This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionauditing-cloud-with-cis-benchmarksExecute the skills CLI command in your project's root directory to begin installation:
Fetches auditing-cloud-with-cis-benchmarks from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate auditing-cloud-with-cis-benchmarks. Access via /auditing-cloud-with-cis-benchmarks in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | auditing-cloud-with-cis-benchmarks |
| description | 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cis-benchmarks - cloud-audit - compliance-assessment - prowler - security-hardening |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - GOVERN-1.1 - GOVERN-4.2 - MAP-2.3 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for runtime threat detection (see detecting-cloud-threats-with-guardduty), for application-level security testing (see conducting-cloud-penetration-testing), or for compliance frameworks not based on CIS (refer to specific regulatory skill files).
Choose the correct benchmark version for each cloud provider. Current versions as of 2025 include CIS AWS Foundations Benchmark v5.0, CIS Azure Foundations Benchmark v4.0, and CIS GCP Foundations Benchmark v4.0.
CIS Benchmark Coverage Areas:
+-------------------+-------------------------+------------------------+
| Section | AWS v5.0 | Azure v4.0 |
+-------------------+-------------------------+------------------------+
| Identity & Access | IAM policies, MFA, root | Azure AD, RBAC, PIM |
| Logging | CloudTrail, Config | Activity Log, Diag |
| Monitoring | CloudWatch alarms | Defender, Sentinel |
| Networking | VPC, SG, NACLs | NSG, ASG, Firewall |
| Storage | S3 encryption, access | Storage encryption |
| Database | RDS encryption | SQL TDE, auditing |
+-------------------+-------------------------+------------------------+
CIS Profile Levels:
Level 1: Practical security settings that can be implemented without significant
performance impact or reduced functionality
Level 2: Defense-in-depth settings that may reduce functionality or require
additional planning for implementation
Execute comprehensive CIS benchmark scans using Prowler for automated control evaluation across AWS, Azure, and GCP.
# AWS CIS v5.0 assessment
prowler aws \
--compliance cis_5.0_aws \
--profile audit-account \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-$(date +%Y%m%d)
# Azure CIS v4.0 assessment
prowler azure \
--compliance cis_4.0_azure \
--subscription-ids "sub-id-1,sub-id-2" \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-azure-$(date +%Y%m%d)
# GCP CIS v4.0 assessment
prowler gcp \
--compliance cis_4.0_gcp \
--project-ids "project-1,project-2" \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-gcp-$(date +%Y%m%d)
# Multi-account AWS scan using ScoutSuite
scout suite aws \
--profile audit-account \
--report-dir ./scout-report \
--ruleset cis-5.0 \
--force
Analyze audit results by section and severity. Prioritize Level 1 controls first as they represent fundamental security hygiene, then address Level 2 controls for defense in depth.
# Parse Prowler results for failed controls
cat ./cis-audit-*/prowler-output-*.json | \
jq '[.[] | select(.StatusExtended == "FAIL")] | group_by(.CheckID) |
map({control: .[0].CheckID, description: .[0].CheckTitle,
failed_resources: length, severity: .[0].Severity}) |
sort_by(-.failed_resources)'
# Generate compliance score by section
cat ./cis-audit-*/prowler-output-*.json | \
jq 'group_by(.Section) | map({
section: .[0].Section,
total: length,
passed: [.[] | select(.StatusExtended == "PASS")] | length,
failed: [.[] | select(.StatusExtended == "FAIL")] | length,
score: (([.[] | select(.StatusExtended == "PASS")] | length) / length * 100 | round)
})'
Address failed controls starting with the highest impact items. Use AWS Config remediation, Azure Policy, or Terraform to apply fixes systematically.
# CIS 1.4: Ensure no root account access key exists
aws iam list-access-keys --user-name root
# If keys exist, delete them
aws iam delete-access-key --user-name root --access-key-id AKIAEXAMPLE
# CIS 2.1.1: Ensure S3 bucket default encryption is enabled
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
aws s3api put-bucket-encryption --bucket "$bucket" \
--server-side-encryption-configuration '{
"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}' 2>/dev/null && echo "Encrypted: $bucket" || echo "FAILED: $bucket"
done
# CIS 3.1: Ensure CloudTrail is enabled in all regions
aws cloudtrail create-trail \
--name organization-trail \
--s3-bucket-name cloudtrail-logs-bucket \
--is-multi-region-trail \
--enable-log-file-validation \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id
aws cloudtrail start-logging --name organization-trail
# CIS 4.x: Configure CloudWatch metric filters and alarms
aws logs put-metric-filter \
--log-group-name CloudTrail/DefaultLogGroup \
--filter-name UnauthorizedAPICalls \
--filter-pattern '{ ($.errorCode = "*UnauthorizedAccess*") || ($.errorCode = "AccessDenied*") }' \
--metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=CISBenchmark,metricValue=1
Deploy automated compliance monitoring to detect configuration drift between periodic audits. Use AWS Security Hub, Azure Policy, or GCP Security Command Center.
# AWS: Enable CIS v5.0 in Security Hub
aws securityhub batch-enable-standards \
--standards-subscription-requests '[
{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/5.0.0"}
]'
# Azure: Assign CIS benchmark policy initiative
az policy assignment create \
--name cis-azure-benchmark \
--scope "/subscriptions/<sub-id>" \
--policy-set-definition "1a5bb27d-173f-493e-9568-eb56638dbd0e" \
--params '{"effect": {"value": "AuditIfNotExists"}}'
# Schedule periodic Prowler assessments
# Run weekly via cron or CI/CD pipeline
0 2 * * 1 prowler aws --compliance cis_5.0_aws --output-formats csv --output-directory /opt/audits/weekly-$(date +\%Y\%m\%d)
| Term | Definition |
|---|---|
| CIS Benchmark | Prescriptive security configuration guidelines developed by the Center for Internet Security through community consensus |
| Level 1 Profile | Practical security controls implementable without significant performance or functionality impact, representing security hygiene |
| Level 2 Profile | Defense-in-depth controls that may restrict functionality and require careful planning before implementation |
| Foundations Benchmark | CIS benchmark specifically for cloud providers covering IAM, logging, monitoring, networking, and storage security |
| Control ID | Unique numerical identifier for each CIS recommendation (e.g., 1.4 for root access key checks, 2.1.1 for S3 encryption) |
| Compliance Score | Percentage of CIS controls in a passing state, tracked over time to measure security posture improvement |
| Automated Assessment | Tool-driven evaluation of CIS controls using cloud provider APIs to check resource configurations against benchmark requirements |
| Remediation Runbook | Documented step-by-step procedure for fixing a specific failed CIS control, including pre-checks and validation |
Context: A SaaS company pursuing SOC 2 Type II certification needs to demonstrate cloud security controls aligned to CIS benchmarks. The auditor requires evidence of continuous compliance monitoring across 45 AWS accounts.
Approach:
Pitfalls: Remediating controls without testing in a staging environment first can break production workloads. Ignoring Level 2 controls entirely weakens the audit narrative even if they are not strictly required.
CIS Benchmark Audit Report
============================
Cloud Provider: AWS
Benchmark Version: CIS AWS Foundations Benchmark v5.0
Accounts Assessed: 45
Assessment Date: 2025-02-23
Tool: Prowler v4.3.0
OVERALL COMPLIANCE SCORE: 74%
COMPLIANCE BY SECTION:
1. Identity and Access Management: 68% (41/60 controls passed)
2. Storage: 82% (28/34 controls passed)
3. Logging: 91% (20/22 controls passed)
4. Monitoring: 55% (18/33 controls passed)
5. Networking: 78% (32/41 controls passed)
TOP FAILED CONTROLS (by affected accounts):
[1.4] Root account has active access keys - 3/45 accounts
[1.5] MFA not enabled for root account - 2/45 accounts
[2.1.1] S3 default encryption not enabled - 12/45 accounts
[3.1] CloudTrail not multi-region - 8/45 accounts
[4.3] No alarm for root account usage - 28/45 accounts
[5.1] VPC flow logs not enabled - 15/45 accounts
[5.4] Security groups allow 0.0.0.0/0 ingress - 22/45 accounts
REMEDIATION PRIORITY:
Critical (Fix within 7 days): Root access keys, missing root MFA
High (Fix within 30 days): S3 encryption, CloudTrail, VPC flow logs
Medium (Fix within 60 days): CloudWatch alarms, security group restrictions
Low (Fix within 90 days): Level 2 controls, informational items
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for auditing-cloud-with-cis-benchmarks matched our evaluation — installs cleanly and behaves as described in the markdown.
We added auditing-cloud-with-cis-benchmarks from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: auditing-cloud-with-cis-benchmarks is focused, and the summary matches what you get after install.
Keeps context tight: auditing-cloud-with-cis-benchmarks is the kind of skill you can hand to a new teammate without a long onboarding doc.
auditing-cloud-with-cis-benchmarks reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in auditing-cloud-with-cis-benchmarks — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend auditing-cloud-with-cis-benchmarks for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: auditing-cloud-with-cis-benchmarks is focused, and the summary matches what you get after install.
auditing-cloud-with-cis-benchmarks fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
auditing-cloud-with-cis-benchmarks has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 73