https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/evaluate-config.html
https://dev.classmethod.jp/articles/config-automatically-repair-ebs-default-encryption/
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/remediation.html#remediate-api
-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
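# Fetch the AWS CLI v2 installer. -f makes curl fail on an HTTP error instead of
# saving an error page that unzip would then choke on; -L follows redirects.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# Supply-chain check: AWS publishes a detached PGP signature next to the zip.
# Import the AWS CLI public key from the official install docs first; without it
# gpg --verify exits non-zero, which is the right outcome for an unverified download.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.zip.sig"
gpg --verify awscliv2.zip.sig awscliv2.zip
unzip awscliv2.zip
sudo ./aws/install
aws --version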
-- 1.2 jqインストール
# jq is handy for inspecting the JSON that the aws CLI prints; none of the
# commands in these notes pipe into it.
sudo yum install -y jq
-- 2. S3 バケットを作成する
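# Sanity check: see which buckets already exist in this account.
aws s3 ls
# "bucket123" is a placeholder; S3 bucket names are global, so pick a unique one
# and use it consistently in the bucket policy and delivery channel below.
aws s3 mb s3://bucket123
# The bucket receives Config snapshots/history for the whole account. Make sure
# no public ACL or public policy can ever expose it, whatever gets attached later.
aws s3api put-public-access-block \
  --bucket bucket123 \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true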
-- 3. バケットポリシーの設定
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket123",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "999999999999"
}
}
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket123",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "999999999999"
}
}
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket123/*",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "999999999999",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
# Attach the policy above (saved as b.json). Every statement in it carries an
# AWS:SourceAccount condition, which is intended to stop the Config service acting
# for some other account from writing into this bucket via the same principal.
aws s3api put-bucket-policy --bucket bucket123 --policy file://b.json
# Read the policy back to confirm it was applied as written.
aws s3api get-bucket-policy --bucket bucket123
-- 4. SNSトピック作成
# Current topics and subscriptions, for reference before creating new ones.
aws sns list-topics
aws sns list-subscriptions
# Topic that will carry the Config notifications.
aws sns create-topic --name topic01
# An email subscription stays pending until the recipient clicks the confirmation
# link in the mail SNS sends; nothing is delivered before that.
aws sns subscribe --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01 --protocol email --notification-endpoint hoge@example.com
-- 5. SNSアクセスポリシー設定
# Dump the topic attributes; the "Policy" attribute is the JSON document edited below.
aws sns get-topic-attributes --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:AddPermission",
"sns:RemovePermission",
"sns:DeleteTopic",
"sns:Subscribe",
"sns:ListSubscriptionsByTopic",
"sns:Publish"
],
"Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "999999999999"
}
}
},
{
"Sid": "AWSConfigSNSPolicy20180529",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01"
}
]
}
# Replace the topic access policy with a.json (the document above). Its first
# statement keeps the default same-account grant (Principal "*" narrowed by the
# AWS:SourceOwner condition); the second lets the Config service-linked role publish.
aws sns set-topic-attributes --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01 --attribute-name Policy --attribute-value file://a.json
-- 6. AWS Config の有効化
# Configuration recorder backed by the Config service-linked role. Recording is
# deliberately narrowed to EC2 instances and volumes for this lab; a production
# baseline would normally record all supported types, including global ones (IAM).
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::999999999999:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::Volume"]}'
# Delivery channel: snapshots go to the bucket from step 2, notifications to the
# topic from step 4, one snapshot per day. It has to exist before the recorder
# is started.
aws configservice put-delivery-channel \
  --delivery-channel '{"name": "default", "s3BucketName": "bucket123", "snsTopicARN": "arn:aws:sns:ap-northeast-1:999999999999:topic01", "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}'
# Start recording, keep configuration items for 30 days (the shortest retention
# Config accepts), then read back each piece of state to confirm the setup.
aws configservice start-configuration-recorder --configuration-recorder-name default
aws configservice put-retention-configuration --retention-period-in-days 30
aws configservice describe-delivery-channels
aws configservice describe-configuration-recorders
aws configservice describe-configuration-recorder-status
aws configservice describe-retention-configurations
-- 7. IAMポリシー作成
# Write the policy document below into policy01.json.
vim -- policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:EnableEbsEncryptionByDefault",
"ec2:GetEbsEncryptionByDefault"
],
"Resource": "*"
}
]
}
# Customer-managed policy for the remediation role. Resource "*" is expected
# here: the two EBS-encryption-by-default actions are account-level EC2 settings
# and do not take a resource ARN, so the grant cannot be narrowed further.
aws iam create-policy --policy-name policy01 --policy-document file://policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"ssm.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
# Role the SSM Automation document assumes. The trust policy in role01.json
# (above) trusts ssm.amazonaws.com with no condition, so any SSM automation in
# any account that knows the ARN could in principle assume it (confused deputy).
# Recommended hardening: add to that statement
#   "Condition": {"StringEquals": {"aws:SourceAccount": "999999999999"},
#                 "ArnLike": {"aws:SourceArn": "arn:aws:ssm:*:999999999999:automation-execution/*"}}
aws iam create-role --role-name role01 --assume-role-policy-document file://role01.json
-- 9. ポリシーをロールにアタッチ
# Grant role01 exactly the two EC2 actions from policy01; nothing else is attached.
aws iam attach-role-policy --role-name role01 --policy-arn arn:aws:iam::999999999999:policy/policy01
-- 10. ルールの追加
{
"ConfigRule": {
"ConfigRuleName": "rule01",
"Description": "ec2-ebs-encryption-by-default",
"Scope": {
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "EC2_EBS_ENCRYPTION_BY_DEFAULT"
},
"InputParameters": "{}",
"MaximumExecutionFrequency": "TwentyFour_Hours"
}
}
※ルール評価対象はConfigの変更管理の対象リソースとして登録しておく必要がある
# Register the AWS-managed rule described in rule.json (above), then list the
# account's rules to confirm it exists.
aws configservice put-config-rule --cli-input-json file://rule.json
aws configservice describe-config-rules
-- 11. 自動修復の設定
[
{
"ConfigRuleName": "rule01",
"TargetType": "SSM_DOCUMENT",
"TargetId": "AWSConfigRemediation-EnableEbsEncryptionByDefault",
"TargetVersion": "2",
"Parameters": {"AutomationAssumeRole": {
"StaticValue": {
"Values": ["arn:aws:iam::999999999999:role/role01"]
}
}
},
"Automatic": true,
"MaximumAutomaticAttempts": 5,
"RetryAttemptSeconds": 60
}
]
# Enable automatic remediation from remediation.json (above): on NON_COMPLIANT,
# Config runs the AWS-managed SSM document with role01 as AutomationAssumeRole,
# retrying up to 5 times, 60 s apart. This flips an account-wide EC2 setting, so
# make sure that is intended before leaving "Automatic": true on. The principal
# running this command presumably also needs iam:PassRole on role01 — verify
# against its own policy.
aws configservice put-remediation-configurations --remediation-configurations file://remediation.json
aws configservice describe-remediation-configurations --config-rule-names rule01
-- 12. オンデマンド評価
# Kick off an evaluation now instead of waiting for the 24-hour periodic run,
# then check its status.
aws configservice start-config-rules-evaluation --config-rule-names rule01
aws configservice describe-config-rule-evaluation-status
-- 13. 評価結果の削除
# Discard the stored evaluation results for the rule; the rule itself remains.
aws configservice delete-evaluation-results --config-rule-name rule01
-- 14. クリーンアップ
-- 自動修復の削除
# Remove the remediation configuration first; it belongs to the rule deleted next.
aws configservice describe-remediation-configurations --config-rule-names rule01
aws configservice delete-remediation-configuration --config-rule-name rule01
-- ルールの削除
# List rules, then delete the lab rule.
aws configservice describe-config-rules
aws configservice delete-config-rule --config-rule-name rule01
少し時間がかかる
-- IAMロールの削除
# A role must have no policies attached before IAM lets you delete it.
aws iam list-roles | grep -F -- role01
aws iam detach-role-policy --role-name role01 --policy-arn arn:aws:iam::999999999999:policy/policy01
aws iam delete-role --role-name role01
-- IAMポリシーの削除
# With the role gone, the customer-managed policy has no attachments and can go.
aws iam list-policies | grep -F -- policy01
aws iam delete-policy --policy-arn arn:aws:iam::999999999999:policy/policy01
-- AWS Config の無効化
# Tear Config down in reverse order of setup: inspect current state, drop the
# retention setting, stop the recorder, delete the delivery channel, and only
# then delete the recorder itself.
aws configservice describe-delivery-channels
aws configservice describe-configuration-recorders
aws configservice describe-configuration-recorder-status
aws configservice describe-retention-configurations
aws configservice delete-retention-configuration --retention-configuration-name default
aws configservice stop-configuration-recorder --configuration-recorder-name default
aws configservice delete-delivery-channel --delivery-channel-name default
aws configservice delete-configuration-recorder --configuration-recorder-name default
-- SNSトピック削除
# Look up the subscription ARN (the UUID suffix below is a placeholder; take the
# real one from list-subscriptions), unsubscribe, then remove the topic.
aws sns list-topics
aws sns list-subscriptions
aws sns unsubscribe --subscription-arn arn:aws:sns:ap-northeast-1:999999999999:topic01:11111111-2222-3333-4444-555555555555
aws sns delete-topic --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01
-- バケットの削除
# --force empties the bucket (every object is deleted) before removing it, so
# double-check the bucket name against the listing first.
aws s3 ls
aws s3 rb s3://bucket123 --force