iblai-security-cloud-audit

Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.

12 stars

Best use case

iblai-security-cloud-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.

Teams using iblai-security-cloud-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/iblai-security-cloud-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/iblai/vibe/main/skills/iblai-security-cloud-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/iblai-security-cloud-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How iblai-security-cloud-audit Compares

Feature / Agentiblai-security-cloud-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# /iblai-security-cloud-audit

Audit AWS, GCP, and Azure infrastructure for misconfigurations,
excessive permissions, public exposure, and compliance gaps.

Do NOT touch accounts or projects the user doesn't have access to. Do
NOT exploit findings — produce remediation, not attacks.

## Step 0: Scope the Audit

1. Cloud provider(s) and account(s).
2. Regions in scope.
3. CLI access (`aws`, `gcloud`, `az`) or IaC files (Terraform, CloudFormation, Pulumi).

## Audit Categories

### Identity and Access Management

**AWS:**

```bash
aws iam get-account-summary
aws iam list-users
aws iam generate-credential-report && aws iam get-credential-report --output text --query Content | base64 -d
```

Check for: root account usage without MFA, access keys older than 90 days, unused credentials, wildcard permissions (`"Action": "*"`), overprivileged roles.

**GCP:**

```bash
gcloud projects get-iam-policy $PROJECT_ID
gcloud iam service-accounts list
```

Check for: primitive roles (Owner/Editor) on too many principals, unused service accounts, service account keys instead of workload identity.

**Azure:**

```bash
az role assignment list --all
az ad user list
```

Check for: excessive Owner/Contributor assignments, guest users with high privileges.

**IaC review:** Grep Terraform/CloudFormation for `"Action": "*"`, `"Resource": "*"`, hardcoded secrets, overly broad trust policies.

### Network Security

Flag:

- Security groups or firewall rules allowing `0.0.0.0/0` ingress
- Unrestricted SSH (port 22) or RDP (port 3389) from the internet
- VPC flow logs disabled
- Databases in public subnets
- Missing network segmentation between tiers

### Storage

**AWS S3:**

```bash
aws s3api list-buckets
aws s3api get-public-access-block --bucket <name>
aws s3api get-bucket-policy --bucket <name>
aws s3api get-bucket-encryption --bucket <name>
```

Check for: public buckets, missing encryption, no versioning, no lifecycle policies, overly permissive bucket policies.

**GCP/Azure:** Equivalent checks for Cloud Storage and Blob Storage — look for `allUsers`/`allAuthenticatedUsers` access or anonymous blob access.

### Compute

- IMDSv2 enforced? (AWS: `HttpTokens = required`)
- Unencrypted EBS volumes or disks
- Public IPs on instances that don't need them
- Outdated AMIs or images (check patch age)
- Privileged containers, missing security contexts in Kubernetes

### Logging and Monitoring

- CloudTrail / Cloud Audit Logs / Activity Log enabled across all regions
- Log storage: encrypted, immutable, adequate retention
- GuardDuty / Security Command Center / Defender for Cloud enabled
- Alerting configured for: root login, IAM changes, security group changes, large data transfers
- VPC Flow Logs and DNS query logs enabled

### Secrets Management

- Hardcoded secrets in source, environment variables, or IaC
- Secrets Manager / Key Vault used for sensitive values
- KMS key rotation configured

## Output Format

```markdown
# Cloud Security Audit Report
## Account(s): [account ID(s)]
## Provider: [AWS/GCP/Azure]
## Regions: [audited regions]
## Date: [date]

### Summary
- Total findings: X
- Critical: X | High: X | Medium: X | Low: X

### Findings

#### [SEVERITY] [Category]: [Title]
**Resource:** [resource ARN/ID]
**Region:** [region]

**Issue:** [What the misconfiguration is]

**Risk:** [What an attacker could do]

**Evidence:** [CLI output or IaC snippet]

**Remediation:** [Specific fix command or IaC change]

---

### Prioritized Action Plan
1. [Critical — immediate]
2. [High — this week]
3. [Medium — this month]
4. [Low — next quarter]
```

## Boundaries

- Audit only accounts or projects the user has access to.
- Never reach into other accounts or tenants.
- Every finding gets remediation.
- Flag fixes that might impact availability (e.g., tightening a security group can break connectivity).
- Surface any evidence of active compromise found during the audit.
- Refuse requests to exploit found misconfigurations on others' infrastructure.

## References

- CIS Benchmarks for AWS/GCP/Azure
- AWS Well-Architected Security Pillar
- ScoutSuite (multi-cloud auditing tool)

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.