giuseppe-trisciuoglio/aws-cloudformation-security
plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-security/SKILL.md
Provides AWS CloudFormation patterns for security infrastructure including KMS encryption, Secrets Manager, IAM security, VPC security, ACM certificates, parameter security, outputs, and secure cross-stack references. Use when implementing security best practices, encrypting data, managing secrets, applying least privilege IAM policies, securing VPC configurations, managing TLS/SSL certificates, and implementing defense in depth strategies.
$ install --global
skillsauthnpx skillsauth add giuseppe-trisciuoglio/developer-kit aws-cloudformation-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 1:23 PM14.2s4 files scanned
SKILL.md
- name:
- aws-cloudformation-security
- description:
- Provides AWS CloudFormation patterns for security infrastructure including KMS encryption, Secrets Manager, IAM security, VPC security, ACM certificates, parameter security, outputs, and secure cross-stack references. Use when implementing security best practices, encrypting data, managing secrets, applying least privilege IAM policies, securing VPC configurations, managing TLS/SSL certificates, and implementing defense in depth strategies.
- allowed-tools:
- Read, Write, Bash
AWS CloudFormation Security Infrastructure
Overview
Create production-ready security infrastructure using AWS CloudFormation templates. This skill covers KMS encryption, Secrets Manager, IAM security with least privilege, VPC security configurations, ACM certificates, parameter security, secure outputs, cross-stack references, CloudWatch Logs encryption, defense in depth strategies, and security best practices.
When to Use
- Implementing KMS encryption at rest and in transit
- Managing secrets with Secrets Manager and automatic rotation
- Applying IAM least privilege policies and permission boundaries
- Securing VPC with security groups, NACLs, and VPC endpoints
- Managing TLS/SSL certificates with ACM
- Encrypting CloudWatch Logs and S3 buckets
- Creating secure cross-stack references and outputs
Instructions
Follow these steps to create security infrastructure with CloudFormation:
1. Define KMS Encryption Keys
Create customer-managed keys for encryption:
Resources:
EncryptionKey:
Type: AWS::KMS::Key
Properties:
Description: Customer-managed key for data encryption
KeyPolicy:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action:
- kms:Decrypt
- kms:GenerateDataKey
Resource: "*"
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action:
- kms:*
Resource: "*"
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: !Sub "${AWS::StackName}/encryption-key"
TargetKeyId: !Ref EncryptionKey
Validate: aws kms get-key-policy --key-id <key-id> --output text
2. Manage Secrets with Secrets Manager
Store and retrieve sensitive data securely:
Resources:
DatabaseSecret:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "${AWS::StackName}/database"
Description: Database credentials
SecretString: !Sub |
{
"username": "admin",
"password": "${DatabasePassword}",
"engine": "mysql",
"host": "${DatabaseEndpoint}",
"port": 3306
}
KmsKeyId: !Ref EncryptionKey
SecretRotationSchedule:
Type: AWS::SecretsManager::RotationSchedule
Properties:
SecretId: !Ref DatabaseSecret
RotationLambdaARN: !Ref RotationLambda.Arn
RotationRules:
AutomaticallyAfterDays: 30
Validate: aws secretsmanager describe-secret --secret-id <secret-name>
3. Apply IAM Least Privilege
Create roles and policies with minimal required permissions:
Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: SpecificPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource: !Sub "${DataBucket.Arn}/*"
Validate: aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject --resource-arns <bucket-arn>
4. Secure VPC Configuration
Implement network security with security groups and NACLs:
Resources:
ApplicationSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
ApplicationNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: !Ref VPC
NACLEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: !Ref ApplicationNACL
RuleNumber: 100
Protocol: "6"
RuleAction: allow
Egress: false
CidrBlock: 0.0.0.0/0
PortRange:
From: 443
To: 443
Validate: aws ec2 describe-security-groups --group-ids <sg-id> --query 'SecurityGroups[0].IpPermissions'
5. Request ACM Certificates
Manage TLS/SSL certificates for secure communication:
Resources:
Certificate:
Type: AWS::ACM::Certificate
Properties:
DomainName: !Ref DomainName
SubjectAlternativeNames:
- !Sub "www.${DomainName}"
- !Sub "api.${DomainName}"
DomainValidationOptions:
- DomainName: !Ref DomainName
ValidationDomain: !Ref DomainName
Tags:
- Key: Environment
Value: !Ref Environment
# DNS validation record
DnsValidationRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneName: !Ref HostedZone
Name: !Sub "_${DomainName}."
Type: CNAME
TTL: 300
ResourceRecords:
- !Ref Certificate
Validate: aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.Status'
6. Implement Secure Parameters
Use SecureString for sensitive parameter values:
Resources:
DatabasePasswordParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/${AWS::StackName}/database/password"
Type: SecureString
Value: !Ref DatabasePassword
Description: Database master password
KmsKeyId: !Ref EncryptionKey
# Reference in other resources
DatabaseInstance:
Type: AWS::RDS::DBInstance
Properties:
MasterUsername: admin
MasterUserPassword: !Ref DatabasePasswordParameter
Validate: aws ssm get-parameter --name <param-name> --with-decryption --query 'Parameter.Type'
7. Create Secure Outputs
Export only non-sensitive values from stacks:
Outputs:
# Safe to export
KMSKeyArn:
Description: KMS Key ARN for encryption
Value: !GetAtt EncryptionKey.Arn
Export:
Name: !Sub "${AWS::StackName}-KMSKeyArn"
SecretArn:
Description: Secret ARN (not the secret value)
Value: !Ref DatabaseSecret
Export:
Name: !Sub "${AWS::StackName}-SecretArn"
# DO NOT export sensitive data
# Incorrect:
# SecretValue:
# Value: !GetAtt DatabaseSecret.SecretString
Validate: aws cloudformation list-exports --query "Exports[?Name=='<stack-name>-KMSKeyArn']"
8. Encrypt CloudWatch Logs
Enable encryption for log groups:
Resources:
EncryptedLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub "/aws/applications/${ApplicationName}"
RetentionInDays: 30
KmsKeyId: !Ref EncryptionKey
Validate: aws logs describe-log-groups --log-group-name-prefix <prefix> --query 'logGroups[0].kmsKeyId'
Best Practices
- KMS: Use separate keys per data classification; enable annual key rotation; use customer-managed keys for compliance
- Secrets: Rotate automatically (30 days for databases); never store secrets in plain text; use IAM policies for access control
- IAM: Apply least privilege; use roles not access keys; enable MFA; implement permission boundaries
- Network: Prefer security groups over NACLs; use VPC endpoints; restrict by specific CIDR ranges
- Certificates: Use ACM for automatic renewal; DNS validation is faster than email
- Encryption: Encrypt at rest and in transit; TLS 1.2+ required; use SSE-KMS for S3
Examples
Complete KMS and Secrets Stack
Resources:
# KMS Key with proper policy
AppKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: kms:*
Resource: "*"
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action:
- kms:Decrypt
- kms:GenerateDataKey
Resource: "*"
# Secrets Manager with rotation
DbSecret:
Type: AWS::SecretsManager::Secret
Properties:
SecretString: !Sub '{"password":"${DbPassword}"}'
KmsKeyId: !Ref AppKey
RotationRules:
AutomaticallyAfterDays: 30
IAM Least Privilege Role
Resources:
LambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AccessPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action: s3:GetObject
Resource: !Sub "${Bucket.Arn}/*"
For comprehensive examples with VPC security groups, ACM certificates, and complete encrypted infrastructure stacks, see examples.md.
Constraints and Warnings
Resource Limits
- Security groups: max 60 inbound + 60 outbound rules
- NACLs: max 20 inbound + 20 outbound rules per subnet
- VPCs: max 5 per region (soft limit)
- Key rotation: annual for KMS customer-managed keys
Security Constraints
- NACLs are stateless: return traffic must be explicitly allowed
- Default security groups cannot be deleted
- Security group references cannot span VPC peering (use CIDR)
- Cross-account access requires both IAM and resource policies
Operational Warnings
- Secrets rotation requires Lambda function with proper IAM permissions
- KMS key deletion requires pending window (7-30 days)
- ACM certificates need DNS validation before issuance
- VPC CIDR blocks cannot overlap with peered VPCs
For detailed constraints including cost considerations and quota management, see constraints.md.
References
For detailed implementation guidance, see:
- examples.md - Complete KMS stacks, Secrets Manager with rotation, IAM least privilege roles, VPC security groups, ACM certificates, and encrypted infrastructure
- constraints.md - Resource limits, security constraints, operational constraints, network constraints, cost considerations, and access control constraints
Related Skills
giuseppe-trisciuoglio/typescript-security-review
development
VerifiedTrustedCommunity
Provides security review capability for TypeScript/Node.js applications, validates code against XSS, injection, CSRF, JWT/OAuth2 flaws, dependency CVEs, and secrets exposure. Use when performing security audits, before deployment, reviewing authentication/authorization implementations, or ensuring OWASP compliance for Express, NestJS, and Next.js. Triggers on "security review", "check for security issues", "TypeScript security audit".
270SKILL.mdUpdated Apr 5, 2026
giuseppe-trisciuoglio/specs-code-cleanup
development
VerifiedTrustedCommunity
Provides final code cleanup after task review approval. Removes debug logs, temporary comments, dead code, optimizes imports, and improves readability. Use when asked to clean up code, polish, finalize, tidy up, remove technical debt, or prepare code for completion after review. Not for refactoring logic or fixing bugs—focused solely on cosmetic and hygiene cleanup.
250SKILL.mdUpdated May 5, 2026
giuseppe-trisciuoglio/ralph-loop
tools
VerifiedTrustedCommunity
Ralph Wiggum-inspired automation loop for specification-driven development. Orchestrates task implementation, review, cleanup, and synchronization using a Python script. Use when: user runs /loop command, user asks to automate task implementation, user wants to iterate through spec tasks step-by-step, or user wants to run development workflow automation with context window management. One step per invocation. State machine: init → choose_task → implementation → review → fix → cleanup → sync → update_done. Supports --from-task and --to-task for task range filtering. State persisted in fix_plan.json.
250SKILL.mdUpdated May 5, 2026
giuseppe-trisciuoglio/constitution
testing
VerifiedTrustedCommunity
Creates, updates, validates, and displays the architectural DNA of a project through two shared documents: docs/specs/architecture.md (technology stack, architectural rules, security constraints, AI guardrails) and docs/specs/ontology.md (domain glossary / Ubiquitous Language). Use BEFORE brainstorm as a project setup step, or at any point in the SDD lifecycle to validate specs/tasks against architecture principles. Triggers on 'create constitution', 'update constitution', 'constitution check', 'validate against constitution', 'project principles', 'architectural guardrails', 'setup project architecture', 'define ontology'.
250SKILL.mdUpdated May 5, 2026