技能 aws-compliance-checker
📦

aws-compliance-checker

低风险 ⚙️ 外部命令🌐 网络访问

根据行业标准检查 AWS 合规性

手动针对 CIS、PCI-DSS、HIPAA 和 SOC 2 标准审计 AWS 环境既耗时又容易出错。AWS 合规性检查器技能通过运行 AWS API 检查并生成详细的合规报告来自动化合规性验证。

支持: Claude Codex Code(CC)
⚠️ 63
1

下载技能 ZIP

2

在 Claude 中上传

前往 设置 → 功能 → 技能 → 上传技能

3

开启并开始使用

测试它

正在使用“aws-compliance-checker”。 Run CIS AWS Foundations compliance check

预期结果:

CIS IAM Compliance Checks
1.1: Root password last used: 2024-01-15T10:30:00Z
1.2: Root MFA enabled: true
1.3: Checking for unused credentials (>90 days)...
⚠️ user-1: Key AKIAIOSFODNN7EXAMPLE is 120 days old
1.4: Checking access key age...
⚠️ admin-user: Key AKIAJZ7EXAMPLE is 95 days old
1.5-1.11: Checking password policy...
✓ Password policy exists

CIS Logging Compliance Checks
2.1: Checking CloudTrail...
Trail: main-trail
Multi-region: true
Log validation: true
Is logging: true
2.3: Checking CloudTrail S3 bucket access...
✓ my-cloudtrail-bucket: Not public

Score: 85%

正在使用“aws-compliance-checker”。 Check security groups for public access

预期结果:

Security Group Audit Results:
⚠️ sg-0123456789abcdef0: web-server allows SSH from 0.0.0.0/0
⚠️ sg-0abcdef1234567890: database allows RDP from 0.0.0.0/0
✓ default: No overly permissive rules
✓ sg-0fedcba9876543210: api-server restricted to specific CIDR

Summary: 2 security groups with public access issues found

安全审计

低风险
v1 • 2/24/2026

Static analysis flagged 83 potential issues but manual review confirms all are false positives. External commands are legitimate AWS CLI invocations for compliance checks. Network patterns are standard CIDR notation (0.0.0.0/0) for security group auditing and legitimate documentation URLs. C2 keywords and weak crypto flags are triggered by normal security compliance terminology. This is a defensive security tool for AWS compliance auditing.

1
已扫描文件
517
分析行数
7
发现项
1
审计总数

高风险问题 (3)

SKILL.md:48-117SKILL.md:117-121SKILL.md:121-151SKILL.md:151-218SKILL.md:218-222SKILL.md:222-267SKILL.md:267-271SKILL.md:271-303SKILL.md:303-307SKILL.md:307-370SKILL.md:370-374SKILL.md:374-399SKILL.md:399-406SKILL.md:406-416SKILL.md:416-420SKILL.md:420-486SKILL.md:486-507SKILL.md:507-510
External Command Execution (False Positive)
42 instances of shell command execution flagged by static analyzer. All are legitimate AWS CLI commands used for compliance auditing. The skill provides example bash scripts that use 'aws' CLI to check IAM, CloudTrail, Security Groups, etc. This is expected functionality for a compliance checking tool.
SKILL.md:207SKILL.md:209SKILL.md:279SKILL.md:288SKILL.md:297SKILL.md:316SKILL.md:323SKILL.md:334SKILL.md:398
C2 Keywords Flag (False Positive)
Static analyzer flagged 'C2 keywords' at multiple lines. Manual review shows these are normal security compliance terms like 'check', 'command', 'control', 'console' used in legitimate compliance checking context.
SKILL.md:3SKILL.md:129-131SKILL.md:150SKILL.md:159SKILL.md:173SKILL.md:186-187SKILL.md:207-209SKILL.md:246-248SKILL.md:255-257SKILL.md:279SKILL.md:288SKILL.md:297SKILL.md:323SKILL.md:334SKILL.md:352SKILL.md:388SKILL.md:398SKILL.md:405
Weak Cryptographic Algorithm Flag (False Positive)
Static analyzer flagged 'weak cryptographic algorithm' at multiple lines. Manual review shows these are recommendations for strong encryption (TLS 1.2+, proper encryption) in compliance checks.
中风险问题 (2)
SKILL.md:514SKILL.md:515SKILL.md:516
Network URL References
Hardcoded URLs at lines 514-516 point to CIS, AWS Security Hub, and AWS Compliance documentation. These are legitimate reference links, not malicious network activity.
SKILL.md:277SKILL.md:283SKILL.md:284SKILL.md:286SKILL.md:292SKILL.md:293SKILL.md:327
CIDR Notation in Security Group Checks
Lines 277-293 contain 0.0.0.0/0 CIDR notation used to detect overly permissive security groups. This is standard compliance checking practice, not actual hardcoded IPs.

风险因素

⚙️ 外部命令 (42)
SKILL.md:48-117 SKILL.md:117-121 SKILL.md:121-151 SKILL.md:151-218 SKILL.md:218-222 SKILL.md:222-267 SKILL.md:267-271 SKILL.md:271-303 SKILL.md:303-307 SKILL.md:307-370 SKILL.md:370-374 SKILL.md:374-399 SKILL.md:399-406 SKILL.md:406-416 SKILL.md:416-420 SKILL.md:420-486 SKILL.md:486-507 SKILL.md:507-510 SKILL.md:56-57 SKILL.md:62-63 SKILL.md:88 SKILL.md:88 SKILL.md:97 SKILL.md:129-131 SKILL.md:142-143 SKILL.md:162-163 SKILL.md:186-187 SKILL.md:199 SKILL.md:209-211 SKILL.md:246-248 SKILL.md:255-257 SKILL.md:388 SKILL.md:48-117 SKILL.md:121-151 SKILL.md:151-218 SKILL.md:222-267 SKILL.md:374-399 SKILL.md:49 SKILL.md:122 SKILL.md:223 SKILL.md:272 SKILL.md:375
🌐 网络访问 (10)
SKILL.md:514 SKILL.md:515 SKILL.md:516 SKILL.md:277 SKILL.md:283 SKILL.md:284 SKILL.md:286 SKILL.md:292 SKILL.md:293 SKILL.md:327
审计者: claude

质量评分

38
架构
100
可维护性
85
内容
50
社区
50
安全
78
规范符合性

你能构建什么

审计前合规性验证

在外部审计之前运行全面合规性检查,主动识别和修复问题。

持续合规性监控

集成到 CI/CD 管道或计划任务中,以维护持续的合规态势。

多框架合规性报告

在单次运行中生成涵盖 CIS、PCI-DSS、HIPAA 和 SOC 2 的统一报告。

试试这些提示

运行 CIS 基准检查 
运行 CIS AWS 基础合规性检查
生成 PCI-DSS 报告 
为我的 AWS 环境生成 PCI-DSS 合规性报告
检查 HIPAA 合规性 
检查我的 AWS 账户的 HIPAA 合规性,重点关注加密和访问控制
审计安全组 
审计我的 AWS 账户中的所有安全组,找出过于宽松的规则并生成报告

最佳实践

  • 定期运行合规性检查(每周或每月),及早发现配置漂移
  • 使用 AWS Organizations 在组织中的所有账户运行检查
  • 为任何失败的检查记录例外情况和修复计划
  • 集成 AWS Security Hub 以获取集中式合规性仪表板

避免

  • 仅在审计前运行一次检查,而不是持续监控
  • 忽略关于未使用凭证或过于宽松访问权限的警告
  • 仅依赖自动化检查而不进行手动安全审查
  • 不维护审计跟踪的证据文档

常见问题

运行这些检查需要哪些 AWS 权限?
该技能需要对 IAM、EC2、CloudTrail、CloudWatch、S3 和 AWS Config 的只读访问权限。使用 IAM 只读策略或 AWS 托管的 SecurityAudit 策略。
此技能是否自动修复合规性问题?
不,此技能仅检测和报告合规性问题。修复需要手动操作或单独的自动化脚本。
支持哪些合规性框架?
目前支持 CIS AWS 基础基准、PCI-DSS、HIPAA 和 SOC 2。每个框架都有代表性检查,涵盖关键要求。
合规性检查应该多久运行一次?
是的,您可以使用 AWS Organizations 跨账户角色或在每个账户中单独运行检查并汇总结果。
如果 AWS API 调用在检查期间失败会发生什么?
最佳实践是至少每周运行一次检查,对于生产环境通过 AWS Config Rules 进行持续监控。

开发者详情

作者

sickn33

许可证

MIT

仓库

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/security/aws-compliance-checker

引用

main

文件结构

📄 SKILL.md