
aws-compliance-checker

Low risk · External commands · Network access

Check AWS Compliance Against Industry Standards

Manually auditing AWS environments against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks is time-consuming and error-prone. The AWS Compliance Checker skill automates compliance validation by running AWS API checks and generating detailed compliance reports.

Supports: Claude Codex Code (CC)
⚠️ 63 Poor
1. Download the skill ZIP
2. Upload it in Claude: go to Settings → Capabilities → Skills → Upload skill
3. Activate it and start using it

Try it

Using "aws-compliance-checker". Run CIS AWS Foundations compliance check

Expected result:

CIS IAM Compliance Checks
1.1: Root password last used: 2024-01-15T10:30:00Z
1.2: Root MFA enabled: true
1.3: Checking for unused credentials (>90 days)...
⚠️ user-1: Key AKIAIOSFODNN7EXAMPLE is 120 days old
1.4: Checking access key age...
⚠️ admin-user: Key AKIAJZ7EXAMPLE is 95 days old
1.5-1.11: Checking password policy...
✓ Password policy exists

CIS Logging Compliance Checks
2.1: Checking CloudTrail...
Trail: main-trail
Multi-region: true
Log validation: true
Is logging: true
2.3: Checking CloudTrail S3 bucket access...
✓ my-cloudtrail-bucket: Not public

Score: 85%

Using "aws-compliance-checker". Check security groups for public access

Expected result:

Security Group Audit Results:
⚠️ sg-0123456789abcdef0: web-server allows SSH from 0.0.0.0/0
⚠️ sg-0abcdef1234567890: database allows RDP from 0.0.0.0/0
✓ default: No overly permissive rules
✓ sg-0fedcba9876543210: api-server restricted to specific CIDR

Summary: 2 security groups with public access issues found

Security audit

Low risk
v1 • 2/24/2026

Static analysis flagged 83 potential issues but manual review confirms all are false positives. External commands are legitimate AWS CLI invocations for compliance checks. Network patterns are standard CIDR notation (0.0.0.0/0) for security group auditing and legitimate documentation URLs. C2 keywords and weak crypto flags are triggered by normal security compliance terminology. This is a defensive security tool for AWS compliance auditing.

1 file scanned · 517 lines analyzed · 7 findings · 1 total audit

High-risk issues (3)

External Command Execution (False Positive)
42 instances of shell command execution were flagged by the static analyzer. All are legitimate AWS CLI commands used for compliance auditing. The skill provides example bash scripts that use the 'aws' CLI to check IAM, CloudTrail, Security Groups, etc. This is expected functionality for a compliance checking tool.
C2 Keywords Flag (False Positive)
The static analyzer flagged 'C2 keywords' at multiple lines. Manual review shows these are normal security compliance terms like 'check', 'command', 'control', and 'console' used in a legitimate compliance checking context.
Weak Cryptographic Algorithm Flag (False Positive)
The static analyzer flagged 'weak cryptographic algorithm' at multiple lines. Manual review shows these are recommendations for strong encryption (TLS 1.2+, proper encryption) in compliance checks.
Medium-risk issues (2)
Network URL References
Hardcoded URLs at lines 514-516 point to CIS, AWS Security Hub, and AWS Compliance documentation. These are legitimate reference links, not malicious network activity.
CIDR Notation in Security Group Checks
Lines 277-293 contain 0.0.0.0/0 CIDR notation used to detect overly permissive security groups. This is standard compliance checking practice, not actual hardcoded IPs.
Audited by: claude

Quality score

  • Architecture: 38
  • Maintainability: 100
  • Content: 85
  • Community: 50
  • Security: 50
  • Specification compliance: 78

What you can build

Pre-Audit Compliance Validation

Run full compliance checks before external audits to identify and fix issues proactively.

Continuous Compliance Monitoring

Integrate into CI/CD pipelines or scheduled jobs to maintain ongoing compliance posture.

Multi-Framework Compliance Reporting

Generate unified reports covering CIS, PCI-DSS, HIPAA, and SOC 2 in a single run.

Try these prompts

  • Run CIS Benchmark Check: Run CIS AWS Foundations compliance check on my AWS account
  • Generate PCI-DSS Report: Generate a PCI-DSS compliance report for my AWS environment
  • Check HIPAA Compliance: Check HIPAA compliance for my AWS account, focusing on encryption and access controls
  • Audit Security Groups: Audit all security groups in my AWS account for overly permissive rules and generate a report

Best practices

  • Run compliance checks regularly (weekly or monthly) to catch configuration drift early
  • Use AWS Organizations to run checks across all accounts in your organization
  • Document exceptions and remediation plans for any failed checks
  • Integrate with AWS Security Hub for centralized compliance dashboards

Avoid

  • Running checks only once before audits instead of continuously monitoring
  • Ignoring warnings about unused credentials or overly permissive access
  • Relying solely on automated checks without manual security reviews
  • Not maintaining evidence documentation for audit trails

Frequently asked questions

What AWS permissions are needed to run these checks?
The skill requires read-only access to IAM, EC2, CloudTrail, CloudWatch, S3, and AWS Config. Use IAM read-only policies or the SecurityAudit AWS managed policy.
Does this skill automatically fix compliance issues?
No, this skill only detects and reports compliance issues. Remediation requires manual action or separate automation scripts.
Which compliance frameworks are supported?
Currently supports CIS AWS Foundations Benchmark, PCI-DSS, HIPAA, and SOC 2. Each framework has representative checks covering key requirements.
Can I run checks across multiple AWS accounts?
Yes, you can use AWS Organizations with cross-account roles or run the checks separately in each account and aggregate results.
How often should compliance checks be run?
Best practice is to run checks at least weekly, with continuous monitoring via AWS Config Rules for production environments.
What happens if AWS API calls fail during a check?
The check will report partial results with error messages indicating which checks could not complete due to permission issues or service unavailability.

Developer details

File structure

SKILL.md