このページでは、AWS の脆弱性評価サービスを有効にするために必要な Amazon Web Services(AWS)ロールの権限ポリシーについて説明します。
以下を置き換えます。
AWS_REGION
: AWS CloudFormation をインストールするリージョンAWS_ACCOUNT_ID
: AWS CloudFormation をインストールする AWS アカウント IDSOURCE_BUCKET
: バイナリが保存されているバケット
このポリシーを AWS ロールに貼り付けて、権限を追加します。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "sqs:CreateQueue", "sqs:TagQueue" ], "Resource": [ "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue" ], "Effect": "Allow" }, { "Action": [ "logs:FilterLogEvents", "logs:PutRetentionPolicy" ], "Resource": [ "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox", "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream", "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream:" ], "Effect": "Allow" }, { "Action": [ "ssm:GetParameter" ], "Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*", "Effect": "Allow" }, { "Action": [ "lambda:DeleteFunction" ], "Resource": "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing", "Effect": "Allow" }, { "Action": [ "ec2:CreateTags", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeRouteTables", "ec2:DescribeVpcEndpoints", "ec2:DescribeInternetGateways", "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr-public:DescribeRepositories", "ecr-public:DescribeImages", "ec2:CreateSnapshot", "events:ListRules", "servicequotas:ListServiceQuotas", "organizations:DescribeOrganization", "lambda:TagResource", "events:TagResource", "cloudwatch:GetMetricStatistics", "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation", "ssm:ListCommandInvocations", "ec2:DescribeSecurityGroupRules", "lambda:ListEventSourceMappings", "lambda:ListFunctions", "s3:ListAllMyBuckets", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:DeleteRule" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::purplebox.cnspec.*", "arn:aws:s3:::purplebox.cnspec.*/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateSubnet" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*", "Effect": "Allow" }, { "Action": [ "cloudformation:DeleteStack", "cloudformation:UpdateStack", "cloudformation:GetTemplate", "cloudformation:DescribeStacks" ], "Resource": [ "arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT_ID:stack/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateSubnet" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:AuthorizeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:AuthorizeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule", "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateRouteTable" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateVpcEndpoint" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc-endpoint*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateVpcEndpoint" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateInternetGateway" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "events:PutTargets", "events:RemoveTargets" ], "Resource": [ "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox", "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing", "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateVpc" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*", "Effect": "Allow" }, { "Action": [ "ec2:CreateVpcEndpoint" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:ModifyVpcAttribute", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:TerminateInstances" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "ec2:Owner": "amazon" } }, "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*::image/*", "Effect": "Allow" }, { "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:network-interface/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*", "arn:aws:ec2:*:AWS_ACCOUNT_ID:volume/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*", "arn:aws:ec2:*::snapshot/*" ], "Effect": "Allow" }, { "Action": [ "iam:GetRole", "iam:PassRole", "iam:TagRole", "iam:PutRolePolicy", "iam:GetRolePolicy", "iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "lambda:DeleteCodeSigningConfig", "iam:CreateRole", "iam:GetInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:AddRoleToInstanceProfile", "lambda:GetFunction", "lambda:CreateFunction", "lambda:CreateEventSourceMapping", "lambda:GetEventSourceMapping", "lambda:DeleteEventSourceMapping", "ssm:SendCommand", "iam:DetachRolePolicy", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox" } }, "Action": [ "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DeleteSnapshot", "ec2:DeleteVpc", "ec2:DeleteSubnet", "ec2:DeleteSecurityGroup", "ec2:DeleteVpcEndpoints", "ec2:DeleteRouteTable", "ec2:DeleteInternetGateway", "ec2:DetachInternetGateway", "lambda:DeleteFunction" ], "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:RequestTag/Created By": "Purplebox" } }, "Action": [ "ec2:CreateVolume" ], "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "ec2:InstanceProfile": "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/scanner-instance-profile", "ec2:InstanceType": [ "t4g.micro", "t2.micro", "t4g.medium" ] } }, "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "aws:ResourceTag/Created By": "Purplebox", "kms:CallerAccount": "AWS_ACCOUNT_ID", "kms:ViaService": "lambda.AWS_REGION.amazonaws.com" }, "Bool": { "kms:GrantIsForAWSResource": "true" } }, "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:AWS_ACCOUNT_ID:key/*", "Effect": "Allow" }, { "Action": [ "events:PutRule", "events:DeleteRule", "events:TagResource" ], "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*", "Effect": "Allow" }, { "Action": [ "ssm:SendCommand" ], "Resource": [ "arn:aws:ssm:*::document/AWS-RunShellScript", "arn:aws:ssm:*::document/AWS-RunPowerShellScript" ], "Effect": "Allow" }, { "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:AddTagsToResource", "ssm:GetParameter", "ssm:GetParameters" ], "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:parameter/Purplebox*", "Effect": "Allow" }, { "Action": [ "sqs:SendMessage", "sqs:DeleteMessage", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:PurgeQueue" ], "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue", "Effect": "Allow" }, { "Action": [ "lambda:UpdateFunctionConfiguration", "lambda:GetFunctionConfiguration", "lambda:*Permission", "lambda:UpdateFunctionCode", "lambda:*Function", "lambda:PutFunctionConcurrency", "lambda:UpdateEventSourceMapping", "lambda:PutFunctionCodeSigningConfig" ], "Resource": [ "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox", "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing", "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBoxUpdater" ], "Effect": "Allow" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::SOURCE_BUCKET.AWS_REGION/*", "arn:aws:s3:::SOURCE_BUCKET.*/*" ], "Effect": "Allow" }, { "Action": [ "events:RemovePermission" ], "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:event-bus/default", "Effect": "Allow" }, { "Condition": { "StringEquals": { "sts:AWSServiceName": "ec2.amazonaws.com" } }, "Action": [ "sts:GetServiceBearerToken" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "lambda:UpdateCodeSigningConfig" ], "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:code-signing-config:csc-04006c10ff4690ad0", "Effect": "Allow" }, { "Action": [ "lambda:CreateCodeSigningConfig", "lambda:GetCodeSigningConfig" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "iam:ListAttachedRolePolicies", "iam:ListRolePolicies" ], "Resource": [ "arn:aws:iam::AWS_ACCOUNT_ID:role/scanner-role", "arn:aws:iam::AWS_ACCOUNT_ID:role/purplebox-sqs-lambda-role", "arn:aws:iam::AWS_ACCOUNT_ID:role/PurpleboxRole" ], "Effect": "Allow" }, { "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:SendMessage", "sqs:GetQueueAttributes", "lambda:InvokeFunction", "lambda:CreateEventSourceMapping", "lambda:UpdateFunctionConfiguration", "lambda:ListEventSourceMappings", "lambda:UpdateEventSourceMapping" ], "Resource": [ "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing", "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue" ], "Effect": "Allow" }, { "Action": [ "sqs:SendMessage" ], "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue", "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ecr:DescribeImages", "ecr-public:DescribeImages", "ecr:DescribeRepositories", "ecr-public:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::purplebox.cnspec.*", "Effect": "Allow" } ] }