security-mcp 1.1.3 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (133)
  1. package/README.md +164 -185
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/control-catalog.json +200 -0
  9. package/defaults/security-policy.json +2 -2
  10. package/dist/cli/index.js +82 -5
  11. package/dist/cli/install.js +36 -6
  12. package/dist/cli/onboarding.js +6 -0
  13. package/dist/gate/baseline.js +82 -7
  14. package/dist/gate/catalog.js +10 -2
  15. package/dist/gate/checks/ai.js +757 -39
  16. package/dist/gate/checks/auth-deep.js +935 -0
  17. package/dist/gate/checks/business-logic.js +751 -0
  18. package/dist/gate/checks/ci-pipeline.js +399 -4
  19. package/dist/gate/checks/crypto.js +423 -2
  20. package/dist/gate/checks/dependencies.js +571 -15
  21. package/dist/gate/checks/graphql.js +201 -19
  22. package/dist/gate/checks/infra.js +246 -1
  23. package/dist/gate/checks/injection-deep.js +848 -0
  24. package/dist/gate/checks/k8s.js +114 -1
  25. package/dist/gate/checks/mobile-android.js +917 -3
  26. package/dist/gate/checks/mobile-ios.js +797 -5
  27. package/dist/gate/checks/required-artifacts.js +194 -0
  28. package/dist/gate/checks/runtime.js +178 -0
  29. package/dist/gate/checks/secrets.js +244 -13
  30. package/dist/gate/checks/supply-chain-deep.js +787 -0
  31. package/dist/gate/checks/web-nextjs.js +572 -48
  32. package/dist/gate/diff.js +17 -5
  33. package/dist/gate/evidence.js +8 -1
  34. package/dist/gate/exceptions.js +131 -9
  35. package/dist/gate/policy.js +282 -129
  36. package/dist/mcp/audit-chain.js +122 -28
  37. package/dist/mcp/auth.js +169 -0
  38. package/dist/mcp/learning.js +129 -4
  39. package/dist/mcp/model-router.js +158 -21
  40. package/dist/mcp/orchestration.js +186 -51
  41. package/dist/mcp/server.js +608 -94
  42. package/dist/repo/fs.js +24 -1
  43. package/dist/repo/search.js +31 -6
  44. package/dist/review/store.js +52 -1
  45. package/package.json +7 -7
  46. package/prompts/SECURITY_PROMPT.md +73 -0
  47. package/skills/_TEMPLATE/SKILL.md +99 -0
  48. package/skills/advanced-dos-tester/SKILL.md +109 -0
  49. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  50. package/skills/ai-llm-redteam/SKILL.md +104 -0
  51. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  52. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  53. package/skills/android-penetration-tester/SKILL.md +455 -46
  54. package/skills/anti-replay-tester/SKILL.md +106 -0
  55. package/skills/appsec-code-auditor/SKILL.md +120 -0
  56. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  57. package/skills/attack-navigator/SKILL.md +467 -8
  58. package/skills/auth-session-hacker/SKILL.md +128 -0
  59. package/skills/aws-penetration-tester/SKILL.md +456 -0
  60. package/skills/azure-penetration-tester/SKILL.md +490 -3
  61. package/skills/binary-auth-validator/SKILL.md +111 -0
  62. package/skills/bot-detection-specialist/SKILL.md +109 -0
  63. package/skills/business-logic-attacker/SKILL.md +231 -0
  64. package/skills/capec-code-mapper/SKILL.md +84 -0
  65. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  66. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  67. package/skills/ciso-orchestrator/SKILL.md +454 -43
  68. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  69. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  70. package/skills/compliance-grc/SKILL.md +85 -0
  71. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  72. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  73. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  74. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  75. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  76. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  77. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  78. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  79. package/skills/dos-resilience-tester/SKILL.md +97 -0
  80. package/skills/dread-scorer/SKILL.md +84 -0
  81. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  82. package/skills/evidence-collector/SKILL.md +98 -0
  83. package/skills/file-upload-attacker/SKILL.md +109 -0
  84. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  85. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  86. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  87. package/skills/incident-responder/SKILL.md +111 -0
  88. package/skills/injection-specialist/SKILL.md +131 -0
  89. package/skills/ios-security-auditor/SKILL.md +282 -0
  90. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  91. package/skills/k8s-container-escaper/SKILL.md +384 -0
  92. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  93. package/skills/kill-switch-engineer/SKILL.md +102 -0
  94. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  95. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  96. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  97. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  98. package/skills/mobile-security-specialist/SKILL.md +85 -0
  99. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  100. package/skills/model-extraction-attacker/SKILL.md +219 -0
  101. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  102. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  103. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  104. package/skills/pentest-infra/SKILL.md +141 -0
  105. package/skills/pentest-social/SKILL.md +201 -0
  106. package/skills/pentest-team/SKILL.md +134 -0
  107. package/skills/pentest-web-api/SKILL.md +151 -0
  108. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  109. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  110. package/skills/quantum-migration-planner/SKILL.md +96 -0
  111. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  112. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  113. package/skills/rotation-validation-agent/SKILL.md +112 -0
  114. package/skills/samm-assessor/SKILL.md +85 -0
  115. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  116. package/skills/senior-security-engineer/SKILL.md +370 -2
  117. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  118. package/skills/session-timeout-tester/SKILL.md +161 -0
  119. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  120. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  121. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  122. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  123. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  124. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  125. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  126. package/skills/threat-modeler/SKILL.md +85 -0
  127. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  128. package/skills/token-reuse-detector/SKILL.md +95 -0
  129. package/skills/trike-risk-modeler/SKILL.md +84 -0
  130. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  131. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  132. package/skills/webhook-security-tester/SKILL.md +102 -0
  133. package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -58,3 +58,459 @@ If internet permitted:
58
58
  - Blast radius: exactly what is accessible if this is exploited
59
59
  - Privilege escalation chain (if applicable)
60
60
  - Fixed Terraform/IAM policy written inline
61
+
62
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
63
+ ```json
64
+ {
65
+ "intelligenceForOtherAgents": {
66
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
67
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
68
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
69
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
70
+ }
71
+ }
72
+ ```
73
+
74
+ ---
75
+
76
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
77
+
78
+ ### 1. IAM Privilege Escalation via `iam:PassRole` + Service Chaining (Rhino Security Labs Technique)
79
+
80
+ **Technique:** An attacker with `iam:PassRole` and `ec2:RunInstances` (or `lambda:CreateFunction`,
81
+ `glue:CreateJob`, `sagemaker:CreateTrainingJob`, etc.) can pass a more-privileged role to a new
82
+ service resource, then execute code under that role — bypassing policy boundaries entirely.
83
+
84
+ **Test:** Search all IAM policies for the combination of `iam:PassRole` co-existing with any
85
+ service creation action. Run:
86
+ ```bash
87
+ grep -r "iam:PassRole" . --include="*.tf" --include="*.json" -l
88
+ ```
89
+ Then for each hit, check whether the same policy or any role it can assume also grants
90
+ `ec2:RunInstances`, `lambda:CreateFunction`, `glue:CreateJob`, `ecs:RunTask`, or
91
+ `sagemaker:CreateTrainingJob`.
92
+
93
+ **Finding:** Any policy where `iam:PassRole` scope is `"Resource": "*"` with no condition
94
+ keys (`aws:RequestedRegion`, `iam:PassedToService`) is an automatic HIGH. If a service creation
95
+ action is co-located, escalate to CRITICAL.
96
+
97
+ **Fix:** Restrict `iam:PassRole` to specific role ARNs and add condition:
98
+ ```json
99
+ "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } }
100
+ ```
101
+
102
+ ---
103
+
104
+ ### 2. EKS Pod Identity / IRSA Token Audience Confusion (CVE-2024-21626 Class)
105
+
106
+ **Technique:** EKS IRSA (IAM Roles for Service Accounts) tokens include an `aud` claim. If the
107
+ OIDC provider trust policy does not pin `sts.amazonaws.com` as the sole audience AND the service
108
+ account annotation is overly broad, a malicious pod in a lower-privilege namespace can forge
109
+ requests to STS using ambient IRSA tokens. Additionally, container escape via `runc` path
110
+ traversal (CVE-2024-21626) can reach the host IRSA token file before it is rotated.
111
+
112
+ **Test:**
113
+ ```bash
114
+ # Check OIDC trust policy audience restriction
115
+ grep -r "oidc.eks" . --include="*.tf" -A10 | grep -E '"aud"|Audience'
116
+ # Verify hop limit enforced (mitigates SSRF → IMDS token theft)
117
+ grep -r "http_tokens" . --include="*.tf" | grep -v "required"
118
+ ```
119
+
120
+ **Finding:** Any IRSA trust policy missing `StringEquals` on `token.actions.githubusercontent.com:aud`
121
+ or without `sub` condition pinned to the specific service account is CRITICAL.
122
+
123
+ ---
124
+
125
+ ### 3. S3 Server-Side Request Forgery to IMDS Credential Theft Chain
126
+
127
+ **Technique:** An application-level SSRF vulnerability that can reach `169.254.169.254` bypasses
128
+ IMDSv1 controls entirely if the EC2 metadata hop limit is set to 2 (default before December 2019).
129
+ The attacker retrieves temporary IAM credentials for the instance profile, then calls STS to
130
+ confirm the role, and escalates.
131
+
132
+ **Test:**
133
+ ```bash
134
+ # Confirm IMDSv2 hop-limit is 1 (mandatory)
135
+ grep -r "http_put_response_hop_limit" . --include="*.tf" | grep -v "= 1"
136
+ grep -r "metadata_options" . --include="*.tf" -A5
137
+ # Grep for missing metadata_options block entirely
138
+ grep -rL "metadata_options" . --include="*.tf" | xargs grep -l "aws_instance"
139
+ ```
140
+
141
+ **Finding:** Any `aws_instance` or `aws_launch_template` without `metadata_options { http_tokens = "required" http_put_response_hop_limit = 1 }` is CRITICAL if the application has any HTTP fetch capability.
142
+
143
+ ---
144
+
145
+ ### 4. AWS CodeBuild / CodePipeline Supply Chain Injection
146
+
147
+ **Technique (Supply Chain / Emerging Threat):** An attacker with write access to a dependency
148
+ source (npm, pip, Maven) that CodeBuild fetches during `buildspec.yml` execution can inject
149
+ malicious code that runs in the CodeBuild environment — which typically holds credentials for
150
+ S3, ECR, and deployment roles. This is the AWS-native form of the SolarWinds / XZ Utils
151
+ supply-chain attack pattern.
152
+
153
+ **Test:**
154
+ ```bash
155
+ # Check buildspec.yml for unpinned dependencies
156
+ find . -name "buildspec.yml" -o -name "buildspec.yaml" | xargs grep -E "npm install|pip install|gem install" | grep -v "@[0-9]"
157
+ # Check CodeBuild role scope
158
+ grep -r "codebuild" . --include="*.tf" -A30 | grep -E "AdministratorAccess|PowerUserAccess|\*"
159
+ ```
160
+
161
+ **Finding:** Any CodeBuild `buildspec.yml` that installs packages without pinned versions AND
162
+ the CodeBuild execution role has IAM write, S3 write, or ECR push permissions is a CRITICAL
163
+ supply-chain risk.
164
+
165
+ **Emerging Threat Context:** AI-generated package names hallucinated by LLM coding assistants
166
+ create phantom package names that attackers register ("AI-assisted dependency confusion"). Check
167
+ all `package.json`, `requirements.txt`, and `pom.xml` for packages with zero download history.
168
+
169
+ ---
170
+
171
+ ### 5. Secrets Manager / Parameter Store Plaintext Logging via CloudWatch
172
+
173
+ **Technique:** When application code retrieves a secret via `GetSecretValue` or `GetParameter`,
174
+ some logging frameworks (especially structured loggers that serialize the entire SDK response
175
+ object) will log the `SecretString` field to CloudWatch Logs. This creates a secondary plaintext
176
+ secret store with longer retention and broader IAM read access than the original secret.
177
+
178
+ **Test:**
179
+ ```bash
180
+ # Find CloudWatch log groups with long or infinite retention
181
+ grep -r "retention_in_days" . --include="*.tf" | grep -v "retention_in_days"
182
+ # Find log group missing encryption
183
+ grep -rL "kms_key_id" . --include="*.tf" | xargs grep -l "aws_cloudwatch_log_group"
184
+ # Find application code that may log full SDK response
185
+ grep -rn "GetSecretValue\|get_secret_value" . --include="*.ts" --include="*.py" --include="*.js" -A3 | grep -i "log\|console\|print"
186
+ ```
187
+
188
+ **Finding:** Any CloudWatch log group without KMS encryption AND retention > 90 days that is
189
+ accessible by a log group with loose IAM read policy is HIGH. Add `kms_key_id` and set
190
+ `retention_in_days = 30` minimum.
191
+
192
+ ---
193
+
194
+ ### 6. Post-Quantum Threat: AWS KMS RSA Key Usage in Long-Lived Signed Artifacts
195
+
196
+ **Technique (Post-Quantum / Emerging Threat):** AWS KMS RSA_2048 and RSA_4096 keys used for
197
+ signing (S3 object signatures, CloudFront signed URLs, JWT RS256 tokens) are vulnerable to
198
+ harvest-now-decrypt-later attacks. An adversary collecting signed tokens today can break the
199
+ signatures when a cryptographically relevant quantum computer (CRQC) is available (estimated
200
+ 2028–2032 per NIST). AWS KMS does not yet offer ML-DSA (FIPS 204) signing keys natively, but
201
+ hybrid approaches using application-layer ML-DSA signatures alongside KMS are available.
202
+
203
+ **Test:**
204
+ ```bash
205
+ # Find all KMS keys configured for SIGN_VERIFY with RSA
206
+ grep -rn "key_usage.*SIGN_VERIFY\|customer_master_key_spec.*RSA" . --include="*.tf"
207
+ # Find CloudFront signed URL configurations
208
+ grep -rn "trusted_key_groups\|trusted_signers" . --include="*.tf"
209
+ # Find JWT libraries using RS256
210
+ grep -rn "RS256\|RS384\|RS512" . --include="*.ts" --include="*.py" --include="*.js"
211
+ ```
212
+
213
+ **Finding:** Any KMS RSA signing key used for tokens or artifacts with validity > 1 year is HIGH
214
+ with a post-quantum risk note. Recommend migration plan to ML-DSA when AWS KMS supports it and
215
+ interim mitigation of shortening token lifetimes to < 24 hours.
216
+
217
+ ---
218
+
219
+ ### 7. GuardDuty Suppression Rules Creating Detection Blind Spots
220
+
221
+ **Technique:** GuardDuty suppression rules (filter rules with auto-archive action) are commonly
222
+ created to suppress noisy findings from trusted CI/CD IP ranges or pentest suites. An attacker
223
+ who discovers a suppressed CIDR block (via leaked Terraform state or CloudFormation outputs) can
224
+ route their attacks through a VPN endpoint in that CIDR to evade GuardDuty detection entirely.
225
+
226
+ **Test:**
227
+ ```bash
228
+ # Find GuardDuty filter/suppression rules in Terraform
229
+ grep -rn "aws_guardduty_filter\|aws_guardduty_publishing_destination" . --include="*.tf" -A20
230
+ # Check for overly broad suppression (entire RFC 1918 ranges)
231
+ grep -rn "criterion\|equal_to\|gte\|lte" . --include="*.tf" | grep -E "10\.|172\.16|192\.168" -A3
232
+ ```
233
+
234
+ **Finding:** Any GuardDuty suppression rule that archives findings by CIDR block broader than /28
235
+ or by `ipAddressV4` containing a public IP range is HIGH. Each suppression rule must be documented
236
+ with a business justification and reviewed quarterly.
237
+
238
+ ---
239
+
240
+ ### 8. AI-Assisted Attack Surface: Bedrock / SageMaker IAM Over-Privilege
241
+
242
+ **Technique (AI-Assisted / Emerging Threat):** AWS Bedrock and SageMaker endpoints are increasingly
243
+ used in production. Their execution roles commonly receive `s3:GetObject` on training data buckets
244
+ or `s3:PutObject` on output buckets. An attacker who achieves prompt injection via a Bedrock Agent
245
+ invocation can exfiltrate the model's execution role credentials via the agent's code interpreter
246
+ tool — a novel SSRF-via-LLM attack class documented in AWS threat research (2024).
247
+
248
+ **Test:**
249
+ ```bash
250
+ # Find Bedrock agent and model execution roles
251
+ grep -rn "bedrock\|sagemaker" . --include="*.tf" -A30 | grep -E "iam_role_arn|role_arn|execution_role"
252
+ # Check if Bedrock agent action groups include code execution
253
+ grep -rn "AMAZON.CodeInterpreter\|action_group_executor" . --include="*.tf" --include="*.json"
254
+ # Verify Bedrock Guardrails configured
255
+ grep -rn "aws_bedrock_guardrail" . --include="*.tf"
256
+ ```
257
+
258
+ **Finding:** Any Bedrock Agent with `AMAZON.CodeInterpreter` action group enabled AND an execution
259
+ role that has `s3:GetObject` or `sts:AssumeRole` on scopes beyond the agent's dedicated bucket is
260
+ CRITICAL — this is an exploitable AI prompt-injection-to-credential-theft chain.
261
+
262
+ ---
263
+
264
+ ## §AWS_PENETRATION_TESTER-CHECKLIST
265
+
266
+ 1. **IAM Wildcard Actions in Customer-Managed Policies**
267
+ Mechanism: `"Action": "*"` or `"Action": "iam:*"` in any non-AWS-managed policy grants full
268
+ admin equivalent. Grep: `grep -rn '"Action": "\*"' . --include="*.tf" --include="*.json"`.
269
+ Finding: Any hit outside `AdministratorAccess` managed policy is CRITICAL.
270
+
271
+ 2. **S3 Block Public Access Disabled at Account Level**
272
+ Mechanism: Account-level Block Public Access can be disabled separately from bucket-level,
273
+ allowing bucket ACLs or policies to re-enable public access. Grep:
274
+ `grep -rn "aws_s3_account_public_access_block" . --include="*.tf"` — absence of this resource
275
+ in the account Terraform is a HIGH finding. All four `block_*` attributes must be `true`.
276
+
277
+ 3. **Lambda Function URLs with AuthType NONE**
278
+ Mechanism: `aws_lambda_function_url` with `authorization_type = "NONE"` exposes the Lambda
279
+ directly to the internet with no IAM authentication. Grep:
280
+ `grep -rn "authorization_type" . --include="*.tf" | grep -i "none"`.
281
+ Finding: Any match is CRITICAL unless the Lambda explicitly implements its own auth layer
282
+ with documented evidence.
283
+
284
+ 4. **EC2 Instance Metadata Service v1 (IMDSv1) Still Accessible**
285
+ Mechanism: IMDSv1 requires no session token, making it trivially reachable from any SSRF.
286
+ Grep: `grep -rn "http_tokens" . --include="*.tf" | grep -v "required"` plus check for
287
+ `aws_instance` resources missing `metadata_options` entirely.
288
+ Finding: Any instance without `http_tokens = "required"` and `http_put_response_hop_limit = 1`
289
+ is CRITICAL.
290
+
291
+ 5. **Cross-Account AssumeRole Without ExternalId Condition**
292
+ Mechanism: A trust policy allowing `sts:AssumeRole` from a foreign account principal without
293
+ `sts:ExternalId` condition enables the confused deputy attack — any AWS service in the trusting
294
+ account can assume the role. Grep:
295
+ `grep -rn "sts:AssumeRole" . --include="*.tf" --include="*.json" -A10 | grep -v ExternalId`.
296
+ Finding: Any cross-account trust without `ExternalId` condition is HIGH.
297
+
298
+ 6. **CloudTrail Multi-Region Trail Disabled or Trail Deleted**
299
+ Mechanism: A single-region CloudTrail misses global service events (IAM, STS, CloudFront).
300
+ An attacker deleting the trail has a 15-minute window of unlogged activity.
301
+ Grep: `grep -rn "is_multi_region_trail" . --include="*.tf" | grep "false"`.
302
+ Finding: `is_multi_region_trail = false` or absence of `enable_log_file_validation = true` is HIGH.
303
+
304
+ 7. **Security Group Ingress from 0.0.0.0/0 on Non-80/443 Ports**
305
+ Mechanism: SSH (22), RDP (3389), database ports (3306, 5432, 1433, 27017, 6379) open to the
306
+ internet provide direct attack surface. Grep:
307
+ `grep -rn "cidr_blocks.*0.0.0.0/0" . --include="*.tf" -B5 | grep -E "from_port|to_port"`.
308
+ Finding: Any non-HTTP/S port open to `0.0.0.0/0` is CRITICAL.
309
+
310
+ 8. **RDS Snapshot Publicly Restorable**
311
+ Mechanism: `aws_db_snapshot` with `shared_accounts = ["all"]` or `publicly_accessible = true`
312
+ on the RDS instance allows any AWS account to restore a full copy of the database.
313
+ Grep: `grep -rn "publicly_accessible" . --include="*.tf" | grep "true"`.
314
+ Finding: Any RDS instance or snapshot with `publicly_accessible = true` is CRITICAL.
315
+
316
+ 9. **KMS Key Rotation Disabled on Customer-Managed Keys**
317
+ Mechanism: Without annual key rotation, a compromised KMS key or HSM breach exposes all
318
+ historical ciphertext. Grep:
319
+ `grep -rn "enable_key_rotation" . --include="*.tf" | grep "false"` plus absence check.
320
+ Finding: Any CMK without `enable_key_rotation = true` is HIGH.
321
+
322
+ 10. **CodeBuild Environment Variable Secrets (Plaintext)**
323
+ Mechanism: Secrets in CodeBuild `environment_variable` blocks with `type = "PLAINTEXT"` appear
324
+ in CloudWatch Logs, build outputs, and AWS Console in cleartext. Grep:
325
+ `grep -rn "PLAINTEXT" . --include="*.tf" -B2 | grep -i "secret\|password\|token\|key\|api"`.
326
+ Finding: Any secret-like environment variable with `type = "PLAINTEXT"` is HIGH; use
327
+ `PARAMETER_STORE` or `SECRETS_MANAGER` type instead.
328
+
329
+ 11. **EKS Cluster Public API Endpoint Without CIDR Restriction**
330
+ Mechanism: `endpoint_public_access = true` with `public_access_cidrs = ["0.0.0.0/0"]` exposes
331
+ the Kubernetes API server to brute force, credential stuffing, and CVE exploitation from anywhere.
332
+ Grep: `grep -rn "endpoint_public_access\|public_access_cidrs" . --include="*.tf"`.
333
+ Finding: Public endpoint without explicit CIDR allowlist (not `0.0.0.0/0`) is HIGH.
334
+
335
+ 12. **SNS / SQS Resource Policy Allowing Any Principal**
336
+ Mechanism: `"Principal": "*"` in an SNS topic or SQS queue resource policy with no
337
+ `aws:SourceAccount` or `aws:SourceArn` condition allows any AWS account to publish/subscribe.
338
+ Grep: `grep -rn '"Principal": "\*"' . --include="*.tf" --include="*.json" -A5 | grep -v Condition`.
339
+ Finding: Any match on SNS/SQS/Secrets Manager resource policy is HIGH.
340
+
341
+ ---
342
+
343
+ ## §POC-REQUIREMENT
344
+
345
+ For every CRITICAL or HIGH finding in this domain:
346
+
347
+ 1. **Write the working PoC FIRST** — exact payload, exact CLI command, observed impact.
348
+ Example for IMDSv1 credential theft:
349
+ ```bash
350
+ # Step 1: Confirm IMDSv1 accessible (from SSRF-vulnerable app or compromised instance)
351
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
352
+ # Expected output: role-name printed
353
+
354
+ # Step 2: Retrieve credentials
355
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>
356
+ # Expected output: {"AccessKeyId":"...","SecretAccessKey":"...","Token":"...","Expiration":"..."}
357
+
358
+ # Step 3: Confirm scope of compromise
359
+ AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... AWS_SESSION_TOKEN=... \
360
+ aws sts get-caller-identity
361
+ # Observed impact: full identity of instance role revealed; attacker can now call any API
362
+ # permitted by that role's attached policies
363
+ ```
364
+
365
+ 2. **Confirm the PoC reproduces the issue** — document the actual API response received.
366
+
367
+ 3. **Write the fix** — e.g., set `http_tokens = "required"` and `http_put_response_hop_limit = 1`
368
+ in the `metadata_options` block of the `aws_instance` resource.
369
+
370
+ 4. **Verify the PoC fails against the fix:**
371
+ ```bash
372
+ # After fix applied and instance refreshed:
373
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
374
+ # Expected: 401 Unauthorized — confirms IMDSv2 enforcement working
375
+ ```
376
+
377
+ 5. **Record in findings JSON:**
378
+ ```json
379
+ {
380
+ "findingId": "AWS-IMDS-001",
381
+ "severity": "CRITICAL",
382
+ "exploitPoC": "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE> returns live credentials",
383
+ "fixApplied": "http_tokens = required, hop_limit = 1",
384
+ "pocFailsPostFix": true
385
+ }
386
+ ```
387
+
388
+ **PoC skipping = finding severity downgraded to MEDIUM automatically.**
389
+ This is enforced by the orchestrator at findings merge time.
390
+
391
+ ---
392
+
393
+ ## §PROJECT-ESCALATION
394
+
395
+ Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` flag and
396
+ halt normal scan progression when ANY of the following are discovered:
397
+
398
+ 1. **Live AWS credentials present in source code or git history** — any `AKIA`, `ASIA`, or
399
+ `AROA` prefixed string found in `.tf`, `.env`, `.json`, `.ts`, `.py`, or git log output.
400
+ The full run must pause; credentials must be rotated before analysis continues.
401
+
402
+ 2. **IAM policy granting `AdministratorAccess` to a public-facing service role** — e.g., a
403
+ Lambda function URL with `AuthType = NONE` whose execution role has `AdministratorAccess`.
404
+ This is a complete account takeover vector requiring immediate remediation.
405
+
406
+ 3. **S3 bucket containing production data confirmed publicly readable** — any `aws_s3_bucket`
407
+ where Block Public Access is disabled AND a `GetObject` action is permissible by `Principal: *`
408
+ in the bucket policy. Stop and escalate; data may already be exfiltrated.
409
+
410
+ 4. **CloudTrail logging disabled or deleted in all regions** — if the multi-region trail
411
+ is absent or `enable_logging = false`, the account has no forensic record of recent API calls.
412
+ Escalate immediately; this may indicate an active attacker covering tracks.
413
+
414
+ 5. **EKS cluster with `cluster-admin` ClusterRoleBinding to a service account in a non-system namespace** —
415
+ this grants full Kubernetes API access to any pod in that namespace, which combined with any
416
+ container escape CVE is a full cluster compromise path.
417
+
418
+ 6. **AWS SSO / IAM Identity Center permission set with `AdministratorAccess` assigned to more
419
+ than 5 users or a group containing external identities** — over-broad SSO permissions combined
420
+ with identity provider compromise (e.g., Okta breach) gives attackers admin access to every
421
+ account in the AWS Organization.
422
+
423
+ 7. **KMS key deletion scheduled with a pending window of less than 7 days** — active key deletion
424
+ may render encrypted production data permanently inaccessible; confirm this is authorized
425
+ and not an attacker performing destructive ransomware-style action.
426
+
427
+ 8. **AWS Organizations SCP absence** — if no Service Control Policies are attached to any OU,
428
+ individual account IAM policies are the only guardrail. Any account-level IAM misconfiguration
429
+ then has no organizational backstop. Escalate as an architectural CRITICAL.
430
+
431
+ ---
432
+
433
+ ## §EDGE-CASE-MATRIX
434
+
435
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
436
+
437
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
438
+ |---|-----------|----------------------|---------------|
439
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
440
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
441
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
442
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
443
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
444
+
445
+ ---
446
+
447
+ ## §TEMPORAL-THREATS
448
+
449
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
450
+
451
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
452
+ |--------|--------------|--------------------------|----------------|
453
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
454
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
455
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
456
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
457
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
458
+
459
+ ---
460
+
461
+ ## §DETECTION-GAP
462
+
463
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
464
+
465
+ **Standard gaps that MUST be checked:**
466
+
467
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
468
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
469
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
470
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
471
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
472
+
473
+ **AWS-specific detection gaps:**
474
+
475
+ - **CloudTrail `eventSource: s3.amazonaws.com` with `eventName: GetObject` at high volume**: CloudTrail data events for S3 are disabled by default and cost extra. Without them, bulk S3 exfiltration via `GetObject` is completely invisible. Enable S3 data events on all buckets containing sensitive data and alert on > 1000 `GetObject` calls in 5 minutes from a single principal.
476
+ - **AssumeRole chains crossing account boundaries**: A single CloudTrail event shows the AssumeRole call but not what the assumed role does in the target account. Need: CloudTrail aggregation across all accounts in the AWS Organization via CloudTrail Lake or a centralised S3 trail to correlate multi-account lateral movement.
477
+ - **Lambda cold-start exfiltration**: An attacker who has injected code into a Lambda dependency (supply chain) can exfiltrate credentials during the cold-start init phase before the function handler runs. This does not generate application-layer logs. Need: Lambda extension-level telemetry or eBPF-based network monitoring at the Lambda execution environment level.
478
+
479
+ ---
480
+
481
+ ## §ZERO-MISS-MANDATE
482
+
483
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
484
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
485
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
486
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
487
+
488
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
489
+
490
+ The output findings JSON MUST include a `coverageManifest` key:
491
+ ```json
492
+ {
493
+ "coverageManifest": {
494
+ "attackClassesCovered": [{ "class": "IAM Privilege Escalation", "filesReviewed": 23, "patterns": ["iam:PassRole", "iam:CreatePolicy", "iam:AttachRolePolicy"], "result": "CLEAN" }],
495
+ "filesReviewed": 47,
496
+ "negativeAssertions": ["IMDSv1 Access: http_tokens pattern searched across 23 .tf files — 0 non-required instances"],
497
+ "uncoveredReason": {}
498
+ }
499
+ }
500
+ ```
501
+
502
+ ---
503
+
504
+ ## LEARNING SIGNAL
505
+
506
+ On every finding resolved, emit:
507
+ ```json
508
+ {
509
+ "findingId": "FINDING_ID",
510
+ "agentName": "aws-penetration-tester",
511
+ "resolved": true,
512
+ "remediationTemplate": "one-line description of what was done",
513
+ "falsePositive": false
514
+ }
515
+ ```
516
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
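Review bot: The IRSA finding in section 2 of the added skill text keys on `token.actions.githubusercontent.com:aud`, which is the GitHub Actions OIDC issuer, not the EKS cluster issuer that the section and its own `grep -r "oidc.eks"` test target; an EKS IRSA trust policy pins `"oidc.eks.<region>.amazonaws.com/id/<ID>:aud": "sts.amazonaws.com"` plus the matching `:sub` for the service account, so as written the criterion never matches a correct trust policy and rates every one CRITICAL. In the same test block the second command greps `http_tokens` while its comment claims to verify the hop limit (that is `http_put_response_hop_limit`, used correctly in section 3), and the heading's "CVE-2024-21626 Class" label attaches a runc container-escape CVE to a trust-policy misconfiguration that the body itself treats as a separate vector; drop the label or move the runc point into its own item. The section 5 retention test, `grep -r "retention_in_days" . --include="*.tf" | grep -v "retention_in_days"`, filters out every line it just matched and always prints nothing; mirror the `kms_key_id` check beside it, `grep -rL "retention_in_days" . --include="*.tf" | xargs grep -l "aws_cloudwatch_log_group"`, and separately flag `retention_in_days = 0`. Checklist item 5 has the same class of bug: piping `-A10` context through `grep -v ExternalId` prints every non-ExternalId line of every trust policy instead of isolating policies that lack the condition, so it needs a per-file or per-resource-block test. Minor: section 6 describes KMS signing keys as exposed to harvest-now-decrypt-later, but captured signatures are not decrypted later; the post-quantum risk to RS256 tokens and signed artifacts is forgery once a CRQC exists, which is exactly what the recommended sub-24-hour token lifetime addresses, so the HIGH rating for long-lived signatures should be framed as forgery risk.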