Aws

IAM 역활 특정 정책을 제외하고 모두 REVOKE

wngnl05 2024. 12. 27. 14:57

CloudTrail 추적을 생성하고 CloudWatch 로그그룹을 연결해줍니다.

CloudWatch 로그그룹으로 이동해서 "지표 필터" > "지표 필터 생성"을 눌러줍니다.

{($.eventName=AttachRolePolicy)&&($.userIdentity.userName=Employee)}

필터를 생성하고

"경보 생성"을 눌러줍니다.

 

이제 람다 함수를 만들어줍니다.

람다 함수에 트리거를 CloudWatch LogGroup으로 하고 아래 핉터를 적용시켜 줍니다.

{($.eventName=AttachRolePolicy)&&($.userIdentity.userName=Employee)}

Lambda Python Code

람다의 제한 시간을 45초로 수정해주세요.

더보기 
import boto3
import os
import time

iam_client = boto3.client('iam')

def lambda_handler(event, context):
    
    role_name = 'wsc2024-instance-role'
    policy_to_keep_arn = 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'

    attached_policies = iam_client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
    
    for policy in attached_policies:
        policy_arn = policy['PolicyArn']
        
        if policy_arn != policy_to_keep_arn:
            iam_client.detach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
            print(f"Detached policy: {policy_arn}")
        else:
            print(f"Kept policy: {policy_arn}")
import boto3
import os
import time

cloudwatch_client = boto3.client('cloudwatch')
alarm_name = 'wsc2024-gvn-alarm'

def lambda_handler(event, context):
    time.sleep(40)
    while True:
        time.sleep(5)
        cloudwatch_client.set_alarm_state(
            AlarmName=alarm_name,
            StateValue='OK',
            StateReason='Lambda function completed successfully and detached unnecessary policies.'
        )
        print("Alarm Status is OK")
aws lambda add-permission \
--function-name <람다 이름> \
--statement-id cloudwatch-invoke-ok \
--action "lambda:InvokeFunction" \
--principal "lambda.alarms.cloudwatch.amazonaws.com" \
--source-arn "<CloudWatch Alarm ARN>"

 

CloudWatch Alram 경보에서 "편집"을 누르고 "경보 상태"일때 Lambda를 실해하도록 수정해주세요.

 

확인

rm -rf ~/.aws/*
USERNAME="Employee"
CREATED_KEYS=$(aws iam create-access-key --user-name "$USERNAME")
ACCESS_KEY_ID=$(echo "$CREATED_KEYS" | jq -r '.AccessKey.AccessKeyId')
SECRET_ACCESS_KEY=$(echo "$CREATED_KEYS" | jq -r '.AccessKey.SecretAccessKey')
aws configure set aws_access_key_id "$ACCESS_KEY_ID"
aws configure set aws_secret_access_key "$SECRET_ACCESS_KEY"
sleep 10
aws iam attach-role-policy --role-name wsc2024-instance-role --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
rm -rf ~/.aws/*
timeout 180 bash -c 'while [ "$(aws cloudwatch describe-alarms --alarm-names "wsc2024-gvn-alarm" --query "MetricAlarms[0].StateValue" --output text)" != "ALARM" ]; do echo "Waiting for alarm to enter ALARM state..."; sleep 30; done; echo "Alarm is now in ALARM state."'
aws iam list-attached-role-policies --role-name wsc2024-instance-role
echo =====================================
USERNAME="Admin"
CREATED_KEYS=$(aws iam create-access-key --user-name "$USERNAME")
ACCESS_KEY_ID=$(echo "$CREATED_KEYS" | jq -r '.AccessKey.AccessKeyId')
SECRET_ACCESS_KEY=$(echo "$CREATED_KEYS" | jq -r '.AccessKey.SecretAccessKey')
aws configure set aws_access_key_id "$ACCESS_KEY_ID"
aws configure set aws_secret_access_key "$SECRET_ACCESS_KEY"
sleep 10
aws iam attach-role-policy --role-name wsc2024-instance-role --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
rm -rf ~/.aws/*
sleep 180 && aws cloudwatch describe-alarms --alarm-names "wsc2024-gvn-alarm" --query "MetricAlarms[0].StateValue" --output text
aws iam list-attached-role-policies --role-name wsc2024-instance-role

 

 

 

 

 

 

 

 

 

 

 

 

 

저작자표시 비영리 변경금지