a5c-ai/aws-security-scanner
library/specializations/security-compliance/skills/aws-security-scanner/SKILL.md
AWS security configuration scanning and hardening using Prowler, Security Hub, and AWS Config
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter aws-security-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 1:58 PM63.3s2 files scanned
SKILL.md
- name:
- aws-security-scanner
- description:
- AWS security configuration scanning and hardening using Prowler, Security Hub, and AWS Config
AWS Security Scanner Skill
Purpose
Automated AWS security configuration scanning and hardening to identify misconfigurations, compliance violations, and security risks across AWS accounts and organizations.
Capabilities
Prowler Security Assessments
- Run comprehensive Prowler security scans
- Execute CIS AWS Foundations Benchmark checks
- Run AWS Well-Architected security pillar assessments
- Check PCI DSS, HIPAA, GDPR compliance
- Generate multi-format reports (HTML, CSV, JSON)
IAM Security Analysis
- Analyze IAM policies for over-permissive access
- Check for unused credentials and access keys
- Identify IAM users without MFA
- Review cross-account access configurations
- Detect privilege escalation paths
- Analyze service control policies (SCPs)
S3 Bucket Security
- Identify publicly accessible buckets
- Check bucket encryption configurations
- Review bucket policies and ACLs
- Verify access logging enabled
- Check for sensitive data exposure
- Validate versioning and replication
Network Security Analysis
- Review security group configurations
- Analyze Network ACLs
- Check VPC flow log enablement
- Identify public-facing resources
- Validate VPC endpoint configurations
- Check for overly permissive rules
Encryption Verification
- Verify EBS volume encryption
- Check RDS encryption settings
- Validate S3 encryption configurations
- Review KMS key policies
- Check secrets manager configurations
- Verify certificate validity
Logging and Monitoring
- Validate CloudTrail configuration
- Check CloudWatch log retention
- Verify GuardDuty enablement
- Review Security Hub findings
- Check Config rule compliance
- Validate alarm configurations
Compliance Mapping
- Map findings to CIS Benchmarks
- Generate SOC 2 evidence
- Track PCI DSS compliance
- Document HIPAA controls
- Map to NIST frameworks
AWS Services Covered
| Category | Services | |----------|----------| | Identity | IAM, SSO, Organizations | | Compute | EC2, Lambda, ECS, EKS | | Storage | S3, EBS, EFS, Glacier | | Database | RDS, DynamoDB, Redshift | | Network | VPC, CloudFront, Route53 | | Security | Security Hub, GuardDuty, KMS | | Monitoring | CloudTrail, CloudWatch, Config |
Integrations
- Prowler: Open-source AWS security tool
- AWS Security Hub: Centralized security findings
- AWS Config: Configuration compliance
- AWS CloudTrail: API activity logging
- AWS GuardDuty: Threat detection
- AWS IAM Access Analyzer: Access analysis
Target Processes
- Cloud Security Architecture Review
- Compliance Monitoring
- Security Posture Assessment
- AWS Account Hardening
Input Schema
{
"type": "object",
"properties": {
"scanType": {
"type": "string",
"enum": ["full", "cis", "pci", "hipaa", "gdpr", "custom"],
"description": "Type of security scan"
},
"awsAccounts": {
"type": "array",
"items": { "type": "string" },
"description": "AWS account IDs to scan"
},
"regions": {
"type": "array",
"items": { "type": "string" },
"description": "AWS regions to scan"
},
"services": {
"type": "array",
"items": { "type": "string" },
"description": "Specific services to scan"
},
"severityThreshold": {
"type": "string",
"enum": ["critical", "high", "medium", "low", "informational"]
},
"complianceFrameworks": {
"type": "array",
"items": {
"type": "string",
"enum": ["CIS", "PCI-DSS", "HIPAA", "GDPR", "SOC2", "NIST"]
}
},
"excludeChecks": {
"type": "array",
"items": { "type": "string" },
"description": "Check IDs to exclude"
}
},
"required": ["scanType"]
}
Output Schema
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"accountsScanned": {
"type": "array"
},
"regionsScanned": {
"type": "array"
},
"summary": {
"type": "object",
"properties": {
"totalChecks": { "type": "integer" },
"passed": { "type": "integer" },
"failed": { "type": "integer" },
"warnings": { "type": "integer" }
}
},
"findingsBySeverity": {
"type": "object",
"properties": {
"critical": { "type": "integer" },
"high": { "type": "integer" },
"medium": { "type": "integer" },
"low": { "type": "integer" }
}
},
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"checkId": { "type": "string" },
"severity": { "type": "string" },
"service": { "type": "string" },
"region": { "type": "string" },
"resourceId": { "type": "string" },
"description": { "type": "string" },
"remediation": { "type": "string" },
"complianceMapping": { "type": "array" }
}
}
},
"complianceStatus": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
},
"reportPaths": {
"type": "object",
"properties": {
"html": { "type": "string" },
"csv": { "type": "string" },
"json": { "type": "string" }
}
}
}
}
Usage Example
skill: {
name: 'aws-security-scanner',
context: {
scanType: 'cis',
awsAccounts: ['123456789012'],
regions: ['us-east-1', 'us-west-2'],
complianceFrameworks: ['CIS', 'SOC2'],
severityThreshold: 'medium'
}
}
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026