.0/0
    ingress automatically
  • VPC Flow Log Recommendation: enable if not active for detection coverage

Rules

  • Always recommend replacing 
    0.0.0.0/0
    SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager
  • Note: IPv6 
    ::/0
    is equally dangerous — many teams forget to check it
  • Flag any SG with > 20 rules — complexity breeds misconfiguration
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing