• Can be automated using Systems Manager and similar tools
• Prior preparation, such as creating the Automation document, is required
  https://dev.classmethod.jp/cloud/aws/workflow-to-add-temporary-privilege-by-ssm-automation/
Example: side encryption
  Rule: Kinesis should have encrypted=true
Example: Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
  Rule: SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=3389 and portTo>=3389]
Example: Ensure IAM policies are attached only to groups or roles
  Rule: IamUser where not (name regexMatch /^<root_account>$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()
{
  "findingKey": "xxxxxxxxxxxxxxxxx",
  "Rules violations found": [
    {
      "Rule": "Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)",
      "ID": "sg-xxxxxxxxxxxxxxxxx",
      "Name": "dome9-test-sg",
      "Remediation": "sg_single_rule_delete",
      "Execution status": "passed",
      "Bot message": "Split matching for the port to be remediated is set to False. If the port is contained within a larger scope, it will be skipped.\nThe protocol to be removed is TCP\nScope to be removed found: 0.0.0.0/0 \nThe rule to be removed is going to be for inbound traffic\nPort to be removed: 22 \nMatching rule found that is going to be deleted. Protocol:TCP Direction:inbound Port: 22 Scope:0.0.0.0/0\nSecurity Group rule from port 22 to port 22 successfully removed\n"
    }
  ]
}
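The following is an added example, not code from the slides and not Dome9's or CloudGuard's own implementation. It models in plain Python what the two rules above and the bot output describe: the security-group predicate (scope = '0.0.0.0/0' and port <= N and portTo >= N) and the IAM-user predicate, plus the remediation decision the bot message explains, where an exact single-port rule is deleted but a wider port range that merely contains the target port is skipped unless "split matching" is enabled. The data classes, function names, the split behaviour and all sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

OPEN_WORLD = "0.0.0.0/0"


@dataclass(frozen=True)
class InboundRule:
    """One security-group ingress rule (assumed shape, not an SDK type)."""
    protocol: str
    port: int       # the GSL 'port' (from-port)
    port_to: int    # the GSL 'portTo' (to-port)
    scope: str      # source CIDR


@dataclass
class SecurityGroup:
    group_id: str
    name: str
    inbound_rules: list = field(default_factory=list)


def violates_open_port(rule: InboundRule, target_port: int) -> bool:
    """The bracket predicate of the slide's RDP rule, generalised to any port:
    scope = '0.0.0.0/0' and port <= target and portTo >= target."""
    return rule.scope == OPEN_WORLD and rule.port <= target_port <= rule.port_to


def find_violations(groups, target_port):
    """Return (group_id, rule) for every inbound rule that trips the predicate."""
    return [(sg.group_id, r) for sg in groups for r in sg.inbound_rules
            if violates_open_port(r, target_port)]


def plan_remediation(sg, target_port, protocol="tcp", split_matching=False):
    """Decide what a single-rule-delete bot may touch, following the bot message:
    an exact single-port rule is deleted; a wider range containing the port is
    skipped while split matching is off, or split around the port when it is on
    (hypothetical behaviour for the split case). Returns (delete, add, skipped)."""
    delete, add, skipped = [], [], []
    for r in sg.inbound_rules:
        if r.protocol.lower() != protocol or not violates_open_port(r, target_port):
            continue
        if r.port == r.port_to == target_port:
            delete.append(r)
        elif split_matching:
            delete.append(r)
            if r.port < target_port:
                add.append(InboundRule(r.protocol, r.port, target_port - 1, r.scope))
            if r.port_to > target_port:
                add.append(InboundRule(r.protocol, target_port + 1, r.port_to, r.scope))
        else:
            skipped.append(r)
    return delete, add, skipped


def apply_plan(sg, delete, add):
    """Return a new group with the plan applied; the input group is not mutated."""
    remaining = [r for r in sg.inbound_rules if r not in delete]
    return SecurityGroup(sg.group_id, sg.name, remaining + add)


ROOT_ACCOUNT = re.compile(r"^<root_account>$", re.IGNORECASE)


def iam_users_with_direct_policies(users):
    """The slide's IAM rule: every IamUser except <root_account> should have
    managedPolicies isEmpty() and inlinePolicies isEmpty(). users is a list of
    dicts with keys name, managedPolicies, inlinePolicies (assumed shape)."""
    return [u["name"] for u in users
            if not ROOT_ACCOUNT.match(u["name"])
            and (u["managedPolicies"] or u["inlinePolicies"])]


# Constructed sample data: the open SSH rule from the finding above plus the
# cases the bot message warns about.
SAMPLE_SG = SecurityGroup("sg-xxxxxxxxxxxxxxxxx", "dome9-test-sg", [
    InboundRule("tcp", 22, 22, OPEN_WORLD),        # exact match: deletable
    InboundRule("tcp", 3000, 4000, OPEN_WORLD),    # contains 3389: skipped unless split
    InboundRule("tcp", 443, 443, OPEN_WORLD),      # neither rule cares about it
    InboundRule("tcp", 3389, 3389, "10.0.0.0/8"),  # RDP, but not world-open
])
SAMPLE_USERS = [
    {"name": "<root_account>", "managedPolicies": ["AdministratorAccess"], "inlinePolicies": []},
    {"name": "alice", "managedPolicies": ["ReadOnlyAccess"], "inlinePolicies": []},
    {"name": "bob", "managedPolicies": [], "inlinePolicies": []},
]

if __name__ == "__main__":
    print("RDP violations:", find_violations([SAMPLE_SG], 3389))
    delete, add, skipped = plan_remediation(SAMPLE_SG, 22)
    print("SSH plan: delete", delete, "skipped", skipped)
    print("IAM users with direct policies:", iam_users_with_direct_policies(SAMPLE_USERS))
```

The point worth noticing is the gap between detection and remediation: the 3000-4000 range is reported as an RDP violation by the predicate, yet with split matching off the bot leaves it in place, exactly as its message says, so a "passed" execution status does not by itself mean the finding is closed. The IAM check shows why the regex exclusion matters: the root account entry carries policies but is deliberately outside the rule's scope.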