檢視次數:

AWS 無伺服器框架範本掃描範例。

範例無伺服器框架 (serverless.yml) 檔案

app: aws-golang-rest-api-with-dynamodb
service: aws-golang-rest-api-with-dynamodb

frameworkVersion: "3"

provider:
  name: aws
  runtime: go1.x
  region: us-east-1
  environment:
    DYNAMODB_TABLE: ${self:service}-${opt:stage, self:provider.stage}
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
          Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"

functions:
  list:
    handler: bin/list
    package:
      include:
        - ./bin/list
    events:
      - http:
          path: todos
          method: get

resources:
  Resources:
    TodosDynamoDbTable:
      Type: "AWS::DynamoDB::Table"
      Properties:
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        TableName: ${self:provider.environment.DYNAMODB_TABLE}

範例無伺服器套件輸出

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "The AWS CloudFormation template for this Serverless application",
  "Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    },
    "ServerlessDeploymentBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "ServerlessDeploymentBucket"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Effect": "Deny",
              "Principal": "*",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::",
                      {
                        "Ref": "ServerlessDeploymentBucket"
                      },
                      "/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::",
                      {
                        "Ref": "ServerlessDeploymentBucket"
                      }
                    ]
                  ]
                }
              ],
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              }
            }
          ]
        }
      }
    },
    "ListLogGroup": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": "/aws/lambda/aws-golang-rest-api-with-dynamodb-dev-list"
      }
    },
    "IamRoleLambdaExecution": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": ["lambda.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": {
              "Fn::Join": [
                "-",
                ["aws-golang-rest-api-with-dynamodb", "dev", "lambda"]
              ]
            },
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:TagResource"
                  ],
                  "Resource": [
                    {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-golang-rest-api-with-dynamodb-dev*:*"
                    }
                  ]
                },
                {
                  "Effect": "Allow",
                  "Action": ["logs:PutLogEvents"],
                  "Resource": [
                    {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-golang-rest-api-with-dynamodb-dev*:*:*"
                    }
                  ]
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem"
                  ],
                  "Resource": "arn:aws:dynamodb:us-east-1:*:table/aws-golang-rest-api-with-dynamodb-dev"
                }
              ]
            }
          }
        ],
        "Path": "/",
        "RoleName": {
          "Fn::Join": [
            "-",
            [
              "aws-golang-rest-api-with-dynamodb",
              "dev",
              {
                "Ref": "AWS::Region"
              },
              "lambdaRole"
            ]
          ]
        }
      }
    },
    "ListLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "ServerlessDeploymentBucket"
          },
          "S3Key": "serverless/aws-golang-rest-api-with-dynamodb/dev/1710062641444-2024-03-10T09:24:01.444Z/aws-golang-rest-api-with-dynamodb.zip"
        },
        "Handler": "bin/list",
        "Runtime": "go1.x",
        "FunctionName": "aws-golang-rest-api-with-dynamodb-dev-list",
        "MemorySize": 1024,
        "Timeout": 6,
        "Environment": {
          "Variables": {
            "DYNAMODB_TABLE": "aws-golang-rest-api-with-dynamodb-dev"
          }
        },
        "Role": {
          "Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"]
        }
      },
      "DependsOn": ["ListLogGroup"]
    },
    "ListLambdaVersionJ684s4LZRbBw6J320LvKtLIeU1fR8jPz3N7XRVUU": {
      "Type": "AWS::Lambda::Version",
      "DeletionPolicy": "Retain",
      "Properties": {
        "FunctionName": {
          "Ref": "ListLambdaFunction"
        },
        "CodeSha256": "h+adt3PlVl1Ojig8cC2oRoSspbiCI6OkH+atrtllc8c="
      }
    },
    "ApiGatewayRestApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Name": "dev-aws-golang-rest-api-with-dynamodb",
        "EndpointConfiguration": {
          "Types": ["EDGE"]
        },
        "Policy": ""
      }
    },
    "ApiGatewayResourceTodos": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": ["ApiGatewayRestApi", "RootResourceId"]
        },
        "PathPart": "todos",
        "RestApiId": {
          "Ref": "ApiGatewayRestApi"
        }
      }
    },
    "ApiGatewayMethodTodosGet": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "HttpMethod": "GET",
        "RequestParameters": {},
        "ResourceId": {
          "Ref": "ApiGatewayResourceTodos"
        },
        "RestApiId": {
          "Ref": "ApiGatewayRestApi"
        },
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": ["ListLambdaFunction", "Arn"]
                },
                "/invocations"
              ]
            ]
          }
        },
        "MethodResponses": []
      },
      "DependsOn": ["ListLambdaPermissionApiGateway"]
    },
    "ApiGatewayDeployment1710062639137": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "ApiGatewayRestApi"
        },
        "StageName": "dev"
      },
      "DependsOn": ["ApiGatewayMethodTodosGet"]
    },
    "ListLambdaPermissionApiGateway": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": ["ListLambdaFunction", "Arn"]
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiGatewayRestApi"
              },
              "/*/*"
            ]
          ]
        }
      }
    },
    "TodosDynamoDbTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "id",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "id",
            "KeyType": "HASH"
          }
        ],
        "ProvisionedThroughput": {
          "ReadCapacityUnits": 1,
          "WriteCapacityUnits": 1
        },
        "TableName": "aws-golang-rest-api-with-dynamodb-dev"
      }
    }
  },
  "Outputs": {
    "ServerlessDeploymentBucketName": {
      "Value": {
        "Ref": "ServerlessDeploymentBucket"
      },
      "Export": {
        "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ServerlessDeploymentBucketName"
      }
    },
    "ListLambdaFunctionQualifiedArn": {
      "Description": "Current Lambda function version",
      "Value": {
        "Ref": "ListLambdaVersionJ684s4LZRbBw6J320LvKtLIeU1fR8jPz3N7XRVUU"
      },
      "Export": {
        "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ListLambdaFunctionQualifiedArn"
      }
    },
    "ServiceEndpoint": {
      "Description": "URL of the service endpoint",
      "Value": {
        "Fn::Join": [
          "",
          [
            "https://",
            {
              "Ref": "ApiGatewayRestApi"
            },
            ".execute-api.",
            {
              "Ref": "AWS::Region"
            },
            ".",
            {
              "Ref": "AWS::URLSuffix"
            },
            "/dev"
          ]
        ]
      },
      "Export": {
        "Name": "sls-aws-golang-rest-api-with-dynamodb-dev-ServiceEndpoint"
      }
    }
  }
}

範例掃瞄指令

#!/usr/bin/env bash
# Scans a template file
# Requires "serverless" (https://www.serverless.com/framework/docs/getting-started) to be installed
# Requires "jq" (https://stedolan.github.io/jq/) to be installed

api_key="Your Trend Vision One API Key"
api_base_url="https://api.xdr.trendmicro.com"

# Modify serverless package command as needed depending on stage, region, etc.
serverless package --stage dev
content=$( cat .serverless/cloudformation-template-update-stack.json | jq '.' -MRs)
payload="{\"type\":\"cloudformation-template\",\"content\":${content}}"

echo Request:
echo ${payload} | jq '.' -M

echo Response:
curl -s -X POST \
     -H "Authorization: Bearer ${api_key}" \
     -H "Content-Type: application/json" \
     ${api_base_url}/beta/cloudPosture/scanTemplate \
     --data-binary "${payload}" | jq '.' -M

範例範本掃描器 API 輸出

輸出已截斷,為此範本生成的實際檢查數量超過下方所見。
{
  "scanResults": [
    {
      "id": "ccc:OrganisationId:S3-026:S3:global:ServerlessDeploymentBucket",
      "accountId": "",
      "ruleId": "S3-026",
      "provider": "aws",
      "ruleTitle": "Enable S3 Block Public Access for S3 Buckets",
      "riskLevel": "MEDIUM",
      "status": "FAILURE",
      "service": "S3",
      "description": "s3-bucket ServerlessDeploymentBucket doesn't have S3 Block Public Access feature enabled.",
      "resource": "ServerlessDeploymentBucket",
      "resourceType": "s3-bucket",
      "resourceId": "ServerlessDeploymentBucket",
      "ignored": false,
      "categories": ["security"],
      "compliances": [
        "AWAF",
        "CISAWSF-1_5_0",
        "CISAWSF-2_0",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "ENISA",
        "FISC-V9"
      ],
      "region": "global",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/S3/bucket-public-access-block.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:todosdynamodbtable-ra4yet9ua88m",
      "accountId": "",
      "ruleId": "DynamoDB-003",
      "provider": "aws",
      "ruleTitle": "DynamoDB Continuous Backups",
      "riskLevel": "HIGH",
      "status": "FAILURE",
      "service": "DynamoDB",
      "description": "Continuous Backups aren't enabled for [todosdynamodbtable-ra4yet9ua88m]",
      "resource": "todosdynamodbtable-ra4yet9ua88m",
      "resourceType": "dynamodb-table",
      "resourceId": "todosdynamodbtable-ra4yet9ua88m",
      "ignored": false,
      "categories": ["reliability"],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
    },
    {
      "id": "ccc:OrganisationId:Lambda-001:Lambda:us-east-1:aws-golang-rest-api-with-dynamodb-dev-list",
      "accountId": "",
      "ruleId": "Lambda-001",
      "provider": "aws",
      "ruleTitle": "Lambda Using Latest Runtime Environment",
      "riskLevel": "MEDIUM",
      "status": "FAILURE",
      "service": "Lambda",
      "description": "Function aws-golang-rest-api-with-dynamodb-dev-list isn't using the latest version of runtime environment",
      "resource": "aws-golang-rest-api-with-dynamodb-dev-list",
      "resourceType": "lambda-function",
      "resourceId": "aws-golang-rest-api-with-dynamodb-dev-list",
      "ignored": false,
      "categories": ["security", "reliability", "sustainability"],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "ENISA",
        "FISC-V9"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/Lambda/runtime-environment.html"
    }
  ],
  "missingParameters": [],
  "skippedRules": []
}