Cloud Security Posture

🔥 Vibe Prompt

"Set up AWS Security Hub, Config rules, and custom posture management."

AWS Security Hub

resource "aws_securityhub_account" "main" {}

# Standards can only be subscribed once the account is enabled, so each
# subscription must depend on the account resource explicitly.
resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.main]
}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/pci-dss/v/3.2.1"
  depends_on    = [aws_securityhub_account.main]
}

AWS Config Rules

resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ec2-ebs-encryption-enabled"
  
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

resource "aws_config_config_rule" "mfa_enabled" {
  name = "iam-user-mfa-enabled"
  
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}

Custom Config Rule (Lambda)

import json

import boto3


def lambda_handler(event, context):
    config = boto3.client('config')

    # AWS Config passes the configuration item as a JSON string inside the event
    invoking_event = json.loads(event['invokingEvent'])
    config_item = invoking_event['configurationItem']

    resource_type = config_item['resourceType']
    resource_id = config_item['resourceId']
    configuration = config_item.get('configuration') or {}
    # OrderingTimestamp is required by put_evaluations; use the capture time of this item
    ordering_timestamp = config_item['configurationItemCaptureTime']

    # Check: Security group should not allow SSH from 0.0.0.0/0
    if resource_type == 'AWS::EC2::SecurityGroup':
        for permission in configuration.get('ipPermissions', []):
            if permission.get('fromPort') == 22:
                # named ip_range rather than range so the builtin is not shadowed
                for ip_range in permission.get('ipRanges', []):
                    if ip_range.get('cidrIp') == '0.0.0.0/0':
                        # Non-compliant: report once and stop evaluating
                        config.put_evaluations(
                            Evaluations=[{
                                'ComplianceResourceType': resource_type,
                                'ComplianceResourceId': resource_id,
                                'ComplianceType': 'NON_COMPLIANT',
                                'Annotation': 'SSH open to world (0.0.0.0/0)',
                                'OrderingTimestamp': ordering_timestamp
                            }],
                            ResultToken=event['resultToken']
                        )
                        return

    # Default: compliant
    config.put_evaluations(
        Evaluations=[{
            'ComplianceResourceType': resource_type,
            'ComplianceResourceId': resource_id,
            'ComplianceType': 'COMPLIANT',
            'OrderingTimestamp': ordering_timestamp
        }],
        ResultToken=event['resultToken']
    )

Security Posture Dashboard

┌─────────────────────────────────────────────┐
│  Security Hub - Overall Score: 78% (GOOD)   │
├─────────────────────────────────────────────┤
│  CIS Benchmark: 12/18 passed (66%)          │
│  ├── [✅] 1.1 - IAM root user MFA          │
│  ├── [✅] 1.3 - Unused IAM credentials      │
│  ├── [❌] 1.4 - IAM user policy attachment  │
│  └── [❌] 2.1 - S3 public access           │
├─────────────────────────────────────────────┤
│  Top Failures:                              │
│  1. S3 bucket public access (5 buckets)     │
│  2. Security group overly permissive (3 SGs)│
│  3. EBS volumes unencrypted (2 volumes)     │
└─────────────────────────────────────────────┘

Automated Remediation

import boto3

s3 = boto3.client('s3')
ec2 = boto3.client('ec2')


def remediate_non_compliant(event):
    """Remediate a single NON_COMPLIANT finding.

    `event` is expected to carry the Config rule name and the offending resource id
    (for example the `detail` of a Config compliance-change EventBridge event).
    The substring matching below must agree with the actual Config rule names.
    """
    rule_name = event['configRuleName']
    resource_id = event['resourceId']

    if "S3_PUBLIC" in rule_name:
        # put_public_access_block takes a PublicAccessBlockConfiguration dict;
        # all four flags are needed to fully block public access to the bucket
        s3.put_public_access_block(
            Bucket=resource_id,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True
            }
        )
    elif "SSH_OPEN" in rule_name:
        # revoke only succeeds when the permission matches the existing rule exactly
        ec2.revoke_security_group_ingress(
            GroupId=resource_id,
            IpPermissions=[{
                'IpProtocol': 'tcp',
                'FromPort': 22,
                'ToPort': 22,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
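The custom rule above only catches a rule whose fromPort is exactly 22, and the remediation above only revokes a tcp/22 entry, so a 0-65535 range or an all-traffic (-1) rule open to the world slips past both. The following added example (not the course's own code) factors the check out of the Lambda handler so it can be unit-tested offline, covers port ranges and IPv6 ::/0, and builds the exact IpPermissions that revoke_security_group_ingress needs to remove only the offending CIDRs; the input shape is the AWS Config ConfigurationItem for a security group and the sample item is constructed.

```python
# Added example, not the course's own code. Keys follow the AWS::EC2::SecurityGroup
# ConfigurationItem (camelCase); SAMPLE_ITEM below is constructed test data.
SSH_PORT, WORLD_V4, WORLD_V6 = 22, "0.0.0.0/0", "::/0"

def _covers_ssh(perm):
    # "-1" means all protocols and ports; otherwise only TCP ranges that include port 22
    proto = perm.get("ipProtocol")
    return proto == "-1" or (proto == "tcp" and perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535))

def find_world_ssh(configuration):
    """Ingress entries exposing SSH to 0.0.0.0/0 or ::/0 (a bare fromPort == 22 test misses ranges)."""
    hits = []
    for perm in configuration.get("ipPermissions", []):
        v4 = any(r.get("cidrIp") == WORLD_V4 for r in perm.get("ipRanges", []))
        v6 = any(r.get("cidrIpv6") == WORLD_V6 for r in perm.get("ipv6Ranges", []))
        if _covers_ssh(perm) and (v4 or v6):
            hits.append((perm, v4, v6))
    return hits

def evaluate(config_item):
    """(ComplianceType, Annotation) pair for put_evaluations; NOT_APPLICABLE for other resource types."""
    if config_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    hits = find_world_ssh(config_item.get("configuration") or {})
    if not hits:
        return "COMPLIANT", "no world-reachable SSH ingress"
    return "NON_COMPLIANT", f"{len(hits)} ingress rule(s) expose SSH to the world"

def revoke_permissions(hits):
    """IpPermissions for ec2.revoke_security_group_ingress: protocol/ports must match the existing rule exactly."""
    perms = []
    for perm, v4, v6 in hits:
        entry = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":  # all-traffic rules carry no port range
            entry.update(FromPort=perm["fromPort"], ToPort=perm["toPort"])
        if v4:
            entry["IpRanges"] = [{"CidrIp": WORLD_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": WORLD_V6}]
        perms.append(entry)  # only the world CIDRs are listed, other sources stay
    return perms

SAMPLE_ITEM = {  # constructed: one private rule, one port range covering 22, one all-traffic IPv6 rule
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
    ]},
}
```

In the Lambda, `evaluate(config_item)` supplies the ComplianceType and Annotation for put_evaluations, and `revoke_permissions(find_world_ssh(...))` is what the remediation step should pass as IpPermissions instead of a hard-coded tcp/22 entry.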

Cloud Security Course Complete! 🎉

  • ✅ Shared Responsibility
  • ✅ CloudTrail & GuardDuty
  • ✅ Secrets & KMS
  • ✅ Container Security
  • ✅ Posture Management


Why learn cloud security posture management?

Cloud security posture management is one of the core chapters of the security-cloud-security course.

In the real world

Cloud security posture management is not textbook theory; it shows up frequently in real software development. Whether you are freelancing, preparing for interviews, or looking to deepen your technical skills, understanding this topic will benefit you directly.

What you will get from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every code snippet is complete and can be executed directly
  • 🔍 Debugging tips: analysis of common mistakes and their solutions
  • 🚀 Next steps: where to go deeper after finishing this chapter

Bridging to the next chapter

This chapter has built a complete knowledge foundation for cloud security posture management. The next chapter builds on it and takes you into more advanced real-world scenarios, where you will learn to apply what you learned here to more complex problems.

Unlock the full tutorial content

This chapter is paid content. Join the project to unlock over 5,000 words of in-depth analysis, including more than 10 top-tier prompts and real source code examples!