OpenSkillIndex← back to search
claude-codeautomation

Claude-skill-registry aws-security-best-practices

Implement comprehensive AWS security controls and compliance

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/aws-security-best-practices" ~/.claude/skills/majiayu000-claude-skill-registry-aws-security-best-practices && rm -rf "$T"
manifest: skills/data/aws-security-best-practices/SKILL.md
tags
#aws#security#compliance#cloudformation#automation
source content

AWS Security Best Practices Skill

Implement defense-in-depth security for AWS workloads.

Quick Reference

AttributeValue
AWS ServicesKMS, WAF, GuardDuty, Security Hub
ComplexityMedium-High
Est. Time30-60 min
PrerequisitesAdmin access

Parameters

Required

ParameterTypeDescriptionValidation
compliance_frameworkstringTarget frameworkSOC2, HIPAA, PCI-DSS, CIS
scopearrayResource types["EC2", "S3", "RDS"]

Optional

ParameterTypeDefaultDescription
enable_guarddutybooltrueEnable GuardDuty
enable_securityhubbooltrueEnable Security Hub
encryption_key_typestringAWS_MANAGEDAWS_MANAGED or CMK
log_retention_daysint365CloudTrail log retention

Security Checklist by Service

S3 Security

mandatory:
  - Block Public Access: enabled (account + bucket level)
  - Default Encryption: SSE-S3 or SSE-KMS
  - Access Logging: enabled
  - Versioning: enabled for critical data

recommended:
  - Object Lock: for compliance
  - MFA Delete: for versioned buckets
  - Lifecycle Rules: auto-delete old versions

EC2 Security

mandatory:
  - IMDSv2: required (HttpTokens=required)
  - EBS Encryption: default enabled
  - Security Groups: no 0.0.0.0/0 for SSH/RDP
  - Systems Manager: for patching

recommended:
  - Inspector: vulnerability scanning
  - No public IPs: use bastion or SSM
  - Instance profiles: no access keys on instances

RDS Security

mandatory:
  - No Public Access: publicly_accessible=false
  - Encryption at Rest: storage_encrypted=true
  - SSL/TLS: required for connections
  - Security Groups: app-tier only access

recommended:
  - IAM Authentication: enabled
  - Audit Logging: enabled
  - Automated Backups: encrypted

Implementation

Enable GuardDuty

# Enable GuardDuty
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"},{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'

Enable Security Hub

# Enable Security Hub with standards
aws securityhub enable-security-hub \
  --enable-default-standards

# Enable additional standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests '[{"StandardsArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0"}]'

KMS Key Setup

# Create CMK with rotation
aws kms create-key \
  --description "RDS encryption key" \
  --key-spec SYMMETRIC_DEFAULT \
  --key-usage ENCRYPT_DECRYPT \
  --tags TagKey=Purpose,TagValue=RDS

# Enable rotation
aws kms enable-key-rotation --key-id $KEY_ID

WAF Rule Example

# Create WAF rule for SQL injection
aws wafv2 create-rule-group \
  --name SQLiProtection \
  --scope REGIONAL \
  --capacity 100 \
  --rules '[{
    "Name": "SQLiRule",
    "Priority": 1,
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": {"Body": {}},
        "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]
      }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "SQLiRule"
    }
  }]'

Compliance Mapping

FrameworkKey AWS Controls
SOC 2CloudTrail, Config, GuardDuty, IAM
HIPAAKMS, CloudWatch, VPC, WAF, Macie
PCI-DSSKMS, WAF, CloudTrail, VPC, Config
CISSecurity Hub CIS Benchmark, Config
GDPRKMS, Macie, Data lifecycle policies

Troubleshooting

Common Issues

SymptomCauseSolution
Access DeniedIAM/resource policyCheck both policies
KMS errorKey policyVerify key grants
WAF blocking legitRule too strictUse count mode first
GuardDuty findingSecurity issueInvestigate finding

Debug Checklist

  • CloudTrail enabled in all regions?
  • GuardDuty enabled with all features?
  • Security Hub standards enabled?
  • AWS Config recording?
  • VPC Flow Logs enabled?
  • KMS keys have rotation?

Security Finding Triage

Critical: Immediate action required
├── Unauthorized access detected
├── Data exfiltration attempt
└── Compromised credentials

High: Action within 24 hours
├── Exposed credentials
├── Open security groups
└── Unencrypted data

Medium: Action within 7 days
├── Missing encryption
├── Logging gaps
└── Outdated software

Test Template

def test_s3_security_controls():
    # Arrange
    bucket = "test-bucket"

    # Act - Check Block Public Access
    response = s3.get_public_access_block(Bucket=bucket)
    config = response['PublicAccessBlockConfiguration']

    # Assert
    assert config['BlockPublicAcls'] == True
    assert config['IgnorePublicAcls'] == True
    assert config['BlockPublicPolicy'] == True
    assert config['RestrictPublicBuckets'] == True

    # Act - Check Encryption
    enc_response = s3.get_bucket_encryption(Bucket=bucket)

    # Assert encryption enabled
    assert 'ServerSideEncryptionConfiguration' in enc_response

Assets

  • assets/security-checklist.yaml
    - Security audit checklist

References