Publishing my AWS Config study session materials
AWS Config study session materials
I had the opportunity to run a study session on AWS Config, so I am publishing the materials here.
The first half covers the basics of AWS Config; the second half explains Config custom rules written with AWS CloudFormation Guard.
The materials are organized as follows.
- AWS Config basics
- Differences between AWS CloudTrail and AWS Config
- AWS Config rules
- Multi-account management with AWS Config
- Custom rules using AWS CloudFormation Guard
The ultimate goal of the session is to explain "Custom rules using AWS CloudFormation Guard", with the AWS Config basics as the lead-up. To make the difference from AWS CloudTrail clear, the session opens with an explanation of AWS CloudTrail logs.
Supplementary material for "Differences between AWS CloudTrail and AWS Config"
Below are the sample AWS CloudTrail and AWS Config logs referenced in the session materials. They concern a single VPC, but since they are sample logs for explanation purposes the VPC has very few associated resources.
VPC creation logs
Logs from creating only a VPC from the management console. CloudTrail records the single `CreateVpc` API call and answers who made it: the `userIdentity` block names the IAM user, `sessionCredentialFromConsole: "true"` shows the call came from a console session, and `mfaAuthenticated: "false"` shows that session was established without MFA. The Config configuration item, captured about two minutes later, records the resulting state instead, including `relationships` to the default network ACL, security group and route table that EC2 creates implicitly with the VPC, none of which appear in the CloudTrail event.
AWS CloudTrail
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAWLQZGIQFTRCEG2FVP",
    "arn": "arn:aws:iam::111122223333:user/test-user",
    "accountId": "111122223333",
    "accessKeyId": "ASIAWLQZGIQF5VQZQAFC",
    "userName": "test-user",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-20T06:18:22Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2022-09-20T06:18:58Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpc",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "cidrBlock": "10.0.0.0/24",
    "instanceTenancy": "default",
    "amazonProvidedIpv6CidrBlock": false,
    "tagSpecificationSet": {
      "items": [
        {
          "resourceType": "vpc",
          "tags": [
            {
              "key": "Name",
              "value": "test-vpc"
            }
          ]
        }
      ]
    }
  },
  "responseElements": {
    "requestId": "a57e199b-d75e-4882-849a-e6a6facbd9d4",
    "vpc": {
      "vpcId": "vpc-0a2375b90a4ec629e",
      "state": "pending",
      "ownerId": "111122223333",
      "cidrBlock": "10.0.0.0/24",
      "cidrBlockAssociationSet": {
        "items": [
          {
            "cidrBlock": "10.0.0.0/24",
            "associationId": "vpc-cidr-assoc-0ed021c785e97b15c",
            "cidrBlockState": {
              "state": "associated"
            }
          }
        ]
      },
      "ipv6CidrBlockAssociationSet": {},
      "dhcpOptionsId": "dopt-0491e761",
      "instanceTenancy": "default",
      "tagSet": {
        "items": [
          {
            "key": "Name",
            "value": "test-vpc"
          }
        ]
      },
      "isDefault": false
    }
  },
  "requestID": "a57e199b-d75e-4882-849a-e6a6facbd9d4",
  "eventID": "fc0ff41b-948d-4e58-8367-a004df3b98f6",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
```
AWS Config
```json
{
  "version": "1.3",
  "accountId": "111122223333",
  "configurationItemCaptureTime": "2022-09-20T06:20:42.661Z",
  "configurationItemStatus": "ResourceDiscovered",
  "configurationStateId": "1663654842661",
  "configurationItemMD5Hash": "",
  "arn": "arn:aws:ec2:ap-northeast-1:111122223333:vpc/vpc-0a2375b90a4ec629e",
  "resourceType": "AWS::EC2::VPC",
  "resourceId": "vpc-0a2375b90a4ec629e",
  "awsRegion": "ap-northeast-1",
  "availabilityZone": "Multiple Availability Zones",
  "tags": {
    "Name": "test-vpc"
  },
  "relatedEvents": [],
  "relationships": [
    {
      "resourceType": "AWS::EC2::NetworkAcl",
      "resourceId": "acl-0f472e70b2bb21dbf",
      "relationshipName": "Contains NetworkAcl"
    },
    {
      "resourceType": "AWS::EC2::SecurityGroup",
      "resourceId": "sg-0bd7960876c6dac61",
      "relationshipName": "Contains SecurityGroup"
    },
    {
      "resourceType": "AWS::EC2::RouteTable",
      "resourceId": "rtb-036527a273f228e71",
      "relationshipName": "Contains RouteTable"
    }
  ],
  "configuration": {
    "cidrBlock": "10.0.0.0/24",
    "dhcpOptionsId": "dopt-0491e761",
    "state": "available",
    "vpcId": "vpc-0a2375b90a4ec629e",
    "ownerId": "111122223333",
    "instanceTenancy": "default",
    "ipv6CidrBlockAssociationSet": [],
    "cidrBlockAssociationSet": [
      {
        "associationId": "vpc-cidr-assoc-0ed021c785e97b15c",
        "cidrBlock": "10.0.0.0/24",
        "cidrBlockState": {
          "state": "associated"
        }
      }
    ],
    "isDefault": false,
    "tags": [
      {
        "key": "Name",
        "value": "test-vpc"
      }
    ]
  },
  "supplementaryConfiguration": {},
  "resourceTransitionStatus": "None"
}
```
VPC configuration change logs
Logs from adding an IPv6 CIDR to the VPC from the management console. Note that the CloudTrail `AssociateVpcCidrBlock` response only shows the association in the `associating` state and does not contain the address block; the IPv6 CIDR that was actually allocated (`2406:da14:87e:5100::/56`) appears only in the Config configuration item captured about two minutes later.
AWS CloudTrail
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAWLQZGIQFTRCEG2FVP",
    "arn": "arn:aws:iam::111122223333:user/test-user",
    "accountId": "111122223333",
    "accessKeyId": "ASIAWLQZGIQF5VQZQAFC",
    "userName": "test-user",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-20T06:18:22Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2022-09-20T07:17:30Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AssociateVpcCidrBlock",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "AssociateVpcCidrBlockRequest": {
      "VpcId": "vpc-0a2375b90a4ec629e",
      "Ipv6CidrBlockNetworkBorderGroup": "ap-northeast-1",
      "AmazonProvidedIpv6CidrBlock": true
    }
  },
  "responseElements": {
    "AssociateVpcCidrBlockResponse": {
      "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/",
      "requestId": "d0919644-d85c-4595-b1ba-281b16395a77",
      "vpcId": "vpc-0a2375b90a4ec629e",
      "ipv6CidrBlockAssociation": {
        "networkBorderGroup": "ap-northeast-1",
        "ipv6Pool": "Amazon",
        "ipv6CidrBlockState": {
          "state": "associating"
        },
        "associationId": "vpc-cidr-assoc-006f0fa33579f750d"
      }
    }
  },
  "requestID": "d0919644-d85c-4595-b1ba-281b16395a77",
  "eventID": "bf1f23d6-06fd-4fd6-9b9b-e85c166e8e0e",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
```
AWS Config
```json
{
  "version": "1.3",
  "accountId": "111122223333",
  "configurationItemCaptureTime": "2022-09-20T07:19:21.941Z",
  "configurationItemStatus": "OK",
  "configurationStateId": "1663658361941",
  "configurationItemMD5Hash": "",
  "arn": "arn:aws:ec2:ap-northeast-1:111122223333:vpc/vpc-0a2375b90a4ec629e",
  "resourceType": "AWS::EC2::VPC",
  "resourceId": "vpc-0a2375b90a4ec629e",
  "awsRegion": "ap-northeast-1",
  "availabilityZone": "Multiple Availability Zones",
  "tags": {
    "Name": "test-vpc"
  },
  "relatedEvents": [],
  "relationships": [
    {
      "resourceType": "AWS::EC2::NetworkAcl",
      "resourceId": "acl-0f472e70b2bb21dbf",
      "relationshipName": "Contains NetworkAcl"
    },
    {
      "resourceType": "AWS::EC2::RouteTable",
      "resourceId": "rtb-036527a273f228e71",
      "relationshipName": "Contains RouteTable"
    },
    {
      "resourceType": "AWS::EC2::SecurityGroup",
      "resourceId": "sg-0bd7960876c6dac61",
      "relationshipName": "Contains SecurityGroup"
    }
  ],
  "configuration": {
    "cidrBlock": "10.0.0.0/24",
    "dhcpOptionsId": "dopt-0491e761",
    "state": "available",
    "vpcId": "vpc-0a2375b90a4ec629e",
    "ownerId": "111122223333",
    "instanceTenancy": "default",
    "ipv6CidrBlockAssociationSet": [
      {
        "associationId": "vpc-cidr-assoc-006f0fa33579f750d",
        "ipv6CidrBlock": "2406:da14:87e:5100::/56",
        "ipv6CidrBlockState": {
          "state": "associated"
        },
        "networkBorderGroup": "ap-northeast-1",
        "ipv6Pool": "Amazon"
      }
    ],
    "cidrBlockAssociationSet": [
      {
        "associationId": "vpc-cidr-assoc-0ed021c785e97b15c",
        "cidrBlock": "10.0.0.0/24",
        "cidrBlockState": {
          "state": "associated"
        }
      }
    ],
    "isDefault": false,
    "tags": [
      {
        "key": "Name",
        "value": "test-vpc"
      }
    ]
  },
  "supplementaryConfiguration": {}
}
```
VPC deletion logs
Logs from deleting the VPC from the management console. The CloudTrail `DeleteVpc` event carries nothing but the VPC ID, and the Config item records `configurationItemStatus: "ResourceDeleted"` with `configuration: null` and an empty `relationships` list. To see what the VPC looked like at the moment it was deleted, you have to go back to the previous configuration item for the same `resourceId`.
AWS CloudTrail
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAWLQZGIQFTRCEG2FVP",
    "arn": "arn:aws:iam::111122223333:user/test-user",
    "accountId": "111122223333",
    "accessKeyId": "ASIAWLQZGIQF5VQZQAFC",
    "userName": "test-user",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-20T06:18:22Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2022-09-20T07:46:07Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVpc",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "vpcId": "vpc-0a2375b90a4ec629e"
  },
  "responseElements": {
    "requestId": "e7ca6bbb-1d14-4034-b4b6-9af0e11deffc",
    "_return": true
  },
  "requestID": "e7ca6bbb-1d14-4034-b4b6-9af0e11deffc",
  "eventID": "a600cede-299e-45ae-b0d5-77c24ee69438",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
```
AWS Config
```json
{
  "version": "1.3",
  "accountId": "111122223333",
  "configurationItemCaptureTime": "2022-09-20T07:48:04.718Z",
  "configurationItemStatus": "ResourceDeleted",
  "configurationStateId": "1663660084718",
  "configurationItemMD5Hash": "",
  "arn": "arn:aws:ec2:ap-northeast-1:111122223333:vpc/vpc-0a2375b90a4ec629e",
  "resourceType": "AWS::EC2::VPC",
  "resourceId": "vpc-0a2375b90a4ec629e",
  "awsRegion": "ap-northeast-1",
  "tags": {},
  "relatedEvents": [],
  "relationships": [],
  "configuration": null,
  "supplementaryConfiguration": {},
  "resourceTransitionStatus": "None"
}
```
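The three pairs of logs above make the division of labour concrete: CloudTrail says who called which API and when, Config says what state the resource ended up in. The script below is an added example, not part of the original post, that joins the two on the resource ID so every Config state change is annotated with the CloudTrail call and caller behind it. The sample data are trimmed copies of the post's logs, constructed inline so the script runs offline; the ten-minute correlation window and all function names are my own assumptions.

```python
# Added example (not from the original post): join the three CloudTrail events
# and the three Config configuration items shown above by resource ID, so each
# recorded state change is annotated with the API call and caller behind it.
import json
from datetime import datetime, timedelta

# Constructed sample data: trimmed copies of the post's sample logs.
_IDENTITY = {"type": "IAMUser", "userName": "test-user",
             "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}
VPC = "vpc-0a2375b90a4ec629e"
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2022-09-20T06:18:58Z", "eventName": "CreateVpc", "userIdentity": _IDENTITY,
     "requestParameters": {"cidrBlock": "10.0.0.0/24"},
     "responseElements": {"vpc": {"vpcId": VPC, "state": "pending"}}},
    {"eventTime": "2022-09-20T07:17:30Z", "eventName": "AssociateVpcCidrBlock", "userIdentity": _IDENTITY,
     "requestParameters": {"AssociateVpcCidrBlockRequest": {"VpcId": VPC, "AmazonProvidedIpv6CidrBlock": True}},
     "responseElements": {"AssociateVpcCidrBlockResponse": {"vpcId": VPC,
         "ipv6CidrBlockAssociation": {"ipv6CidrBlockState": {"state": "associating"}}}}},
    {"eventTime": "2022-09-20T07:46:07Z", "eventName": "DeleteVpc", "userIdentity": _IDENTITY,
     "requestParameters": {"vpcId": VPC}, "responseElements": {"_return": True}},
]
CONFIG_ITEMS = [
    {"configurationItemCaptureTime": "2022-09-20T06:20:42.661Z", "configurationItemStatus": "ResourceDiscovered",
     "resourceType": "AWS::EC2::VPC", "resourceId": VPC,
     "configuration": {"cidrBlock": "10.0.0.0/24", "dhcpOptionsId": "dopt-0491e761",
                       "state": "available", "ipv6CidrBlockAssociationSet": []}},
    {"configurationItemCaptureTime": "2022-09-20T07:19:21.941Z", "configurationItemStatus": "OK",
     "resourceType": "AWS::EC2::VPC", "resourceId": VPC,
     "configuration": {"cidrBlock": "10.0.0.0/24", "dhcpOptionsId": "dopt-0491e761", "state": "available",
                       "ipv6CidrBlockAssociationSet": [{"ipv6CidrBlock": "2406:da14:87e:5100::/56"}]}},
    {"configurationItemCaptureTime": "2022-09-20T07:48:04.718Z", "configurationItemStatus": "ResourceDeleted",
     "resourceType": "AWS::EC2::VPC", "resourceId": VPC, "configuration": None},
]


def parse_time(value):
    """Both services emit UTC timestamps with a 'Z' suffix; Config adds milliseconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_resource_ids(node, keys=("vpcId", "VpcId")):
    """Collect VPC IDs anywhere in a CloudTrail event. The ID moves around: CreateVpc
    returns it in responseElements, the other two calls take it in requestParameters."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in keys and isinstance(value, str):
                found.add(value)
            else:
                found |= find_resource_ids(value, keys)
    elif isinstance(node, list):
        for value in node:
            found |= find_resource_ids(value, keys)
    return found


def diff_configuration(old, new):
    """Top-level keys of Config's 'configuration' block whose value changed between two
    items. A deleted resource has configuration == null, so every key shows as removed."""
    old, new = old or {}, new or {}
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def build_timeline(events, items, window=timedelta(minutes=10)):
    """For each Config item (oldest first) attach the latest CloudTrail event on the same
    resource within `window` before capture. Config records the *result* a few minutes
    after the call, so the join is resource ID plus a time window (an assumed value)."""
    timeline, previous = [], None
    for ci in sorted(items, key=lambda c: c["configurationItemCaptureTime"]):
        captured = parse_time(ci["configurationItemCaptureTime"])
        candidates = [ev for ev in events if ci["resourceId"] in find_resource_ids(ev)
                      and captured - window <= parse_time(ev["eventTime"]) <= captured]
        cause = max(candidates, key=lambda ev: ev["eventTime"], default=None)
        identity = cause["userIdentity"] if cause else {}
        timeline.append({
            "captured": ci["configurationItemCaptureTime"],
            "status": ci["configurationItemStatus"],
            "changed": diff_configuration(previous, ci["configuration"]),  # what (Config)
            "api": cause["eventName"] if cause else None,                 # how (CloudTrail)
            "actor": identity.get("userName"),                            # who (CloudTrail)
            "mfa": identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true",
        })
        previous = ci["configuration"]
    return timeline


if __name__ == "__main__":
    for entry in build_timeline(CLOUDTRAIL_EVENTS, CONFIG_ITEMS):
        print(json.dumps(entry))
```

Run as-is it prints one line per configuration item: the creation is attributed to `CreateVpc`, the second item's only changed key is `ipv6CidrBlockAssociationSet` (the CIDR that CloudTrail never showed), and the deletion is attributed to `DeleteVpc` with every configuration key reported as removed. On real data the same join runs over CloudTrail Lake or Athena output and the Config history from `get-resource-config-history`; the window needs to be wide enough for Config's delivery delay.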
Supplementary material for "Custom rules using AWS CloudFormation Guard"
This is the unit test sample introduced in the materials. It is an example in which the test expectation is FAIL but the rule actually evaluates to PASS (the input's `dhcpOptionsId` is exactly the value the rule demands), so `cfn-guard test` reports the test case as failed because expected and evaluated results differ. Because a Guard-backed Config custom rule is evaluated against the configuration item JSON, the test input is a configuration item and the rule addresses the field as `configuration.dhcpOptionsId`.
```
rule vpc_dhcp_option_check {
  configuration.dhcpOptionsId == "dopt-0024732f85497bcd2"
}
```
```yaml
---
- name: MyTest
  input:
    version: '1.3'
    accountId: '111122223333'
    configurationItemCaptureTime: '2022-09-20T06:20:42.661Z'
    configurationItemStatus: ResourceDiscovered
    configurationStateId: '1663654842661'
    configurationItemMD5Hash: ''
    arn: 'arn:aws:ec2:ap-northeast-1:111122223333:vpc/vpc-0a2375b90a4ec629e'
    resourceType: 'AWS::EC2::VPC'
    resourceId: vpc-0a2375b90a4ec629e
    awsRegion: ap-northeast-1
    availabilityZone: 'Multiple Availability Zones'
    tags:
      Name: test-vpc
    relatedEvents: { }
    relationships:
      - resourceType: 'AWS::EC2::NetworkAcl'
        resourceId: acl-0f472e70b2bb21dbf
        relationshipName: 'Contains NetworkAcl'
      - resourceType: 'AWS::EC2::SecurityGroup'
        resourceId: sg-0bd7960876c6dac61
        relationshipName: 'Contains SecurityGroup'
      - resourceType: 'AWS::EC2::RouteTable'
        resourceId: rtb-036527a273f228e71
        relationshipName: 'Contains RouteTable'
    configuration:
      cidrBlock: 10.0.0.0/24
      dhcpOptionsId: dopt-0024732f85497bcd2
      state: available
      vpcId: vpc-0a2375b90a4ec629e
      ownerId: '111122223333'
      instanceTenancy: default
      ipv6CidrBlockAssociationSet: { }
      cidrBlockAssociationSet:
        - associationId: vpc-cidr-assoc-0ed021c785e97b15c
          cidrBlock: 10.0.0.0/24
          cidrBlockState:
            state: associated
      isDefault: false
      tags:
        - key: Name
          value: test-vpc
    supplementaryConfiguration: { }
    resourceTransitionStatus: None
  expectations:
    rules:
      vpc_dhcp_option_check: FAIL
```
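A test file whose expectations match what the rule actually does is more useful than the mismatching one above, and it does not need the whole configuration item: the rule only reads `configuration.dhcpOptionsId`, so the inputs can be cut down to that path. The following is an added example, not from the original post, with one PASS case and one FAIL case for the post's rule. It assumes the rule is saved as `vpc_dhcp_option_check.guard` and this file as `vpc_dhcp_option_check_tests.yaml`; the second case reuses the real `dopt-0491e761` from the Config logs above as the "wrong" DHCP options set.

```yaml
---
# Added example: two test cases for the post's rule vpc_dhcp_option_check.
# Only the path the rule reads (configuration.dhcpOptionsId) is needed in
# the input; the rest of the configuration item does not affect the result.
- name: dhcp-options-set-matches
  input:
    resourceType: 'AWS::EC2::VPC'
    configuration:
      dhcpOptionsId: dopt-0024732f85497bcd2
  expectations:
    rules:
      vpc_dhcp_option_check: PASS
- name: dhcp-options-set-differs
  input:
    resourceType: 'AWS::EC2::VPC'
    configuration:
      dhcpOptionsId: dopt-0491e761   # the set seen in the Config logs above
  expectations:
    rules:
      vpc_dhcp_option_check: FAIL
```

Run it with `cfn-guard test --rules-file vpc_dhcp_option_check.guard --test-data vpc_dhcp_option_check_tests.yaml`; both cases should report PASS for the test, since each expectation now matches the evaluated result. Keep a FAIL case in every rule's tests: a rule that only has PASS cases can be silently broken into one that passes everything.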
Closing
These were the study session materials covering AWS Config basics and Config custom rules using AWS CloudFormation Guard.
I hope this post is of use to someone.