- Home
- Skills
- Giuseppe Trisciuoglio
- Developer Kit
- Aws Cloudformation Security
aws-cloudformation-security_skill
- Python
99
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill giuseppe-trisciuoglio/developer-kit --skill aws-cloudformation-security- SKILL.md48.6 KB
Overview
This skill provides reusable CloudFormation patterns to build secure AWS infrastructure focused on encryption, secrets management, and hardened access controls. It bundles best-practice templates and patterns for KMS, Secrets Manager, SSM SecureString, IAM least-privilege roles, VPC security, and TLS configurations. Use it to embed defense-in-depth into templates and to standardize secure parameter and cross-stack reference handling.
How this skill works
The skill supplies CloudFormation resource patterns and guidance that you can paste or adapt into stacks: KMS keys and aliases, S3/RDS encryption settings, Secrets Manager secrets with rotation and resource policies, and SSM SecureString parameters. It also demonstrates IAM role and permission boundary patterns, secure security group configurations, ACM certificate usage, and logging/monitoring hooks like CloudTrail. Examples show how resources reference keys and secrets securely and how to structure templates with parameters, mappings, conditions, and outputs for different environments.
When to use it
- When you need encryption at-rest and in-transit in CloudFormation templates
- When managing credentials with AWS Secrets Manager and enabling rotation
- When creating KMS keys and applying them to S3, RDS, and other services
- When enforcing least-privilege IAM roles and permission boundaries
- When designing secure network access with security groups and TLS certificates
- When implementing secure cross-stack references and production-ready parameter handling
Best practices
- Define dedicated KMS keys per application or purpose and enable key rotation
- Store credentials in Secrets Manager or SSM SecureString; avoid embedding secrets in templates
- Apply least-privilege IAM policies and use permission boundaries for risky roles
- Block public S3 access, enable bucket encryption with KMS, and version critical buckets
- Use CloudTrail and resource logging to monitor key, secret, and API access
- Model parameters and mappings for environments to avoid risky defaults in production
Example use cases
- Create a KMS-backed S3 bucket template with enforced public access blocking and lifecycle rules
- Provision Secrets Manager secrets with rotation Lambda and resource-based policies for Lambda/EC2 access
- Define SSM SecureString parameters consumed by Lambda functions with NoEcho in parameterized stacks
- Deploy IAM roles with tight assume-role conditions and a permissions boundary for serverless workloads
- Compose a base template with environment mappings, security parameter groups, and outputs for cross-stack secure references
FAQ
Yes. The patterns include properties and examples to configure automatic rotation using a rotation Lambda and RotationRules.AutomaticallyAfterDays.
How do I avoid exposing secrets in stack outputs?
Do not output secret values. Use NoEcho for parameters, store secrets in Secrets Manager/SSM SecureString, and reference them by ARN or path instead of printing values.