@skuenzli
skuenzli / export_ocsf_findings.py
Created September 23, 2025 21:44
Export Findings from Security Hub in OCSF format
#!/usr/bin/env python3
"""
Get findings from Security Hub in OCSF format.
Example usage:
python3 export_ocsf_findings.py --account 123456789012 --status New --severity Fatal --severity Critical --severity High
python3 export_ocsf_findings.py --days-ago 30 --severity Critical
"""
import argparse
skuenzli / analyze_security_findings.py
Created September 11, 2025 02:20
Analyze Issues in Security Hub
@tool
def analyze_security_findings(findings: List[Dict[str, Any]],
                              max_important_findings: int = 10) -> Dict[str, Any]:
    """
    Analyze and prioritize security findings based on severity, resource type, and impact.
    Args:
        findings: List of security findings in OCSF format
        max_important_findings: Maximum number of 'important' findings to return from the analysis (default 10)
skuenzli / unverified.1.yaml
Created May 27, 2025 23:02
Vendor AWS Account Verification Output
- accounts:
  - '165736516723'
  name: Cloudability
  source:
  - https://github.com/edrans/tf-aws-iam-cloudability
  - https://developers.cloudability.com/docs/vendor-credentials-end-point
- accounts:
  - '507897595701'
  - '530014582677'
  name: Rackspace
skuenzli / book-list.md
Last active May 7, 2025 03:46
Stephen's startup book list

This is a list of books that helped me the most in the early stages of k9 Security (which is still in early stages).

It's the list I wish I had when starting out.

Background

I'm a technical founder with 20+ years of experience as an engineer, architect, and independent consultant. I've also written 2 technical books and 125+ blog posts.

Building solutions is easy.

But building a company that solves problems people are willing to pay for is hard.

skuenzli / k9diff
Last active April 20, 2021 20:33
Prototype - k9 AWS IAM access summary diff tool
#!/opt/local/bin/bash
#set -x
set -e
report_name=$1
acct=$2
date_1=$3
date_2=$4
# find summaries with a command like
skuenzli / example.simulate-bucket-policy.json
Last active June 26, 2021 18:21
Bucket Policy for IAM Policy Simulator Tutorial
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureCommunications",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
skuenzli / example-DenyUnencryptedStorage-statement.json
Last active September 21, 2023 04:28
Secure S3 Bucket Resource Policy Examples
{
  "Sid": "DenyUnencryptedStorage",
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::sensitive-app-data/*",
  "Principal": {
    "AWS": "*"
  },
  "Condition": {
    "Null": {
skuenzli / default-cmk.key-policy.json
Last active September 30, 2020 17:15
KMS Resource Policy Examples
{
  "Version": "2012-10-17",
  "Id": "DefaultKeyPolicy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678910:root"
      },
skuenzli / create-least-priv-bucket-policy.tf
Last active May 22, 2020 16:34
Potential Terraform module interface for declaring a least privilege S3 bucket policy
# Engineers write this
locals {
  administrator_arns = [
    "arn:aws:iam::12345678910:user/ci"
    , "arn:aws:iam::12345678910:user/person1"
  ]
  read_data_arns = [
    "arn:aws:iam::12345678910:user/person1",
    "arn:aws:iam::12345678910:role/appA",
skuenzli / create-and-use-echo-service.sh
Last active February 5, 2019 23:06
Simple Echo Service on Docker Swarm
# Create an 'echo' service on a Swarm that replies back whatever you send it
docker service create --name echo --publish '8000:8' busybox:1.29 nc -v -lk -p 8 -e /bin/cat
# talk to the service, assuming you're on a Swarm node; change localhost to a Swarm node hostname if remote
echo "hello netcat my old friend..." | nc localhost -w 3 8000
echo "i've come to test connection behavior again." | nc localhost -w 3 8000