SecOps
Network exposure detection, public storage access, security group misconfiguration, and security posture baseline across AWS and Azure.
What it covers
| Skill | What it detects | Output |
|---|---|---|
| Public ingress detection | Security groups with unrestricted inbound rules (0.0.0.0/0, ::/0) on any port | Finding |
| Public storage access | S3 buckets with public ACLs or public access block disabled | Finding |
| Azure NSG exposure | NSGs with unrestricted inbound rules | Finding |
| Azure Blob public access | Storage accounts with public blob access enabled | Finding |
| Exposure ranking | Ranked list of exposure findings by severity and blast radius | Report |
| Security posture baseline | Aggregated view of open findings across all exposure categories | Report |
Example prompts
Which EC2 instances are reachable from the internet?
Are any of my S3 buckets publicly readable?
Show me all security groups with port 22 open to 0.0.0.0/0
What is my overall network exposure score?
List all Azure NSGs allowing unrestricted inbound traffic
Finding severity model
| Condition | Severity |
|---|---|
| Port 22 or 3389 open to 0.0.0.0/0 | CRITICAL |
| Any port open to 0.0.0.0/0 on a production account | HIGH |
| S3 bucket with public read ACL | HIGH |
| S3 bucket with public access block disabled (no public objects) | MEDIUM |
| Port open to 0.0.0.0/0 on non-production account | MEDIUM |
| Azure NSG with * source on management ports | HIGH |
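As an added illustration (not code from this page or the Escher product), the public-ingress rows of the severity table applied to security-group data in the shape `ec2:DescribeSecurityGroups` returns; the group id, the sample rules and the production flag are constructed assumptions:

```python
from typing import Iterable, List, Optional

# Rule dicts mirror the IpPermissions entries returned by ec2:DescribeSecurityGroups
# (FromPort, ToPort, IpRanges, Ipv6Ranges). SAMPLE_GROUPS below is constructed data.
UNRESTRICTED = {"0.0.0.0/0", "::/0"}
MANAGEMENT_PORTS = {22, 3389}

def _open_to_world(rule: dict) -> bool:
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in UNRESTRICTED for c in cidrs)

def _covers_management_port(rule: dict) -> bool:
    # Absent or -1 ports mean "all ports" (IpProtocol "-1"), which includes 22/3389.
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if lo == -1 or hi == -1:
        return True
    return any(lo <= p <= hi for p in MANAGEMENT_PORTS)

def classify_rule(rule: dict, production: bool) -> Optional[str]:
    """Severity from the table above; None when the rule is not world-reachable."""
    if not _open_to_world(rule):
        return None
    if _covers_management_port(rule):
        return "CRITICAL"
    return "HIGH" if production else "MEDIUM"

def find_public_ingress(groups: Iterable[dict], production: bool) -> List[dict]:
    """One Finding per unrestricted inbound rule, ordered by severity."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sev = classify_rule(rule, production)
            if sev:
                findings.append({"group": sg["GroupId"], "severity": sev,
                                 "ports": f"{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"})
    return sorted(findings, key=lambda f: order[f["severity"]])

# Constructed sample: SSH open to the IPv4 world, HTTPS open to the IPv6 world,
# and a database port restricted to a private range (should produce no finding).
SAMPLE_GROUPS = [{
    "GroupId": "sg-0123456789example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}]
```

Note that a `::/0` IPv6 range is treated exactly like `0.0.0.0/0`, matching the "What it covers" table, and an all-protocol rule is rated CRITICAL because it necessarily covers the management ports.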
Required permissions
AWS
```json
[
  "ec2:DescribeSecurityGroups",
  "ec2:DescribeInstances",
  "ec2:DescribeNetworkInterfaces",
  "s3:ListAllMyBuckets",
  "s3:GetBucketAcl",
  "s3:GetBucketPolicy",
  "s3:GetBucketPolicyStatus",
  "s3:GetBucketPublicAccessBlock"
]
```
Azure
Assign the Reader role on the target subscription. For NSG and storage scanning, the following additional permissions are required (or use the built-in Security Reader role):
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Authorization/roleAssignments/read
```bash
# Assign Security Reader role to Escher service principal
az role assignment create \
  --assignee YOUR_SP_APP_ID \
  --role "Security Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID
```
Remediation playbooks
SecOps findings can trigger:
- security.remediate_public_exposure — removes unrestricted ingress rules from security groups
- security.lock_public_storage — disables public access on S3 buckets
See Writing Playbooks for the schema.
Next steps
- IAM — Audit access and privilege escalation
- Compliance — Map findings to compliance frameworks