Cloud & Infrastructure Config Security Gate — Catch Misconfigurations Before You terraform apply
An adversarial gate that audits cloud and infrastructure-as-code config — Terraform, Kubernetes, IAM, security groups, buckets — for the misconfigurations that cause real breaches, and returns a structured PASS/REVISE/BLOCK verdict with severities and exact fixes before anything reaches your environment.
- Auditing a Terraform or CloudFormation plan before terraform apply
- Reviewing Kubernetes manifests and IAM policies in a CI/CD pipeline
- Auditing inherited cloud infrastructure you did not write
$34 or 170 credits
Included in download
- file_read automation included
- Ready for GPT
Sample input
resource "aws_s3_bucket" "logs" {
  bucket = "app-prod-logs"
  acl    = "public-read"
}

resource "aws_iam_policy" "app" {
  policy = jsonencode({
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
Sample output
VERDICT: BLOCK
SUMMARY: A log bucket is publicly readable and an IAM policy grants unrestricted access to every action on every resource. Both are critical and this config is not safe to apply.
FINDINGS:
- [SEVERITY: CRITICAL] aws_s3_bucket.logs — acl = "public-read" exposes production logs (which often contain tokens and PII) to the public — set acl to "private" and attach a public-access block.
- [SEVERITY: CRITICAL] aws_iam_policy.app — Action "*" on Resource "*" is full admin access — scope to the specific actions and ARNs the workload actually needs.
BLOCKERS: both CRITICAL findings must be fixed before apply.
SAFE TO APPLY: no
About This Skill
The Cloud & Infrastructure Config Security Gate turns your agent into a skeptical cloud security reviewer that judges configuration before it ships. Give it any infrastructure-as-code or cloud config — Terraform, CloudFormation, Kubernetes and Helm, Docker Compose, IAM policies, security-group rules, bucket settings, or CI/CD pipelines — and it runs an ordered, adversarial audit across five fronts: identity and access (wildcard permissions, over-broad roles, long-lived credentials), network exposure (open-internet ingress, public databases, permissive groups), data protection (public buckets, disabled encryption, plaintext state), secrets and supply chain (hardcoded keys, unpinned images, untrusted registries), and guardrails and drift (logging, deletion protection, resource limits). It does not rewrite or apply anything — it returns a structured PASS / REVISE / BLOCK verdict, with every finding mapped to the exact resource and line, a CRITICAL/HIGH/MEDIUM/LOW severity, and the specific fix. A single CRITICAL or HIGH forces BLOCK, so the dangerous mistakes — a public customer-data bucket, a database open to 0.0.0.0/0, an inline API key — get stopped before terraform apply, not discovered in an incident review. It is a pre-apply judgment gate, not a cloud scanner or auto-remediation tool.
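To make the gating rule concrete, here is an added example (not the skill's own code) of a minimal policy check that applies the severity-to-verdict mapping described above to this page's sample config. It assumes resources arrive as Python dicts shaped loosely like flattened `terraform show -json` output, and covers three of the five fronts: public bucket ACLs, wildcard IAM allows, and non-web ports open to 0.0.0.0/0.

```python
# Added example (not the skill's code): a minimal PASS/REVISE/BLOCK gate over
# Terraform resources given as dicts shaped loosely like `terraform show -json`
# output (an assumption); this page's sample config is embedded below.
from collections import namedtuple

Finding = namedtuple("Finding", "severity resource message fix")
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
WEB_PORTS = {80, 443}  # internet-facing HTTP(S) ingress is expected; anything else is not

def _wild(value):
    """True when an IAM Action/Resource element is a bare '*' (string or list form)."""
    return "*" in (value if isinstance(value, list) else [value])

def audit(resources):
    """Run the identity, network and data-protection checks; return one Finding per hit."""
    findings = []
    for r in resources:
        addr, v = f"{r['type']}.{r['name']}", r["values"]
        if r["type"] == "aws_s3_bucket" and v.get("acl") in PUBLIC_ACLS:
            findings.append(Finding("CRITICAL", addr, f'acl = "{v["acl"]}" makes the bucket world-readable',
                                    'set acl = "private" and add an aws_s3_bucket_public_access_block'))
        elif r["type"] == "aws_iam_policy":
            for st in v["policy"].get("Statement", []):
                if st.get("Effect") == "Allow" and _wild(st.get("Action", [])) and _wild(st.get("Resource", [])):
                    findings.append(Finding("CRITICAL", addr, 'Action "*" on Resource "*" is full admin access',
                                            "scope Action and Resource to what the workload needs"))
        elif r["type"] == "aws_security_group":
            for rule in v.get("ingress", []):
                if "0.0.0.0/0" in rule.get("cidr_blocks", []) and rule["from_port"] not in WEB_PORTS:
                    findings.append(Finding("HIGH", addr, f"port {rule['from_port']} open to 0.0.0.0/0",
                                            "restrict cidr_blocks to known source ranges"))
    return findings

def verdict(findings):
    """A single CRITICAL or HIGH forces BLOCK; only MEDIUM/LOW means REVISE; nothing means PASS."""
    if not findings:
        return "PASS"
    worst = max(SEVERITY_RANK[f.severity] for f in findings)
    return "BLOCK" if worst >= SEVERITY_RANK["HIGH"] else "REVISE"

# Constructed input mirroring the page's sample (public-read log bucket, Allow * on *).
SAMPLE = [
    {"type": "aws_s3_bucket", "name": "logs", "values": {"bucket": "app-prod-logs", "acl": "public-read"}},
    {"type": "aws_iam_policy", "name": "app",
     "values": {"policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
]
```

Running `audit(SAMPLE)` yields the two CRITICAL findings from the sample output and `verdict(...)` returns BLOCK; replacing the ACL with "private" and the wildcards with explicit actions and ARNs brings the same input to PASS.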
Use Cases
- Auditing a Terraform or CloudFormation plan before terraform apply
- Reviewing Kubernetes manifests and IAM policies in a CI/CD pipeline
- Auditing inherited cloud infrastructure you did not write
Known Limitations
Audits the configuration text you provide — it does not connect to your cloud account, read live state, or detect drift between code and a running environment. It reasons from the config rather than running a policy engine, so for exhaustive, provider-certified coverage pair it with a dedicated CSPM or IaC scanner. Quality depends on the config being reasonably complete; it cannot judge values hidden behind unprovided variables or remote modules.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/cloud-infrastructure-config-security-gate-catch-misconfigurations-before-you-terraform-apply -o /tmp/cloud-infrastructure-config-security-gate-catch-misconfigurations-before-you-terraform-apply.zip && unzip -o /tmp/cloud-infrastructure-config-security-gate-catch-misconfigurations-before-you-terraform-apply.zip -d ~/.claude/skills && rm /tmp/cloud-infrastructure-config-security-gate-catch-misconfigurations-before-you-terraform-apply.zip

Free skills install directly. Paid skills require purchase - use the download button above after buying.
Reviews
No reviews yet - be the first to share your experience.
Only users who have downloaded or purchased this skill can leave a review.
Security Scanned
Passed automated security review
Permissions
File Scopes
Read-only by design. The skill reads the configuration text you provide and reasons about it. It never connects to a cloud account, makes network calls, modifies files, or applies infrastructure — it only judges the config and reports findings, so you stay in full control of what is applied.
Model-agnostic. Works with any SKILL.md-compatible agent (Claude, GPT, Gemini, Llama, Mistral).
Creator
PubsProToolkit builds AI agent skills that bring regulated-industry rigor to written output. Created by a CMPP-certified medical writer with a PhD and 10+ years in pharma — covering clinical and scientific publishing, plus evidence-grounded QC for any agent.