Amazon Inspector security scanning and automated report generation in practice
Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for vulnerabilities. It automatically discovers and scans Amazon EC2 instances and container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
This walkthrough has Inspector scan EC2 instances and pushes the findings report automatically: Inspector writes the export to S3 encrypted with a KMS key, and a Lambda function started by a CloudWatch (EventBridge) scheduled rule triggers the export.
I. Role permissions
1. EC2 IAM role policy configuration
Create the role AmazonSSMRoleForInstancesQuickSetup and attach the policies iam_eni_policy.json (custom, shown below), CloudWatchAgentServerPolicy, AmazonSSMManagedInstanceCore and AmazonSSMPatchAssociation. Inspector reaches the instance through the SSM agent, so AmazonSSMManagedInstanceCore is the policy the scan actually depends on. The custom policy below, as written, grants iam:* and ec2:* on every resource to any process running on the instance; that is account-admin reach from a single compromised host. If the instance genuinely needs ENI permissions, limit the policy to the specific ec2 actions and resources involved and drop iam:* entirely.
iam_eni_policy.json policy (as used in this setup):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:*",
"ec2:*"
],
"Resource": "*"
}
]
}
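As an added example (not part of the original post), the check below reads iam_eni_policy.json exactly as shown above and reports every wildcard action granted on every resource, then runs the same check against a constructed, scoped alternative. The scoped policy's action list, region and account id are assumptions about what an "ENI" policy for an instance might need; adjust them to the workload.

```python
"""Flag wildcard grants in an IAM policy attached to an EC2 instance profile.
Added example; PAGE_POLICY is iam_eni_policy.json from the page, SCOPED_POLICY
is a constructed replacement with placeholder region/account values."""
import json
from typing import Any, Dict, List

PAGE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["iam:*", "ec2:*"], "Resource": "*"}
  ]
}
""")

# Constructed alternative: no iam:* at all, describe-only calls on "*" (EC2
# Describe* actions do not support resource-level ARNs) and the attach/detach
# calls limited to this account's ENIs and instances.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EniDescribe", "Effect": "Allow",
         "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeInstances"],
         "Resource": "*"},
        {"Sid": "EniAttach", "Effect": "Allow",
         "Action": ["ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface"],
         "Resource": [
             "arn:aws:ec2:ap-southeast-1:123456789012:network-interface/*",
             "arn:aws:ec2:ap-southeast-1:123456789012:instance/*",
         ]},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy: Dict[str, Any]) -> List[str]:
    """Return one 'Sid: action ...' entry for every Allow statement that grants
    "*" or "service:*" on every resource ("Resource": "*" or any NotResource).
    NotAction statements on every resource are flagged too: they allow
    everything except the listed actions."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        every_resource = "*" in _as_list(stmt.get("Resource", [])) or "NotResource" in stmt
        if not every_resource:
            continue
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction (everything except the listed actions) on every resource")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: {action} on every resource")
    return findings


if __name__ == "__main__":
    for name, policy in (("iam_eni_policy.json", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, "->", wildcard_grants(policy) or "no wildcard grants")
```

Run it before attaching a custom policy to an instance profile; anything it prints is a grant that every process on the instance, including a compromised one, can exercise with the instance's credentials.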
2. Attach the IAM role to the EC2 instance
On the EC2 instance, under the Security section, attach the IAM role AmazonSSMRoleForInstancesQuickSetup:
II. Inspector configuration and testing
1. Enable EC2 scanning in Inspector
Activate the Inspector service with scanning enabled only for EC2:
View findings by vulnerability or by instance and analyse the scan results:
In All findings, filter on Resource type: AWS EC2 Instance:
On the findings page click Export Findings to start the export:
Filter on resource type EC2 Instance, choose CSV as the export format, and supply the S3 bucket and the KMS key:
2. KMS key configuration
· Alias name: S3-ECR
· Alias ARN: arn:aws:kms:ap-southeast-1:xxx2492xxxxx:alias/S3-ECR
· Key user: xx.xxx
· Account id: xxx2492xxxxx
· aws:SourceArn used in the key policy condition: arn:aws:inspector2:ap-southeast-1:xxx2492xxxxx:report/*
· Key policy configuration
Note: replace 账户id (account id) and 密钥使用用户 (key user) in the policy below with your own values.
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::账户id:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::账户id:user/密钥使用用户"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::账户id:user/密钥使用用户"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::账户id:user/密钥使用用户"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow inspector to perform kms actions",
"Effect": "Allow",
"Principal": {
"Service": "inspector2.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "账户id"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:账户id:report/*"
}
}
}
]
}
Key type: symmetric
Key usage: encrypt and decrypt
3. S3 bucket configuration
Block Public Access: keep all four settings enabled. The Inspector service principal writes through the bucket policy below, nothing in the export needs public access, and a bucket holding vulnerability reports must not be reachable anonymously.
Bucket policy
Note: replace 存储bucket名称 with the name of the new bucket and 账户id with your account id.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow inspector to perform Put and Delete actions on s3",
"Effect": "Allow",
"Principal": {
"Service": "inspector2.amazonaws.com"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::存储bucket名称/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "账户id"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:账户id:report/*"
}
}
}
]
}
Cross-origin resource sharing (CORS): not required for the Inspector export, since no browser fetches the report. If a web front end does read reports from this bucket, limit AllowedOrigins to that origin and AllowedMethods to GET and HEAD rather than the wildcard configuration shown here:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"HEAD",
"PUT",
"POST",
"DELETE"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": [
"ETag"
],
"MaxAgeSeconds": 3000
}
]
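Both the KMS key policy in step 2 and the bucket policy in step 3 grant the inspector2.amazonaws.com service principal access only under aws:SourceAccount and aws:SourceArn conditions; without them, a report started in another account could be pointed at your key and bucket (the confused-deputy problem). The check below, an added example that is not part of the original post, verifies those conditions on both policies. The account id and bucket name are placeholders, and the weak policy is a constructed copy of the bucket policy with its Condition removed.

```python
"""Verify that service-principal statements in resource policies are pinned to
this account via aws:SourceAccount / aws:SourceArn. Added example; the policies
below carry the Inspector statements shown on the page with placeholder values."""
import copy
from typing import Any, Dict, List

ACCOUNT_ID = "123456789012"          # placeholder for 账户id
REGION = "ap-southeast-1"
BUCKET = "my-inspector-reports"      # placeholder for 存储bucket名称
REPORT_ARN_PATTERN = f"arn:aws:inspector2:{REGION}:{ACCOUNT_ID}:report/*"

INSPECTOR_CONDITION = {
    "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
    "ArnLike": {"aws:SourceArn": REPORT_ARN_PATTERN},
}

# Inspector statement from the key policy (the root and key-user statements use
# AWS principals, not Service principals, so they are out of scope here).
KEY_POLICY: Dict[str, Any] = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow inspector to perform kms actions", "Effect": "Allow",
     "Principal": {"Service": "inspector2.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
     "Condition": INSPECTOR_CONDITION},
]}

BUCKET_POLICY: Dict[str, Any] = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow inspector to perform Put and Delete actions on s3", "Effect": "Allow",
     "Principal": {"Service": "inspector2.amazonaws.com"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": INSPECTOR_CONDITION},
]}

# Constructed weak variant: same grant, no Condition.
WEAK_BUCKET_POLICY = copy.deepcopy(BUCKET_POLICY)
del WEAK_BUCKET_POLICY["Statement"][0]["Condition"]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def unpinned_service_statements(policy: Dict[str, Any],
                                account_id: str = ACCOUNT_ID,
                                source_arn: str = REPORT_ARN_PATTERN) -> List[str]:
    """Return one problem per Allow statement with a Service principal whose
    aws:SourceAccount / aws:SourceArn conditions are missing or do not match."""
    problems: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        sid = stmt.get("Sid", "<no sid>")
        cond = stmt.get("Condition", {})
        got_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        got_arn = (cond.get("ArnLike", {}).get("aws:SourceArn")
                   or cond.get("StringLike", {}).get("aws:SourceArn"))
        if got_account != account_id:
            problems.append(f"{sid}: aws:SourceAccount is {got_account!r}, expected {account_id!r}")
        if got_arn != source_arn:
            problems.append(f"{sid}: aws:SourceArn is {got_arn!r}, expected {source_arn!r}")
    return problems


if __name__ == "__main__":
    for name, policy in (("key policy", KEY_POLICY), ("bucket policy", BUCKET_POLICY),
                         ("weak bucket policy", WEAK_BUCKET_POLICY)):
        print(name, "->", unpinned_service_statements(policy) or "pinned to this account")
```

The same check applies to any resource policy that trusts a service principal; the expected aws:SourceArn pattern is the only part specific to Inspector reports.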
III. Using a Lambda function to call Inspector and export the report automatically
1. Lambda function named Inspector-Findings, running on Python 3.9
Permissions: execution role Inspector-Findings-role-qlz0f062 with the policy below (replace 账户id with your account id):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:ap-southeast-1:账户id:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:ap-southeast-1:账户id:log-group:/aws/lambda/Inspector-Findings:*"
]
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "inspector2:CreateFindingsReport",
"Resource": "*"
}
]
}
Python 3.9 code
Note: boto3 is bundled with the Lambda Python 3.9 runtime, so the handler below can be pasted into the Inspector-Findings function as-is; package a zip with a pinned boto3 only if the bundled version predates the inspector2 API. Replace bucketName and 账户id with your own values:
import json
import boto3


def lambda_handler(event, context):
    client = boto3.client('inspector2', region_name='ap-southeast-1')
    # CreateFindingsReport is asynchronous: it returns a reportId immediately and
    # Inspector writes the CSV to the bucket when generation finishes.
    response = client.create_findings_report(
        filterCriteria={
            # only EC2 instance findings ...
            'resourceType': [
                {
                    'comparison': 'EQUALS',
                    'value': 'AWS_EC2_INSTANCE'
                }
            ],
            # ... that are still active (not suppressed or closed)
            'findingStatus': [
                {
                    'comparison': 'EQUALS',
                    'value': 'ACTIVE'
                }
            ]
        },
        reportFormat='CSV',
        s3Destination={
            'bucketName': 's3存储bucket',
            'kmsKeyArn': 'arn:aws:kms:ap-southeast-1:账户id:key/a3ecc003-b96e-4865-902b-d69804f32fc0'
        })
    print(response)
    return {
        'statusCode': 200,
        'body': json.dumps(response)
    }
2. Configure a CloudWatch (EventBridge) scheduled rule to trigger the report
Schedule expression cron(5 8 ? * FRI *), i.e. 08:05 UTC every Friday (the six fields are minutes, hours, day-of-month, month, day-of-week and year; see the expression format in the console):
3. The Inspector report is written to S3 as a CSV file
4. Script task orchestration
Targets can be selected by specific EC2 instance or by resource-group / instance tags.
Check the output for the detailed result of uname -a.
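The handler in step 1 exports every active EC2 finding and returns as soon as the report is requested. As an added example (not the original post's code), the version below extends it with the per-instance and per-tag selection mentioned in step 4, and polls GetFindingsReportStatus so the schedule rule's invocation fails visibly if the export does not succeed. The bucket name, key ARN, key prefix and the event shape ({"instanceIds": [...], "tags": {...}}, which you would set as the rule's constant input) are assumptions, and FakeInspectorClient is a constructed stand-in for the boto3 client so the logic runs offline.

```python
"""Export an Inspector findings report scoped by instance ID and/or tag and wait
for it to finish. Added example; bucket, key ARN, prefix and event shape are
placeholders, and FakeInspectorClient is a constructed offline stand-in."""
import datetime
import time
from typing import Any, Dict, Iterable, Optional

REGION = "ap-southeast-1"
BUCKET = "my-inspector-reports"                                        # placeholder
KMS_KEY_ARN = "arn:aws:kms:ap-southeast-1:123456789012:key/KEY_ID"     # placeholder
TERMINAL_STATES = {"SUCCEEDED", "FAILED", "CANCELLED"}


def build_filter_criteria(instance_ids: Optional[Iterable[str]] = None,
                          tags: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """filterCriteria for CreateFindingsReport: active findings on EC2 instances,
    optionally narrowed to instance IDs (resourceId, a StringFilter list) and/or
    tag key/value pairs (resourceTags, a MapFilter list)."""
    criteria: Dict[str, Any] = {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    if instance_ids:
        criteria["resourceId"] = [{"comparison": "EQUALS", "value": i} for i in instance_ids]
    if tags:
        criteria["resourceTags"] = [{"comparison": "EQUALS", "key": k, "value": v}
                                    for k, v in sorted(tags.items())]
    return criteria


def export_findings(client, criteria: Dict[str, Any], bucket: str, kms_key_arn: str,
                    key_prefix: str, poll_seconds: float = 10, max_polls: int = 60) -> Dict[str, Any]:
    """Start the report and poll GetFindingsReportStatus until a terminal state."""
    report_id = client.create_findings_report(
        filterCriteria=criteria,
        reportFormat="CSV",
        s3Destination={"bucketName": bucket, "keyPrefix": key_prefix, "kmsKeyArn": kms_key_arn},
    )["reportId"]
    status: Dict[str, Any] = {"status": "IN_PROGRESS"}
    for _ in range(max_polls):
        status = client.get_findings_report_status(reportId=report_id)
        if status["status"] in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    return {"reportId": report_id, "status": status["status"],
            "errorCode": status.get("errorCode"), "errorMessage": status.get("errorMessage")}


def lambda_handler(event, context):
    import boto3  # bundled in the Lambda runtime; imported here so the rest runs offline
    client = boto3.client("inspector2", region_name=REGION)
    criteria = build_filter_criteria(event.get("instanceIds"), event.get("tags"))
    prefix = "inspector/" + datetime.date.today().isoformat() + "/"
    result = export_findings(client, criteria, BUCKET, KMS_KEY_ARN, prefix)
    if result["status"] != "SUCCEEDED":
        # raising makes the invocation error visible in CloudWatch metrics/alarms
        raise RuntimeError(f"export {result['reportId']} ended {result['status']}: {result['errorMessage']}")
    return {"statusCode": 200, "body": result}


class FakeInspectorClient:
    """Constructed stand-in for boto3's inspector2 client: records the create call
    and answers IN_PROGRESS once, then SUCCEEDED."""

    def __init__(self):
        self.create_calls = []
        self._polls = 0

    def create_findings_report(self, **kwargs):
        self.create_calls.append(kwargs)
        return {"reportId": "rpt-0001"}

    def get_findings_report_status(self, reportId):
        self._polls += 1
        return {"reportId": reportId, "status": "IN_PROGRESS" if self._polls < 2 else "SUCCEEDED"}


if __name__ == "__main__":
    fake = FakeInspectorClient()
    print(export_findings(fake, build_filter_criteria(tags={"Env": "prod"}),
                          BUCKET, KMS_KEY_ARN, "inspector/", poll_seconds=0))
```

Set the function timeout to cover the polling window (max_polls × poll_seconds), and keep the schedule interval longer than a report takes: Inspector will not start a new findings report while a previous one in the same account and region is still in progress.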
Security comes first: real-time alerting and stronger controls, effective protection and regular security checks.