Cloud Security Posture

🔥 Vibe Prompt

"Set up AWS Security Hub, Config rules, and custom posture management."

AWS Security Hub

resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/pci-dss/v/3.2.1"
}

AWS Config Rules

resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ec2-ebs-encryption-enabled"
  
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

resource "aws_config_config_rule" "mfa_enabled" {
  name = "iam-user-mfa-enabled"
  
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}

Custom Config Rule (Lambda)

import json
import boto3


def lambda_handler(event, context):
    config = boto3.client('config')
    
    invoking_event = json.loads(event['invokingEvent'])
    config_item = invoking_event['configurationItem']
    
    resource_type = config_item['resourceType']
    resource_id = config_item['resourceId']
    # Config sends configuration=None for a deleted resource; treat it as having no rules
    configuration = config_item.get('configuration') or {}
    # put_evaluations requires OrderingTimestamp; the item's capture time is the usual value
    ordering_timestamp = config_item['configurationItemCaptureTime']
    
    # Check: Security group should not allow SSH from 0.0.0.0/0
    if resource_type == 'AWS::EC2::SecurityGroup':
        for permission in configuration.get('ipPermissions', []):
            # A rule reaches port 22 if it is all-traffic ("-1") or a tcp rule whose
            # [fromPort, toPort] range includes 22; testing fromPort == 22 alone
            # would miss a 0-1024 rule
            from_port = permission.get('fromPort')
            to_port = permission.get('toPort')
            reaches_ssh = permission.get('ipProtocol') == '-1' or (
                permission.get('ipProtocol') == 'tcp'
                and from_port is not None and to_port is not None
                and from_port <= 22 <= to_port
            )
            if not reaches_ssh:
                continue
            for ip_range in permission.get('ipRanges', []):  # 'range' would shadow the builtin
                if ip_range.get('cidrIp') == '0.0.0.0/0':
                    # Non-compliant!
                    config.put_evaluations(
                        Evaluations=[{
                            'ComplianceResourceType': resource_type,
                            'ComplianceResourceId': resource_id,
                            'ComplianceType': 'NON_COMPLIANT',
                            'Annotation': 'SSH open to world (0.0.0.0/0)',
                            'OrderingTimestamp': ordering_timestamp
                        }],
                        ResultToken=event['resultToken']
                    )
                    return
    
    # Default: compliant
    config.put_evaluations(
        Evaluations=[{
            'ComplianceResourceType': resource_type,
            'ComplianceResourceId': resource_id,
            'ComplianceType': 'COMPLIANT',
            'OrderingTimestamp': ordering_timestamp
        }],
        ResultToken=event['resultToken']
    )
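The same security-group check, factored into a pure function and run offline against constructed configuration items, as an added example that is not part of the course's code. It goes further than the handler above by also treating all-traffic (`-1`) rules, tcp port ranges that span 22 and the IPv6 wildcard `::/0` as world-open. The configuration-item shape follows what AWS Config records for `AWS::EC2::SecurityGroup`; the sample items, resource ids and timestamps are constructed placeholders.

```python
# Added example, not the course's own code: the custom rule's security-group check
# as a pure, offline-testable function. Input shape follows what AWS Config records
# for AWS::EC2::SecurityGroup (camelCase keys; ipProtocol "-1" means all traffic).
# All sample items below are constructed, not captured from an account.
from datetime import datetime, timezone

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def reaches_port(permission, port):
    """True if one ipPermissions entry admits `port`: all-traffic rules carry no
    port range, otherwise only tcp rules whose [fromPort, toPort] includes it
    (checking fromPort == 22 alone would miss a 0-1024 rule)."""
    proto = permission.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def world_open_cidrs(permission):
    """World-open CIDRs on one entry, IPv6 (::/0) as well as IPv4 (0.0.0.0/0)."""
    cidrs = [r["cidrIp"] for r in permission.get("ipRanges", []) if r.get("cidrIp") == ANY_IPV4]
    cidrs += [r["cidrIpv6"] for r in permission.get("ipv6Ranges", []) if r.get("cidrIpv6") == ANY_IPV6]
    return cidrs


def evaluate_security_group(config_item):
    """Return (complianceType, annotation) for one configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    configuration = config_item.get("configuration")
    if not configuration:  # Config sends configuration=None for a deleted resource
        return "NOT_APPLICABLE", "resource deleted"
    offenders = set()
    for permission in configuration.get("ipPermissions", []):
        if reaches_port(permission, SSH_PORT):
            offenders.update(world_open_cidrs(permission))
    if offenders:
        return "NON_COMPLIANT", "SSH open to world via " + ", ".join(sorted(offenders))
    return "COMPLIANT", "no world-open rule reaches port 22"


def build_evaluation(config_item):
    """The Evaluations[] entry for put_evaluations; OrderingTimestamp is mandatory."""
    compliance, annotation = evaluate_security_group(config_item)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def sg_item(resource_id, permissions):
    """Constructed configuration item in the shape Config records (sample data)."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": resource_id,
        "configurationItemCaptureTime": datetime(2024, 1, 1, tzinfo=timezone.utc).isoformat(),
        "configuration": None if permissions is None else {"ipPermissions": permissions},
    }


# Constructed samples; the sg-placeholder-* ids are not real groups
SAMPLES = {
    "port22-world": sg_item("sg-placeholder-1", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]),
    "wide-range-world": sg_item("sg-placeholder-2", [   # a fromPort == 22 check misses this
        {"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]),
    "all-traffic-v6": sg_item("sg-placeholder-3", [     # protocol -1 and the IPv6 wildcard
        {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]),
    "office-only": sg_item("sg-placeholder-4", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}]),
    "udp-world": sg_item("sg-placeholder-5", [          # not tcp, so SSH is unreachable
        {"ipProtocol": "udp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]),
    "deleted": sg_item("sg-placeholder-6", None),
}


def evaluate_samples():
    """Compliance type per sample item."""
    return {name: evaluate_security_group(item)[0] for name, item in SAMPLES.items()}


if __name__ == "__main__":
    for name, item in SAMPLES.items():
        print(f"{name:18} {build_evaluation(item)['ComplianceType']}")
```

Keeping the decision in `evaluate_security_group` and the AWS call outside it is what makes the rule unit-testable: the Lambda handler only has to parse `invokingEvent`, call `build_evaluation` and pass the result to `put_evaluations`.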

Security Posture Dashboard

┌─────────────────────────────────────────────┐
│  Security Hub - Overall Score: 78% (GOOD)   │
├─────────────────────────────────────────────┤
│  CIS Benchmark: 12/18 passed (66%)          │
│  ├── [✅] 1.1 - IAM root user MFA          │
│  ├── [✅] 1.3 - Unused IAM credentials      │
│  ├── [❌] 1.4 - IAM user policy attachment  │
│  └── [❌] 2.1 - S3 public access           │
├─────────────────────────────────────────────┤
│  Top Failures:                              │
│  1. S3 bucket public access (5 buckets)     │
│  2. Security group overly permissive (3 SGs)│
│  3. EBS volumes unencrypted (2 volumes)     │
└─────────────────────────────────────────────┘
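How the numbers on a card like this are derived from findings, as an added example that is not part of the course's code. The findings are constructed samples in a simplified subset of the ASFF shape `get_findings` returns (`Title`, `Compliance.Status`, `Compliance.SecurityControlId`, `Compliance.AssociatedStandards`, `Resources`); the control ids, standard ids, account id and resource ARNs are placeholders. Scoring a standard as the share of its controls with no FAILED finding is this example's approximation of the console score, not Security Hub's published formula.

```python
# Added example, not the course's own code: computing the posture card's numbers
# from Security Hub findings. Findings are constructed samples in a simplified
# ASFF subset; control ids, standard ids and resource ids are placeholders.
# Scoring = share of controls with no FAILED finding (an approximation).
from collections import defaultdict

CIS = "standards/cis-aws-foundations-benchmark/v/1.4.0"
PCI = "standards/pci-dss/v/3.2.1"


def finding(title, control_id, status, standards, resource_id):
    """One constructed finding in the ASFF fields this example reads."""
    return {
        "Title": title,
        "Compliance": {
            "Status": status,
            "SecurityControlId": control_id,
            "AssociatedStandards": [{"StandardsId": s} for s in standards],
        },
        "Resources": [{"Id": resource_id}],
    }


FINDINGS = [
    finding("MFA should be enabled for the root user", "IAM.9", "PASSED", [CIS, PCI], "AWS::::Account:111122223333"),
    finding("Unused IAM user credentials should be removed", "IAM.22", "PASSED", [CIS, PCI], "arn:aws:iam::111122223333:user/example"),
    finding("S3 buckets should block public read access", "S3.2", "FAILED", [CIS, PCI], "arn:aws:s3:::example-bucket-1"),
    finding("S3 buckets should block public read access", "S3.2", "FAILED", [CIS, PCI], "arn:aws:s3:::example-bucket-2"),
    finding("S3 buckets should block public read access", "S3.2", "PASSED", [CIS, PCI], "arn:aws:s3:::example-bucket-3"),
    finding("Security groups should not allow unrestricted SSH access", "EC2.13", "FAILED", [CIS], "sg-placeholder-1"),
    finding("Attached EBS volumes should be encrypted at rest", "EC2.3", "FAILED", [PCI], "vol-placeholder-1"),
    finding("Attached EBS volumes should be encrypted at rest", "EC2.3", "PASSED", [PCI], "vol-placeholder-2"),
]


def control_status(findings, by_standard=True):
    """Map each control (per standard, or globally) to FAILED if any finding for it
    failed, else PASSED. WARNING / NOT_AVAILABLE are not counted as failures."""
    status = {}
    for f in findings:
        c = f["Compliance"]
        standards = [s["StandardsId"] for s in c.get("AssociatedStandards", [])] if by_standard else [None]
        for std in standards:
            key = (std, c["SecurityControlId"])
            if c["Status"] == "FAILED":
                status[key] = "FAILED"
            else:
                status.setdefault(key, "PASSED")
    return status


def score(status_map):
    """(passed, total, percent) over a control -> status map."""
    passed = sum(1 for s in status_map.values() if s == "PASSED")
    total = len(status_map)
    return passed, total, (round(100 * passed / total) if total else 0)


def standard_scores(findings):
    """Per-standard score, like the 'CIS Benchmark: 12/18 passed' line."""
    per_std = defaultdict(dict)
    for (std, ctl), st in control_status(findings).items():
        per_std[std][ctl] = st
    return {std: score(m) for std, m in per_std.items()}


def overall_score(findings):
    """Score across all enabled controls, each counted once even if in several standards."""
    return score(control_status(findings, by_standard=False))


def top_failures(findings, n=3):
    """Failed controls ranked by number of distinct failing resources."""
    failing = defaultdict(set)
    for f in findings:
        if f["Compliance"]["Status"] == "FAILED":
            failing[f["Title"]].update(r["Id"] for r in f["Resources"])
    ranked = sorted(failing.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(title, len(ids)) for title, ids in ranked[:n]]


def render(findings):
    """Plain-text version of the posture card."""
    _, _, pct = overall_score(findings)
    lines = [f"Security Hub - Overall Score: {pct}%"]
    for std, (sp, st, spct) in sorted(standard_scores(findings).items()):
        lines.append(f"{std.split('/')[1]}: {sp}/{st} passed ({spct}%)")
    lines.append("Top Failures:")
    lines += [f"{i}. {title} ({count} resources)" for i, (title, count) in enumerate(top_failures(findings), 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(FINDINGS))
```

Ranking failures by distinct resources rather than by finding count is deliberate: a control that re-emits a finding on every evaluation cycle should not outrank a control that is failing on more assets.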

Automated Remediation

import boto3

s3 = boto3.client('s3')
ec2 = boto3.client('ec2')


def remediate_non_compliant(event):
    # Expects the 'detail' of a Config compliance-change EventBridge event.
    # Normalise the rule name so "s3-bucket-public-read-prohibited" and a
    # custom "SSH_OPEN_TO_WORLD" rule both match their remediation below.
    rule_name = event['configRuleName'].upper().replace('-', '_')
    resource_id = event['resourceId']
    
    if "S3" in rule_name and "PUBLIC" in rule_name:
        # boto3 takes the four settings inside PublicAccessBlockConfiguration,
        # not as top-level keyword arguments
        s3.put_public_access_block(
            Bucket=resource_id,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True
            }
        )
    elif "SSH" in rule_name:
        # Revokes only the offending rule; other ingress on the group is untouched
        ec2.revoke_security_group_ingress(
            GroupId=resource_id,
            IpPermissions=[{
                'IpProtocol': 'tcp',
                'FromPort': 22,
                'ToPort': 22,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
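An allowlisted dispatcher around the remediation above, as an added example that is not part of the course's code: it acts only on NON_COMPLIANT transitions, only for rules it knows, and only when the event's resource type matches the type the rule evaluates, so a renamed or misrouted rule cannot trigger an API call against the wrong resource. The event shape is the `detail` of a Config compliance-change EventBridge event (assumed fields: `configRuleName`, `resourceType`, `resourceId`, `newEvaluationResult.complianceType`); the rule-to-action map, the custom rule name `restricted-ssh` and the recording stand-in for boto3 clients are this example's assumptions.

```python
# Added example, not the course's own code: guard rails around auto-remediation.
# Input is the 'detail' of a Config compliance-change EventBridge event (assumed
# fields: configRuleName, resourceType, resourceId, newEvaluationResult.complianceType).
# The REMEDIATIONS map, the "restricted-ssh" rule name and RecordingClient are
# this example's assumptions; no real AWS call is made when run as-is.

# Rule name -> (resource type the rule evaluates, remediation to run)
REMEDIATIONS = {
    "s3-bucket-public-read-prohibited": ("AWS::S3::Bucket", "block_public_access"),
    "restricted-ssh": ("AWS::EC2::SecurityGroup", "revoke_world_ssh"),  # assumed custom rule name
}


def plan_remediation(detail):
    """Decide what to do for one compliance-change event; None means do nothing."""
    result = detail.get("newEvaluationResult") or {}
    if result.get("complianceType") != "NON_COMPLIANT":
        return None                      # COMPLIANT / NOT_APPLICABLE transitions need no action
    rule = detail.get("configRuleName")
    if rule not in REMEDIATIONS:
        return None                      # unknown rule: never improvise a fix
    expected_type, action = REMEDIATIONS[rule]
    if detail.get("resourceType") != expected_type:
        # A mismatch means the mapping is wrong; fail closed rather than act on the wrong resource
        raise ValueError(f"{rule} expected {expected_type}, got {detail.get('resourceType')}")
    return {"action": action, "resource_id": detail["resourceId"], "rule": rule}


def block_public_access(s3, bucket):
    # All four settings go under PublicAccessBlockConfiguration
    return s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True})


def revoke_world_ssh(ec2, group_id):
    # Revokes exactly the offending rule; other ingress on the group is untouched
    return ec2.revoke_security_group_ingress(
        GroupId=group_id,
        IpPermissions=[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])


ACTIONS = {"block_public_access": block_public_access, "revoke_world_ssh": revoke_world_ssh}


def remediate(detail, s3, ec2):
    """Plan, then run. Clients are injected so the flow is testable without AWS."""
    plan = plan_remediation(detail)
    if plan is None:
        return None
    client = s3 if plan["action"] == "block_public_access" else ec2
    ACTIONS[plan["action"]](client, plan["resource_id"])
    return plan


class RecordingClient:
    """Stand-in for a boto3 client that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


def sample_event(rule, resource_type, resource_id, compliance="NON_COMPLIANT"):
    """Constructed event detail (not a captured event)."""
    return {"configRuleName": rule, "resourceType": resource_type, "resourceId": resource_id,
            "newEvaluationResult": {"complianceType": compliance}}


if __name__ == "__main__":
    s3, ec2 = RecordingClient(), RecordingClient()
    print(remediate(sample_event("restricted-ssh", "AWS::EC2::SecurityGroup", "sg-placeholder"), s3, ec2))
    print(ec2.calls)
```

In production the two clients would be `boto3.client("s3")` and `boto3.client("ec2")`; the Lambda's execution role should then carry only `s3:PutBucketPublicAccessBlock` and `ec2:RevokeSecurityGroupIngress`, matching the two actions the allowlist can ever take.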

Cloud Security Course Complete! 🎉

  • ✅ Shared Responsibility
  • ✅ CloudTrail & GuardDuty
  • ✅ Secrets & KMS
  • ✅ Container Security
  • ✅ Posture Management
