iblai-security-cloud-audit
Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.
Best use case
iblai-security-cloud-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.
Teams using iblai-security-cloud-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/iblai-security-cloud-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How iblai-security-cloud-audit Compares
| Feature / Agent | iblai-security-cloud-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# /iblai-security-cloud-audit Audit AWS, GCP, and Azure infrastructure for misconfigurations, excessive permissions, public exposure, and compliance gaps. Do NOT touch accounts or projects the user doesn't have access to. Do NOT exploit findings — produce remediation, not attacks. ## Step 0: Scope the Audit 1. Cloud provider(s) and account(s). 2. Regions in scope. 3. CLI access (`aws`, `gcloud`, `az`) or IaC files (Terraform, CloudFormation, Pulumi). ## Audit Categories ### Identity and Access Management **AWS:** ```bash aws iam get-account-summary aws iam list-users aws iam generate-credential-report && aws iam get-credential-report --output text --query Content | base64 -d ``` Check for: root account usage without MFA, access keys older than 90 days, unused credentials, wildcard permissions (`"Action": "*"`), overprivileged roles. **GCP:** ```bash gcloud projects get-iam-policy $PROJECT_ID gcloud iam service-accounts list ``` Check for: primitive roles (Owner/Editor) on too many principals, unused service accounts, service account keys instead of workload identity. **Azure:** ```bash az role assignment list --all az ad user list ``` Check for: excessive Owner/Contributor assignments, guest users with high privileges. **IaC review:** Grep Terraform/CloudFormation for `"Action": "*"`, `"Resource": "*"`, hardcoded secrets, overly broad trust policies. ### Network Security Flag: - Security groups or firewall rules allowing `0.0.0.0/0` ingress - Unrestricted SSH (port 22) or RDP (port 3389) from the internet - VPC flow logs disabled - Databases in public subnets - Missing network segmentation between tiers ### Storage **AWS S3:** ```bash aws s3api list-buckets aws s3api get-public-access-block --bucket <name> aws s3api get-bucket-policy --bucket <name> aws s3api get-bucket-encryption --bucket <name> ``` Check for: public buckets, missing encryption, no versioning, no lifecycle policies, overly permissive bucket policies. **GCP/Azure:** Equivalent checks for Cloud Storage and Blob Storage — look for `allUsers`/`allAuthenticatedUsers` access or anonymous blob access. ### Compute - IMDSv2 enforced? (AWS: `HttpTokens = required`) - Unencrypted EBS volumes or disks - Public IPs on instances that don't need them - Outdated AMIs or images (check patch age) - Privileged containers, missing security contexts in Kubernetes ### Logging and Monitoring - CloudTrail / Cloud Audit Logs / Activity Log enabled across all regions - Log storage: encrypted, immutable, adequate retention - GuardDuty / Security Command Center / Defender for Cloud enabled - Alerting configured for: root login, IAM changes, security group changes, large data transfers - VPC Flow Logs and DNS query logs enabled ### Secrets Management - Hardcoded secrets in source, environment variables, or IaC - Secrets Manager / Key Vault used for sensitive values - KMS key rotation configured ## Output Format ```markdown # Cloud Security Audit Report ## Account(s): [account ID(s)] ## Provider: [AWS/GCP/Azure] ## Regions: [audited regions] ## Date: [date] ### Summary - Total findings: X - Critical: X | High: X | Medium: X | Low: X ### Findings #### [SEVERITY] [Category]: [Title] **Resource:** [resource ARN/ID] **Region:** [region] **Issue:** [What the misconfiguration is] **Risk:** [What an attacker could do] **Evidence:** [CLI output or IaC snippet] **Remediation:** [Specific fix command or IaC change] --- ### Prioritized Action Plan 1. [Critical — immediate] 2. [High — this week] 3. [Medium — this month] 4. [Low — next quarter] ``` ## Boundaries - Audit only accounts or projects the user has access to. - Never reach into other accounts or tenants. - Every finding gets remediation. - Flag fixes that might impact availability (e.g., tightening a security group can break connectivity). - Surface any evidence of active compromise found during the audit. - Refuse requests to exploit found misconfigurations on others' infrastructure. ## References - CIS Benchmarks for AWS/GCP/Azure - AWS Well-Architected Security Pillar - ScoutSuite (multi-cloud auditing tool)