With a recent update, Lambda Protection became available in AWS GuardDuty. To roll it out right away, I used the AWS CLI to enable Lambda Protection in the following patterns:
- Enable Lambda Protection in all regions of a standalone account
- Enable Lambda Protection in all regions for member accounts
- Enable it in the administrator account
- Enable it for existing member accounts
- Enable it for new member accounts
Enabling all regions in a standalone account
Let's enable Lambda Protection in all regions of a standalone account.
The command that enables an optional protection in AWS GuardDuty is update-detector. The Lambda Protection setting is passed through the features option.
To enable it in every region, run the following:
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Enable Lambda protection in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty update-detector \
--region ${region} \
--detector-id ${detector} \
--features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
done
Example output (collapsed).
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Enable Lambda protection in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty update-detector \
> --region ${region} \
> --detector-id ${detector} \
> --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
> done
### Enable Lambda protection in ap-south-1
### Enable Lambda protection in eu-north-1
### Enable Lambda protection in eu-west-3
### Enable Lambda protection in eu-west-2
### Enable Lambda protection in eu-west-1
### Enable Lambda protection in ap-northeast-3
### Enable Lambda protection in ap-northeast-2
### Enable Lambda protection in ap-northeast-1
### Enable Lambda protection in ca-central-1
### Enable Lambda protection in sa-east-1
### Enable Lambda protection in ap-southeast-1
### Enable Lambda protection in ap-southeast-2
### Enable Lambda protection in eu-central-1
### Enable Lambda protection in us-east-1
### Enable Lambda protection in us-east-2
### Enable Lambda protection in us-west-1
### Enable Lambda protection in us-west-2
The state of an optional protection can be checked with the get-detector command.
The Lambda Protection state in all regions can be checked with the following command:
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Get Lambda protection in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty get-detector \
--region ${region} \
--detector-id ${detector} \
--query "Features[8]"
done
Example output (collapsed). A Status of ENABLED means the protection is on.
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Get Lambda protection in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty get-detector \
> --region ${region} \
> --detector-id ${detector} \
> --query "Features[8]"
> done
### Get Lambda protection in ap-south-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:19+00:00"
}
### Get Lambda protection in eu-north-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:25+00:00"
}
### Get Lambda protection in eu-west-3
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:30+00:00"
}
### Get Lambda protection in eu-west-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:34+00:00"
}
### Get Lambda protection in eu-west-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:40+00:00"
}
### Get Lambda protection in ap-northeast-3
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:43+00:00"
}
### Get Lambda protection in ap-northeast-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:47+00:00"
}
### Get Lambda protection in ap-northeast-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:50+00:00"
}
### Get Lambda protection in ca-central-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:44:55+00:00"
}
### Get Lambda protection in sa-east-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:00+00:00"
}
### Get Lambda protection in ap-southeast-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:05+00:00"
}
### Get Lambda protection in ap-southeast-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:09+00:00"
}
### Get Lambda protection in eu-central-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:14+00:00"
}
### Get Lambda protection in us-east-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:19+00:00"
}
### Get Lambda protection in us-east-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:24+00:00"
}
### Get Lambda protection in us-west-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:28+00:00"
}
### Get Lambda protection in us-west-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T02:45:33+00:00"
}
Enabling all regions for member accounts
Next, let's enable Lambda Protection in an environment where GuardDuty is operated with an administrator account and associated member accounts.
Enabling the administrator account
This is the same as "Enabling all regions in a standalone account" above.
Enabling existing member accounts
Lambda Protection for associated member accounts can be enabled from the administrator account.
The command that enables it for member accounts is update-member-detectors. Pass the accounts you want to enable in account-ids and run it.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Enable member detectors Lambda protection in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty update-member-detectors \
--region ${region} \
--detector-id ${detector} \
--account-ids "111122223333" "444455556666" \
--features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
done
Example output (collapsed). The account IDs in the output have been replaced.
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Enable member detectors Lambda protection in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty update-member-detectors \
> --region ${region} \
> --detector-id ${detector} \
> --account-ids "111122223333" "444455556666" \
> --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
> done
### Enable member detectors Lambda protection in ap-south-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-north-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-3
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-2
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-3
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-2
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ca-central-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in sa-east-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-southeast-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-southeast-2
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-central-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-east-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-east-2
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-west-1
{
"UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-west-2
{
"UnprocessedAccounts": []
}
The state of optional protections for member accounts can be checked with the get-member-detectors command.
The Lambda Protection state of the member accounts in all regions can be checked with the following command:
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Get member detectors Lambda protection in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty get-member-detectors \
--region ${region} \
--detector-id ${detector} \
--account-ids "111122223333" "444455556666" \
--query "MemberDataSourceConfigurations[*].[{AccountId:AccountId},{Features:Features[8]}]"
done
Example output (collapsed). A Status of ENABLED means the protection is on.
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Get member detectors Lambda protection in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty get-member-detectors \
> --region ${region} \
> --detector-id ${detector} \
> --account-ids "111122223333" "444455556666" \
> --query "MemberDataSourceConfigurations[*].[{AccountId:AccountId},{Features:Features[8]}]"
> done
### Get member detectors Lambda protection in ap-south-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:13:52+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:13:52+00:00"
}
}
]
]
### Get member detectors Lambda protection in eu-north-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:13:57+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:13:57+00:00"
}
}
]
]
### Get member detectors Lambda protection in eu-west-3
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:03+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:03+00:00"
}
}
]
]
### Get member detectors Lambda protection in eu-west-2
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:08+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:08+00:00"
}
}
]
]
### Get member detectors Lambda protection in eu-west-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:13+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:13+00:00"
}
}
]
]
### Get member detectors Lambda protection in ap-northeast-3
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:16+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:16+00:00"
}
}
]
]
### Get member detectors Lambda protection in ap-northeast-2
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:20+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:20+00:00"
}
}
]
]
### Get member detectors Lambda protection in ap-northeast-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:23+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:23+00:00"
}
}
]
]
### Get member detectors Lambda protection in ca-central-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:28+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:28+00:00"
}
}
]
]
### Get member detectors Lambda protection in sa-east-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:33+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:33+00:00"
}
}
]
]
### Get member detectors Lambda protection in ap-southeast-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:38+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:38+00:00"
}
}
]
]
### Get member detectors Lambda protection in ap-southeast-2
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:42+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:42+00:00"
}
}
]
]
### Get member detectors Lambda protection in eu-central-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:47+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:47+00:00"
}
}
]
]
### Get member detectors Lambda protection in us-east-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:52+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:52+00:00"
}
}
]
]
### Get member detectors Lambda protection in us-east-2
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:56+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:14:56+00:00"
}
}
]
]
### Get member detectors Lambda protection in us-west-1
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:15:06+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:15:06+00:00"
}
}
]
]
### Get member detectors Lambda protection in us-west-2
[
[
{
"AccountId": "111122223333"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:15:14+00:00"
}
}
],
[
{
"AccountId": "444455556666"
},
{
"Features": {
"Name": "LAMBDA_NETWORK_LOGS",
"Status": "ENABLED",
"UpdatedAt": "2023-04-24T04:15:14+00:00"
}
}
]
]
Auto-enabling for new member accounts
As a precondition, the state before adding this setting is assumed to be the one shown in the image below. Starting from that state, we additionally turn on auto-enable for Lambda Protection.
Auto-enable for member accounts is configured with the update-organization-configuration command. The features option updates the settings of the optional services.
The command that configures auto-enable in all regions at once is shown below. The auto-enable-organization-members option takes ALL or NEW and should match the current setting. In this case, GuardDuty auto-enable is configured for new accounts added to the organization only, so NEW is specified.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Update Lambda protection configuration in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty update-organization-configuration \
--region ${region} \
--detector-id ${detector} \
--auto-enable-organization-members "NEW" \
--features Name="LAMBDA_NETWORK_LOGS",AutoEnable="NEW"
done
Example output (collapsed).
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Update Lambda protection configuration in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty update-organization-configuration \
> --region ${region} \
> --detector-id ${detector} \
> --auto-enable-organization-members "NEW" \
> --features Name="LAMBDA_NETWORK_LOGS",AutoEnable="NEW"
> done
### Update Lambda protection configuration in ap-south-1
### Update Lambda protection configuration in eu-north-1
### Update Lambda protection configuration in eu-west-3
### Update Lambda protection configuration in eu-west-2
### Update Lambda protection configuration in eu-west-1
### Update Lambda protection configuration in ap-northeast-3
### Update Lambda protection configuration in ap-northeast-2
### Update Lambda protection configuration in ap-northeast-1
### Update Lambda protection configuration in ca-central-1
### Update Lambda protection configuration in sa-east-1
### Update Lambda protection configuration in ap-southeast-1
### Update Lambda protection configuration in ap-southeast-2
### Update Lambda protection configuration in eu-central-1
### Update Lambda protection configuration in us-east-1
### Update Lambda protection configuration in us-east-2
### Update Lambda protection configuration in us-west-1
### Update Lambda protection configuration in us-west-2
The command that checks the auto-enable setting is describe-organization-configuration.
The command that checks all regions at once is shown below. The query option narrows down the output.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Describe Lambda protection configuration in ${region}"
detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
aws guardduty describe-organization-configuration \
--region ${region} \
--detector-id ${detector} \
--query "Features[5]"
done
Example output (collapsed). An AutoEnable value of NEW indicates that auto-enable is on.
Output
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Describe Lambda protection configuration in ${region}"
> detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
> aws guardduty describe-organization-configuration \
> --region ${region} \
> --detector-id ${detector} \
> --query "Features[5]"
> done
### Describe Lambda protection configuration in ap-south-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-north-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-3
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-3
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ca-central-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in sa-east-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-southeast-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-southeast-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-central-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-east-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-east-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-west-1
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-west-2
{
"Name": "LAMBDA_NETWORK_LOGS",
"AutoEnable": "NEW"
}
Finally, here is the management console screen for a single region after the configuration. Lambda Protection is shown as enabled.
Closing
Since Lambda Protection was added as a new optional feature of AWS GuardDuty, I tried configuring it to be auto-enabled in all regions. For the member account step, it may be possible to streamline things further, for example by also retrieving the IDs of the associated member accounts with the AWS CLI.
I hope this post is useful to someone.
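The get-detector, get-member-detectors and describe-organization-configuration checks above all select the feature by position (Features[8], Features[5]), which silently breaks when the feature list is ordered differently or gains entries. The following is an added example, not code from the original post: it takes response dicts of the same shape as the CLI output shown above (boto3 returns the same structures), looks the feature up by Name, and reports regions, member accounts and UnprocessedAccounts that still lack Lambda Protection. All sample responses are constructed; the region names and account IDs are placeholders.

```python
"""Audit GuardDuty Lambda Protection state by feature Name, not list index."""

FEATURE = "LAMBDA_NETWORK_LOGS"


def find_feature(features, name=FEATURE):
    """Return the entry whose Name matches, or None if the feature is absent."""
    return next((f for f in features if f.get("Name") == name), None)


def detector_enabled(get_detector_response):
    """True only when the feature exists in a get-detector response and is ENABLED."""
    feat = find_feature(get_detector_response.get("Features", []))
    return feat is not None and feat.get("Status") == "ENABLED"


def regions_not_enabled(get_detector_by_region):
    """Sorted region names whose detector lacks an ENABLED Lambda Protection."""
    return sorted(r for r, resp in get_detector_by_region.items()
                  if not detector_enabled(resp))


def members_not_enabled(get_member_detectors_response):
    """Member account IDs whose Lambda Protection is missing or not ENABLED."""
    gaps = []
    for m in get_member_detectors_response.get("MemberDataSourceConfigurations", []):
        feat = find_feature(m.get("Features", []))
        if feat is None or feat.get("Status") != "ENABLED":
            gaps.append(m["AccountId"])
    return gaps


def unprocessed_accounts(update_member_detectors_response):
    """Accounts an update-member-detectors call did not apply to (non-empty = gap)."""
    return [u["AccountId"] for u in
            update_member_detectors_response.get("UnprocessedAccounts", [])]


def auto_enable_mode(describe_org_response):
    """AutoEnable value for the feature (NEW, ALL or NONE), or None if absent."""
    feat = find_feature(describe_org_response.get("Features", []))
    return None if feat is None else feat.get("AutoEnable")


# Constructed sample responses (placeholder regions and account IDs).
# Feature order differs per region on purpose: a fixed index would misreport.
SAMPLE_GET_DETECTOR = {
    "ap-northeast-1": {"Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
                                    {"Name": FEATURE, "Status": "ENABLED"}]},
    "us-east-1": {"Features": [{"Name": FEATURE, "Status": "DISABLED"},
                               {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]},
    "eu-west-1": {"Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]},
}
SAMPLE_MEMBERS = {"MemberDataSourceConfigurations": [
    {"AccountId": "111122223333", "Features": [{"Name": FEATURE, "Status": "ENABLED"}]},
    {"AccountId": "444455556666", "Features": [{"Name": FEATURE, "Status": "DISABLED"}]},
]}
SAMPLE_UPDATE = {"UnprocessedAccounts": [
    {"AccountId": "444455556666", "Result": "constructed failure reason"}]}
SAMPLE_ORG = {"Features": [{"Name": FEATURE, "AutoEnable": "NEW"}]}

if __name__ == "__main__":
    print("regions without Lambda Protection:", regions_not_enabled(SAMPLE_GET_DETECTOR))
    print("members not enabled:", members_not_enabled(SAMPLE_MEMBERS))
    print("unprocessed on update:", unprocessed_accounts(SAMPLE_UPDATE))
    print("organization auto-enable:", auto_enable_mode(SAMPLE_ORG))
```

On the CLI itself the same name-based selection is the JMESPath filter `--query "Features[?Name=='LAMBDA_NETWORK_LOGS']"` in place of `Features[8]`.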