From 2bfd2fbbee215e9bce820637300a2a0666cd4078 Mon Sep 17 00:00:00 2001 From: Panger Lkr <73515951+pangerlkr@users.noreply.github.com> Date: Mon, 26 Jan 2026 05:15:24 +0530 Subject: [PATCH] feat: add cloud infrastructure security skill (#44) Adds cloud infrastructure security skill with AWS/Vercel/Railway patterns --- .../cloud-infrastructure-security.md | 361 ++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 skills/security-review/cloud-infrastructure-security.md diff --git a/skills/security-review/cloud-infrastructure-security.md b/skills/security-review/cloud-infrastructure-security.md new file mode 100644 index 0000000..24e9ec2 --- /dev/null +++ b/skills/security-review/cloud-infrastructure-security.md @@ -0,0 +1,361 @@ +| name | description | +|------|-------------| +| cloud-infrastructure-security | Use this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices. | + +# Cloud & Infrastructure Security Skill + +This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards. + +## When to Activate + +- Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare) +- Configuring IAM roles and permissions +- Setting up CI/CD pipelines +- Implementing infrastructure as code (Terraform, CloudFormation) +- Configuring logging and monitoring +- Managing secrets in cloud environments +- Setting up CDN and edge security +- Implementing disaster recovery and backup strategies + +## Cloud Security Checklist + +### 1. IAM & Access Control + +#### Principle of Least Privilege + +```yaml +# ✅ CORRECT: Minimal permissions +iam_role: + permissions: + - s3:GetObject # Only read access + - s3:ListBucket + resources: + - arn:aws:s3:::my-bucket/* # Specific bucket only + +# ❌ WRONG: Overly broad permissions +iam_role: + permissions: + - s3:* # All S3 actions + resources: + - "*" # All resources +``` + +#### Multi-Factor Authentication (MFA) + +```bash +# ALWAYS enable MFA for root/admin accounts +aws iam enable-mfa-device \ + --user-name admin \ + --serial-number arn:aws:iam::123456789:mfa/admin \ + --authentication-code1 123456 \ + --authentication-code2 789012 +``` + +#### Verification Steps + +- [ ] No root account usage in production +- [ ] MFA enabled for all privileged accounts +- [ ] Service accounts use roles, not long-lived credentials +- [ ] IAM policies follow least privilege +- [ ] Regular access reviews conducted +- [ ] Unused credentials rotated or removed + +### 2. Secrets Management + +#### Cloud Secrets Managers + +```typescript +// ✅ CORRECT: Use cloud secrets manager +import { SecretsManager } from '@aws-sdk/client-secrets-manager'; + +const client = new SecretsManager({ region: 'us-east-1' }); +const secret = await client.getSecretValue({ SecretId: 'prod/api-key' }); +const apiKey = JSON.parse(secret.SecretString).key; + +// ❌ WRONG: Hardcoded or in environment variables only +const apiKey = process.env.API_KEY; // Not rotated, not audited +``` + +#### Secrets Rotation + +```bash +# Set up automatic rotation for database credentials +aws secretsmanager rotate-secret \ + --secret-id prod/db-password \ + --rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \ + --rotation-rules AutomaticallyAfterDays=30 +``` + +#### Verification Steps + +- [ ] All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets) +- [ ] Automatic rotation enabled for database credentials +- [ ] API keys rotated at least quarterly +- [ ] No secrets in code, logs, or error messages +- [ ] Audit logging enabled for secret access + +### 3. Network Security + +#### VPC and Firewall Configuration + +```terraform +# ✅ CORRECT: Restricted security group +resource "aws_security_group" "app" { + name = "app-sg" + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["10.0.0.0/16"] # Internal VPC only + } + + egress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # Only HTTPS outbound + } +} + +# ❌ WRONG: Open to the internet +resource "aws_security_group" "bad" { + ingress { + from_port = 0 + to_port = 65535 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # All ports, all IPs! + } +} +``` + +#### Verification Steps + +- [ ] Database not publicly accessible +- [ ] SSH/RDP ports restricted to VPN/bastion only +- [ ] Security groups follow least privilege +- [ ] Network ACLs configured +- [ ] VPC flow logs enabled + +### 4. Logging & Monitoring + +#### CloudWatch/Logging Configuration + +```typescript +// ✅ CORRECT: Comprehensive logging +import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs'; + +const logSecurityEvent = async (event: SecurityEvent) => { + await cloudwatch.putLogEvents({ + logGroupName: '/aws/security/events', + logStreamName: 'authentication', + logEvents: [{ + timestamp: Date.now(), + message: JSON.stringify({ + type: event.type, + userId: event.userId, + ip: event.ip, + result: event.result, + // Never log sensitive data + }) + }] + }); +}; +``` + +#### Verification Steps + +- [ ] CloudWatch/logging enabled for all services +- [ ] Failed authentication attempts logged +- [ ] Admin actions audited +- [ ] Log retention configured (90+ days for compliance) +- [ ] Alerts configured for suspicious activity +- [ ] Logs centralized and tamper-proof + +### 5. CI/CD Pipeline Security + +#### Secure Pipeline Configuration + +```yaml +# ✅ CORRECT: Secure GitHub Actions workflow +name: Deploy + +on: + push: + branches: [main] + +jobs: + deploy: + runs-on: ubuntu-latest + permissions: + contents: read # Minimal permissions + + steps: + - uses: actions/checkout@v4 + + # Scan for secrets + - name: Secret scanning + uses: trufflesecurity/trufflehog@main + + # Dependency audit + - name: Audit dependencies + run: npm audit --audit-level=high + + # Use OIDC, not long-lived tokens + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole + aws-region: us-east-1 +``` + +#### Supply Chain Security + +```json +// package.json - Use lock files and integrity checks +{ + "scripts": { + "install": "npm ci", // Use ci for reproducible builds + "audit": "npm audit --audit-level=moderate", + "check": "npm outdated" + } +} +``` + +#### Verification Steps + +- [ ] OIDC used instead of long-lived credentials +- [ ] Secrets scanning in pipeline +- [ ] Dependency vulnerability scanning +- [ ] Container image scanning (if applicable) +- [ ] Branch protection rules enforced +- [ ] Code review required before merge +- [ ] Signed commits enforced + +### 6. Cloudflare & CDN Security + +#### Cloudflare Security Configuration + +```typescript +// ✅ CORRECT: Cloudflare Workers with security headers +export default { + async fetch(request: Request): Promise { + const response = await fetch(request); + + // Add security headers + const headers = new Headers(response.headers); + headers.set('X-Frame-Options', 'DENY'); + headers.set('X-Content-Type-Options', 'nosniff'); + headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); + headers.set('Permissions-Policy', 'geolocation=(), microphone=()'); + + return new Response(response.body, { + status: response.status, + headers + }); + } +}; +``` + +#### WAF Rules + +```bash +# Enable Cloudflare WAF managed rules +# - OWASP Core Ruleset +# - Cloudflare Managed Ruleset +# - Rate limiting rules +# - Bot protection +``` + +#### Verification Steps + +- [ ] WAF enabled with OWASP rules +- [ ] Rate limiting configured +- [ ] Bot protection active +- [ ] DDoS protection enabled +- [ ] Security headers configured +- [ ] SSL/TLS strict mode enabled + +### 7. Backup & Disaster Recovery + +#### Automated Backups + +```terraform +# ✅ CORRECT: Automated RDS backups +resource "aws_db_instance" "main" { + allocated_storage = 20 + engine = "postgres" + + backup_retention_period = 30 # 30 days retention + backup_window = "03:00-04:00" + maintenance_window = "mon:04:00-mon:05:00" + + enabled_cloudwatch_logs_exports = ["postgresql"] + + deletion_protection = true # Prevent accidental deletion +} +``` + +#### Verification Steps + +- [ ] Automated daily backups configured +- [ ] Backup retention meets compliance requirements +- [ ] Point-in-time recovery enabled +- [ ] Backup testing performed quarterly +- [ ] Disaster recovery plan documented +- [ ] RPO and RTO defined and tested + +## Pre-Deployment Cloud Security Checklist + +Before ANY production cloud deployment: + +- [ ] **IAM**: Root account not used, MFA enabled, least privilege policies +- [ ] **Secrets**: All secrets in cloud secrets manager with rotation +- [ ] **Network**: Security groups restricted, no public databases +- [ ] **Logging**: CloudWatch/logging enabled with retention +- [ ] **Monitoring**: Alerts configured for anomalies +- [ ] **CI/CD**: OIDC auth, secrets scanning, dependency audits +- [ ] **CDN/WAF**: Cloudflare WAF enabled with OWASP rules +- [ ] **Encryption**: Data encrypted at rest and in transit +- [ ] **Backups**: Automated backups with tested recovery +- [ ] **Compliance**: GDPR/HIPAA requirements met (if applicable) +- [ ] **Documentation**: Infrastructure documented, runbooks created +- [ ] **Incident Response**: Security incident plan in place + +## Common Cloud Security Misconfigurations + +### S3 Bucket Exposure + +```bash +# ❌ WRONG: Public bucket +aws s3api put-bucket-acl --bucket my-bucket --acl public-read + +# ✅ CORRECT: Private bucket with specific access +aws s3api put-bucket-acl --bucket my-bucket --acl private +aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json +``` + +### RDS Public Access + +```terraform +# ❌ WRONG +resource "aws_db_instance" "bad" { + publicly_accessible = true # NEVER do this! +} + +# ✅ CORRECT +resource "aws_db_instance" "good" { + publicly_accessible = false + vpc_security_group_ids = [aws_security_group.db.id] +} +``` + +## Resources + +- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/) +- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services) +- [Cloudflare Security Documentation](https://developers.cloudflare.com/security/) +- [OWASP Cloud Security](https://owasp.org/www-project-cloud-security/) +- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/) + +**Remember**: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.