Implements multi-cloud CSPM for vulnerability and misconfiguration detection using AWS Security Hub, Azure Defender for Cloud, Prowler, and ScoutSuite.
Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: over-permissive IAM, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools such as Prowler and ScoutSuite.
Python dependencies: boto3, azure-identity, azure-mgmt-security

```bash
# Enable AWS Security Hub with the default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable specific standards (the parameter takes a JSON array of subscription requests)
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
  '[{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}]'

# Summary of active CRITICAL findings
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
```
| Standard | Description |
|---|---|
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |
```bash
# Enable the Defender CSPM plan at the standard (paid) tier
az security pricing create \
  --name CloudPosture \
  --tier standard

# Check the secure score
az security secure-scores list \
  --query "[].{Name:displayName,Score:current,Max:max}" \
  --output table

# List unhealthy security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table

# List active alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table
```
```bash
# Install Prowler
pip install prowler

# Run a full AWS scan
prowler aws --output-formats json-ocsf,csv,html

# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet

# Run against a specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run CIS Benchmark compliance checks
prowler aws --compliance cis_1.5_aws

# Run PCI DSS compliance checks
prowler aws --compliance pci_3.2.1_aws

# Scan an Azure environment
prowler azure --subscription-ids "sub-id-here"

# Scan a GCP environment
prowler gcp --project-ids "project-id-here"
```
| Category | Examples |
|---|---|
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log file validation |
| VPC | Flow logs, default security group restrictions |
| Lambda | Public access, runtime version |
| EKS | Public endpoint, secrets encryption |
```bash
# Install ScoutSuite
pip install scoutsuite

# Run an AWS assessment
scout aws --profile production

# Run an Azure assessment
scout azure --cli

# Run a GCP assessment
scout gcp --project-id my-project

# Results are written as an interactive HTML report:
# open scout-report/report.html in a browser
```
```python
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def run_prowler_scan(provider, output_dir, compliance=None):
    """Run a Prowler scan for one cloud provider; returns True when Prowler exits 0."""
    cmd = ["prowler", provider, "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode == 0


def load_findings(json_file):
    """Load findings from one Prowler output file.

    Prowler's json-ocsf output is a single JSON array; JSON Lines is also
    accepted so post-processed files still parse. Unparseable lines are skipped.
    """
    text = Path(json_file).read_text(encoding="utf-8")
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        pass
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def aggregate_findings(prowler_dirs):
    """Aggregate the findings of several Prowler scans, worst severity first."""
    all_findings = []
    for scan_dir in prowler_dirs:
        for jf in Path(scan_dir).glob("*.json"):
            all_findings.extend(load_findings(jf))
    # Sort by severity
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        str(f.get("severity", "informational")).lower(), 5
    ))
    return all_findings


def generate_posture_report(findings, output_path):
    """Write a cloud security posture summary (counts by severity, provider and service) as JSON."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = str(f.get("severity", "unknown")).lower()
        # OCSF nests the provider under cloud.provider and the service under
        # resources[].group.name; fall back to flat keys for other inputs.
        provider = f.get("cloud", {}).get("provider") or f.get("cloud_provider", "unknown")
        resources = f.get("resources") or []
        service = (resources[0].get("group", {}).get("name") if resources else None) \
            or f.get("service_name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1
    with open(output_path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return report
```
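A multi-cloud posture pipeline rarely stops at one tool's output: Security Hub emits ASFF findings and Prowler emits OCSF findings, which use different field names, severity spellings and pass/fail encodings, and the same check on the same resource shows up again on every re-run or overlapping region. The Python below is an added example, not code from this skill or from either tool. It normalizes both shapes into one record, collapses duplicates by (provider, check, resource) keeping the worst severity, and summarizes what is actually failing. The sample findings are constructed inline and only approximate the ASFF fields (`Severity.Label`, `Compliance.Status`, `GeneratorId`, `Resources[].Id`) and Prowler's OCSF fields (`severity`, `status_code`, `cloud.provider`, `metadata.event_code`, `resources[].uid`); the Azure check id in the sample is a placeholder and the function names are this example's own.

```python
"""Normalize Security Hub (ASFF) and Prowler (OCSF) findings into one schema,
drop duplicate (provider, check, resource) records, and summarize failures.
Added example; the sample findings below are constructed and only approximate
the real ASFF/OCSF documents."""
import json
from collections import Counter
from dataclasses import dataclass, asdict

# Ordering used for sorting and for picking the worst severity among duplicates.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}


@dataclass(frozen=True)
class Finding:
    provider: str   # aws / azure / gcp
    check_id: str   # Security Hub GeneratorId or Prowler check id
    resource: str   # ARN, Azure resource id, ...
    severity: str   # normalized: critical/high/medium/low/informational
    status: str     # normalized: fail/pass


def normalize_asff(raw):
    """Map one Security Hub ASFF finding to Finding records (one per resource)."""
    severity = raw.get("Severity", {}).get("Label", "INFORMATIONAL").lower()
    compliance = raw.get("Compliance", {}).get("Status", "FAILED").upper()
    status = "pass" if compliance == "PASSED" else "fail"
    check_id = raw.get("GeneratorId", "unknown")
    resources = raw.get("Resources") or [{}]
    return [Finding("aws", check_id, r.get("Id", "unknown"), severity, status)
            for r in resources]


def normalize_ocsf(raw):
    """Map one Prowler OCSF finding to Finding records (one per resource)."""
    severity = str(raw.get("severity", "Informational")).lower()
    status = "pass" if str(raw.get("status_code", "FAIL")).upper() == "PASS" else "fail"
    provider = raw.get("cloud", {}).get("provider", "unknown")
    check_id = raw.get("metadata", {}).get("event_code", "unknown")
    resources = raw.get("resources") or [{}]
    return [Finding(provider, check_id, r.get("uid", "unknown"), severity, status)
            for r in resources]


def dedupe(findings):
    """Collapse findings sharing (provider, check, resource), keeping the worst
    severity, so a re-run or an overlapping region does not double count."""
    best = {}
    for f in findings:
        key = (f.provider, f.check_id, f.resource)
        current = best.get(key)
        if current is None or SEVERITY_RANK.get(f.severity, 5) < SEVERITY_RANK.get(current.severity, 5):
            best[key] = f
    return sorted(best.values(),
                  key=lambda f: (SEVERITY_RANK.get(f.severity, 5), f.provider, f.check_id))


def summarize(findings):
    """Count failing findings by severity and by provider."""
    failing = [f for f in findings if f.status == "fail"]
    return {
        "total": len(findings),
        "failing": len(failing),
        "by_severity": dict(Counter(f.severity for f in failing)),
        "by_provider": dict(Counter(f.provider for f in failing)),
    }


def build_posture(asff_findings, ocsf_findings):
    """Full pipeline: normalize both sources, dedupe, summarize."""
    normalized = []
    for raw in asff_findings:
        normalized.extend(normalize_asff(raw))
    for raw in ocsf_findings:
        normalized.extend(normalize_ocsf(raw))
    unique = dedupe(normalized)
    return unique, summarize(unique)


# Constructed sample input (not real tool output).
SAMPLE_ASFF = [
    {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:s3:::example-public-bucket"}]},
    {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.4",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "PASSED"},
     "Resources": [{"Id": "AWS::::Account:111122223333"}]},
]
SAMPLE_OCSF = [
    {"metadata": {"event_code": "s3_bucket_public_access"}, "severity": "High",
     "status_code": "FAIL", "cloud": {"provider": "aws"},
     "resources": [{"uid": "arn:aws:s3:::example-public-bucket"}]},
    # Same check and bucket seen again in a second run, rated higher: a duplicate.
    {"metadata": {"event_code": "s3_bucket_public_access"}, "severity": "Critical",
     "status_code": "FAIL", "cloud": {"provider": "aws"},
     "resources": [{"uid": "arn:aws:s3:::example-public-bucket"}]},
    # Placeholder Azure check id, constructed for this example.
    {"metadata": {"event_code": "example_storage_encryption_check"}, "severity": "Medium",
     "status_code": "FAIL", "cloud": {"provider": "azure"},
     "resources": [{"uid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/examplestorage"}]},
]

if __name__ == "__main__":
    unique, summary = build_posture(SAMPLE_ASFF, SAMPLE_OCSF)
    print(json.dumps({"findings": [asdict(f) for f in unique], "summary": summary}, indent=2))
```

Deduplication keys on the tool's own check id, so it merges repeats from the same tool (re-runs, overlapping regions) but deliberately does not merge a Security Hub control with the Prowler check that covers the same concern; mapping those onto each other needs a maintained crosswalk, and the resource id is the field to join on when you build one.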