Performs cloud-native incident containment in AWS, Azure, and GCP: isolates compromised resources, revokes credentials, preserves forensic evidence, applies security groups to prevent lateral movement.
Slash command: /cybersecurity-skills-zh:performing-cloud-incident-containment-procedures
Cloud incident containment requires a cloud-native approach that differs fundamentally from traditional on-premises response. Containment procedures must use platform-specific controls, including security groups, IAM policies, network ACLs and service-level isolation, to restrict compromised resources while preserving forensic evidence. The 2025 Unit 42 Global Incident Response Report notes that responding to cloud incidents requires an understanding of the shared responsibility model, ephemeral infrastructure and API-driven operations. Effective containment includes credential revocation, resource isolation, evidence snapshot creation and automated response playbook execution.
```bash
# Disable the compromised IAM user's access key
aws iam update-access-key --user-name compromised-user \
  --access-key-id AKIA... --status Inactive

# List and then delete all of the user's access keys
aws iam list-access-keys --user-name compromised-user
aws iam delete-access-key --user-name compromised-user --access-key-id AKIA...

# Attach a deny-all inline policy to the compromised user
aws iam put-user-policy --user-name compromised-user \
  --policy-name DenyAll \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*"
    }]
  }'

# Revoke all active sessions of an IAM role: deny every request whose
# credentials were issued before this moment (the same mechanism the
# console's "Revoke sessions" button uses)
aws iam put-role-policy --role-name compromised-role \
  --policy-name RevokeOldSessions \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}
      }
    }]
  }'

# Stop new AssumeRole calls by removing every trusted principal from the
# role's trust policy (already-issued credentials stay valid until they
# expire; the RevokeOldSessions policy above covers those)
aws iam update-assume-role-policy --role-name compromised-role \
  --policy-document '{"Version":"2012-10-17","Statement":[]}'

# Create a quarantine security group (no inbound, no outbound)
aws ec2 create-security-group --group-name quarantine-sg \
  --description "Quarantine - No traffic allowed" --vpc-id vpc-xxxxx

# Remove the default allow-all egress rule (a new group has no inbound
# rules but allows all outbound traffic); use the GroupId returned above
aws ec2 revoke-security-group-egress --group-id sg-quarantine \
  --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

# Take a forensic snapshot BEFORE containment changes the instance
aws ec2 create-snapshot --volume-id vol-xxxxx \
  --description "Forensic snapshot - IR Case 2025-001" \
  --tag-specifications 'ResourceType=snapshot,Tags=[{Key=IR-Case,Value=2025-001}]'

# Apply the quarantine security group to the compromised instance
aws ec2 modify-instance-attribute --instance-id i-xxxxx \
  --groups sg-quarantine

# Tag the instance as compromised
aws ec2 create-tags --resources i-xxxxx \
  --tags Key=IR-Status,Value=Contained Key=IR-Case,Value=2025-001

# Acquire memory (if the SSM Agent is available). Caveat: kernels built with
# CONFIG_STRICT_DEVMEM restrict /dev/mem, so this usually captures only a small
# part of RAM and a kernel-module acquisition tool is normally needed; write the
# dump to an attached evidence volume rather than /tmp on the suspect disk.
aws ssm send-command --instance-ids i-xxxxx \
  --document-name "AWS-RunShellScript" \
  --parameters 'commands=["dd if=/dev/mem of=/tmp/memory.dump bs=1M"]'

# Block all public access to the bucket
aws s3api put-public-access-block --bucket compromised-bucket \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Apply a deny policy to the bucket (everyone except the forensics role)
aws s3api put-bucket-policy --bucket compromised-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "DenyAllExceptForensics",
      "Effect": "Deny",
      "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNT:role/IR-Forensics"},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::compromised-bucket","arn:aws:s3:::compromised-bucket/*"]
    }]
  }'

# Enable versioning so overwrites and deletes keep prior object versions
aws s3api put-bucket-versioning --bucket compromised-bucket \
  --versioning-configuration Status=Enabled

# Enable Object Lock on the evidence bucket for evidence preservation
aws s3api put-object-lock-configuration --bucket evidence-bucket \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}
  }'

# Set reserved concurrency to 0 (throttles every invocation of the function)
aws lambda put-function-concurrency --function-name compromised-function \
  --reserved-concurrent-executions 0

# Remove all event source mappings (use the UUIDs returned by list)
aws lambda list-event-source-mappings --function-name compromised-function
aws lambda delete-event-source-mapping --uuid mapping-uuid
```
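The commands above are a manual sequence; the introduction also calls for automated response playbooks. The following is an added example (not part of this skill or of any AWS tooling) of a small EC2 containment playbook that builds the same policy documents and API calls in the order a responder wants them: evidence snapshots first, isolation afterwards, with a guard that refuses a mis-ordered plan. It executes through any object with a boto3-style `client(service)` interface; the `RecordingSession` class is a constructed stand-in so the code runs offline, and the case id, instance, volume and role names are placeholders. The boto3 method and parameter names (`create_snapshot`, `put_role_policy`, `modify_instance_attribute`, `create_tags`) are the real ones.

```python
"""Ordered EC2 containment playbook: evidence first, then isolation (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

POLICY_VERSION = "2012-10-17"


def deny_all_policy() -> str:
    """Same document as the DenyAll inline policy used in the CLI commands."""
    return json.dumps({"Version": POLICY_VERSION,
                       "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]})


def revoke_sessions_policy(issued_before: datetime) -> str:
    """Deny every request made with credentials issued before `issued_before` (tz-aware)."""
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return json.dumps({"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]})


@dataclass
class Step:
    phase: str        # "evidence" or "isolate"
    service: str      # boto3 service name
    operation: str    # boto3 client method name
    params: dict


@dataclass
class RecordingSession:
    """Constructed stand-in for boto3.Session: records calls instead of making them."""
    calls: list = field(default_factory=list)

    def client(self, service):
        session = self

        class _Client:
            def __getattr__(self, op):
                def call(**kw):
                    session.calls.append((service, op, kw))
                    return {"Recorded": True}
                return call
        return _Client()


def build_ec2_containment_plan(case_id, instance_id, volume_ids, quarantine_sg, role_name, now):
    """Snapshot every volume, then revoke role sessions, quarantine and tag the instance."""
    steps = []
    for vol in volume_ids:
        steps.append(Step("evidence", "ec2", "create_snapshot", {
            "VolumeId": vol,
            "Description": f"Forensic snapshot - IR Case {case_id}",
            "TagSpecifications": [{"ResourceType": "snapshot",
                                   "Tags": [{"Key": "IR-Case", "Value": case_id}]}]}))
    steps.append(Step("isolate", "iam", "put_role_policy", {
        "RoleName": role_name, "PolicyName": "RevokeOldSessions",
        "PolicyDocument": revoke_sessions_policy(now)}))
    steps.append(Step("isolate", "ec2", "modify_instance_attribute", {
        "InstanceId": instance_id, "Groups": [quarantine_sg]}))
    steps.append(Step("isolate", "ec2", "create_tags", {
        "Resources": [instance_id],
        "Tags": [{"Key": "IR-Status", "Value": "Contained"},
                 {"Key": "IR-Case", "Value": case_id}]}))
    return steps


def validate_plan(steps):
    """Refuse any plan in which an evidence step comes after an isolation step."""
    seen_isolate = False
    for s in steps:
        if s.phase == "isolate":
            seen_isolate = True
        elif seen_isolate:
            raise ValueError(f"evidence step {s.operation} scheduled after isolation")
    return True


def execute(steps, session):
    """Validate ordering, then issue each call; returns (operation, response) pairs."""
    validate_plan(steps)
    return [(s.operation, getattr(session.client(s.service), s.operation)(**s.params))
            for s in steps]


def run_demo():
    """Constructed scenario with placeholder identifiers and a fixed clock."""
    now = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    plan = build_ec2_containment_plan("2025-001", "i-0123456789abcdef0",
                                      ["vol-0aaa", "vol-0bbb"], "sg-quarantine",
                                      "compromised-role", now)
    session = RecordingSession()
    execute(plan, session)
    return plan, session


if __name__ == "__main__":
    plan, session = run_demo()
    for service, op, params in session.calls:
        print(f"{service}.{op}({json.dumps(params)[:80]}...)")
```

Pass a real `boto3.Session()` in place of `RecordingSession` to act on an account; the recorded call list doubles as the action log for the case file.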
```powershell
# Revoke all of the user's refresh tokens (ends every signed-in session).
# These AzureAD-module cmdlets are deprecated in favour of Microsoft Graph PowerShell.
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"

# Disable the user account
Set-AzureADUser -ObjectId "user-object-id" -AccountEnabled $false

# Reset the user's password ("TempP@ss!" is a placeholder; generate a random value)
Set-AzureADUserPassword -ObjectId "user-object-id" -Password (
    ConvertTo-SecureString "TempP@ss!" -AsPlainText -Force
) -ForceChangePasswordNextLogin $true

# Block sign-in through Conditional Access (emergency policy):
# create a policy that blocks the user from all cloud apps

# Revoke an Azure AD app role assignment held by the service principal
Remove-AzureADServiceAppRoleAssignment -ObjectId "sp-object-id" `
    -AppRoleAssignmentId "assignment-id"

# Create a network security group with deny-all rules in both directions
$denyInbound = New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Protocol * `
    -Direction Inbound -Priority 100 -SourceAddressPrefix * `
    -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange * -Access Deny
$denyOutbound = New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Protocol * `
    -Direction Outbound -Priority 100 -SourceAddressPrefix * `
    -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange * -Access Deny
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName "rg" -Location "eastus" `
    -Name "quarantine-nsg" -SecurityRules $denyInbound, $denyOutbound

# Create a forensic snapshot of the OS disk
$vm = Get-AzVM -ResourceGroupName "rg" -Name "compromised-vm"
$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
    -Location "eastus" -CreateOption Copy
New-AzSnapshot -ResourceGroupName "rg" -SnapshotName "forensic-snap" -Snapshot $snapshotConfig

# Apply the quarantine NSG to the VM's NIC
$nic = Get-AzNetworkInterface -ResourceGroupName "rg" -Name "compromised-nic"
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic

# Remove network access to the storage account
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "rg" `
    -Name "storageaccount" -DefaultAction Deny

# Regenerate both access keys; this also invalidates every SAS token
# that was signed with the account keys
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key1
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key2

# Enable immutability (immutable blob storage) on the evidence container
```
```bash
# Remove every IAM binding that grants the compromised service account a role
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# Edit policy.json to delete the compromised account's bindings, then write it back
gcloud projects set-iam-policy PROJECT_ID policy.json

# Disable the service account
gcloud iam service-accounts disable SA_EMAIL

# Delete the service account's user-managed keys
gcloud iam service-accounts keys list --iam-account SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL

# Create a forensic snapshot
gcloud compute disks snapshot compromised-disk \
  --snapshot-names forensic-snap-$(date +%Y%m%d) \
  --zone us-central1-a

# Firewall rule denying all traffic to instances tagged "quarantine"
# (direction defaults to INGRESS; outbound traffic needs a second rule
# created with --direction EGRESS)
gcloud compute firewall-rules create quarantine-deny-all \
  --network default --action DENY --rules all \
  --target-tags quarantine --priority 0

# Tag the compromised instance
gcloud compute instances add-tags compromised-instance \
  --tags quarantine --zone us-central1-a

# Remove the external IP
gcloud compute instances delete-access-config compromised-instance \
  --access-config-name "External NAT" --zone us-central1-a
```
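The GCP sequence above leaves the "edit policy.json" step to hand editing, which is error-prone during an incident. The following is an added example (not part of this skill or of the gcloud tooling) that removes a compromised principal from every binding in the JSON that `gcloud projects get-iam-policy --format=json` writes, drops bindings left empty (set-iam-policy rejects a binding with no members), keeps the `etag` so a concurrent edit is detected on write-back, and also matches the `deleted:serviceAccount:EMAIL?uid=...` form that appears once a service account has been deleted. `SAMPLE_POLICY`, the project name and the account e-mail are constructed for illustration.

```python
"""Strip a compromised principal from a GCP project IAM policy JSON (added example)."""
import copy
import json
import sys

# Constructed sample of a `gcloud projects get-iam-policy --format=json` result.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:compromised@example-project.iam.gserviceaccount.com",
                     "user:admin@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:compromised@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["group:analysts@example.com",
                     "deleted:serviceAccount:compromised@example-project.iam.gserviceaccount.com?uid=1234"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXyz123abc=",
    "version": 3,
}


def _matches(member_entry: str, member: str) -> bool:
    """True for the plain principal and for its deleted:...?uid=N form."""
    if member_entry == member:
        return True
    if member_entry.startswith("deleted:"):
        return member_entry.split("?", 1)[0] == "deleted:" + member
    return False


def remove_member(policy: dict, member: str):
    """Return (new_policy, roles_removed_from). The input policy is not modified."""
    new_policy = copy.deepcopy(policy)
    removed_roles = []
    kept_bindings = []
    for binding in new_policy.get("bindings", []):
        members = binding.get("members", [])
        remaining = [m for m in members if not _matches(m, member)]
        if len(remaining) != len(members):
            removed_roles.append(binding["role"])
        if remaining:                      # empty bindings are dropped, not written back
            binding["members"] = remaining
            kept_bindings.append(binding)
    new_policy["bindings"] = kept_bindings
    return new_policy, removed_roles


def rewrite_policy_file(path: str, member: str) -> list:
    """In-place edit of policy.json; returns the roles the member was removed from."""
    with open(path, encoding="utf-8") as fh:
        policy = json.load(fh)
    new_policy, removed_roles = remove_member(policy, member)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(new_policy, fh, indent=2)
    return removed_roles


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: remove_iam_member.py policy.json serviceAccount:SA_EMAIL")
    for role in rewrite_policy_file(sys.argv[1], sys.argv[2]):
        print(f"removed from {role}")
```

Run it between the `get-iam-policy` and `set-iam-policy` commands; the printed roles go into the case notes as the access that was revoked.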
| Technique | Containment measure |
|---|---|
| T1078 - Valid Accounts | Disable the account, revoke tokens |
| T1530 - Data from Cloud Storage | Lock down bucket/storage policies |
| T1537 - Transfer Data to Cloud Account | Block cross-account access |
| T1578 - Modify Cloud Compute Infrastructure | Isolate instances, snapshot disks |
| T1552 - Unsecured Credentials | Rotate all access keys and secrets |
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh

Contains cloud incidents across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.