Aws:SecurityManagement:ApplicationProcedure-1.Managementaccount-1
10.適用手順-1.管理アカウント
CloudShellから共通設定項目①を実施する。
CloudShellからCloudFormationで使用するロールを作成する。
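# Create the CloudFormation StackSets execution role in the management account.
# Its trust policy allows only the StackSet administration role in the delegated
# account to assume it.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated
# (target) AWS account before running.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
ASSUME_ROLE_NAME=AWSCloudFormationStackSetAdministrationRole
ROLE_NAME=AWSCloudFormationStackSetExecutionRole
# Trust policy. The outer single quotes keep the JSON literal; only the two
# double-quoted expansions are interpolated, so the document stays well-formed.
JSON='{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::'"${ACCOUNT_ID}"':role/'"${ASSUME_ROLE_NAME}"'" },
      "Action": "sts:AssumeRole"
    }
  ]
}'
aws iam create-role \
  --role-name "${ROLE_NAME}" \
  --assume-role-policy-document "${JSON}"
# AdministratorAccess is the AWS-documented default for this execution role; it
# governs what StackSets can deploy into this account, so scope it down if the
# stacks you deploy need less.
aws iam attach-role-policy \
  --role-name "${ROLE_NAME}" \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess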
CloudShellから以下を実行する。
信頼されたアクセスの有効化/管理の委任
CloudFormation
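# Configure: enable trusted access for CloudFormation StackSets and register the
# delegated administrator account.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
aws organizations enable-aws-service-access \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com
aws organizations register-delegated-administrator \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com \
  --account-id "${ACCOUNT_ID}"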
- 確認/削除(戻し)
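# Verify: the delegated account should appear in the list.
aws organizations list-delegated-administrators \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com
# Remove (rollback). ACCOUNT_ID must still hold the delegated account ID in this
# shell; abort early instead of sending an empty --account-id.
: "${ACCOUNT_ID:?set ACCOUNT_ID to the delegated 12-digit AWS account ID}"
aws organizations deregister-delegated-administrator \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
aws organizations disable-aws-service-access \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com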
CloudTrail
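# Configure: enable trusted access for CloudTrail so organization trails can be used.
aws organizations enable-aws-service-access \
  --service-principal cloudtrail.amazonaws.com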
- 確認/削除(戻し)
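# Verify: trusted access is enabled if cloudtrail.amazonaws.com appears in the
# list of enabled service principals (the --query narrows the output to it).
aws organizations list-aws-service-access-for-organization \
  --query "EnabledServicePrincipals[?ServicePrincipal=='cloudtrail.amazonaws.com']"
# Remove (rollback)
aws organizations disable-aws-service-access \
  --service-principal cloudtrail.amazonaws.com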
Config
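# Configure: enable trusted access for AWS Config and register the delegated
# administrator for both Config service principals.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
# config.amazonaws.com covers the aggregator; config-multiaccountsetup.amazonaws.com
# covers organization-wide rules and conformance packs. Both must be delegated.
CONFIG_PRINCIPALS=(config.amazonaws.com config-multiaccountsetup.amazonaws.com)
for principal in "${CONFIG_PRINCIPALS[@]}"; do
  aws organizations enable-aws-service-access --service-principal "${principal}"
done
for principal in "${CONFIG_PRINCIPALS[@]}"; do
  aws organizations register-delegated-administrator \
    --service-principal "${principal}" \
    --account-id "${ACCOUNT_ID}"
done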
- 確認/削除(戻し)
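# Verify: the delegated account should be listed for both Config principals.
CONFIG_PRINCIPALS=(config.amazonaws.com config-multiaccountsetup.amazonaws.com)
for principal in "${CONFIG_PRINCIPALS[@]}"; do
  aws organizations list-delegated-administrators --service-principal "${principal}"
done
# Remove (rollback). ACCOUNT_ID must still hold the delegated account ID in this
# shell; abort early instead of sending an empty --account-id.
: "${ACCOUNT_ID:?set ACCOUNT_ID to the delegated 12-digit AWS account ID}"
for principal in "${CONFIG_PRINCIPALS[@]}"; do
  aws organizations deregister-delegated-administrator \
    --service-principal "${principal}" \
    --account-id "${ACCOUNT_ID}"
done
# Trusted access is disabled only after the delegation has been removed.
for principal in "${CONFIG_PRINCIPALS[@]}"; do
  aws organizations disable-aws-service-access --service-principal "${principal}"
done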
GuardDuty
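# Configure: enable trusted access for GuardDuty, register the delegated
# administrator, then set it as the GuardDuty organization admin in every region.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
aws organizations enable-aws-service-access \
  --service-principal guardduty.amazonaws.com
aws organizations register-delegated-administrator \
  --service-principal guardduty.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
# GuardDuty is regional, so the delegated administrator is set per region.
# describe-regions returns the regions enabled for this account.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### enable organization admin account in ${region}"
      aws --region "${region}" guardduty enable-organization-admin-account \
        --admin-account-id "${ACCOUNT_ID}"
    done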
- 確認/削除(戻し)
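## Verify: each region should report the delegated account as organization admin.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### list organization admin account in ${region}"
      aws --region "${region}" guardduty list-organization-admin-accounts
    done
# Remove (rollback)
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
# Undo the regional delegation first, then the organization-level registration.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### disable organization admin account in ${region}"
      aws --region "${region}" guardduty disable-organization-admin-account \
        --admin-account-id "${ACCOUNT_ID}"
    done
aws organizations deregister-delegated-administrator \
  --service-principal guardduty.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
aws organizations disable-aws-service-access \
  --service-principal guardduty.amazonaws.com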
Detective
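# Configure: enable trusted access for Detective, register the delegated
# administrator, then set it as the Detective organization admin in every region.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
aws organizations enable-aws-service-access \
  --service-principal detective.amazonaws.com
aws organizations register-delegated-administrator \
  --service-principal detective.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
# Detective is regional, so the delegated administrator is set per region.
# NOTE(review): the original re-read ACCOUNT_ID from `aws sts get-caller-identity`
# at this point, which would delegate Detective to the management account itself
# rather than to the account registered above. This version keeps the delegated
# ID, matching the GuardDuty and Security Hub sections — confirm that is intended.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "## Delegate Detective in ${region}"
      aws --region "${region}" detective enable-organization-admin-account \
        --account-id "${ACCOUNT_ID}"
    done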
- 確認/削除(戻し)
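## Verify: each region should report the delegated account as organization admin.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### list organization admin account in ${region}"
      aws --region "${region}" detective list-organization-admin-accounts
    done
# Remove (rollback)
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
# Undo the regional delegation first (Detective's disable call takes no account
# argument), then the organization-level registration.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### disable organization admin account in ${region}"
      aws --region "${region}" detective disable-organization-admin-account
    done
aws organizations deregister-delegated-administrator \
  --service-principal detective.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
aws organizations disable-aws-service-access \
  --service-principal detective.amazonaws.com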
SecurityHub
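# Configure: enable trusted access for Security Hub, enable Security Hub in this
# (management) account in every region with only the AWS Foundational Security
# Best Practices standard, then set the delegated administrator in every region.
aws organizations enable-aws-service-access \
  --service-principal securityhub.amazonaws.com
# The control ARNs below are scoped to this account, so the caller's own account
# ID is needed here (kept separate from the delegated ACCOUNT_ID used further down).
SELF_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
FSBP_STANDARD=aws-foundational-security-best-practices/v/1.0.0
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "## enable SecurityHub in ${region}"
      aws --region "${region}" securityhub enable-security-hub --no-enable-default-standards
      aws --region "${region}" securityhub batch-enable-standards \
        --standards-subscription-requests \
        '{"StandardsArn":"arn:aws:securityhub:'"${region}"'::standards/'"${FSBP_STANDARD}"'"}'
      # Two controls are disabled with a recorded reason: IAM.6 (hardware MFA for
      # the root user) is covered by virtual MFA, and CloudTrail.5 (CloudTrail to
      # CloudWatch Logs) is covered by EventBridge. Disabling a control suppresses
      # its findings, so keep the reason current. The controls may not be visible
      # immediately after batch-enable-standards; if these calls report the control
      # as not found, re-run them for that region.
      aws --region "${region}" securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:${region}:${SELF_ACCOUNT_ID}:control/${FSBP_STANDARD}/IAM.6" \
        --control-status DISABLED \
        --disabled-reason "仮想MFAで対応"
      aws --region "${region}" securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:${region}:${SELF_ACCOUNT_ID}:control/${FSBP_STANDARD}/CloudTrail.5" \
        --control-status DISABLED \
        --disabled-reason "EventBridgeで対応"
    done
# Set the Security Hub delegated administrator in every region.
# ACCOUNT_ID is a placeholder: replace it with the 12-digit ID of the delegated account.
ACCOUNT_ID="<委任先のAWSアカウントID 12桁>"
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### enable organization admin account in ${region}"
      aws --region "${region}" securityhub enable-organization-admin-account \
        --admin-account-id "${ACCOUNT_ID}"
    done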
- 確認/削除(戻し)
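## Verify: trusted access is enabled if securityhub.amazonaws.com is listed, and
## each region should have a hub and report the delegated organization admin.
aws organizations list-aws-service-access-for-organization \
  --query "EnabledServicePrincipals[?ServicePrincipal=='securityhub.amazonaws.com']"
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### list organization admin account in ${region}"
      # describe-hub only shows that Security Hub is enabled in this account;
      # list-organization-admin-accounts shows the delegated administrator.
      aws --region "${region}" securityhub describe-hub
      aws --region "${region}" securityhub list-organization-admin-accounts
    done
# Remove (rollback). ACCOUNT_ID must still hold the delegated account ID in this
# shell; abort early instead of sending an empty --admin-account-id.
: "${ACCOUNT_ID:?set ACCOUNT_ID to the delegated 12-digit AWS account ID}"
# Remove the Security Hub delegation in every region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      echo "##### disable organization admin account in ${region}"
      aws --region "${region}" securityhub disable-organization-admin-account \
        --admin-account-id "${ACCOUNT_ID}"
    done
# Disable Security Hub in this account in every region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      # Message fixed: this loop disables, it does not enable.
      echo "## disable SecurityHub in ${region}"
      aws --region "${region}" securityhub disable-security-hub
    done
aws organizations deregister-delegated-administrator \
  --service-principal securityhub.amazonaws.com \
  --account-id "${ACCOUNT_ID}"
aws organizations disable-aws-service-access \
  --service-principal securityhub.amazonaws.com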