CtrlK
BlogDocsLog inGet started
Tessl Logo

jbvc/security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

78

Quality

78%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

cloud-infrastructure-security.md

namedescription
cloud-infrastructure-securityUse this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices.

Cloud & Infrastructure Security Skill

This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards.

When to Activate

  • Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare)
  • Configuring IAM roles and permissions
  • Setting up CI/CD pipelines
  • Implementing infrastructure as code (Terraform, CloudFormation)
  • Configuring logging and monitoring
  • Managing secrets in cloud environments
  • Setting up CDN and edge security
  • Implementing disaster recovery and backup strategies

Cloud Security Checklist

1. IAM & Access Control

Principle of Least Privilege

# ✅ CORRECT: Minimal permissions
iam_role:
  permissions:
    - s3:GetObject  # Only read access
    - s3:ListBucket
  resources:
    - arn:aws:s3:::my-bucket/*  # Specific bucket only

# ❌ WRONG: Overly broad permissions
iam_role:
  permissions:
    - s3:*  # All S3 actions
  resources:
    - "*"  # All resources

Multi-Factor Authentication (MFA)

# ALWAYS enable MFA for root/admin accounts
aws iam enable-mfa-device \
  --user-name admin \
  --serial-number arn:aws:iam::123456789:mfa/admin \
  --authentication-code1 123456 \
  --authentication-code2 789012

Verification Steps

  • No root account usage in production
  • MFA enabled for all privileged accounts
  • Service accounts use roles, not long-lived credentials
  • IAM policies follow least privilege
  • Regular access reviews conducted
  • Unused credentials rotated or removed

2. Secrets Management

Cloud Secrets Managers

// ✅ CORRECT: Use cloud secrets manager
import { SecretsManager } from '@aws-sdk/client-secrets-manager';

const client = new SecretsManager({ region: 'us-east-1' });
const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
const apiKey = JSON.parse(secret.SecretString).key;

// ❌ WRONG: Hardcoded or in environment variables only
const apiKey = process.env.API_KEY; // Not rotated, not audited

Secrets Rotation

# Set up automatic rotation for database credentials
aws secretsmanager rotate-secret \
  --secret-id prod/db-password \
  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \
  --rotation-rules AutomaticallyAfterDays=30

Verification Steps

  • All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets)
  • Automatic rotation enabled for database credentials
  • API keys rotated at least quarterly
  • No secrets in code, logs, or error messages
  • Audit logging enabled for secret access

3. Network Security

VPC and Firewall Configuration

# ✅ CORRECT: Restricted security group
resource "aws_security_group" "app" {
  name = "app-sg"
  
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]  # Internal VPC only
  }
  
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # Only HTTPS outbound
  }
}

# ❌ WRONG: Open to the internet
resource "aws_security_group" "bad" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # All ports, all IPs!
  }
}

Verification Steps

  • Database not publicly accessible
  • SSH/RDP ports restricted to VPN/bastion only
  • Security groups follow least privilege
  • Network ACLs configured
  • VPC flow logs enabled

4. Logging & Monitoring

CloudWatch/Logging Configuration

// ✅ CORRECT: Comprehensive logging
import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';

const logSecurityEvent = async (event: SecurityEvent) => {
  await cloudwatch.putLogEvents({
    logGroupName: '/aws/security/events',
    logStreamName: 'authentication',
    logEvents: [{
      timestamp: Date.now(),
      message: JSON.stringify({
        type: event.type,
        userId: event.userId,
        ip: event.ip,
        result: event.result,
        // Never log sensitive data
      })
    }]
  });
};

Verification Steps

  • CloudWatch/logging enabled for all services
  • Failed authentication attempts logged
  • Admin actions audited
  • Log retention configured (90+ days for compliance)
  • Alerts configured for suspicious activity
  • Logs centralized and tamper-proof

5. CI/CD Pipeline Security

Secure Pipeline Configuration

# ✅ CORRECT: Secure GitHub Actions workflow
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Minimal permissions
      
    steps:
      - uses: actions/checkout@v4
      
      # Scan for secrets
      - name: Secret scanning
        uses: trufflesecurity/trufflehog@main
        
      # Dependency audit
      - name: Audit dependencies
        run: npm audit --audit-level=high
        
      # Use OIDC, not long-lived tokens
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
          aws-region: us-east-1

Supply Chain Security

// package.json - Use lock files and integrity checks
{
  "scripts": {
    "install": "npm ci",  // Use ci for reproducible builds
    "audit": "npm audit --audit-level=moderate",
    "check": "npm outdated"
  }
}

Verification Steps

  • OIDC used instead of long-lived credentials
  • Secrets scanning in pipeline
  • Dependency vulnerability scanning
  • Container image scanning (if applicable)
  • Branch protection rules enforced
  • Code review required before merge
  • Signed commits enforced

6. Cloudflare & CDN Security

Cloudflare Security Configuration

// ✅ CORRECT: Cloudflare Workers with security headers
export default {
  async fetch(request: Request): Promise<Response> {
    const response = await fetch(request);
    
    // Add security headers
    const headers = new Headers(response.headers);
    headers.set('X-Frame-Options', 'DENY');
    headers.set('X-Content-Type-Options', 'nosniff');
    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    headers.set('Permissions-Policy', 'geolocation=(), microphone=()');
    
    return new Response(response.body, {
      status: response.status,
      headers
    });
  }
};

WAF Rules

# Enable Cloudflare WAF managed rules
# - OWASP Core Ruleset
# - Cloudflare Managed Ruleset
# - Rate limiting rules
# - Bot protection

Verification Steps

  • WAF enabled with OWASP rules
  • Rate limiting configured
  • Bot protection active
  • DDoS protection enabled
  • Security headers configured
  • SSL/TLS strict mode enabled

7. Backup & Disaster Recovery

Automated Backups

# ✅ CORRECT: Automated RDS backups
resource "aws_db_instance" "main" {
  allocated_storage     = 20
  engine               = "postgres"
  
  backup_retention_period = 30  # 30 days retention
  backup_window          = "03:00-04:00"
  maintenance_window     = "mon:04:00-mon:05:00"
  
  enabled_cloudwatch_logs_exports = ["postgresql"]
  
  deletion_protection = true  # Prevent accidental deletion
}

Verification Steps

  • Automated daily backups configured
  • Backup retention meets compliance requirements
  • Point-in-time recovery enabled
  • Backup testing performed quarterly
  • Disaster recovery plan documented
  • RPO and RTO defined and tested

Pre-Deployment Cloud Security Checklist

Before ANY production cloud deployment:

  • IAM: Root account not used, MFA enabled, least privilege policies
  • Secrets: All secrets in cloud secrets manager with rotation
  • Network: Security groups restricted, no public databases
  • Logging: CloudWatch/logging enabled with retention
  • Monitoring: Alerts configured for anomalies
  • CI/CD: OIDC auth, secrets scanning, dependency audits
  • CDN/WAF: Cloudflare WAF enabled with OWASP rules
  • Encryption: Data encrypted at rest and in transit
  • Backups: Automated backups with tested recovery
  • Compliance: GDPR/HIPAA requirements met (if applicable)
  • Documentation: Infrastructure documented, runbooks created
  • Incident Response: Security incident plan in place

Common Cloud Security Misconfigurations

S3 Bucket Exposure

# ❌ WRONG: Public bucket
aws s3api put-bucket-acl --bucket my-bucket --acl public-read

# ✅ CORRECT: Private bucket with specific access
aws s3api put-bucket-acl --bucket my-bucket --acl private
aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json

RDS Public Access

# ❌ WRONG
resource "aws_db_instance" "bad" {
  publicly_accessible = true  # NEVER do this!
}

# ✅ CORRECT
resource "aws_db_instance" "good" {
  publicly_accessible = false
  vpc_security_group_ids = [aws_security_group.db.id]
}

Resources

  • AWS Security Best Practices
  • CIS AWS Foundations Benchmark
  • Cloudflare Security Documentation
  • OWASP Cloud Security
  • Terraform Security Best Practices

Remember: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.

cloud-infrastructure-security.md

SKILL.md

tile.json