AuditClaw AWS

Companion skill for auditclaw-grc. Collects compliance evidence from AWS accounts using read-only API calls.

15 checks | Read-only IAM policy | Evidence stored in the shared GRC database
Security Model

- Read-only access: a custom IAM policy with 43 read-only API actions. No write, modify, or delete permissions.
- Credentials: uses the standard AWS credential chain (aws configure, environment variables, or an IAM instance role). No credentials are stored by this skill.
- Dependencies: boto3==1.34.46 (pinned)
- Data flow: check results are stored as evidence in ~/.OpenClaw/grc/compliance.sqlite via auditclaw-grc.

Prerequisites

- AWS credentials configured (aws configure or an IAM instance role)
- pip install -r scripts/requirements.txt
- auditclaw-grc skill installed and initialized

Commands

- "Run AWS evidence sweep": run all checks and store the results in the GRC database
- "Check S3 encryption": run the S3-specific checks
- "Check IAM compliance": run the IAM-specific checks
- "Check CloudTrail status": verify the CloudTrail configuration
- "Check VPC security": review VPC flow logs and security groups
- "Show AWS integration health": last sync, errors, evidence count

Usage
All evidence is stored in the shared GRC database at ~/.OpenClaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:

python3 scripts/aws_evidence.py --db-path ~/.OpenClaw/grc/compliance.sqlite --all

To run specific checks (comma-separated category names from the table below):

python3 scripts/aws_evidence.py --db-path ~/.OpenClaw/grc/compliance.sqlite --checks iam,s3,cloudtrail
Check Categories (15)

| Check | What It Verifies |
| --- | --- |
| iam | Password policy, MFA enforcement, access key rotation, unused credentials |
| s3 | Default encryption, public access blocks, versioning, access logging |
| cloudtrail | Trail enabled, multi-region, log file validation, S3 delivery |
| vpc | Flow logs enabled, security group rules, NACL configuration |
| kms | Key rotation enabled, key policies, key usage |
| ec2 | IMDSv2 enforcement, EBS encryption, public IP exposure |
| rds | Storage encryption, automated backups, public accessibility |
| security_hub | Security Hub enabled, active findings by severity |
| guardduty | Detector enabled, active findings, threat intelligence |
| lambda | Runtime currency, public access, VPC attachment |
| cloudwatch | Log group retention policies, metric alarm coverage |
| config | Config recorder active, rule compliance status |
| eks_ecs | Container cluster encryption, logging, network policies |
| elb | HTTPS listeners, WAF association, access logging |
| credential_report | Full IAM credential report analysis |

Evidence Storage
Each check produces evidence items stored with:

- source: "aws"
- type: "automated"
- control_id: mapped to the relevant SOC2/ISO/HIPAA controls
- description: human-readable finding summary
- file_content: JSON details of the check result

IAM Policy
See scripts/iam-policy.json for the minimum IAM permissions needed. The policy follows the principle of least privilege: it grants read-only permissions only.
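To make the credential_report / iam check and the evidence item shape concrete, here is an added example (not the project's scripts/aws_evidence.py) that parses an IAM credential report of the kind `aws iam get-credential-report` returns and turns each finding into an item with the source/type/control_id/description/file_content fields listed above. The report rows are constructed, trimmed to the columns the code reads, the 90-day thresholds are assumptions, and the control IDs are placeholders for the mapping that auditclaw-grc holds.

```python
"""Analyse an IAM credential report and emit AuditClaw-style evidence items.

Added example (not the project's scripts/aws_evidence.py). The report is the
CSV that `aws iam get-credential-report` returns, here trimmed to the columns
used and filled with constructed rows; the control IDs are placeholders.
"""
import csv
import io
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumption: rotation threshold
MAX_UNUSED_DAYS = 90    # assumption: idle threshold for "unused credentials"

# Placeholder mapping; the real SOC2/ISO/HIPAA mapping lives in auditclaw-grc.
CONTROL_IDS = {
    "mfa": "PLACEHOLDER-MFA",
    "key_rotation": "PLACEHOLDER-KEY-ROTATION",
    "unused": "PLACEHOLDER-UNUSED-CREDENTIAL",
}

# Constructed report: root, a compliant user, a user without MFA holding a stale
# key, and a service user whose key was never used.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2024-01-01T00:00:00+00:00,2024-05-25T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,false,true,2024-02-01T00:00:00+00:00,N/A,false,N/A,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def _age_days(value: str, now: datetime):
    """Days since an ISO 8601 timestamp; None for N/A / no_information / not_supported."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return (now - datetime.fromisoformat(value)).days


def _evidence(kind: str, description: str, details: dict) -> dict:
    """Shape the finding the way the skill stores evidence items."""
    return {
        "source": "aws",
        "type": "automated",
        "control_id": CONTROL_IDS[kind],
        "description": description,
        "file_content": json.dumps(details, sort_keys=True),
    }


def analyse_credential_report(report_csv: str, now: datetime = NOW) -> list[dict]:
    """One evidence item per finding: console user without MFA, stale key, unused key."""
    findings: list[dict] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root reports password_enabled as not_supported but still carries an MFA flag.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append(_evidence("mfa", f"{user}: console access without MFA",
                                      {"user": user, "arn": row["arn"]}))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append(_evidence("key_rotation",
                                          f"{user}: access key {n} is {age} days old",
                                          {"user": user, "key": n, "age_days": age}))
            idle = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if idle is None and age is not None and age > MAX_UNUSED_DAYS:
                # Never used (N/A) and old enough to count as an unused credential
                findings.append(_evidence("unused",
                                          f"{user}: access key {n} never used in {age} days",
                                          {"user": user, "key": n, "age_days": age}))
            elif idle is not None and idle > MAX_UNUSED_DAYS:
                findings.append(_evidence("unused",
                                          f"{user}: access key {n} unused for {idle} days",
                                          {"user": user, "key": n, "idle_days": idle}))
    return findings


if __name__ == "__main__":
    for item in analyse_credential_report(SAMPLE_REPORT):
        print(item["control_id"], "|", item["description"])
```

On the constructed rows this yields four items: bob lacks MFA and holds a 152-day-old key, and svc-deploy's key is 121 days old and has never been used. In the real skill the items would then be written to compliance.sqlite through auditclaw-grc's db_query.py rather than printed.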
Setup Guide

When a user asks to set up the AWS integration, guide them through these steps:
Step 1: Create IAM Policy

Direct the user to AWS Console → IAM → Policies → Create Policy → JSON tab. The exact policy is in scripts/iam-policy.json. Show it with:
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider aws
CLI equivalent: aws iam create-policy --policy-name AuditClawReadOnly --policy-document file://scripts/iam-policy.json

The policy contains 43 read-only API actions across 14 AWS services. No write, modify, or delete permissions.
Step 2: Create IAM User

Name: auditclaw-scanner. Attach the AuditClawReadOnly policy.
CLI: aws iam create-user --user-name auditclaw-scanner
Then attach the policy (substitute your account ID): aws iam attach-user-policy --user-name auditclaw-scanner --policy-arn arn:aws:iam::<account-id>:policy/AuditClawReadOnly
Step 3: Generate Access Keys

Security credentials → Create access key → CLI use case.
CLI: aws iam create-access-key --user-name auditclaw-scanner
The secret access key is shown only once at creation time; it cannot be retrieved later, so capture it immediately and treat it as a long-lived credential that needs rotation.
Step 4: Configure Credentials

Store the credentials with aws configure, or set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. When the skill runs on an EC2 instance, prefer an IAM instance role carrying the same policy: the credential chain picks it up automatically and no long-lived keys need to exist.
Step 5: Verify Connection

Run:
python3 {baseDir}/scripts/aws_evidence.py --test-connection
This probes each AWS service and reports whether it is accessible.

Do NOT recommend the SecurityAudit or ViewOnlyAccess managed policies. They grant far more access than needed. Always use our custom policy from scripts/iam-policy.json.
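Because the whole security model rests on the policy being read-only, it is worth checking the document mechanically before it is created rather than trusting the action count. The linter below is an added example, not one of AuditClaw's scripts. It assumes the standard IAM policy JSON shape; the verb prefixes it accepts as read-only are the editor's heuristic rather than an AWS-published list, iam:GenerateCredentialReport is carried as a reviewed exception (AWS lists it at the Read access level), and both sample policies are constructed.

```python
"""Lint an IAM policy document and reject anything that is not read-only.

Added example (not one of AuditClaw's scripts). Run against the project's
policy with:  python3 lint_policy.py scripts/iam-policy.json
"""
import json
import re
import sys

# Verb prefixes accepted as read-only. Editor's heuristic, not an AWS list:
# review every exception against the IAM Service Authorization Reference.
READ_PREFIXES = ("Get", "List", "Describe", "Lookup")

# Reviewed exceptions that do not match the prefixes above. AWS lists
# iam:GenerateCredentialReport at the "Read" access level; it only triggers
# the report that iam:GetCredentialReport then downloads.
READ_EXCEPTIONS = {"iam:GenerateCredentialReport"}

WRITE_VERB = re.compile(
    r"^(Put|Create|Update|Delete|Modify|Attach|Detach|Start|Stop|Terminate|Run|"
    r"Set|Enable|Disable|Tag|Untag|Associate|Disassociate|Authorize|Revoke)"
)


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means every Allow is read-only."""
    problems: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant anything
        if "NotAction" in stmt:
            # NotAction allows everything *except* the listed actions
            problems.append(f"{sid}: uses NotAction, which grants all unlisted actions")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: wildcard action {action!r}")
                continue
            if action in READ_EXCEPTIONS:
                continue
            _service, _, op = action.partition(":")
            if not op or "*" in op:
                problems.append(f"{sid}: wildcard in operation name {action!r}")
            elif WRITE_VERB.match(op) or not op.startswith(READ_PREFIXES):
                problems.append(f"{sid}: {action!r} is not a recognised read-only action")
    return problems


def count_actions(policy: dict) -> int:
    """Distinct actions granted by Allow statements; compare with the 43 the skill documents."""
    actions: set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return len(actions)


def lint_file(path: str) -> list[str]:
    with open(path, encoding="utf-8") as fh:
        return lint_policy(json.load(fh))


# Constructed sample policies (not the project's iam-policy.json).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AuditClawReadOnly",
        "Effect": "Allow",
        "Action": [
            "iam:GetAccountPasswordPolicy", "iam:GenerateCredentialReport",
            "iam:GetCredentialReport", "s3:GetBucketPolicyStatus",
            "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
            "ec2:DescribeInstances", "kms:GetKeyRotationStatus",
        ],
        "Resource": "*",
    }],
}

BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Reads", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "Oops", "Effect": "Allow",
         "Action": ["s3:PutBucketPolicy", "iam:*", "ec2:Describe*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    problems = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_policy(BAD_POLICY)
    for problem in problems:
        print("NOT READ-ONLY:", problem)
    print("clean" if not problems else f"{len(problems)} problem(s)")
```

The same check is a cheap way to see why the managed SecurityAudit and ViewOnlyAccess policies are the wrong choice here: pass their documents through count_actions and the distinct-action total lands far above the 43 the custom policy grants.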