~~NOCACHE~~
~~DISCUSSION~~
## 10.適用手順-1.管理アカウント
### CloudShellから共通設定項目①を実施する。
[[Aws:SecurityManagement:ApplicationProcedure.Common-1|Aws/セキュリティ管理/10.適用手順-共通項目①]]
### CloudShellからCloudFormationで使用するロールを作成する。
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
ASSUME_ROLE_NAME=AWSCloudFormationStackSetAdministrationRole
ROLE_NAME=AWSCloudFormationStackSetExecutionRole
JSON='{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::'${ACCOUNT_ID}':role/'${ASSUME_ROLE_NAME}'"
},
"Action": "sts:AssumeRole"
}
]
}'
aws iam create-role --role-name ${ROLE_NAME} --assume-role-policy-document "${JSON}"
aws iam attach-role-policy --role-name ${ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
### CloudShellから以下を実行する。
#### 信頼されたアクセスの有効化/管理の委任
##### CloudFormation
# 設定
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws organizations enable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com
aws organizations register-delegated-administrator --service-principal member.org.stacksets.cloudformation.amazonaws.com --account-id ${ACCOUNT_ID}
--> 確認/削除(戻し)#
# 確認
aws organizations list-delegated-administrators --service-principal member.org.stacksets.cloudformation.amazonaws.com
# 削除(戻し)
aws organizations deregister-delegated-administrator --service-principal member.org.stacksets.cloudformation.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations disable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com
<--
##### CloudTrail
# 設定
aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
--> 確認/削除(戻し)#
# 確認(一覧にあれば有効化済)
aws organizations list-aws-service-access-for-organization
# 削除(戻し)
aws organizations disable-aws-service-access --service-principal cloudtrail.amazonaws.com
<--
##### Config
# 設定
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws organizations enable-aws-service-access --service-principal config.amazonaws.com
aws organizations enable-aws-service-access --service-principal config-multiaccountsetup.amazonaws.com
aws organizations register-delegated-administrator --service-principal config.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id ${ACCOUNT_ID}
--> 確認/削除(戻し)#
# 確認
aws organizations list-delegated-administrators --service-principal config.amazonaws.com
aws organizations list-delegated-administrators --service-principal config-multiaccountsetup.amazonaws.com
# 削除(戻し)
aws organizations deregister-delegated-administrator --service-principal config.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations deregister-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations disable-aws-service-access --service-principal config.amazonaws.com
aws organizations disable-aws-service-access --service-principal config-multiaccountsetup.amazonaws.com
<--
##### GuardDuty
# 設定
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
aws organizations register-delegated-administrator --service-principal guardduty.amazonaws.com --account-id ${ACCOUNT_ID}
# 全てのリージョンでGuardDutyの委任先アカウントを設定する
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### enable organization admin account in ${region}"
aws --region ${region} guardduty enable-organization-admin-account --admin-account-id ${ACCOUNT_ID}
done
--> 確認/削除(戻し)#
## 確認
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### list organization admin account in ${region}"
aws --region ${region} guardduty list-organization-admin-accounts
done
# 削除(戻し)
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### disable organization admin account in ${region}"
aws --region ${region} guardduty disable-organization-admin-account --admin-account-id ${ACCOUNT_ID}
done
aws organizations deregister-delegated-administrator --service-principal guardduty.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations disable-aws-service-access --service-principal guardduty.amazonaws.com
<--
##### Detective
# 設定
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws organizations enable-aws-service-access --service-principal detective.amazonaws.com
aws organizations register-delegated-administrator --service-principal detective.amazonaws.com --account-id ${ACCOUNT_ID}
# 全てのリージョンでDetectiveの委任先アカウントを設定する
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "## Delegate Detective in ${region}"
aws --region ${region} detective enable-organization-admin-account --account-id ${ACCOUNT_ID}
done
--> 確認/削除(戻し)#
## 確認
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### list organization admin account in ${region}"
aws --region ${region} detective list-organization-admin-accounts
done
# 削除(戻し)
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### disable organization admin account in ${region}"
aws --region ${region} detective disable-organization-admin-account
done
aws organizations deregister-delegated-administrator --service-principal detective.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations disable-aws-service-access --service-principal detective.amazonaws.com
<--
##### SecurityHub
# 設定
aws organizations enable-aws-service-access --service-principal securityhub.amazonaws.com
# 全てのリージョンでSecurityHubを有効化する(AWSの基本的なセキュリティのベストプラクティス標準のみ)
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "## enable SecurityHub in ${region}"
aws --region ${region} securityhub enable-security-hub --no-enable-default-standards
aws --region ${region} securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:'${region}'::standards/aws-foundational-security-best-practices/v/1.0.0"}'
aws --region ${region} securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:${region}:${ACCOUNT_ID}:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6" --control-status DISABLED --disabled-reason "仮想MFAで対応"
aws --region ${region} securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:${region}:${ACCOUNT_ID}:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5" --control-status DISABLED --disabled-reason "EventBridgeで対応"
done
# 全てのリージョンでsecurityhubの委任先アカウントを設定する
ACCOUNT_ID=(委任先のAWSアカウントID 12桁)
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### enable organization admin account in ${region}"
aws --region ${region} securityhub enable-organization-admin-account --admin-account-id ${ACCOUNT_ID}
done
--> 確認/削除(戻し)#
## 確認
aws organizations list-aws-service-access-for-organization
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### list organization admin account in ${region}"
aws --region ${region} securityhub describe-hub
done
# 削除(戻し)
# 全てのリージョンでSecurityHubの委任設定削除
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### disable organization admin account in ${region}"
aws --region ${region} securityhub disable-organization-admin-account --admin-account-id ${ACCOUNT_ID}
done
# 全てのリージョンでSecurityHubを無効化する
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "## enable SecurityHub in ${region}"
aws --region ${region} securityhub disable-security-hub
done
aws organizations deregister-delegated-administrator --service-principal securityhub.amazonaws.com --account-id ${ACCOUNT_ID}
aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com
<--
{{tag>AWS Organizations Security セキュリティプリセット}}