vulnerability management

Implementing Cloud Vulnerability Posture Management

Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.

aws-security-hubazure-defendercloud-securitycnappcspmmisconfigurationprowlerscoutsuite
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.

When to Use

  • When deploying or configuring implementing cloud vulnerability posture management capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

AWS Security Hub

Enable Security Hub

# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1
 
# Enable specific standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'
 
# Get findings summary
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10

Security Hub Standards

Standard Description
AWS Foundational Security Best Practices AWS-recommended baseline controls
CIS AWS Foundations Benchmark 1.4 CIS hardening requirements
PCI DSS v3.2.1 Payment card industry controls
NIST SP 800-53 Rev 5 Federal security controls

Azure Defender for Cloud

Enable Defender CSPM

# Enable Defender for Cloud free tier
az security pricing create \
  --name CloudPosture \
  --tier standard
 
# Check secure score
az security secure-score list \
  --query "[].{Name:displayName,Score:current,Max:max}" \
  --output table
 
# Get security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table
 
# Get alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table

Open-Source: Prowler

Installation and Execution

# Install Prowler
pip install prowler
 
# Run full AWS scan
prowler aws --output-formats json-ocsf,csv,html
 
# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet
 
# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf
 
# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws
 
# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws
 
# Scan Azure environment
prowler azure --subscription-ids "sub-id-here"
 
# Scan GCP environment
prowler gcp --project-ids "project-id-here"

Prowler Check Categories

Category Examples
IAM Root MFA, password policy, access key rotation
S3 Public access, encryption, versioning
EC2 Security groups, EBS encryption, metadata service
RDS Public access, encryption, backup retention
CloudTrail Enabled, encrypted, log validation
VPC Flow logs, default SG restrictions
Lambda Public access, runtime versions
EKS Public endpoint, secrets encryption

Open-Source: ScoutSuite

# Install ScoutSuite
pip install scoutsuite
 
# Run AWS assessment
scout aws --profile production
 
# Run Azure assessment
scout azure --cli
 
# Run GCP assessment
scout gcp --project-id my-project
 
# Results available as interactive HTML report
# Open scout-report/report.html in browser

Multi-Cloud Aggregation

import json
import subprocess
from datetime import datetime, timezone
 
def run_prowler_scan(provider, output_dir, compliance=None):
    """Run Prowler scan for a cloud provider."""
    cmd = ["prowler", provider, "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode == 0
 
def aggregate_findings(prowler_dirs):
    """Aggregate findings from multiple Prowler scans."""
    all_findings = []
    for scan_dir in prowler_dirs:
        json_files = list(Path(scan_dir).glob("*.json"))
        for jf in json_files:
            with open(jf, "r") as f:
                for line in f:
                    try:
                        finding = json.loads(line.strip())
                        all_findings.append(finding)
                    except json.JSONDecodeError:
                        continue
    # Sort by severity
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        f.get("severity", "informational").lower(), 5
    ))
    return all_findings
 
def generate_posture_report(findings, output_path):
    """Generate cloud security posture report."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = f.get("severity", "unknown")
        provider = f.get("cloud_provider", "unknown")
        service = f.get("service_name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1
 
    with open(output_path, "w") as f:
        json.dump(report, f, indent=2)
    return report

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.7 KB

API Reference: Cloud Security Posture Management Agent

Dependencies

Library Version Purpose
boto3 >=1.28 AWS SDK for Security Hub findings and compliance
prowler >=4.0 Open-source cloud security scanner (optional, via subprocess)

CLI Usage

python scripts/agent.py \
  --profile security-audit \
  --region us-east-1 \
  --output-dir /reports/ \
  --output cspm_report.json

Functions

get_securityhub_client(profile, region)

Creates boto3 Security Hub client.

get_findings_summary(client, max_results) -> dict

Calls client.get_findings() filtered to NEW/ACTIVE findings, groups by severity.

get_compliance_summary(client) -> list

Calls client.get_enabled_standards() then describe_standards_controls() per standard. Returns compliance percentages.

run_prowler_scan(profile, region) -> dict

Executes prowler aws --output-formats json via subprocess with 10-minute timeout.

generate_report(client, profile, region) -> dict

Combines Security Hub and Prowler results into unified CSPM report.

boto3 Security Hub Methods

Method Purpose
get_findings(Filters, MaxResults) Retrieve active findings
get_enabled_standards() List enabled compliance standards
describe_standards_controls(StandardsSubscriptionArn) Control-level compliance

Output Schema

{
  "summary": {"finding_counts": {"CRITICAL": 3, "HIGH": 12}, "total_findings": 45},
  "compliance_standards": [{"standard": "cis-aws-foundations-benchmark", "compliance_pct": 78.5}],
  "recommendations": ["Remediate 3 CRITICAL findings immediately"]
}
standards.md1.6 KB

Standards and References - Cloud Vulnerability Posture Management

Cloud Security Standards

CIS Benchmarks for Cloud

NIST SP 800-53 Rev 5

CSA Cloud Controls Matrix (CCM) v4

AWS Well-Architected Security Pillar

Azure Security Benchmark v3

Tools

Tool Provider License URL
AWS Security Hub AWS Pay-per-use https://aws.amazon.com/security-hub/
Azure Defender for Cloud Microsoft Free + Standard tiers https://azure.microsoft.com/en-us/products/defender-for-cloud
Prowler Open Source Apache 2.0 https://github.com/prowler-cloud/prowler
ScoutSuite NCC Group GPL-2.0 https://github.com/nccgroup/ScoutSuite
Steampipe Turbot AGPL-3.0 https://github.com/turbot/steampipe
CloudSploit Aqua Security GPL-3.0 https://github.com/aquasecurity/cloudsploit
workflows.md1.3 KB

Workflows - Cloud Vulnerability Posture Management

Workflow 1: Daily Cloud Posture Assessment

  1. Prowler scans all cloud accounts (AWS, Azure, GCP) on daily schedule
  2. Results exported as JSON-OCSF and uploaded to central SIEM
  3. New critical/high findings trigger Slack notifications
  4. Findings compared against previous day for delta analysis
  5. New misconfigurations create Jira tickets for cloud team

Workflow 2: Compliance Baseline Assessment

  1. Select compliance framework (CIS, PCI DSS, NIST 800-53, SOC 2)
  2. Run Prowler with compliance flag against each cloud account
  3. Generate compliance-specific report with pass/fail per control
  4. Map failed controls to remediation actions
  5. Track compliance posture score over time

Workflow 3: Remediation and Verification

  1. Cloud engineer receives Jira ticket for misconfiguration
  2. Engineer applies fix via Terraform/CloudFormation/ARM template
  3. Targeted Prowler re-scan validates fix
  4. Jira ticket auto-closed on pass
  5. Infrastructure-as-code updated to prevent recurrence

Workflow 4: Multi-Cloud Executive Report

  1. Aggregate findings from all providers
  2. Calculate posture scores by account, region, and service
  3. Trend analysis showing improvement or degradation
  4. Risk heat map by cloud service category
  5. Present to security leadership monthly

Scripts 2

agent.py5.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Cloud Security Posture Management agent using boto3 for AWS Security Hub and Prowler."""

import argparse
import json
import logging
import os
import subprocess
import sys
from datetime import datetime
from typing import List

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:
    sys.exit("boto3 required: pip install boto3")

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def get_securityhub_client(profile: str = "", region: str = "us-east-1"):
    """Create Security Hub client."""
    session = boto3.Session(profile_name=profile) if profile else boto3.Session()
    return session.client("securityhub", region_name=region)


def get_findings_summary(client, max_results: int = 100) -> dict:
    """Get Security Hub findings grouped by severity."""
    try:
        resp = client.get_findings(
            Filters={"WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
                     "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]},
            MaxResults=max_results,
        )
        findings = resp.get("Findings", [])
        by_severity = {"CRITICAL": [], "HIGH": [], "MEDIUM": [], "LOW": []}
        for f in findings:
            sev = f.get("Severity", {}).get("Label", "LOW")
            if sev in by_severity:
                by_severity[sev].append({
                    "title": f.get("Title", ""),
                    "resource": f.get("Resources", [{}])[0].get("Id", ""),
                    "standard": f.get("ProductName", ""),
                    "created": f.get("CreatedAt", ""),
                })
        return {sev: items for sev, items in by_severity.items()}
    except ClientError as exc:
        return {"error": str(exc)}


def get_compliance_summary(client) -> List[dict]:
    """Get compliance status across enabled security standards."""
    try:
        resp = client.get_enabled_standards()
        standards = []
        for sub in resp.get("StandardsSubscriptions", []):
            arn = sub.get("StandardsSubscriptionArn", "")
            controls = client.describe_standards_controls(StandardsSubscriptionArn=arn, MaxResults=100)
            total = len(controls.get("Controls", []))
            passed = sum(1 for c in controls.get("Controls", [])
                         if c.get("ComplianceStatus") == "PASSED")
            standards.append({
                "standard": sub.get("StandardsArn", "").split("/")[-1],
                "status": sub.get("StandardsStatus", ""),
                "total_controls": total,
                "passed": passed,
                "failed": total - passed,
                "compliance_pct": round(passed / total * 100, 1) if total else 0,
            })
        return standards
    except ClientError as exc:
        return [{"error": str(exc)}]


def run_prowler_scan(profile: str = "", region: str = "us-east-1") -> dict:
    """Run Prowler security scan via subprocess."""
    cmd = ["prowler", "aws", "--output-formats", "json", "-M", "json-ocsf"]
    if profile:
        cmd.extend(["--profile", profile])
    if region:
        cmd.extend(["--region", region])
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
        if result.stdout:
            lines = result.stdout.strip().split("\n")
            findings = [json.loads(line) for line in lines if line.strip()]
            return {"findings_count": len(findings), "findings": findings[:50]}
    except (FileNotFoundError, subprocess.TimeoutExpired):
        logger.warning("Prowler not available or timed out")
    return {}


def generate_report(client, profile: str, region: str) -> dict:
    """Generate CSPM report combining Security Hub and Prowler."""
    report = {"analysis_date": datetime.utcnow().isoformat(), "region": region}
    report["security_hub_findings"] = get_findings_summary(client)
    report["compliance_standards"] = get_compliance_summary(client)
    counts = {sev: len(items) for sev, items in report["security_hub_findings"].items()
              if isinstance(items, list)}
    report["summary"] = {
        "finding_counts": counts,
        "total_findings": sum(counts.values()),
        "standards_assessed": len(report["compliance_standards"]),
    }
    report["recommendations"] = []
    if counts.get("CRITICAL", 0) > 0:
        report["recommendations"].append(
            f"Remediate {counts['CRITICAL']} CRITICAL findings immediately")
    return report


def main():
    parser = argparse.ArgumentParser(description="Cloud Security Posture Management Agent")
    parser.add_argument("--profile", default="")
    parser.add_argument("--region", default="us-east-1")
    parser.add_argument("--output-dir", default=".")
    parser.add_argument("--output", default="cspm_report.json")
    args = parser.parse_args()

    os.makedirs(args.output_dir, exist_ok=True)
    client = get_securityhub_client(args.profile, args.region)
    report = generate_report(client, args.profile, args.region)
    out_path = os.path.join(args.output_dir, args.output)
    with open(out_path, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("Report saved to %s", out_path)
    print(json.dumps(report["summary"], indent=2))


if __name__ == "__main__":
    main()
process.py7.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Cloud Vulnerability Posture Management Tool.

Orchestrates multi-cloud security posture assessments using Prowler,
aggregates findings, and generates compliance reports.
"""

import argparse
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

try:
    import boto3
except ImportError:
    boto3 = None


def run_prowler_aws(profile=None, region=None, compliance=None, output_dir="./prowler_output"):
    """Execute Prowler scan against AWS account."""
    cmd = ["prowler", "aws", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
    if profile:
        cmd.extend(["--profile", profile])
    if region:
        cmd.extend(["--region", region])
    if compliance:
        cmd.extend(["--compliance", compliance])
    print(f"[*] Running Prowler AWS scan...")
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
    if result.returncode == 0:
        print("[+] Prowler AWS scan completed successfully")
    else:
        print(f"[-] Prowler AWS scan failed: {result.stderr[:500]}")
    return result.returncode == 0


def run_prowler_azure(subscription_id=None, output_dir="./prowler_output"):
    """Execute Prowler scan against Azure subscription."""
    cmd = ["prowler", "azure", "--output-formats", "json-ocsf,csv", "--output-directory", output_dir]
    if subscription_id:
        cmd.extend(["--subscription-ids", subscription_id])
    print(f"[*] Running Prowler Azure scan...")
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
    if result.returncode == 0:
        print("[+] Prowler Azure scan completed successfully")
    else:
        print(f"[-] Prowler Azure scan failed: {result.stderr[:500]}")
    return result.returncode == 0


def get_aws_security_hub_findings(region="us-east-1", severity="CRITICAL"):
    """Fetch findings from AWS Security Hub."""
    if not boto3:
        print("[-] boto3 not installed")
        return []
    client = boto3.client("securityhub", region_name=region)
    findings = []
    paginator = client.get_paginator("get_findings")
    for page in paginator.paginate(
        Filters={
            "SeverityLabel": [{"Value": severity, "Comparison": "EQUALS"}],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        },
        MaxResults=100,
    ):
        findings.extend(page.get("Findings", []))
    print(f"[+] Retrieved {len(findings)} {severity} findings from Security Hub")
    return findings


def parse_prowler_output(output_dir):
    """Parse Prowler JSON-OCSF output files."""
    findings = []
    output_path = Path(output_dir)
    for json_file in output_path.rglob("*.ocsf.json"):
        with open(json_file, "r", encoding="utf-8") as f:
            for line in f:
                line = line.strip()
                if not line:
                    continue
                try:
                    finding = json.loads(line)
                    findings.append({
                        "provider": finding.get("cloud", {}).get("provider", "unknown"),
                        "account": finding.get("cloud", {}).get("account", {}).get("uid", ""),
                        "region": finding.get("cloud", {}).get("region", ""),
                        "service": finding.get("resources", [{}])[0].get("type", "") if finding.get("resources") else "",
                        "check_id": finding.get("metadata", {}).get("uid", ""),
                        "title": finding.get("finding_info", {}).get("title", ""),
                        "severity": finding.get("severity", "unknown"),
                        "status": finding.get("status", ""),
                        "description": finding.get("finding_info", {}).get("desc", ""),
                        "remediation": finding.get("remediation", {}).get("desc", ""),
                        "resource_uid": finding.get("resources", [{}])[0].get("uid", "") if finding.get("resources") else "",
                    })
                except (json.JSONDecodeError, KeyError, IndexError):
                    continue
    return findings


def generate_posture_report(findings, output_path):
    """Generate cloud security posture report."""
    severity_map = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    failed = [f for f in findings if f.get("status", "").lower() in ("fail", "failed")]
    passed = [f for f in findings if f.get("status", "").lower() in ("pass", "passed")]

    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_checks": len(findings),
        "passed": len(passed),
        "failed": len(failed),
        "pass_rate": round(len(passed) / max(len(findings), 1) * 100, 1),
        "failed_by_severity": {},
        "failed_by_provider": {},
        "failed_by_service": {},
        "top_findings": [],
    }

    for f in failed:
        sev = str(f.get("severity", "unknown")).lower()
        provider = f.get("provider", "unknown")
        service = f.get("service", "unknown")
        report["failed_by_severity"][sev] = report["failed_by_severity"].get(sev, 0) + 1
        report["failed_by_provider"][provider] = report["failed_by_provider"].get(provider, 0) + 1
        report["failed_by_service"][service] = report["failed_by_service"].get(service, 0) + 1

    critical_high = [f for f in failed if str(f.get("severity", "")).lower() in ("critical", "high")]
    critical_high.sort(key=lambda x: severity_map.get(str(x.get("severity", "")).lower(), 5))
    report["top_findings"] = critical_high[:20]

    with open(output_path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)

    print(f"\n[+] Cloud Posture Report: {output_path}")
    print(f"    Total checks: {report['total_checks']}")
    print(f"    Passed: {report['passed']} | Failed: {report['failed']}")
    print(f"    Pass rate: {report['pass_rate']}%")
    print(f"    Failed by severity: {json.dumps(report['failed_by_severity'])}")
    return report


def main():
    parser = argparse.ArgumentParser(description="Cloud Vulnerability Posture Management")
    parser.add_argument("--scan-aws", action="store_true", help="Run Prowler AWS scan")
    parser.add_argument("--scan-azure", action="store_true", help="Run Prowler Azure scan")
    parser.add_argument("--profile", help="AWS profile name")
    parser.add_argument("--region", help="AWS region")
    parser.add_argument("--subscription", help="Azure subscription ID")
    parser.add_argument("--compliance", help="Compliance framework (e.g., cis_1.5_aws)")
    parser.add_argument("--parse", help="Parse Prowler output directory")
    parser.add_argument("--security-hub", action="store_true", help="Fetch from AWS Security Hub")
    parser.add_argument("--output", default="cloud_posture_report.json")
    parser.add_argument("--output-dir", default="./prowler_output")
    args = parser.parse_args()

    if args.scan_aws:
        run_prowler_aws(args.profile, args.region, args.compliance, args.output_dir)
    if args.scan_azure:
        run_prowler_azure(args.subscription, args.output_dir)
    if args.parse:
        findings = parse_prowler_output(args.parse)
        print(f"[*] Parsed {len(findings)} findings")
        generate_posture_report(findings, args.output)
    if args.security_hub:
        findings = get_aws_security_hub_findings(args.region or "us-east-1")
        print(f"[*] Retrieved {len(findings)} Security Hub findings")
    if not any([args.scan_aws, args.scan_azure, args.parse, args.security_hub]):
        parser.print_help()


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.4 KB
Keep exploring