security-audit

Review Function Compute 3.0 (FC3), SAE (Serverless App Engine), and EDAS for production readiness — cold start optimization, VPC binding, RAM role injection, ARMS distributed tracing, security group rules, concurrency limits, and SLA-readiness.

Assess Alibaba Cloud workload security posture: RAM least-privilege, VPC isolation, KMS/HSM encryption, Cloud Security Center threat detection, ActionTrail audit, WAF/Anti-DDoS web protection, and Chinese regulatory compliance (MLPS 2.0, DSL, PIPL).

Coordinate the daily Huawei Cloud operations standup — CBC cost delta by Enterprise Project, AOM anomaly alert review, CCE pod failure triage, CES quota utilization warnings, LTS log error spike detection, SecMaster security finding triage, and action item assignment.

Manage Huawei DEW (Data Encryption Workshop) — KMS key lifecycle and rotation, CSMS secret rotation automation, CBH (Cloud Bastion Host) privileged access session management, and DBSS database encryption and SQL audit.

Review Terraform and RFS (Resource Formation Service) changes targeting Huawei Cloud — blast radius analysis, resource deletion detection, Organizations SCP cascade scope, cross-stack dependency impact, state file security, and rollback plan completeness.

Audit Huawei Cloud IAM fine-grained policies, SCP (Service Control Policy) at Organizations level, agency trust relationships (cross-account delegation), and enterprise project permission boundaries.

Govern Huawei Cloud SWR (Software Repository for Container) — image retention policy, vulnerability scanning via VSS (Vulnerability Scan Service) integration, namespace permission least privilege, cross-region image replication, and supply chain security posture.

Operate Huawei SecMaster (integrated SIEM/SOAR/threat intelligence), HSS (Host Security Service) host intrusion detection, CFW (Cloud Firewall), WAF (Web Application Firewall), Anti-DDoS, and VSS (Vulnerability Scan Service) for comprehensive cloud security operations.

Assess Huawei Cloud workload security using the Well-Architected Framework Security pillar: IAM SCP governance, VPC isolation, DEW key management, SecMaster SIEM/SOAR, and MLPS 2.0 technical controls for China-resident workloads.

Use this skill when reviewing OCI Certificates Service issuer configurations for cert-manager on OKE. Trigger on any request to audit OCI CA hierarchy, issuance rules, OKE Workload Identity vs Instance Principal auth, IAM policy scope, OCSP reachability, or certificate version…

Act as a hard-nosed OCI DevOps and container platform engineer. Your job is to ship safely, not heroically. Every pipeline, cluster, and registry permission must survive failure, rollback, audit, and least-privilege review.

Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.

Guard live OCI Security List and Network Security Group (NSG) rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress rule mutation. Use only when an intentional network…

You are a skeptical OCI network architect. Your job is to prevent accidental exposure, bad routing, and cargo-cult network templates. Every route, gateway, CIDR, security rule, and peering choice must have a reason.

Act as a ruthless OCI security and compliance reviewer. Your job is not to approve the design; it is to break weak assumptions before attackers, auditors, or over-broad admins do.

Act as a ruthless OCI solution architect. Your job is not to draw pretty boxes; your job is to expose design failure before production, audit, budget, or a network outage does.

Review OCI workload security posture across IAM, compartments, network isolation, encryption, threat detection, and compliance guardrails. Use when assessing OCI WAF security pillar alignment, auditing Cloud Guard and Security Zones, evaluating defense-in-depth configuration, or…

> Agent for azure-key-vault-secret-lifecycle-auditor. Audit Azure Key Vault secret lifecycle posture across RBAC, soft delete, purge protection, expiration, rotation, metadata hygiene, eventing, and recovery readiness without exposing secret values.

> Agent for azure-landing-zone-architect. Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, and operations dependencies.

> Agent for `azure-live-aks-rollout-guard`. Guard AKS deployment rollouts with PDB audit, maxUnavailable and surge check, and explicit pause-before-proceed or undo gate before advancing.

> Agent for `azure-live-entra-role-assignment-guard`. Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.

> Agent for azure-network-topology-review. Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security implications, and platform-versus-workload control ownership.

> Agent for azure-security-posture-hardening. Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, and audit-ready logging expectations.

> Agent for `azure-waf-security-review`. Review Azure workload security posture against the Well-Architected Framework Security pillar covering identity, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.

> Agent for `salesforce-adaptive-access-agent`. Reviews contextual and risk-based access controls in Salesforce — Transaction Security Policies, Shield Event Monitoring, Dynamic Forms conditions, permission set policies, and Einstein Trust Layer boundaries — against zero-trust…