Security Group Auditor (AWS security group audit)

v1.0.0

Audits AWS security group and VPC configuration to identify dangerous internet-exposure risks. Analyzes exported security group, EC2, VPC and subnet data, flags critical risks, assesses blast radius, and recommends security hardening and continuous monitoring.

by @anmolnagpal (Anmol Nagpal) · MIT-0
License
MIT-0
Last updated
2026/3/3
Security scan
VirusTotal
Harmless
OpenClaw
Safe
high confidence
This is a purely instruction-based audit tool that asks the user to paste read-only AWS CLI export results for analysis; it does not request credentials or install code. Its requirements and instructions match its stated purpose.
Assessment recommendations
This skill is instruction-only and does not ask for AWS credentials, which is good. Before installing or using it: (1) Run the listed aws CLI commands yourself and share only the exported JSON the skill asks for; never share any credentials or environment files. (2) Review and remove any sensitive metadata you do not want analyzed or exposed (e.g. internal hostnames, exact public IPs, account IDs); the guidance already warns to confirm that no credentials are included. (3) If privacy is a priority, extract only the fields needed for analysis (rules, CIDRs, ports, security group IDs) instead of pasting the full output. (4) Since the agent can be invoked autonomously (the normal default), think carefully before enabling any skill that needs to run without confirmation steps; if you want tighter control, restrict its use to interactive/manual sessions. ...
Detailed analysis
Purpose and capabilities
The name and description (auditing AWS security groups/VPCs) match the runtime instructions: the skill asks the user to provide exported AWS EC2/VPC/security group JSON output and analyzes it. It does not request unrelated credentials, binaries, or resources.
Instruction scope
SKILL.md correctly directs the user to run read-only AWS CLI commands and paste their output. This matches the stated purpose, but user-provided exports may contain sensitive metadata (public/private IPs, instance IDs, hostnames, availability zones, subnet IDs). The skill states explicitly that it will not execute CLI calls or request credentials, and asks the user to confirm that no credentials are included before processing, which is good practice. Users should still scrub or remove anything they do not want analyzed or shared.
Installation mechanism
There is no install spec and there are no code files; the skill is instruction-only, so nothing is written to disk or downloaded. This is the lowest-risk pattern and is proportionate for an audit tool that works on user-exported data.
Credential requirements
The skill does not request environment variables, credentials, or configuration paths. The minimum IAM permissions it declares appear only in the README as guidance for the user to collect the exports; they are read-only describe operations consistent with the stated purpose.
Persistence and permissions
The skill does not request to be always present (always: false). Model invocation is allowed (the default), which is normal for a user-invocable skill; there is no evidence that the skill tries to modify other skills or system-level settings.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute without attribution.

Runtime dependencies

No special dependencies

Versions

latest v1.0.0 · 2026/3/3

aws-security-group-auditor 1.0.0 – Initial release: provides step-by-step guidance for auditing AWS security groups and VPC network exposure; identifies whether dangerous open ports (such as SSH, RDP, database/admin ports) are exposed to the internet; analyzes exported AWS data (security groups, EC2, VPCs, subnets) to flag critical risks and assess blast radius; recommends replacement and tightened security group rules plus AWS Config rules for continuous monitoring; instruction-only: requires user-provided export data and does not access the AWS account or execute commands.


Install command

Official: npx clawhub@latest install security-group-auditor
Mirror (accelerated): npx clawhub@latest install security-group-auditor --registry https://cn.longxiaskill.com

Skill documentation

You are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  • Security group rules export — all inbound and outbound rules
aws ec2 describe-security-groups --output json > security-groups.json
  • EC2 instances with their security groups — for blast radius assessment
aws ec2 describe-instances \
  --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \
  --output json
  • VPC and subnet configuration — for network context
aws ec2 describe-vpcs --output json
aws ec2 describe-subnets --output json

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeInstances",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeNetworkInterfaces"
    ],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe their VPC setup, which ports are intentionally exposed to the internet, and what services (EC2, RDS, EKS, etc.) are in each security group.

Steps

  • Parse security group rules — identify all inbound rules with source CIDR
  • Flag dangerous exposures (broad CIDR, sensitive ports, 0.0.0.0/0)
  • Estimate blast radius per exposed rule
  • Generate tightened replacement rules
  • Recommend AWS Config rules for ongoing monitoring

Dangerous Patterns

  • 0.0.0.0/0 or ::/0 on SSH (22), RDP (3389) — direct remote access from internet
  • 0.0.0.0/0 on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)
  • 0.0.0.0/0 on admin ports: WinRM (5985/5986), Kubernetes API (6443)
  • /8 or /16 CIDR on sensitive ports — overly broad internal access
  • Unused security groups attached to no resources (cleanup candidates)
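As an added example (not part of the skill or its author's code), a Python script that applies the Steps and Dangerous Patterns above to the two exports: it flags sensitive ports reachable from 0.0.0.0/0, ::/0 or a /8-/16 source, attaches the EC2 blast radius per finding, and lists groups no instance uses. The sample exports are constructed; the port list and CIDR thresholds follow the page.

```python
import ipaddress
# Ports the skill treats as sensitive, keyed to the service named under Dangerous Patterns.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL",
                   27017: "MongoDB", 6379: "Redis", 5985: "WinRM", 5986: "WinRM", 6443: "Kubernetes API"}

def rule_covers(perm, port):
    """True if an IpPermissions entry admits `port`; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def classify_source(cidr):
    """CRITICAL for 0.0.0.0/0 or ::/0, HIGH for /16 or wider (overly broad), else None."""
    prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
    return "CRITICAL" if prefix == 0 else "HIGH" if prefix <= 16 else None

def audit(sg_export, instances):
    """Return (findings, unused_group_ids): one finding per SG x sensitive port x risky source CIDR."""
    attached = {}  # GroupId -> instance IDs, from the describe-instances --query output above
    for inst in instances:
        for sg in inst.get("SGs", []):
            attached.setdefault(sg["GroupId"], []).append(inst["ID"])
    findings = []
    for sg in sg_export["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])  # IPv6 is checked too
            for port, service in SENSITIVE_PORTS.items():
                if not rule_covers(perm, port):
                    continue
                for cidr in sources:
                    risk = classify_source(cidr)
                    if risk:
                        findings.append({"sg": sg["GroupId"], "port": port, "service": service,
                                         "source": cidr, "risk": risk,
                                         "blast_radius": attached.get(sg["GroupId"], [])})
    # Cleanup candidates: no EC2 instance references the group (RDS/ELB ENIs are not in this export).
    unused = [sg["GroupId"] for sg in sg_export["SecurityGroups"] if sg["GroupId"] not in attached]
    return findings, unused

# Constructed sample exports (not real account data) in the shape of the two CLI commands above.
SG_EXPORT = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
INSTANCES = [{"ID": "i-0123456789abcdef0", "SGs": [{"GroupId": "sg-0a1b2c3d"}], "Public": "203.0.113.10"}]
```

Feed it the real files with `json.load` in place of the constructed dicts; 443 open to the world is deliberately not flagged because the page lists only remote-access, database and admin ports as sensitive.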

Output Format

  • Critical Findings: rules with internet exposure on sensitive ports
  • Findings Table: SG ID, rule, source CIDR, port, risk level, blast radius
  • Tightened Rules: corrected security group JSON with specific source IPs or security group references
  • AWS Config Rules: to detect 0.0.0.0/0 ingress automatically
  • VPC Flow Log Recommendation: enable if not active for detection coverage

Rules

  • Always recommend replacing 0.0.0.0/0 SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager
  • Note: IPv6 ::/0 is equally dangerous — many teams forget to check it
  • Flag any SG with > 20 rules — complexity breeds misconfiguration
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Source: ClawHub · Chinese localization: 龙虾技能库