[JAWS-UG CLI] #91 Introduction to Amazon Inspector (5): Inspector setup


Run an Amazon Inspector assessment using the AWS CLI.

Prerequisites

This is the hands-on procedure run by the JAWS-UG CLI specialist branch.
For the complete set of steps, see the general guide below.
#91 Introduction to Amazon Inspector (scheduled assessments with CloudWatch Events)

Permissions for Inspector

You must have full permissions on Inspector.

AWS CLI version

Verified to work with the following version:

  • AWS CLI 1.11.122

Command
aws --version

Result (example):

 aws-cli/1.11.122 Python/2.7.10 Linux/4.1.27-25.49.amzn1.x86_64 botocore/1.5.85

If your version is older, update to the latest one.

Command
sudo -H pip install -U awscli

0. Preparation

First, check the variables.

Check variables
cat << ETX

        AWS_DEFAULT_PROFILE: (0.1) ${AWS_DEFAULT_PROFILE}
        IAM_ROLE_NAME:       (0.2) ${IAM_ROLE_NAME}
        IAM_ROLE_ARN:        (0.3) ${IAM_ROLE_ARN}
        TAG_KEY:             (0.4) ${TAG_KEY}
        TAG_VALUE:           (0.4) ${TAG_VALUE}

ETX

Result (example):

  AWS_DEFAULT_PROFILE: (0.1) <profile granted full IAM permissions>
  IAM_ROLE_NAME:       (0.2) inspector_role
  IAM_ROLE_ARN:        (0.3) arn:aws:iam::549352348160:role/inspector_role
  TAG_KEY:             (0.4) inspector
  TAG_VALUE:           (0.4) ON

If a variable is empty or has an inappropriate value, carry out the work for the corresponding step number.

0.1. Specify the profile

List the available profiles.

Command
cat ~/.aws/credentials \
       | grep '\[' \
       | sed 's/\[//g' | sed 's/\]//g'

Result (example):

  iamFull-prjz-mbpr13
  <profile granted full IAM permissions>

Set variable
export AWS_DEFAULT_PROFILE='<profile granted full IAM permissions>'

0.2. Specify the IAM role name

Set variable
IAM_ROLE_NAME='inspector_role'

0.3. Specify the IAM role ARN

Look up the IAM role's ARN.

Command
IAM_ROLE_ARN=$( \
        aws iam get-role \
          --role-name ${IAM_ROLE_NAME} \
          --query 'Role.Arn' \
          --output text \
) \
        && echo "${IAM_ROLE_ARN}"

Result (example):

 arn:aws:iam::xxxxx:role/inspector_role

0.4. Decide the tag

Set variables
TAG_KEY='inspector'
TAG_VALUE='ON'

Final check

Check variables
cat << ETX

        AWS_DEFAULT_PROFILE: (0.1) ${AWS_DEFAULT_PROFILE}
        IAM_ROLE_NAME:       (0.2) ${IAM_ROLE_NAME}
        IAM_ROLE_ARN:        (0.3) ${IAM_ROLE_ARN}
        TAG_KEY:             (0.4) ${TAG_KEY}
        TAG_VALUE:           (0.4) ${TAG_VALUE}

ETX

Result (example):

  AWS_DEFAULT_PROFILE: (0.1) <profile granted full IAM permissions>
  IAM_ROLE_NAME:       (0.2) inspector_role
  IAM_ROLE_ARN:        (0.3) arn:aws:iam::549352348160:role/inspector_role
  TAG_KEY:             (0.4) inspector
  TAG_VALUE:           (0.4) ON

Main work

1.1. Configure the IAM role for Inspector

Command
aws inspector register-cross-account-access-role \
  --role-arn ${IAM_ROLE_ARN}

Result:

  (no return value)

1.2. Verify the IAM role for Inspector

Command
aws inspector describe-cross-account-access-role

Result (example):

 {
     "roleArn": "arn:aws:iam::xxxxxxxx:role/inspector_role",
     "valid": true,
     "registeredAt": 1500862785.86
 }

2.1. Create the Inspector resource group

Command
RESOURCE_GROUP_ARN=$( \
  aws inspector create-resource-group \
    --resource-group-tags key=${TAG_KEY},value=${TAG_VALUE} \
    --output text \
) \
  && echo ${RESOURCE_GROUP_ARN}

Result (example):

 arn:aws:inspector:ap-northeast-1:xxxxxxx:resourcegroup/0-UkYD9fxq

2.2. Verify the Inspector resource group

Command
aws inspector describe-resource-groups \
   --resource-group-arns ${RESOURCE_GROUP_ARN}

Result (example):

 {
     "resourceGroups": [
         {
             "createdAt": 1500863851.289,
             "arn": "arn:aws:inspector:ap-northeast-1:549352348160:resourcegroup/0-UkYD9fxq",
             "tags": [
                 {
                     "value": "ON",
                     "key": "inspector"
                 }
             ]
         }
     ],
     "failedItems": {}
 }

3.1. Specify the Inspector assessment target name

Command
ASSESSMENT_TARGET_NAME="Inspector_target"

3.2. Check the configuration variables

Command
cat << ETX

  RESOURCE_GROUP_ARN:      ${RESOURCE_GROUP_ARN}
  ASSESSMENT_TARGET_NAME:  ${ASSESSMENT_TARGET_NAME}

ETX

Result (example):

  RESOURCE_GROUP_ARN:      arn:aws:inspector:ap-northeast-1:xxxxx:resourcegroup/0-UkYD9fxq
  ASSESSMENT_TARGET_NAME:  Inspector_target

3.3. Create the Inspector assessment target

Command
ASSESSMENT_TARGET_ARN=$( \
  aws inspector create-assessment-target \
    --assessment-target-name ${ASSESSMENT_TARGET_NAME} \
    --resource-group-arn ${RESOURCE_GROUP_ARN} \
    --output text \
) \
  && echo ${ASSESSMENT_TARGET_ARN}

Result (example):

 arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K

4.1. Check the Inspector rules packages

Command
aws inspector list-rules-packages

Result (example):

 {
     "rulesPackageArns": [
         "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
         "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
         "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
         "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
     ]
 }

The list of ARNs alone does not tell you, at this point, which rules each package contains.
For this hands-on we select the security best practices package (Security Best Practices-1.0).

4.2. Specify the rules package

Command
RULES_PACKAGE_ARN="arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
ASSESSMENT_TEMPLATE_NAME="template-security-15m"
DURATION_SEC="900"

4.3. Check the configuration variables

Command
cat << ETX

  RULES_PACKAGE_ARN: ${RULES_PACKAGE_ARN}
  ASSESSMENT_TARGET_ARN: ${ASSESSMENT_TARGET_ARN}
  ASSESSMENT_TEMPLATE_NAME: ${ASSESSMENT_TEMPLATE_NAME}
  DURATION_SEC: ${DURATION_SEC}

ETX

Result (example):

 RULES_PACKAGE_ARN: arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq
 ASSESSMENT_TARGET_ARN: arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K
 ASSESSMENT_TEMPLATE_NAME: template-security-15m
 DURATION_SEC: 900 (assessment duration: 15 minutes)

5.1. Create the assessment template

Command
ASSESSMENT_TEMPLATE_ARN=$( \
  aws inspector create-assessment-template \
    --assessment-target-arn ${ASSESSMENT_TARGET_ARN} \
    --assessment-template-name ${ASSESSMENT_TEMPLATE_NAME} \
    --duration-in-seconds ${DURATION_SEC} \
    --rules-package-arn ${RULES_PACKAGE_ARN} \
    --output text \
) \
  && echo ${ASSESSMENT_TEMPLATE_ARN}

Result (example):

   arn:aws:inspector:ap-northeast-1:xxxxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp

5.2. Verify the assessment template

Command
aws inspector describe-assessment-templates \
  --assessment-template-arns ${ASSESSMENT_TEMPLATE_ARN}

Result (example):

 {
     "assessmentTemplates": [
         {
             "assessmentTargetArn": "arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K",
             "name": "template-security-15m",
             "createdAt": 1500870768.464,
             "durationInSeconds": 900,
             "rulesPackageArns": [
                 "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
             ],
             "userAttributesForFindings": [],
             "arn": "arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K/template/0-YZMRHdpp"
         }
     ],
     "failedItems": {}
 }

6.1. Specify the assessment run name

Command
RUN_NAME="CLI_RUN_15M"

6.2. Check the configuration variables

Command
cat << ETX

  RUN_NAME:                 ${RUN_NAME}
  ASSESSMENT_TEMPLATE_ARN:  ${ASSESSMENT_TEMPLATE_ARN}

ETX

Result (example):

 RUN_NAME:                 CLI_RUN_15M
 ASSESSMENT_TEMPLATE_ARN:  arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp

6.3. Run the assessment

Command
ASSESSMENT_RUN_ARN=$( \
  aws inspector start-assessment-run \
    --assessment-template-arn ${ASSESSMENT_TEMPLATE_ARN} \
    --assessment-run-name ${RUN_NAME} \
    --output text \
) \
  && echo ${ASSESSMENT_RUN_ARN}

Result (example):

 arn:aws:inspector:ap-northeast-1:549352348160:target/0-ZVbpDP3K/template/0-YZMRHdpp/run/0-GwNJOY8d

The assessment completes roughly 15 minutes after it starts.

6.4. Check the run status

Command
aws inspector describe-assessment-runs \
  --assessment-run-arns ${ASSESSMENT_RUN_ARN}

Result (example):

 {
     "failedItems": {},
     "assessmentRuns": [
         {
             "dataCollected": false,
             "name": "CLI_RUN_15M",
             "userAttributesForFindings": [],
             "stateChanges": [
                 {
                     "state": "CREATED",
                     "stateChangedAt": 1500875595.661
                 },
                 {
                     "state": "START_DATA_COLLECTION_PENDING",
                     "stateChangedAt": 1500875595.755
                 },
                 {
                     "state": "START_DATA_COLLECTION_IN_PROGRESS",
                     "stateChangedAt": 1500875595.858
                 },
                 {
                     "state": "COLLECTING_DATA",
                     "stateChangedAt": 1500875595.929
                 }
             ],
             "createdAt": 1500875595.661,
             "notifications": [],
             "state": "COLLECTING_DATA",
             "stateChangedAt": 1500875595.929,
             "durationInSeconds": 900,
             "rulesPackageArns": [
                 "arn:aws:inspector:ap-northeast-1:xxxx:rulespackage/0-bBUQnxMq"
             ],
             "startedAt": 1500875595.929,
             "assessmentTemplateArn": "arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp",
             "arn": "arn:aws:inspector:ap-northeast-1:xxxxx:target/0-ZVbpDP3K/template/0-YZMRHdpp/run/0-itgbnAwA"
         }
     ]
 }

Since completion takes roughly 15 minutes, move on to the next step, the schedule setup (if you are not setting up a schedule, simply wait here).

6.5. Check the assessment report

Check the assessment progress

Command
aws inspector describe-assessment-runs \
  --assessment-run-arns "${ASSESSMENT_RUN_ARN}" \
  --query 'assessmentRuns[].state' \
  --output text

Run the following only after the state has changed to COMPLETED.

Command
aws inspector get-assessment-report \
   --assessment-run-arn ${ASSESSMENT_RUN_ARN} \
   --report-file-format HTML \
   --report-type FINDING

Result (example):

 {
     "status": "COMPLETED",
     "url": "https://inspector-temp-reports-prod-ap-northeast-1.s3-ap-northeast-1.amazonaws.comxxxxxx"
 }

If WORK_IN_PROGRESS is returned, run the command again.
Open the URL in a browser to view the assessment report.
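
Two gaps in the walkthrough above, steps 4.1/4.2 (the ARN list does not say which rules package is which) and 6.4/6.5 (polling the run by hand until it is COMPLETED), can be closed with a few shell helpers. The following is an added example, not part of the JAWS-UG hands-on; the function names are this example's own, and it assumes the same full Inspector permissions and the current region/profile as the hands-on.

```shell
#!/bin/sh
# Added example, not from the JAWS-UG hands-on. Two helpers for gaps in the
# walkthrough: pick the rules package by name rather than from an opaque ARN,
# and poll the run until it reaches a terminal state instead of re-running
# get-assessment-report by hand. Function names are this example's own.

# Print "name<TAB>arn" for every rules package in the current region.
# describe-rules-packages needs ARNs, so list-rules-packages feeds it
# (the substitution is left unquoted on purpose so each ARN is one argument).
list_rules_packages_tsv() {
  aws inspector describe-rules-packages \
    --rules-package-arns $(aws inspector list-rules-packages \
        --query 'rulesPackageArns[]' --output text) \
    --query 'rulesPackages[].[name, arn]' --output text
}

# Select the ARN whose name exactly matches $1 from "name<TAB>arn" lines on
# stdin. Exits 1 when nothing matches, so a typo cannot silently pick nothing.
select_rules_package_arn() {
  awk -F '\t' -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Current state of one assessment run (COLLECTING_DATA, COMPLETED, ...).
run_state() {
  aws inspector describe-assessment-runs \
    --assessment-run-arns "$1" \
    --query 'assessmentRuns[0].state' --output text
}

# Poll run_state every $2 seconds (default 30) until a terminal state and print
# it. Returns 0 only on COMPLETED; FAILED, ERROR, CANCELED and
# COMPLETED_WITH_ERRORS return 1 so a caller does not fetch a report blindly.
wait_for_run() {
  _arn=$1; _interval=${2:-30}
  while :; do
    _state=$(run_state "$_arn") || return 2
    case $_state in
      COMPLETED) echo "$_state"; return 0 ;;
      FAILED|ERROR|CANCELED|COMPLETED_WITH_ERRORS) echo "$_state"; return 1 ;;
      *) sleep "$_interval" ;;
    esac
  done
}

# Usage with real credentials (not exercised by the offline test):
# RULES_PACKAGE_ARN=$(list_rules_packages_tsv | select_rules_package_arn 'Security Best Practices-1.0')
# wait_for_run "$ASSESSMENT_RUN_ARN" 60 && aws inspector get-assessment-report \
#   --assessment-run-arn "$ASSESSMENT_RUN_ARN" --report-file-format HTML --report-type FINDING
```

Treating COMPLETED_WITH_ERRORS as a failure is deliberate: the report exists but some instances were not assessed, which is worth a human look before the result is trusted.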

6.6. Check the assessment report (CLI)

Command
ASSESSMENT_FINDINGS_ARN=$( \
  aws inspector list-findings \
    --assessment-run-arns ${ASSESSMENT_RUN_ARN} \
    --query "findingArns[]" \
    --output text \
) \
  && echo ${ASSESSMENT_FINDINGS_ARN}

Result (example):

 arn:aws:inspector:ap-northeast-1:xxxxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp/finding/0-f1TutCr0

Command
aws inspector describe-findings \
  --finding-arns ${ASSESSMENT_FINDINGS_ARN}

Result (example):

 {
     "failedItems": {},
     "findings": [
         {
             "assetType": "ec2-instance",
             "confidence": 10,
             "numericSeverity": 6.0,
             "description": "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.",
             "service": "Inspector",
             "title": "Instance i-02466b00c57b79282 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.",
             "indicatorOfCompromise": false,
             "assetAttributes": {
                 "schemaVersion": 1,
                 "agentId": "i-02466b00c57b79282",
                 "ipv4Addresses": []
             },
             "userAttributes": [],
             "createdAt": 1503300850.401,
             "recommendation": "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use **sudo** to escalate privileges when necessary. To disable SSH root logins, set **PermitRootLogin** to \"no\" in **/etc/ssh/sshd_config** and restart sshd.",
             "updatedAt": 1503300850.401,
             "attributes": [
                 {
                     "value": "i-02466b00c57b79282",
                     "key": "INSTANCE_ID"
                 }
             ],
             "schemaVersion": 1,
             "serviceAttributes": {
                 "schemaVersion": 1,
                 "rulesPackageArn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
                 "assessmentRunArn": "arn:aws:inspector:ap-northeast-1:xxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp"
             },
             "id": "Disable root login over SSH",
             "arn": "arn:aws:inspector:ap-northeast-1:xxxx:target/0-LDSOrTrC/template/0-B7VbuD9J/run/0-7vrfhRsp/finding/0-f1TutCr0",
             "severity": "Medium"
         }
     ]
 }

Done

hoshiko
AWS