feat: AWS Security & Compliance — finding-to-code mapping with AI remediation

.claude/skills/atmos-aws-security

@@ -0,0 +1 @@
+../../agent-skills/skills/atmos-aws-security

.golangci.yml

@@ -70,6 +70,7 @@ linters:
             - "!**/internal/aws_utils/**"
             - "!**/pkg/aws/identity/**"
             - "!**/pkg/aws/organization/**"
+            - "!**/pkg/aws/security/**"
             - "!**/pkg/provisioner/backend/**"
             - "!**/pkg/ci/github/**"
             - "!**/pkg/ci/planfile/github/**"

NOTICE

@@ -39,15 +39,15 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - cloud.google.com/go/iam
     License: Apache-2.0
-    URL: https://github.com/googleapis/google-cloud-go/blob/iam/v1.6.0/iam/LICENSE
+    URL: https://github.com/googleapis/google-cloud-go/blob/iam/v1.7.0/iam/LICENSE
 
   - cloud.google.com/go/monitoring
     License: Apache-2.0
-    URL: https://github.com/googleapis/google-cloud-go/blob/monitoring/v1.24.3/monitoring/LICENSE
+    URL: https://github.com/googleapis/google-cloud-go/blob/monitoring/v1.25.0/monitoring/LICENSE
 
   - cloud.google.com/go/secretmanager
     License: Apache-2.0
-    URL: https://github.com/googleapis/google-cloud-go/blob/secretmanager/v1.16.0/secretmanager/LICENSE
+    URL: https://github.com/googleapis/google-cloud-go/blob/secretmanager/v1.17.0/secretmanager/LICENSE
 
   - cloud.google.com/go/storage
     License: Apache-2.0
@@ -107,19 +107,19 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/config
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.32.13/config/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.32.14/config/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/credentials
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.19.13/credentials/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.19.14/credentials/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/feature/ec2/imds
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.18.21/feature/ec2/imds/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/feature/s3/manager
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.22.11/feature/s3/manager/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.22.12/feature/s3/manager/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/internal/configsources
     License: Apache-2.0
@@ -169,6 +169,10 @@ APACHE 2.0 LICENSED DEPENDENCIES
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/service/organizations/v1.51.0/service/organizations/LICENSE.txt
 
+  - github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi
+    License: Apache-2.0
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/resourcegroupstaggingapi/v1.31.10/service/resourcegroupstaggingapi/LICENSE.txt
+
   - github.com/aws/aws-sdk-go-v2/service/s3
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.98.0/service/s3/LICENSE.txt
@@ -177,6 +181,10 @@ APACHE 2.0 LICENSED DEPENDENCIES
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/service/secretsmanager/v1.41.5/service/secretsmanager/LICENSE.txt
 
+  - github.com/aws/aws-sdk-go-v2/service/securityhub
+    License: Apache-2.0
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/securityhub/v1.68.3/service/securityhub/LICENSE.txt
+
   - github.com/aws/aws-sdk-go-v2/service/signin
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/service/signin/v1.0.9/service/signin/LICENSE.txt
@@ -187,19 +195,19 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/service/sso
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.30.14/service/sso/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.30.15/service/sso/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/service/ssooidc
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.35.18/service/ssooidc/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.35.19/service/ssooidc/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/service/sts
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.41.10/service/sts/LICENSE.txt
 
   - github.com/aws/smithy-go
     License: Apache-2.0
-    URL: https://github.com/aws/smithy-go/blob/v1.24.2/LICENSE
+    URL: https://github.com/aws/smithy-go/blob/v1.24.3/LICENSE
 
   - github.com/cloudposse/atmos
     License: Apache-2.0
@@ -239,7 +247,7 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/containerd/platforms
     License: Apache-2.0
-    URL: https://github.com/containerd/platforms/blob/v1.0.0-rc.3/LICENSE
+    URL: https://github.com/containerd/platforms/blob/v1.0.0-rc.4/LICENSE
 
   - github.com/containerd/stargz-snapshotter/estargz
     License: Apache-2.0
@@ -287,7 +295,7 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/go-jose/go-jose/v4
     License: Apache-2.0
-    URL: https://github.com/go-jose/go-jose/blob/v4.1.3/LICENSE
+    URL: https://github.com/go-jose/go-jose/blob/v4.1.4/LICENSE
 
   - github.com/go-logr/logr
     License: Apache-2.0
@@ -547,15 +555,15 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - google.golang.org/genproto/googleapis
     License: Apache-2.0
-    URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/LICENSE
+    URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/LICENSE
 
   - google.golang.org/genproto/googleapis/api
     License: Apache-2.0
-    URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/googleapis/api/LICENSE
+    URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/googleapis/api/LICENSE
 
   - google.golang.org/genproto/googleapis/rpc
     License: Apache-2.0
-    URL: https://github.com/googleapis/go-genproto/blob/d5a96adf58d8/googleapis/rpc/LICENSE
+    URL: https://github.com/googleapis/go-genproto/blob/9d38bb4040a9/googleapis/rpc/LICENSE
 
   - google.golang.org/grpc
     License: Apache-2.0
@@ -648,7 +656,7 @@ BSD LICENSED DEPENDENCIES
 
   - github.com/aws/smithy-go/internal/sync/singleflight
     License: BSD-3-Clause
-    URL: https://github.com/aws/smithy-go/blob/v1.24.2/internal/sync/singleflight/LICENSE
+    URL: https://github.com/aws/smithy-go/blob/v1.24.3/internal/sync/singleflight/LICENSE
 
   - github.com/bearsh/hid/hidapi
     License: BSD-3-Clause
@@ -684,11 +692,11 @@ BSD LICENSED DEPENDENCIES
 
   - github.com/go-jose/go-jose/v3/json
     License: BSD-3-Clause
-    URL: https://github.com/go-jose/go-jose/blob/v3.0.4/json/LICENSE
+    URL: https://github.com/go-jose/go-jose/blob/v3.0.5/json/LICENSE
 
   - github.com/go-jose/go-jose/v4/json
     License: BSD-3-Clause
-    URL: https://github.com/go-jose/go-jose/blob/v4.1.3/json/LICENSE
+    URL: https://github.com/go-jose/go-jose/blob/v4.1.4/json/LICENSE
 
   - github.com/godbus/dbus
     License: BSD-2-Clause
@@ -728,7 +736,7 @@ BSD LICENSED DEPENDENCIES
 
   - github.com/googleapis/gax-go/v2
     License: BSD-3-Clause
-    URL: https://github.com/googleapis/gax-go/blob/v2.20.0/v2/LICENSE
+    URL: https://github.com/googleapis/gax-go/blob/v2.21.0/v2/LICENSE
 
   - github.com/gorilla/css/scanner
     License: BSD-3-Clause
@@ -872,11 +880,11 @@ BSD LICENSED DEPENDENCIES
 
   - google.golang.org/api
     License: BSD-3-Clause
-    URL: https://github.com/googleapis/google-api-go-client/blob/v0.273.1/LICENSE
+    URL: https://github.com/googleapis/google-api-go-client/blob/v0.274.0/LICENSE
 
   - google.golang.org/api/internal/third_party/uritemplates
     License: BSD-3-Clause
-    URL: https://github.com/googleapis/google-api-go-client/blob/v0.273.1/internal/third_party/uritemplates/LICENSE
+    URL: https://github.com/googleapis/google-api-go-client/blob/v0.274.0/internal/third_party/uritemplates/LICENSE
 
   - google.golang.org/protobuf
     License: BSD-3-Clause
@@ -957,7 +965,7 @@ MOZILLA PUBLIC LICENSE (MPL) 2.0 DEPENDENCIES
 
   - github.com/hashicorp/go-getter
     License: MPL-2.0
-    URL: https://github.com/hashicorp/go-getter/blob/v1.8.5/LICENSE
+    URL: https://github.com/hashicorp/go-getter/blob/v1.8.6/LICENSE
 
   - github.com/hashicorp/go-immutable-radix
     License: MPL-2.0
@@ -1082,7 +1090,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/Azure/azure-sdk-for-go/sdk/internal
     License: MIT
-    URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/internal/v1.11.2/sdk/internal/LICENSE.txt
+    URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/internal/v1.12.0/sdk/internal/LICENSE.txt
 
   - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions
     License: MIT
@@ -1154,7 +1162,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/anthropics/anthropic-sdk-go
     License: MIT
-    URL: https://github.com/anthropics/anthropic-sdk-go/blob/v1.27.1/LICENSE
+    URL: https://github.com/anthropics/anthropic-sdk-go/blob/v1.29.0/LICENSE
 
   - github.com/apparentlymart/go-cidr/cidr
     License: MIT
@@ -1438,7 +1446,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/huandu/go-sqlbuilder
     License: MIT
-    URL: https://github.com/huandu/go-sqlbuilder/blob/v1.40.0/LICENSE
+    URL: https://github.com/huandu/go-sqlbuilder/blob/v1.40.1/LICENSE
 
   - github.com/huandu/xstrings
     License: MIT
@@ -1454,11 +1462,11 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/itchyny/gojq
     License: MIT
-    URL: https://github.com/itchyny/gojq/blob/v0.12.18/LICENSE
+    URL: https://github.com/itchyny/gojq/blob/v0.12.19/LICENSE
 
   - github.com/itchyny/timefmt-go
     License: MIT
-    URL: https://github.com/itchyny/timefmt-go/blob/v0.1.7/LICENSE
+    URL: https://github.com/itchyny/timefmt-go/blob/v0.1.8/LICENSE
 
   - github.com/jbenet/go-context/io
     License: MIT
@@ -1522,7 +1530,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/lestrrat-go/dsig
     License: MIT
-    URL: https://github.com/lestrrat-go/dsig/blob/v1.0.0/LICENSE
+    URL: https://github.com/lestrrat-go/dsig/blob/v1.1.0/LICENSE
 
   - github.com/lestrrat-go/httpcc
     License: MIT
@@ -1762,7 +1770,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/yuin/gopher-lua
     License: MIT
-    URL: https://github.com/yuin/gopher-lua/blob/v1.1.1/LICENSE
+    URL: https://github.com/yuin/gopher-lua/blob/v1.1.2/LICENSE
 
   - github.com/zalando/go-keyring
     License: MIT

agent-skills/AGENTS.md

@@ -73,6 +73,7 @@ When a task involves Atmos, activate the matching skill for detailed guidance.
 | Toolchain management: install/exec/search tools, .tool-versions, Aqua registries, custom registries, aliases         | `atmos-toolchain`       | `agent-skills/skills/atmos-toolchain/SKILL.md`       |
 | Introspection: describe component/stacks/affected/dependents, list stacks/components/instances, querying, provenance | `atmos-introspection`   | `agent-skills/skills/atmos-introspection/SKILL.md`   |
 | Devcontainers: start/stop/attach/exec/shell, Docker/Podman, identity integration, instance management (experimental) | `atmos-devcontainer`    | `agent-skills/skills/atmos-devcontainer/SKILL.md`    |
+| AWS security: analyze findings, map to components/stacks, structured remediation, compliance reports                  | `atmos-aws-security`    | `agent-skills/skills/atmos-aws-security/SKILL.md`    |
 
 ## Common Patterns
 

agent-skills/skills/atmos-aws-security/SKILL.md

@@ -0,0 +1,108 @@
+---
+name: atmos-aws-security
+description: "AWS security finding analysis: analyze findings, map to Atmos components/stacks, generate structured remediation with exact Terraform changes and deploy commands"
+metadata:
+  copyright: Copyright Cloud Posse, LLC 2026
+  version: "1.0.0"
+---
+
+# Atmos AWS Security Finding Analysis
+
+You are analyzing AWS security findings that have been mapped to Atmos infrastructure components.
+Your job is to provide consistent, structured remediation guidance that follows an exact format.
+
+## Output Format
+
+You MUST return your analysis using these exact section headers. Every section is required.
+The output is parsed programmatically — do not deviate from the format.
+
+### Root Cause
+
+Explain WHY this finding exists in the infrastructure. Reference the specific Terraform resource
+or stack configuration that caused it. Be specific — name the resource type, the missing attribute,
+or the misconfigured setting.
+
+### Steps
+
+Return an ordered list of remediation steps. Each step should be a concrete action.
+Use numbered list format:
+
+1. First step
+2. Second step
+3. Third step
+
+### Code Changes
+
+Show the specific Terraform/HCL changes needed. Use the component source code provided in the
+context. Format as a diff or before/after:
+
+```hcl
+# Before
+resource "aws_s3_bucket" "this" {
+  bucket = var.bucket_name
+}
+
+# After
+resource "aws_s3_bucket" "this" {
+  bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+```
+
+### Stack Changes
+
+Show the specific stack YAML changes needed. Reference the exact `vars` key to add or modify:
+
+```yaml
+# stacks/deploy/prod/us-east-1.yaml
+components:
+  terraform:
+    s3-bucket:
+      vars:
+        versioning_enabled: true
+```
+
+### Deploy
+
+Provide the exact `atmos terraform apply` command to deploy the fix:
+
+```bash
+atmos terraform apply <component> -s <stack>
+```
+
+### Risk
+
+Rate the risk of applying this remediation: `low`, `medium`, or `high`.
+- `low` — Read-only change, no service disruption
+- `medium` — Config change that may cause brief disruption
+- `high` — Destructive change (resource replacement, data loss risk)
+
+### References
+
+List relevant AWS documentation URLs, CIS benchmark controls, or compliance framework references.
+
+## Context You Receive
+
+For each finding, you will receive:
+
+1. **Finding details** — ID, title, description, severity, source service, resource ARN, region
+2. **Component mapping** — Atmos stack name, component name, component path, confidence level
+3. **Component source** — The `main.tf` content from the Terraform component (if available)
+4. **Stack config** — The resolved stack configuration for the component (if available)
+
+## Analysis Guidelines
+
+- Always reference the **specific Terraform resource** that needs to change.
+- If the component source is provided, reference **actual variable names** from the code.
+- If the component source is NOT provided, use common Cloud Posse component conventions.
+- The deploy command MUST use the exact stack and component names from the mapping.
+- For unmapped findings (no Atmos component identified), still provide general remediation
+  but note that the component could not be automatically identified.
+- Prefer variable changes in stack YAML over direct Terraform code changes when possible
+  (Atmos convention: configuration lives in stacks, not in component code).

cmd/aws/aws.go

@@ -3,8 +3,10 @@ package aws
 import (
 	"github.com/spf13/cobra"
 
+	awscompliance "github.com/cloudposse/atmos/cmd/aws/compliance"
 	"github.com/cloudposse/atmos/cmd/aws/ecr"
 	"github.com/cloudposse/atmos/cmd/aws/eks"
+	awssecurity "github.com/cloudposse/atmos/cmd/aws/security"
 	"github.com/cloudposse/atmos/cmd/internal"
 	"github.com/cloudposse/atmos/pkg/flags"
 	"github.com/cloudposse/atmos/pkg/flags/compat"
@@ -31,6 +33,12 @@ func init() {
 	// Add EKS subcommand from the eks subpackage.
 	awsCmd.AddCommand(eks.EksCmd)
 
+	// Add Security subcommand from the security subpackage.
+	awsCmd.AddCommand(awssecurity.SecurityCmd)
+
+	// Add Compliance subcommand from the compliance subpackage.
+	awsCmd.AddCommand(awscompliance.ComplianceCmd)
+
 	// Register this command with the registry.
 	internal.Register(&AWSCommandProvider{})
 }