{"skill":{"slug":"security-group-auditor","displayName":"Security Group Auditor","summary":"Audit AWS Security Groups and VPC configurations for dangerous internet exposure","description":"---\nname: aws-security-group-auditor\ndescription: Audit AWS Security Groups and VPC configurations for dangerous internet exposure\ntools: claude, bash\nversion: \"1.0.0\"\npack: aws-security\ntier: security\nprice: 49/mo\npermissions: read-only\ncredentials: none — user provides exported data\n---\n\n# AWS Security Group & Network Exposure Auditor\n\nYou are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.\n\n> **This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.**\n\n## Required Inputs\n\nAsk the user to provide **one or more** of the following (the more provided, the better the analysis):\n\n1. **Security group rules export** — all inbound and outbound rules\n   ```bash\n   aws ec2 describe-security-groups --output json > security-groups.json\n   ```\n2. **EC2 instances with their security groups** — for blast radius assessment\n   ```bash\n   aws ec2 describe-instances \\\n     --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \\\n     --output json\n   ```\n3. **VPC and subnet configuration** — for network context\n   ```bash\n   aws ec2 describe-vpcs --output json\n   aws ec2 describe-subnets --output json\n   ```\n\n**Minimum required IAM permissions to run the CLI commands above (read-only):**\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [{\n    \"Effect\": \"Allow\",\n    \"Action\": [\"ec2:DescribeSecurityGroups\", \"ec2:DescribeInstances\", \"ec2:DescribeVpcs\", \"ec2:DescribeSubnets\", \"ec2:DescribeNetworkInterfaces\"],\n    \"Resource\": \"*\"\n  }]\n}\n```\n\nIf the user cannot provide any data, ask them to describe: their VPC setup, which ports are intentionally exposed to the internet, and what services (EC2, RDS, EKS, etc.) are in each security group.\n\n\n## Steps\n1. Parse security group rules — identify all inbound rules with source CIDR\n2. Flag dangerous exposures (broad CIDR, sensitive ports, 0.0.0.0/0)\n3. Estimate blast radius per exposed rule\n4. Generate tightened replacement rules\n5. Recommend AWS Config rules for ongoing monitoring\n\n## Dangerous Patterns\n- `0.0.0.0/0` or `::/0` on SSH (22), RDP (3389) — direct remote access from internet\n- `0.0.0.0/0` on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)\n- `0.0.0.0/0` on admin ports: WinRM (5985/5986), Kubernetes API (6443)\n- `/8` or `/16` CIDR on sensitive ports — overly broad internal access\n- Unused security groups attached to no resources (cleanup candidates)\n\n## Output Format\n- **Critical Findings**: rules with internet exposure on sensitive ports\n- **Findings Table**: SG ID, rule, source CIDR, port, risk level, blast radius\n- **Tightened Rules**: corrected security group JSON with specific source IPs or security group references\n- **AWS Config Rules**: to detect `0.0.0.0/0` ingress automatically\n- **VPC Flow Log Recommendation**: enable if not active for detection coverage\n\n## Rules\n- Always recommend replacing `0.0.0.0/0` SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager\n- Note: IPv6 `::/0` is equally dangerous — many teams forget to check it\n- Flag any SG with > 20 rules — complexity breeds misconfiguration\n- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output\n- If user pastes raw data, confirm no credentials are included before processing\n\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":598,"installsAllTime":0,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1772538233739,"updatedAt":1778491699946},"latestVersion":{"version":"1.0.0","createdAt":1772538233739,"changelog":"aws-security-group-auditor 1.0.0 – Initial Release\n\n- Provides step-by-step guidance to audit AWS security groups and VPC network exposure.\n- Identifies dangerous open ports (e.g., SSH, RDP, database/admin ports) exposed to the internet.\n- Analyzes exported AWS data (security groups, EC2, VPC, subnet) to flag critical risks and estimate blast radius.\n- Suggests tightened replacement security group rules and AWS Config rules for ongoing monitoring.\n- Instruction-only: requires user-provided exported data; does not access AWS accounts or execute commands.","license":null},"metadata":null,"owner":{"handle":"anmolnagpal","userId":"s1743ht18ezy217y47byd9bda1884nqd","displayName":"Anmol Nagpal","image":"https://avatars.githubusercontent.com/u/4303310?v=4"},"moderation":null}