Amazon GuardDutyのLambda Protectionを全リージョンで有効化するAWS CLIを試してみる

Amazon GuardDutyのLambda Protectionを全リージョンで有効化するAWS CLIを試してみる

Clock Icon2023.04.24

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

先日のアップデートで、AWS GuardDuty の Lambda Protection (Lambda 保護) が利用できるようになりました。早速導入するために、AWS CLI を用いて次のパターンで Lambda 保護を有効化してみました。

  • 単独アカウントの全リージョンの Lambda 保護有効化
  • メンバーアカウントの全リージョンの Lambda 保護有効化
    • 管理者アカウントの有効化
    • 既存メンバーアカウントの有効化
    • 新規メンバーアカウントの有効化


単独アカウントで全リージョン有効化

単独アカウントで全リージョンの Lambda 保護を有効化してみます。

AWS GuardDuty のオプション保護を有効化するコマンドはupdate-detectorです。featuresオプションで Lambda 保護の設定を指定します。


全てのリージョンを有効化する場合は次のコマンドで設定できます。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Enable Lambda protection in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty update-detector \
    --region ${region} \
    --detector-id ${detector} \
    --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
done

実行結果例です(折りたたんでいます)。

実行結果
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Enable Lambda protection in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty update-detector \
>     --region ${region} \
>     --detector-id ${detector} \
>     --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
> done
### Enable Lambda protection in ap-south-1
### Enable Lambda protection in eu-north-1
### Enable Lambda protection in eu-west-3
### Enable Lambda protection in eu-west-2
### Enable Lambda protection in eu-west-1
### Enable Lambda protection in ap-northeast-3
### Enable Lambda protection in ap-northeast-2
### Enable Lambda protection in ap-northeast-1
### Enable Lambda protection in ca-central-1
### Enable Lambda protection in sa-east-1
### Enable Lambda protection in ap-southeast-1
### Enable Lambda protection in ap-southeast-2
### Enable Lambda protection in eu-central-1
### Enable Lambda protection in us-east-1
### Enable Lambda protection in us-east-2
### Enable Lambda protection in us-west-1
### Enable Lambda protection in us-west-2


オプション保護の設定状況はget-detectorコマンドで確認できます。


全リージョンの Lambda 保護の設定状況を次のコマンドで確認できます。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Get Lambda protection in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty get-detector \
    --region ${region} \
    --detector-id ${detector} \
    --query "Features[8]"
done

実行結果例です(折りたたんでいます)。ENABLEDが有効状態です。

実行結果
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Get Lambda protection in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty get-detector \
>     --region ${region} \
>     --detector-id ${detector} \
>     --query "Features[8]"
> done
### Get Lambda protection in ap-south-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:19+00:00"
}
### Get Lambda protection in eu-north-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:25+00:00"
}
### Get Lambda protection in eu-west-3
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:30+00:00"
}
### Get Lambda protection in eu-west-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:34+00:00"
}
### Get Lambda protection in eu-west-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:40+00:00"
}
### Get Lambda protection in ap-northeast-3
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:43+00:00"
}
### Get Lambda protection in ap-northeast-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:47+00:00"
}
### Get Lambda protection in ap-northeast-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:50+00:00"
}
### Get Lambda protection in ca-central-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:44:55+00:00"
}
### Get Lambda protection in sa-east-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:00+00:00"
}
### Get Lambda protection in ap-southeast-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:05+00:00"
}
### Get Lambda protection in ap-southeast-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:09+00:00"
}
### Get Lambda protection in eu-central-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:14+00:00"
}
### Get Lambda protection in us-east-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:19+00:00"
}
### Get Lambda protection in us-east-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:24+00:00"
}
### Get Lambda protection in us-west-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:28+00:00"
}
### Get Lambda protection in us-west-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2023-04-24T02:45:33+00:00"
}


メンバーアカウントの全リージョン有効化

GuardDuty を管理者アカウントとメンバーアカウントを関連付けて運用している環境で Lambda 保護を有効化してみます。


管理者アカウントの有効化

「単独アカウントで全リージョン有効化」と同様です。


既存メンバーアカウントの有効化

関連付けしているメンバーアカウントの Lambda 保護の有効化は管理者アカウントから設定変更できます。

メンバーアカウントの有効化をするコマンドはupdate-member-detectorsコマンドです。


account-idsに有効化したいアカウントを指定して実行します。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Enable member detectors Lambda protection in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty update-member-detectors \
    --region ${region} \
    --detector-id ${detector} \
    --account-ids "111122223333" "444455556666" \
    --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
done

実行結果例です(折りたたんでいます)。出力結果のアカウント ID は置換しています。

実行結果
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Enable member detectors Lambda protection in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty update-member-detectors \
>     --region ${region} \
>     --detector-id ${detector} \
>     --account-ids "111122223333" "444455556666" \
>     --features Name="LAMBDA_NETWORK_LOGS",Status="ENABLED"
> done
### Enable member detectors Lambda protection in ap-south-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-north-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-3
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-2
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-west-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-3
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-2
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-northeast-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ca-central-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in sa-east-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-southeast-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in ap-southeast-2
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in eu-central-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-east-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-east-2
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-west-1
{
    "UnprocessedAccounts": []
}
### Enable member detectors Lambda protection in us-west-2
{
    "UnprocessedAccounts": []
}


メンバーアカウントのオプション保護の設定状況はget-member-detectorsコマンドで確認できます。


メンバーアカウントの全リージョンの Lambda 保護の設定状況は次のコマンドで確認できます。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Get member detectors Lambda protection in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty get-member-detectors \
    --region ${region} \
    --detector-id ${detector} \
    --account-ids "111122223333" "444455556666" \
    --query "MemberDataSourceConfigurations[*].[{AccountId:AccountId},{Features:Features[8]}]"
done

実行結果例です(折りたたんでいます)。ENABLEDが有効化状態です。

実行結果
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Get member detectors Lambda protection in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty get-member-detectors \
>     --region ${region} \
>     --detector-id ${detector} \
>     --account-ids "111122223333" "444455556666" \
>     --query "MemberDataSourceConfigurations[*].[{AccountId:AccountId},{Features:Features[8]}]"
> done
### Get member detectors Lambda protection in ap-south-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:13:52+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:13:52+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in eu-north-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:13:57+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:13:57+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in eu-west-3
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:03+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:03+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in eu-west-2
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:08+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:08+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in eu-west-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:13+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:13+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ap-northeast-3
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:16+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:16+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ap-northeast-2
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:20+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:20+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ap-northeast-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:23+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:23+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ca-central-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:28+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:28+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in sa-east-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:33+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:33+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ap-southeast-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:38+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:38+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in ap-southeast-2
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:42+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:42+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in eu-central-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:47+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:47+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in us-east-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:52+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:52+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in us-east-2
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:56+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:14:56+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in us-west-1
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:15:06+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:15:06+00:00"
            }
        }
    ]
]
### Get member detectors Lambda protection in us-west-2
[
    [
        {
            "AccountId": "111122223333"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:15:14+00:00"
            }
        }
    ],
    [
        {
            "AccountId": "444455556666"
        },
        {
            "Features": {
                "Name": "LAMBDA_NETWORK_LOGS",
                "Status": "ENABLED",
                "UpdatedAt": "2023-04-24T04:15:14+00:00"
            }
        }
    ]
]


新しいメンバーアカウントの自動有効化

前提として、設定追加前の状態は下記画像の状態を想定しています。この状態から Lambda 保護の自動有効化設定を追加でオンにします。


メンバーアカウントの自動有効化設定はupdate-organization-configurationコマンドで実施します。オプションのfeaturesでオプションサービスの設定を更新します。


全リージョンを一括で有効化設定するコマンドは下記となります。auto-enable-organization-membersオプションは現在の設定に合わせてALLNEWを指定します。今回は、GuardDuty の自動有効化は組織に追加された新しいアカウントのみの設定となるためNEWを指定しています。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Update Lambda protection configuration in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty update-organization-configuration \
    --region ${region} \
    --detector-id ${detector} \
    --auto-enable-organization-members "NEW" \
    --features Name="LAMBDA_NETWORK_LOGS",AutoEnable="NEW"
done

実行結果例です(折りたたんでいます)。

実行結果
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Update Lambda protection configuration in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty update-organization-configuration \
>     --region ${region} \
>     --detector-id ${detector} \
>     --auto-enable-organization-members "NEW" \
>     --features Name="LAMBDA_NETWORK_LOGS",AutoEnable="NEW"
> done
### Update Lambda protection configuration in ap-south-1
### Update Lambda protection configuration in eu-north-1
### Update Lambda protection configuration in eu-west-3
### Update Lambda protection configuration in eu-west-2
### Update Lambda protection configuration in eu-west-1
### Update Lambda protection configuration in ap-northeast-3
### Update Lambda protection configuration in ap-northeast-2
### Update Lambda protection configuration in ap-northeast-1
### Update Lambda protection configuration in ca-central-1
### Update Lambda protection configuration in sa-east-1
### Update Lambda protection configuration in ap-southeast-1
### Update Lambda protection configuration in ap-southeast-2
### Update Lambda protection configuration in eu-central-1
### Update Lambda protection configuration in us-east-1
### Update Lambda protection configuration in us-east-2
### Update Lambda protection configuration in us-west-1
### Update Lambda protection configuration in us-west-2 


自動有効化の設定状況を確認するコマンドはdescribe-organization-configurationです。


全リージョンを一括で確認するコマンドは下記となります。queryオプションで出力結果を絞っています。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Describe Lambda protection configuration in ${region}"
  detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
  aws guardduty describe-organization-configuration  \
    --region ${region} \
    --detector-id ${detector} \
    --query "Features[5]"
done

実行結果例です(折りたたんでいます)。NEWは自動有効化がオンの状態を示します。

実行結果
  $ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Describe Lambda protection configuration in ${region}"
>   detector=$(aws guardduty list-detectors --region ${region} --query "DetectorIds[0]" --output text)
>   aws guardduty describe-organization-configuration  \
>     --region ${region} \
>     --detector-id ${detector} \
>     --query "Features[5]"
> done
### Describe Lambda protection configuration in ap-south-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-north-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-3
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-west-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-3
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-northeast-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ca-central-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in sa-east-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-southeast-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in ap-southeast-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in eu-central-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-east-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-east-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-west-1
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}
### Describe Lambda protection configuration in us-west-2
{
    "Name": "LAMBDA_NETWORK_LOGS",
    "AutoEnable": "NEW"
}


最後に、マネジメントコンソールで単独リージョンの設定後の画面を貼ります。Lambda 保護が有効化状態になっています。

さいごに

AWS GuardDuty で新しいオプションである Lambda 保護が追加されたため、全リージョンで自動有効化する設定を試してみました。メンバーアカウントの有効化のところは関連付けしているメンバーアカウントのアカウント ID も AWS CLI で取得するなどして効率化できるかもしれません。

このブログがどなたかのご参考になれば幸いです。

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.