security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -20,6 +20,15 @@ a compromised Lambda to full account takeover. You know every `iam:PassRole` abu
20
20
  Find every AWS misconfiguration that could allow privilege escalation, data exfiltration,
21
21
  or account compromise. Write the Terraform fix or IAM policy correction inline.
22
22
 
23
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
24
+
25
+ The `infra.ts` and `iac.ts` detection modules (`src/gate/checks/infra.ts`, `src/gate/checks/iac.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the Terraform/IAM policy), not just advise:
26
+
27
+ - **Cross-file / data-flow reasoning the regex can't do:** `iam:PassRole` granted in one policy file + `lambda:CreateFunction` (or `ec2:RunInstances`) in a role it can assume in another = a full privilege-escalation chain no single-line grep flags.
28
+ - **Semantic / effective-state analysis:** compute the *effective* permissions and blast radius of each role across its full assume-role/trust-policy graph — an `Owner`-equivalent reachable from a Lambda with a public Function URL is the real finding, not the wildcard in isolation.
29
+ - **External corroboration:** use WebSearch/WebFetch for current AWS Security Bulletins, HackTricks Cloud escalation techniques, and CVEs for detected service versions (e.g. runc/EKS).
30
+ - **Apply & prove:** write the fix inline (scope `PassRole` with `iam:PassedToService`, enforce IMDSv2 `http_tokens=required` + hop limit 1, add `ExternalId`), re-run the `infra.ts`/`iac.ts` checks plus tfsec/checkov as a regression floor, then re-audit the escalation graph semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
31
+
23
32
  ## EXECUTION
24
33
 
25
34
  1. Scan all Terraform, CloudFormation, CDK, and serverless.yml files for AWS resources
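Review bot: the new BEYOND THE CHECKS section (new lines 23–30) points readers at `src/gate/checks/infra.ts` and `src/gate/checks/iac.ts`, but the package only ships the compiled `package/dist/gate/checks/infra.js` and `iac.js` listed in the file table, so the skill should name the shipped modules or state that the TypeScript sources are not part of the npm artifact. Two further points on the same hunk. First, "APPLY the fix (Edit the Terraform/IAM policy), not just advise" combined with unrestricted WebSearch/WebFetch for "current AWS Security Bulletins, HackTricks Cloud escalation techniques" turns an audit skill into an agent that rewrites infrastructure code on the basis of fetched web content; the skill should require an explicit operator confirmation or a dry-run/diff mode before any edit, and treat fetched text as untrusted input rather than instructions. Second, the "Apply & prove" bullet lists `http_put_response_hop_limit` 1 as a default fix while the same bullet asks that behaviour-changing fixes be surfaced as trade-offs: a hop limit of 1 blocks IMDSv2 from containers whose traffic crosses a bridge network to the host, so that fix is exactly the kind that needs the explicit trade-off note, and the bullet should say so instead of presenting it as unconditional.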
@@ -58,3 +67,504 @@ If internet permitted:
58
67
  - Blast radius: exactly what is accessible if this is exploited
59
68
  - Privilege escalation chain (if applicable)
60
69
  - Fixed Terraform/IAM policy written inline
70
+
71
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
72
+ ```json
73
+ {
74
+ "intelligenceForOtherAgents": {
75
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
76
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
77
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
78
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
79
+ }
80
+ }
81
+ ```
82
+
83
+ ---
84
+
85
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
86
+
87
+ ### 1. IAM Privilege Escalation via `iam:PassRole` + Service Chaining (Rhino Security Labs Technique)
88
+
89
+ **Technique:** An attacker with `iam:PassRole` and `ec2:RunInstances` (or `lambda:CreateFunction`,
90
+ `glue:CreateJob`, `sagemaker:CreateTrainingJob`, etc.) can pass a more-privileged role to a new
91
+ service resource, then execute code under that role — bypassing policy boundaries entirely.
92
+
93
+ **Test:** Search all IAM policies for the combination of `iam:PassRole` co-existing with any
94
+ service creation action. Run:
95
+ ```bash
96
+ grep -r "iam:PassRole" . --include="*.tf" --include="*.json" -l
97
+ ```
98
+ Then for each hit, check whether the same policy or any role it can assume also grants
99
+ `ec2:RunInstances`, `lambda:CreateFunction`, `glue:CreateJob`, `ecs:RunTask`, or
100
+ `sagemaker:CreateTrainingJob`.
101
+
102
+ **Finding:** Any policy where `iam:PassRole` scope is `"Resource": "*"` with no condition
103
+ keys (`aws:RequestedRegion`, `iam:PassedToService`) is an automatic HIGH. If a service creation
104
+ action is co-located, escalate to CRITICAL.
105
+
106
+ **Fix:** Restrict `iam:PassRole` to specific role ARNs and add condition:
107
+ ```json
108
+ "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } }
109
+ ```
110
+
111
+ ---
112
+
113
+ ### 2. EKS Pod Identity / IRSA Token Audience Confusion (CVE-2024-21626 Class)
114
+
115
+ **Technique:** EKS IRSA (IAM Roles for Service Accounts) tokens include an `aud` claim. If the
116
+ OIDC provider trust policy does not pin `sts.amazonaws.com` as the sole audience AND the service
117
+ account annotation is overly broad, a malicious pod in a lower-privilege namespace can forge
118
+ requests to STS using ambient IRSA tokens. Additionally, container escape via `runc` path
119
+ traversal (CVE-2024-21626) can reach the host IRSA token file before it is rotated.
120
+
121
+ **Test:**
122
+ ```bash
123
+ # Check OIDC trust policy audience restriction
124
+ grep -r "oidc.eks" . --include="*.tf" -A10 | grep -E '"aud"|Audience'
125
+ # Verify hop limit enforced (mitigates SSRF → IMDS token theft)
126
+ grep -r "http_tokens" . --include="*.tf" | grep -v "required"
127
+ ```
128
+
129
+ **Finding:** Any IRSA trust policy missing `StringEquals` on `token.actions.githubusercontent.com:aud`
130
+ or without `sub` condition pinned to the specific service account is CRITICAL.
131
+
132
+ ---
133
+
134
+ ### 3. S3 Server-Side Request Forgery to IMDS Credential Theft Chain
135
+
136
+ **Technique:** An application-level SSRF vulnerability that can reach `169.254.169.254` bypasses
137
+ IMDSv1 controls entirely if the EC2 metadata hop limit is set to 2 (default before December 2019).
138
+ The attacker retrieves temporary IAM credentials for the instance profile, then calls STS to
139
+ confirm the role, and escalates.
140
+
141
+ **Test:**
142
+ ```bash
143
+ # Confirm IMDSv2 hop-limit is 1 (mandatory)
144
+ grep -r "http_put_response_hop_limit" . --include="*.tf" | grep -v "= 1"
145
+ grep -r "metadata_options" . --include="*.tf" -A5
146
+ # Grep for missing metadata_options block entirely
147
+ grep -rL "metadata_options" . --include="*.tf" | xargs grep -l "aws_instance"
148
+ ```
149
+
150
+ **Finding:** Any `aws_instance` or `aws_launch_template` without `metadata_options { http_tokens = "required" http_put_response_hop_limit = 1 }` is CRITICAL if the application has any HTTP fetch capability.
151
+
152
+ ---
153
+
154
+ ### 4. AWS CodeBuild / CodePipeline Supply Chain Injection
155
+
156
+ **Technique (Supply Chain / Emerging Threat):** An attacker with write access to a dependency
157
+ source (npm, pip, Maven) that CodeBuild fetches during `buildspec.yml` execution can inject
158
+ malicious code that runs in the CodeBuild environment — which typically holds credentials for
159
+ S3, ECR, and deployment roles. This is the AWS-native form of the SolarWinds / XZ Utils
160
+ supply-chain attack pattern.
161
+
162
+ **Test:**
163
+ ```bash
164
+ # Check buildspec.yml for unpinned dependencies
165
+ find . -name "buildspec.yml" -o -name "buildspec.yaml" | xargs grep -E "npm install|pip install|gem install" | grep -v "@[0-9]"
166
+ # Check CodeBuild role scope
167
+ grep -r "codebuild" . --include="*.tf" -A30 | grep -E "AdministratorAccess|PowerUserAccess|\*"
168
+ ```
169
+
170
+ **Finding:** Any CodeBuild `buildspec.yml` that installs packages without pinned versions AND
171
+ the CodeBuild execution role has IAM write, S3 write, or ECR push permissions is a CRITICAL
172
+ supply-chain risk.
173
+
174
+ **Emerging Threat Context:** AI-generated package names hallucinated by LLM coding assistants
175
+ create phantom package names that attackers register ("AI-assisted dependency confusion"). Check
176
+ all `package.json`, `requirements.txt`, and `pom.xml` for packages with zero download history.
177
+
178
+ ---
179
+
180
+ ### 5. Secrets Manager / Parameter Store Plaintext Logging via CloudWatch
181
+
182
+ **Technique:** When application code retrieves a secret via `GetSecretValue` or `GetParameter`,
183
+ some logging frameworks (especially structured loggers that serialize the entire SDK response
184
+ object) will log the `SecretString` field to CloudWatch Logs. This creates a secondary plaintext
185
+ secret store with longer retention and broader IAM read access than the original secret.
186
+
187
+ **Test:**
188
+ ```bash
189
+ # Find CloudWatch log groups with long or infinite retention
190
+ grep -r "retention_in_days" . --include="*.tf" | grep -v "retention_in_days"
191
+ # Find log group missing encryption
192
+ grep -rL "kms_key_id" . --include="*.tf" | xargs grep -l "aws_cloudwatch_log_group"
193
+ # Find application code that may log full SDK response
194
+ grep -rn "GetSecretValue\|get_secret_value" . --include="*.ts" --include="*.py" --include="*.js" -A3 | grep -i "log\|console\|print"
195
+ ```
196
+
197
+ **Finding:** Any CloudWatch log group without KMS encryption AND retention > 90 days that is
198
+ accessible by a log group with loose IAM read policy is HIGH. Add `kms_key_id` and set
199
+ `retention_in_days = 30` minimum.
200
+
201
+ ---
202
+
203
+ ### 6. Post-Quantum Threat: AWS KMS RSA Key Usage in Long-Lived Signed Artifacts
204
+
205
+ **Technique (Post-Quantum / Emerging Threat):** AWS KMS RSA_2048 and RSA_4096 keys used for
206
+ signing (S3 object signatures, CloudFront signed URLs, JWT RS256 tokens) are vulnerable to
207
+ harvest-now-decrypt-later attacks. An adversary collecting signed tokens today can break the
208
+ signatures when a cryptographically relevant quantum computer (CRQC) is available (estimated
209
+ 2028–2032 per NIST). AWS KMS does not yet offer ML-DSA (FIPS 204) signing keys natively, but
210
+ hybrid approaches using application-layer ML-DSA signatures alongside KMS are available.
211
+
212
+ **Test:**
213
+ ```bash
214
+ # Find all KMS keys configured for SIGN_VERIFY with RSA
215
+ grep -rn "key_usage.*SIGN_VERIFY\|customer_master_key_spec.*RSA" . --include="*.tf"
216
+ # Find CloudFront signed URL configurations
217
+ grep -rn "trusted_key_groups\|trusted_signers" . --include="*.tf"
218
+ # Find JWT libraries using RS256
219
+ grep -rn "RS256\|RS384\|RS512" . --include="*.ts" --include="*.py" --include="*.js"
220
+ ```
221
+
222
+ **Finding:** Any KMS RSA signing key used for tokens or artifacts with validity > 1 year is HIGH
223
+ with a post-quantum risk note. Recommend migration plan to ML-DSA when AWS KMS supports it and
224
+ interim mitigation of shortening token lifetimes to < 24 hours.
225
+
226
+ ---
227
+
228
+ ### 7. GuardDuty Suppression Rules Creating Detection Blind Spots
229
+
230
+ **Technique:** GuardDuty suppression rules (filter rules with auto-archive action) are commonly
231
+ created to suppress noisy findings from trusted CI/CD IP ranges or pentest suites. An attacker
232
+ who discovers a suppressed CIDR block (via leaked Terraform state or CloudFormation outputs) can
233
+ route their attacks through a VPN endpoint in that CIDR to evade GuardDuty detection entirely.
234
+
235
+ **Test:**
236
+ ```bash
237
+ # Find GuardDuty filter/suppression rules in Terraform
238
+ grep -rn "aws_guardduty_filter\|aws_guardduty_publishing_destination" . --include="*.tf" -A20
239
+ # Check for overly broad suppression (entire RFC 1918 ranges)
240
+ grep -rn "criterion\|equal_to\|gte\|lte" . --include="*.tf" | grep -E "10\.|172\.16|192\.168" -A3
241
+ ```
242
+
243
+ **Finding:** Any GuardDuty suppression rule that archives findings by CIDR block broader than /28
244
+ or by `ipAddressV4` containing a public IP range is HIGH. Each suppression rule must be documented
245
+ with a business justification and reviewed quarterly.
246
+
247
+ ---
248
+
249
+ ### 8. AI-Assisted Attack Surface: Bedrock / SageMaker IAM Over-Privilege
250
+
251
+ **Technique (AI-Assisted / Emerging Threat):** AWS Bedrock and SageMaker endpoints are increasingly
252
+ used in production. Their execution roles commonly receive `s3:GetObject` on training data buckets
253
+ or `s3:PutObject` on output buckets. An attacker who achieves prompt injection via a Bedrock Agent
254
+ invocation can exfiltrate the model's execution role credentials via the agent's code interpreter
255
+ tool — a novel SSRF-via-LLM attack class documented in AWS threat research (2024).
256
+
257
+ **Test:**
258
+ ```bash
259
+ # Find Bedrock agent and model execution roles
260
+ grep -rn "bedrock\|sagemaker" . --include="*.tf" -A30 | grep -E "iam_role_arn|role_arn|execution_role"
261
+ # Check if Bedrock agent action groups include code execution
262
+ grep -rn "AMAZON.CodeInterpreter\|action_group_executor" . --include="*.tf" --include="*.json"
263
+ # Verify Bedrock Guardrails configured
264
+ grep -rn "aws_bedrock_guardrail" . --include="*.tf"
265
+ ```
266
+
267
+ **Finding:** Any Bedrock Agent with `AMAZON.CodeInterpreter` action group enabled AND an execution
268
+ role that has `s3:GetObject` or `sts:AssumeRole` on scopes beyond the agent's dedicated bucket is
269
+ CRITICAL — this is an exploitable AI prompt-injection-to-credential-theft chain.
270
+
271
+ ---
272
+
273
+ ## §AWS_PENETRATION_TESTER-CHECKLIST
274
+
275
+ 1. **IAM Wildcard Actions in Customer-Managed Policies**
276
+ Mechanism: `"Action": "*"` or `"Action": "iam:*"` in any non-AWS-managed policy grants full
277
+ admin equivalent. Grep: `grep -rn '"Action": "\*"' . --include="*.tf" --include="*.json"`.
278
+ Finding: Any hit outside `AdministratorAccess` managed policy is CRITICAL.
279
+
280
+ 2. **S3 Block Public Access Disabled at Account Level**
281
+ Mechanism: Account-level Block Public Access can be disabled separately from bucket-level,
282
+ allowing bucket ACLs or policies to re-enable public access. Grep:
283
+ `grep -rn "aws_s3_account_public_access_block" . --include="*.tf"` — absence of this resource
284
+ in the account Terraform is a HIGH finding. All four `block_*` attributes must be `true`.
285
+
286
+ 3. **Lambda Function URLs with AuthType NONE**
287
+ Mechanism: `aws_lambda_function_url` with `authorization_type = "NONE"` exposes the Lambda
288
+ directly to the internet with no IAM authentication. Grep:
289
+ `grep -rn "authorization_type" . --include="*.tf" | grep -i "none"`.
290
+ Finding: Any match is CRITICAL unless the Lambda explicitly implements its own auth layer
291
+ with documented evidence.
292
+
293
+ 4. **EC2 Instance Metadata Service v1 (IMDSv1) Still Accessible**
294
+ Mechanism: IMDSv1 requires no session token, making it trivially reachable from any SSRF.
295
+ Grep: `grep -rn "http_tokens" . --include="*.tf" | grep -v "required"` plus check for
296
+ `aws_instance` resources missing `metadata_options` entirely.
297
+ Finding: Any instance without `http_tokens = "required"` and `http_put_response_hop_limit = 1`
298
+ is CRITICAL.
299
+
300
+ 5. **Cross-Account AssumeRole Without ExternalId Condition**
301
+ Mechanism: A trust policy allowing `sts:AssumeRole` from a foreign account principal without
302
+ `sts:ExternalId` condition enables the confused deputy attack — any AWS service in the trusting
303
+ account can assume the role. Grep:
304
+ `grep -rn "sts:AssumeRole" . --include="*.tf" --include="*.json" -A10 | grep -v ExternalId`.
305
+ Finding: Any cross-account trust without `ExternalId` condition is HIGH.
306
+
307
+ 6. **CloudTrail Multi-Region Trail Disabled or Trail Deleted**
308
+ Mechanism: A single-region CloudTrail misses global service events (IAM, STS, CloudFront).
309
+ An attacker deleting the trail has a 15-minute window of unlogged activity.
310
+ Grep: `grep -rn "is_multi_region_trail" . --include="*.tf" | grep "false"`.
311
+ Finding: `is_multi_region_trail = false` or absence of `enable_log_file_validation = true` is HIGH.
312
+
313
+ 7. **Security Group Ingress from 0.0.0.0/0 on Non-80/443 Ports**
314
+ Mechanism: SSH (22), RDP (3389), database ports (3306, 5432, 1433, 27017, 6379) open to the
315
+ internet provide direct attack surface. Grep:
316
+ `grep -rn "cidr_blocks.*0.0.0.0/0" . --include="*.tf" -B5 | grep -E "from_port|to_port"`.
317
+ Finding: Any non-HTTP/S port open to `0.0.0.0/0` is CRITICAL.
318
+
319
+ 8. **RDS Snapshot Publicly Restorable**
320
+ Mechanism: `aws_db_snapshot` with `shared_accounts = ["all"]` or `publicly_accessible = true`
321
+ on the RDS instance allows any AWS account to restore a full copy of the database.
322
+ Grep: `grep -rn "publicly_accessible" . --include="*.tf" | grep "true"`.
323
+ Finding: Any RDS instance or snapshot with `publicly_accessible = true` is CRITICAL.
324
+
325
+ 9. **KMS Key Rotation Disabled on Customer-Managed Keys**
326
+ Mechanism: Without annual key rotation, a compromised KMS key or HSM breach exposes all
327
+ historical ciphertext. Grep:
328
+ `grep -rn "enable_key_rotation" . --include="*.tf" | grep "false"` plus absence check.
329
+ Finding: Any CMK without `enable_key_rotation = true` is HIGH.
330
+
331
+ 10. **CodeBuild Environment Variable Secrets (Plaintext)**
332
+ Mechanism: Secrets in CodeBuild `environment_variable` blocks with `type = "PLAINTEXT"` appear
333
+ in CloudWatch Logs, build outputs, and AWS Console in cleartext. Grep:
334
+ `grep -rn "PLAINTEXT" . --include="*.tf" -B2 | grep -i "secret\|password\|token\|key\|api"`.
335
+ Finding: Any secret-like environment variable with `type = "PLAINTEXT"` is HIGH; use
336
+ `PARAMETER_STORE` or `SECRETS_MANAGER` type instead.
337
+
338
+ 11. **EKS Cluster Public API Endpoint Without CIDR Restriction**
339
+ Mechanism: `endpoint_public_access = true` with `public_access_cidrs = ["0.0.0.0/0"]` exposes
340
+ the Kubernetes API server to brute force, credential stuffing, and CVE exploitation from anywhere.
341
+ Grep: `grep -rn "endpoint_public_access\|public_access_cidrs" . --include="*.tf"`.
342
+ Finding: Public endpoint without explicit CIDR allowlist (not `0.0.0.0/0`) is HIGH.
343
+
344
+ 12. **SNS / SQS Resource Policy Allowing Any Principal**
345
+ Mechanism: `"Principal": "*"` in an SNS topic or SQS queue resource policy with no
346
+ `aws:SourceAccount` or `aws:SourceArn` condition allows any AWS account to publish/subscribe.
347
+ Grep: `grep -rn '"Principal": "\*"' . --include="*.tf" --include="*.json" -A5 | grep -v Condition`.
348
+ Finding: Any match on SNS/SQS/Secrets Manager resource policy is HIGH.
349
+
350
+ ---
351
+
352
+ ## §POC-REQUIREMENT
353
+
354
+ For every CRITICAL or HIGH finding in this domain:
355
+
356
+ 1. **Write the working PoC FIRST** — exact payload, exact CLI command, observed impact.
357
+ Example for IMDSv1 credential theft:
358
+ ```bash
359
+ # Step 1: Confirm IMDSv1 accessible (from SSRF-vulnerable app or compromised instance)
360
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
361
+ # Expected output: role-name printed
362
+
363
+ # Step 2: Retrieve credentials
364
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>
365
+ # Expected output: {"AccessKeyId":"...","SecretAccessKey":"...","Token":"...","Expiration":"..."}
366
+
367
+ # Step 3: Confirm scope of compromise
368
+ AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... AWS_SESSION_TOKEN=... \
369
+ aws sts get-caller-identity
370
+ # Observed impact: full identity of instance role revealed; attacker can now call any API
371
+ # permitted by that role's attached policies
372
+ ```
373
+
374
+ 2. **Confirm the PoC reproduces the issue** — document the actual API response received.
375
+
376
+ 3. **Write the fix** — e.g., set `http_tokens = "required"` and `http_put_response_hop_limit = 1`
377
+ in the `metadata_options` block of the `aws_instance` resource.
378
+
379
+ 4. **Verify the PoC fails against the fix:**
380
+ ```bash
381
+ # After fix applied and instance refreshed:
382
+ curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
383
+ # Expected: 401 Unauthorized — confirms IMDSv2 enforcement working
384
+ ```
385
+
386
+ 5. **Record in findings JSON:**
387
+ ```json
388
+ {
389
+ "findingId": "AWS-IMDS-001",
390
+ "severity": "CRITICAL",
391
+ "exploitPoC": "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE> returns live credentials",
392
+ "fixApplied": "http_tokens = required, hop_limit = 1",
393
+ "pocFailsPostFix": true
394
+ }
395
+ ```
396
+
397
+ **PoC skipping = finding severity downgraded to MEDIUM automatically.**
398
+ This is enforced by the orchestrator at findings merge time.
399
+
400
+ ---
401
+
402
+ ## §PROJECT-ESCALATION
403
+
404
+ Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` flag and
405
+ halt normal scan progression when ANY of the following are discovered:
406
+
407
+ 1. **Live AWS credentials present in source code or git history** — any `AKIA`, `ASIA`, or
408
+ `AROA` prefixed string found in `.tf`, `.env`, `.json`, `.ts`, `.py`, or git log output.
409
+ The full run must pause; credentials must be rotated before analysis continues.
410
+
411
+ 2. **IAM policy granting `AdministratorAccess` to a public-facing service role** — e.g., a
412
+ Lambda function URL with `AuthType = NONE` whose execution role has `AdministratorAccess`.
413
+ This is a complete account takeover vector requiring immediate remediation.
414
+
415
+ 3. **S3 bucket containing production data confirmed publicly readable** — any `aws_s3_bucket`
416
+ where Block Public Access is disabled AND a `GetObject` action is permissible by `Principal: *`
417
+ in the bucket policy. Stop and escalate; data may already be exfiltrated.
418
+
419
+ 4. **CloudTrail logging disabled or deleted in all regions** — if the multi-region trail
420
+ is absent or `enable_logging = false`, the account has no forensic record of recent API calls.
421
+ Escalate immediately; this may indicate an active attacker covering tracks.
422
+
423
+ 5. **EKS cluster with `cluster-admin` ClusterRoleBinding to a service account in a non-system namespace** —
424
+ this grants full Kubernetes API access to any pod in that namespace, which combined with any
425
+ container escape CVE is a full cluster compromise path.
426
+
427
+ 6. **AWS SSO / IAM Identity Center permission set with `AdministratorAccess` assigned to more
428
+ than 5 users or a group containing external identities** — over-broad SSO permissions combined
429
+ with identity provider compromise (e.g., Okta breach) gives attackers admin access to every
430
+ account in the AWS Organization.
431
+
432
+ 7. **KMS key deletion scheduled with a pending window of less than 7 days** — active key deletion
433
+ may render encrypted production data permanently inaccessible; confirm this is authorized
434
+ and not an attacker performing destructive ransomware-style action.
435
+
436
+ 8. **AWS Organizations SCP absence** — if no Service Control Policies are attached to any OU,
437
+ individual account IAM policies are the only guardrail. Any account-level IAM misconfiguration
438
+ then has no organizational backstop. Escalate as an architectural CRITICAL.
439
+
440
+ ---
441
+
442
+ ## §EDGE-CASE-MATRIX
443
+
444
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
445
+
446
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
447
+ |---|-----------|----------------------|---------------|
448
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
449
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
450
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
451
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
452
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
453
+
454
+ ---
455
+
456
+ ## §TEMPORAL-THREATS
457
+
458
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
459
+
460
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
461
+ |--------|--------------|--------------------------|----------------|
462
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
463
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
464
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
465
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
466
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
467
+
468
+ ---
469
+
470
+ ## §DETECTION-GAP
471
+
472
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
473
+
474
+ **Standard gaps that MUST be checked:**
475
+
476
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
477
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
478
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
479
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
480
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
481
+
482
+ **AWS-specific detection gaps:**
483
+
484
+ - **CloudTrail `eventSource: s3.amazonaws.com` with `eventName: GetObject` at high volume**: CloudTrail data events for S3 are disabled by default and cost extra. Without them, bulk S3 exfiltration via `GetObject` is completely invisible. Enable S3 data events on all buckets containing sensitive data and alert on > 1000 `GetObject` calls in 5 minutes from a single principal.
485
+ - **AssumeRole chains crossing account boundaries**: A single CloudTrail event shows the AssumeRole call but not what the assumed role does in the target account. Need: CloudTrail aggregation across all accounts in the AWS Organization via CloudTrail Lake or a centralised S3 trail to correlate multi-account lateral movement.
486
+ - **Lambda cold-start exfiltration**: An attacker who has injected code into a Lambda dependency (supply chain) can exfiltrate credentials during the cold-start init phase before the function handler runs. This does not generate application-layer logs. Need: Lambda extension-level telemetry or eBPF-based network monitoring at the Lambda execution environment level.
487
+
488
+ ---
489
+
490
+ ## §ZERO-MISS-MANDATE
491
+
492
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
493
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
494
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
495
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
496
+
497
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
498
+
499
+ The output findings JSON MUST include a `coverageManifest` key:
500
+ ```json
501
+ {
502
+ "coverageManifest": {
503
+ "attackClassesCovered": [{ "class": "IAM Privilege Escalation", "filesReviewed": 23, "patterns": ["iam:PassRole", "iam:CreatePolicy", "iam:AttachRolePolicy"], "result": "CLEAN" }],
504
+ "filesReviewed": 47,
505
+ "negativeAssertions": ["IMDSv1 Access: http_tokens pattern searched across 23 .tf files — 0 non-required instances"],
506
+ "uncoveredReason": {}
507
+ }
508
+ }
509
+ ```
510
+
511
+ ---
512
+
513
+ ## LEARNING SIGNAL
514
+
515
+ On every finding resolved, emit:
516
+ ```json
517
+ {
518
+ "findingId": "FINDING_ID",
519
+ "agentName": "aws-penetration-tester",
520
+ "resolved": true,
521
+ "remediationTemplate": "one-line description of what was done",
522
+ "falsePositive": false
523
+ }
524
+ ```
525
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
526
+
527
+ ---
528
+
529
+ ## §AUTOHARDEN-RULESET
530
+
531
+ Your authoritative threat-rule set for AWS config drift is the registry at
532
+ `defaults/cloud-controls/aws.json`. It enumerates AWS FSBP + CIS AWS Foundations rules as
533
+ detections paired with auto-remediations. Treat each rule as an attack surface, not a compliance
534
+ checkbox: if a resource matches the insecure pattern it is exploitable — detect it, then fix it.
535
+
536
+ ### Execution
537
+
538
+ 1. Run the detect-and-remediate engine over the working tree:
539
+ `npx -y security-mcp@latest autoharden` (add `--dry-run` to preview). It rewrites Terraform in
540
+ place with the hardened config for every `set-attr`, `insert-block`, and `companion-resource`
541
+ rule, and reports `[MANUAL]` rules it could not safely auto-apply.
542
+ 2. Every auto-applied fix is verified by re-running that rule's own detector against the mutated
543
+ file before being kept; an edit that does not clear the finding is reverted and reported manual.
544
+ 3. For `[MANUAL]` rules (runtime-state like GuardDuty/root-MFA, or a 0.0.0.0/0 CIDR replacement that
545
+ needs a human-chosen allowlist), apply the emitted snippet via your existing inline-fix workflow.
546
+ 4. The read-only PR gate (`security.run_pr_gate` → the `cloud-controls` check) emits the same rules
547
+ as findings without mutating files — use it to confirm a clean tree post-fix.
548
+
549
+ ### Rule record contract (each entry in aws.json)
550
+
551
+ - `ruleId` — also the gate Finding id
552
+ - `threat` — the attack the misconfig enables (the "why")
553
+ - `frameworks` — e.g. ["AWS FSBP EC2.8", "CIS AWS Foundations Benchmark 5.6"] — context labels
554
+ - `detect` — { target, resourceType, forbid?, require?, requireCompanionType? }
555
+ - `remediate` — { strategy, ensure? | companion? | snippet? }
556
+
557
+ ### Worked example (auto-applied)
558
+
559
+ `AWS_EC2_IMDSV2_REQUIRED` — threat: SSRF → IMDSv1 → instance-profile credential theft. A bare
560
+ `aws_instance` with no `metadata_options` is rewritten to add
561
+ `metadata_options { http_tokens = "required", http_put_response_hop_limit = 1 }`; the detector then
562
+ re-scans the block and finds it clean.
563
+
564
+ ### Coverage discipline (ties into §ZERO-MISS-MANDATE)
565
+
566
+ You CANNOT declare AWS clean without running the full ruleset. For each rule output one of:
567
+ `APPLIED: <ruleId> | <file> | re-scan CLEAN`, `MANUAL: <ruleId> | snippet emitted | <reason>`,
568
+ `CLEAN: <ruleId> | 0 violations`, or `N/A: <ruleId> | not applicable: <evidence>`. Silent skip =
569
+ FAILED COVERAGE. To extend coverage, add a record to `defaults/cloud-controls/aws.json` — no code
570
+ change required; the engine consumes it on next run.
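Review bot: the §AUTOHARDEN-RULESET worked example writes the IMDSv2 remediation as `metadata_options { http_tokens = "required", http_put_response_hop_limit = 1 }`, which is not valid HCL (attributes inside a block are newline-separated, not comma-separated); since the section says the engine rewrites Terraform in place, show the multi-line block form or state that the inline form is shorthand, and add the caveat that `http_put_response_hop_limit = 1` also cuts off IMDS for containerised workloads on the instance that rely on the instance role, so that rule may need the `[MANUAL]` path on ECS/EKS hosts. In the Execution steps, `npx -y security-mcp@latest autoharden` runs an unpinned latest release of a tool that mutates the working tree; recommend a pinned version (and lockfile) for the same supply-chain reasons the §TEMPORAL-THREATS table asks teams to adopt SBOM and SLSA provenance. In the §TEMPORAL-THREATS CRQC row, "RSA/ECDSA keys signed today will be broken" mixes two concerns: harvest-now-decrypt-later threatens confidentiality (key exchange and at-rest encryption), which is what ML-KEM (FIPS 203) addresses, whereas RSA/ECDSA signatures face a forward-looking forgery risk whose replacement is ML-DSA (FIPS 204); the "Prepare Now By" cell should name the signature migration as well. The same table's claim that browser vendors will drop classical-only TLS in 2028–2030 has no source on the page and should be marked as an estimate or cited. In §EDGE-CASE-MATRIX row 2 the U+FF1C example renders as an ordinary ASCII `<`, so the row does not actually show the homoglyph it describes; use the literal fullwidth character or an explicit escape. Finally, §ZERO-MISS-MANDATE defines a `SKIPPED:` output line, but the `coverageManifest` example only shows an empty `"uncoveredReason": {}`; document its shape (attack class or ruleId mapped to the "not applicable: [evidence]" string) so skipped items are machine-checkable by the orchestrator.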