例CDK定義
import * as cdk from "aws-cdk-lib";
import {
  AttributeType,
  BillingMode,
  StreamViewType,
  Table,
} from "aws-cdk-lib/aws-dynamodb";
import { Construct } from "constructs";

/**
 * Minimal stack holding a single on-demand DynamoDB table.
 *
 * Only the partition key, the billing mode and a NEW_IMAGE stream are set
 * explicitly; encryption, point-in-time recovery and tags are left at the
 * construct defaults. That is exactly what the Template Scanner output
 * further down on this page reports (DynamoDB-004, DynamoDB-003, RG-001),
 * so this definition is a deliberately bare example, not a hardened one.
 */
export class AppSyncCdkStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const tableName = "items";
    // The partition key name is derived from the table name ("itemsId").
    const partitionKey = {
      name: `${tableName}Id`,
      type: AttributeType.STRING,
    };

    new Table(this, "ItemsTable", {
      tableName,
      partitionKey,
      billingMode: BillingMode.PAY_PER_REQUEST,
      stream: StreamViewType.NEW_IMAGE,
    });
  }
}

const app = new cdk.App();
new AppSyncCdkStack(app, "DynamoDBExample");
app.synth();
例 cdk synth
出力
Resources:
  ItemsTable5AAC2C46:
    Type: AWS::DynamoDB::Table
    Properties:
      # No SSESpecification, PointInTimeRecoverySpecification or Tags are emitted
      # for this table; the scanner output below reports those gaps as
      # DynamoDB-004 (AWS-owned key), DynamoDB-003 (no continuous backups)
      # and RG-001 (missing tags).
      AttributeDefinitions:
        - AttributeName: itemsId
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: itemsId
          KeyType: HASH
      StreamSpecification:
        StreamViewType: NEW_IMAGE
      TableName: items
    # Retain: the table (and its data) is kept when the resource is replaced
    # or the stack is deleted.
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: DynamoDBExample/ItemsTable/Resource
  # Opaque CDK metadata record (the value is a deflate64-encoded blob, as its
  # prefix states); created only in the regions enumerated under Conditions.
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzQ20jNQTCwv1k1OydbNyUzSqw4uSUzO1gEKxadU5iXm5qcAxUISk3JSdZzT8sCMWp2g1OL80qJksBAy2zk/LyWzJDM/r1YnLz8lVS+rWL/M0EwPiAwUs4ozM3WLSvNKMnNT9YIgNABcnFrfgQAAAA==
    Metadata:
      aws:cdk:path: DynamoDBExample/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - il-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  # Refuses to deploy against a bootstrap stack older than version 6.
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
スキャンコマンドの例
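#!/usr/bin/env bash
# Scans a template file
# Requires "cdk" (https://docs.aws.amazon.com/cdk/v2/guide/home.html) to be installed
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
#
# Abort on the first failing command, unset variable or failing pipeline
# stage, so a broken `cdk synth` does not result in an empty template being
# posted to the API.
set -euo pipefail

# Take the key from the environment when it is set (CONFORMITY_API_KEY is a
# name chosen for this script) so the secret need not be written into this
# file; the literal is only a placeholder for the old edit-in-place usage.
api_key="${CONFORMITY_API_KEY:-Your Trend API Key}"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"

# Perform any language specific compilation steps before this line. (example transpiling typescript to javascript)
# -R -s wraps the whole synthesized template into a single JSON string literal.
contents=$(cdk synth | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"cloudformation-template\",\"contents\":${contents}}}}"

echo Request:
# Quoted printf keeps the payload intact: no word splitting or glob
# expansion of template contents, unlike an unquoted echo.
printf '%s\n' "${payload}" | jq '.' -M

echo Response:
# -sS stays quiet on success but still reports transport errors.
# The key travels on the command line, so it is visible in the process
# list on this host for the duration of the request.
curl -sS -X POST \
  -H "Authorization: ApiKey ${api_key}" \
  -H "Content-Type: application/vnd.api+json" \
  "${api_base_url}/template-scanner/scan" \
  --data-binary "${payload}" | jq '.' -M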
例のTemplate Scanner API出力
出力が切り捨てられました。このテンプレートで生成されたチェックの実際の数は、以下に表示されている数よりも多い可能性があります。
{ "data": [ { "type": "checks", "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:itemstable5aac2c46-erjv68sb17u6", "attributes": { "region": "us-east-1", "status": "FAILURE", "risk-level": "LOW", "pretty-risk-level": "Low", "message": "dynamodb-table itemstable5aac2c46-erjv68sb17u6 has [Environment, Role, Owner, Name] tags missing", "resource": "itemstable5aac2c46-erjv68sb17u6", "descriptorType": "dynamodb-table", "categories": [ "security", "reliability", "performance-efficiency", "cost-optimisation", "operational-excellence", "sustainability" ], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "NIST-CSF-2_0", "ISO27001", "ISO27001-2022", "AGISM", "HITRUST", "ASAE-3150", "PCI-V4", "FEDRAMP", "MAS", "CSA" ], "extradata": [ { "name": "DETAILED_STATUS", "label": "Resource tags status for dynamodb-table itemstable5aac2c46-erjv68sb17u6", "value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"itemstable5aac2c46-erjv68sb17u6\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":false},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":false},{\"key\":\"Name\",\"hasValue\":false}]}", "type": "META", "internal": true } ], "cost": 0, "waste": 0, "not-scored": false, "ignored": false, "rule-title": "Tags", "provider": "aws", "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html", "service": "ResourceGroup" }, "relationships": { "rule": { "data": { "type": "rules", "id": "RG-001" } }, "account": { "data": null } } }, { "type": "checks", "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:itemstable5aac2c46-erjv68sb17u6", "attributes": { "region": "us-east-1", "status": "FAILURE", "risk-level": "HIGH", "pretty-risk-level": "High", "message": "Continuous Backups aren't enabled for [itemstable5aac2c46-erjv68sb17u6]", "resource": "itemstable5aac2c46-erjv68sb17u6", "descriptorType": "dynamodb-table", "categories": ["reliability"], "compliances": [ 
"AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9" ], "last-updated-date": null, "tags": [], "cost": 0, "waste": 0, "not-scored": false, "ignored": false, "rule-title": "DynamoDB Continuous Backups", "provider": "aws", "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html", "service": "DynamoDB", "logicalResourceId": "itemstable5aac2c46-erjv68sb17u6" }, "relationships": { "rule": { "data": { "type": "rules", "id": "DynamoDB-003" } }, "account": { "data": null } } }, { "type": "checks", "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:itemstable5aac2c46-erjv68sb17u6", "attributes": { "region": "us-east-1", "status": "FAILURE", "risk-level": "HIGH", "pretty-risk-level": "High", "message": "Table [itemstable5aac2c46-erjv68sb17u6] is encrypted at rest using the AWS-owned key", "resource": "itemstable5aac2c46-erjv68sb17u6", "descriptorType": "dynamodb-table", "categories": ["security"], "compliances": [ "GDPR", "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9", "LGPD" ], "last-updated-date": null, "tags": [], "cost": 0, "waste": 0, "not-scored": false, "ignored": false, "rule-title": "Enable Encryption at Rest with Amazon KMS Keys", "provider": "aws", "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html", "service": "DynamoDB", "logicalResourceId": "itemstable5aac2c46-erjv68sb17u6" }, "relationships": { "rule": { "data": { "type": "rules", "id": "DynamoDB-004" } }, "account": { "data": null } } } ], "meta": { "missingParameters": [], "errors": [] } }