pentesting-with-aws-security-agent
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAWS Security Agent — Penetration Test
AWS Security Agent — 渗透测试
This skill handles pentest setup, execution, and findings. Initial Security Agent setup (agent space, role, bucket) is handled by the skill — if is missing, the pentest workflow auto-runs setup inline first.
setup-security-agent.security-agent/config.jsonPentests are slow (1-24 hours) and active — they probe a real running app. Always confirm the user is authorized to test the target before starting.
本技能负责渗透测试的设置、执行及结果处理。初始Security Agent设置(agent space、角色、存储桶)由****技能处理——如果缺失,渗透测试工作流会先自动内联运行设置步骤。
setup-security-agent.security-agent/config.json渗透测试耗时较长(1-24小时)且为主动测试——会探测真实运行中的应用。开始前务必确认用户拥有测试目标的授权。
Resolving the values you need
获取所需参数值
The CLI examples below use placeholders. Resolve them at the start of every pentest:
| Placeholder | How to resolve |
|---|---|
| |
| |
| |
| |
| |
| |
| |
以下CLI示例使用占位符。每次渗透测试开始前需解析这些占位符:
| 占位符 | 获取方式 |
|---|---|
| |
| |
| |
| |
| |
| |
| |
Pre-pentest checks
渗透测试前检查
-
Read. If missing → tell the user one line — "First pentest in this workspace — running setup first." — and run the
.security-agent/config.jsonworkflow inline before continuing.setup-security-agent -
Verify agent space still exists:bash
aws securityagent batch-get-agent-spaces --agent-space-ids <id>If missing, clearfromagent_space_idand runconfig.jsonagain.setup-security-agent -
Resolve account and role ARN from the table above.
-
Authorization check: ask the user "Do you own or have explicit permission to pentest?" if it's not obvious from context. Do not proceed without confirmation.
<target>
-
读取。若文件缺失→告知用户一句话:“此工作区首次进行渗透测试——先运行设置步骤。”,并在继续前内联运行
.security-agent/config.json工作流。setup-security-agent -
验证agent space是否仍存在:bash
aws securityagent batch-get-agent-spaces --agent-space-ids <id>若不存在,从中清除config.json并重新运行agent_space_id。setup-security-agent -
根据上表解析账号和角色ARN。
-
授权检查:若上下文无法明确,询问用户“您是否拥有或获得明确授权对进行渗透测试?”。未获得确认前不得继续。
<target>
Workflow
工作流
1. Register target domain (one-time per domain)
1. 注册目标域名(每个域名仅需一次)
bash
aws securityagent create-target-domain --agent-space-id <id> \
--target-domain-name <domain> --verification-method HTTP_ROUTEThe response includes a verification token / route. Tell the user what to put on their server (typically a file or HTTP route returning a token), then:
.well-known/...bash
aws securityagent verify-target-domain --agent-space-id <id> --target-domain-id <td-id>Persist the verified in under so future pentests can reuse it.
target_domain_id.security-agent/config.jsontarget_domains: { "<domain>": "<td-id>" }bash
aws securityagent create-target-domain --agent-space-id <id> \
--target-domain-name <domain> --verification-method HTTP_ROUTE响应包含验证令牌/路由。告知用户需在服务器上配置的内容(通常是文件或返回令牌的HTTP路由),然后执行:
.well-known/...bash
aws securityagent verify-target-domain --agent-space-id <id> --target-domain-id <td-id>将已验证的持久化到的中,以便后续渗透测试复用。
target_domain_id.security-agent/config.jsontarget_domains: { "<domain>": "<td-id>" }2. Create a pentest
2. 创建渗透测试任务
Ask the user for:
- Title (no spaces — use hyphens; default )
pentest-<timestamp> - Endpoints to test (one or more URIs under the verified domain)
bash
aws securityagent create-pentest --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets endpoints=[{uri=https://example.com/api/login},{uri=https://example.com/api/upload}]Capture .
pentestId向用户询问:
- 标题(无空格——使用连字符;默认值)
pentest-<timestamp> - 待测试端点(已验证域名下的一个或多个URI)
bash
aws securityagent create-pentest --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets endpoints=[{uri=https://example.com/api/login},{uri=https://example.com/api/upload}]记录。
pentestId3. Start the pentest job
3. 启动渗透测试任务
bash
aws securityagent start-pentest-job --agent-space-id <id> --pentest-id <pentest-id>Capture . Append to (create as if it doesn't exist yet — the directory itself is already created by setup):
pentestJobId.security-agent/pentests.json[]json
{
"pentest_id": "p-...",
"pentest_job_id": "pj-...",
"agent_space_id": "as-...",
"title": "pentest-...",
"endpoints": ["https://..."],
"started_at": "2026-06-01T20:00:00Z",
"status": "IN_PROGRESS"
}Tell user: "Pentest started ({pentest_job_id}). Pentests typically run 1-24 hours depending on scope. I'll check every 15 minutes — say 'stop polling' to opt out."
bash
aws securityagent start-pentest-job --agent-space-id <id> --pentest-id <pentest-id>记录。将其追加到中(若文件不存在则创建为——该目录已由设置步骤创建):
pentestJobId.security-agent/pentests.json[]json
{
"pentest_id": "p-...",
"pentest_job_id": "pj-...",
"agent_space_id": "as-...",
"title": "pentest-...",
"endpoints": ["https://..."],
"started_at": "2026-06-01T20:00:00Z",
"status": "IN_PROGRESS"
}告知用户:“渗透测试已启动({pentest_job_id})。根据测试范围,渗透测试通常需要1-24小时。我会每15分钟检查一次——输入‘停止轮询’可退出。”
4. Polling loop
4. 轮询循环
-
(15 minutes) between checks. Do not poll faster.
sleep 900 -
Status:bash
aws securityagent batch-get-pentest-jobs --agent-space-id <id> --pentest-job-ids <pj-id> -
Only respond whenchanges or on terminal state (
status,COMPLETED,FAILED).STOPPED -
On→ run the Findings workflow.
COMPLETED
-
每次检查间隔(15分钟)。不得缩短轮询间隔。
sleep 900 -
查询状态:bash
aws securityagent batch-get-pentest-jobs --agent-space-id <id> --pentest-job-ids <pj-id> -
仅当变化或进入终端状态(
status、COMPLETED、FAILED)时回复用户。STOPPED -
当状态为→执行结果处理工作流。
COMPLETED
5. Findings
5. 检测结果处理
bash
aws securityagent list-findings --agent-space-id <id> --pentest-job-id <pj-id>If is returned, call again with until empty.
nextToken--next-token <token>bash
aws securityagent batch-get-findings --agent-space-id <id> --finding-ids <id1> <id2> ...Present in chat grouped by severity (same icons + format as code scans):
🟣 CRITICAL: {name}
Endpoint: {endpoint}
{description}Write a full report to with every field returned (findingId, name, description, riskLevel, riskType, confidence, status, endpoint, request/response samples if present, and remediationCode if present).
.security-agent/pentest-{pentest_job_id}.mdTell user: "Full details written to "
.security-agent/pentest-{pentest_job_id}.mdbash
aws securityagent list-findings --agent-space-id <id> --pentest-job-id <pj-id>若返回,需携带再次调用,直至无返回值。
nextToken--next-token <token>bash
aws securityagent batch-get-findings --agent-space-id <id> --finding-ids <id1> <id2> ...在聊天中按严重程度分组展示(与代码扫描使用相同图标和格式):
🟣 CRITICAL: {name}
端点: {endpoint}
{description}将所有返回字段(findingId、name、description、riskLevel、riskType、confidence、status、endpoint、请求/响应样本(若存在)、remediationCode(若存在))写入完整报告至。
.security-agent/pentest-{pentest_job_id}.md告知用户:“详细内容已写入”
.security-agent/pentest-{pentest_job_id}.md6. Stop a pentest
6. 停止渗透测试
bash
aws securityagent stop-pentest-job --agent-space-id <id> --pentest-job-id <pj-id>bash
aws securityagent stop-pentest-job --agent-space-id <id> --pentest-job-id <pj-id>Rules
规则
- Always confirm authorization to test the target before starting
- Verify the target domain before creating a pentest — will fail otherwise
create-pentest - Reuse a verified from
target_domain_idinstead of re-verifyingconfig.json - Pentest titles must not contain spaces — use hyphens
- Poll every 15 minutes max — pentests are long-running
- Don't auto-restart a failed pentest — show the failure to the user first
- 开始前务必确认测试授权
- 创建渗透测试任务前需验证目标域名——否则会失败
create-pentest - 复用中已验证的
config.json,无需重新验证target_domain_id - 渗透测试标题不得包含空格——使用连字符
- 最长每15分钟轮询一次——渗透测试为长时间运行任务
- 不得自动重启失败的渗透测试——先向用户展示失败信息
Troubleshooting
故障排除
- on
ValidationException→ the verification route isn't responding correctly yet. Ask user to confirm the route is live and serving the expected token.verify-target-domain - → run verify-target-domain (step 1) again.
target domain not verified - Pentest stuck in for >24 hours → likely a backend issue or the target is unreachable. Stop and inspect.
IN_PROGRESS - on the service role → the service role doesn't have the network/runtime permissions a pentest needs. The default
AccessDeniedis for code scans only — pentests against AWS resources may need broader permissions. Direct user to the AWS Security Agent console to configure a pentest-specific role.SecurityAgentScanRole
- 出现
verify-target-domain→验证路由未正确响应。请用户确认路由已上线并返回预期令牌。ValidationException - →重新运行verify-target-domain(步骤1)。
target domain not verified - 渗透测试卡在状态超过24小时→可能是后端问题或目标无法访问。停止测试并检查。
IN_PROGRESS - 服务角色出现→服务角色不具备渗透测试所需的网络/运行时权限。默认的
AccessDenied仅适用于代码扫描——针对AWS资源的渗透测试可能需要更广泛的权限。引导用户前往AWS Security Agent控制台配置渗透测试专用角色。SecurityAgentScanRole