Agent-Skills.md

Agent Skills: AWS Security Best Practices Skill

Implement comprehensive AWS security controls and compliance

UncategorizedID: pluginagentmarketplace/custom-plugin-aws/aws-security-best-practices

Repository

pluginagentmarketplace/custom-plugin-aws
pluginagentmarketplaceLicense: NOASSERTION
1

Skill Files

Browse the full folder contents for aws-security-best-practices.

Download Skill

Loading file tree…

skills/aws-security-best-practices/SKILL.md

Skill Metadata

Name
aws-security-best-practices
Description
Implement comprehensive AWS security controls and compliance

AWS Security Best Practices Skill

Implement defense-in-depth security for AWS workloads.

Quick Reference

| Attribute | Value | |-----------|-------| | AWS Services | KMS, WAF, GuardDuty, Security Hub | | Complexity | Medium-High | | Est. Time | 30-60 min | | Prerequisites | Admin access |

Parameters

Required

| Parameter | Type | Description | Validation | |-----------|------|-------------|------------| | compliance_framework | string | Target framework | SOC2, HIPAA, PCI-DSS, CIS | | scope | array | Resource types | ["EC2", "S3", "RDS"] |

Optional

| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | enable_guardduty | bool | true | Enable GuardDuty | | enable_securityhub | bool | true | Enable Security Hub | | encryption_key_type | string | AWS_MANAGED | AWS_MANAGED or CMK | | log_retention_days | int | 365 | CloudTrail log retention |

Security Checklist by Service

S3 Security

mandatory:
  - Block Public Access: enabled (account + bucket level)
  - Default Encryption: SSE-S3 or SSE-KMS
  - Access Logging: enabled
  - Versioning: enabled for critical data

recommended:
  - Object Lock: for compliance
  - MFA Delete: for versioned buckets
  - Lifecycle Rules: auto-delete old versions

EC2 Security

mandatory:
  - IMDSv2: required (HttpTokens=required)
  - EBS Encryption: default enabled
  - Security Groups: no 0.0.0.0/0 for SSH/RDP
  - Systems Manager: for patching

recommended:
  - Inspector: vulnerability scanning
  - No public IPs: use bastion or SSM
  - Instance profiles: no access keys on instances

RDS Security

mandatory:
  - No Public Access: publicly_accessible=false
  - Encryption at Rest: storage_encrypted=true
  - SSL/TLS: required for connections
  - Security Groups: app-tier only access

recommended:
  - IAM Authentication: enabled
  - Audit Logging: enabled
  - Automated Backups: encrypted

Implementation

Enable GuardDuty

# Enable GuardDuty
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"},{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'

Enable Security Hub

# Enable Security Hub with standards
aws securityhub enable-security-hub \
  --enable-default-standards

# Enable additional standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests '[{"StandardsArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0"}]'

KMS Key Setup

# Create CMK with rotation
aws kms create-key \
  --description "RDS encryption key" \
  --key-spec SYMMETRIC_DEFAULT \
  --key-usage ENCRYPT_DECRYPT \
  --tags TagKey=Purpose,TagValue=RDS

# Enable rotation
aws kms enable-key-rotation --key-id $KEY_ID

WAF Rule Example

# Create WAF rule for SQL injection
aws wafv2 create-rule-group \
  --name SQLiProtection \
  --scope REGIONAL \
  --capacity 100 \
  --rules '[{
    "Name": "SQLiRule",
    "Priority": 1,
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": {"Body": {}},
        "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]
      }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "SQLiRule"
    }
  }]'

Compliance Mapping

| Framework | Key AWS Controls | |-----------|-----------------| | SOC 2 | CloudTrail, Config, GuardDuty, IAM | | HIPAA | KMS, CloudWatch, VPC, WAF, Macie | | PCI-DSS | KMS, WAF, CloudTrail, VPC, Config | | CIS | Security Hub CIS Benchmark, Config | | GDPR | KMS, Macie, Data lifecycle policies |

Troubleshooting

Common Issues

| Symptom | Cause | Solution | |---------|-------|----------| | Access Denied | IAM/resource policy | Check both policies | | KMS error | Key policy | Verify key grants | | WAF blocking legit | Rule too strict | Use count mode first | | GuardDuty finding | Security issue | Investigate finding |

Debug Checklist

  • [ ] CloudTrail enabled in all regions?
  • [ ] GuardDuty enabled with all features?
  • [ ] Security Hub standards enabled?
  • [ ] AWS Config recording?
  • [ ] VPC Flow Logs enabled?
  • [ ] KMS keys have rotation?

Security Finding Triage

Critical: Immediate action required
├── Unauthorized access detected
├── Data exfiltration attempt
└── Compromised credentials

High: Action within 24 hours
├── Exposed credentials
├── Open security groups
└── Unencrypted data

Medium: Action within 7 days
├── Missing encryption
├── Logging gaps
└── Outdated software

Test Template

def test_s3_security_controls():
    # Arrange
    bucket = "test-bucket"

    # Act - Check Block Public Access
    response = s3.get_public_access_block(Bucket=bucket)
    config = response['PublicAccessBlockConfiguration']

    # Assert
    assert config['BlockPublicAcls'] == True
    assert config['IgnorePublicAcls'] == True
    assert config['BlockPublicPolicy'] == True
    assert config['RestrictPublicBuckets'] == True

    # Act - Check Encryption
    enc_response = s3.get_bucket_encryption(Bucket=bucket)

    # Assert encryption enabled
    assert 'ServerSideEncryptionConfiguration' in enc_response

Assets

  • assets/security-checklist.yaml - Security audit checklist

References