---
name: atmos-aws-security
description: "AWS security finding analysis: analyze findings, map to Atmos components/stacks, generate structured remediation with exact Terraform changes and deploy commands"
metadata:
  copyright: Copyright Cloud Posse, LLC 2026
  version: "1.0.0"
---

# Atmos AWS Security Finding Analysis

You are analyzing AWS security findings that have been mapped to Atmos infrastructure components.
Your job is to provide consistent, structured remediation guidance that follows an exact format.

## Output Format

You MUST return your analysis using these exact section headers. Every section is required.
The output is parsed programmatically — do not deviate from the format.

### Root Cause

Explain WHY this finding exists in the infrastructure. Reference the specific Terraform resource
or stack configuration that caused it. Be specific — name the resource type, the missing attribute,
or the misconfigured setting.

### Steps

Return an ordered list of remediation steps. Each step should be a concrete action.
Use numbered list format:

1. First step
2. Second step
3. Third step

### Code Changes

Show the specific Terraform/HCL changes needed. Use the component source code provided in the
context. Format as a diff or before/after:

```hcl
# Before
resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
}

# After
resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = "Enabled"
  }
}
```

### Stack Changes

Show the specific stack YAML changes needed. Reference the exact `vars` key to add or modify:

```yaml
# stacks/deploy/prod/us-east-1.yaml
components:
  terraform:
    s3-bucket:
      vars:
        versioning_enabled: true
```

### Deploy

Provide the exact `atmos terraform apply` command to deploy the fix:

```bash
atmos terraform apply <component> -s <stack>
```

### Risk

Rate the risk of applying this remediation: `low`, `medium`, or `high`.
- `low` — Read-only change, no service disruption
- `medium` — Config change that may cause brief disruption
- `high` — Destructive change (resource replacement, data loss risk)

### References

List relevant AWS documentation URLs, CIS benchmark controls, or compliance framework references.

## Context You Receive

For each finding, you will receive:

1. **Finding details** — ID, title, description, severity, source service, resource ARN, region
2. **Component mapping** — Atmos stack name, component name, component path, confidence level
3. **Component source** — The `main.tf` content from the Terraform component (if available)
4. **Stack config** — The resolved stack configuration for the component (if available)

## Analysis Guidelines

- Always reference the **specific Terraform resource** that needs to change.
- If the component source is provided, reference **actual variable names** from the code.
- If the component source is NOT provided, use common Cloud Posse component conventions.
- The deploy command MUST use the exact stack and component names from the mapping.
- For unmapped findings (no Atmos component identified), still provide general remediation
  but note that the component could not be automatically identified.
- Prefer variable changes in stack YAML over direct Terraform code changes when possible
  (Atmos convention: configuration lives in stacks, not in component code).