{GuardDuty}GuardDuty の開始方法

 

https://docs.aws.amazon.com/ja_jp/guardduty/latest/ug/guardduty_settingup.html

https://sayjoyblog.com/aws_guardduty_enable/

 


-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

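# Fetch the AWS CLI v2 installer together with its detached signature and
# verify the signature before the installer is run under sudo. `-f` makes
# curl fail on an HTTP error instead of saving an error page as the zip.
# Prerequisite: the AWS CLI public key has been imported into gpg
# (the import steps are in the AWS CLI installation guide).
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip
unzip -q awscliv2.zip
sudo ./aws/install
aws --version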

-- 1.2 jqインストール
# jq is used later to pretty-print the bucket policy returned by S3.
sudo yum install -y jq

 


-- 2. Amazon GuardDuty の有効化

# Turn GuardDuty on in the current region. SIX_HOURS sets how often updates
# to findings are published; the DetectorId it returns is what every later
# --detector-id refers to.
aws guardduty create-detector --enable --finding-publishing-frequency SIX_HOURS

# Confirm the detector; 11111111111111111111111111111111 below stands in for
# the id printed here.
aws guardduty list-detectors

aws guardduty get-detector --detector-id 11111111111111111111111111111111


-- 3. S3 バケットへの GuardDuty の検出結果のエクスポートを設定する

-- 3.1 KMSカスタマキーの作成


# Write the KMS key policy that follows into key.json. Besides the account
# root and the iamuser administrator/user statements, it lets
# guardduty.amazonaws.com call kms:GenerateDataKey only when
# aws:SourceAccount and aws:SourceArn match this account's detector
# (a confused-deputy guard). 999999999999, iamuser and the detector id look
# like placeholders; replace them with the real values before use.
vim key.json

{
    "Id": "key01",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::999999999999:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::999999999999:user/iamuser"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [
              "arn:aws:iam::999999999999:user/iamuser"
            ]},
            "Action": [
                "kms:CreateGrant",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": [
              "arn:aws:iam::999999999999:user/iamuser"
            ]},            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {    
            "Sid": "AllowGuardDutyKey",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "999999999999",
                    "aws:SourceArn": "arn:aws:guardduty:ap-northeast-1:999999999999:detector/11111111111111111111111111111111"
                }
            }
        }
    ]
}

 

# Create the customer managed key under the policy in key.json and give it
# the alias the publishing destination refers to later (alias/key03).
# The KeyId printed by create-key is what --target-key-id needs;
# 22222222-2222-2222-2222-222222222222 is a stand-in for it.
aws kms create-key --policy file://key.json --description key03

aws kms create-alias \
  --target-key-id 22222222-2222-2222-2222-222222222222 \
  --alias-name alias/key03

aws kms list-aliases


-- 3.2 S3 バケットを作成する

# Create the export bucket (no --region given, so the CLI's configured
# default region is used) and list buckets to confirm.
# NOTE(review): nothing in these notes sets S3 Block Public Access on the
# bucket; consider enabling it before the bucket policy step.
aws s3 mb "s3://bucke123"
aws s3 ls


-- 3.3 バケットポリシーの設定

# Write the bucket policy that follows into b.json. The Deny statements
# (non-HTTPS, wrong KMS key, unencrypted upload) and the PutObject /
# GetBucketLocation Allows are all limited to Principal
# guardduty.amazonaws.com, and the Allows additionally require
# aws:SourceAccount / aws:SourceArn of the detector.
# NOTE(review): because the Denies name only the GuardDuty service
# principal, they do not enforce TLS or SSE-KMS for any other principal
# writing to this bucket; widen Principal to "*" there if that is intended.
vim b.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny non-HTTPS access",
            "Effect": "Deny",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucke123/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Deny incorrect encryption header",
            "Effect": "Deny",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucke123/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ap-northeast-1:999999999999:key/22222222-2222-2222-2222-222222222222"
                }
            }
        },
        {
            "Sid": "Deny unencrypted object uploads",
            "Effect": "Deny",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucke123/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "Allow PutObject",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucke123/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "999999999999",
                    "aws:SourceArn": "arn:aws:guardduty:ap-northeast-1:999999999999:detector/11111111111111111111111111111111"
                }
            }
        },
        {
            "Sid": "Allow GetBucketLocation",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::bucke123",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "999999999999",
                    "aws:SourceArn": "arn:aws:guardduty:ap-northeast-1:999999999999:detector/11111111111111111111111111111111"
                }
            }
        }
    ]
}

 


# Attach b.json to the bucket, then read it back. get-bucket-policy returns
# the policy as a JSON-encoded string, so it is parsed with fromjson and
# pretty-printed.
aws s3api put-bucket-policy --policy file://b.json --bucket bucke123

aws s3api get-bucket-policy --bucket bucke123 | jq '.Policy | fromjson'

 

 

 


-- 3.4 S3 バケットへの GuardDuty の検出結果のエクスポートを設定する

# Register the bucket as the detector's S3 publishing destination. KmsKeyArn
# points at the alias created earlier, not at the key id.
aws guardduty create-publishing-destination \
  --detector-id 11111111111111111111111111111111 \
  --destination-type S3 \
  --destination-properties '{"DestinationArn":"arn:aws:s3:::bucke123","KmsKeyArn":"arn:aws:kms:ap-northeast-1:999999999999:alias/key03"}'

# List the destinations and inspect the one just created;
# 33333333333333333333333333333333 stands in for the DestinationId printed.
aws guardduty list-publishing-destinations --detector-id 11111111111111111111111111111111

aws guardduty describe-publishing-destination \
  --destination-id 33333333333333333333333333333333 \
  --detector-id 11111111111111111111111111111111

 

 

-- 4. SNS を使用して GuardDuty の検出結果アラートを設定する

-- 4.1 SNSトピック作成

# Inventory what already exists, create the alert topic and add an email
# subscriber. SNS sends a confirmation mail; the subscription delivers
# nothing until the recipient confirms it.
aws sns list-topics
aws sns list-subscriptions

aws sns create-topic --name topic01

aws sns subscribe \
  --protocol email \
  --notification-endpoint hoge@example.com \
  --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01


-- 4.2 SNSアクセスポリシー設定

# Show the topic's current attributes (including its default Policy) before
# replacing the policy.
aws sns get-topic-attributes --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01

# Write the SNS topic access policy that follows into sns.json. The first
# statement (named as the default policy) allows Principal AWS "*" but is
# restricted by AWS:SourceOwner = this account; the second lets
# events.amazonaws.com publish so the EventBridge rule created below can
# deliver findings.
# NOTE(review): the events.amazonaws.com statement carries no
# aws:SourceArn / aws:SourceAccount condition, so it is not tied to rule01
# specifically; consider adding one.
vim sns.json

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "999999999999"
        }
      }
    },
    {
      "Sid": "event01",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-northeast-1:999999999999:topic01"
    }
  ]
}

 

# Replace the topic policy with sns.json, then read the attributes back to
# confirm the new Policy.
aws sns set-topic-attributes \
  --attribute-name Policy \
  --attribute-value file://sns.json \
  --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01

aws sns get-topic-attributes --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01


-- 4.3 ルールの作成

# EventBridge rule matching every "GuardDuty Finding" event from
# aws.guardduty; created enabled.
aws events put-rule \
  --name rule01 \
  --description rule01 \
  --state ENABLED \
  --event-pattern '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"]}'

aws events list-rules
aws events describe-rule --name rule01

 

-- 4.4 ターゲットの作成

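# Route events matched by rule01 to the SNS topic, rewriting the payload
# with an input transformer into a short message. Finding_ID and region are
# both mapped from the event and both are used in the console link, so the
# mail opens the exact finding in the right region (the original template
# mapped Finding_ID but never used it, leaving region= and id%3D empty).
aws events put-targets \
  --rule rule01 \
  --targets '[
  {
    "Id": "1",
    "Arn": "arn:aws:sns:ap-northeast-1:999999999999:topic01",
    "InputTransformer": {
      "InputPathsMap": {
        "Finding_ID": "$.detail.id",
        "Finding_Type": "$.detail.type",
        "Finding_description": "$.detail.description",
        "region": "$.region",
        "severity": "$.detail.severity"
      },
      "InputTemplate": "\n\"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region.\"\n\"Finding Description:\"\n\"<Finding_description>. \"\n\"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>\"\n                            "
    }
  }
]'

# Confirm the target is attached.
aws events list-targets-by-rule --rule rule01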

 


-- 5. サンプル検出結果を生成する

# Generate sample findings so the export-to-S3 and SNS paths above can be
# exercised end to end, then list them and fetch one by id
# (44444444444444444444444444444444 stands in for an id from list-findings).
aws guardduty create-sample-findings --detector-id 11111111111111111111111111111111

aws guardduty list-findings --detector-id 11111111111111111111111111111111

aws guardduty get-findings \
  --finding-ids 44444444444444444444444444444444 \
  --detector-id 11111111111111111111111111111111

 

-- 6. 動作確認

5分程度待ち、S3格納とメール受信を確認する

# Exported findings should appear under the bucket after a few minutes.
aws s3 ls --recursive "s3://bucke123"

 


-- 7. クリーンアップ

 

-- ターゲットの削除
# Detach the SNS target (Id "1") from rule01; a rule cannot be deleted while
# targets are attached.
aws events list-targets-by-rule --rule rule01

aws events remove-targets --ids 1 --rule rule01

-- ルールの削除
# Remove the rule itself.
aws events list-rules

aws events delete-rule --name rule01

 


-- SNSトピック削除

# Drop the email subscription and the topic. The subscription ARN
# (…:topic01:55555555-5555-5555-5555-555555555555 here) is taken from
# list-subscriptions.
aws sns unsubscribe \
  --subscription-arn arn:aws:sns:ap-northeast-1:999999999999:topic01:55555555-5555-5555-5555-555555555555
aws sns delete-topic \
  --topic-arn arn:aws:sns:ap-northeast-1:999999999999:topic01

# Verify both are gone.
aws sns list-topics
aws sns list-subscriptions

-- バケットの削除

# --force deletes every object in the bucket and then the bucket itself;
# this is irreversible, so check the bucket list first.
aws s3 ls
aws s3 rb --force "s3://bucke123"


-- KMSカスタマキーの削除

# Locate the key behind alias/key03, then schedule it for deletion.
# 7 days is the shortest pending window; during that window the deletion can
# still be cancelled (cancel-key-deletion). Any object still encrypted under
# this key becomes unreadable once the key is gone, which is why the bucket
# is removed first in these notes.
aws kms list-aliases | grep -A 4 -- key03

aws kms list-keys

aws kms schedule-key-deletion \
  --pending-window-in-days 7 \
  --key-id 22222222-2222-2222-2222-222222222222

 

 

-- Amazon GuardDuty の無効化

# Finally remove the detector, which disables GuardDuty in this region.
# Done last so the export destination and findings above are gone first.
aws guardduty list-detectors

aws guardduty get-detector --detector-id 11111111111111111111111111111111

aws guardduty delete-detector --detector-id 11111111111111111111111111111111