CloudFormation StackSets 작업
중요
AWS 보안 인시던트 대응는 기본적으로 격리 기능을 활성화하지 않습니다. 이러한 격리 조치를 실행하려면 AWS Identity and Access Management 역할을 사용하여 서비스에 필요한 권한을 부여해야 합니다. CloudFormation StackSets를 배포하여 계정당 또는 조직 전체에 걸쳐 이러한 역할을 개별적으로 생성할 수 있습니다. StackSets가 필요한 역할을 생성합니다.
서비스 관리형 권한으로 StackSet를 생성하는 방법에 대한 구체적인 지침은 AWS CloudFormation 사용 설명서의 서비스 관리형 권한으로 CloudFormation StackSet 생성을 참조하세요.
다음은 AWSSecurityIncidentResponseContainment 및 AWSSecurityIncidentResponseContainmentExecution 역할을 생성하기 위한 템플릿입니다.
AWSTemplateFormatVersion: '2010-09-09' Description: 'Template for production SIR containment roles' Resources: AWSSecurityIncidentResponseContainment: Type: 'AWS::IAM::Role' Properties: RoleName: AWSSecurityIncidentResponseContainment AssumeRolePolicyDocument: { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Principal': { 'Service': 'containment.security-ir.amazonaws.com' }, 'Action': 'sts:AssumeRole', 'Condition': { 'StringEquals': { 'sts:ExternalId': !Sub '${AWS::AccountId}' } }, }, { 'Effect': 'Allow', 'Principal': { 'Service': 'containment.security-ir.amazonaws.com' }, 'Action': 'sts:TagSession', }, ], } Policies: - PolicyName: AWSSecurityIncidentResponseContainmentPolicy PolicyDocument: { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Action': ['ssm:StartAutomationExecution'], 'Resource': [ !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainEC2Instance:$DEFAULT', !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainS3Resource:$DEFAULT', !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainIAMPrincipal:$DEFAULT', ], }, { 'Effect': 'Allow', 'Action': ['ssm:DescribeInstanceInformation', 'ssm:GetAutomationExecution', 'ssm:ListCommandInvocations'], 'Resource': '*', }, { 'Effect': 'Allow', 'Action': ['iam:PassRole'], 'Resource': !GetAtt AWSSecurityIncidentResponseContainmentExecution.Arn, 'Condition': { 'StringEquals': { 'iam:PassedToService': 'ssm.amazonaws.com' } }, }, ], } AWSSecurityIncidentResponseContainmentExecution: Type: 'AWS::IAM::Role' Properties: RoleName: AWSSecurityIncidentResponseContainmentExecution AssumeRolePolicyDocument: { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': 'ssm.amazonaws.com' }, 'Action': 'sts:AssumeRole' }], } ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit Policies: - PolicyName: AWSSecurityIncidentResponseContainmentExecutionPolicy PolicyDocument: { 'Version': '2012-10-17', 'Statement': [ { 'Sid': 'AllowIAMContainment', 'Effect': 'Allow', 'Action': [ 'iam:AttachRolePolicy', 'iam:AttachUserPolicy', 'iam:DeactivateMFADevice', 'iam:DeleteLoginProfile', 'iam:DeleteRolePolicy', 'iam:DeleteUserPolicy', 'iam:GetLoginProfile', 'iam:GetPolicy', 'iam:GetRole', 'iam:GetRolePolicy', 'iam:GetUser', 'iam:GetUserPolicy', 'iam:ListAccessKeys', 'iam:ListAttachedRolePolicies', 'iam:ListAttachedUserPolicies', 'iam:ListMfaDevices', 'iam:ListPolicies', 'iam:ListRolePolicies', 'iam:ListUserPolicies', 'iam:ListVirtualMFADevices', 'iam:PutRolePolicy', 'iam:PutUserPolicy', 'iam:TagMFADevice', 'iam:TagPolicy', 'iam:TagRole', 'iam:TagUser', 'iam:UntagMFADevice', 'iam:UntagPolicy', 'iam:UntagRole', 'iam:UntagUser', 'iam:UpdateAccessKey', 'identitystore:CreateGroupMembership', 'identitystore:DeleteGroupMembership', 'identitystore:IsMemberInGroups', 'identitystore:ListUsers', 'identitystore:ListGroups', 'identitystore:ListGroupMemberships', ], 'Resource': '*', }, { 'Sid': 'AllowOrgListAccounts', 'Effect': 'Allow', 'Action': 'organizations:ListAccounts', 'Resource': '*', }, { 'Sid': 'AllowSSOContainment', 'Effect': 'Allow', 'Action': [ 'sso:CreateAccountAssignment', 'sso:DeleteAccountAssignment', 'sso:DeleteInlinePolicyFromPermissionSet', 'sso:GetInlinePolicyForPermissionSet', 'sso:ListAccountAssignments', 'sso:ListInstances', 'sso:ListPermissionSets', 'sso:ListPermissionSetsProvisionedToAccount', 'sso:PutInlinePolicyToPermissionSet', 'sso:TagResource', 'sso:UntagResource', ], 'Resource': '*', }, { 'Sid': 'AllowSSORead', 'Effect': 'Allow', 'Action': ['sso-directory:SearchUsers', 'sso-directory:DescribeUser'], 'Resource': '*', }, { 'Sid': 'AllowS3Read', 'Effect': 'Allow', 'Action': [ 's3:GetAccountPublicAccessBlock', 's3:GetBucketAcl', 's3:GetBucketLocation', 's3:GetBucketOwnershipControls', 's3:GetBucketPolicy', 's3:GetBucketPolicyStatus', 's3:GetBucketPublicAccessBlock', 's3:GetBucketTagging', 's3:GetEncryptionConfiguration', 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectTagging', 's3:GetReplicationConfiguration', 's3:ListBucket', 's3express:GetBucketPolicy', ], 'Resource': '*', }, { 'Sid': 'AllowS3Write', 'Effect': 'Allow', 'Action': [ 's3:CreateBucket', 's3:DeleteBucketPolicy', 's3:DeleteObjectTagging', 's3:PutAccountPublicAccessBlock', 's3:PutBucketACL', 's3:PutBucketOwnershipControls', 's3:PutBucketPolicy', 's3:PutBucketPublicAccessBlock', 's3:PutBucketTagging', 's3:PutBucketVersioning', 's3:PutObject', 's3:PutObjectAcl', 's3express:CreateSession', 's3express:DeleteBucketPolicy', 's3express:PutBucketPolicy', ], 'Resource': '*', }, { 'Sid': 'AllowAutoScalingWrite', 'Effect': 'Allow', 'Action': [ 'autoscaling:CreateOrUpdateTags', 'autoscaling:DeleteTags', 'autoscaling:DescribeAutoScalingGroups', 'autoscaling:DescribeAutoScalingInstances', 'autoscaling:DescribeTags', 'autoscaling:EnterStandby', 'autoscaling:ExitStandby', 'autoscaling:UpdateAutoScalingGroup', ], 'Resource': '*', }, { 'Sid': 'AllowEC2Containment', 'Effect': 'Allow', 'Action': [ 'ec2:AuthorizeSecurityGroupEgress', 'ec2:AuthorizeSecurityGroupIngress', 'ec2:CopyImage', 'ec2:CreateImage', 'ec2:CreateSecurityGroup', 'ec2:CreateSnapshot', 'ec2:CreateTags', 'ec2:DeleteSecurityGroup', 'ec2:DeleteTags', 'ec2:DescribeImages', 'ec2:DescribeInstances', 'ec2:DescribeSecurityGroups', 'ec2:DescribeSnapshots', 'ec2:DescribeTags', 'ec2:ModifyNetworkInterfaceAttribute', 'ec2:RevokeSecurityGroupEgress', ], 'Resource': '*', }, { 'Sid': 'AllowKMSActions', 'Effect': 'Allow', 'Action': [ 'kms:CreateGrant', 'kms:DescribeKey', 'kms:GenerateDataKeyWithoutPlaintext', 'kms:ReEncryptFrom', 'kms:ReEncryptTo', ], 'Resource': '*', }, { 'Sid': 'AllowSSMActions', 'Effect': 'Allow', 'Action': ['ssm:DescribeAutomationExecutions'], 'Resource': '*', }, ], }
