Security specialty

Cloud Security

Browse every cataloged workflow for cloud security, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

66 skills

cybersecuritySkill

Analyzing Cloud Storage Access Patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

Cloud Security
aws-s3azure-blob-storagecloud-securitycloudtrail+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 3 mappings
cybersecuritySkill

Analyzing Office 365 Audit Logs for Compromise

Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.

Cloud Security
audit-logsbecemail-compromiseinbox-rules+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing AWS S3 Bucket Permissions

Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.

Cloud Security
access-controlawsbucket-permissionscloud-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing Azure Active Directory Configuration

Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.

Cloud Security
active-directoryazurecloud-securityconditional-access+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing Cloud with CIS Benchmarks

This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.

Cloud Security
cis-benchmarkscloud-auditcompliance-assessmentprowler+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsAI RMF, 3 mappings
cybersecuritySkill

Auditing GCP IAM Permissions

Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

Cloud Security
cloud-securitygcpiampermissions-audit+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing Kubernetes Cluster RBAC

Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.

Cloud Security
access-controlakscloud-securityeks+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing Terraform Infrastructure for Security

Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.

Cloud Security
checkovcloud-securityinfrastructure-as-codepolicy-as-code+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Cloud SIEM with Sentinel

This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

Cloud Security
cloud-siemkql-queriesmicrosoft-sentinelsoar-automation+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Conducting Cloud Penetration Testing

This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and reporting findings aligned to MITRE ATT&CK Cloud matrix.

Cloud Security
aws-exploitationcloud-pentestingmitre-attack-cloudoffensive-security+1
ATT&CK, 7 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Detecting AWS CloudTrail Anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

Cloud Security
anomaly-detectionawsboto3cloud-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting AWS Credential Exposure with TruffleHog

Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using TruffleHog, git-secrets, and AWS-native detection mechanisms to prevent credential theft and unauthorized account access.

Cloud Security
awscloud-securitycredential-exposuredevsecops+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting AWS GuardDuty Findings Automation

Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.

Cloud Security
automationawseventbridgeguardduty+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting AWS IAM Privilege Escalation

Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations

Cloud Security
awsboto3cloudsplainingiam+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Azure Lateral Movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

Cloud Security
azurecloud-securityentra-idgraph-api+4
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Azure Service Principal Abuse

Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.

Cloud Security
azurecredential-abusedetectionentra-id+4
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Azure Storage Account Misconfigurations

Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.

Cloud Security
adlsazureazure-mgmt-storageblob-storage+5
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Detecting Cloud Threats with GuardDuty

This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.

Cloud Security
amazon-guarddutyaws-securitycloud-socruntime-monitoring+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Compromised Cloud Credentials

Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection.

Cloud Security
anomaly-detectioncloud-securitycredential-compromiseguardduty+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Cryptomining in Cloud

This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation workloads.

Cloud Security
cloud-abusecost-anomalycryptomining-detectionguardduty-crypto+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Misconfigured Azure Storage

Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and Microsoft Defender for Storage.

Cloud Security
azureblob-storagecloud-securitydata-protection+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Detecting OAuth Token Theft

Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation.

Cloud Security
azure-adconditional-accessentra-ididentity-security+4
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting S3 Data Exfiltration Attempts

Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers.

Cloud Security
awscloud-securitydata-exfiltrationguardduty+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Serverless Function Injection

Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) through event source poisoning, malicious layer injection, runtime command execution, and IAM privilege escalation via function modification. The analyst combines static analysis of function code, CloudTrail event correlation, runtime behavior monitoring, and IAM policy auditing to identify injection vectors across the expanded serverless attack surface including API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving Lambda security assessment, serverless injection detection, function event poisoning analysis, or serverless privilege escalation investigation.

Cloud Security
cloudtrailevent-source-poisoningiam-escalationlambda-injection+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Shadow IT Cloud Usage

Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.

Cloud Security
cloud-securitydns-analysisnetflowpandas+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Suspicious OAuth Application Consent

Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.

Cloud Security
application-permissionsazure-adcloud-securityentra-id+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Emulating Cloud Attacks with Stratus Red Team

Detonate granular AWS, Azure, GCP, and Kubernetes attack techniques to validate detections with Stratus Red Team.

Cloud Security
adversary-emulationawscloud-securitydetection-validation+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Enumerating Cloud with CloudFox

Map AWS and Azure attack paths and find exploitable misconfigurations with CloudFox.

Cloud Security
attack-pathsawsazurecloud-pentest+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Exploiting AWS with Pacu

Use Pacu modules for AWS privilege escalation, persistence, and backdooring.

Cloud Security
awscloud-pentestiam-abuseoffensive-security+4
ATT&CK, 6 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Implementing AWS Config Rules for Compliance

Implementing AWS Config rules for continuous compliance monitoring of AWS resources, deploying managed and custom rules aligned to CIS and PCI DSS frameworks, configuring automatic remediation with SSM Automation, and aggregating compliance data across accounts.

Cloud Security
automationawscloud-securitycompliance+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing AWS Macie for Data Classification

Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine learning and pattern matching for PII, financial data, and credentials detection.

Cloud Security
awscompliancedata-classificationdlp+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing AWS Nitro Enclave Security

Implements AWS Nitro Enclave-based confidential computing environments with cryptographic attestation, KMS policy integration using PCR-based condition keys, and secure vsock communication channels. The practitioner builds enclave images, configures attestation-aware KMS policies, validates attestation documents against the AWS Nitro PKI root of trust, and establishes isolated computation pipelines for processing sensitive data such as PII, cryptographic keys, and healthcare records. Activates for requests involving Nitro Enclave setup, enclave attestation validation, confidential computing on AWS, or KMS enclave policy configuration.

Cloud Security
attestationaws-nitro-enclavesconfidential-computingenclave-isolation+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing AWS Security Hub

This skill covers deploying AWS Security Hub as a centralized cloud security posture management platform that aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. It details enabling security standards like CIS AWS Foundations Benchmark, configuring automated remediation, and building executive dashboards for compliance tracking across multi-account AWS organizations.

Cloud Security
aws-security-hubcompliance-automationcspmfinding-aggregation+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing AWS Security Hub Compliance

Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management.

Cloud Security
awscis-benchmarkcloud-securitycompliance+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Azure Defender for Cloud

Implementing Microsoft Defender for Cloud to enable cloud security posture management, workload protection across VMs, containers, databases, and storage, configure security recommendations, and set up adaptive security controls with automated remediation.

Cloud Security
azurecloud-securitycspmcwpp+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Implementing Cloud DLP for Data Protection

Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure Information Protection, and Google Cloud DLP API to discover, classify, and protect sensitive data across cloud storage, databases, and data pipelines.

Cloud Security
cloud-securitydata-classificationdata-protectiondlp+2
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing Cloud Security Posture Management

Implementing Cloud Security Posture Management (CSPM) to continuously monitor multi-cloud environments for misconfigurations, compliance violations, and security risks using Prowler, ScoutSuite, AWS Security Hub, Azure Defender, and GCP Security Command Center.

Cloud Security
cloud-securitycompliancecspmmulti-cloud+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Cloud WAF Rules

This skill covers deploying and tuning Web Application Firewall rules on AWS WAF, Azure WAF, and Cloudflare to protect cloud-hosted applications against OWASP Top 10 attacks. It details configuring managed rule sets, creating custom rules for business logic protection, implementing rate limiting, deploying bot management, and reducing false positives through rule tuning and logging analysis.

Cloud Security
aws-wafazure-wafcloud-wafcloudflare-waf+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Cloud Workload Protection

Implements cloud workload protection using boto3 and google-cloud APIs for runtime security monitoring, process anomaly detection, and file integrity checking on EC2/GCE instances. Scans for cryptomining, reverse shells, and unauthorized binaries. Use when building runtime security controls for cloud compute workloads.

Cloud Security
boto3cloud-securitycwppprocess-anomaly-detection+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing CloudTrail Log Analysis

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

Cloud Security
awscloud-securitycloudtrailforensics+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing GCP Binary Authorization

Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested container images are deployed to Google Kubernetes Engine and Cloud Run.

Cloud Security
attestationbinary-authorizationcloud-runcontainer-security+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing GCP Organization Policy Constraints

Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.

Cloud Security
cloud-securitycomplianceconstraintsgcp+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing GCP VPC Firewall Rules

Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC Flow Logs.

Cloud Security
cloud-securityfirewall-rulesgcpnetwork-security+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Secrets Management with Vault

This skill covers deploying HashiCorp Vault for centralized secrets management across cloud environments, including dynamic secret generation for databases and cloud providers, transit encryption, PKI certificate management, and Kubernetes integration. It addresses eliminating hardcoded credentials from application code and CI/CD pipelines by implementing short-lived, automatically rotated secrets.

Cloud Security
credential-rotationdynamic-secretshashicorp-vaultsecrets-management+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Zero Trust in Cloud

This skill guides organizations through implementing zero trust architecture in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, and GCP environments.

Cloud Security
beyondcorpcontinuous-verificationidentity-aware-proxymicro-segmentation+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Zero Trust Network Access

Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.

Cloud Security
beyondcorpcloud-securityidentity-aware-proxymicro-segmentation+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Managing Cloud Identity with Okta

This skill covers implementing Okta as a centralized identity provider for cloud environments, configuring SSO integration with AWS, Azure, and GCP, deploying phishing- resistant MFA with Okta FastPass, managing lifecycle automation for user provisioning and deprovisioning, and enforcing adaptive access policies based on device posture and risk signals.

Cloud Security
cloud-identityidentity-lifecycleoktaphishing-resistant-mfa+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing AWS Account Enumeration with ScoutSuite

Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify misconfigurations, and generate actionable security reports.

Cloud Security
awscloud-securitycspmenumeration+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing AWS Privilege Escalation Assessment

Performing authorized privilege escalation assessments in AWS environments to identify IAM misconfigurations that allow users or roles to elevate their permissions using Pacu, CloudFox, Principal Mapper, and manual IAM policy analysis techniques.

Cloud Security
awscloud-securityiamoffensive-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud Asset Inventory with Cartography

Perform comprehensive cloud asset inventory and relationship mapping using Cartography to build a Neo4j security graph of infrastructure assets, IAM permissions, and attack paths across AWS, GCP, and Azure.

Cloud Security
asset-inventoryattack-pathcartographycloud-security+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud Forensics with AWS CloudTrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

Cloud Security
awsboto3cloud-securitycloudtrail+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud Log Forensics with AWS Athena

Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.

Cloud Security
albathenaawscloud+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud Native Forensics with Falco

Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output. Use when building container runtime security or investigating k8s cluster compromises.

Cloud Security
cloud-securitycontainer-forensicsfalcokubernetes-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud Penetration Testing with Pacu

Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through systematic attack simulation.

Cloud Security
awscloud-securityiam-exploitationoffensive-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Cloud-Native Threat Hunting with AWS Detective

Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses.

Cloud Security
awsaws-detectivebehavior-graphcloud-security+5
ATT&CK, 14 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing GCP Penetration Testing with GCPBucketBrute

Perform GCP security testing using GCPBucketBrute for storage bucket enumeration, gcloud IAM privilege escalation path analysis, and service account permission auditing

Cloud Security
bucket-enumerationcloud-pentestinggcpgcpbucketbrute+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Performing GCP Security Assessment with Forseti

Performing comprehensive security assessments of Google Cloud Platform environments using Forseti Security, Security Command Center, and gcloud CLI to audit IAM policies, firewall rules, storage permissions, and compliance against CIS GCP Foundations Benchmark.

Cloud Security
cis-benchmarkcloud-securityforsetigcp+2
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 5 mappings
cybersecuritySkill

Performing Serverless Function Security Review

Performing security reviews of serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Functions to identify overly permissive execution roles, insecure environment variables, injection vulnerabilities, and missing runtime protections.

Cloud Security
azure-functionscloud-functionscloud-securitylambda+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Remediating S3 Bucket Misconfiguration

This skill provides step-by-step procedures for identifying and remediating Amazon S3 bucket misconfigurations that expose sensitive data to unauthorized access. It covers enabling S3 Block Public Access at account and bucket levels, auditing bucket policies and ACLs, enforcing encryption, configuring access logging, and deploying automated remediation using AWS Config and Lambda.

Cloud Security
aws-configbucket-misconfigurationdata-exposurepublic-access-block+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing API Gateway with AWS WAF

Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for OWASP Top 10 protection, creating custom rate limiting rules, implementing bot control, setting up IP reputation filtering, and monitoring WAF metrics for security effectiveness.

Cloud Security
api-gatewayawsbot-protectioncloud-security+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing AWS IAM Permissions

This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration, and credential rotation strategies to reduce the blast radius of compromised identities.

Cloud Security
access-analyzeraws-iamcloud-identityleast-privilege+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing AWS Lambda Execution Roles

Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries, restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through SCPs.

Cloud Security
awscloud-securityexecution-rolesiam+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing Azure with Microsoft Defender

This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender portal for centralized threat management.

Cloud Security
azure-securitycloud-workload-protectioncnappmicrosoft-defender+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Securing Container Registry Images

Securing container registry images by implementing vulnerability scanning with Trivy and Grype, enforcing image signing with Cosign and Sigstore, configuring registry access controls, and building CI/CD pipelines that prevent deploying unscanned or unsigned images.

Cloud Security
cloud-securitycontainerscosignimage-scanning+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing Kubernetes on Cloud

This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by implementing Pod Security Standards, network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring. It addresses cloud-specific security features including IRSA for EKS, Workload Identity for GKE, and Managed Identities for AKS.

Cloud Security
akscontainer-runtimeeksgke+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing Serverless Functions

This skill covers security hardening for serverless compute platforms including AWS Lambda, Azure Functions, and Google Cloud Functions. It addresses least privilege IAM roles, dependency vulnerability scanning, secrets management integration, input validation, function URL authentication, and runtime monitoring to protect against injection attacks, credential theft, and supply chain compromises.

Cloud Security
aws-lambdaazure-functionsfunction-hardeningserverless-security+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings