- Home
- Skills
- Williamzujkowski
- Cognitive Toolworks
- Security Cloud Analyzer
security-cloud-analyzer_skill
- Python
5
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-cloud-analyzer- CHANGELOG.md775 B
- SKILL.md8.2 KB
Overview
This skill evaluates cloud security posture across AWS, Azure, and GCP with focused checks for storage exposure, IAM policy issues, network segmentation, and compute configuration gaps. It produces prioritized findings with CVSS-style severity, cites applicable CIS or Well-Architected controls, and returns platform-specific remediation commands or IaC snippets. Outputs follow a strict JSON contract suitable for automation and reporting.
How this skill works
The analyzer inspects selected resource scopes (storage, iam, network, compute, or all) and runs a checklist of critical controls: public storage exposure, encryption at rest, overpermissive IAM policies, MFA enforcement, network segmentation, and compute hardening. For each finding it classifies severity, assigns a CVSS-like score, maps the control to CIS or Well-Architected guidance, and generates CLI or Terraform/ARM/CloudFormation remediation snippets. If account access is unavailable or inputs are ambiguous, it requests read-only credentials or architecture docs before proceeding.
When to use it
- Pre-production cloud security audit before deployment
- Compliance assessments against CIS Benchmarks or Well-Architected guidance
- Post-incident configuration review to identify exposure vectors
- Security validation during cloud migration or consolidation
- Preparing responses to third-party cloud security questionnaires
Best practices
- Specify cloud_platform and resource_scope explicitly; do not run with 'all' if you need a targeted scan
- Enable read-only account access or provide architecture diagrams when full account access is restricted
- Use the T1 token budget for urgent critical findings only and T2 for full remediation output
- Validate resource tagging and account boundaries to reduce false positives
- Avoid running this skill for real-time monitoring; use a CSPM for continuous checks
Example use cases
- Find and remediate publicly exposed S3/GCS/Azure Storage containers before a data migration
- Audit IAM policies to detect wildcard permissions and enforce MFA on privileged principals
- Validate disk encryption, instance metadata protection, and patch levels for compute fleets
- Check VPC/VNet segmentation, security group/NSG rules, and public IP exposures prior to a production launch
- Generate CLI commands or Terraform snippets to remediate failed CIS or Well-Architected controls
FAQ
Provide cloud_platform (aws|azure|gcp), resource_scope (storage|iam|network|compute|all), and the desired compliance_check (cis|well-architected|both|none). Read-only credentials or architecture docs are required if direct account access is unavailable.
How are severities determined?
Findings are classified as critical, high, medium, or low using decision rules tied to public data exposure, encryption gaps, IAM risks, and logging; CVSS-like scores follow CVSSv3.1 methodology.