AWS の脆弱性評価のロール ポリシー

このページでは、AWS サービスの脆弱性診断を有効にするために必要な Amazon Web Services(AWS)ロールの権限ポリシーについて説明します。

次のポリシーを AWS ロールに貼り付けて、権限を追加します。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:TagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:FilterLogEvents",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox",
                "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream",
                "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream:"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:DeleteFunction"
            ],
            "Resource": "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeInternetGateways",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr-public:DescribeRepositories",
                "ecr-public:DescribeImages",
                "ec2:CreateSnapshot",
                "events:ListRules",
                "servicequotas:ListServiceQuotas",
                "organizations:DescribeOrganization",
                "lambda:TagResource",
                "events:TagResource",
                "cloudwatch:GetMetricStatistics",
                "ssm:DescribeInstanceInformation",
                "ssm:GetCommandInvocation",
                "ssm:ListCommandInvocations",
                "ec2:DescribeSecurityGroupRules",
                "lambda:ListEventSourceMappings",
                "lambda:ListFunctions",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::purplebox.cnspec.*",
                "arn:aws:s3:::purplebox.cnspec.*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT_ID:stack/testpurplebox-1o5k4/5060a950-17bb-11ef-9061-128493f57bb9"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateRouteTable"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc-endpoint*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateInternetGateway"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
                "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
                "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpc"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:ModifyVpcAttribute",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:Owner": "amazon"
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:network-interface/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:volume/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "lambda:DeleteCodeSigningConfig",
                "iam:CreateRole",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "ssm:SendCommand",
                "iam:DetachRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteVpc",
                "ec2:DeleteSubnet",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteRouteTable",
                "ec2:DeleteInternetGateway",
                "ec2:DetachInternetGateway"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/scanner-instance-profile",
                    "ec2:InstanceType": [
                        "t4g.micro",
                        "t2.micro",
                        "t4g.medium"
                    ]
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                },
                "Bool": {
                    "kms:CallerAccount": "AWS_ACCOUNT_ID",
                    "kms:GrantIsForAWSResource": "true",
                    "kms:ViaService": "lambda.amazonaws.com"
                }
            },
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:*:AWS_ACCOUNT_ID:key/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:PutRule",
                "events:DeleteRule",
                "events:TagResource"
            ],
            "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWS-RunShellScript",
                "arn:aws:ssm:*::document/AWS-RunPowerShellScript"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:PutParameter",
                "ssm:DeleteParameter",
                "ssm:AddTagsToResource",
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:parameter/Purplebox*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:DeleteMessage",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:PurgeQueue"
            ],
            "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:UpdateFunctionConfiguration",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode",
                "lambda:InvokeFunction",
                "lambda:RemovePermission",
                "lambda:DeleteFunction",
                "lambda:PutFunctionConcurrency",
                "lambda:UpdateEventSourceMapping",
                "lambda:PutFunctionCodeSigningConfig"
            ],
            "Resource": [
                "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
                "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::SOURCE_BUCKET.AWS_REGION/*",
                "arn:aws:s3:::SOURCE_BUCKET.*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:RemovePermission"
            ],
            "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:event-bus/default",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "sts:AWSServiceName": "ec2.amazonaws.com"
                }
            },
            "Action": [
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:UpdateCodeSigningConfig"
            ],
            "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:code-signing-config:csc-04006c10ff4690ad0",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:CreateCodeSigningConfig",
                "lambda:GetCodeSigningConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_ID:role/scanner-role",
                "arn:aws:iam::AWS_ACCOUNT_ID:role/purplebox-sqs-lambda-role",
                "arn:aws:iam::AWS_ACCOUNT_ID:role/PurpleboxRole"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "lambda:InvokeFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:UpdateFunctionConfiguration",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateEventSourceMappings"
            ],
            "Resource": [
                "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
                "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:SendMessage"
            ],
            "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeMessages",
                "ec2:DescribeInstances",
                "ecr:DescribeImages",
                "ecr-public:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr-public:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::purplebox.cnspec.*",
            "Effect": "Allow"
        }
    ]
}