admin/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-02-17 19:53:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bc0520c6c19b1cb96127754eeb3dfebfb1db2264
everything-claude-code/skills/security-review/cloud-infrastructure-security.md
Panger Lkr 2bfd2fbbee feat: add cloud infrastructure security skill (#44) 
Adds cloud infrastructure security skill with AWS/Vercel/Railway patterns
2026-01-25 15:45:24 -08:00

10 KiB
Raw Blame History

name description
cloud-infrastructure-security Use this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices.

Cloud & Infrastructure Security Skill

This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards.

When to Activate

  • Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare)
  • Configuring IAM roles and permissions
  • Setting up CI/CD pipelines
  • Implementing infrastructure as code (Terraform, CloudFormation)
  • Configuring logging and monitoring
  • Managing secrets in cloud environments
  • Setting up CDN and edge security
  • Implementing disaster recovery and backup strategies

Cloud Security Checklist

1. IAM & Access Control

Principle of Least Privilege

# ✅ CORRECT: Minimal permissions
iam_role:
  permissions:
    - s3:GetObject  # Only read access
    - s3:ListBucket
  resources:
    - arn:aws:s3:::my-bucket/*  # Specific bucket only

# ❌ WRONG: Overly broad permissions
iam_role:
  permissions:
    - s3:*  # All S3 actions
  resources:
    - "*"  # All resources

Multi-Factor Authentication (MFA)

# ALWAYS enable MFA for root/admin accounts
aws iam enable-mfa-device \
  --user-name admin \
  --serial-number arn:aws:iam::123456789:mfa/admin \
  --authentication-code1 123456 \
  --authentication-code2 789012

Verification Steps

  • No root account usage in production
  • MFA enabled for all privileged accounts
  • Service accounts use roles, not long-lived credentials
  • IAM policies follow least privilege
  • Regular access reviews conducted
  • Unused credentials rotated or removed

2. Secrets Management

Cloud Secrets Managers

// ✅ CORRECT: Use cloud secrets manager
import { SecretsManager } from '@aws-sdk/client-secrets-manager';

const client = new SecretsManager({ region: 'us-east-1' });
const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
const apiKey = JSON.parse(secret.SecretString).key;

// ❌ WRONG: Hardcoded or in environment variables only
const apiKey = process.env.API_KEY; // Not rotated, not audited

Secrets Rotation

# Set up automatic rotation for database credentials
aws secretsmanager rotate-secret \
  --secret-id prod/db-password \
  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \
  --rotation-rules AutomaticallyAfterDays=30

Verification Steps

  • All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets)
  • Automatic rotation enabled for database credentials
  • API keys rotated at least quarterly
  • No secrets in code, logs, or error messages
  • Audit logging enabled for secret access

3. Network Security

VPC and Firewall Configuration

# ✅ CORRECT: Restricted security group
resource "aws_security_group" "app" {
  name = "app-sg"
  
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]  # Internal VPC only
  }
  
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # Only HTTPS outbound
  }
}

# ❌ WRONG: Open to the internet
resource "aws_security_group" "bad" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # All ports, all IPs!
  }
}

Verification Steps

  • Database not publicly accessible
  • SSH/RDP ports restricted to VPN/bastion only
  • Security groups follow least privilege
  • Network ACLs configured
  • VPC flow logs enabled

4. Logging & Monitoring

CloudWatch/Logging Configuration

// ✅ CORRECT: Comprehensive logging
import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';

const logSecurityEvent = async (event: SecurityEvent) => {
  await cloudwatch.putLogEvents({
    logGroupName: '/aws/security/events',
    logStreamName: 'authentication',
    logEvents: [{
      timestamp: Date.now(),
      message: JSON.stringify({
        type: event.type,
        userId: event.userId,
        ip: event.ip,
        result: event.result,
        // Never log sensitive data
      })
    }]
  });
};

Verification Steps

  • CloudWatch/logging enabled for all services
  • Failed authentication attempts logged
  • Admin actions audited
  • Log retention configured (90+ days for compliance)
  • Alerts configured for suspicious activity
  • Logs centralized and tamper-proof

5. CI/CD Pipeline Security

Secure Pipeline Configuration

# ✅ CORRECT: Secure GitHub Actions workflow
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Minimal permissions
      
    steps:
      - uses: actions/checkout@v4
      
      # Scan for secrets
      - name: Secret scanning
        uses: trufflesecurity/trufflehog@main
        
      # Dependency audit
      - name: Audit dependencies
        run: npm audit --audit-level=high
        
      # Use OIDC, not long-lived tokens
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
          aws-region: us-east-1

Supply Chain Security

// package.json - Use lock files and integrity checks
{
  "scripts": {
    "install": "npm ci",  // Use ci for reproducible builds
    "audit": "npm audit --audit-level=moderate",
    "check": "npm outdated"
  }
}

Verification Steps

  • OIDC used instead of long-lived credentials
  • Secrets scanning in pipeline
  • Dependency vulnerability scanning
  • Container image scanning (if applicable)
  • Branch protection rules enforced
  • Code review required before merge
  • Signed commits enforced

6. Cloudflare & CDN Security

Cloudflare Security Configuration

// ✅ CORRECT: Cloudflare Workers with security headers
export default {
  async fetch(request: Request): Promise<Response> {
    const response = await fetch(request);
    
    // Add security headers
    const headers = new Headers(response.headers);
    headers.set('X-Frame-Options', 'DENY');
    headers.set('X-Content-Type-Options', 'nosniff');
    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    headers.set('Permissions-Policy', 'geolocation=(), microphone=()');
    
    return new Response(response.body, {
      status: response.status,
      headers
    });
  }
};

WAF Rules

# Enable Cloudflare WAF managed rules
# - OWASP Core Ruleset
# - Cloudflare Managed Ruleset
# - Rate limiting rules
# - Bot protection

Verification Steps

  • WAF enabled with OWASP rules
  • Rate limiting configured
  • Bot protection active
  • DDoS protection enabled
  • Security headers configured
  • SSL/TLS strict mode enabled

7. Backup & Disaster Recovery

Automated Backups

# ✅ CORRECT: Automated RDS backups
resource "aws_db_instance" "main" {
  allocated_storage     = 20
  engine               = "postgres"
  
  backup_retention_period = 30  # 30 days retention
  backup_window          = "03:00-04:00"
  maintenance_window     = "mon:04:00-mon:05:00"
  
  enabled_cloudwatch_logs_exports = ["postgresql"]
  
  deletion_protection = true  # Prevent accidental deletion
}

Verification Steps

  • Automated daily backups configured
  • Backup retention meets compliance requirements
  • Point-in-time recovery enabled
  • Backup testing performed quarterly
  • Disaster recovery plan documented
  • RPO and RTO defined and tested

Pre-Deployment Cloud Security Checklist

Before ANY production cloud deployment:

  • IAM: Root account not used, MFA enabled, least privilege policies
  • Secrets: All secrets in cloud secrets manager with rotation
  • Network: Security groups restricted, no public databases
  • Logging: CloudWatch/logging enabled with retention
  • Monitoring: Alerts configured for anomalies
  • CI/CD: OIDC auth, secrets scanning, dependency audits
  • CDN/WAF: Cloudflare WAF enabled with OWASP rules
  • Encryption: Data encrypted at rest and in transit
  • Backups: Automated backups with tested recovery
  • Compliance: GDPR/HIPAA requirements met (if applicable)
  • Documentation: Infrastructure documented, runbooks created
  • Incident Response: Security incident plan in place

Common Cloud Security Misconfigurations

S3 Bucket Exposure

# ❌ WRONG: Public bucket
aws s3api put-bucket-acl --bucket my-bucket --acl public-read

# ✅ CORRECT: Private bucket with specific access
aws s3api put-bucket-acl --bucket my-bucket --acl private
aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json

RDS Public Access

# ❌ WRONG
resource "aws_db_instance" "bad" {
  publicly_accessible = true  # NEVER do this!
}

# ✅ CORRECT
resource "aws_db_instance" "good" {
  publicly_accessible = false
  vpc_security_group_ids = [aws_security_group.db.id]
}

Resources

Remember: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.

Reference in New Issue View Git Blame Copy Permalink