hjdave/everything-claude-code-zh
1
0
Fork 0
mirror of https://github.com/sweetwisdom/everything-claude-code-zh.git synced 2026-03-22 06:20:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: 完成所有文档的中文翻译并应用到项目

Browse Source
This commit is contained in:
xuxiang
2026-01-28 00:12:54 +08:00
parent 0ced59a26b
commit e133f58e1c
76 changed files with 6808 additions and 6170 deletions
Download Patch File Download Diff File Expand all files Collapse all files

290
skills/security-review/cloud-infrastructure-security.md
View File

@@ -1,49 +1,49 @@
| name | description |
|------|-------------|
| cloud-infrastructure-security | Use this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices. |
| cloud-infrastructure-security | 当部署到云平台、配置基础设施、管理 IAM 策略、设置日志/监控或实现 CI/CD 流水线时,请使用此技能。提供符合最佳实践的云安全检查清单。 |
# Cloud & Infrastructure Security Skill
# 云与基础设施安全技能 (Cloud & Infrastructure Security Skill)
This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards.
此技能旨在确保云基础设施、CI/CD 流水线(CI/CD Pipeline)和部署配置遵循安全最佳实践,并符合行业标准。
## When to Activate
## 何时激活
- Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare)
- Configuring IAM roles and permissions
- Setting up CI/CD pipelines
- Implementing infrastructure as code (Terraform, CloudFormation)
- Configuring logging and monitoring
- Managing secrets in cloud environments
- Setting up CDN and edge security
- Implementing disaster recovery and backup strategies
- 将应用程序部署到云平台(AWS, Vercel, Railway, Cloudflare
- 配置身份与访问管理IAM角色和权限
- 设置 CI/CD 流水线(CI/CD Pipeline
- 实现基础设施即代码Infrastructure as Code, IaC Terraform, CloudFormation
- 配置日志记录Logging与监控Monitoring
- 在云环境中管理机密Secrets
- 设置 CDN 与边缘安全
- 实现容灾Disaster Recovery)与备份策略
## Cloud Security Checklist
## 云安全检查清单
### 1. IAM & Access Control
### 1. IAM 与访问控制 (IAM & Access Control)
#### Principle of Least Privilege
#### 最小特权原则 (Principle of Least Privilege)
```yaml
# ✅ CORRECT: Minimal permissions
# ✅ 正确:最小权限
iam_role:
permissions:
- s3:GetObject # Only read access
- s3:GetObject # 仅读取权限
- s3:ListBucket
resources:
- arn:aws:s3:::my-bucket/* # Specific bucket only
- arn:aws:s3:::my-bucket/* # 仅限特定存储桶
# ❌ WRONG: Overly broad permissions
# ❌ 错误:权限过大
iam_role:
permissions:
- s3:* # All S3 actions
- s3:* # 所有 S3 操作
resources:
- "*" # All resources
- "*" # 所有资源
```
#### Multi-Factor Authentication (MFA)
#### 多因素身份验证 (Multi-Factor Authentication, MFA)
```bash
# ALWAYS enable MFA for root/admin accounts
# 务必为 root/管理员账户启用 MFA
aws iam enable-mfa-device \
--user-name admin \
--serial-number arn:aws:iam::123456789:mfa/admin \
@@ -51,98 +51,98 @@ aws iam enable-mfa-device \
--authentication-code2 789012
```
#### Verification Steps
#### 验证步骤
- [ ] No root account usage in production
- [ ] MFA enabled for all privileged accounts
- [ ] Service accounts use roles, not long-lived credentials
- [ ] IAM policies follow least privilege
- [ ] Regular access reviews conducted
- [ ] Unused credentials rotated or removed
- [ ] 生产环境中不使用 root 账户
- [ ] 所有特权账户均启用 MFA
- [ ] 服务账号(Service accounts使用角色Roles而非长期凭据
- [ ] IAM 策略遵循最小特权原则
- [ ] 定期进行访问权限审查
- [ ] 轮换或移除未使用的凭据
### 2. Secrets Management
### 2. 机密管理 (Secrets Management)
#### Cloud Secrets Managers
#### 云端机密管理器 (Cloud Secrets Managers)
```typescript
// ✅ CORRECT: Use cloud secrets manager
// ✅ 正确:使用云端机密管理器
import { SecretsManager } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManager({ region: 'us-east-1' });
const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
const apiKey = JSON.parse(secret.SecretString).key;
// ❌ WRONG: Hardcoded or in environment variables only
const apiKey = process.env.API_KEY; // Not rotated, not audited
// ❌ 错误:硬编码或仅存在于环境变量中
const apiKey = process.env.API_KEY; // 无法轮换,无法审计
```
#### Secrets Rotation
#### 机密轮换 (Secrets Rotation)
```bash
# Set up automatic rotation for database credentials
# 为数据库凭据设置自动轮换
aws secretsmanager rotate-secret \
--secret-id prod/db-password \
--rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \
--rotation-rules AutomaticallyAfterDays=30
```
#### Verification Steps
#### 验证步骤
- [ ] All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets)
- [ ] Automatic rotation enabled for database credentials
- [ ] API keys rotated at least quarterly
- [ ] No secrets in code, logs, or error messages
- [ ] Audit logging enabled for secret access
- [ ] 所有机密均存储在云端机密管理器中(如 AWS Secrets Manager, Vercel Secrets
- [ ] 数据库凭据已启用自动轮换
- [ ] API 密钥至少每季度轮换一次
- [ ] 代码、日志或错误消息中不包含机密
- [ ] 已为机密访问启用审计日志
### 3. Network Security
### 3. 网络安全 (Network Security)
#### VPC and Firewall Configuration
#### VPC 与防火墙配置 (VPC and Firewall Configuration)
```terraform
# ✅ CORRECT: Restricted security group
# ✅ 正确:受限的安全组
resource "aws_security_group" "app" {
name = "app-sg"
ingress {
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["10.0.0.0/16"] # Internal VPC only
cidr_blocks = ["10.0.0.0/16"] # 仅限内部 VPC
}
egress {
egres s {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Only HTTPS outbound
cidr_blocks = ["0.0.0.0/0"] # 仅允许 HTTPS 出站
}
}
# ❌ WRONG: Open to the internet
# ❌ 错误:对互联网开放
resource "aws_security_group" "bad" {
ingress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # All ports, all IPs!
cidr_blocks = ["0.0.0.0/0"] # 所有端口,所有 IP
}
}
```
#### Verification Steps
#### 验证步骤
- [ ] Database not publicly accessible
- [ ] SSH/RDP ports restricted to VPN/bastion only
- [ ] Security groups follow least privilege
- [ ] Network ACLs configured
- [ ] VPC flow logs enabled
- [ ] 数据库不可通过公网访问
- [ ] SSH/RDP 端口仅限制在 VPN/堡垒机访问
- [ ] 安全组遵循最小特权原则
- [ ] 已配置网络 ACLNetwork ACLs
- [ ] 已启用 VPC 流日志(VPC flow logs
### 4. Logging & Monitoring
### 4. 日志记录与监控 (Logging & Monitoring)
#### CloudWatch/Logging Configuration
#### CloudWatch/日志配置 (CloudWatch/Logging Configuration)
```typescript
// ✅ CORRECT: Comprehensive logging
// ✅ 正确:全面的日志记录
import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';
const logSecurityEvent = async (event: SecurityEvent) => {
@@ -156,28 +156,28 @@ const logSecurityEvent = async (event: SecurityEvent) => {
userId: event.userId,
ip: event.ip,
result: event.result,
// Never log sensitive data
// 严禁记录敏感数据
})
}]
});
};
```
#### Verification Steps
#### 验证步骤
- [ ] CloudWatch/logging enabled for all services
- [ ] Failed authentication attempts logged
- [ ] Admin actions audited
- [ ] Log retention configured (90+ days for compliance)
- [ ] Alerts configured for suspicious activity
- [ ] Logs centralized and tamper-proof
- [ ] 所有服务均启用了 CloudWatch/日志记录
- [ ] 已记录失败的身份验证尝试
- [ ] 管理员操作已审计
- [ ] 已配置日志保留策略(合规性要求通常为 90 天以上)
- [ ] 为可疑活动配置了告警
- [ ] 日志采用集中化存储且具备防篡改能力
### 5. CI/CD Pipeline Security
### 5. CI/CD 流水线安全 (CI/CD Pipeline Security)
#### Secure Pipeline Configuration
#### 安全流水线配置 (Secure Pipeline Configuration)
```yaml
# ✅ CORRECT: Secure GitHub Actions workflow
# ✅ 正确:安全的 GitHub Actions 工作流
name: Deploy
on:
@@ -188,20 +188,20 @@ jobs:
deploy:
runs-on: ubuntu-latest
permissions:
contents: read # Minimal permissions
contents: read # 最小权限
steps:
- uses: actions/checkout@v4
# Scan for secrets
# 扫描机密
- name: Secret scanning
uses: trufflesecurity/trufflehog@main
# Dependency audit
# 依赖项审计
- name: Audit dependencies
run: npm audit --audit-level=high
# Use OIDC, not long-lived tokens
# 使用 OIDC,而非长期令牌
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
@@ -209,40 +209,40 @@ jobs:
aws-region: us-east-1
```
#### Supply Chain Security
#### 供应链安全 (Supply Chain Security)
```json
// package.json - Use lock files and integrity checks
// package.json - 使用 lock 文件和完整性检查
{
"scripts": {
"install": "npm ci", // Use ci for reproducible builds
"install": "npm ci", // 使用 ci 以获得可复现的构建
"audit": "npm audit --audit-level=moderate",
"check": "npm outdated"
}
}
```
#### Verification Steps
#### 验证步骤
- [ ] OIDC used instead of long-lived credentials
- [ ] Secrets scanning in pipeline
- [ ] Dependency vulnerability scanning
- [ ] Container image scanning (if applicable)
- [ ] Branch protection rules enforced
- [ ] Code review required before merge
- [ ] Signed commits enforced
- [ ] 使用 OIDC 代替长期凭据
- [ ] 在流水线中进行机密扫描
- [ ] 依赖项漏洞扫描
- [ ] 容器镜像扫描(如适用)
- [ ] 强制执行分支保护规则
- [ ] 合并前必须进行代码审查
- [ ] 强制执行签名提交(Signed commits
### 6. Cloudflare & CDN Security
### 6. Cloudflare 与 CDN 安全 (Cloudflare & CDN Security)
#### Cloudflare Security Configuration
#### Cloudflare 安全配置
```typescript
// ✅ CORRECT: Cloudflare Workers with security headers
// ✅ 正确:带有安全响应头的 Cloudflare Workers
export default {
async fetch(request: Request): Promise<Response> {
const response = await fetch(request);
// Add security headers
// 添加安全响应头
const headers = new Headers(response.headers);
headers.set('X-Frame-Options', 'DENY');
headers.set('X-Content-Type-Options', 'nosniff');
@@ -257,105 +257,105 @@ export default {
};
```
#### WAF Rules
#### WAF 规则
```bash
# Enable Cloudflare WAF managed rules
# - OWASP Core Ruleset
# - Cloudflare Managed Ruleset
# - Rate limiting rules
# - Bot protection
# 启用 Cloudflare WAF 托管规则
# - OWASP 核心规则集
# - Cloudflare 托管规则集
# - 速率限制规则
# - 机器人保护
```
#### Verification Steps
#### 验证步骤
- [ ] WAF enabled with OWASP rules
- [ ] Rate limiting configured
- [ ] Bot protection active
- [ ] DDoS protection enabled
- [ ] Security headers configured
- [ ] SSL/TLS strict mode enabled
- [ ] 已启用 WAF 并配置了 OWASP 规则
- [ ] 已配置速率限制(Rate limiting
- [ ] 机器人保护(Bot protection)已激活
- [ ] 已启用 DDoS 防护
- [ ] 已配置安全响应头
- [ ] 已启用 SSL/TLS 严格模式
### 7. Backup & Disaster Recovery
### 7. 备份与容灾 (Backup & Disaster Recovery)
#### Automated Backups
#### 自动化备份
```terraform
# ✅ CORRECT: Automated RDS backups
# ✅ 正确RDS 自动化备份
resource "aws_db_instance" "main" {
allocated_storage = 20
engine = "postgres"
backup_retention_period = 30 # 30 days retention
backup_retention_period = 30 # 保留 30 天
backup_window = "03:00-04:00"
maintenance_window = "mon:04:00-mon:05:00"
enabled_cloudwatch_logs_exports = ["postgresql"]
deletion_protection = true # Prevent accidental deletion
deletion_protection = true # 防止误删
}
```
#### Verification Steps
#### 验证步骤
- [ ] Automated daily backups configured
- [ ] Backup retention meets compliance requirements
- [ ] Point-in-time recovery enabled
- [ ] Backup testing performed quarterly
- [ ] Disaster recovery plan documented
- [ ] RPO and RTO defined and tested
- [ ] 已配置每日自动化备份
- [ ] 备份保留时间符合合规性要求
- [ ] 已启用时间点恢复(Point-in-time recovery
- [ ] 每季度进行备份测试
- [ ] 已记录容灾计划文档
- [ ] 已定义并测试 RPO恢复点目标和 RTO恢复时间目标
## Pre-Deployment Cloud Security Checklist
## 部署前云安全检查表 (Pre-Deployment Cloud Security Checklist)
Before ANY production cloud deployment:
在任何生产环境云部署之前:
- [ ] **IAM**: Root account not used, MFA enabled, least privilege policies
- [ ] **Secrets**: All secrets in cloud secrets manager with rotation
- [ ] **Network**: Security groups restricted, no public databases
- [ ] **Logging**: CloudWatch/logging enabled with retention
- [ ] **Monitoring**: Alerts configured for anomalies
- [ ] **CI/CD**: OIDC auth, secrets scanning, dependency audits
- [ ] **CDN/WAF**: Cloudflare WAF enabled with OWASP rules
- [ ] **Encryption**: Data encrypted at rest and in transit
- [ ] **Backups**: Automated backups with tested recovery
- [ ] **Compliance**: GDPR/HIPAA requirements met (if applicable)
- [ ] **Documentation**: Infrastructure documented, runbooks created
- [ ] **Incident Response**: Security incident plan in place
- [ ] **IAM**:不使用 root 账户,启用 MFA执行最小特权策略
- [ ] **机密 (Secrets)**:所有机密均存放在带轮换机制的云端机密管理器中
- [ ] **网络 (Network)**:受限的安全组,无公网数据库
- [ ] **日志 (Logging)**:启用带保留策略的 CloudWatch/日志记录
- [ ] **监控 (Monitoring)**:为异常活动配置告警
- [ ] **CI/CD**OIDC 认证、机密扫描、依赖项审计
- [ ] **CDN/WAF**:启用带 OWASP 规则的 Cloudflare WAF
- [ ] **加密 (Encryption)**:数据在静态(at rest)和传输(in transit)中均已加密
- [ ] **备份 (Backups)**:带有恢复测试的自动化备份
- [ ] **合规性 (Compliance)**:满足 GDPR/HIPAA 等要求(如适用)
- [ ] **文档 (Documentation)**基础设施已记录文档创建了运行手册Runbooks
- [ ] **事件响应 (Incident Response)**:已制定安全事件响应计划
## Common Cloud Security Misconfigurations
## 常见的云安全错误配置 (Common Cloud Security Misconfigurations)
### S3 Bucket Exposure
### S3 存储桶暴露
```bash
# ❌ WRONG: Public bucket
# ❌ 错误:公共存储桶
aws s3api put-bucket-acl --bucket my-bucket --acl public-read
# ✅ CORRECT: Private bucket with specific access
# ✅ 正确:具有特定访问权限的私有存储桶
aws s3api put-bucket-acl --bucket my-bucket --acl private
aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
```
### RDS Public Access
### RDS 公网访问
```terraform
# ❌ WRONG
# ❌ 错误
resource "aws_db_instance" "bad" {
publicly_accessible = true # NEVER do this!
publicly_accessible = true # 绝不要这样做!
}
# ✅ CORRECT
# ✅ 正确
resource "aws_db_instance" "good" {
publicly_accessible = false
vpc_security_group_ids = [aws_security_group.db.id]
}
```
## Resources
## 资源 (Resources)
- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)
- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
- [Cloudflare Security Documentation](https://developers.cloudflare.com/security/)
- [OWASP Cloud Security](https://owasp.org/www-project-cloud-security/)
- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/)
- [AWS 安全最佳实践](https://aws.amazon.com/security/best-practices/)
- [CIS AWS 基础基准](https://www.cisecurity.org/benchmark/amazon_web_services)
- [Cloudflare 安全文档](https://developers.cloudflare.com/security/)
- [OWASP 云安全](https://owasp.org/www-project-cloud-security/)
- [Terraform 安全最佳实践](https://www.terraform.io/docs/cloud/guides/recommended-practices/)
**Remember**: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.
**请记住**:云端配置错误是导致数据泄露的主要原因。一个暴露的 S3 存储桶或权限过大的 IAM 策略就可能危害您的整个基础设施。请务必遵循最小特权原则和纵深防御原则。