目次

AWS CloudFormationの例

テンプレートの例

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  dynamodb003S1:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      AttributeDefinitions:
        - AttributeName: Album
          AttributeType: S
        - AttributeName: Artist
          AttributeType: S
        - AttributeName: Sales
          AttributeType: N
        - AttributeName: NumberOfSongs
          AttributeType: N
      KeySchema:
        - AttributeName: Album
          KeyType: HASH
        - AttributeName: Artist
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      SSESpecification:
        SSEEnabled: true
      TableName: myTableName
      GlobalSecondaryIndexes:
        - IndexName: myGSI
          KeySchema:
            - AttributeName: Sales
              KeyType: HASH
            - AttributeName: Artist
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - NumberOfSongs
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - IndexName: myGSI2
          KeySchema:
            - AttributeName: NumberOfSongs
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - Artist
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      LocalSecondaryIndexes:
        - IndexName: myLSI
          KeySchema:
            - AttributeName: Album
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Artist
              - NumberOfSongs
            ProjectionType: INCLUDE

検索コマンドの例

#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed

api_key="Your Trend API Key"
file_path="Path to template"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"

contents=$(cat ${file_path} | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"cloudformation-template\",\"contents\":${contents}}}}"

echo Request:
echo ${payload} | jq '.' -M

echo Response:
curl -s -X POST \
     -H "Authorization: ApiKey ${api_key}" \
     -H "Content-Type: application/vnd.api+json" \
     ${api_base_url}/template-scanner/scan \
     --data-binary "${payload}" | jq '.' -M

Template Scanner APIの出力例

{
  "data": [
    {
      "type": "checks",
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:dynamodb003s1-4ez4cs0amgea",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "LOW",
        "pretty-risk-level": "Low",
        "message": "dynamodb-table dynamodb003s1-4ez4cs0amgea has [Environment, Role, Owner, Name] tags missing",
        "resource": "dynamodb003s1-4ez4cs0amgea",
        "descriptorType": "dynamodb-table",
        "categories": [
          "security",
          "reliability",
          "performance-efficiency",
          "cost-optimisation",
          "operational-excellence",
          "sustainability"
        ],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HITRUST",
          "ASAE-3150",
          "PCI-V4",
          "FEDRAMP",
          "MAS",
          "CSA"
        ],
        "extradata": [
          {
            "name": "DETAILED_STATUS",
            "label": "Resource tags status for dynamodb-table dynamodb003s1-4ez4cs0amgea",
            "value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"dynamodb003s1-4ez4cs0amgea\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":false},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":false},{\"key\":\"Name\",\"hasValue\":false}]}",
            "type": "META",
            "internal": true
          }
        ],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Tags",
        "provider": "aws",
        "resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
        "service": "ResourceGroup"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "RG-001"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:dynamodb003s1-4ez4cs0amgea",
      "attributes": {
        "region": "us-east-1",
        "status": "SUCCESS",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Continuous Backups are enabled for [dynamodb003s1-4ez4cs0amgea]",
        "resource": "dynamodb003s1-4ez4cs0amgea",
        "descriptorType": "dynamodb-table",
        "categories": ["reliability"],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9"
        ],
        "last-updated-date": null,
        "extradata": [
          {
            "name": "EarliestRestorableDateTime",
            "label": "Earliest Restorable DateTime",
            "value": 1707793902245,
            "type": "META"
          },
          {
            "name": "LatestRestorableDateTime",
            "label": "Latest Restorable DateTime",
            "value": 1707793902245,
            "type": "META"
          }
        ],
        "tags": [],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "DynamoDB Continuous Backups",
        "provider": "aws",
        "resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
        "service": "DynamoDB",
        "logicalResourceId": "dynamodb003s1-4ez4cs0amgea"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-003"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003s1-4ez4cs0amgea",
      "attributes": {
        "region": "us-east-1",
        "status": "SUCCESS",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Table [dynamodb003s1-4ez4cs0amgea] is encrypted at rest using the AWS managed key or Customer managed key",
        "resource": "dynamodb003s1-4ez4cs0amgea",
        "descriptorType": "dynamodb-table",
        "categories": ["security"],
        "compliances": [
          "GDPR",
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9",
          "LGPD"
        ],
        "last-updated-date": null,
        "tags": [],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
        "provider": "aws",
        "resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
        "service": "DynamoDB",
        "logicalResourceId": "dynamodb003s1-4ez4cs0amgea"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-004"
          }
        },
        "account": {
          "data": null
        }
      }
    }
  ],
  "meta": {
    "missingParameters": [],
    "errors": []
  }
}