buildspec file for SAM templates
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.8
    commands:
      - pip install -U pip
      - pip install -U cfn-lint
      # Use the latest version
      - pip install -U awscli
      # for Lambda
      - pip install -U aws-sam-cli
      - pip install -U boto3
      # for Lambda Powertools
      - pip install -U aws-lambda-powertools
      # for cloudformation-guard
      # (the release archive is downloaded as-is; this step does not verify a checksum or signature)
      - wget https://github.com/aws-cloudformation/cloudformation-guard/releases/download/1.0.0/cfn-guard-linux-1.0.0.tar.gz
      - tar -xvf cfn-guard-linux-1.0.0.tar.gz
  pre_build:
    commands:
      # lint every template, then check each one against the security rule set
      - find ./ -type f -name "*.yaml" | xargs --no-run-if-empty cfn-lint
      - find ./ -type f -name "*.yaml" | xargs -I {} ./cfn-guard-linux/cfn-guard check -r ./security-standards.ruleset -t {}
  build:
    commands:
      - sam validate --template ${TEMPLATE_FILE_PATH}template.yaml
      - sam build --template ${TEMPLATE_FILE_PATH}template.yaml
      - sam package --template-file .aws-sam/build/template.yaml --s3-bucket ${PACKAGE_BUCKET} --output-template-file packaged.yaml
artifacts:
  files:
    - packaged.yaml
https://git.io/JT8z1 (GitHub: eijikominami/aws-cloudformation-templates)
Example cfn-guard rule file
Partially conforms to the AWS Security Hub Security Standards
AWS::CloudTrail::Trail IsMultiRegionTrail == true << CloudTrail trails should cover all regions
AWS::CloudTrail::Trail EnableLogFileValidation == true << CloudTrail file validation should be enabled
AWS::CloudTrail::Trail CloudWatchLogsLogGroupArn == /.*/ << CloudTrail trails should be integrated with Amazon CloudWatch Logs
AWS::CloudTrail::Trail KMSKeyId == /.*/ << CloudTrail trails should encrypt the logs delivered by it.
AWS::DMS::ReplicationInstance PubliclyAccessible == false << DMS instance should not be publicly accessible
AWS::EC2::Volume Encrypted == true << EC2 volumes should be encrypted
AWS::EC2::Instance BlockDeviceMappings.*.Ebs.Encrypted == true << EC2 volumes should be encrypted
AWS::EC2::SecurityGroup WHEN SecurityGroupIngress.*.ToPort == 22 CHECK SecurityGroupIngress.*.CidrIp != 0.0.0.0/0
AWS::EC2::SecurityGroup WHEN SecurityGroupIngress.*.ToPort == 3389 CHECK SecurityGroupIngress.*.CidrIp != 0.0.0.0/0
AWS::Elasticsearch::Domain EncryptionAtRestOptions.Enabled == true << Domain encryption should be enabled
AWS::GuardDuty::Detector Enable == true << Detector should be enabled
AWS::IAM::Role Policies.*.PolicyDocument.Statement.*.Action.* != \* << IAM Role should not allow full "*" administrative privileges
AWS::KMS::Key EnableKeyRotation == true << Key rotation should be enabled
AWS::RDS::DBInstance PubliclyAccessible == false << Database should not be publicly accessible
AWS::RDS::DBInstance StorageEncrypted == true << Storage encryption should be enabled
AWS::S3::Bucket BucketEncryption.ServerSideEncryptionConfiguration == /.*/ << S3 bucket encryption should be enabled
AWS::SageMaker::NotebookInstance DirectInternetAccess == Disabled << Notebooks should not have direct internet access
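To make the semantics of these rule lines concrete, the following is an added example (not cfn-guard, and not code from the eijikominami/aws-cloudformation-templates repository): a minimal Python evaluator for the subset of cfn-guard 1.x syntax the slide uses (`==`, `!=`, `/regex/` values, `.*` wildcard path segments and `WHEN ... CHECK ...`), run over a constructed, already-parsed template. Two behaviours are this example's own choices rather than anything the slide states: a property absent from the template fails an `==` check and satisfies a `!=` check, and a `WHEN` clause applies when any wildcard match satisfies it. The `RULESET` and `TEMPLATE` values are embedded sample data.

```python
"""Minimal evaluator for cfn-guard 1.x style rule lines (added example, not the real tool).
Supports only: '==' / '!=', regex values written /.../, '.*' wildcard path segments,
and 'WHEN <clause> CHECK <clause>'. Assumptions: a missing property fails '==' and
passes '!='; a WHEN clause applies when ANY wildcard match satisfies it."""
import re

# Subset of the slide's rule file; in the IAM rule, `\*` means a literal asterisk.
RULESET = r"""
AWS::CloudTrail::Trail IsMultiRegionTrail == true << CloudTrail trails should cover all regions
AWS::CloudTrail::Trail KMSKeyId == /.*/ << CloudTrail trails should encrypt the logs delivered by it.
AWS::EC2::Volume Encrypted == true << EC2 volumes should be encrypted
AWS::EC2::SecurityGroup WHEN SecurityGroupIngress.*.ToPort == 22 CHECK SecurityGroupIngress.*.CidrIp != 0.0.0.0/0
AWS::IAM::Role Policies.*.PolicyDocument.Statement.*.Action.* != \* << IAM Role should not allow full "*" administrative privileges
AWS::RDS::DBInstance PubliclyAccessible == false << Database should not be publicly accessible
"""

CLAUSE = re.compile(r"^(\S+)\s*(==|!=)\s*(.+)$")

def parse_clause(text):
    """'Path.*.Prop == value' -> (['Path', '*', 'Prop'], '==', 'value')."""
    m = CLAUSE.match(text.strip())
    if not m:
        raise ValueError("unsupported clause: %r" % text)
    path, op, value = m.groups()
    return path.split("."), op, value.strip()

def parse_rules(text):
    """Parse one rule per line: '<Type> [WHEN <clause> CHECK] <clause> [<< message]'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        body, _, message = line.partition("<<")
        rtype, _, body = body.strip().partition(" ")
        when = None
        if body.startswith("WHEN "):
            cond, _, body = body[5:].partition(" CHECK ")
            when = parse_clause(cond)
        rules.append({"type": rtype, "when": when, "check": parse_clause(body),
                      "message": message.strip() or line})  # no '<<' text: report the rule itself
    return rules

def resolve(node, path):
    """Yield every value reachable from node along path; '*' fans out over a list or mapping."""
    if not path:
        yield node
        return
    head, rest = path[0], path[1:]
    if head == "*":
        if isinstance(node, list):
            children = node
        elif isinstance(node, dict):
            children = list(node.values())
        else:
            children = [node]  # scalar where CloudFormation also allows a list (e.g. Action: "*")
        for child in children:
            yield from resolve(child, rest)
    elif isinstance(node, dict) and head in node:
        yield from resolve(node[head], rest)

def matches(actual, op, expected):
    """Compare one template value with the rule value: regex if written /.../, else literal."""
    if len(expected) > 1 and expected[0] == expected[-1] == "/":
        hit = re.search(expected[1:-1], str(actual)) is not None
    else:
        hit = str(actual).lower() == expected.replace("\\*", "*").lower()  # True/true, 22/"22"
    return hit if op == "==" else not hit

def clause_holds(props, clause, any_match=False):
    """WHEN clauses use any_match=True; CHECK clauses require every resolved value to pass."""
    path, op, expected = clause
    values = list(resolve(props, path))
    if not values:
        return op == "!="  # assumption: absent property fails '==' and satisfies '!='
    results = [matches(v, op, expected) for v in values]
    return any(results) if any_match else all(results)

def evaluate(template, rules):
    """Return [(logical_id, message), ...] for every rule a resource violates."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for rule in rules:
            if rule["type"] != resource.get("Type"):
                continue
            if rule["when"] and not clause_holds(props, rule["when"], any_match=True):
                continue  # condition not met, so the rule does not apply
            if not clause_holds(props, rule["check"]):
                findings.append((logical_id, rule["message"]))
    return findings

# Constructed sample template in already-parsed form (no YAML library needed).
TEMPLATE = {"Resources": {
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsMultiRegionTrail": True, "S3BucketName": "example-trail-bucket"}},  # no KMSKeyId
    "Volume": {"Type": "AWS::EC2::Volume", "Properties": {"Encrypted": True, "Size": 8}},
    "SshOpen": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Admin": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "all",
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": False}},
}}

if __name__ == "__main__":
    for logical_id, message in evaluate(TEMPLATE, parse_rules(RULESET)):
        print("FAIL %-8s %s" % (logical_id, message))
```

Running it reports three violations (the trail without `KMSKeyId`, the security group exposing port 22 to `0.0.0.0/0`, and the role granting `Action: "*"`) while the encrypted volume and the non-public database pass. Note that, as with the real `WHEN ... CHECK` lines on the slide, the check clause is evaluated over every ingress entry of the group, not only the one that matched the condition.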
https://git.io/JT8g4 (GitHub: eijikominami/aws-cloudformation-templates)