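# Create the S3 bucket that stores CloudFormation templates, then harden it:
# default SSE-S3 encryption, a full public-access block, and a bucket policy
# that denies every request not made over TLS.
MAIN_REGION_ID=ap-northeast-1
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
# Stop if the caller identity could not be resolved; an empty account ID would
# otherwise yield a bucket name that is not tied to this account.
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"
BUCKET_NAME="cf-templates-${ACCOUNT_ID}-${MAIN_REGION_ID}"

# Bucket policy: deny all S3 actions on the bucket and its objects whenever
# aws:SecureTransport is false (plain HTTP).
JSON=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non SSL request",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${BUCKET_NAME}",
        "arn:aws:s3:::${BUCKET_NAME}/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
EOF
)

# Pin the region on the call so the bucket lands in MAIN_REGION_ID regardless
# of the CLI's default region. us-east-1 rejects an explicit LocationConstraint,
# so the configuration is only sent for other regions.
create_args=(--bucket "${BUCKET_NAME}" --region "${MAIN_REGION_ID}")
if [[ "${MAIN_REGION_ID}" != "us-east-1" ]]; then
  create_args+=(--create-bucket-configuration "LocationConstraint=${MAIN_REGION_ID}")
fi
aws s3api create-bucket "${create_args[@]}"

# S3 bucket names are global and this one is predictable. --expected-bucket-owner
# makes each hardening call fail rather than act on a same-named bucket that
# belongs to another account.
aws s3api put-bucket-encryption \
  --region "${MAIN_REGION_ID}" \
  --bucket "${BUCKET_NAME}" \
  --expected-bucket-owner "${ACCOUNT_ID}" \
  --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

aws s3api put-public-access-block \
  --region "${MAIN_REGION_ID}" \
  --bucket "${BUCKET_NAME}" \
  --expected-bucket-owner "${ACCOUNT_ID}" \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

aws s3api put-bucket-policy \
  --region "${MAIN_REGION_ID}" \
  --bucket "${BUCKET_NAME}" \
  --expected-bucket-owner "${ACCOUNT_ID}" \
  --policy "${JSON}"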
■メインリージョン
上記リンクから「DelegateAccountMainRegionStack.yaml」を委任先アカウントへ実行する。 ※スタックにて作成
■その他のリージョン
上記リンクから「DelegateAccountOtherRegionStackSets.yaml」を委任先アカウントへ実行する。 ※StackSetsからセルフサービスのアカウントID指定
■全てのリージョンを対象
上記リンクから「ManagedAccountStackSets.yaml」を管理アカウントへ実行する。 ※StackSetsからセルフサービスのアカウントID指定
■全てのリージョンを対象
上記リンクから「MemberAccountStackSets.yaml」を管理アカウントへ実行する。 ※StackSetsからサービスマネージドのOUID指定
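# Settings

## In every region: disable the CIS standard in Security Hub and turn off two
## AWS Foundational Security Best Practices controls, recording the reason.
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
# The ARNs below embed the account ID; stop if it could not be resolved.
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## disable CIS standard and selected controls in ${region}"
      # batch-disable-standards expects the per-account *subscription* ARN
      # (arn:aws:securityhub:REGION:ACCOUNT:subscription/...), not the
      # region-less "ruleset" standard ARN. Verify afterwards with
      # `aws securityhub get-enabled-standards`.
      aws --region "${region}" securityhub batch-disable-standards \
        --standards-subscription-arns "arn:aws:securityhub:${region}:${ACCOUNT_ID}:subscription/cis-aws-foundations-benchmark/v/1.2.0"
      # IAM.6 is disabled with the reason "covered by virtual MFA".
      aws --region "${region}" securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:${region}:${ACCOUNT_ID}:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6" \
        --control-status DISABLED \
        --disabled-reason "仮想MFAで対応"
      # CloudTrail.5 is disabled with the reason "covered by EventBridge".
      aws --region "${region}" securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:${region}:${ACCOUNT_ID}:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5" \
        --control-status DISABLED \
        --disabled-reason "EventBridgeで対応"
    done

## In every region: auto-enable Security Hub for new organization accounts
## (without auto-enabling standards) and register the existing accounts as
## members. Then configure cross-region finding aggregation once.
# Region that becomes the aggregation region; defaults to the main region used
# elsewhere on this page. NOTE(review): confirm this is the intended home region.
MAIN_REGION_ID=${MAIN_REGION_ID:-ap-northeast-1}
# Re-derived so this section can be run on its own.
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"

# Build one "AccountId=...,Email=..." argument per organization account other
# than the current one. The list does not depend on the region, so it is
# fetched once instead of once per region.
member_details=()
while IFS= read -r detail; do
  if [[ -n "${detail}" ]]; then
    member_details+=("${detail}")
  fi
done < <(
  aws organizations list-accounts \
    --query "Accounts[?Id!='${ACCOUNT_ID}'].[Id,Email]" --output text \
    | awk '{print "AccountId=" $1 "," "Email=" $2}'
)

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## create member in ${region}"
      aws --region "${region}" securityhub update-organization-configuration \
        --auto-enable --auto-enable-standards NONE
      # Skip the call when there are no other accounts; an empty
      # --account-details would only produce a CLI usage error.
      # NOTE(review): the API limits how many accounts one call accepts;
      # batch the list for large organizations.
      if (( ${#member_details[@]} > 0 )); then
        aws --region "${region}" securityhub create-members \
          --account-details "${member_details[@]}"
      fi
    done

# Security Hub uses the region this call is made from as the aggregation
# region. Issuing it inside the per-region loop would make whichever region
# describe-regions lists first the aggregation region, so it is run once,
# explicitly against the main region.
echo "## create finding aggregator in ${MAIN_REGION_ID}"
aws --region "${MAIN_REGION_ID}" securityhub create-finding-aggregator \
  --region-linking-mode ALL_REGIONS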
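# Verification

# Show which Security Hub standards are enabled in each region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      # The label names what is actually listed, so the output can be used
      # as evidence of the per-region state.
      echo "##### list enabled standards in ${region}"
      aws --region "${region}" securityhub get-enabled-standards
    done

# Show member accounts and finding aggregators in each region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "##### list members and finding aggregators in ${region}"
      aws --region "${region}" securityhub list-members
      aws --region "${region}" securityhub list-finding-aggregators
    done

# Removal (rollback)
# Disable Security Hub in every region. This turns off the service for the
# current account in each region; run the verification loops above first and
# keep their output.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      # The original label said "enable" while the command disables; a wrong
      # label on a destructive loop is misleading in terminal history and logs.
      echo "## disable SecurityHub in ${region}"
      aws --region "${region}" securityhub disable-security-hub
    done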
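# In every region: configure the GuardDuty findings export destination
# (an S3 bucket, encrypted with a KMS key).
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
# The bucket and key ARNs embed the account ID; stop if it could not be resolved.
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"
DESTINATION_ARN="arn:aws:s3:::aggregation-${ACCOUNT_ID}-guardduty-log"
# Placeholder: replace with the region name of the S3 bucket before running.
BUCKET_REGION='<S3_BUCKET_REGION>'
# NOTE(review): this is an alias ARN; confirm GuardDuty accepts an alias here,
# otherwise use the key ARN of the key behind alias/GuardDutyKey.
KMS_KEY_ARN="arn:aws:kms:${BUCKET_REGION}:${ACCOUNT_ID}:alias/GuardDutyKey"
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## enable guard duty setting in ${region}"
      DETECTOR_ID=$(aws --region "${region}" guardduty list-detectors --query 'DetectorIds' --output text)
      # No detector means GuardDuty is not enabled in this region. Report it
      # instead of sending a malformed --detector-id, so a coverage gap is
      # visible rather than hidden in a CLI usage error.
      if [[ -z "${DETECTOR_ID}" ]]; then
        echo "## no GuardDuty detector in ${region}; skipped" >&2
        continue
      fi
      aws --region "${region}" guardduty create-publishing-destination \
        --detector-id "${DETECTOR_ID}" \
        --destination-type S3 \
        --destination-properties DestinationArn="${DESTINATION_ARN}",KmsKeyArn="${KMS_KEY_ARN}"
    done

# In every region: auto-enable GuardDuty for new organization accounts and
# register the existing accounts as members.
# Re-derived so this section can be run on its own.
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"

# One "AccountId=...,Email=..." argument per organization account other than
# the current one.
member_details=()
while IFS= read -r detail; do
  if [[ -n "${detail}" ]]; then
    member_details+=("${detail}")
  fi
done < <(
  aws organizations list-accounts \
    --query "Accounts[?Id!='${ACCOUNT_ID}'].[Id,Email]" --output text \
    | awk '{print "AccountId=" $1 "," "Email=" $2}'
)

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## create member in ${region}"
      DETECTOR_ID=$(aws --region "${region}" guardduty list-detectors --query 'DetectorIds' --output text)
      if [[ -z "${DETECTOR_ID}" ]]; then
        echo "## no GuardDuty detector in ${region}; skipped" >&2
        continue
      fi
      aws --region "${region}" guardduty update-organization-configuration \
        --auto-enable --detector-id "${DETECTOR_ID}"
      # Skip when there are no other accounts to register.
      # NOTE(review): the API limits how many accounts one call accepts;
      # batch the list for large organizations.
      if (( ${#member_details[@]} > 0 )); then
        aws --region "${region}" guardduty create-members \
          --account-details "${member_details[@]}" \
          --detector-id "${DETECTOR_ID}"
      fi
    done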
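# Verification
# Show the GuardDuty detector, organization configuration and members per region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      # The label names what is actually listed.
      echo "##### list GuardDuty detector, organization configuration and members in ${region}"
      DETECTOR_ID=$(aws --region "${region}" guardduty list-detectors --query 'DetectorIds' --output text)
      aws --region "${region}" guardduty list-detectors
      # Without a detector the remaining calls cannot be addressed; report the
      # region as uncovered instead of emitting CLI usage errors.
      if [[ -z "${DETECTOR_ID}" ]]; then
        echo "## no GuardDuty detector in ${region}" >&2
        continue
      fi
      aws --region "${region}" guardduty describe-organization-configuration --detector-id "${DETECTOR_ID}"
      aws --region "${region}" guardduty list-members --detector-id "${DETECTOR_ID}"
    done

# Removal (rollback)
# Disable GuardDuty in every region by deleting the region's detector.
# Destructive: run the verification loop above first and keep its output.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## disable Guardduty in ${region}"
      DETECTOR_ID=$(aws --region "${region}" guardduty list-detectors --query 'DetectorIds' --output text)
      # Nothing to delete when the region has no detector.
      if [[ -z "${DETECTOR_ID}" ]]; then
        echo "## no GuardDuty detector in ${region}; skipped" >&2
        continue
      fi
      aws --region "${region}" guardduty delete-detector --detector-id "${DETECTOR_ID}"
    done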
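# In every region: auto-enable Amazon Detective for new organization accounts
# and register the existing accounts as members of the behavior graph.
# (The original heading said GuardDuty; the commands below are Detective.)
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
# The member query excludes the current account by ID; stop if it is unknown.
: "${ACCOUNT_ID:?could not resolve the AWS account ID (check credentials)}"

# One "AccountId=...,EmailAddress=..." argument per organization account other
# than the current one. Detective names the field EmailAddress, not Email.
member_accounts=()
while IFS= read -r account; do
  if [[ -n "${account}" ]]; then
    member_accounts+=("${account}")
  fi
done < <(
  aws organizations list-accounts \
    --query "Accounts[?Id!='${ACCOUNT_ID}'].[Id,Email]" --output text \
    | awk '{print "AccountId=" $1 "," "EmailAddress=" $2}'
)

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## create member in ${region}"
      GRAPH_ARN=$(aws --region "${region}" detective list-graphs --query 'GraphList[].[Arn]' --output text)
      # No graph means Detective is not enabled in this region. Report it
      # instead of sending a malformed --graph-arn.
      if [[ -z "${GRAPH_ARN}" ]]; then
        echo "## no Detective graph in ${region}; skipped" >&2
        continue
      fi
      aws --region "${region}" detective update-organization-configuration \
        --auto-enable --graph-arn "${GRAPH_ARN}"
      # Skip when there are no other accounts to register.
      # NOTE(review): the API limits how many accounts one call accepts;
      # batch the list for large organizations.
      if (( ${#member_accounts[@]} > 0 )); then
        aws --region "${region}" detective create-members \
          --accounts "${member_accounts[@]}" \
          --graph-arn "${GRAPH_ARN}"
      fi
    done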
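# Verification
# Show the Detective graph, organization configuration and members per region.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      # The label names what is actually listed.
      echo "##### list Detective graph, organization configuration and members in ${region}"
      GRAPH_ARN=$(aws --region "${region}" detective list-graphs --query 'GraphList[].[Arn]' --output text)
      aws --region "${region}" detective list-graphs
      # Without a graph the remaining calls cannot be addressed; report the
      # region as uncovered instead of emitting CLI usage errors.
      if [[ -z "${GRAPH_ARN}" ]]; then
        echo "## no Detective graph in ${region}" >&2
        continue
      fi
      aws --region "${region}" detective describe-organization-configuration --graph-arn "${GRAPH_ARN}"
      aws --region "${region}" detective list-members --graph-arn "${GRAPH_ARN}"
    done

# Removal (rollback)
# Disable Detective in every region by deleting the region's behavior graph.
# Destructive: run the verification loop above first and keep its output.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while IFS= read -r region; do
      echo "## disable Detective in ${region}"
      GRAPH_ARN=$(aws --region "${region}" detective list-graphs --query 'GraphList[].[Arn]' --output text)
      # Nothing to delete when the region has no graph.
      if [[ -z "${GRAPH_ARN}" ]]; then
        echo "## no Detective graph in ${region}; skipped" >&2
        continue
      fi
      aws --region "${region}" detective delete-graph --graph-arn "${GRAPH_ARN}"
    done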