Cloud Security Posture
🔥 Vibe Prompt
"Set up AWS Security Hub, Config rules, and custom posture management."
AWS Security Hub
resource "aws_securityhub_account" "main" {}

# Standards can only be subscribed to after the account is enabled in Security Hub,
# so make the ordering explicit.
resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.main]
}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/pci-dss/v/3.2.1"
  depends_on    = [aws_securityhub_account.main]
}
AWS Config Rules
# AWS-managed rules; the account needs an enabled Config configuration recorder
# before any rule can evaluate resources.
resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ec2-ebs-encryption-enabled"
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

resource "aws_config_config_rule" "mfa_enabled" {
  name = "iam-user-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}
Custom Config Rule (Lambda)
import json
import boto3


def lambda_handler(event, context):
    config = boto3.client('config')
    invoking_event = json.loads(event['invokingEvent'])
    config_item = invoking_event['configurationItem']
    resource_type = config_item['resourceType']
    resource_id = config_item['resourceId']
    # 'configuration' is null for deleted resources; treat that as an empty item
    configuration = config_item.get('configuration') or {}
    # put_evaluations requires an OrderingTimestamp; use the item's capture time
    ordering_timestamp = config_item['configurationItemCaptureTime']

    # Check: Security group should not allow SSH from 0.0.0.0/0
    if resource_type == 'AWS::EC2::SecurityGroup':
        for permission in configuration.get('ipPermissions', []):
            if permission.get('fromPort') == 22:
                for ip_range in permission.get('ipRanges', []):  # renamed: 'range' shadows the builtin
                    if ip_range.get('cidrIp') == '0.0.0.0/0':
                        # Non-compliant!
                        config.put_evaluations(
                            Evaluations=[{
                                'ComplianceResourceType': resource_type,
                                'ComplianceResourceId': resource_id,
                                'ComplianceType': 'NON_COMPLIANT',
                                'Annotation': 'SSH open to world (0.0.0.0/0)',
                                'OrderingTimestamp': ordering_timestamp
                            }],
                            ResultToken=event['resultToken']
                        )
                        return

    # Default: compliant
    config.put_evaluations(
        Evaluations=[{
            'ComplianceResourceType': resource_type,
            'ComplianceResourceId': resource_id,
            'ComplianceType': 'COMPLIANT',
            'OrderingTimestamp': ordering_timestamp
        }],
        ResultToken=event['resultToken']
    )
Security Posture Dashboard
┌─────────────────────────────────────────────┐
│ Security Hub - Overall Score: 78% (GOOD)    │
├─────────────────────────────────────────────┤
│ CIS Benchmark: 12/18 passed (66%)           │
│ ├── [✅] 1.1 - IAM root user MFA            │
│ ├── [✅] 1.3 - Unused IAM credentials       │
│ ├── [❌] 1.4 - IAM user policy attachment   │
│ └── [❌] 2.1 - S3 public access             │
├─────────────────────────────────────────────┤
│ Top Failures:                               │
│ 1. S3 bucket public access (5 buckets)      │
│ 2. Security group overly permissive (3 SGs) │
│ 3. EBS volumes unencrypted (2 volumes)      │
└─────────────────────────────────────────────┘
Automated Remediation
import boto3

s3 = boto3.client('s3')
ec2 = boto3.client('ec2')


def remediate_non_compliant(event):
    # The triggering event is expected to carry the Config rule name and the offending resource id
    rule_name = event['configRuleName']
    resource_id = event['resourceId']
    if "S3_PUBLIC" in rule_name:
        # put_public_access_block takes the flags as one PublicAccessBlockConfiguration object
        s3.put_public_access_block(
            Bucket=resource_id,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True
            }
        )
    elif "SSH_OPEN" in rule_name:
        # Remove only the offending rule; other ingress rules on the group are left untouched
        ec2.revoke_security_group_ingress(
            GroupId=resource_id,
            IpPermissions=[{
                'IpProtocol': 'tcp',
                'FromPort': 22,
                'ToPort': 22,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
Cloud Security Course Complete! 🎉
- ✅ Shared Responsibility
- ✅ CloudTrail & GuardDuty
- ✅ Secrets & KMS
- ✅ Container Security
- ✅ Posture Management
Cloud Compliance Management
What is cloud compliance?
Does your AWS environment meet regulatory requirements such as SOC 2, ISO 27001 and PCI DSS? Security Hub and Config can check this automatically.
AWS Security Hub
Security Hub aggregates findings from security services such as GuardDuty, Inspector and Macie and presents them in a single dashboard. It also provides automated checks against compliance standards such as the CIS AWS Foundations Benchmark.
AWS Config
Config records the configuration change history of AWS resources: who changed a Security Group or an S3 bucket policy, and when.
Course Summary
This cloud security course has taken you from IAM fundamentals through CloudTrail/GuardDuty, Secrets Manager and container security to compliance management. You can now build layered security defenses for an AWS environment.