Analyze AWS infrastructure security using Cyntrisec MCP tools. Use when asked about AWS attack paths, security findings, IAM permissions, compliance status, or remediation recommendations. Guides tool selection and workflow patterns for comprehensive security assessments.
Add this skill:

```
npx mdskills install cyntrisec/aws-security-analysis
```

Comprehensive AWS security analysis guide with clear workflows and tool selection patterns.
---
name: aws-security-analysis
description: Analyze AWS infrastructure security using Cyntrisec MCP tools. Use when asked about AWS attack paths, security findings, IAM permissions, compliance status, or remediation recommendations. Guides tool selection and workflow patterns for comprehensive security assessments.
license: Apache-2.0
metadata:
  author: cyntrisec
  version: "0.1.7"
---

# AWS Security Analysis

This skill guides you through analyzing AWS infrastructure security using Cyntrisec MCP tools.

## Prerequisites

Before using any tool, ensure a scan exists:
- Call `get_scan_summary` first to verify scan data is available
- If you receive `SNAPSHOT_NOT_FOUND`, inform the user to run `cyntrisec scan` first

## Tool Selection Guide

### When User Asks About...

| User Question | Tool to Use |
|--------------|-------------|
| "What's in my AWS account?" | `get_scan_summary` → `get_assets` |
| "What are the security issues?" | `get_findings` (filter by severity if specified) |
| "Show me attack paths" | `get_attack_paths` |
| "Explain this attack path" | `explain_path` (requires path_id) |
| "How do I fix this?" | `get_remediations` → `get_terraform_snippet` |
| "Can role X access resource Y?" | `check_access` |
| "What permissions are unused?" | `get_unused_permissions` |
| "Are we compliant?" | `check_compliance` |
| "What changed since last scan?" | `compare_scans` |

### Tool Categories

**Discovery (start here)**
- `get_scan_summary` - Always call first to understand scope
- `list_tools` - Show available capabilities

**Data Retrieval**
- `get_assets` - Browse AWS resources (EC2, IAM, S3, RDS, Lambda)
- `get_relationships` - See how assets connect (CAN_ASSUME, CAN_REACH, MAY_ACCESS)
- `get_findings` - Security issues found in the scan

**Attack Analysis**
- `get_attack_paths` - Paths from internet to sensitive targets
- `explain_path` - Step-by-step breakdown of an attack path
- `explain_finding` - Deep dive into a specific finding

**Remediation**
- `get_remediations` - Optimal fixes using min-cut algorithm
- `get_terraform_snippet` - IaC code to implement a fix

**Advanced**
- `check_access` - Simulate IAM access decisions
- `get_unused_permissions` - Find permission bloat
- `check_compliance` - CIS AWS or SOC 2 frameworks

## Common Workflows

### Workflow 1: Security Assessment

User wants to understand their security posture.

```
1. get_scan_summary
   → Understand scope: account, regions, asset counts

2. get_findings(severity="CRITICAL")
   → Focus on highest priority issues first

3. get_attack_paths(min_risk=0.7)
   → Find high-risk paths to sensitive targets

4. explain_path(path_id=<from step 3>)
   → Understand the most critical path in detail
```

### Workflow 2: Remediation Planning

User wants to fix security issues efficiently.

```
1. get_attack_paths
   → See all attack paths

2. get_remediations(max_cuts=5)
   → Find minimal set of changes to block most paths

3. For each remediation:
   get_terraform_snippet(source, target, relationship_type)
   → Generate IaC code
```

### Workflow 3: Compliance Audit

User needs compliance status for audit.

```
1. check_compliance(framework="cis-aws")  # or "soc2"
   → Get compliance score and failing controls

2. get_findings(severity="HIGH")
   → Correlate findings with compliance gaps

3. get_remediations
   → Prioritize fixes by compliance impact
```

### Workflow 4: Access Investigation

User asks "Can X access Y?" or investigates lateral movement.

```
1. check_access(principal="RoleName", resource="s3://bucket-name")
   → Direct answer: yes/no with relationship type

2. If access exists, use:
   get_relationships(source_name="RoleName")
   → Understand the full access chain
```

### Workflow 5: Permission Optimization

User wants to reduce blast radius or clean up IAM.

```
1. get_unused_permissions(days_threshold=90)
   → Find stale permissions

2. get_assets(asset_type="iam:role")
   → List all roles for context

3. Present reduction opportunities by blast_radius_reduction score
```

### Workflow 6: Drift Detection

User wants to know what changed.

```
1. compare_scans
   → Shows new/removed assets, relationships, paths, findings

2. If regressions detected:
   get_attack_paths
   → Focus on new attack paths
```

## Best Practices

### Always Do

- **Start with `get_scan_summary`** - Establishes context and verifies data exists
- **Use severity filters** - Focus on CRITICAL/HIGH first: `get_findings(severity="CRITICAL")`
- **Use min_risk filter** - Focus on high-risk paths: `get_attack_paths(min_risk=0.7)`
- **Chain explain tools** - After listing, offer to explain specific items
- **Present ROI scores** - When showing remediations, highlight `roi_score` for prioritization

### Never Do

- **Skip the summary** - Always verify scan data exists first
- **Return raw IDs without context** - Always include names and descriptions
- **Overwhelm with data** - Use `max_*` parameters to limit results
- **Ignore error codes** - Handle `SNAPSHOT_NOT_FOUND` and `INSUFFICIENT_DATA` gracefully

### Response Patterns

When showing attack paths:
```
Found {total} attack paths. Top {n} by risk:

1. **{source_name} → {target_name}** (Risk: {risk_score})
   Vector: {attack_vector}
   Path: {path_assets joined by " → "}
```

When showing remediations:
```
Top remediation opportunities:

1. **Block {source} → {target}** ({relationship_type})
   - Blocks {paths_blocked} attack paths
   - Estimated savings: ${estimated_savings}
   - ROI Score: {roi_score}
```

## Troubleshooting

### No scan data found
```
Error: SNAPSHOT_NOT_FOUND
```
→ User needs to run `cyntrisec scan` with AWS credentials configured.

### Need multiple scans for comparison
```
Error: INSUFFICIENT_DATA
```
→ User needs at least 2 scans to use `compare_scans`.

### No attack paths found
This is good news! The infrastructure has no detected paths from internet-facing resources to sensitive targets.

### Empty findings
Either the infrastructure is well-configured, or the scan may need to cover more services/regions.

## Tool Parameter Reference

### Severity Values
`CRITICAL`, `HIGH`, `MEDIUM`, `LOW`

### Asset Types
`iam:role`, `iam:user`, `iam:policy`, `ec2:instance`, `ec2:security-group`, `s3:bucket`, `rds:instance`, `lambda:function`

### Relationship Types
`CAN_ASSUME`, `CAN_REACH`, `MAY_ACCESS`, `ALLOWS_TRAFFIC_TO`, `HAS_POLICY`, `MEMBER_OF`

### Compliance Frameworks
`cis-aws`, `soc2`
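As an added illustration (not part of the skill file or Cyntrisec's own code), the Python below drives Workflow 1 (security assessment) end to end and renders the attack-path response pattern described above. The injected `call_tool(name, **params)` callable, the `{"error": "<CODE>"}` error shape and the field layout of `get_attack_paths` results are assumptions, and the sample server data is constructed so the script runs offline.

```python
# Added example (not Cyntrisec's own code): Workflow 1 of this skill plus its
# attack-path response pattern, driven through an injected call_tool(name, **params)
# that stands in for the MCP client. ASSUMED response shapes: errors arrive as
# {"error": "<CODE>"}; get_attack_paths returns {"total", "paths"} with the field
# names used in the skill's Response Patterns section.

def render_attack_paths(result: dict, top_n: int = 3) -> str:
    """Format get_attack_paths output as the skill's attack-path response pattern."""
    paths = sorted(result["paths"], key=lambda p: p["risk_score"], reverse=True)[:top_n]
    lines = [f"Found {result['total']} attack paths. Top {len(paths)} by risk:", ""]
    for i, p in enumerate(paths, 1):
        lines.append(f"{i}. **{p['source_name']} → {p['target_name']}** (Risk: {p['risk_score']})")
        lines.append(f"   Vector: {p['attack_vector']}")
        lines.append(f"   Path: {' → '.join(p['path_assets'])}")
    return "\n".join(lines)

def security_assessment(call_tool, min_risk: float = 0.7) -> dict:
    """summary -> CRITICAL findings -> paths above min_risk -> explain the riskiest path.
    The summary is never skipped, and SNAPSHOT_NOT_FOUND becomes guidance for the user."""
    summary = call_tool("get_scan_summary")
    if summary.get("error") == "SNAPSHOT_NOT_FOUND":
        return {"status": "no_scan", "message": "Run `cyntrisec scan` first."}
    findings = call_tool("get_findings", severity="CRITICAL")
    paths = call_tool("get_attack_paths", min_risk=min_risk)
    report = {"status": "ok", "account": summary["account"],
              "critical_findings": findings["total"], "paths_text": render_attack_paths(paths)}
    if paths["paths"]:  # chain the explain tool on the single riskiest path
        top = max(paths["paths"], key=lambda p: p["risk_score"])
        report["top_path_explanation"] = call_tool("explain_path", path_id=top["path_id"])
    return report

# Constructed sample data standing in for a live MCP server, so this runs offline.
SAMPLE = {
    "get_scan_summary": {"account": "111122223333", "regions": ["us-east-1"]},
    "get_findings": {"total": 2},
    "explain_path": {"steps": ["instance is public", "role is assumable", "bucket is readable"]},
    "get_attack_paths": [
        {"path_id": "p1", "source_name": "internet", "target_name": "s3://customer-data",
         "risk_score": 0.9, "attack_vector": "public instance with over-permissive role",
         "path_assets": ["internet", "i-web", "role/app", "s3://customer-data"]},
        {"path_id": "p2", "source_name": "internet", "target_name": "rds/prod",
         "risk_score": 0.75, "attack_vector": "security group open to 0.0.0.0/0",
         "path_assets": ["internet", "sg-open", "rds/prod"]}],
}

def fake_call_tool(name: str, **params) -> dict:
    if name == "get_attack_paths":  # apply the min_risk filter the workflow passes
        kept = [p for p in SAMPLE[name] if p["risk_score"] >= params.get("min_risk", 0.0)]
        return {"total": len(kept), "paths": kept}
    return SAMPLE.get(name, {"error": "SNAPSHOT_NOT_FOUND"})
```

Swap `fake_call_tool` for a real MCP client wrapper to run the same workflow against live scan data.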