Companion skill for auditclaw-grc. Collects compliance evidence from AWS accounts using read-only API calls.
15 checks | Read-only IAM policy | Evidence stored in shared GRC database
aws configure, env vars, or IAM instance role). No credentials stored by this skill.boto3==1.34.46 (pinned)~/.openclaw/grc/compliance.sqlite via auditclaw-grcaws configure or IAM instance role)pip install -r scripts/requirements.txtAll evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite
via the auditclaw-grc skill's db_query.py script.
To run a full evidence sweep:
python3 scripts/aws_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all
To run specific checks:
python3 scripts/aws_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks iam,s3,cloudtrail
| Check | What It Verifies |
|---|---|
| ------- | ----------------- |
| iam | Password policy, MFA enforcement, access key rotation, unused credentials |
| s3 | Default encryption, public access blocks, versioning, access logging |
| cloudtrail | Trail enabled, multi-region, log validation, S3 delivery |
| vpc | Flow logs enabled, security group rules, NACL configuration |
| kms | Key rotation enabled, key policies, key usage |
| ec2 | IMDSv2 enforcement, EBS encryption, public IP exposure |
| rds | Storage encryption, automated backups, public accessibility |
| security_hub | Security Hub enabled, active findings by severity |
| guardduty | Detector enabled, active findings, threat intelligence |
| lambda | Runtime currency, public access, VPC attachment |
| cloudwatch | Log group retention policies, metric alarm coverage |
| config | Config recorder active, rule compliance status |
| eks_ecs | Container cluster encryption, logging, network policies |
| elb | HTTPS listeners, WAF association, access logging |
| credential_report | Full IAM credential report analysis |
Each check produces evidence items stored with:
source: "aws"type: "automated"control_id: Mapped to relevant SOC2/ISO/HIPAA controlsdescription: Human-readable finding summaryfile_content: JSON details of the check resultSee scripts/iam-policy.json for the minimum IAM permissions needed.
Use the principle of least privilege; the policy uses read-only permissions only.
When a user asks to set up AWS integration, guide them through these steps:
Direct the user to AWS Console → IAM → Policies → Create Policy → JSON tab.
The exact policy is in scripts/iam-policy.json. Show it with:
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider aws
The policy contains 43 read-only API actions across 14 AWS services. No write/modify/delete permissions.
Name: auditclaw-scanner. Attach the AuditClawReadOnly policy.
CLI: aws iam create-user --user-name auditclaw-scanner
Security Credentials → Create Access Key → CLI use case.
CLI: aws iam create-access-key --user-name auditclaw-scanner
Store credentials: aws configure or set AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY env vars.
Run: python3 {baseDir}/scripts/aws_evidence.py --test-connection
This probes each AWS service and reports accessibility.
Do NOT recommend SecurityAudit or ViewOnlyAccess managed policies. They grant far more access than needed. Always use our custom policy from scripts/iam-policy.json.
共 1 个版本