pinkpixel-dev/implementing-cloud-vulnerability-posture-management
SKILLS/implementing-cloud-vulnerability-posture-management/SKILL.md
Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-cloud-vulnerability-posture-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 1:50 AM4.4s7 files scanned
SKILL.md
- name:
- implementing-cloud-vulnerability-posture-management
- description:
- Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
- domain:
- cybersecurity
- subdomain:
- vulnerability-management
- tags:
- [cspm, cloud-security, aws-security-hub, azure-defender, prowler, scoutsuite, misconfiguration, cnapp]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing Cloud Vulnerability Posture Management
Overview
Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.
When to Use
- When deploying or configuring implementing cloud vulnerability posture management capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- AWS CLI configured with SecurityAudit IAM policy
- Azure CLI with Security Reader role
- Python 3.9+ with
boto3,azure-identity,azure-mgmt-security - Prowler (https://github.com/prowler-cloud/prowler)
- ScoutSuite (https://github.com/nccgroup/ScoutSuite)
AWS Security Hub
Enable Security Hub
# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
--enable-default-standards \
--region us-east-1
# Enable specific standards
aws securityhub batch-enable-standards \
--standards-subscription-requests \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
'{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'
# Get findings summary
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
--max-items 10
Security Hub Standards
| Standard | Description | |----------|------------| | AWS Foundational Security Best Practices | AWS-recommended baseline controls | | CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements | | PCI DSS v3.2.1 | Payment card industry controls | | NIST SP 800-53 Rev 5 | Federal security controls |
Azure Defender for Cloud
Enable Defender CSPM
# Enable Defender for Cloud free tier
az security pricing create \
--name CloudPosture \
--tier standard
# Check secure score
az security secure-score list \
--query "[].{Name:displayName,Score:current,Max:max}" \
--output table
# Get security recommendations
az security assessment list \
--query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
--output table
# Get alerts
az security alert list \
--query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
--output table
Open-Source: Prowler
Installation and Execution
# Install Prowler
pip install prowler
# Run full AWS scan
prowler aws --output-formats json-ocsf,csv,html
# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet
# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf
# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws
# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws
# Scan Azure environment
prowler azure --subscription-ids "sub-id-here"
# Scan GCP environment
prowler gcp --project-ids "project-id-here"
Prowler Check Categories
| Category | Examples | |----------|---------| | IAM | Root MFA, password policy, access key rotation | | S3 | Public access, encryption, versioning | | EC2 | Security groups, EBS encryption, metadata service | | RDS | Public access, encryption, backup retention | | CloudTrail | Enabled, encrypted, log validation | | VPC | Flow logs, default SG restrictions | | Lambda | Public access, runtime versions | | EKS | Public endpoint, secrets encryption |
Open-Source: ScoutSuite
# Install ScoutSuite
pip install scoutsuite
# Run AWS assessment
scout aws --profile production
# Run Azure assessment
scout azure --cli
# Run GCP assessment
scout gcp --project-id my-project
# Results available as interactive HTML report
# Open scout-report/report.html in browser
Multi-Cloud Aggregation
import json
import subprocess
from datetime import datetime, timezone
def run_prowler_scan(provider, output_dir, compliance=None):
"""Run Prowler scan for a cloud provider."""
cmd = ["prowler", provider, "--output-formats", "json-ocsf",
"--output-directory", output_dir]
if compliance:
cmd.extend(["--compliance", compliance])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
return result.returncode == 0
def aggregate_findings(prowler_dirs):
"""Aggregate findings from multiple Prowler scans."""
all_findings = []
for scan_dir in prowler_dirs:
json_files = list(Path(scan_dir).glob("*.json"))
for jf in json_files:
with open(jf, "r") as f:
for line in f:
try:
finding = json.loads(line.strip())
all_findings.append(finding)
except json.JSONDecodeError:
continue
# Sort by severity
severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
all_findings.sort(key=lambda f: severity_order.get(
f.get("severity", "informational").lower(), 5
))
return all_findings
def generate_posture_report(findings, output_path):
"""Generate cloud security posture report."""
report = {
"generated_at": datetime.now(timezone.utc).isoformat(),
"total_findings": len(findings),
"by_severity": {},
"by_provider": {},
"by_service": {},
}
for f in findings:
sev = f.get("severity", "unknown")
provider = f.get("cloud_provider", "unknown")
service = f.get("service_name", "unknown")
report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
report["by_service"][service] = report["by_service"].get(service, 0) + 1
with open(output_path, "w") as f:
json.dump(report, f, indent=2)
return report
References
- AWS Security Hub
- Azure Defender for Cloud
- Prowler
- ScoutSuite
- CIS Benchmarks
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026