Cloud Security
Cloud security posture assessment skill for detecting IAM privilege escalation, public storage exposure, network configuration risks, and infrastructure-as-code misconfigurations. This is NOT incident response for active cloud compromise (see incident-response) or application vulnerability scanning (see security-pen-testing) — this is about systematic cloud configuration analysis to prevent exploitation.
Overview
What This Skill Does
This skill provides the methodology and tooling for cloud security posture management (CSPM) — systematically checking cloud configurations for misconfigurations that create exploitable attack surface. It covers IAM privilege escalation paths, storage public exposure, network over-permissioning, and infrastructure code security.
Distinction from Other Security Skills
| Skill | Focus | Approach |
|---|---|---|
| cloud-security (this) | Cloud configuration risk | Preventive — assess before exploitation |
| incident-response | Active cloud incidents | Reactive — triage confirmed cloud compromise |
| threat-detection | Behavioral anomalies | Proactive — hunt for attacker activity in cloud logs |
| security-pen-testing | Application vulnerabilities | Offensive — actively exploit found weaknesses |
Prerequisites
Read access to IAM policy documents, S3 bucket configurations, and security group rules in JSON format. For continuous monitoring, integrate with cloud provider APIs (AWS Config, Azure Policy, GCP Security Command Center).
Cloud Posture Check Tool
The `cloud_posture_check.py` tool runs three types of checks: `iam` (privilege escalation), `s3` (public access), and `sg` (network exposure). It auto-detects the check type from the config file structure or accepts an explicit `--check` flag.

```bash
# Analyze an IAM policy for privilege escalation paths
python3 scripts/cloud_posture_check.py policy.json --check iam --json

# Assess S3 bucket configuration for public access
python3 scripts/cloud_posture_check.py bucket_config.json --check s3 --json

# Check security group rules for open admin ports
python3 scripts/cloud_posture_check.py sg.json --check sg --json

# Run all checks with internet-facing severity bump
python3 scripts/cloud_posture_check.py config.json --check all \
    --provider aws --severity-modifier internet-facing --json

# Regulated data context (bumps severity by one level for all findings)
python3 scripts/cloud_posture_check.py config.json --check all \
    --severity-modifier regulated-data --json

# Pipe IAM policy from AWS CLI ('-' reads the policy document from stdin)
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
    --version-id v1 | jq '.PolicyVersion.Document' | \
    python3 scripts/cloud_posture_check.py - --check iam --json
```
Exit Codes
| Code | Meaning | Required Action |
|---|---|---|
| 0 | No high/critical findings | No action required |
| 1 | High-severity findings | Remediate within 24 hours |
| 2 | Critical findings | Remediate immediately — escalate to incident-response if active |
IAM Policy Analysis
IAM analysis detects privilege escalation paths, overprivileged grants, public principal exposure, and data exfiltration risk.
Privilege Escalation Patterns
| Pattern | Severity | Key Action Combination | MITRE |
|---|---|---|---|
| Lambda PassRole escalation | Critical | iam:PassRole + lambda:CreateFunction | T1078.004 |
| EC2 instance profile abuse | Critical | iam:PassRole + ec2:RunInstances | T1078.004 |
| CloudFormation PassRole | Critical | iam:PassRole + cloudformation:CreateStack | T1078.004 |
| Self-attach policy escalation | Critical | iam:AttachUserPolicy + sts:GetCallerIdentity | T1484.001 |
| Inline policy self-escalation | Critical | iam:PutUserPolicy + sts:GetCallerIdentity | T1484.001 |
| Policy version backdoor | Critical | iam:CreatePolicyVersion + iam:ListPolicies | T1484.001 |
| Credential harvesting | High | iam:CreateAccessKey + iam:ListUsers | T1098.001 |
| Group membership escalation | High | iam:AddUserToGroup + iam:ListGroups | T1098 |
| Password reset attack | High | iam:UpdateLoginProfile + iam:ListUsers | T1098 |
| Service-level wildcard | High | iam:* or s3:* or ec2:* | T1078.004 |
IAM Finding Severity Guide
| Finding Type | Condition | Severity |
|---|---|---|
| Full admin wildcard | Action=* Resource=* | Critical |
| Public principal | Principal: '*' | Critical |
| Dangerous action combo | Two-action escalation path | Critical |
| Individual priv-esc actions | On wildcard resource | High |
| Data exfiltration actions | s3:GetObject, secretsmanager:GetSecretValue on * | High |
| Service wildcard | service:* action | High |
| Data actions on named resource | Appropriate scope | Low/Clean |
Least Privilege Recommendations
For every critical or high finding, the tool outputs a `least_privilege_suggestion` field with specific remediation guidance:

- Replace `Action: *` with a named list of required actions
- Replace `Resource: *` with specific ARN patterns
- Use AWS Access Analyzer to identify actually-used permissions
- Separate dangerous action combinations into different roles with distinct trust policies
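The escalation-combo, wildcard and data-exfiltration checks described in this section, as an added Python example; this is not the page's `cloud_posture_check.py`, and the `ESCALATION_COMBOS` subset, the `DATA_ACTIONS` set, the finding names and the three constructed policy documents are assumptions for illustration. It normalizes `Statement`, `Action` and `Resource`, which IAM accepts as either a string or a list, and matches actions case-insensitively with IAM-style `*`/`?` wildcards, so `iam:*` is correctly seen to grant `iam:PassRole` and combos split across two statements are still detected:

```python
"""Detect privilege-escalation combos and wildcard grants in an IAM policy document."""
import fnmatch
import json
import sys

# Two-action escalation paths (subset of the patterns table; assumed for illustration).
ESCALATION_COMBOS = {
    "lambda-passrole": ("iam:PassRole", "lambda:CreateFunction"),
    "ec2-passrole": ("iam:PassRole", "ec2:RunInstances"),
    "cloudformation-passrole": ("iam:PassRole", "cloudformation:CreateStack"),
    "attach-user-policy": ("iam:AttachUserPolicy", "sts:GetCallerIdentity"),
    "put-user-policy": ("iam:PutUserPolicy", "sts:GetCallerIdentity"),
    "policy-version-backdoor": ("iam:CreatePolicyVersion", "iam:ListPolicies"),
}
# Read actions that are High when granted on Resource "*" (lowercased for matching).
DATA_ACTIONS = {"s3:getobject", "secretsmanager:getsecretvalue"}


def _as_list(value):
    """IAM allows Statement/Action/Resource as a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield Allow statements that use Action (NotAction needs separate, inverted handling)."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") == "Allow" and "Action" in st:
            yield st


def action_patterns(policy):
    """All Allow action patterns, lowercased (IAM matches action names case-insensitively)."""
    return {a.lower() for st in allow_statements(policy) for a in _as_list(st["Action"])}


def grants(patterns, action):
    """True if any pattern matches `action` using IAM-style '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def analyze_policy(policy):
    """Return (severity, finding_type, detail) tuples for one policy document."""
    findings = []
    for st in allow_statements(policy):
        actions = [a.lower() for a in _as_list(st["Action"])]
        wildcard_resource = "*" in _as_list(st.get("Resource"))
        if "*" in actions and wildcard_resource:
            findings.append(("critical", "full-admin-wildcard", "Action=* Resource=*"))
        for a in actions:
            if a != "*" and a.endswith(":*"):
                findings.append(("high", "service-wildcard", a))
            if a in DATA_ACTIONS and wildcard_resource:
                findings.append(("high", "data-exfiltration", f"{a} on *"))
    # Combos are evaluated across all statements: the two actions may be split up.
    patterns = action_patterns(policy)
    for name, (first, second) in ESCALATION_COMBOS.items():
        if grants(patterns, first) and grants(patterns, second):
            findings.append(("critical", "escalation-combo", f"{name}: {first} + {second}"))
    return findings


def exit_code(findings):
    """0 = no high/critical, 1 = high present, 2 = critical present (the exit-code table above)."""
    severities = {f[0] for f in findings}
    if "critical" in severities:
        return 2
    return 1 if "high" in severities else 0


# Constructed sample policies (not taken from any real account).
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    ],
}
IAM_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::my-specific-bucket/*"}],
}

if __name__ == "__main__":
    # Usage: python3 iam_check.py policy.json   ('-' or no argument reads stdin)
    src = sys.stdin if len(sys.argv) < 2 or sys.argv[1] == "-" else open(sys.argv[1])
    found = analyze_policy(json.load(src))
    print(json.dumps(found, indent=2))
    sys.exit(exit_code(found))
```

Deny statements, `NotAction`, and resource scoping of the combo actions are deliberately not modelled here; a `Deny` elsewhere in the effective permission set, or a `PassRole` limited to one role ARN, can turn a reported combo into a false positive, which is why the page's least-privilege guidance points at Access Analyzer rather than static policy text alone.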
S3 Exposure Assessment
S3 assessment checks four dimensions: public access block configuration, bucket ACL, bucket policy principal exposure, and default encryption.
S3 Configuration Check Matrix
| Check | Finding Condition | Severity |
|---|---|---|
| Public access block | Any of four flags missing/false | High |
| Bucket ACL | public-read-write | Critical |
| Bucket ACL | public-read or authenticated-read | High |
| Bucket policy Principal | "Principal": "*" with Allow | Critical |
| Default encryption | No ServerSideEncryptionConfiguration | High |
| Default encryption | Non-standard SSEAlgorithm | Medium |
| No PublicAccessBlockConfiguration | Status unknown | Medium |
Recommended S3 Baseline Configuration
```json
{
  "PublicAccessBlockConfiguration": {
    "BlockPublicAcls": true,
    "BlockPublicPolicy": true,
    "IgnorePublicAcls": true,
    "RestrictPublicBuckets": true
  },
  "ServerSideEncryptionConfiguration": {
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id"
      },
      "BucketKeyEnabled": true
    }]
  },
  "ACL": "private"
}
```

All four public access block settings must be enabled at both the bucket level and the AWS account level. S3 applies the most restrictive combination of the two, so a bucket-level setting cannot loosen the account-level block; enabling both means the bucket stays protected if either level is later relaxed, and the account-level block covers buckets created without their own configuration.
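The four S3 checks from the matrix above, as an added Python example rather than the page's own tool. It takes a single dict in the shape the AWS CLI returns when the outputs of `get-bucket-acl`, `get-public-access-block`, `get-bucket-policy` and `get-bucket-encryption` are merged, and also accepts the baseline configuration above with a canned `ACL` string; the finding names and the two constructed bucket configurations are assumptions. One caveat it handles: `get-bucket-policy` returns `Policy` as a JSON string, so the document is parsed before principals are inspected.

```python
"""Assess an S3 bucket configuration for public exposure and missing default encryption."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
STANDARD_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} (string or list form) means any caller, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def acl_exposure(cfg):
    """Map the ACL to 'public-read-write', 'public-read', 'authenticated-read' or None.

    Accepts either a canned ACL string ("ACL": "private") or the Grants list
    that `aws s3api get-bucket-acl` returns.
    """
    canned = cfg.get("ACL")
    if canned in ("public-read-write", "public-read", "authenticated-read"):
        return canned
    perms = {}
    for grant in cfg.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            perms.setdefault(uri, set()).add(grant.get("Permission"))
    everyone = perms.get(ALL_USERS, set())
    if everyone & {"WRITE", "FULL_CONTROL"}:
        return "public-read-write"
    if "READ" in everyone:
        return "public-read"
    if perms.get(AUTH_USERS):
        return "authenticated-read"
    return None


def assess_bucket(cfg):
    """Return (severity, finding_type, detail) tuples following the check matrix."""
    findings = []
    bpa = cfg.get("PublicAccessBlockConfiguration")
    if bpa is None:
        findings.append(("medium", "no-public-access-block", "status unknown"))
    else:
        missing = [flag for flag in BPA_FLAGS if not bpa.get(flag)]
        if missing:
            findings.append(("high", "public-access-block", "not enforced: " + ", ".join(missing)))

    exposure = acl_exposure(cfg)
    if exposure == "public-read-write":
        findings.append(("critical", "bucket-acl", exposure))
    elif exposure:
        findings.append(("high", "bucket-acl", exposure))

    policy = cfg.get("Policy")
    if isinstance(policy, str):          # get-bucket-policy returns the document as a string
        policy = json.loads(policy)
    for st in _as_list((policy or {}).get("Statement")):
        if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal")):
            detail = ",".join(_as_list(st.get("Action")))
            if "Condition" in st:        # e.g. aws:SourceVpce; still flag, but say so
                detail += " (has Condition; verify it actually restricts callers)"
            findings.append(("critical", "public-principal", detail))

    sse = cfg.get("ServerSideEncryptionConfiguration")
    if sse is None:
        findings.append(("high", "no-default-encryption", "ServerSideEncryptionConfiguration missing"))
    else:
        for rule in sse.get("Rules", []):
            alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
            if alg not in STANDARD_SSE:
                findings.append(("medium", "non-standard-sse", str(alg)))
    return findings


# Constructed sample: merged CLI output for a badly exposed bucket (not a real bucket).
EXPOSED_BUCKET = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": False,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": False,
    },
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}
# The recommended baseline from this section (no Grants, no Policy, KMS default encryption).
BASELINE_BUCKET = {
    "PublicAccessBlockConfiguration": {flag: True for flag in BPA_FLAGS},
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id"},
        "BucketKeyEnabled": True}]},
    "ACL": "private",
}
```

Note that a public-principal statement is still reported even when `BlockPublicPolicy` is enabled and would have rejected it at write time: the posture check reads configuration as given, and the two findings together tell the reviewer both that the policy is dangerous and whether the guardrail that should have stopped it is in place.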
Security Group Analysis
Security group analysis flags inbound rules that expose admin ports, database ports, or all traffic to internet CIDRs (0.0.0.0/0, ::/0).
Critical Port Exposure Rules
| Port | Service | Finding Severity | Remediation |
|---|---|---|---|
| 22 | SSH | Critical | Restrict to VPN CIDR or use AWS Systems Manager Session Manager |
| 3389 | RDP | Critical | Restrict to VPN CIDR or use AWS Fleet Manager |
| 0–65535 (all) | All traffic | Critical | Remove rule; add specific required ports only |
High-Risk Database Port Rules
| Port | Service | Finding Severity | Remediation |
|---|---|---|---|
| 1433 | MSSQL | High | Allow from application tier SG only — move to private subnet |
| 3306 | MySQL | High | Allow from application tier SG only — move to private subnet |
| 5432 | PostgreSQL | High | Allow from application tier SG only — move to private subnet |
| 27017 | MongoDB | High | Allow from application tier SG only — move to private subnet |
| 6379 | Redis | High | Allow from application tier SG only — move to private subnet |
| 9200 | Elasticsearch | High | Allow from application tier SG only — move to private subnet |
Severity Modifiers

Use `--severity-modifier internet-facing` when the assessed resource is directly internet-accessible (load balancer, API gateway, public EC2). Use `--severity-modifier regulated-data` when the resource handles PCI, HIPAA, or GDPR-regulated data. Both modifiers bump each finding's severity by one level.
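The security-group port rules from the two tables above together with the one-level bump from the severity modifiers, as an added Python example; it is not the page's tool, the port tables are copied from this section, and the severity ladder, finding names and the constructed security group are assumptions. It consumes the `SecurityGroups[0]` object that `aws ec2 describe-security-groups` returns and checks whether an internet-wide rule's port range covers a sensitive port, so an `IpProtocol: -1` rule (which carries no `FromPort`/`ToPort`) or a `3000-6000` range is caught as well as an exact match on port 22:

```python
"""Flag security-group inbound rules that expose admin/database ports or all traffic to the internet."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
            27017: "MongoDB", 6379: "Redis", 9200: "Elasticsearch"}
SEVERITY_LADDER = ["low", "medium", "high", "critical"]   # assumed ordering for the bump


def is_internet_cidr(cidr):
    """True for 0.0.0.0/0 and ::/0 (any prefix length 0); malformed input is not flagged."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def internet_sources(rule):
    """CIDR sources of a rule (IPv4 and IPv6) that are internet-wide."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c and is_internet_cidr(c)]


def port_range(rule):
    """(low, high) covered by the rule, or None for protocols without ports (e.g. ICMP)."""
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":                       # all traffic: FromPort/ToPort are absent
        return (0, 65535)
    if proto in ("tcp", "udp", "6", "17"):
        return (rule.get("FromPort", 0), rule.get("ToPort", 65535))
    return None


def analyze_security_group(sg):
    """Return (severity, finding_type, detail) tuples for internet-exposed inbound rules."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources = internet_sources(rule)
        span = port_range(rule)
        if not sources or span is None:
            continue
        low, high = span
        src = ",".join(sources)
        if (low, high) == (0, 65535):
            findings.append(("critical", "all-traffic", f"all ports from {src}"))
            continue                        # do not also list every port it covers
        for port, service in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append(("critical", "admin-port", f"{service} {port} from {src}"))
        for port, service in DB_PORTS.items():
            if low <= port <= high:
                findings.append(("high", "db-port", f"{service} {port} from {src}"))
    return findings


def apply_modifier(findings, modifier):
    """Bump each finding one level for internet-facing / regulated-data context (Critical stays Critical)."""
    if modifier not in ("internet-facing", "regulated-data"):
        return list(findings)
    bumped = []
    for sev, kind, detail in findings:
        idx = min(SEVERITY_LADDER.index(sev) + 1, len(SEVERITY_LADDER) - 1)
        bumped.append((SEVERITY_LADDER[idx], kind, detail))
    return bumped


# Constructed sample in the shape of `aws ec2 describe-security-groups | jq '.SecurityGroups[0]'`.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                      # clean: VPC-internal source
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 6000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                        # range covers RDP, MySQL, PostgreSQL
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # all traffic
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # no port concept: ignored here
    ],
}
```

Only `0.0.0.0/0` and `::/0` are treated as internet-wide; a rule open to `0.0.0.0/1` or to a cloud provider's entire published range is just as exposed in practice, so a production check should either lower the prefix-length threshold or compare against an allow-list of known corporate CIDRs instead.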
IaC Security Review
Infrastructure-as-code review catches configuration issues at definition time, before deployment.
IaC Check Matrix
| Tool | Check Types | When to Run |
|---|---|---|
| Terraform | Resource-level checks (aws_s3_bucket_acl, aws_security_group, aws_iam_policy_document) | Pre-plan, pre-apply, PR gate |
| CloudFormation | Template property validation (PublicAccessBlockConfiguration, SecurityGroupIngress) | Template lint, deploy gate |
| Kubernetes manifests | Container privileges, network policies, secret exposure | PR gate, admission controller |
| Helm charts | Same as Kubernetes | PR gate |
Terraform IAM Policy Example — Finding vs. Clean
```hcl
# BAD: Will generate critical findings
resource "aws_iam_policy" "bad_policy" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}

# GOOD: Least privilege
resource "aws_iam_policy" "good_policy" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:PutObject"]
      Resource = "arn:aws:s3:::my-specific-bucket/*"
    }]
  })
}
```

Full CSPM check reference: `references/cspm-checks.md`
---

Cloud Provider Coverage Matrix
| Check Type | AWS | Azure | GCP |
|---|---|---|---|
| IAM privilege escalation | Full (IAM policies, trust policies, ESCALATION_COMBOS) | Partial (RBAC assignments, service principal risks) | Partial (IAM bindings, workload identity) |
| Storage public access | Full (S3 bucket policies, ACLs, public access block) | Partial (Blob SAS tokens, container access levels) | Partial (GCS bucket IAM, uniform bucket-level access) |
| Network exposure | Full (Security Groups, NACLs, port-level analysis) | Partial (NSG rules, inbound port analysis) | Partial (Firewall rules, VPC firewall) |
| IaC scanning | Full (Terraform, CloudFormation) | Partial (ARM templates, Bicep) | Partial (Deployment Manager) |
Workflows
Workflow 1: Quick Posture Check (20 Minutes)
For a newly provisioned resource or pre-deployment review:

```bash
# 1. Export IAM policy document
aws iam get-policy-version --policy-arn ARN --version-id v1 | \
    jq '.PolicyVersion.Document' > policy.json
python3 scripts/cloud_posture_check.py policy.json --check iam --json

# 2. Check S3 bucket configuration. The ACL and public access block outputs are
#    merged into one JSON object with jq; appending two documents to a single
#    file would not be valid JSON. get-public-access-block exits non-zero when
#    the bucket has no configuration, which the tool reports as "status unknown".
aws s3api get-bucket-acl --bucket my-bucket > acl.json
aws s3api get-public-access-block --bucket my-bucket > pab.json
jq -s 'add' acl.json pab.json > bucket.json
python3 scripts/cloud_posture_check.py bucket.json --check s3 --json

# 3. Review security groups for open admin ports
aws ec2 describe-security-groups --group-ids sg-123456 | \
    jq '.SecurityGroups[0]' > sg.json
python3 scripts/cloud_posture_check.py sg.json --check sg --json
```

**Decision**: Exit code 2 = block deployment and remediate. Exit code 1 = schedule remediation within 24 hours.

Workflow 2: Full Cloud Security Assessment (Multi-Day)
Day 1 — IAM and Identity:
- Export all IAM policies attached to production roles
- Run cloud_posture_check.py --check iam on each policy
- Map all privilege escalation paths found
- Identify overprivileged service accounts and roles
- Review cross-account trust policies
Day 2 — Storage and Network:
- Enumerate all S3 buckets and export configurations
- Run cloud_posture_check.py --check s3 --severity-modifier regulated-data for data buckets
- Export security group configurations for all VPCs
- Run cloud_posture_check.py --check sg for internet-facing resources
- Review NACL rules for network segmentation gaps
Day 3 — IaC and Continuous Integration:
- Review Terraform/CloudFormation templates in version control
- Check CI/CD pipeline for IaC security gates
- Validate findings against `references/cspm-checks.md`
- Produce remediation plan with priority ordering (Critical → High → Medium)
Workflow 3: CI/CD Security Gate
Integrate posture checks into deployment pipelines to prevent misconfigured resources reaching production:

```bash
# Validate IaC before terraform apply
# (plan.json is the binary plan saved with `terraform plan -out=plan.json`;
#  `terraform show -json` renders it as JSON)
terraform show -json plan.json | \
    jq '[.resource_changes[].change.after | select(. != null)]' > resources.json
python3 scripts/cloud_posture_check.py resources.json --check all --json
if [ $? -eq 2 ]; then
    echo "Critical cloud security findings — blocking deployment"
    exit 1
fi

# Validate existing S3 bucket before modifying
aws s3api get-bucket-policy --bucket "${BUCKET}" | jq '.Policy | fromjson' | \
    python3 scripts/cloud_posture_check.py - --check s3 \
    --severity-modifier regulated-data --json
```

---

Anti-Patterns
- Running IAM analysis without checking escalation combos — Individual high-risk actions in isolation may appear low-risk. The danger is in combinations: `iam:PassRole` alone is not critical, but `iam:PassRole + lambda:CreateFunction` is a confirmed privilege escalation path. Always analyze the full statement, not individual actions.
- Relying on a single level of public access block — AWS S3 has both account-level and bucket-level public access block settings and applies the most restrictive combination of the two, so neither level can loosen the other. Both must be configured: the account-level block is the backstop for buckets created without their own setting, and the bucket-level block keeps a bucket protected if the account-level setting is ever relaxed.
- Treating `--severity-modifier internet-facing` as optional for public resources — Internet-facing resources have significantly higher exposure than internal resources. High findings on internet-facing infrastructure should be treated as critical. Always apply `--severity-modifier internet-facing` for DMZ, load balancer, and API gateway configurations.
- Checking only administrator policies — Privilege escalation paths frequently originate from non-administrator policies that combine innocuous-looking permissions. All policies attached to production identities must be checked, not just policies with obvious elevated access.
- Remediating findings without root cause analysis — Removing a dangerous permission without understanding why it was granted will result in re-addition. Document the business justification for every high-risk permission before removing it, to prevent silent re-introduction.
- Ignoring service account over-permissioning — Service accounts are often over-provisioned during development and never trimmed for production. Every service account in production must be audited against AWS Access Analyzer or equivalent to identify and remove unused permissions.
- Not applying severity modifiers for regulated data workloads — A high finding in a general-purpose S3 bucket is different from the same finding in a bucket containing PHI or cardholder data. Always use `--severity-modifier regulated-data` when assessing resources in regulated data environments.
Cross-References
| Skill | Relationship |
|---|---|
| incident-response | Critical findings (public S3, privilege escalation confirmed active) may trigger incident classification |
| threat-detection | Cloud posture findings create hunting targets — over-permissioned roles are likely lateral movement destinations |
| red-team | Red team exercises specifically test exploitability of cloud misconfigurations found in posture assessment |
| security-pen-testing | Cloud posture findings feed into the infrastructure security section of pen test assessments |