{Config}AWS CLI を使用した AWS Config のセットアップ

 

https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/gs-cli.html
https://www.ctc-g.co.jp/solutions/cloud/column/article/30.html
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/notifications-for-AWS-Config.html


AWS Config は、以下のイベントの通知を送信します。

リソースの設定項目の変更。
リソースの設定履歴がアカウントに配信された。
記録対象のリソースの設定スナップショットがアカウントで起動および配信された。
リソースのコンプライアンス状態とリソースがルールに準拠するかどうか。
リソースに対してルールの評価が開始された。
AWS Config からアカウントに通知を配信できなかった。

-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

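# Install AWS CLI v2 from the official bundle. --fail makes curl exit non-zero
# on an HTTP error instead of saving an error page as "awscliv2.zip", and the
# detached signature is checked before anything from the archive is executed
# with sudo (supply-chain integrity check). Import the AWS CLI public key from
# the AWS CLI installation docs first; without it gpg --verify fails (closed).
curl --fail "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl --fail "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
# Stop here if this reports a BAD or missing signature.
gpg --verify awscliv2.sig awscliv2.zip
unzip awscliv2.zip
sudo ./aws/install
aws --version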

-- 1.2 jqインストール
sudo yum -y install jq

 


-- 2. S3 バケットを作成する

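# List existing buckets, then create the bucket Config will deliver
# configuration history and snapshots into.
aws s3 ls

aws s3 mb s3://bucket123

# The delivered files are an inventory of the account's resources; block every
# form of public access so a later ACL or policy change cannot expose them.
# This does not interfere with the bucket policy applied in step 3, which
# grants access only to the config.amazonaws.com service principal scoped to
# this account.
aws s3api put-public-access-block \
--bucket bucket123 \
--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true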

 

-- 3. バケットポリシーの設定

vim b.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket123",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "999999999999"
                }
            }
        },
        {
            "Sid": "AWSConfigBucketExistenceCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket123",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "999999999999"
                }
            }
        },
        {
            "Sid": "AWSConfigBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket123/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "999999999999",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

# Attach the policy written above; put-bucket-policy replaces any existing
# bucket policy rather than merging with it.
aws s3api put-bucket-policy \
--bucket bucket123 \
--policy file://b.json


# Read the policy back to confirm the three statements were applied.
aws s3api get-bucket-policy \
--bucket bucket123

 


-- 4. SNSトピック作成

# Inspect existing topics/subscriptions before creating the notification topic.
aws sns list-topics
aws sns list-subscriptions

aws sns create-topic --name topic01

# Email subscriptions stay pending until the recipient confirms the message SNS
# sends; no notifications are delivered before that. hoge@example.com and the
# account ID in the ARN are placeholders.
aws sns subscribe \
--topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01 \
--protocol email \
--notification-endpoint hoge@example.com

 


-- 5. SNSアクセスポリシー設定

# Dump the current attributes (including the default access policy) so the
# edited policy below can start from what SNS generated.
aws sns get-topic-attributes \
--topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01

# Topic policy (contents below). The __default_statement_ID statement has
# Principal "AWS": "*" and is only made safe by the AWS:SourceOwner condition
# that limits it to this account -- do not drop that condition or the topic
# becomes writable/manageable by anyone. The second statement grants
# sns:Publish to the Config service-linked role only.
vim a.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes",
        "sns:AddPermission",
        "sns:RemovePermission",
        "sns:DeleteTopic",
        "sns:Subscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "999999999999"
        }
      }
    },
    {
      "Sid": "AWSConfigSNSPolicy20180529",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01"
    }
  ]
}

 

# Apply the edited policy. Setting the Policy attribute overwrites the whole
# existing policy, so a.json must contain every statement that should remain.
aws sns set-topic-attributes \
--topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01 \
--attribute-name Policy \
--attribute-value file://a.json

 

 


-- 6. AWS Config の有効化


# Create the recorder using the Config service-linked role (assumed to exist
# already; these notes do not create it). Recording is limited to
# AWS::EC2::Instance: allSupported=false and includeGlobalResourceTypes=false
# mean no other resource types, and no global (e.g. IAM) resources, are
# recorded -- widen resourceTypes if compliance coverage is the goal.
aws configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::999999999999:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
--recording-group '{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": [
    "AWS::EC2::Instance"
  ]
}'


# Delivery channel: history/snapshots go to the bucket from step 2-3, change
# notifications go to the SNS topic from step 4-5; a snapshot is delivered
# every 24 hours.
aws configservice put-delivery-channel \
--delivery-channel '{
    "name": "default",
    "s3BucketName": "bucket123",
    "snsTopicARN": "arn:aws:sns:ap-northeast-1:999999999999:topic01",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "TwentyFour_Hours"
    }
}'

 

# Nothing is recorded until the recorder is started.
aws configservice start-configuration-recorder \
--configuration-recorder-name default


# Keep configuration items for 30 days (the shortest retention Config allows);
# raise this if the history is needed for audit or incident investigation.
aws configservice put-retention-configuration \
--retention-period-in-days 30

 

# Verify the setup; recorder-status should show recording=true and no
# lastErrorCode (a delivery error usually points at the bucket/topic policy).
aws configservice describe-delivery-channels
aws configservice describe-configuration-recorders
aws configservice describe-configuration-recorder-status
aws configservice describe-retention-configurations


-- 7. 検出されたリソースの検索

# List EC2 instances Config has discovered so far (only the type recorded above).
aws configservice list-discovered-resources \
--resource-type AWS::EC2::Instance


-- 8. 設定詳細の表示 


# Show the configuration history of one instance; i-11111111111111111 is a
# placeholder, use an ID from list-discovered-resources.
aws configservice get-resource-config-history \
--resource-type AWS::EC2::Instance \
--resource-id i-11111111111111111

 

-- 9. Amazon S3 バケットへの設定スナップショットの配信


# Request an on-demand snapshot through the delivery channel ...
aws configservice deliver-config-snapshot \
--delivery-channel-name default


# ... then check the channel status for delivery errors ...
aws configservice describe-delivery-channel-status


# ... and confirm the snapshot object appeared in the bucket.
aws s3 ls s3://bucket123 --recursive


-- 10. 動作確認

EC2インスタンスにタグを追加してメールが来ることを確認

→ OK


-- 11. クリーンアップ

 

-- AWS Config の無効化

# Check the current state before tearing down.
aws configservice describe-delivery-channels
aws configservice describe-configuration-recorders
aws configservice describe-configuration-recorder-status
aws configservice describe-retention-configurations

aws configservice delete-retention-configuration \
--retention-configuration-name default


# Order matters: stop the recorder, delete the delivery channel, then the
# recorder itself.
aws configservice stop-configuration-recorder \
--configuration-recorder-name default

aws configservice delete-delivery-channel \
--delivery-channel-name default

aws configservice delete-configuration-recorder \
--configuration-recorder-name default

 


-- SNSトピック削除
# Find the subscription ARN from list-subscriptions; the one below is a
# placeholder.
aws sns list-topics
aws sns list-subscriptions


aws sns unsubscribe --subscription-arn arn:aws:sns:ap-northeast-1:999999999999:topic01:11111111-2222-3333-4444-555555555555
aws sns delete-topic --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01

 


-- バケットの削除

aws s3 ls

# --force deletes every object first, i.e. the entire recorded configuration
# history; copy anything needed for audit elsewhere before running this. Run
# only after the delivery channel has been deleted (previous section).
aws s3 rb s3://bucket123 --force