AWS 無伺服器框架範本掃描範例。
範例無伺服器框架 (serverless.yml) 檔案
app: aws-golang-rest-api-with-dynamodb service: aws-golang-rest-api-with-dynamodb frameworkVersion: "3" provider: name: aws runtime: go1.x region: us-east-1 environment: DYNAMODB_TABLE: ${self:service}-${opt:stage, self:provider.stage} iam: role: statements: - Effect: Allow Action: - dynamodb:Query - dynamodb:Scan - dynamodb:GetItem - dynamodb:PutItem - dynamodb:UpdateItem - dynamodb:DeleteItem Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}" functions: list: handler: bin/list package: include: - ./bin/list events: - http: path: todos method: get resources: Resources: TodosDynamoDbTable: Type: "AWS::DynamoDB::Table" Properties: AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: 1 WriteCapacityUnits: 1 TableName: ${self:provider.environment.DYNAMODB_TABLE}
範例無伺服器套件輸出
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "The AWS CloudFormation template for this Serverless application", "Resources": { "ServerlessDeploymentBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] } } }, "ServerlessDeploymentBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "ServerlessDeploymentBucket" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Effect": "Deny", "Principal": "*", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "ServerlessDeploymentBucket" }, "/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "ServerlessDeploymentBucket" } ] ] } ], "Condition": { "Bool": { "aws:SecureTransport": false } } } ] } } }, "ListLogGroup": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": "/aws/lambda/aws-golang-rest-api-with-dynamodb-dev-list" } }, "IamRoleLambdaExecution": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": ["lambda.amazonaws.com"] }, "Action": ["sts:AssumeRole"] } ] }, "Policies": [ { "PolicyName": { "Fn::Join": [ "-", ["aws-golang-rest-api-with-dynamodb", "dev", "lambda"] ] }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:TagResource" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-golang-rest-api-with-dynamodb-dev*:*" } ] }, { "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-golang-rest-api-with-dynamodb-dev*:*:*" } ] }, { "Effect": "Allow", "Action": [ "dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:us-east-1:*:table/aws-golang-rest-api-with-dynamodb-dev" } ] } } ], "Path": "/", "RoleName": { "Fn::Join": [ "-", [ "aws-golang-rest-api-with-dynamodb", "dev", { "Ref": "AWS::Region" }, "lambdaRole" ] ] } } }, "ListLambdaFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Ref": "ServerlessDeploymentBucket" }, "S3Key": "serverless/aws-golang-rest-api-with-dynamodb/dev/1710062641444-2024-03-10T09:24:01.444Z/aws-golang-rest-api-with-dynamodb.zip" }, "Handler": "bin/list", "Runtime": "go1.x", "FunctionName": "aws-golang-rest-api-with-dynamodb-dev-list", "MemorySize": 1024, "Timeout": 6, "Environment": { "Variables": { "DYNAMODB_TABLE": "aws-golang-rest-api-with-dynamodb-dev" } }, "Role": { "Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"] } }, "DependsOn": ["ListLogGroup"] }, "ListLambdaVersionJ684s4LZRbBw6J320LvKtLIeU1fR8jPz3N7XRVUU": { "Type": "AWS::Lambda::Version", "DeletionPolicy": "Retain", "Properties": { "FunctionName": { "Ref": "ListLambdaFunction" }, "CodeSha256": "h+adt3PlVl1Ojig8cC2oRoSspbiCI6OkH+atrtllc8c=" } }, "ApiGatewayRestApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Name": "dev-aws-golang-rest-api-with-dynamodb", "EndpointConfiguration": { "Types": ["EDGE"] }, "Policy": "" } }, "ApiGatewayResourceTodos": { "Type": "AWS::ApiGateway::Resource", "Properties": { "ParentId": { "Fn::GetAtt": ["ApiGatewayRestApi", "RootResourceId"] }, "PathPart": "todos", "RestApiId": { "Ref": "ApiGatewayRestApi" } } }, "ApiGatewayMethodTodosGet": { "Type": "AWS::ApiGateway::Method", "Properties": { "HttpMethod": "GET", "RequestParameters": {}, "ResourceId": { "Ref": "ApiGatewayResourceTodos" }, "RestApiId": { "Ref": "ApiGatewayRestApi" }, "ApiKeyRequired": false, "AuthorizationType": "NONE", "Integration": { "IntegrationHttpMethod": "POST", "Type": "AWS_PROXY", "Uri": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:", { "Ref": "AWS::Region" }, ":lambda:path/2015-03-31/functions/", { "Fn::GetAtt": ["ListLambdaFunction", "Arn"] }, "/invocations" ] ] } }, "MethodResponses": [] }, "DependsOn": ["ListLambdaPermissionApiGateway"] }, "ApiGatewayDeployment1710062639137": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "ApiGatewayRestApi" }, "StageName": "dev" }, "DependsOn": ["ApiGatewayMethodTodosGet"] }, "ListLambdaPermissionApiGateway": { "Type": "AWS::Lambda::Permission", "Properties": { "FunctionName": { "Fn::GetAtt": ["ListLambdaFunction", "Arn"] }, "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":execute-api:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "ApiGatewayRestApi" }, "/*/*" ] ] } } }, "TodosDynamoDbTable": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "id", "AttributeType": "S" } ], "KeySchema": [ { "AttributeName": "id", "KeyType": "HASH" } ], "ProvisionedThroughput": { "ReadCapacityUnits": 1, "WriteCapacityUnits": 1 }, "TableName": "aws-golang-rest-api-with-dynamodb-dev" } } }, "Outputs": { "ServerlessDeploymentBucketName": { "Value": { "Ref": "ServerlessDeploymentBucket" }, "Export": { "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ServerlessDeploymentBucketName" } }, "ListLambdaFunctionQualifiedArn": { "Description": "Current Lambda function version", "Value": { "Ref": "ListLambdaVersionJ684s4LZRbBw6J320LvKtLIeU1fR8jPz3N7XRVUU" }, "Export": { "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ListLambdaFunctionQualifiedArn" } }, "ServiceEndpoint": { "Description": "URL of the service endpoint", "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "ApiGatewayRestApi" }, ".execute-api.", { "Ref": "AWS::Region" }, ".", { "Ref": "AWS::URLSuffix" }, "/dev" ] ] }, "Export": { "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ServiceEndpoint" } } } }
範例掃瞄指令
#!/usr/bin/env bash # Scans a template file # Requires "serverless" (https://www.serverless.com/framework/docs/getting-started) to be installed # Requires "jq" (https://stedolan.github.io/jq/) to be installed api_key="Your Trend Vision One API Key" api_base_url="https://api.xdr.trendmicro.com" # Modify serverless package command as needed depending on stage, region, etc. serverless package --stage dev content=$( cat .serverless/cloudformation-template-update-stack.json | jq '.' -MRs) payload="{\"type\":\"cloudformation-template\",\"content\":${content}}" echo Request: echo ${payload} | jq '.' -M echo Response: curl -s -X POST \ -H "Authorization: Bearer ${api_key}" \ -H "Content-Type: application/json" \ ${api_base_url}/beta/cloudPosture/scanTemplate \ --data-binary "${payload}" | jq '.' -M
範例範本掃描器 API 輸出
輸出已截斷,為此範本生成的實際檢查數量超過下方所見。
{ "scanResults": [ { "id": "ccc:OrganisationId:S3-026:S3:global:ServerlessDeploymentBucket", "accountId": "", "ruleId": "S3-026", "provider": "aws", "ruleTitle": "Enable S3 Block Public Access for S3 Buckets", "riskLevel": "MEDIUM", "status": "FAILURE", "service": "S3", "description": "s3-bucket ServerlessDeploymentBucket doesn't have S3 Block Public Access feature enabled.", "resource": "ServerlessDeploymentBucket", "resourceType": "s3-bucket", "resourceId": "ServerlessDeploymentBucket", "ignored": false, "categories": ["security"], "compliances": [ "AWAF", "CISAWSF-1_5_0", "CISAWSF-2_0", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "ENISA", "FISC-V9" ], "region": "global", "tags": [], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/S3/bucket-public-access-block.html" }, { "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:todosdynamodbtable-ra4yet9ua88m", "accountId": "", "ruleId": "DynamoDB-003", "provider": "aws", "ruleTitle": "DynamoDB Continuous Backups", "riskLevel": "HIGH", "status": "FAILURE", "service": "DynamoDB", "description": "Continuous Backups aren't enabled for [todosdynamodbtable-ra4yet9ua88m]", "resource": "todosdynamodbtable-ra4yet9ua88m", "resourceType": "dynamodb-table", "resourceId": "todosdynamodbtable-ra4yet9ua88m", "ignored": false, "categories": ["reliability"], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9" ], "region": "us-east-1", "tags": [], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html" }, { "id": "ccc:OrganisationId:Lambda-001:Lambda:us-east-1:aws-golang-rest-api-with-dynamodb-dev-list", "accountId": "", "ruleId": "Lambda-001", "provider": "aws", "ruleTitle": "Lambda Using Latest Runtime Environment", "riskLevel": "MEDIUM", "status": "FAILURE", "service": "Lambda", "description": "Function aws-golang-rest-api-with-dynamodb-dev-list isn't using the latest version of runtime environment", "resource": "aws-golang-rest-api-with-dynamodb-dev-list", "resourceType": "lambda-function", "resourceId": "aws-golang-rest-api-with-dynamodb-dev-list", "ignored": false, "categories": ["security", "reliability", "sustainability"], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "ENISA", "FISC-V9" ], "region": "us-east-1", "tags": [], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/Lambda/runtime-environment.html" } ], "missingParameters": [], "skippedRules": [] }