sg-deceptive-reachability-auditor

Official

Audit AWS SGs for hidden lateral movement paths.

Authoranyshift-io
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Security group rules appear safe in isolation, but ordinary single-upstream references can compose into a hidden multi-hop lateral movement path from an internet-facing or compromised entry point to a crown-jewel database. This skill builds a directed reachability graph from AWS security group ingress rules and instance membership to surface the buried path that no single rule reveals, while correctly staying quiet on segmented, orphaned, or disconnected fleets where no such path exists.

Core Features & Use Cases

  • Directed Reachability Graph: Composes SG-to-SG UserIdGroupPairs and internet-facing CIDR rules into a directed graph and computes the transitive closure to enumerate every reachable tier from a named entry point.
  • Buried Needle Detection: Surfaces long 4-6 hop lateral movement chains as critical findings with the exact hop list, rather than stopping at obvious surface exposures like a single public rule.
  • Deceptive-Clean Handling: Correctly reports no reachable path on segmented, orphaned, broken, or disjoint fleets instead of fabricating a path from disconnected deep chains or loud intended public exposures.
  • Pivot/Hub Identification: Flags high-severity hub security groups that bridge otherwise-isolated reachable regions, revealing quiet chokepoints that a per-rule read misses.
  • Explicit Boundary Statement: Names exactly where the SG graph stops being able to answer the question, including live host membership, route tables, NACLs, and app-layer authentication.

Quick Start

Use the sg-deceptive-reachability-auditor skill to audit the attached AWS security group and instance JSON for hidden multi-hop lateral movement paths to the crown-jewel database tier.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: sg-deceptive-reachability-auditor
Download link: https://github.com/anyshift-io/sre-skills/archive/main.zip#sg-deceptive-reachability-auditor

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.