This skill guides organizations through implementing zero trust architecture in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, and GCP environments.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-zero-trust-in-cloudExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-zero-trust-in-cloud from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-zero-trust-in-cloud. Access via /implementing-zero-trust-in-cloud in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-zero-trust-in-cloud |
| description | 'This skill guides organizations through implementing zero trust architecture in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, and GCP environments. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - zero-trust - beyondcorp - identity-aware-proxy - micro-segmentation - continuous-verification |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for simple VPN replacement without broader architectural changes, for network firewall rule management alone (see implementing-cloud-network-segmentation), or for identity provider initial setup (see managing-cloud-identity-with-okta).
Establish the core principles following NIST SP 800-207: never trust, always verify. Every access request must be authenticated, authorized, and encrypted regardless of origin.
Zero Trust Architecture Components:
+-------------------------------------------------------------------+
| Policy Decision Point |
| +-------------------+ +------------------+ +-----------------+ |
| | Identity Provider | | Device Trust | | Risk Engine | |
| | (Okta/Azure AD) | | (Intune/Jamf) | | (Continuous) | |
| +-------------------+ +------------------+ +-----------------+ |
+-------------------------------------------------------------------+
|
+--------------------+
| Policy Enforcement |
| Point (IAP/Proxy) |
+--------------------+
|
+-------------------+-------------------+
| | |
+----------+ +----------+ +----------+
| App A | | App B | | App C |
| (AWS) | | (Azure) | | (GCP) |
+----------+ +----------+ +----------+
Configure Identity-Aware Proxy (IAP) to enforce identity and context-based access decisions before requests reach applications. Eliminate direct network access to application backends.
# GCP: Enable Identity-Aware Proxy for a backend service
gcloud services enable iap.googleapis.com
# Configure IAP for an App Engine application
gcloud iap web enable --resource-type=app-engine
# Set IAP access policy requiring specific user group
gcloud iap web add-iam-policy-binding \
--resource-type=app-engine \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor"
# Create Access Level requiring corporate device and MFA
gcloud access-context-manager levels create corporate-device \
--title="Corporate Device with MFA" \
--basic-level-spec='{
"conditions": [
{
"devicePolicy": {
"requireScreenlock": true,
"allowedEncryptionStatuses": ["ENCRYPTED"],
"osConstraints": [
{"osType": "DESKTOP_CHROME_OS", "minimumVersion": "100.0"},
{"osType": "DESKTOP_MAC", "minimumVersion": "12.0"},
{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19041"}
]
},
"requiredAccessLevels": ["accessPolicies/POLICY_ID/accessLevels/require-mfa"]
}
]
}'
# AWS: Configure AWS Verified Access for zero trust application access
aws ec2 create-verified-access-instance \
--description "Zero Trust Access Instance"
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type oidc \
--oidc-options '{
"Issuer": "https://company.okta.com/oauth2/default",
"AuthorizationEndpoint": "https://company.okta.com/oauth2/default/v1/authorize",
"TokenEndpoint": "https://company.okta.com/oauth2/default/v1/token",
"UserInfoEndpoint": "https://company.okta.com/oauth2/default/v1/userinfo",
"ClientId": "verified-access-client-id",
"ClientSecret": "verified-access-client-secret",
"Scope": "openid profile groups"
}'
Configure real-time risk assessment that evaluates every access request based on identity, device posture, location, behavior patterns, and threat intelligence signals.
# Azure Conditional Access Policy (JSON representation)
{
"displayName": "Zero Trust - Require MFA and Compliant Device",
"state": "enabled",
"conditions": {
"users": {"includeUsers": ["All"]},
"applications": {"includeApplications": ["All"]},
"locations": {
"includeLocations": ["All"],
"excludeLocations": ["AllTrusted"]
},
"signInRiskLevels": ["medium", "high"],
"deviceStates": {
"includeStates": ["All"],
"excludeStates": ["Compliant", "DomainJoined"]
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa",
"compliantDevice"
]
},
"sessionControls": {
"signInFrequency": {"value": 4, "type": "hours"},
"persistentBrowser": {"mode": "never"}
}
}
Apply network-level zero trust by segmenting cloud workloads into isolated zones with explicit allow rules for each communication path.
# AWS: Create isolated VPC with no default routes
aws ec2 create-vpc --cidr-block 10.100.0.0/16 --no-amazon-provided-ipv6-cidr-block
# Create security groups implementing micro-segmentation
aws ec2 create-security-group \
--group-name web-tier-sg \
--description "Web tier - accepts traffic from ALB only" \
--vpc-id vpc-abc123
aws ec2 authorize-security-group-ingress \
--group-id sg-web123 \
--protocol tcp --port 8080 \
--source-group sg-alb123
aws ec2 create-security-group \
--group-name app-tier-sg \
--description "App tier - accepts traffic from web tier only"
aws ec2 authorize-security-group-ingress \
--group-id sg-app123 \
--protocol tcp --port 8443 \
--source-group sg-web123
Integrate endpoint verification to assess device security posture before granting access. Require encryption, OS patches, and endpoint protection.
# Google Endpoint Verification with BeyondCorp
gcloud access-context-manager levels create managed-device \
--title="Managed and Encrypted Device" \
--basic-level-spec='{
"conditions": [{
"devicePolicy": {
"requireScreenlock": true,
"requireAdminApproval": true,
"allowedEncryptionStatuses": ["ENCRYPTED"],
"allowedDeviceManagementLevels": ["COMPLETE"]
}
}]
}'
# Apply access level to IAP-protected resource
gcloud iap web set-iam-policy \
--resource-type=backend-services \
--service=web-app-backend \
--condition='expression=accessPolicies/POLICY_ID/accessLevels/managed-device'
Deploy logging and analytics to monitor all access decisions, detect anomalies, and continuously refine zero trust policies based on real usage patterns.
# Export IAP access logs to BigQuery for analysis
gcloud logging sinks create iap-access-logs \
bigquery.googleapis.com/projects/my-project/datasets/security_logs \
--log-filter='resource.type="gce_backend_service" AND protoPayload.serviceName="iap.googleapis.com"'
# AWS Verified Access logs to CloudWatch
aws ec2 modify-verified-access-instance-logging-configuration \
--verified-access-instance-id vai-abc123 \
--access-logs '{
"CloudWatchLogs": {"Enabled": true, "LogGroup": "/aws/verified-access/logs"},
"S3": {"Enabled": true, "BucketName": "verified-access-logs"}
}'
| Term | Definition |
|---|---|
| Zero Trust | Security model that eliminates implicit trust by requiring continuous authentication, authorization, and encryption for every access request |
| BeyondCorp | Google's implementation of zero trust that shifts access controls from network perimeter to individual users and devices |
| Identity-Aware Proxy | Reverse proxy that verifies user identity and context before forwarding requests to backend applications, replacing VPN-based access |
| Continuous Verification | Real-time assessment of identity, device posture, location, and behavior for every access request, not just at initial authentication |
| Device Trust | Assessment of endpoint security posture including encryption status, OS version, patch level, and MDM compliance before granting access |
| NIST SP 800-207 | National Institute of Standards and Technology publication defining zero trust architecture principles and deployment models |
| Access Context Manager | GCP service for defining conditional access policies based on device attributes, IP ranges, and identity properties |
| AWS Verified Access | AWS service providing zero trust application access based on identity and device trust signals without VPN |
Context: An organization has 500 engineers accessing internal tools via VPN. The VPN concentrator is a single point of failure and recent credential theft incidents showed that VPN access grants excessive lateral movement capability.
Approach:
Pitfalls: Deploying zero trust without device management in place blocks legitimate users with personal devices. Setting re-authentication intervals too short disrupts developer productivity with excessive login prompts.
Zero Trust Architecture Assessment Report
===========================================
Organization: Acme Corp
Cloud Providers: AWS, Azure, GCP
Assessment Date: 2025-02-23
MATURITY LEVEL: Level 2 (Advanced) - NIST ZTA Maturity Model
IDENTITY PILLAR:
MFA Enforcement: 98% of users (target: 100%)
Phishing-Resistant MFA: 34% (target: 80%)
SSO Coverage: 87% of applications
Conditional Access Policies: 12 active policies
DEVICE PILLAR:
MDM Enrollment: 92% of corporate devices
Encryption Enforcement: 95%
OS Patch Compliance: 78% (30-day window)
Endpoint Protection: 96%
NETWORK PILLAR:
VPN Dependency: 3 applications remaining (target: 0)
IAP-Protected Applications: 47/50
Micro-Segmented Workloads: 65%
East-West Traffic Encryption: 40% (mTLS adoption)
APPLICATION PILLAR:
Applications Behind Zero Trust Proxy: 94%
Session Re-Authentication: Configured for 85% of apps
Runtime Access Logging: 100%
RECOMMENDATIONS:
1. [HIGH] Migrate remaining 3 VPN-dependent apps to IAP
2. [HIGH] Increase phishing-resistant MFA to 80% within 6 months
3. [MEDIUM] Expand micro-segmentation to remaining 35% of workloads
4. [MEDIUM] Deploy service mesh for east-west mTLS encryption
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for implementing-zero-trust-in-cloud matched our evaluation — installs cleanly and behaves as described in the markdown.
implementing-zero-trust-in-cloud reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-zero-trust-in-cloud reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in implementing-zero-trust-in-cloud — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend implementing-zero-trust-in-cloud for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
I recommend implementing-zero-trust-in-cloud for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in implementing-zero-trust-in-cloud — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend implementing-zero-trust-in-cloud for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in implementing-zero-trust-in-cloud — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: implementing-zero-trust-in-cloud is focused, and the summary matches what you get after install.
showing 1-10 of 25