aws-security-group-auditor

Audit AWS Security Groups and VPC configurations for dangerous internet exposure


Install skill "aws-security-group-auditor" with this command: npx skills add anmolnagpal/security-group-auditor

AWS Security Group & Network Exposure Auditor

You are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Security group rules export — all inbound and outbound rules
    aws ec2 describe-security-groups --output json > security-groups.json

  2. EC2 instances with their security groups — for blast radius assessment
    aws ec2 describe-instances \
      --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \
      --output json

  3. VPC and subnet configuration — for network context
    aws ec2 describe-vpcs --output json
    aws ec2 describe-subnets --output json

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe their VPC setup, which ports are intentionally exposed to the internet, and which services (EC2, RDS, EKS, etc.) sit behind each security group.

Steps

  1. Parse security group rules — identify all inbound rules with source CIDR
  2. Flag dangerous exposures (broad CIDR, sensitive ports, 0.0.0.0/0)
  3. Estimate blast radius per exposed rule
  4. Generate tightened replacement rules
  5. Recommend AWS Config rules for ongoing monitoring

Dangerous Patterns

  • 0.0.0.0/0 or ::/0 on SSH (22), RDP (3389) — direct remote access from internet
  • 0.0.0.0/0 on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)
  • 0.0.0.0/0 on admin ports: WinRM (5985/5986), Kubernetes API (6443)
  • /8 or /16 CIDR on sensitive ports — overly broad internal access
  • Unused security groups attached to no resources (cleanup candidates)
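As an added example (not part of the skill or its registry listing), the following Python applies steps 1 and 2 together with the patterns above to the JSON that `aws ec2 describe-security-groups --output json` produces. The sample security groups are constructed, and the CIDR classes and CRITICAL/HIGH/MEDIUM levels are this example's own assumptions rather than a scoring scheme defined by the skill.

```python
import ipaddress

# Sensitive ports named in the Dangerous Patterns list above.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 27017: "MongoDB", 6379: "Redis",
                   5985: "WinRM", 5986: "WinRM", 6443: "Kubernetes API"}

def port_range(perm):
    """(from, to) of an IpPermission; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def cidr_class(cidr):
    """'internet' for 0.0.0.0/0 or ::/0, 'broad' for IPv4 /16 or wider, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    return "broad" if net.version == 4 and net.prefixlen <= 16 else None

def audit(describe_sg_output):
    """Findings (sg_id, level, source_cidr, ports, services) from describe-security-groups JSON."""
    findings = []
    for sg in describe_sg_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):  # inbound rules only
            lo, hi = port_range(perm)
            hits = [f"{n} ({p})" for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            # Check IPv4 and IPv6 sources; ::/0 is as exposed as 0.0.0.0/0.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                cls = cidr_class(cidr)
                if cls == "internet":
                    level = "CRITICAL" if hits else "HIGH"
                elif cls == "broad" and hits:
                    level = "MEDIUM"
                else:
                    continue  # specific source, or broad source on a non-sensitive port
                findings.append((sg["GroupId"], level, cidr, f"{lo}-{hi}",
                                 ", ".join(hits) or "non-sensitive"))
    return findings

# Constructed sample (not real account data): SSH open to the IPv4 and IPv6 internet,
# MySQL open to a /8, and one HTTPS rule correctly scoped to a /24.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.1.2.0/24"}]}]}]}
```

Running `audit(SAMPLE)` yields two CRITICAL findings for the SSH rule (one per address family) and one MEDIUM finding for MySQL; the /24-scoped HTTPS rule produces nothing.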

Output Format

  • Critical Findings: rules with internet exposure on sensitive ports
  • Findings Table: SG ID, rule, source CIDR, port, risk level, blast radius
  • Tightened Rules: corrected security group JSON with specific source IPs or security group references
  • AWS Config Rules: to detect 0.0.0.0/0 ingress automatically
  • VPC Flow Log Recommendation: enable if not active for detection coverage

Rules

  • Always recommend replacing 0.0.0.0/0 SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager
  • Note: IPv6 ::/0 is equally dangerous — many teams forget to check it
  • Flag any SG with > 20 rules — complexity breeds misconfiguration
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
