cloud-security-audit

# Cloud Security Audit
## Overview

A cloud security audit is a critical step in evaluating the security posture of a cloud environment. This skill provides methods, tools, and best practices for auditing cloud security on the major platforms: AWS, Azure, and GCP.
## Audit Scope

### 1. Identity and Access Management

Check Items:
- IAM policy configuration
- User permissions
- Role permissions
- Access key management

### 2. Network Security

Check Items:
- Security group configuration
- Network ACLs
- VPC configuration
- Traffic encryption

### 3. Data Security

Check Items:
- Data encryption
- Key management
- Backup policies
- Data classification

### 4. Compliance

Check Items:
- Compliance frameworks
- Audit logs
- Monitoring and alerting
- Incident response
## AWS Security Audit

### IAM Audit

Check IAM policies:

```bash
# List all IAM users
aws iam list-users

# List all IAM policies
aws iam list-policies

# Check user permissions (inline policies, then attached managed policies)
aws iam list-user-policies --user-name username
aws iam list-attached-user-policies --user-name username

# Check role permissions (inline policies)
aws iam list-role-policies --role-name rolename
```

**Common Issues:**
- Excessive permissions
- Unused access keys
- Weak password policies
- MFA not enabled
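Listing policies only tells you which documents exist; the "excessive permissions" finding comes from reading them. The following is an added example, not code from the original page: it takes policy documents in the shape of the `Document` field returned by `aws iam get-policy-version` and flags the statement patterns an auditor reviews first. The policy names and documents in `SAMPLE_POLICIES` are constructed for illustration.

```python
"""Flag over-permissive statements in IAM policy documents.

Added example, not part of the original page: the input mimics the
"Document" field returned by `aws iam get-policy-version`; the sample
policies below are constructed for illustration.
"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_risky_statements(policy):
    """Return (reason, statement) pairs an auditor should review.

    Heuristics, most severe first:
    - NotAction / NotResource: allow-everything-except, almost always too broad
    - Action "*" on Resource "*": full administrator
    - "<service>:*" on Resource "*": service-wide wildcard (e.g. iam:*, s3:*)
    - IAM write actions without a Condition: privilege-escalation surface
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("negated matcher (NotAction/NotResource) grants broad access", stmt))
            continue
        if "*" in actions and "*" in resources:
            findings.append(("full admin: Action * on Resource *", stmt))
            continue
        wildcard_services = [a for a in actions if a.endswith(":*")]
        if wildcard_services and "*" in resources:
            findings.append((f"service-wide wildcard {wildcard_services} on all resources", stmt))
            continue
        iam_writes = [a for a in actions
                      if a.lower().startswith("iam:")
                      and not a.lower().startswith(("iam:get", "iam:list"))]
        if iam_writes and "Condition" not in stmt:
            findings.append((f"unconditioned IAM write actions {iam_writes}", stmt))
    return findings


def audit_policies(policies):
    """Map policy name -> findings for every policy document given."""
    return {name: find_risky_statements(doc) for name, doc in policies.items()}


# Constructed sample: one admin-style policy, one that looks scoped but
# smuggles in iam:* on every resource, and one genuinely read-only policy.
SAMPLE_POLICIES = {
    "ops-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "backup-writer": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": "arn:aws:s3:::backup-bucket/*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        ],
    },
    "read-only": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["iam:GetUser", "iam:ListUsers"],
                       "Resource": "*"}],
    },
}

if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {len(findings)} finding(s)")
        for reason, stmt in findings:
            print(f"  - {reason}: {stmt}")
```

In a real audit you would feed this the default version of every customer-managed policy (`aws iam list-policies --scope Local`, then `get-policy-version`) plus the inline policies returned by `list-user-policies` and `list-role-policies`; the heuristics are a triage filter, and the IAM policy simulator remains the authority on what a principal can actually do.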
### S3 Security Audit

Check S3 buckets:

```bash
# List all buckets
aws s3 ls

# Check the bucket policy
aws s3api get-bucket-policy --bucket bucketname

# Check the bucket ACL
aws s3api get-bucket-acl --bucket bucketname

# Check default bucket encryption
aws s3api get-bucket-encryption --bucket bucketname
```

**Common Issues:**
- Public access
- Unencrypted storage
- Versioning not enabled
- Logging not enabled
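The three `s3api` calls above each return JSON, and the public-access and encryption findings come from combining them. Here is an added example, not code from the original page, that evaluates those outputs for one bucket: it parses the policy (note that `get-bucket-policy` returns the policy as a JSON string inside a JSON object), checks the ACL for the AllUsers / AuthenticatedUsers groups, and reads the default encryption rule. A bucket with no policy or no encryption configuration is represented as `None`, standing in for the `NoSuchBucketPolicy` and `ServerSideEncryptionConfigurationNotFoundError` responses. All sample data is constructed.

```python
"""Check S3 buckets for public access and missing default encryption.

Added example, not from the original page. Inputs mirror the JSON printed by
`aws s3api get-bucket-policy`, `get-bucket-acl` and `get-bucket-encryption`;
None stands for the error response when a policy/encryption config is absent.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_URIS = {ALL_USERS, AUTH_USERS}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_is_public(policy_output):
    """True if an Allow statement names everyone as Principal with no Condition."""
    if not policy_output:
        return False
    doc = json.loads(policy_output["Policy"])  # "Policy" is a JSON string
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")):
            return True
    return False


def acl_is_public(acl_output):
    """True if the ACL grants anything to the AllUsers or AuthenticatedUsers groups."""
    for grant in acl_output.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            return True
    return False


def default_encryption(encryption_output):
    """Return the default SSE algorithm (AES256 / aws:kms), or None when unset."""
    if not encryption_output:
        return None
    rules = encryption_output.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit_bucket(bucket):
    """Return the findings for one bucket dict with policy/acl/encryption outputs."""
    findings = []
    if policy_is_public(bucket["policy"]):
        findings.append("bucket policy allows anonymous access")
    if acl_is_public(bucket["acl"]):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if default_encryption(bucket["encryption"]) is None:
        findings.append("no default server-side encryption configured")
    return findings


# Constructed sample outputs for two buckets.
OWNER_ID = "constructed-canonical-user-id"
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}

PUBLIC_SITE = {
    "policy": {"Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::public-site/*"}],
    })},
    "acl": {"Owner": {"ID": OWNER_ID}, "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "encryption": None,  # ServerSideEncryptionConfigurationNotFoundError
}
PRIVATE_DATA = {
    "policy": None,      # NoSuchBucketPolicy
    "acl": {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:000000000000:key/constructed"}}]}},
}

if __name__ == "__main__":
    for name, bucket in (("public-site", PUBLIC_SITE), ("private-data", PRIVATE_DATA)):
        print(name, audit_bucket(bucket) or ["clean"])
```

Account-level and bucket-level Block Public Access settings (`aws s3api get-public-access-block`) can override a public policy or ACL, so a policy finding here should be read together with that setting before it is reported as exposed.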
### Security Group Audit

Check security groups:

```bash
# List all security groups
aws ec2 describe-security-groups

# Check open ports on a specific group
aws ec2 describe-security-groups --group-ids sg-xxx
```

**Common Issues:**
- Open to 0.0.0.0/0
- Unnecessary ports open
- Overly permissive rules
### CloudTrail Audit

Check audit logs:

```bash
# List all trails
aws cloudtrail describe-trails

# Check trail status and log file integrity validation
aws cloudtrail get-trail-status --name trailname
```
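`describe-trails` shows how a trail is configured and `get-trail-status` shows whether it is actually delivering; a trail that exists but has stopped logging, or that covers one region only, is the "missing logs" problem in practice. The block below is an added example, not code from the original page: it joins the two outputs per trail and reports the configuration gaps an auditor looks for. The trail names, bucket names and timestamps are constructed, and `now` is passed in explicitly so the staleness check is deterministic.

```python
"""Audit CloudTrail trails from describe-trails and get-trail-status output.

Added example, not from the original page. `describe_output` is the JSON of
`aws cloudtrail describe-trails`; `statuses` maps trail name to the JSON of
`aws cloudtrail get-trail-status --name <trail>`. Sample data is constructed.
"""
from datetime import datetime, timedelta, timezone


def audit_trail(trail, status, now, max_delivery_age=timedelta(hours=1)):
    """Return the findings for one trail (empty list means healthy)."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail; API activity in other regions is not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled; tampering with delivered logs would go unnoticed")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed KMS key")
    if status.get("LatestDeliveryError"):
        findings.append(f"latest delivery error: {status['LatestDeliveryError']}")
    last = status.get("LatestDeliveryTime")
    if last:
        # CLI timestamps carry an explicit offset, which fromisoformat() accepts.
        age = now - datetime.fromisoformat(last)
        if age > max_delivery_age:
            findings.append(f"no log delivery for {age}")
    else:
        findings.append("no successful log delivery recorded")
    return findings


def audit_trails(describe_output, statuses, now):
    """Map trail name -> findings across all trails in the account."""
    return {
        trail["Name"]: audit_trail(trail, statuses.get(trail["Name"], {}), now)
        for trail in describe_output.get("trailList", [])
    }


# Constructed sample data: one well-configured organization trail and one
# legacy trail that is single-region, unvalidated, unencrypted and stale.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "constructed-log-bucket",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/constructed",
     "HomeRegion": "us-east-1"},
    {"Name": "legacy-trail", "S3BucketName": "constructed-old-bucket",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "HomeRegion": "eu-west-1"},
]}
SAMPLE_STATUSES = {
    "org-trail": {"IsLogging": True, "LatestDeliveryTime": "2024-05-01T11:50:00+00:00"},
    "legacy-trail": {"IsLogging": True, "LatestDeliveryTime": "2024-04-28T09:00:00+00:00",
                     "LatestDeliveryError": "AccessDenied"},
}

if __name__ == "__main__":
    for name, findings in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUSES, NOW).items():
        print(name, findings or ["healthy"])
```

A `LatestDeliveryError` of `AccessDenied` almost always means the target bucket's policy was changed after the trail was created, which is why the bucket policy of the log bucket belongs in the same review.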
## Azure Security Audit

### Subscriptions and Resource Groups

Check subscriptions:

```bash
# List all subscriptions
az account list

# Check resource groups
az group list
```
### Network Security Groups

Check NSGs:

```bash
# List all NSGs
az network nsg list

# Check NSG rules
az network nsg rule list --nsg-name nsgname --resource-group rgname
```
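The AWS security group and Azure NSG checks above look for the same thing in two different JSON shapes: inbound rules whose source is the whole Internet. The following is an added example, not code from the original page or from either CLI, that normalizes both formats into one finding list. `aws_world_open_ingress` reads the JSON of `aws ec2 describe-security-groups`; `azure_world_open_inbound` reads the JSON list from `az network nsg rule list`. Rules open to the world on 80/443 are reported as `info` (usually intended for a web tier) and everything else as `high`. The group names and rules are constructed.

```python
"""Find inbound rules open to the whole Internet in AWS security groups and
Azure network security groups.

Added example, not from the original page. Input formats follow
`aws ec2 describe-security-groups` and `az network nsg rule list`; the
sample groups and rules below are constructed.
"""

WORLD_SOURCES = {"0.0.0.0/0", "::/0", "*", "Internet"}
WEB_PORTS = {"80", "443"}


def _severity(ports):
    """'info' when every open port is a standard web port, else 'high'."""
    return "info" if ports and all(p in WEB_PORTS for p in ports) else "high"


def aws_world_open_ingress(describe_output):
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if not any(s in WORLD_SOURCES for s in sources):
                continue
            if perm.get("IpProtocol") == "-1":          # all protocols, all ports
                ports = ["*"]
            elif perm.get("FromPort") == perm.get("ToPort"):
                ports = [str(perm["FromPort"])]
            else:
                ports = [f"{perm['FromPort']}-{perm['ToPort']}"]
            findings.append({"platform": "aws", "group": sg.get("GroupId"),
                             "protocol": perm.get("IpProtocol"), "ports": ports,
                             "severity": _severity(ports)})
    return findings


def azure_world_open_inbound(rules, nsg_name):
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
        if not any(s in WORLD_SOURCES for s in sources):
            continue
        ports = [p for p in [rule.get("destinationPortRange")]
                 + list(rule.get("destinationPortRanges") or []) if p]
        findings.append({"platform": "azure", "group": nsg_name, "rule": rule.get("name"),
                         "priority": rule.get("priority"), "protocol": rule.get("protocol"),
                         "ports": ports, "severity": _severity(ports)})
    return findings


# Constructed sample data.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_NSG_RULES = [
    {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 100, "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 110, "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "deny-rdp", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "priority": 120, "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "allow-outbound", "direction": "Outbound", "access": "Allow", "protocol": "*",
     "priority": 100, "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
]

if __name__ == "__main__":
    for f in aws_world_open_ingress(SAMPLE_SGS) + azure_world_open_inbound(SAMPLE_NSG_RULES, "nsg-app"):
        print(f)
```

One caveat the example does not handle: NSG rules are evaluated in priority order, so an `Allow` from `*` can be shadowed by a lower-numbered `Deny`; confirm the effective rules (for instance with `az network nic list-effective-nsg`) before reporting an NSG finding as exposure.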
### Storage Accounts

Check storage accounts:

```bash
# List all storage accounts
az storage account list

# Check an account's access settings
az storage account show --name accountname --resource-group rgname
```
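`az storage account show` prints one JSON object per account, and the data-security findings (public blob access, plaintext HTTP, old TLS, open network rules) are a handful of its fields. Below is an added example, not code from the original page, that evaluates those fields; the two sample accounts are constructed, one deliberately legacy and one hardened. A `null` `allowSharedKeyAccess` is treated as enabled, which is the platform default when the property is unset.

```python
"""Audit Azure storage account security settings.

Added example, not from the original page. Input is the JSON object printed
by `az storage account show` (camelCase keys); sample accounts are constructed.
"""


def audit_storage_account(account):
    """Return the findings for one storage account (empty list means clean)."""
    findings = []
    if account.get("allowBlobPublicAccess"):
        findings.append("anonymous blob access is allowed at the account level")
    if not account.get("enableHttpsTrafficOnly"):
        findings.append("unencrypted HTTP traffic is accepted")
    tls = account.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS version is {tls or 'unset'}, not TLS1_2")
    if (account.get("networkRuleSet") or {}).get("defaultAction") == "Allow":
        findings.append("network rule set default action is Allow (reachable from any network)")
    # null means the property was never set, and shared key auth is then allowed.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorization is enabled; prefer Azure AD / RBAC")
    return findings


def audit_storage_accounts(accounts):
    """Map account name -> findings, e.g. over the list from `az storage account list`."""
    return {a["name"]: audit_storage_account(a) for a in accounts}


# Constructed sample data.
LEGACY_ACCOUNT = {
    "name": "legacystorage01",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "allowSharedKeyAccess": None,
}
HARDENED_ACCOUNT = {
    "name": "hardenedstorage01",
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Deny",
                       "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
                       "virtualNetworkRules": []},
    "allowSharedKeyAccess": False,
}

if __name__ == "__main__":
    for name, findings in audit_storage_accounts([LEGACY_ACCOUNT, HARDENED_ACCOUNT]).items():
        print(name, findings or ["clean"])
```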
## GCP Security Audit

### Projects and Organizations

Check projects:

```bash
# List all projects
gcloud projects list

# Check the project IAM policy
gcloud projects get-iam-policy project-id
```
### Compute Engine

Check instances:

```bash
# List all instances
gcloud compute instances list

# Check firewall rules
gcloud compute firewall-rules list
```
### Storage

Check buckets:

```bash
# List all buckets
gsutil ls

# Check bucket permissions
gsutil iam get gs://bucketname
```
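The project IAM policy (`gcloud projects get-iam-policy project-id --format=json`) and the bucket policy (`gsutil iam get gs://bucketname`) share the same `{"bindings": [{"role": ..., "members": [...]}]}` shape, so one reviewer serves both the Projects and the Storage checks above. The block below is an added example, not code from the original page or from Google's tooling: it flags public principals (`allUsers`, `allAuthenticatedUsers`), basic roles (`roles/owner`, `roles/editor`), and bindings left pointing at deleted principals. The project id, bucket and member identities are constructed.

```python
"""Review GCP IAM policy bindings for public principals, basic roles and
stale members. Works for project policies (gcloud ... get-iam-policy
--format=json) and bucket policies (gsutil iam get) alike.

Added example, not from the original page; sample policies are constructed.
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}


def audit_bindings(policy, resource):
    """Return a list of finding dicts for one IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                issue = "public principal"
            elif role in BASIC_ROLES:
                issue = ("basic role on a service account" if member.startswith("serviceAccount:")
                         else "basic role; prefer a predefined or custom role")
            elif member.startswith("deleted:"):
                issue = "binding to a deleted principal; remove it"
            else:
                continue
            findings.append({"resource": resource, "role": role,
                             "member": member, "issue": issue})
    return findings


# Constructed sample policies: a project with an over-broad owner binding and
# a bucket that is readable by everyone.
PROJECT_POLICY = {
    "version": 1,
    "etag": "constructed-etag",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["deleted:user:bob@example.com?uid=123456789"]},
    ],
}
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:my-project"]},
    ],
    "etag": "constructed-etag",
}

if __name__ == "__main__":
    for f in audit_bindings(PROJECT_POLICY, "projects/my-project") \
           + audit_bindings(BUCKET_POLICY, "gs://constructed-bucket"):
        print(f)
```

Bucket bindings to `allUsers` are the GCP equivalent of a public S3 bucket; uniform bucket-level access (visible in `gsutil ubla get`) decides whether per-object ACLs can widen access further, so check it alongside the bucket policy.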
## Automation Tools

### Scout Suite

```bash
# AWS audit
scout aws

# Azure audit
scout azure

# GCP audit
scout gcp
```

### Prowler

```bash
# AWS security audit, selected checks only
prowler -c check11,check12,check13

# Full audit
prowler
```

### CloudSploit

```bash
# Scan an AWS account
cloudsploit scan aws

# Scan an Azure subscription
cloudsploit scan azure
```

### Pacu

```bash
# AWS penetration testing framework
pacu
```
## Audit Checklist

### IAM Security

- Check user permissions
- Check role permissions
- Check access keys
- Check password policies
- Check MFA enablement

### Network Security

- Check security group/NSG rules
- Check VPC configuration
- Check network ACLs
- Check traffic encryption

### Data Security

- Check data encryption
- Check key management
- Check backup policies
- Check data classification

### Compliance

- Check audit logs
- Check monitoring and alerting
- Check incident response
- Check compliance frameworks
## Common Security Issues

### 1. Excessive Permissions

Issue:
- Overly permissive IAM policies
- Users holding administrator permissions
- Roles with excessive permissions

Remediation:
- Apply the principle of least privilege
- Review permissions regularly
- Use IAM policy simulation

### 2. Public Resources

Issue:
- Public S3 buckets
- Security groups open to 0.0.0.0/0
- Publicly accessible databases

Remediation:
- Restrict the access scope
- Use private networks
- Enable access controls

### 3. Unencrypted Data

Issue:
- Storage not encrypted
- Transmission not encrypted
- Improper key management

Remediation:
- Enable encryption
- Use TLS/SSL
- Use a key management service

### 4. Missing Logs

Issue:
- Audit logs not enabled
- Logs not retained
- Logs not monitored

Remediation:
- Enable CloudTrail/Azure Monitor
- Set log retention policies
- Configure monitoring and alerting
## Best Practices

### 1. Least Privilege

- Grant only the permissions that are necessary
- Review permissions regularly
- Use IAM policy simulation

### 2. Multi-Layered Protection

- Network layer protection
- Application layer protection
- Data layer protection

### 3. Monitoring and Alerting

- Enable audit logs
- Configure monitoring and alerting
- Establish incident response processes

### 4. Compliance

- Follow compliance frameworks
- Conduct regular security audits
- Document security policies
## Notes

- Only perform audits in authorized environments
- Avoid impacting production environments
- Account for differences between cloud platforms
- Conduct security audits regularly