AWS CLIを利用して、inspectorの診断を実行します
前提条件
本手順はJAWS-UG CLI専門支部の実施したハンズオン手順です。
全工程については下記総合案内をご確認ください。
#91 Amazon Inspector 入門 (CloudWatch Eventで定期診断編)
Inspectorへの権限
Inspectorに対してフル権限があること。
AWS CLIのバージョン
以下のバージョンで動作確認済
- AWS CLI 1.11.122
コマンド
aws --version
結果(例):
aws-cli/1.11.122 Python/2.7.10 Linux/4.1.27-25.49.amzn1.x86_64 botocore/1.5.85
バージョンが古い場合は最新版に更新しましょう。
コマンド
sudo -H pip install -U awscli
0. 準備
まず変数の確認をします。
変数の確認
cat << ETX
AWS_DEFAULT_PROFILE: (0.1) ${AWS_DEFAULT_PROFILE}
IAM_ROLE_NAME (0.2) ${IAM_ROLE_NAME}
IAM_ROLE_ARN (0.3) ${IAM_ROLE_ARN}
TAG_KEY: (0.4) ${TAG_KEY}
TAG_VALUE: (0.4) ${TAG_VALUE}
ETX
結果(例):
AWS_DEFAULT_PROFILE: (0.1) <IAMのフル権限を許可されたプロファイル>
IAM_ROLE_NAME (0.2) inspector_role
IAM_ROLE_ARN (0.3) arn:aws:iam::549352348160:role/inspector_role
TAG_KEY: (0.4) inspector
TAG_VALUE: (0.4) ON
変数が入っていない、適切でない場合は、それぞれの手順番号について作業を
行います。
0.1. プロファイルの指定
プロファイルの一覧を確認します。
コマンド
cat ~/.aws/credentials \
| grep '\[' \
| sed 's/\[//g' | sed 's/\]//g'
結果(例):
iamFull-prjz-mbpr13
<IAMのフル権限を許可されたプロファイル>
変数の設定
export AWS_DEFAULT_PROFILE='<IAMのフル権限を許可されたプロファイル>'
0.2. IAMロール名の指定
変数の設定
IAM_ROLE_NAME='inspector_role'
0.3. IAMロールARNの指定
IAMロールのARN確認
コマンド
IAM_ROLE_ARN=$( \
aws iam get-role \
--role-name ${IAM_ROLE_NAME} \
--query 'Role.Arn' \
--output text \
) \
&& echo "${IAM_ROLE_ARN}"
結果(例):
arn:aws:iam::xxxxx:role/inspector_role
0.4. タグの決定
変数の設定
TAG_KEY='inspector'
TAG_VALUE='ON'
最終確認
変数の確認
cat << ETX
AWS_DEFAULT_PROFILE: (0.1) ${AWS_DEFAULT_PROFILE}
IAM_ROLE_NAME (0.2) ${IAM_ROLE_NAME}
IAM_ROLE_ARN (0.3) ${IAM_ROLE_ARN}
TAG_KEY: (0.4) ${TAG_KEY}
TAG_VALUE: (0.4) ${TAG_VALUE}
ETX
結果(例):
AWS_DEFAULT_PROFILE: (0.1) <IAMのフル権限を許可されたプロファイル>
IAM_ROLE_NAME (0.2) inspector_role
IAM_ROLE_ARN (0.3) arn:aws:iam::549352348160:role/inspector_role
TAG_KEY: (0.4) inspector
TAG_VALUE: (0.4) ON
本作業
1.1.InspectorのIAMロール設定
コマンド
aws inspector register-cross-account-access-role \
--role-arn ${IAM_ROLE_ARN}
結果:
(戻り値なし)
1.2.InspectorのIAMロール確認
コマンド
aws inspector describe-cross-account-access-role
結果(例):
{
"roleArn": "arn:aws:iam::xxxxxxxx:role/inspector_role",
"valid": true,
"registeredAt": 1500862785.86
}
2.1.InspectorのResource Group作成
コマンド
RESOURCE_GROUP_ARN=$( \
aws inspector create-resource-group \
--resource-group-tags key=${TAG_KEY},value=${TAG_VALUE} \
--output text \
) \
&& echo ${RESOURCE_GROUP_ARN}
結果(例):
arn:aws:inspector:ap-northeast-1:xxxxxxx:resourcegroup/0-UkYD9fxq
2.2.InspectorのResource Group作成確認
コマンド
aws inspector describe-resource-groups \
--resource-group-arns ${RESOURCE_GROUP_ARN}
結果(例):
{
"resourceGroups": [
{
"createdAt": 1500863851.289,
"arn": "arn:aws:inspector:ap-northeast-1:549352348160:resourcegroup/0-UkYD9fxq",
"tags": [
{
"value": "ON",
"key": "inspector"
}
]
}
],
"failedItems": {}
}
3.1.InspectorのAssessment Target名指定
コマンド
ASSESSMENT_TARGET_NAME="Inspector_target"
3.2.設定用変数の確認
コマンド
cat << ETX
RESOURCE_GROUP_ARN: ${RESOURCE_GROUP_ARN}
ASSESSMENT_TARGET_NAME: ${ASSESSMENT_TARGET_NAME}
ETX
結果(例):
RESOURCE_GROUP_ARN: arn:aws:inspector:ap-northeast-1:xxxxx:resourcegroup/0-UkYD9fxq
ASSESSMENT_TARGET_NAME: Inspector_target
3.3.InspectorのAssessment Target作成
コマンド
ASSESSMENT_TARGET_ARN=$( \
aws inspector create-assessment-target \
--assessment-target-name ${ASSESSMENT_TARGET_NAME} \
--resource-group-arn ${RESOURCE_GROUP_ARN} \
--output text \
) \
&& echo ${ASSESSMENT_TARGET_ARN}
結果(例):
arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K
4.1.InspectorのRule Package確認
コマンド
aws inspector list-rules-packages
結果(例):
{
"rulesPackageArns": [
"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
]
}
ARNの一覧だけでどのような内容のルールかはこの時点ではわからない
今回はセキュリティのベストプラクティスを選択する(Security Best Practices-1.0)
4.2.Rule Package指定
コマンド
RULES_PACKAGE_ARN="arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
ASSESSMENT_TEMPLATE_NAME="template-security-15m"
DURATION_SEC="900"
4.3.設定用変数の確認
コマンド
cat << ETX
RULES_PACKAGE_ARN: ${RULES_PACKAGE_ARN}
ASSESSMENT_TARGET_ARN: ${ASSESSMENT_TARGET_ARN}
ASSESSMENT_TEMPLATE_NAME: ${ASSESSMENT_TEMPLATE_NAME}
DURATION_SEC: ${DURATION_SEC}
ETX
結果(例):
RULES_PACKAGE_ARN: arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq
ASSESSMENT_TARGET_ARN: arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K
ASSESSMENT_TEMPLATE_NAME: template-security-15m
DURATION_SEC: 900 (診断時間 15分)
5.1.Assessment Template作成
コマンド
ASSESSMENT_TEMPLATE_ARN=$( \
aws inspector create-assessment-template \
--assessment-target-arn ${ASSESSMENT_TARGET_ARN} \
--assessment-template-name ${ASSESSMENT_TEMPLATE_NAME} \
--duration-in-seconds ${DURATION_SEC} \
--rules-package-arn ${RULES_PACKAGE_ARN} \
--output text \
) \
&& echo ${ASSESSMENT_TEMPLATE_ARN}
結果(例):
arn:aws:inspector:ap-northeast-1xxxxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp
5.2.Assessment Template確認
コマンド
aws inspector describe-assessment-templates \
--assessment-template-arns ${ASSESSMENT_TEMPLATE_ARN}
結果(例):
{
"assessmentTemplates": [
{
"assessmentTargetArn": "arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K",
"name": "template-security-15m",
"createdAt": 1500870768.464,
"durationInSeconds": 900,
"rulesPackageArns": [
"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
],
"userAttributesForFindings": [],
"arn": "arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K/template/0-YZMRHdpp"
}
],
"failedItems": {}
}
6.1.評価実行名の指定
コマンド
RUN_NAME="CLI_RUN_15M"
6.2.設定用変数の確認
コマンド
cat << ETX
RUN_NAME: ${RUN_NAME}
ASSESSMENT_TEMPLATE_ARN: ${ASSESSMENT_TEMPLATE_ARN}
ETX
結果(例):
RUN_NAME: CLI_RUN_15M
ASSESSMENT_TEMPLATE_ARN: arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp
6.3.評価の実行
コマンド
ASSESSMENT_RUN_ARN=$( \
aws inspector start-assessment-run \
--assessment-template-arn ${ASSESSMENT_TEMPLATE_ARN} \
--assessment-run-name ${RUN_NAME} \
--output text \
) \
&& echo ${ASSESSMENT_RUN_ARN}
結果(例):
arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K/template/0-YZMRHdpp/run/0-GwNJOY8d
実行後15分ほどで診断が完了します。
6.4.実行ステータスの確認
コマンド
aws inspector describe-assessment-runs \
--assessment-run-arns ${ASSESSMENT_RUN_ARN}
結果(例):
{
"failedItems": {},
"assessmentRuns": [
{
"dataCollected": false,
"name": "CLI_RUN_15M",
"userAttributesForFindings": [],
"stateChanges": [
{
"state": "CREATED",
"stateChangedAt": 1500875595.661
},
{
"state": "START_DATA_COLLECTION_PENDING",
"stateChangedAt": 1500875595.755
},
{
"state": "START_DATA_COLLECTION_IN_PROGRESS",
"stateChangedAt": 1500875595.858
},
{
"state": "COLLECTING_DATA",
"stateChangedAt": 1500875595.929
}
],
"createdAt": 1500875595.661,
"notifications": [],
"state": "COLLECTING_DATA",
"stateChangedAt": 1500875595.929,
"durationInSeconds": 900,
"rulesPackageArns": [
"arn:aws:inspector:ap-northeast-1:xxxx:rulespackage/0-bBUQnxMq"
],
"startedAt": 1500875595.929,
"assessmentTemplateArn": "arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp",
"arn": "arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp/run/0-itgbnAwA"
}
]
}
完了まで大体15分ほどかかるため次のスケジュール設定に進みます(スケジュール設定をしない人はそのまま待機)
6.5.診断レポートの確認
診断進捗の確認
コマンド
aws inspector describe-assessment-runs \
--assessment-run-arns "${ASSESSMENT_RUN_ARN}" \
--query 'assessmentRuns[].state' \
--output text
stateがCOMPLETEDに変わってから実行します
コマンド
aws inspector get-assessment-report \
--assessment-run-arn ${ASSESSMENT_RUN_ARN} \
--report-file-format HTML \
--report-type FINDING
結果(例):
{
"status": "COMPLETED",
"url": "https://inspector-temp-reports-prod-ap-northeast-1.s3-ap-northeast-1.amazonaws.comxxxxxx"
}
WORK_IN_PROGRESSと表示された場合はもう一度実行してください。
ブラウザでURLにアクセスすると診断レポートを閲覧できます
6.6.診断レポートの確認(CLI)
コマンド
ASSESSMENT_FINDINGS_ARN=$( \
aws inspector list-findings \
--assessment-run-arns ${ASSESSMENT_RUN_ARN} \
--query "findingArns[]" \
--output text
) \
&& echo ${ASSESSMENT_FINDINGS_ARN}
結果(例):
arn:aws:inspector:ap-northeast-1:xxxxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp/finding/0-f1TutCr0
コマンド
aws inspector describe-findings \
--finding-arns ${ASSESSMENT_FINDINGS_ARN}
結果(例):
{
"failedItems": {},
"findings": [
{
"assetType": "ec2-instance",
"confidence": 10,
"numericSeverity": 6.0,
"description": "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.",
"service": "Inspector",
"title": "Instance i-02466b00c57b79282 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.",
"indicatorOfCompromise": false,
"assetAttributes": {
"schemaVersion": 1,
"agentId": "i-02466b00c57b79282",
"ipv4Addresses": []
},
"userAttributes": [],
"createdAt": 1503300850.401,
"recommendation": "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use **sudo** to escalate privileges when necessary. To disable SSH root logins, set **PermitRootLogin** to \"no\" in **/etc/ssh/sshd_config** and restart sshd.",
"updatedAt": 1503300850.401,
"attributes": [
{
"value": "i-02466b00c57b79282",
"key": "INSTANCE_ID"
}
],
"schemaVersion": 1,
"serviceAttributes": {
"schemaVersion": 1,
"rulesPackageArn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:xxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp"
},
"id": "Disable root login over SSH",
"arn": "arn:aws:inspector:ap-northeast-1:xxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp/finding/0-f1TutCr0",
"severity": "Medium"
}
]
}