Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-cloud-incident-containment-proceduresExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-cloud-incident-containment-procedures from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-cloud-incident-containment-procedures. Access via /performing-cloud-incident-containment-procedures in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-cloud-incident-containment-procedures |
| description | Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement. |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - cloud-security - incident-containment - aws - azure - gcp - cloud-forensics - credential-revocation - network-isolation |
| mitre_attack | - T1078 - T1537 - T1580 - T1525 - T1098 |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Restore Access - Password Authentication - Biometric Authentication - Strong Password Policy - Restore User Account Access |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Cloud incident containment requires cloud-native approaches that differ significantly from traditional on-premises response. Containment procedures must leverage platform-specific controls including security groups, IAM policies, network ACLs, and service-level isolation to restrict compromised resources while preserving forensic evidence. According to the 2025 Unit 42 Global Incident Response Report, responding to cloud incidents requires understanding shared responsibility models, ephemeral infrastructure, and API-driven operations. Effective containment involves credential revocation, resource isolation, evidence snapshot creation, and automated response playbook execution.
# Disable compromised IAM user access keys
aws iam update-access-key --user-name compromised-user \
--access-key-id AKIA... --status Inactive
# List and disable all access keys for user
aws iam list-access-keys --user-name compromised-user
aws iam delete-access-key --user-name compromised-user --access-key-id AKIA...
# Attach deny-all policy to compromised user
aws iam put-user-policy --user-name compromised-user \
--policy-name DenyAll \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}'
# Revoke all active sessions for IAM role
aws iam put-role-policy --role-name compromised-role \
--policy-name RevokeOldSessions \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}
}
}]
}'
# Invalidate temporary credentials by updating role trust policy
aws iam update-assume-role-policy --role-name compromised-role \
--policy-document '{"Version":"2012-10-17","Statement":[]}'
# Create quarantine security group (no inbound, no outbound)
aws ec2 create-security-group --group-name quarantine-sg \
--description "Quarantine - No traffic allowed" --vpc-id vpc-xxxxx
# Remove all rules from quarantine SG (default allows outbound)
aws ec2 revoke-security-group-egress --group-id sg-quarantine \
--ip-permissions '[{"IpProtocol":"-1","FromPort":-1,"ToPort":-1,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
# Take forensic snapshot BEFORE containment
aws ec2 create-snapshot --volume-id vol-xxxxx \
--description "Forensic snapshot - IR Case 2025-001" \
--tag-specifications 'ResourceType=snapshot,Tags=[{Key=IR-Case,Value=2025-001}]'
# Apply quarantine security group to compromised instance
aws ec2 modify-instance-attribute --instance-id i-xxxxx \
--groups sg-quarantine
# Tag instance as compromised
aws ec2 create-tags --resources i-xxxxx \
--tags Key=IR-Status,Value=Contained Key=IR-Case,Value=2025-001
# Capture memory (if SSM agent available)
aws ssm send-command --instance-ids i-xxxxx \
--document-name "AWS-RunShellScript" \
--parameters 'commands=["dd if=/dev/mem of=/tmp/memory.dump bs=1M"]'
# Block all public access
aws s3api put-public-access-block --bucket compromised-bucket \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
# Apply deny policy to bucket
aws s3api put-bucket-policy --bucket compromised-bucket \
--policy '{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyAllExceptForensics",
"Effect": "Deny",
"NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNT:role/IR-Forensics"},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::compromised-bucket","arn:aws:s3:::compromised-bucket/*"]
}]
}'
# Enable versioning to preserve evidence
aws s3api put-bucket-versioning --bucket compromised-bucket \
--versioning-configuration Status=Enabled
# Enable Object Lock for evidence preservation
aws s3api put-object-lock-configuration --bucket evidence-bucket \
--object-lock-configuration '{
"ObjectLockEnabled": "Enabled",
"Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}
}'
# Set reserved concurrency to 0 (stops all invocations)
aws lambda put-function-concurrency --function-name compromised-function \
--reserved-concurrent-executions 0
# Remove all event source mappings
aws lambda list-event-source-mappings --function-name compromised-function
aws lambda delete-event-source-mapping --uuid mapping-uuid
# Revoke all user sessions
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"
# Disable user account
Set-AzureADUser -ObjectId "user-object-id" -AccountEnabled $false
# Reset user password
Set-AzureADUserPassword -ObjectId "user-object-id" -Password (
ConvertTo-SecureString "TempP@ss!" -AsPlainText -Force
) -ForceChangePasswordNextLogin $true
# Block sign-in via Conditional Access (emergency policy)
# Create policy blocking user from all cloud apps
# Revoke Azure AD application consent
Remove-AzureADServiceAppRoleAssignment -ObjectId "sp-object-id" \
-AppRoleAssignmentId "assignment-id"
# Create Network Security Group with deny-all rules
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName "rg" -Location "eastus" `
-Name "quarantine-nsg" `
-SecurityRules @(
New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Protocol * `
-Direction Inbound -Priority 100 -SourceAddressPrefix * `
-SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange * -Access Deny,
New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Protocol * `
-Direction Outbound -Priority 100 -SourceAddressPrefix * `
-SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange * -Access Deny
)
# Take disk snapshot for forensics
$vm = Get-AzVM -ResourceGroupName "rg" -Name "compromised-vm"
$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
-Location "eastus" -CreateOption Copy
New-AzSnapshot -ResourceGroupName "rg" -SnapshotName "forensic-snap" -Snapshot $snapshotConfig
# Apply quarantine NSG to VM NIC
$nic = Get-AzNetworkInterface -ResourceGroupName "rg" -Name "compromised-nic"
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic
# Remove network access
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "rg" `
-Name "storageaccount" -DefaultAction Deny
# Regenerate access keys
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key1
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key2
# Revoke all SAS tokens (by rotating keys)
# Enable immutability for evidence preservation
# Remove all IAM bindings for compromised service account
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# Edit policy.json to remove compromised account bindings
gcloud projects set-iam-policy PROJECT_ID policy.json
# Disable service account
gcloud iam service-accounts disable SA_EMAIL
# Delete service account keys
gcloud iam service-accounts keys list --iam-account SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL
# Create forensic snapshot
gcloud compute disks snapshot compromised-disk \
--snapshot-names forensic-snap-$(date +%Y%m%d) \
--zone us-central1-a
# Apply firewall rule to deny all traffic
gcloud compute firewall-rules create quarantine-deny-all \
--network default --action DENY --rules all \
--target-tags quarantine --priority 0
# Tag compromised instance
gcloud compute instances add-tags compromised-instance \
--tags quarantine --zone us-central1-a
# Remove external IP
gcloud compute instances delete-access-config compromised-instance \
--access-config-name "External NAT" --zone us-central1-a
| Technique | Containment Action |
|---|---|
| T1078 - Valid Accounts | Disable accounts, revoke tokens |
| T1530 - Data from Cloud Storage | Lock down bucket/storage policies |
| T1537 - Transfer to Cloud Account | Block cross-account access |
| T1578 - Modify Cloud Compute | Isolate instances, snapshot disks |
| T1552 - Unsecured Credentials | Rotate all access keys and secrets |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added performing-cloud-incident-containment-procedures from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: performing-cloud-incident-containment-procedures is focused, and the summary matches what you get after install.
performing-cloud-incident-containment-procedures is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-cloud-incident-containment-procedures has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: performing-cloud-incident-containment-procedures is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: performing-cloud-incident-containment-procedures is focused, and the summary matches what you get after install.
performing-cloud-incident-containment-procedures has been reliable in day-to-day use. Documentation quality is above average for community skills.
performing-cloud-incident-containment-procedures has been reliable in day-to-day use. Documentation quality is above average for community skills.
performing-cloud-incident-containment-procedures is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Keeps context tight: performing-cloud-incident-containment-procedures is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 34