Cloud Security Posture
🔥 Vibe Prompt
"Set up AWS Security Hub, Config rules, and custom posture management."
AWS Security Hub
```hcl
# Security Hub only produces findings once AWS Config recording is enabled in
# the account, so enable the recorder before (or alongside) this resource.
resource "aws_securityhub_account" "main" {}

# The region in a standards ARN must match the provider's region; v1.4.0 of the
# CIS benchmark uses the regional "standards/" ARN form shown here.
resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.main]
}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/pci-dss/v/3.2.1"
  depends_on    = [aws_securityhub_account.main]
}
```
AWS Config Rules
```hcl
# Managed rules evaluate nothing until a configuration recorder and delivery
# channel exist in the account; create those first and add a depends_on here.
resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ec2-ebs-encryption-enabled"
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

# Periodic rule: evaluated on a schedule rather than on configuration changes.
resource "aws_config_config_rule" "mfa_enabled" {
  name = "iam-user-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}
```
Custom Config Rule (Lambda)
```python
import json
import boto3

config = boto3.client('config')


def lambda_handler(event, context):
    # AWS Config passes invokingEvent as a JSON string. The rule must be scoped
    # to AWS::EC2::SecurityGroup, and the function's role needs
    # config:PutEvaluations plus an invoke permission for config.amazonaws.com.
    invoking_event = json.loads(event['invokingEvent'])
    config_item = invoking_event['configurationItem']
    resource_type = config_item['resourceType']
    resource_id = config_item['resourceId']
    configuration = config_item.get('configuration') or {}

    compliance = 'COMPLIANT'
    annotation = None

    if config_item.get('configurationItemStatus') in ('ResourceDeleted', 'ResourceDeletedNotRecorded'):
        # A deleted group must not be reported as compliant or non-compliant.
        compliance = 'NOT_APPLICABLE'
    elif resource_type == 'AWS::EC2::SecurityGroup':
        # Check: security group should not allow SSH from 0.0.0.0/0.
        for permission in configuration.get('ipPermissions', []):
            # ipProtocol "-1" (all traffic) carries no port fields, and a tcp
            # rule exposes 22 whenever its range covers it, not only when
            # fromPort is exactly 22 (a 0-65535 rule would otherwise pass).
            proto = permission.get('ipProtocol')
            covers_ssh = proto == '-1' or (
                proto in ('tcp', '6')
                and permission.get('fromPort', 0) <= 22 <= permission.get('toPort', 65535)
            )
            if not covers_ssh:
                continue
            for ip_range in permission.get('ipRanges', []):
                if ip_range.get('cidrIp') == '0.0.0.0/0':
                    compliance = 'NON_COMPLIANT'
                    annotation = 'SSH open to world (0.0.0.0/0)'
                    break
            if compliance == 'NON_COMPLIANT':
                break

    evaluation = {
        'ComplianceResourceType': resource_type,
        'ComplianceResourceId': resource_id,
        'ComplianceType': compliance,
        # Required by PutEvaluations; use the item's own capture time.
        'OrderingTimestamp': config_item['configurationItemCaptureTime'],
    }
    if annotation:
        evaluation['Annotation'] = annotation

    config.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken'],
    )
```
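The policy half of a custom rule is easiest to get right when it is separated from the `put_evaluations` call and exercised against configuration items offline. The following is an added example, not code from the original page: `evaluate_security_group` generalizes the SSH check to a set of sensitive ports (SSH and RDP here, an assumption), treats protocol `-1` as every port, flags a range that merely includes the port, and also catches IPv6 `::/0`; `evaluation_for` produces the exact dict the Lambda would submit. The configuration items are constructed to mimic the shape AWS Config delivers for `AWS::EC2::SecurityGroup`.

```python
"""Policy half of a custom AWS Config rule for security groups (added example)."""

WORLD_V4 = '0.0.0.0/0'
WORLD_V6 = '::/0'

# Ports that must never be reachable from the whole internet (assumption: SSH and RDP).
SENSITIVE_PORTS = {22: 'SSH', 3389: 'RDP'}


def _open_to_world(permission):
    """Return the world CIDRs (v4 and/or v6) present in one ipPermissions entry."""
    found = [r['cidrIp'] for r in permission.get('ipRanges', []) if r.get('cidrIp') == WORLD_V4]
    found += [r['cidrIpv6'] for r in permission.get('ipv6Ranges', []) if r.get('cidrIpv6') == WORLD_V6]
    return found


def _ports_covered(permission, ports):
    """Which of `ports` does this entry reach? '-1' is all traffic; tcp uses its range."""
    proto = permission.get('ipProtocol')
    if proto == '-1':
        return set(ports)
    if proto not in ('tcp', '6'):
        return set()
    lo = permission.get('fromPort', 0)
    hi = permission.get('toPort', 65535)
    return {p for p in ports if lo <= p <= hi}


def evaluate_security_group(configuration, sensitive_ports=SENSITIVE_PORTS):
    """Return (compliance_type, annotation) for one security group configuration."""
    findings = []
    for permission in configuration.get('ipPermissions', []):
        cidrs = _open_to_world(permission)
        if not cidrs:
            continue
        for port in sorted(_ports_covered(permission, sensitive_ports)):
            findings.append(f"{sensitive_ports[port]} ({port}) open to {', '.join(cidrs)}")
    if findings:
        return 'NON_COMPLIANT', '; '.join(findings)
    return 'COMPLIANT', None


def evaluation_for(config_item, sensitive_ports=SENSITIVE_PORTS):
    """Build the Evaluation dict a Config rule Lambda would pass to put_evaluations."""
    if config_item.get('configurationItemStatus') in ('ResourceDeleted', 'ResourceDeletedNotRecorded'):
        compliance, annotation = 'NOT_APPLICABLE', None   # deleted: never COMPLIANT
    elif config_item['resourceType'] != 'AWS::EC2::SecurityGroup':
        compliance, annotation = 'NOT_APPLICABLE', None
    else:
        compliance, annotation = evaluate_security_group(config_item.get('configuration') or {}, sensitive_ports)
    evaluation = {
        'ComplianceResourceType': config_item['resourceType'],
        'ComplianceResourceId': config_item['resourceId'],
        'ComplianceType': compliance,
        'OrderingTimestamp': config_item['configurationItemCaptureTime'],
    }
    if annotation:
        evaluation['Annotation'] = annotation
    return evaluation


def _item(resource_id, permissions, status='OK'):
    # Constructed configuration item in the shape AWS Config delivers for a security group.
    return {
        'resourceType': 'AWS::EC2::SecurityGroup',
        'resourceId': resource_id,
        'configurationItemStatus': status,
        'configurationItemCaptureTime': '2024-01-01T00:00:00.000Z',
        'configuration': {'groupId': resource_id, 'ipPermissions': permissions},
    }


SAMPLES = {
    # Exact SSH rule from the world: the case a fromPort == 22 check catches.
    'sg-ssh-exact': _item('sg-ssh-exact', [
        {'ipProtocol': 'tcp', 'fromPort': 22, 'toPort': 22, 'ipRanges': [{'cidrIp': WORLD_V4}]}]),
    # Wide range that merely includes 22 and 3389: missed by an exact-port check.
    'sg-wide-range': _item('sg-wide-range', [
        {'ipProtocol': 'tcp', 'fromPort': 0, 'toPort': 65535, 'ipRanges': [{'cidrIp': WORLD_V4}]}]),
    # All traffic from IPv6 anywhere: no fromPort field at all.
    'sg-all-v6': _item('sg-all-v6', [
        {'ipProtocol': '-1', 'ipRanges': [], 'ipv6Ranges': [{'cidrIpv6': WORLD_V6}]}]),
    # SSH restricted to a corporate range (TEST-NET-3): compliant.
    'sg-corp-ssh': _item('sg-corp-ssh', [
        {'ipProtocol': 'tcp', 'fromPort': 22, 'toPort': 22, 'ipRanges': [{'cidrIp': '203.0.113.0/24'}]}]),
    # Deleted group: must be NOT_APPLICABLE, not COMPLIANT.
    'sg-gone': _item('sg-gone', [], status='ResourceDeleted'),
}

if __name__ == '__main__':
    for item in SAMPLES.values():
        ev = evaluation_for(item)
        print(ev['ComplianceResourceId'], ev['ComplianceType'], ev.get('Annotation', ''))
```

Keeping the decision in a pure function means the same code can be unit-tested in CI and reused by the remediation path, while the Lambda handler only does JSON parsing and the `put_evaluations` call.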
Security Posture Dashboard
```text
┌─────────────────────────────────────────────┐
│ Security Hub - Overall Score: 78% (GOOD)    │
├─────────────────────────────────────────────┤
│ CIS Benchmark v1.4.0: 12/18 passed (66%)    │
│ ├── [✅] 1.5 - IAM root user MFA            │
│ ├── [✅] 1.12 - Unused IAM credentials      │
│ ├── [❌] 1.15 - IAM user policy attachment  │
│ └── [❌] 2.1.5 - S3 public access           │
├─────────────────────────────────────────────┤
│ Top Failures:                               │
│ 1. S3 bucket public access (5 buckets)      │
│ 2. Security group overly permissive (3 SGs) │
│ 3. EBS volumes unencrypted (2 volumes)      │
└─────────────────────────────────────────────┘
```
Automated Remediation
Compliance changes reach a remediation function through EventBridge ("Config Rules Compliance Change" events), so match on the Config rule names defined above and act only on the transition to NON_COMPLIANT. For the managed S3 rule, Config's own remediation configuration with the `AWS-DisableS3BucketPublicReadWrite` SSM document is an alternative to custom code.
```python
import boto3

s3 = boto3.client('s3')
ec2 = boto3.client('ec2')


def remediate_non_compliant(event):
    # EventBridge delivers the Config compliance change under event['detail'].
    detail = event['detail']
    if detail['newEvaluationResult']['complianceType'] != 'NON_COMPLIANT':
        return  # the same event type fires on the transition back to COMPLIANT
    rule_name = detail['configRuleName']
    resource_id = detail['resourceId']

    if rule_name == 's3-bucket-public-read-prohibited':
        # The API takes all four settings as one nested configuration object.
        s3.put_public_access_block(
            Bucket=resource_id,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True,
            },
        )
    elif rule_name == 'sg-no-world-ssh':  # name assumed for the custom Lambda rule above
        # revoke only removes a rule whose protocol, ports and CIDR match exactly;
        # a 0-65535 rule is not touched by revoking 22-22, so in practice look up
        # the offending rule with describe_security_groups and revoke that entry.
        ec2.revoke_security_group_ingress(
            GroupId=resource_id,
            IpPermissions=[{
                'IpProtocol': 'tcp',
                'FromPort': 22,
                'ToPort': 22,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
```
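Because `revoke_security_group_ingress` only removes an entry that matches the existing rule exactly, a remediator that hard-codes 22/22 silently fails against the 0-65535 rule that the custom Config rule flags. This added example (not part of the original page) parses a "Config Rules Compliance Change" event, acts only on NON_COMPLIANT results for the security group rule, and derives the exact permissions to revoke from the group's current description, keeping every non-world CIDR and every rule that does not reach a sensitive port. The event, the group description and the rule name `sg-no-world-ssh` are constructed for illustration.

```python
"""Event-driven remediation for world-open security group rules (added example)."""
import json

WORLD_CIDRS_V4 = {'0.0.0.0/0'}
WORLD_CIDRS_V6 = {'::/0'}

# Rule names this remediator acts on (assumption: the custom rule is deployed under this name).
SG_RULE_NAMES = {'sg-no-world-ssh'}
SENSITIVE_PORTS = {22, 3389}


def parse_compliance_event(event):
    """Extract (rule_name, resource_type, resource_id, compliance) from an EventBridge
    'Config Rules Compliance Change' event; returns None for any other event."""
    if event.get('detail-type') != 'Config Rules Compliance Change':
        return None
    detail = event['detail']
    return (
        detail['configRuleName'],
        detail['resourceType'],
        detail['resourceId'],
        detail['newEvaluationResult']['complianceType'],
    )


def _covers_sensitive_port(perm):
    proto = perm.get('IpProtocol')
    if proto == '-1':          # all traffic, no port fields
        return True
    if proto not in ('tcp', '6'):
        return False
    return any(perm.get('FromPort', 0) <= p <= perm.get('ToPort', 65535) for p in SENSITIVE_PORTS)


def world_open_permissions(group):
    """Build the exact IpPermissions entries to revoke from a describe_security_groups
    group dict: only the world CIDRs, with the rule's own protocol and port range."""
    revoke = []
    for perm in group.get('IpPermissions', []):
        if not _covers_sensitive_port(perm):
            continue
        v4 = [r for r in perm.get('IpRanges', []) if r['CidrIp'] in WORLD_CIDRS_V4]
        v6 = [r for r in perm.get('Ipv6Ranges', []) if r['CidrIpv6'] in WORLD_CIDRS_V6]
        if not (v4 or v6):
            continue
        entry = {'IpProtocol': perm['IpProtocol']}
        if 'FromPort' in perm:                 # absent for protocol -1
            entry['FromPort'] = perm['FromPort']
            entry['ToPort'] = perm['ToPort']
        if v4:
            entry['IpRanges'] = [{'CidrIp': r['CidrIp']} for r in v4]
        if v6:
            entry['Ipv6Ranges'] = [{'CidrIpv6': r['CidrIpv6']} for r in v6]
        revoke.append(entry)
    return revoke


def plan_remediation(event, group):
    """Decide what to revoke. `group` is the matching entry from
    ec2.describe_security_groups(GroupIds=[resource_id])['SecurityGroups'][0]."""
    parsed = parse_compliance_event(event)
    if parsed is None:
        return None
    rule_name, resource_type, resource_id, compliance = parsed
    # The transition back to COMPLIANT raises the same event; never act on it.
    if compliance != 'NON_COMPLIANT' or rule_name not in SG_RULE_NAMES:
        return None
    if resource_type != 'AWS::EC2::SecurityGroup' or group.get('GroupId') != resource_id:
        return None
    return {'GroupId': resource_id, 'IpPermissions': world_open_permissions(group)}


def apply_plan(ec2, plan):
    """Perform the revoke; pass boto3.client('ec2') as `ec2` in production."""
    if plan and plan['IpPermissions']:
        ec2.revoke_security_group_ingress(**plan)


# Constructed EventBridge event and describe_security_groups output for a group that
# allows 0-65535/tcp from the world (bad), SSH from a corporate range and 443 from the
# world (both left alone).
SAMPLE_EVENT = {
    'detail-type': 'Config Rules Compliance Change',
    'source': 'aws.config',
    'detail': {
        'configRuleName': 'sg-no-world-ssh',
        'resourceType': 'AWS::EC2::SecurityGroup',
        'resourceId': 'sg-0123456789abcdef0',
        'newEvaluationResult': {'complianceType': 'NON_COMPLIANT'},
    },
}
SAMPLE_GROUP = {
    'GroupId': 'sg-0123456789abcdef0',
    'IpPermissions': [
        {'IpProtocol': 'tcp', 'FromPort': 0, 'ToPort': 65535,
         'IpRanges': [{'CidrIp': '0.0.0.0/0', 'Description': 'temp'}, {'CidrIp': '203.0.113.0/24'}],
         'Ipv6Ranges': [], 'UserIdGroupPairs': []},
        {'IpProtocol': 'tcp', 'FromPort': 443, 'ToPort': 443,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': []},
    ],
}

if __name__ == '__main__':
    print(json.dumps(plan_remediation(SAMPLE_EVENT, SAMPLE_GROUP), indent=2))
```

Separating `plan_remediation` from `apply_plan` lets the plan be logged or reviewed before anything is revoked, and gives the revoke call the exact protocol, port range and CIDR the API requires.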
Cloud Security Course Complete! 🎉
- ✅ Shared Responsibility
- ✅ CloudTrail & GuardDuty
- ✅ Secrets & KMS
- ✅ Container Security
- ✅ Posture Management
Why learn cloud security posture management?
Cloud security posture management is one of the core chapters of the security-cloud-security course.
In the real world
Cloud security posture management is not textbook theory; it comes up constantly in real software development. Whether you are doing contract work, preparing for interviews, or want to deepen your technical skills, understanding this topic benefits you directly.
What you will get from this chapter
- 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
- 💻 Runnable code: every snippet is complete and can be run directly
- 🔍 Debugging tips: analysis of common errors and their solutions
- 🚀 Next steps: where to go deeper after finishing this chapter
Bridging to the next chapter
This chapter gives you a complete foundation in cloud security posture management. The next chapter builds on it and takes you into more advanced real-world scenarios, where you will learn to apply what you learned here to more complex problems.