Cloud Security

Cloud Security taxonomy generated by the site skill importer.

17 skills
detecting-shadow-it-cloud-usage

by mukul975

detecting-shadow-it-cloud-usage helps identify unauthorized SaaS and cloud usage from proxy logs, DNS queries, and netflow. It classifies domains, compares them with approved lists, and supports security audit workflows with structured evidence from the detecting-shadow-it-cloud-usage skill guide.

Security Audit
Favorites 0 | GitHub 6.2k
detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit
Favorites 0 | GitHub 6.2k
detecting-azure-service-principal-abuse

by mukul975

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

Security Audit
Favorites 0 | GitHub 6.1k
exploiting-server-side-request-forgery

by mukul975

The exploiting-server-side-request-forgery skill helps assess SSRF-prone features in authorized web targets, including URL fetchers, webhooks, preview tools, and cloud metadata access. It provides a guided workflow for detection, bypass testing, internal service probing, and Security Audit validation.

Security Audit
Favorites 0 | GitHub 0
detecting-oauth-token-theft

by mukul975

detecting-oauth-token-theft helps investigate OAuth token theft, replay, and session hijacking in Microsoft Entra ID and M365. Use this detecting-oauth-token-theft skill for Security Audit, incident response, and hardening reviews. It focuses on sign-in anomalies, suspicious scopes, new devices, and containment steps.

Security Audit
Favorites 0 | GitHub 0
detecting-cryptomining-in-cloud

by mukul975

detecting-cryptomining-in-cloud helps security teams detect unauthorized cryptomining in cloud workloads by correlating cost spikes, mining-port traffic, GuardDuty crypto findings, and runtime process evidence. Use it for triage, detection engineering, and Security Audit workflows.

Security Audit
Favorites 0 | GitHub 0
detecting-compromised-cloud-credentials

by mukul975

detecting-compromised-cloud-credentials is a cloud security skill for AWS, Azure, and GCP that helps confirm credential abuse, trace anomalous API activity, investigate impossible travel and suspicious logins, and scope incident impact with provider telemetry and alerts.

Security Audit
Favorites 0 | GitHub 0
detecting-cloud-threats-with-guardduty

by mukul975

detecting-cloud-threats-with-guardduty guides AWS teams through enabling Amazon GuardDuty, reviewing findings, and building automated response for cloud threats across accounts and workloads. It is useful for GuardDuty install, usage, and day-two operations in Cloud Architecture.

Cloud Architecture
Favorites 0 | GitHub 0
detecting-aws-cloudtrail-anomalies

by mukul975

detecting-aws-cloudtrail-anomalies helps analyze AWS CloudTrail activity for unusual API sources, first-time actions, high-frequency calls, and suspicious behavior tied to credential compromise or privilege escalation. Use it for structured anomaly detection with boto3, baselining, and event-field analysis.

Anomaly Detection
Favorites 0 | GitHub 0
conducting-cloud-penetration-testing

by mukul975

conducting-cloud-penetration-testing helps you plan and execute authorized cloud assessments across AWS, Azure, and GCP. Use it to find IAM misconfigurations, metadata exposure, public resources, and escalation paths, then turn results into a security audit report. It fits Security Audit workflows.

Security Audit
Favorites 0 | GitHub 0
conducting-cloud-incident-response

by mukul975

conducting-cloud-incident-response is a cloud incident response skill for AWS, Azure, and GCP. It focuses on identity-based containment, log review, resource isolation, and forensic evidence capture. Use it for suspicious API activity, compromised access keys, or cloud-hosted workload breaches when you need a practical conducting-cloud-incident-response guide.

Incident Response
Favorites 0 | GitHub 0
building-cloud-siem-with-sentinel

by mukul975

building-cloud-siem-with-sentinel is a practical guide for deploying Microsoft Sentinel as a cloud SIEM and SOAR layer. It covers multi-cloud log ingestion, KQL detections, incident investigation, and Logic Apps response playbooks for Security Audit and SOC operations. Use this building-cloud-siem-with-sentinel skill when you need a repo-backed starting point for centralized cloud security monitoring.

Security Audit
Favorites 0 | GitHub 0
auditing-kubernetes-cluster-rbac

by mukul975

auditing-kubernetes-cluster-rbac helps audit Kubernetes RBAC for overbroad roles, risky bindings, secret access, and privilege escalation paths. It is built for security audit workflows across EKS, GKE, AKS, and self-managed clusters, with practical guidance for kubectl, rbac-tool, KubiScan, and Kubeaudit.

Security Audit
Favorites 0 | GitHub 0
auditing-gcp-iam-permissions

by mukul975

auditing-gcp-iam-permissions helps review Google Cloud IAM access for risky bindings, primitive roles, public access, service account exposure, and cross-project paths. This access-control audit skill is built for evidence-driven reviews with gcloud, Cloud Asset, IAM Recommender, and Policy Analyzer.

Access Control
Favorites 0 | GitHub 0
auditing-cloud-with-cis-benchmarks

by mukul975

auditing-cloud-with-cis-benchmarks is a cloud Security Audit skill for AWS, Azure, and GCP. It helps you assess environments against CIS Foundations Benchmarks, review failed controls, and follow a repeatable path from findings to remediation using the skill guide, reference files, and agent patterns in the repo.

Security Audit
Favorites 0 | GitHub 0
auditing-azure-active-directory-configuration

by mukul975

The auditing-azure-active-directory-configuration skill helps review Microsoft Entra ID tenant security for risky authentication settings, admin role sprawl, stale accounts, Conditional Access gaps, guest exposure, and MFA coverage. It is designed for Security Audit workflows with Graph-based evidence and practical guidance.

Security Audit
Favorites 0 | GitHub 0
auditing-aws-s3-bucket-permissions

by mukul975

The auditing-aws-s3-bucket-permissions skill helps you audit AWS S3 buckets for public exposure, overly permissive ACLs, weak bucket policies, and missing encryption. Built for Security Audit workflows, it supports a repeatable least-privilege review with AWS CLI and boto3-oriented guidance, plus practical install and usage notes.

Security Audit
Favorites 0 | GitHub 0