cloud-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cloud Security

云安全

Cloud security posture assessment skill for detecting IAM privilege escalation, public storage exposure, network configuration risks, and infrastructure-as-code misconfigurations. This is NOT incident response for active cloud compromise (see incident-response) or application vulnerability scanning (see security-pen-testing) — this is about systematic cloud configuration analysis to prevent exploitation.

用于检测IAM权限提升、存储公开暴露、网络配置风险以及基础设施即代码（IaC）配置错误的云安全态势评估技能。注意：本技能并非针对活跃云入侵的事件响应（请参考incident-response），也不是应用漏洞扫描（请参考security-pen-testing）——它专注于系统性的云配置分析，以防止被利用。

Overview

概述

What This Skill Does

本技能的作用

This skill provides the methodology and tooling for cloud security posture management (CSPM) — systematically checking cloud configurations for misconfigurations that create exploitable attack surface. It covers IAM privilege escalation paths, storage public exposure, network over-permissioning, and infrastructure code security.

本技能提供**云安全态势管理（CSPM）**的方法论和工具——系统性检查云配置中可能形成可被利用攻击面的错误配置。涵盖IAM权限提升路径、存储公开暴露、网络过度授权以及基础设施代码安全。

Distinction from Other Security Skills

与其他安全技能的区别

Skill	Focus	Approach
cloud-security (this)	Cloud configuration risk	Preventive — assess before exploitation
incident-response	Active cloud incidents	Reactive — triage confirmed cloud compromise
threat-detection	Behavioral anomalies	Proactive — hunt for attacker activity in cloud logs
security-pen-testing	Application vulnerabilities	Offensive — actively exploit found weaknesses

技能	关注点	方法
cloud-security（本技能）	云配置风险	预防性——在被利用前进行评估
incident-response	活跃云事件	响应式——分类处理已确认的云入侵
threat-detection	行为异常	前瞻性——在云日志中搜寻攻击者活动
security-pen-testing	应用漏洞	攻击性——主动利用已发现的弱点

Prerequisites

前置条件

Read access to IAM policy documents, S3 bucket configurations, and security group rules in JSON format. For continuous monitoring, integrate with cloud provider APIs (AWS Config, Azure Policy, GCP Security Command Center).

拥有以JSON格式读取IAM策略文档、S3存储桶配置和安全组规则的权限。如需持续监控，请与云服务商API（AWS Config、Azure Policy、GCP Security Command Center）集成。

Cloud Posture Check Tool

云态势检查工具

The

cloud_posture_check.py

tool runs three types of checks:

iam

(privilege escalation),

s3

(public access), and

sg

(network exposure). It auto-detects the check type from the config file structure or accepts explicit

--check

flags.

bash

undefined

cloud_posture_check.py

工具可运行三类检查：

iam

（权限提升）、

s3

（公开访问）和

sg

（网络暴露）。它会从配置文件结构自动检测检查类型，也可接受显式的

--check

参数。

bash

undefined

Analyze an IAM policy for privilege escalation paths

分析IAM策略中的权限提升路径

python3 scripts/cloud_posture_check.py policy.json --check iam --json

Assess S3 bucket configuration for public access

评估S3存储桶配置的公开访问情况

python3 scripts/cloud_posture_check.py bucket_config.json --check s3 --json

Check security group rules for open admin ports

检查安全组规则中的开放管理端口

python3 scripts/cloud_posture_check.py sg.json --check sg --json

Run all checks with internet-facing severity bump

运行所有检查，并提升面向互联网资源的风险等级

python3 scripts/cloud_posture_check.py config.json --check all
--provider aws --severity-modifier internet-facing --json

Regulated data context (bumps severity by one level for all findings)

受监管数据场景（将所有发现的风险等级提升一级）

python3 scripts/cloud_posture_check.py config.json --check all
--severity-modifier regulated-data --json

Pipe IAM policy from AWS CLI

从AWS CLI管道传入IAM策略

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
--version-id v1 | jq '.PolicyVersion.Document' |
python3 scripts/cloud_posture_check.py - --check iam --json

undefined

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
--version-id v1 | jq '.PolicyVersion.Document' |
python3 scripts/cloud_posture_check.py - --check iam --json

undefined

Exit Codes

退出码

Code	Meaning	Required Action
0	No high/critical findings	No action required
1	High-severity findings	Remediate within 24 hours
2	Critical findings	Remediate immediately — escalate to incident-response if active

代码	含义	必要操作
0	无高/严重风险发现	无需操作
1	高风险发现	24小时内完成修复
2	严重风险发现	立即修复——若存在活跃入侵，升级至事件响应流程

IAM Policy Analysis

IAM策略分析

IAM analysis detects privilege escalation paths, overprivileged grants, public principal exposure, and data exfiltration risk.

IAM分析可检测权限提升路径、过度授权、公开主体暴露以及数据泄露风险。

Privilege Escalation Patterns

权限提升模式

Pattern	Severity	Key Action Combination	MITRE
Lambda PassRole escalation	Critical	iam:PassRole + lambda:CreateFunction	T1078.004
EC2 instance profile abuse	Critical	iam:PassRole + ec2:RunInstances	T1078.004
CloudFormation PassRole	Critical	iam:PassRole + cloudformation:CreateStack	T1078.004
Self-attach policy escalation	Critical	iam:AttachUserPolicy + sts:GetCallerIdentity	T1484.001
Inline policy self-escalation	Critical	iam:PutUserPolicy + sts:GetCallerIdentity	T1484.001
Policy version backdoor	Critical	iam:CreatePolicyVersion + iam:ListPolicies	T1484.001
Credential harvesting	High	iam:CreateAccessKey + iam:ListUsers	T1098.001
Group membership escalation	High	iam:AddUserToGroup + iam:ListGroups	T1098
Password reset attack	High	iam:UpdateLoginProfile + iam:ListUsers	T1098
Service-level wildcard	High	iam:* or s3:* or ec2:*	T1078.004

模式	风险等级	关键操作组合	MITRE
Lambda PassRole提升	严重	iam:PassRole + lambda:CreateFunction	T1078.004
EC2实例配置文件滥用	严重	iam:PassRole + ec2:RunInstances	T1078.004
CloudFormation PassRole	严重	iam:PassRole + cloudformation:CreateStack	T1078.004
自附加策略提升	严重	iam:AttachUserPolicy + sts:GetCallerIdentity	T1484.001
内联策略自提升	严重	iam:PutUserPolicy + sts:GetCallerIdentity	T1484.001
策略版本后门	严重	iam:CreatePolicyVersion + iam:ListPolicies	T1484.001
凭证窃取	高	iam:CreateAccessKey + iam:ListUsers	T1098.001
组成员提升	高	iam:AddUserToGroup + iam:ListGroups	T1098
密码重置攻击	高	iam:UpdateLoginProfile + iam:ListUsers	T1098
服务级通配符	高	iam:* 或 s3:* 或 ec2:*	T1078.004

IAM Finding Severity Guide

IAM发现风险等级指南

Finding Type	Condition	Severity
Full admin wildcard	Action=* Resource=*	Critical
Public principal	Principal: '*'	Critical
Dangerous action combo	Two-action escalation path	Critical
Individual priv-esc actions	On wildcard resource	High
Data exfiltration actions	s3:GetObject, secretsmanager:GetSecretValue on *	High
Service wildcard	service:* action	High
Data actions on named resource	Appropriate scope	Low/Clean

发现类型	条件	风险等级
完全管理员通配符	Action=* Resource=*	严重
公开主体	Principal: '*'	严重
危险操作组合	双操作提升路径	严重
单个权限提升操作	作用于通配符资源	高
数据泄露操作	s3:GetObject、secretsmanager:GetSecretValue 作用于*	高
服务通配符	service:* 操作	高
针对指定资源的数据操作	范围合理	低/合规

Least Privilege Recommendations

最小权限建议

For every critical or high finding, the tool outputs a

least_privilege_suggestion

field with specific remediation guidance:

Replace
```
Action: *
```
with a named list of required actions
Replace
```
Resource: *
```
with specific ARN patterns
Use AWS Access Analyzer to identify actually-used permissions
Separate dangerous action combinations into different roles with distinct trust policies

针对每一项严重或高风险发现，工具会输出

least_privilege_suggestion

字段，提供具体修复指导：

用指定的必要操作列表替换
```
Action: *
```
用具体ARN模式替换
```
Resource: *
```
使用AWS Access Analyzer识别实际使用的权限
将危险操作组合拆分到不同角色中，并配置独立的信任策略

S3 Exposure Assessment

S3暴露评估

S3 assessment checks four dimensions: public access block configuration, bucket ACL, bucket policy principal exposure, and default encryption.

S3评估检查四个维度：公开访问块配置、存储桶ACL、存储桶策略主体暴露以及默认加密。

S3 Configuration Check Matrix

S3配置检查矩阵

Check	Finding Condition	Severity
Public access block	Any of four flags missing/false	High
Bucket ACL	public-read-write	Critical
Bucket ACL	public-read or authenticated-read	High
Bucket policy Principal	"Principal": "*" with Allow	Critical
Default encryption	No ServerSideEncryptionConfiguration	High
Default encryption	Non-standard SSEAlgorithm	Medium
No PublicAccessBlockConfiguration	Status unknown	Medium

检查项	发现条件	风险等级
公开访问块	四个标志中有缺失/设为false	高
存储桶ACL	public-read-write	严重
存储桶ACL	public-read 或 authenticated-read	高
存储桶策略主体	"Principal": "*" 且为Allow	严重
默认加密	无ServerSideEncryptionConfiguration	高
默认加密	非标准SSEAlgorithm	中
无PublicAccessBlockConfiguration	状态未知	中

Recommended S3 Baseline Configuration

Security Group Analysis

安全组分析

Security group analysis flags inbound rules that expose admin ports, database ports, or all traffic to internet CIDRs (0.0.0.0/0, ::/0).

安全组分析会标记将管理端口、数据库端口或所有流量暴露给互联网CIDR（0.0.0.0/0、::/0）的入站规则。

Critical Port Exposure Rules

关键端口暴露规则

Port	Service	Finding Severity	Remediation
22	SSH	Critical	Restrict to VPN CIDR or use AWS Systems Manager Session Manager
3389	RDP	Critical	Restrict to VPN CIDR or use AWS Fleet Manager
0–65535 (all)	All traffic	Critical	Remove rule; add specific required ports only

端口	服务	发现风险等级	修复建议
22	SSH	严重	限制为VPN CIDR，或使用AWS Systems Manager Session Manager
3389	RDP	严重	限制为VPN CIDR，或使用AWS Fleet Manager
0–65535（所有）	所有流量	严重	删除规则；仅添加所需的特定端口

High-Risk Database Port Rules

高风险数据库端口规则

Port	Service	Finding Severity	Remediation
1433	MSSQL	High	Allow from application tier SG only — move to private subnet
3306	MySQL	High	Allow from application tier SG only — move to private subnet
5432	PostgreSQL	High	Allow from application tier SG only — move to private subnet
27017	MongoDB	High	Allow from application tier SG only — move to private subnet
6379	Redis	High	Allow from application tier SG only — move to private subnet
9200	Elasticsearch	High	Allow from application tier SG only — move to private subnet

端口	服务	发现风险等级	修复建议
1433	MSSQL	高	仅允许来自应用层安全组的访问——迁移至私有子网
3306	MySQL	高	仅允许来自应用层安全组的访问——迁移至私有子网
5432	PostgreSQL	高	仅允许来自应用层安全组的访问——迁移至私有子网
27017	MongoDB	高	仅允许来自应用层安全组的访问——迁移至私有子网
6379	Redis	高	仅允许来自应用层安全组的访问——迁移至私有子网
9200	Elasticsearch	高	仅允许来自应用层安全组的访问——迁移至私有子网

Severity Modifiers

风险等级调整参数

Use

--severity-modifier internet-facing

when the assessed resource is directly internet-accessible (load balancer, API gateway, public EC2). Use

--severity-modifier regulated-data

when the resource handles PCI, HIPAA, or GDPR-regulated data. Both modifiers bump each finding's severity by one level.

当评估的资源直接面向互联网（负载均衡器、API网关、公开EC2）时，使用

--severity-modifier internet-facing

。当资源处理PCI、HIPAA或GDPR监管数据时，使用

--severity-modifier regulated-data

。这两个参数都会将每项发现的风险等级提升一级。

IaC Security Review

IaC安全审查

Infrastructure-as-code review catches configuration issues at definition time, before deployment.

基础设施即代码审查可在定义阶段（部署前）发现配置问题。

IaC Check Matrix

IaC检查矩阵

Tool	Check Types	When to Run
Terraform	Resource-level checks (aws_s3_bucket_acl, aws_security_group, aws_iam_policy_document)	Pre-plan, pre-apply, PR gate
CloudFormation	Template property validation (PublicAccessBlockConfiguration, SecurityGroupIngress)	Template lint, deploy gate
Kubernetes manifests	Container privileges, network policies, secret exposure	PR gate, admission controller
Helm charts	Same as Kubernetes	PR gate

工具	检查类型	运行时机
Terraform	资源级检查（aws_s3_bucket_acl、aws_security_group、aws_iam_policy_document）	预规划、预应用、PR门禁
CloudFormation	模板属性验证（PublicAccessBlockConfiguration、SecurityGroupIngress）	模板校验、部署门禁
Kubernetes清单	容器权限、网络策略、密钥暴露	PR门禁、准入控制器
Helm图表	与Kubernetes相同	PR门禁

Terraform IAM Policy Example — Finding vs. Clean

Terraform IAM策略示例——问题配置vs合规配置

hcl

undefined

hcl

undefined

BAD: Will generate critical findings

错误配置：会触发严重风险发现

resource "aws_iam_policy" "bad_policy" { policy = jsonencode({ Version = "2012-10-17" Statement = [{ Effect = "Allow" Action = "" Resource = "" }] }) }

GOOD: Least privilege

合规配置：最小权限

resource "aws_iam_policy" "good_policy" { policy = jsonencode({ Version = "2012-10-17" Statement = [{ Effect = "Allow" Action = ["s3:GetObject", "s3:PutObject"] Resource = "arn:aws:s3:::my-specific-bucket/*" }] }) }


Full CSPM check reference: `references/cspm-checks.md`

---


完整CSPM检查参考：`references/cspm-checks.md`

---

Cloud Provider Coverage Matrix

云服务商覆盖矩阵

Check Type	AWS	Azure	GCP
IAM privilege escalation	Full (IAM policies, trust policies, ESCALATION_COMBOS)	Partial (RBAC assignments, service principal risks)	Partial (IAM bindings, workload identity)
Storage public access	Full (S3 bucket policies, ACLs, public access block)	Partial (Blob SAS tokens, container access levels)	Partial (GCS bucket IAM, uniform bucket-level access)
Network exposure	Full (Security Groups, NACLs, port-level analysis)	Partial (NSG rules, inbound port analysis)	Partial (Firewall rules, VPC firewall)
IaC scanning	Full (Terraform, CloudFormation)	Partial (ARM templates, Bicep)	Partial (Deployment Manager)

检查类型	AWS	Azure	GCP
IAM权限提升	完整支持（IAM策略、信任策略、ESCALATION_COMBOS）	部分支持（RBAC分配、服务主体风险）	部分支持（IAM绑定、工作负载身份）
存储公开访问	完整支持（S3存储桶策略、ACL、公开访问块）	部分支持（Blob SAS令牌、容器访问级别）	部分支持（GCS存储桶IAM、统一存储桶级访问）
网络暴露	完整支持（安全组、NACL、端口级分析）	部分支持（NSG规则、入站端口分析）	部分支持（防火墙规则、VPC防火墙）
IaC扫描	完整支持（Terraform、CloudFormation）	部分支持（ARM模板、Bicep）	部分支持（Deployment Manager）

Workflows

工作流

Workflow 1: Quick Posture Check (20 Minutes)

工作流1：快速态势检查（20分钟）

For a newly provisioned resource or pre-deployment review:

bash

undefined

针对新部署资源或预部署审查：

bash

undefined

1. Export IAM policy document

1. 导出IAM策略文档

aws iam get-policy-version --policy-arn ARN --version-id v1 |
jq '.PolicyVersion.Document' > policy.json python3 scripts/cloud_posture_check.py policy.json --check iam --json

2. Check S3 bucket configuration

2. 检查S3存储桶配置

aws s3api get-bucket-acl --bucket my-bucket > acl.json aws s3api get-public-access-block --bucket my-bucket >> bucket.json python3 scripts/cloud_posture_check.py bucket.json --check s3 --json

3. Review security groups for open admin ports

3. 审查安全组中的开放管理端口

aws ec2 describe-security-groups --group-ids sg-123456 |
jq '.SecurityGroups[0]' > sg.json python3 scripts/cloud_posture_check.py sg.json --check sg --json


**Decision**: Exit code 2 = block deployment and remediate. Exit code 1 = schedule remediation within 24 hours.

aws ec2 describe-security-groups --group-ids sg-123456 |
jq '.SecurityGroups[0]' > sg.json python3 scripts/cloud_posture_check.py sg.json --check sg --json


**决策**：退出码2 = 阻止部署并修复；退出码1 = 24小时内安排修复。

Workflow 2: Full Cloud Security Assessment (Multi-Day)

工作流2：全面云安全评估（多日）

Day 1 — IAM and Identity:

Export all IAM policies attached to production roles
Run cloud_posture_check.py --check iam on each policy
Map all privilege escalation paths found
Identify overprivileged service accounts and roles
Review cross-account trust policies

Day 2 — Storage and Network:

Enumerate all S3 buckets and export configurations
Run cloud_posture_check.py --check s3 --severity-modifier regulated-data for data buckets
Export security group configurations for all VPCs
Run cloud_posture_check.py --check sg for internet-facing resources
Review NACL rules for network segmentation gaps

Day 3 — IaC and Continuous Integration:

Review Terraform/CloudFormation templates in version control
Check CI/CD pipeline for IaC security gates
Validate findings against
```
references/cspm-checks.md
```
Produce remediation plan with priority ordering (Critical → High → Medium)

第1天——IAM与身份：

导出所有附加到生产角色的IAM策略
对每个策略运行cloud_posture_check.py --check iam
映射所有发现的权限提升路径
识别过度授权的服务账户和角色
审查跨账户信任策略

第2天——存储与网络：

枚举所有S3存储桶并导出配置
对数据存储桶运行cloud_posture_check.py --check s3 --severity-modifier regulated-data
导出所有VPC的安全组配置
对面向互联网的资源运行cloud_posture_check.py --check sg
审查NACL规则中的网络分段漏洞

第3天——IaC与持续集成：

审查版本控制中的Terraform/CloudFormation模板
检查CI/CD流水线中的IaC安全门禁
根据
```
references/cspm-checks.md
```
验证发现结果
生成按优先级排序的修复计划（严重→高→中）

Workflow 3: CI/CD Security Gate

工作流3：CI/CD安全门禁

Integrate posture checks into deployment pipelines to prevent misconfigured resources reaching production:

bash

undefined

将态势检查集成到部署流水线，防止配置错误的资源进入生产环境：

bash

undefined

Validate IaC before terraform apply

Terraform应用前验证IaC

terraform show -json plan.json |
jq '[.resource_changes[].change.after | select(. != null)]' > resources.json python3 scripts/cloud_posture_check.py resources.json --check all --json if [ $? -eq 2 ]; then echo "Critical cloud security findings — blocking deployment" exit 1 fi

terraform show -json plan.json |
jq '[.resource_changes[].change.after | select(. != null)]' > resources.json python3 scripts/cloud_posture_check.py resources.json --check all --json if [ $? -eq 2 ]; then echo "发现严重云安全风险——阻止部署" exit 1 fi

Validate existing S3 bucket before modifying

修改前验证现有S3存储桶

aws s3api get-bucket-policy --bucket "${BUCKET}" | jq '.Policy | fromjson' |
python3 scripts/cloud_posture_check.py - --check s3
--severity-modifier regulated-data --json

---

aws s3api get-bucket-policy --bucket "${BUCKET}" | jq '.Policy | fromjson' |
python3 scripts/cloud_posture_check.py - --check s3
--severity-modifier regulated-data --json

---

Anti-Patterns

反模式

Running IAM analysis without checking escalation combos — Individual high-risk actions in isolation may appear low-risk. The danger is in combinations:
```
iam:PassRole
```
alone is not critical, but
```
iam:PassRole + lambda:CreateFunction
```
is a confirmed privilege escalation path. Always analyze the full statement, not individual actions.
Enabling only bucket-level public access block — AWS S3 has both account-level and bucket-level public access block settings. A bucket-level setting can override an account-level setting. Both must be configured. Account-level block alone is insufficient if any bucket has explicit overrides.
Treating
--severity-modifier internet-facing
as optional for public resources — Internet-facing resources have significantly higher exposure than internal resources. High findings on internet-facing infrastructure should be treated as critical. Always apply
```
--severity-modifier internet-facing
```
for DMZ, load balancer, and API gateway configurations.
Checking only administrator policies — Privilege escalation paths frequently originate from non-administrator policies that combine innocuous-looking permissions. All policies attached to production identities must be checked, not just policies with obvious elevated access.
Remediating findings without root cause analysis — Removing a dangerous permission without understanding why it was granted will result in re-addition. Document the business justification for every high-risk permission before removing it, to prevent silent re-introduction.
Ignoring service account over-permissioning — Service accounts are often over-provisioned during development and never trimmed for production. Every service account in production must be audited against AWS Access Analyzer or equivalent to identify and remove unused permissions.
Not applying severity modifiers for regulated data workloads — A high finding in a general-purpose S3 bucket is different from the same finding in a bucket containing PHI or cardholder data. Always use
```
--severity-modifier regulated-data
```
when assessing resources in regulated data environments.

仅分析IAM单个操作而不检查组合提升路径——孤立的高风险操作可能看似低风险，但危险在于组合：
```
iam:PassRole
```
本身并不严重，但
```
iam:PassRole + lambda:CreateFunction
```
是明确的权限提升路径。始终分析完整的策略语句，而非单个操作。
仅启用存储桶级公开访问块——AWS S3同时有账户级和存储桶级的公开访问块设置。存储桶级设置可覆盖账户级设置，两者必须同时配置。仅配置账户级块并不足够，若任何存储桶有显式覆盖设置则无效。
面向互联网资源的
--severity-modifier internet-facing
参数视为可选——面向互联网的资源暴露风险远高于内部资源。面向互联网基础设施的高风险发现应被视为严重风险。对于DMZ、负载均衡器和API网关配置，务必应用
```
--severity-modifier internet-facing
```
。
仅检查管理员策略——权限提升路径常源自非管理员策略，这些策略组合了看似无害的权限。必须检查所有附加到生产身份的策略，而非仅检查具有明显高权限的策略。
不做根因分析直接修复发现结果——不理解危险权限被授予的原因就直接移除，会导致该权限被重新添加。在移除前记录每项高风险权限的业务合理性，防止其被悄悄重新引入。
忽略服务账户过度授权——服务账户在开发阶段常被过度配置，且在生产环境中从未精简。生产环境中的每个服务账户都必须通过AWS Access Analyzer或类似工具进行审计，识别并移除未使用的权限。
不对受监管数据工作负载应用风险等级调整参数——通用S3存储桶中的高风险发现，与包含PHI或持卡人数据的存储桶中的相同发现性质不同。评估受监管数据环境中的资源时，务必使用
```
--severity-modifier regulated-data
```
。

Cross-References

交叉引用

Skill	Relationship
incident-response	Critical findings (public S3, privilege escalation confirmed active) may trigger incident classification
threat-detection	Cloud posture findings create hunting targets — over-permissioned roles are likely lateral movement destinations
red-team	Red team exercises specifically test exploitability of cloud misconfigurations found in posture assessment
security-pen-testing	Cloud posture findings feed into the infrastructure security section of pen test assessments

技能	关系
incident-response	严重风险发现（公开S3、已确认的活跃权限提升）可能触发事件分类
threat-detection	云态势发现结果可作为狩猎目标——过度授权角色很可能是横向移动的目的地
red-team	红队演练专门测试态势评估中发现的云配置错误的可利用性
security-pen-testing	云态势发现结果会纳入渗透测试评估的基础设施安全部分

cloud-security

Original

Translation

Cloud Security

云安全

Table of Contents

目录

Overview

概述

What This Skill Does

本技能的作用

Distinction from Other Security Skills

与其他安全技能的区别

Prerequisites

前置条件

Cloud Posture Check Tool

云态势检查工具

Analyze an IAM policy for privilege escalation paths

分析IAM策略中的权限提升路径

Assess S3 bucket configuration for public access

评估S3存储桶配置的公开访问情况

Check security group rules for open admin ports

检查安全组规则中的开放管理端口

Run all checks with internet-facing severity bump

运行所有检查，并提升面向互联网资源的风险等级

Regulated data context (bumps severity by one level for all findings)

受监管数据场景（将所有发现的风险等级提升一级）

Pipe IAM policy from AWS CLI

从AWS CLI管道传入IAM策略

Exit Codes

退出码

IAM Policy Analysis

IAM策略分析

Privilege Escalation Patterns

权限提升模式

IAM Finding Severity Guide

IAM发现风险等级指南

Least Privilege Recommendations

最小权限建议

S3 Exposure Assessment

S3暴露评估

S3 Configuration Check Matrix

S3配置检查矩阵

Recommended S3 Baseline Configuration

推荐的S3基线配置

Security Group Analysis

安全组分析

Critical Port Exposure Rules

关键端口暴露规则

High-Risk Database Port Rules

高风险数据库端口规则

Severity Modifiers

风险等级调整参数

IaC Security Review

IaC安全审查

IaC Check Matrix

IaC检查矩阵

Terraform IAM Policy Example — Finding vs. Clean

Terraform IAM策略示例——问题配置vs合规配置

BAD: Will generate critical findings

错误配置：会触发严重风险发现

GOOD: Least privilege

合规配置：最小权限

Cloud Provider Coverage Matrix

云服务商覆盖矩阵

Workflows

工作流

Workflow 1: Quick Posture Check (20 Minutes)

工作流1：快速态势检查（20分钟）

1. Export IAM policy document

1. 导出IAM策略文档

2. Check S3 bucket configuration

2. 检查S3存储桶配置

3. Review security groups for open admin ports

3. 审查安全组中的开放管理端口

Workflow 2: Full Cloud Security Assessment (Multi-Day)

工作流2：全面云安全评估（多日）

Workflow 3: CI/CD Security Gate

工作流3：CI/CD安全门禁

Validate IaC before terraform apply