AI Skill Report Card

Analyzing Infrastructure Vulnerabilities

Grade: A- (85) · Jun 10, 2026 · Source: Web

Infrastructure Vulnerability Analysis and Reporting

Quick Start: 15 / 15

```python
import boto3
import json
from datetime import datetime, timedelta

# Initialize AWS clients across all accounts
accounts = {
    "375938171839": "PROD-DEVOPS",
    "154019634110": "SDLC-SHARED",
    "194403957971": "PROD-SHARED",
    # ... add all accounts
}
services = ["eks", "ecs", "rds", "docdb", "elasticache", "lambda", "glue", "batch"]
region = "eu-central-1"

# Scan for vulnerabilities
inventory = {}  # (account_id, service) -> client used to collect resource versions
for account_id, account_name in accounts.items():
    # One named profile per account, e.g. "account-375938171839" in ~/.aws/config
    session = boto3.Session(profile_name=f"account-{account_id}")
    for service in services:
        client = session.client(service, region_name=region)
        # Collect resource versions and check against CVE database
        inventory[(account_id, service)] = client
```
Recommendation: Remove the lengthy accounts dictionary and comments from Quick Start - just show the core scanning pattern

Workflow: 15 / 15

Progress:

  • Step 1: Discover and inventory all AWS resources
  • Step 2: Version detection and CVE mapping
  • Step 3: PHS score calculation and priority assignment
  • Step 4: EOL assessment and upgrade path analysis
  • Step 5: Generate comprehensive PDF report
  • Step 6: Create remediation roadmap

Step 1: Asset Discovery

  • Enumerate EKS clusters, ECS services, RDS instances, DocumentDB clusters, ElastiCache clusters, Lambda functions, Glue jobs, and Batch compute environments
  • Record current versions, configurations, and auto-upgrade settings
  • Exclude container images and runtime dependencies

Step 2: Vulnerability Assessment

  • Cross-reference current versions against CVE databases
  • Calculate CVSS scores and map to PHS priority levels:
    • Prio 0 (Emergency): CVSS 9.0-10.0, 3 calendar days
    • Prio 1 (Critical): CVSS 9.0-10.0, 30 calendar days
    • Prio 2 (High): CVSS 7.0-8.9, 60 calendar days
    • Prio 3 (Medium): CVSS 4.0-6.9, 180 calendar days
    • Prio 4 (Low): CVSS 0.1-3.9, best effort

Step 3: Version Analysis

  • Identify latest minor/major versions
  • Check EOL dates for current versions
  • Assess upgrade paths and compatibility

Step 4: Report Generation

Generate PDF with detailed tables for each resource:

  • Resource name, account, type
  • Current/latest versions, EOL dates
  • CVE IDs, CVSS scores, PHS scores, due dates
  • Auto-upgrade status
Recommendation: Compress the PHS priority mapping - Claude already understands scoring systems, just provide the essential thresholds

Examples: 20 / 20

Example 1: EKS Cluster Assessment
Input: EKS cluster running v1.24
Output:

Resource: prod-cluster-01
Account: 375938171839 (PROD-DEVOPS)
Type: EKS Cluster
Current Version: 1.24
Latest Minor: 1.28.5
Latest Major: 1.29.0
EOL Date: 2024-07-31
CVEs: CVE-2023-5528 (CVSS: 8.8, PHS: Prio 2)
Auto-upgrade: Disabled
Due Date: 2024-03-15 (60 days)

Example 2: RDS Instance with Multiple CVEs
Input: RDS PostgreSQL 13.7
Output:

Resource: prod-db-main
Account: 180045630901 (PROD-PROCESSING)
Type: RDS PostgreSQL
Current Version: 13.7
Latest Minor: 13.13
Latest Major: 15.4
EOL Date: 2025-11-13
CVEs: 
- CVE-2023-39417 (CVSS: 9.8, PHS: Prio 1)
- CVE-2023-39418 (CVSS: 7.5, PHS: Prio 2)
Auto-upgrade: Minor only
Due Date: 2024-02-14 (30 days for highest priority)
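The Step 2 mapping and the per-resource due dates shown in Examples 1 and 2, worked as an added example (not code from the skill or the page). It assumes an assessment date of 2024-01-15 (which reproduces both due dates above) and, because the page gives no rule for when a 9.0-10.0 finding is Prio 0 rather than Prio 1, an explicit per-CVE `emergency` flag set by the analyst.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
# PHS bands from Step 2: (prio, label, CVSS low, CVSS high, SLA in calendar days; None = best effort).
# Prio 0 shares the 9.0-10.0 band with Prio 1 and the page states no escalation rule, so this
# example assumes an explicit per-CVE `emergency` flag set by the analyst selects Prio 0.
PHS_LEVELS = [
    (0, "Emergency", 9.0, 10.0, 3),
    (1, "Critical", 9.0, 10.0, 30),
    (2, "High", 7.0, 8.9, 60),
    (3, "Medium", 4.0, 6.9, 180),
    (4, "Low", 0.1, 3.9, None),
]

@dataclass
class Cve:
    cve_id: str
    cvss: float
    emergency: bool = False  # assumed analyst flag (see note above)

def phs_priority(cvss: float, emergency: bool = False) -> Tuple[int, str, Optional[int]]:
    """Map a CVSS base score to (prio, label, SLA days)."""
    score = round(cvss, 1)  # base scores carry one decimal, so every in-range value lands in a band
    if not 0.1 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for prio, label, low, high, days in PHS_LEVELS:
        if (emergency or prio != 0) and low <= score <= high:
            return prio, label, days

def resource_due_date(assessed_on: date, cves: List[Cve]) -> Tuple[Optional[int], Optional[int], Optional[date]]:
    """(prio, SLA days, due date) driven by the highest-priority CVE; date stays None for best effort."""
    if not cves:
        return None, None, None
    prio, _, days = min((phs_priority(c.cvss, c.emergency) for c in cves), key=lambda t: t[0])
    return prio, days, None if days is None else assessed_on + timedelta(days=days)

def render_entry(name: str, account: str, rtype: str, assessed_on: date, cves: List[Cve]) -> List[str]:
    """One resource-level entry in the layout of the examples above (never grouped with other resources)."""
    lines = [f"Resource: {name}", f"Account: {account}", f"Type: {rtype}", "CVEs:"]
    for c in cves:
        lines.append(f"- {c.cve_id} (CVSS: {c.cvss}, PHS: Prio {phs_priority(c.cvss, c.emergency)[0]})")
    _, days, due = resource_due_date(assessed_on, cves)
    lines.append(f"Due Date: {due} ({days} days for highest priority)" if due else "Due Date: best effort")
    return lines
# Constructed from Example 2; the assessment date is assumed (it reproduces the page's due dates).
ASSESSED_ON = date(2024, 1, 15)
EXAMPLE2_CVES = [Cve("CVE-2023-39417", 9.8), Cve("CVE-2023-39418", 7.5)]
def example2_entry() -> List[str]:
    return render_entry("prod-db-main", "180045630901 (PROD-PROCESSING)", "RDS PostgreSQL", ASSESSED_ON, EXAMPLE2_CVES)
```

A resource whose only findings are Prio 4 gets "best effort" rather than a date, which keeps the report honest about the SLA instead of inventing one.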
Recommendation: Add a concrete pitfall example showing what NOT to do, rather than just listing abstract warnings
  • Scope Focus: Only assess specified services in eu-central-1 region
  • PHS Priority Mapping: Always include PHS score and corresponding due dates
  • Resource-Level Detail: Provide individual tables per resource, not summaries
  • Version Tracking: Include current, latest minor, latest major, and EOL information
  • Risk-Based Prioritization: Order remediation by PHS priority, then by exploitability
  • Executive Clarity: Lead with high-level summary, support with detailed findings
  • Don't include container image vulnerabilities or runtime dependencies
  • Don't assess regions outside eu-central-1
  • Don't group resources in detailed findings - provide individual entries
  • Don't skip due date calculations based on PHS requirements
  • Don't ignore newer versions without CVEs - still flag for upgrade planning
  • Don't miss EOL assessments for extended support planning
```markdown
# Infrastructure Security Assessment Report

[High-level status of infrastructure security posture]

- AWS Accounts: [list all 11 accounts]
- Region: eu-central-1
- Services: EKS, ECS, RDS, DocumentDB, ElastiCache, Lambda, Glue, Batch
- Exclusions: Container images, runtime code, dependency scanning

| Account | Service | Resource Count | Critical Assets |
|---------|---------|----------------|-----------------|
|         |         |                |                 |

| Service | Prio 0 | Prio 1 | Prio 2 | Prio 3 | Prio 4 |
|---------|--------|--------|--------|--------|--------|
|         |        |        |        |        |        |

[Major vulnerabilities requiring immediate attention]

[Individual resource tables with all required fields]

[Priority-ordered action items with effort estimates]

[Scope constraints and analysis limitations]
```

Scorecard

Criteria Breakdown

  • Quick Start: 15/15
  • Workflow: 15/15
  • Examples: 20/20
  • Completeness: 17/20
  • Format: 15/15
  • Conciseness: 13/15