npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When migrating from traditional perimeter-based security to identity-centric access controls
- When eliminating VPN dependencies for remote workforce access to cloud applications
- When implementing continuous verification for every access request regardless of network location
- When designing micro-segmentation strategies for multi-cloud workloads
- When regulatory requirements mandate zero trust architecture adoption (federal mandates, NIST guidelines)
Do not use for simple VPN replacement without broader architectural changes, for network firewall rule management alone (see implementing-cloud-network-segmentation), or for identity provider initial setup (see managing-cloud-identity-with-okta).
Prerequisites
- Identity provider capable of OIDC/SAML integration (Okta, Azure AD, Google Workspace)
- Device management solution for endpoint trust assessment (Intune, Jamf, Google Endpoint Verification)
- Cloud workloads accessible via HTTPS with load balancer or reverse proxy infrastructure
- SIEM platform for continuous monitoring of access decisions and anomaly detection
Workflow
Step 1: Define Zero Trust Principles and Architecture
Establish the core principles following NIST SP 800-207: never trust, always verify. Every access request must be authenticated, authorized, and encrypted regardless of origin.
Zero Trust Architecture Components:
+-------------------------------------------------------------------+
| Policy Decision Point |
| +-------------------+ +------------------+ +-----------------+ |
| | Identity Provider | | Device Trust | | Risk Engine | |
| | (Okta/Azure AD) | | (Intune/Jamf) | | (Continuous) | |
| +-------------------+ +------------------+ +-----------------+ |
+-------------------------------------------------------------------+
|
+--------------------+
| Policy Enforcement |
| Point (IAP/Proxy) |
+--------------------+
|
+-------------------+-------------------+
| | |
+----------+ +----------+ +----------+
| App A | | App B | | App C |
| (AWS) | | (Azure) | | (GCP) |
+----------+ +----------+ +----------+Step 2: Deploy Identity-Aware Proxy
Configure Identity-Aware Proxy (IAP) to enforce identity and context-based access decisions before requests reach applications. Eliminate direct network access to application backends.
# GCP: Enable Identity-Aware Proxy for a backend service
gcloud services enable iap.googleapis.com
# Configure IAP for an App Engine application
gcloud iap web enable --resource-type=app-engine
# Set IAP access policy requiring specific user group
gcloud iap web add-iam-policy-binding \
--resource-type=app-engine \
--member="group:engineering@company.com" \
--role="roles/iap.httpsResourceAccessor"
# Create Access Level requiring corporate device and MFA
gcloud access-context-manager levels create corporate-device \
--title="Corporate Device with MFA" \
--basic-level-spec='{
"conditions": [
{
"devicePolicy": {
"requireScreenlock": true,
"allowedEncryptionStatuses": ["ENCRYPTED"],
"osConstraints": [
{"osType": "DESKTOP_CHROME_OS", "minimumVersion": "100.0"},
{"osType": "DESKTOP_MAC", "minimumVersion": "12.0"},
{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19041"}
]
},
"requiredAccessLevels": ["accessPolicies/POLICY_ID/accessLevels/require-mfa"]
}
]
}'# AWS: Configure AWS Verified Access for zero trust application access
aws ec2 create-verified-access-instance \
--description "Zero Trust Access Instance"
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type oidc \
--oidc-options '{
"Issuer": "https://company.okta.com/oauth2/default",
"AuthorizationEndpoint": "https://company.okta.com/oauth2/default/v1/authorize",
"TokenEndpoint": "https://company.okta.com/oauth2/default/v1/token",
"UserInfoEndpoint": "https://company.okta.com/oauth2/default/v1/userinfo",
"ClientId": "verified-access-client-id",
"ClientSecret": "verified-access-client-secret",
"Scope": "openid profile groups"
}'Step 3: Implement Continuous Verification
Configure real-time risk assessment that evaluates every access request based on identity, device posture, location, behavior patterns, and threat intelligence signals.
# Azure Conditional Access Policy (JSON representation)
{
"displayName": "Zero Trust - Require MFA and Compliant Device",
"state": "enabled",
"conditions": {
"users": {"includeUsers": ["All"]},
"applications": {"includeApplications": ["All"]},
"locations": {
"includeLocations": ["All"],
"excludeLocations": ["AllTrusted"]
},
"signInRiskLevels": ["medium", "high"],
"deviceStates": {
"includeStates": ["All"],
"excludeStates": ["Compliant", "DomainJoined"]
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa",
"compliantDevice"
]
},
"sessionControls": {
"signInFrequency": {"value": 4, "type": "hours"},
"persistentBrowser": {"mode": "never"}
}
}Step 4: Enforce Micro-Segmentation
Apply network-level zero trust by segmenting cloud workloads into isolated zones with explicit allow rules for each communication path.
# AWS: Create isolated VPC with no default routes
aws ec2 create-vpc --cidr-block 10.100.0.0/16 --no-amazon-provided-ipv6-cidr-block
# Create security groups implementing micro-segmentation
aws ec2 create-security-group \
--group-name web-tier-sg \
--description "Web tier - accepts traffic from ALB only" \
--vpc-id vpc-abc123
aws ec2 authorize-security-group-ingress \
--group-id sg-web123 \
--protocol tcp --port 8080 \
--source-group sg-alb123
aws ec2 create-security-group \
--group-name app-tier-sg \
--description "App tier - accepts traffic from web tier only"
aws ec2 authorize-security-group-ingress \
--group-id sg-app123 \
--protocol tcp --port 8443 \
--source-group sg-web123Step 5: Implement Device Trust Assessment
Integrate endpoint verification to assess device security posture before granting access. Require encryption, OS patches, and endpoint protection.
# Google Endpoint Verification with BeyondCorp
gcloud access-context-manager levels create managed-device \
--title="Managed and Encrypted Device" \
--basic-level-spec='{
"conditions": [{
"devicePolicy": {
"requireScreenlock": true,
"requireAdminApproval": true,
"allowedEncryptionStatuses": ["ENCRYPTED"],
"allowedDeviceManagementLevels": ["COMPLETE"]
}
}]
}'
# Apply access level to IAP-protected resource
gcloud iap web set-iam-policy \
--resource-type=backend-services \
--service=web-app-backend \
--condition='expression=accessPolicies/POLICY_ID/accessLevels/managed-device'Step 6: Monitor and Adapt with Continuous Analytics
Deploy logging and analytics to monitor all access decisions, detect anomalies, and continuously refine zero trust policies based on real usage patterns.
# Export IAP access logs to BigQuery for analysis
gcloud logging sinks create iap-access-logs \
bigquery.googleapis.com/projects/my-project/datasets/security_logs \
--log-filter='resource.type="gce_backend_service" AND protoPayload.serviceName="iap.googleapis.com"'
# AWS Verified Access logs to CloudWatch
aws ec2 modify-verified-access-instance-logging-configuration \
--verified-access-instance-id vai-abc123 \
--access-logs '{
"CloudWatchLogs": {"Enabled": true, "LogGroup": "/aws/verified-access/logs"},
"S3": {"Enabled": true, "BucketName": "verified-access-logs"}
}'Key Concepts
| Term | Definition |
|---|---|
| Zero Trust | Security model that eliminates implicit trust by requiring continuous authentication, authorization, and encryption for every access request |
| BeyondCorp | Google's implementation of zero trust that shifts access controls from network perimeter to individual users and devices |
| Identity-Aware Proxy | Reverse proxy that verifies user identity and context before forwarding requests to backend applications, replacing VPN-based access |
| Continuous Verification | Real-time assessment of identity, device posture, location, and behavior for every access request, not just at initial authentication |
| Device Trust | Assessment of endpoint security posture including encryption status, OS version, patch level, and MDM compliance before granting access |
| NIST SP 800-207 | National Institute of Standards and Technology publication defining zero trust architecture principles and deployment models |
| Access Context Manager | GCP service for defining conditional access policies based on device attributes, IP ranges, and identity properties |
| AWS Verified Access | AWS service providing zero trust application access based on identity and device trust signals without VPN |
Tools & Systems
- Google BeyondCorp Enterprise: End-to-end zero trust platform with Identity-Aware Proxy, Access Context Manager, and Endpoint Verification
- AWS Verified Access: Zero trust application access service integrating with identity providers and device trust services
- Azure Conditional Access: Policy engine enforcing identity, device, location, and risk-based access controls for Azure AD applications
- Zscaler Private Access: Zero trust network access platform replacing VPN with identity and context-based application access
- Cloudflare Access: Zero trust proxy for securing internal applications with identity verification and device posture checks
Common Scenarios
Scenario: Eliminating VPN for Remote Engineering Access
Context: An organization has 500 engineers accessing internal tools via VPN. The VPN concentrator is a single point of failure and recent credential theft incidents showed that VPN access grants excessive lateral movement capability.
Approach:
- Inventory all internal applications accessed via VPN and classify by sensitivity level
- Deploy Identity-Aware Proxy (GCP) or Verified Access (AWS) in front of each application
- Configure OIDC integration with the corporate identity provider requiring MFA for all access
- Implement device trust policies requiring encrypted devices with current OS patches and endpoint protection
- Enable continuous session evaluation with 4-hour re-authentication for sensitive applications
- Gradually migrate teams from VPN to IAP access, monitoring for access failures and adjusting policies
- Decommission VPN after 100% migration and 30-day parallel operation period
Pitfalls: Deploying zero trust without device management in place blocks legitimate users with personal devices. Setting re-authentication intervals too short disrupts developer productivity with excessive login prompts.
Output Format
Zero Trust Architecture Assessment Report
===========================================
Organization: Acme Corp
Cloud Providers: AWS, Azure, GCP
Assessment Date: 2025-02-23
MATURITY LEVEL: Level 2 (Advanced) - NIST ZTA Maturity Model
IDENTITY PILLAR:
MFA Enforcement: 98% of users (target: 100%)
Phishing-Resistant MFA: 34% (target: 80%)
SSO Coverage: 87% of applications
Conditional Access Policies: 12 active policies
DEVICE PILLAR:
MDM Enrollment: 92% of corporate devices
Encryption Enforcement: 95%
OS Patch Compliance: 78% (30-day window)
Endpoint Protection: 96%
NETWORK PILLAR:
VPN Dependency: 3 applications remaining (target: 0)
IAP-Protected Applications: 47/50
Micro-Segmented Workloads: 65%
East-West Traffic Encryption: 40% (mTLS adoption)
APPLICATION PILLAR:
Applications Behind Zero Trust Proxy: 94%
Session Re-Authentication: Configured for 85% of apps
Runtime Access Logging: 100%
RECOMMENDATIONS:
1. [HIGH] Migrate remaining 3 VPN-dependent apps to IAP
2. [HIGH] Increase phishing-resistant MFA to 80% within 6 months
3. [MEDIUM] Expand micro-segmentation to remaining 35% of workloads
4. [MEDIUM] Deploy service mesh for east-west mTLS encryptionReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.8 KB
API Reference: Implementing Zero Trust in Cloud
Libraries
boto3 (AWS Zero Trust Checks)
- Install:
pip install boto3 - IAM:
list_users(),list_mfa_devices(),get_account_summary() - EC2:
describe_instances(),describe_security_groups() - S3:
get_bucket_encryption(),get_public_access_block() - CloudTrail:
describe_trails(),get_trail_status()
azure-identity + azure-mgmt-authorization
- Install:
pip install azure-identity azure-mgmt-authorization AuthorizationManagementClient-- RBAC role assignmentsDefaultAzureCredential()-- Auto-detect auth
google-cloud-compute
- Install:
pip install google-cloud-compute FirewallsClient-- VPC firewall rules auditInstancesClient-- VM network configuration
Zero Trust Pillars (NIST SP 800-207)
| Pillar | Key Checks |
|---|---|
| Identity | MFA enforcement, least privilege, conditional access |
| Device | Compliance policies, MDM, certificate identity |
| Network | Micro-segmentation, private endpoints, no public IPs |
| Application | OAuth2/OIDC, API gateway auth, no VPN dependency |
| Data | Encryption at rest/transit, DLP, classification |
| Visibility | Centralized logging, SIEM, UEBA, real-time alerts |
AWS Zero Trust Services
| Service | Zero Trust Function |
|---|---|
| IAM Identity Center | Centralized identity and SSO |
| VPC PrivateLink | Private service connectivity |
| Verified Access | Identity-based application access |
| Security Hub | Continuous posture assessment |
| GuardDuty | Threat detection and monitoring |
| CloudTrail | API activity audit logging |
Azure Zero Trust Services
| Service | Zero Trust Function |
|---|---|
| Entra ID Conditional Access | Policy-based access decisions |
| Azure Private Link | Private endpoint connectivity |
| Microsoft Defender for Cloud | CSPM and CWP |
| Azure Sentinel | SIEM and SOAR |
GCP Zero Trust Services
| Service | Zero Trust Function |
|---|---|
| BeyondCorp Enterprise | Identity-Aware Proxy |
| VPC Service Controls | API-level perimeter |
| Binary Authorization | Container image trust |
| Security Command Center | Cloud posture management |
Maturity Levels
- Traditional: Perimeter-based, VPN-dependent, implicit trust
- Initial: Some identity verification, partial segmentation
- Advanced: Continuous verification, micro-segmentation, encrypted everywhere
External References
- NIST SP 800-207: https://csrc.nist.gov/pubs/sp/800/207/final
- Google BeyondCorp: https://cloud.google.com/beyondcorp
- AWS Verified Access: https://docs.aws.amazon.com/verified-access/
- Azure Zero Trust: https://learn.microsoft.com/en-us/security/zero-trust/
- CISA Zero Trust Maturity Model: https://www.cisa.gov/zero-trust-maturity-model
Scripts 1
agent.py9.8 KB
#!/usr/bin/env python3
"""Zero trust cloud architecture assessment agent using AWS, Azure, and GCP SDKs."""
import json
import argparse
from datetime import datetime
try:
import boto3
from botocore.exceptions import ClientError
except ImportError:
boto3 = None
try:
HAS_AZURE = True
except ImportError:
HAS_AZURE = False
try:
HAS_GCP = True
except ImportError:
HAS_GCP = False
ZERO_TRUST_PILLARS = [
{"pillar": "Identity", "description": "Verify every identity with strong auth",
"checks": ["MFA enforcement", "Conditional access policies", "Least privilege RBAC",
"Service account key rotation", "Passwordless authentication"]},
{"pillar": "Device", "description": "Validate device posture before granting access",
"checks": ["Device compliance policies", "MDM enrollment required",
"Certificate-based device identity", "OS patch level enforcement"]},
{"pillar": "Network", "description": "Micro-segment and encrypt all communications",
"checks": ["VPC/VNet segmentation", "Private endpoints for services",
"No public IPs on internal workloads", "TLS everywhere",
"Identity-Aware Proxy deployment"]},
{"pillar": "Application", "description": "Secure app access without network trust",
"checks": ["OAuth2/OIDC authentication", "API gateway with auth",
"No VPN-dependent access", "Runtime application self-protection"]},
{"pillar": "Data", "description": "Classify and protect data at all states",
"checks": ["Encryption at rest", "Encryption in transit",
"Data classification labels", "DLP policies active"]},
{"pillar": "Visibility", "description": "Continuous monitoring and analytics",
"checks": ["Centralized logging", "SIEM integration",
"User behavior analytics", "Real-time alerting"]},
]
def assess_aws_zero_trust(region="us-east-1"):
"""Assess AWS zero trust posture."""
if boto3 is None:
return {"error": "boto3 not installed"}
findings = []
iam = boto3.client("iam", region_name=region)
try:
summary = iam.get_account_summary()["SummaryMap"]
if summary.get("AccountMFAEnabled", 0) == 0:
findings.append({"pillar": "Identity", "check": "Root MFA",
"status": "FAIL", "severity": "CRITICAL",
"detail": "Root account MFA not enabled"})
else:
findings.append({"pillar": "Identity", "check": "Root MFA",
"status": "PASS", "detail": "Root MFA enabled"})
users = iam.list_users()["Users"]
for user in users[:20]:
mfa = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
if not mfa:
findings.append({"pillar": "Identity", "check": "User MFA",
"status": "FAIL", "severity": "HIGH",
"detail": f"User {user['UserName']} has no MFA"})
except ClientError as e:
findings.append({"pillar": "Identity", "check": "IAM", "status": "ERROR", "detail": str(e)})
ec2 = boto3.client("ec2", region_name=region)
try:
instances = ec2.describe_instances()
for reservation in instances.get("Reservations", []):
for inst in reservation.get("Instances", []):
if inst.get("PublicIpAddress"):
findings.append({"pillar": "Network", "check": "Public IP",
"status": "FAIL", "severity": "MEDIUM",
"detail": f"Instance {inst['InstanceId']} has public IP "
f"{inst['PublicIpAddress']}"})
except ClientError as e:
findings.append({"pillar": "Network", "status": "ERROR", "detail": str(e)})
try:
sgs = ec2.describe_security_groups()["SecurityGroups"]
for sg in sgs:
for rule in sg.get("IpPermissions", []):
for ip in rule.get("IpRanges", []):
if ip.get("CidrIp") == "0.0.0.0/0":
port = rule.get("FromPort", "all")
findings.append({"pillar": "Network", "check": "Security Group",
"status": "FAIL", "severity": "HIGH",
"detail": f"SG {sg['GroupId']} port {port} open to 0.0.0.0/0"})
except ClientError as e:
findings.append({"pillar": "Network", "status": "ERROR", "detail": str(e)})
s3 = boto3.client("s3", region_name=region)
try:
buckets = s3.list_buckets().get("Buckets", [])
for bucket in buckets[:20]:
try:
enc = s3.get_bucket_encryption(Bucket=bucket["Name"])
findings.append({"pillar": "Data", "check": "S3 Encryption",
"status": "PASS", "detail": f"{bucket['Name']} encrypted"})
except ClientError:
findings.append({"pillar": "Data", "check": "S3 Encryption",
"status": "FAIL", "severity": "HIGH",
"detail": f"Bucket {bucket['Name']} has no default encryption"})
except ClientError as e:
findings.append({"pillar": "Data", "status": "ERROR", "detail": str(e)})
ct = boto3.client("cloudtrail", region_name=region)
try:
trails = ct.describe_trails()["trailList"]
if trails:
findings.append({"pillar": "Visibility", "check": "CloudTrail",
"status": "PASS", "detail": f"{len(trails)} trail(s) configured"})
else:
findings.append({"pillar": "Visibility", "check": "CloudTrail",
"status": "FAIL", "severity": "CRITICAL",
"detail": "No CloudTrail trails configured"})
except ClientError as e:
findings.append({"pillar": "Visibility", "status": "ERROR", "detail": str(e)})
return findings
def generate_zero_trust_scorecard(findings):
"""Generate a zero trust maturity scorecard from findings."""
pillar_scores = {}
for f in findings:
pillar = f.get("pillar", "Unknown")
if pillar not in pillar_scores:
pillar_scores[pillar] = {"pass": 0, "fail": 0, "error": 0}
status = f.get("status", "ERROR")
if status == "PASS":
pillar_scores[pillar]["pass"] += 1
elif status == "FAIL":
pillar_scores[pillar]["fail"] += 1
else:
pillar_scores[pillar]["error"] += 1
scorecard = {}
for pillar, counts in pillar_scores.items():
total = counts["pass"] + counts["fail"]
score = round(counts["pass"] / max(total, 1) * 100, 1)
maturity = "Advanced" if score >= 80 else "Initial" if score >= 50 else "Traditional"
scorecard[pillar] = {"score": score, "maturity": maturity,
"passed": counts["pass"], "failed": counts["fail"]}
return scorecard
def run_zero_trust_assessment(region="us-east-1"):
"""Run comprehensive zero trust assessment."""
print(f"\n{'='*60}")
print(f" ZERO TRUST CLOUD ARCHITECTURE ASSESSMENT")
print(f" Generated: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')} UTC")
print(f"{'='*60}\n")
print(f"--- ZERO TRUST PILLARS ---")
for p in ZERO_TRUST_PILLARS:
print(f" {p['pillar']}: {p['description']}")
for c in p["checks"]:
print(f" - {c}")
print(f"\n--- AWS ASSESSMENT (region: {region}) ---")
findings = assess_aws_zero_trust(region)
pass_count = sum(1 for f in findings if f.get("status") == "PASS")
fail_count = sum(1 for f in findings if f.get("status") == "FAIL")
print(f" Total checks: {len(findings)}")
print(f" Passed: {pass_count} | Failed: {fail_count}")
critical = [f for f in findings if f.get("severity") == "CRITICAL"]
high = [f for f in findings if f.get("severity") == "HIGH"]
if critical:
print(f"\n CRITICAL FINDINGS ({len(critical)}):")
for f in critical:
print(f" [{f['pillar']}] {f.get('check', 'N/A')}: {f['detail']}")
if high:
print(f"\n HIGH FINDINGS ({len(high)}):")
for f in high[:10]:
print(f" [{f['pillar']}] {f.get('check', 'N/A')}: {f['detail']}")
scorecard = generate_zero_trust_scorecard(findings)
print(f"\n--- ZERO TRUST SCORECARD ---")
for pillar, scores in scorecard.items():
bar = "#" * int(scores["score"] / 5)
print(f" {pillar:<15} {scores['score']:>5.1f}% [{scores['maturity']}] {bar}")
overall = round(sum(s["score"] for s in scorecard.values()) / max(len(scorecard), 1), 1)
print(f"\n OVERALL ZERO TRUST MATURITY: {overall}%")
maturity = "Advanced" if overall >= 80 else "Initial" if overall >= 50 else "Traditional"
print(f" Maturity Level: {maturity}")
print(f"\n{'='*60}\n")
return {"findings": findings, "scorecard": scorecard, "overall_score": overall}
def main():
parser = argparse.ArgumentParser(description="Zero Trust Cloud Architecture Agent")
parser.add_argument("--region", default="us-east-1", help="AWS region")
parser.add_argument("--assess", action="store_true", help="Run zero trust assessment")
parser.add_argument("--pillars", action="store_true", help="Show zero trust pillars")
parser.add_argument("--output", help="Save report to JSON")
args = parser.parse_args()
if args.pillars:
for p in ZERO_TRUST_PILLARS:
print(f"\n{p['pillar']}: {p['description']}")
for c in p["checks"]:
print(f" - {c}")
elif args.assess:
report = run_zero_trust_assessment(args.region)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()