-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
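# Install AWS CLI v2 from the official download location.
# -f makes curl fail on an HTTP error instead of saving an error page as the
# zip; -sS stays quiet except for errors; -L follows redirects.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# Verify the archive against the detached PGP signature AWS publishes next to
# the zip before executing anything from it. The AWS CLI public key must
# already be imported into the local GPG keyring (see the AWS CLI install
# documentation for the key); unzip/install only run if verification passes.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip && unzip awscliv2.zip
sudo ./aws/install
# Confirm the installed binary is on PATH and report its version.
aws --version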
-- 1.2 jqインストール
# jq is used later to read JSON output from the AWS CLI; -y skips the prompt.
sudo yum -y install jq
-- 2. S3 バケット(証跡用)を作成する
# Create the bucket that will receive the CloudTrail log files.
# "bucket123" is a placeholder; bucket names are global, so pick a unique one
# and use the same name in the bucket policy and create-trail below.
# NOTE(review): for an audit-log bucket consider also enabling S3 Block Public
# Access and default encryption (e.g. aws s3api put-public-access-block) — not
# part of this runbook.
aws s3 mb s3://bucket123
# List buckets to confirm creation.
aws s3 ls
-- 3. バケットポリシーの追加
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {"Service": "cloudtrail.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket123"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {"Service": "cloudtrail.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket123/AWSLogs/999999999999/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:999999999999:trail/trail01"
}
}
}
]
}
# Attach the bucket policy shown above; it is assumed to have been saved as
# s3_policy.json in the current directory (no step above writes that file).
# The policy grants cloudtrail.amazonaws.com GetBucketAcl and PutObject under
# AWSLogs/<account-id>/, and the aws:SourceArn condition pins PutObject to
# trail01 so another account's trail cannot write into this bucket.
aws s3api put-bucket-policy \
--bucket bucket123 \
--policy file://s3_policy.json
# Read the policy back to confirm it was applied.
aws s3api get-bucket-policy \
--bucket bucket123
-- 4. 証跡の作成
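# Create a single-region trail that writes to the bucket prepared above.
# Log file validation is enabled so the digest files let you later check that
# the delivered log files have not been modified or deleted — a core property
# of an audit trail. The trail is single-region and excludes global service
# events (IAM, STS, ...) to keep the lab small; NOTE(review): a production
# trail would normally be multi-region and include global service events.
aws cloudtrail create-trail \
--name trail01 \
--s3-bucket-name bucket123 \
--no-include-global-service-events \
--no-is-multi-region-trail \
--enable-log-file-validation \
--no-is-organization-trail
# Confirm the trail exists and inspect its settings.
aws cloudtrail list-trails
aws cloudtrail describe-trails
aws cloudtrail get-trail \
--name trail01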
-- 5. ログ記録の開始
# A newly created trail does not log until started; check status, then start.
aws cloudtrail get-trail-status \
--name trail01
aws cloudtrail start-logging \
--name trail01
-- 6. CloudWatchロググループの作成
# Log group that the trail will be pointed at (step 10) for metric filtering.
aws logs create-log-group --log-group-name CloudTrail/logs
aws logs describe-log-groups --log-group-name-prefix CloudTrail/logs
# 1-day retention is a lab setting that keeps cost down; audit logs normally
# need a retention that matches the organisation's evidence requirements.
aws logs put-retention-policy \
--log-group-name CloudTrail/logs \
--retention-in-days 1
-- 7. IAMポリシー作成
# Write the IAM policy document that follows into policy01.json.
vim policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream2014110",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:ap-northeast-1:999999999999:log-group:CloudTrail/logs:log-stream:*"
]
}
]
}
# Create the policy from policy01.json. It only allows CreateLogStream and
# PutLogEvents on streams under the CloudTrail/logs group — the minimum
# CloudTrail needs to deliver events to CloudWatch Logs.
aws iam create-policy \
--policy-name policy01 \
--policy-document file://policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
# Create the role CloudTrail assumes to write to CloudWatch Logs. The trust
# policy shown above is assumed to have been saved as role01.json (no step
# above writes that file). NOTE(review): the trust policy has no Condition;
# adding aws:SourceArn (the trail ARN, as done in the bucket policy) would
# restrict which trail may assume this role.
aws iam create-role \
--role-name role01 \
--assume-role-policy-document file://role01.json
-- 9. ポリシーをロールにアタッチ
# Grant the role the log-writing permissions defined in policy01.
# 999999999999 is a placeholder for the account id.
aws iam attach-role-policy \
--policy-arn arn:aws:iam::999999999999:policy/policy01 \
--role-name role01
-- 10. 証跡を更新する
# Connect the trail to the log group, using role01 for delivery. The log
# group ARN keeps the ":*" suffix and the region/account must match the ARN
# used in policy01.json.
aws cloudtrail update-trail \
--name trail01 \
--cloud-watch-logs-log-group-arn "arn:aws:logs:ap-northeast-1:999999999999:log-group:CloudTrail/logs:*" \
--cloud-watch-logs-role-arn arn:aws:iam::999999999999:role/role01
-- 11. SNSトピック作成
# Record existing topics/subscriptions, then create the alarm topic and an
# e-mail subscription. hoge@example.com is a placeholder address.
# NOTE(review): an e-mail subscription stays pending until the recipient
# confirms it — check list-subscriptions before relying on the alarm.
aws sns list-topics
aws sns list-subscriptions
aws sns create-topic --name topic01
aws sns subscribe \
--topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01 \
--protocol email \
--notification-endpoint hoge@example.com
-- 12. メトリクスフィルターの作成
# Metric filter: count CloudTrail events from KMS whose errorMessage says the
# key is pending deletion. The pattern is inside double quotes; bash leaves
# "$." untouched because "." is not a valid variable name, and the inner
# quotes are escaped with backslashes. Each match emits metricValue=1 to
# CloudTrailLogMetrics/KMSKeyPendingDeletionErrorCount.
aws logs put-metric-filter \
--log-group-name CloudTrail/logs \
--filter-name filter01 \
--filter-pattern "{ $.eventSource = kms* && $.errorMessage = \"* is pending deletion.\"}" \
--metric-transformations \
metricName=KMSKeyPendingDeletionErrorCount,metricNamespace=CloudTrailLogMetrics,metricValue=1
# Confirm the filter is registered.
aws logs describe-metric-filters
-- 13. CloudWatch アラームを作成
# Alarm on the metric above: a single 60-second period whose Sum is >= 1
# (one matching event) moves the alarm to ALARM and notifies topic01.
aws cloudwatch put-metric-alarm \
--alarm-name alarm01 \
--alarm-description "alarm01" \
--metric-name KMSKeyPendingDeletionErrorCount \
--namespace CloudTrailLogMetrics \
--statistic Sum \
--period 60 \
--threshold 1.0 \
--evaluation-periods 1 \
--datapoints-to-alarm 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--alarm-actions arn:aws:sns:ap-northeast-1:999999999999:topic01
# Confirm the alarm exists and check its state.
aws cloudwatch describe-alarms
-- 14. 動作確認
削除保留中(pending deletion)の KMS キーに対して GenerateDataKey を実行し、発生したエラーがメトリクスフィルターに一致してメール通知が届くか確認する
# Trigger a test event. The key id is a placeholder; for the filter to match,
# the call must fail with the "... is pending deletion." error, i.e. the key
# must be one that is scheduled for deletion.
aws kms generate-data-key \
--key-id 00000000-0000-0000-0000-000000000000 \
--key-spec AES_256
数分待つ
-- 15. クリーンアップ
-- アラームの削除
# Remove the alarm first so nothing keeps referencing the metric filter.
aws cloudwatch describe-alarms
aws cloudwatch delete-alarms \
--alarm-names alarm01
-- メトリクスフィルターの削除
# Remove the metric filter from the log group.
aws logs describe-metric-filters
aws logs delete-metric-filter \
--log-group-name CloudTrail/logs \
--filter-name filter01
-- SNSトピック削除
# The subscription ARN below is a placeholder; take the real one from the
# "aws sns list-subscriptions" output before running unsubscribe.
aws sns unsubscribe --subscription-arn arn:aws:sns:ap-northeast-1:999999999999:topic01:11111111-2222-3333-4444-555555555555
aws sns delete-topic --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01
# Confirm topic and subscription are gone.
aws sns list-topics
aws sns list-subscriptions
-- IAMロールの削除
# A role cannot be deleted while policies are attached: detach first.
aws iam list-roles | grep role01
aws iam detach-role-policy \
--role-name role01 \
--policy-arn arn:aws:iam::999999999999:policy/policy01
aws iam delete-role --role-name role01
-- IAMポリシーの削除
# Delete the customer managed policy once it is no longer attached.
aws iam list-policies | grep policy01
aws iam delete-policy \
--policy-arn arn:aws:iam::999999999999:policy/policy01
-- CloudWatchロググループの削除
# Delete the log group; this discards the events delivered to CloudWatch Logs.
aws logs describe-log-groups --log-group-name-prefix CloudTrail/logs
aws logs delete-log-group --log-group-name CloudTrail/logs
-- 証跡の削除
# Delete the trail before the bucket so nothing is still writing to it.
aws cloudtrail describe-trails
aws cloudtrail delete-trail \
--name trail01
-- バケットの削除
aws s3 ls
# --force deletes every object in the bucket, including the delivered
# CloudTrail log files, before removing the bucket. Copy anything you need
# as evidence elsewhere first.
aws s3 rb s3://bucket123 --force