Loading...
Loading...
Configure AWS Security Agent for the current workspace — provision or reuse an agent space, IAM service role, and S3 bucket. Use when the user asks to "set up security agent", "configure security scanner", "is security agent configured", or on first-time use before any scan or pentest.
npx skill4agent add aws/agent-toolkit-for-aws setup-security-agent.security-agent/config.json{ "agent_space_id": "as-...", "region": "us-east-1", "code_reviews": { "<abs_path>": "cr-..." } }code_reviewsscans.json{ scan_id, code_review_id, job_id, agent_space_id, scan_type, title, started_at, status, path }pentests.json.gitignore*findings-{scan_id}.mdconfig.json.gitignoreconfig.json| Value | Convention |
|---|---|
| |
| |
| |
| |
agent_space_id.security-agent/config.jsonexport ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
export REGION="${AWS_REGION:-us-east-1}"config.agent_space_idaws securityagent batch-get-agent-spaces --agent-space-ids <id>aws securityagent list-agent-spacesagentSpaceIdaws securityagent create-agent-space --name security-scansagentSpaceIdSecurityAgentScanRolearn:aws:iam::$ACCOUNT:role/SecurityAgentScanRoleaws iam get-role --role-name SecurityAgentScanRoleNoSuchEntitycreate-roleEntityAlreadyExistsupdate-assume-role-policy# Trust policy — includes aws:SourceAccount confused-deputy guard
cat > /tmp/sa-trust.json <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"securityagent.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"${ACCOUNT}"}}}]}
EOF
# Permissions policy (S3 + CloudWatch Logs)
cat > /tmp/sa-perms.json <<EOF
{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Action":["s3:GetObject","s3:GetObjectVersion","s3:ListBucket"],"Resource":["arn:aws:s3:::security-agent-scans-${ACCOUNT}-${REGION}","arn:aws:s3:::security-agent-scans-${ACCOUNT}-${REGION}/*"]},
{"Effect":"Allow","Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:*:${ACCOUNT}:log-group:/aws/securityagent/*"}
]}
EOF
aws iam create-role --role-name SecurityAgentScanRole --assume-role-policy-document file:///tmp/sa-trust.json
# if EntityAlreadyExists:
aws iam update-assume-role-policy --role-name SecurityAgentScanRole --policy-document file:///tmp/sa-trust.json
# always (re)apply permissions:
aws iam put-role-policy --role-name SecurityAgentScanRole --policy-name SecurityAgentCodeReviewAccess --policy-document file:///tmp/sa-perms.jsonsecurity-agent-scans-$ACCOUNT-$REGIONBUCKET="security-agent-scans-${ACCOUNT}-${REGION}"
aws s3api head-bucket --bucket "$BUCKET"# us-east-1: no LocationConstraint
aws s3api create-bucket --bucket "$BUCKET"
# other regions:
aws s3api create-bucket --bucket "$BUCKET" --create-bucket-configuration LocationConstraint="$REGION"aws s3api put-public-access-block --bucket "$BUCKET" \
--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
cat > /tmp/sa-lifecycle.json <<'EOF'
{"Rules":[{"ID":"AutoDeleteUploads","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":30}}]}
EOF
aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" --lifecycle-configuration file:///tmp/sa-lifecycle.jsonaws securityagent batch-get-agent-spaces --agent-space-ids <id>agentSpaces[0].awsResources.iamRolesawsResources.s3Bucketsaws securityagent update-agent-space --agent-space-id <id> --name <existing-name> \
--aws-resources iamRoles=[<arn1>,<arn2>...],s3Buckets=[<bucket1>,<bucket2>...].security-agent/config.json{
"agent_space_id": "as-xxxxx",
"region": "us-east-1"
}mkdir -p .security-agent
echo '*' > .security-agent/.gitignoresecurityagent.amazonaws.comaws:SourceAccountSecurityAgentScanRolesecurity-agent-scans-${ACCOUNT}-${REGION}config.jsonAccessDeniediam:CreateRoleiam:CreateRoleiam:PutRolePolicyAccessDenieds3api create-buckets3:CreateBucketupdate-assume-role-policy