EC2やVPC,サブネット等々、設計通りにパラメータ設定されているか確認試験時にAWSマネージメントコンソールを画面キャプチャしてエビデンス残しをするのは時間がかかるので。
aws cliの実行ログをエビデンスとして残す際に使えるワンライナーを書きました。エビデンスとして残す際は、あわせて実行日時・対象アカウント（`aws sts get-caller-identity` の出力）・リージョンも同じログに記録しておくと、後から「どのアカウントのいつの状態か」を追えるエビデンスになります。
それぞれ、コマンド冒頭部の "name=" のところに試験対象の名前（Name タグの値）を入れ替えて実行します。
アクセスキー、シークレットアクセスキーの設定は行っていませんので、ワンライナー実行前に設定を済ませておく必要があります。設定にはできるだけ長期のアクセスキーではなく IAM ロールやプロファイル経由の一時的な認証情報を使い、権限は ec2:Describe* などの読み取り専用に絞ってください。また、認証情報を設定するコマンド自体がエビデンス用の実行ログ（script コマンド等で取得するターミナルログ）に残らないよう、設定はログ取得開始前に別途行ってください。
■EC2
name=”インスタンス名“;aws ec2 describe-instances|jq ‘.Reservations[].Instances[]|select(.Tags[].Value == $name )|{AvailabilityZone:.Placement.AvailabilityZone,Name: .Tags[].Value,InstanceType,SubnetId:.NetworkInterfaces[].SubnetId,IAMrole:.IamInstanceProfile.Arn,PriveteIP:.NetworkInterfaces[].PrivateIpAddress,ElasticIP:.NetworkInterfaces[].Association.PublicIp},{SecurityGroup: .SecurityGroups[].GroupName}’ –arg name $name|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’;name2=`aws ec2 describe-instances|jq ‘.Reservations[].Instances[]|select(.Tags[].Value == $name )|.NetworkInterfaces[].SubnetId’ –arg name $name 2>/dev/null|sed -e s/”//g`;aws ec2 describe-subnets|jq ‘.Subnets[]|select(.SubnetId == $name2)|{SubnetName: .Tags[].Value}’ –arg name2 $name2 2>/dev/null|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="hoge";aws ec2 describe-instances|jq '.Reservations[].Instances[]|select(.Tags[].Value == $name )|{AvailabilityZone:.Placement.AvailabilityZone,Name: .Tags[].Value,InstanceType,SubnetId:.NetworkInterfaces[].SubnetId,IAMrole:.IamInstanceProfile.Arn,PriveteIP:.NetworkInterfaces[].PrivateIpAddress,ElasticIP:.NetworkInterfaces[].Association.PublicIp},{SecurityGroup: .SecurityGroups[].GroupName}' --arg name $name|sed -e s/{//g -e s/}//g|sed '/^ *$/d';name2=`aws ec2 describe-instances|jq '.Reservations[].Instances[]|select(.Tags[].Value == $name )|.NetworkInterfaces[].SubnetId' --arg name $name 2>/dev/null|sed -e s/"//g`;aws ec2 describe-subnets|jq '.Subnets[]|select(.SubnetId == $name2)|{SubnetName: .Tags[].Value}' --arg name2 $name2 2>/dev/null|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"ElasticIP": "xxx.xxx.xxx.xxx", Elastic IP
"PriveteIP": "yyy.yyy.yyy.yyy", Private IP
"IAMrole": "arn:aws:iam::XXXXXXXXXXXX:instance-profile/role-hoge", IAM role
"SubnetId": "subnet-XXXXXXXX", 所属サブネットID
"InstanceType": "m3.medium", InstanceType
"Name": "hoge", インスタンス名
"AvailabilityZone": "ap-northeast-1a" 所属AZ
"SecurityGroup": "security01" 割当セキュリティグループ
"SecurityGroup": "security02"
"SecurityGroup": "security03"
"SubnetName": "subnet_public_a" 所属サブネット名
|
■VPC
name=”VPC名“;aws ec2 describe-vpcs|jq ‘.Vpcs[]|select(.Tags[].Value == $name )|{VpcId, Name: .Tags[].Value, CidrBlock}’ –arg name $name|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="hoge-vpc";aws ec2 describe-vpcs|jq '.Vpcs[]|select(.Tags[].Value == $name )|{VpcId, Name: .Tags[].Value, CidrBlock}' --arg name $name|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"CidrBlock": "xxx.xxx.xxx.xxx/xx", VPCのCIDR
"Name": "hoge-vpc", VPC名
"VpcId": "vpc-xxxxxx" VPC ID
|
■subnet
name=”サブネット名“;aws ec2 describe-subnets|jq ‘.Subnets[]|select(.Tags[].Value == $name)|{Name: .Tags[].Value,VpcId,SubnetId,CidrBlock,AvailableIpAddressCount,AvailabilityZone}’ –arg name $name 2>/dev/null|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’;name2=`aws ec2 describe-subnets|jq ‘.Subnets[]|select(.Tags[].Value == $name)|.SubnetId’ –arg name $name 2>/dev/null|sed -e s/”//g`;aws ec2 describe-route-tables|jq ‘.RouteTables[]|select(.Associations[].SubnetId == $name2 )|{RouteTableName: .Tags[].Value}’ –arg name2 $name2|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’;aws ec2 describe-network-acls|jq ‘.NetworkAcls[]|select(.Associations[].SubnetId == $name2 )|{NACLName: .Tags[].Value}’ –arg name2 $name2|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="subnet_hoge";aws ec2 describe-subnets|jq '.Subnets[]|select(.Tags[].Value == $name)|{Name: .Tags[].Value,VpcId,SubnetId,CidrBlock,AvailableIpAddressCount,AvailabilityZone}' --arg name $name 2>/dev/null|sed -e s/{//g -e s/}//g|sed '/^ *$/d';name2=`aws ec2 describe-subnets|jq '.Subnets[]|select(.Tags[].Value == $name)|.SubnetId' --arg name $name 2>/dev/null|sed -e s/"//g`;aws ec2 describe-route-tables|jq '.RouteTables[]|select(.Associations[].SubnetId == $name2 )|{RouteTableName: .Tags[].Value}' --arg name2 $name2|sed -e s/{//g -e s/}//g|sed '/^ *$/d';aws ec2 describe-network-acls|jq '.NetworkAcls[]|select(.Associations[].SubnetId == $name2 )|{NACLName: .Tags[].Value}' --arg name2 $name2|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"AvailabilityZone": "ap-northeast-1a", 所属AZ
"AvailableIpAddressCount": 123, AvailableIp
"CidrBlock": "xxx.xxx.xxx.xxx/xx", サブネットのCIDR
"SubnetId": "subnet-xxxxxxx", サブネットID
"VpcId": "vpc-xxxxxxx", 所属VPCのID
"Name": "subnet_hoge" サブネット名
"RouteTableName": "hoge_Table" 割当ルートテーブル名
"NACLName": "hoge-acl" 割当ネットワークACL名
|
■route table
name=”ルートテーブル名“;aws ec2 describe-route-tables|jq ‘.RouteTables[]|select(.Tags[].Value == $name )|{Routes, Name: .Tags[].Value, RouteTableId}’ –arg name $name|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="hogetable";aws ec2 describe-route-tables|jq '.RouteTables[]|select(.Tags[].Value == $name )|{Routes, Name: .Tags[].Value, RouteTableId}' --arg name $name|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"RouteTableId": "rtb-xxxxxxxx", ルートテーブルID
"Name": "hogetable", ルートテーブル名
"Routes": [ 経路情報(レンジと行き先)
"State": "active",
"DestinationCidrBlock": "xxx.xxx.xxx.xxx/xx",
"GatewayId": "local"
,
"State": "active",
"DestinationCidrBlock": "xxx.xxx.xxx.xxx/xx",
"GatewayId": "igw-xxxxxxxx"
]
|
■ネットワークACL
name=”ネットワークACL名”;aws ec2 describe-network-acls|jq ‘.NetworkAcls[]|select(.Tags[].Value == $name )|{VpcId, Name: .Tags[].Value, Entries}’ –arg name $name|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="hoge-acl";aws ec2 describe-network-acls|jq '.NetworkAcls[]|select(.Tags[].Value == $name )|{VpcId, Name: .Tags[].Value, Entries}' --arg name $name|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"Entries": [ INBOUND/OUTBOUNDのルール("Egress": true = OUTBOUND)
"RuleAction": "allow",
"Egress": true,
"Protocol": "-1",
"RuleNumber": 100,
"CidrBlock": "0.0.0.0/0"
,
"RuleAction": "deny",
"Egress": true,
"Protocol": "-1",
"RuleNumber": 32767,
"CidrBlock": "0.0.0.0/0"
,
"RuleAction": "allow",
"Egress": false,
"Protocol": "-1",
"RuleNumber": 100,
"CidrBlock": "0.0.0.0/0"
,
"RuleAction": "deny",
"Egress": false,
"Protocol": "-1",
"RuleNumber": 32767,
"CidrBlock": "0.0.0.0/0"
],
"Name": "hoge-acl", ネットワークACL名
"VpcId": "vpc-xxxxxx" 所属VPCのID
|
■セキュリティグループ
name=”セキュリティグループ名“;aws ec2 describe-security-groups|jq ‘.SecurityGroups[]|select(.Tags[].Value == $name )|{GroupId,Name: .Tags[].Value,IpPermissions,IpPermissionsEgress}’ –arg name $name 2>/dev/null|sed -e s/{//g -e s/}//g|sed ‘/^ *$/d’
# name="hoge-security";aws ec2 describe-security-groups|jq '.SecurityGroups[]|select(.Tags[].Value == $name )|{GroupId,Name: .Tags[].Value,IpPermissions,IpPermissionsEgress}' --arg name $name 2>/dev/null|sed -e s/{//g -e s/}//g|sed '/^ *$/d'
"IpPermissionsEgress": [ OUTBOUNDのルール
"FromPort": 80,
"UserIdGroupPairs": [],
"IpRanges": [
"CidrIp": "0.0.0.0/0"
],
"IpProtocol": "tcp",
"ToPort": 80
,
"UserIdGroupPairs": [
"GroupId": "sg-xxxxxxxx",
"UserId": "XXXXXXXXXXX"
],
"IpRanges": [],
"IpProtocol": "-1"
,
"FromPort": 443,
"UserIdGroupPairs": [],
"IpRanges": [
"CidrIp": "0.0.0.0/0"
],
"IpProtocol": "tcp",
"ToPort": 443
],
"IpPermissions": [ INBOUNDのルール
"UserIdGroupPairs": [
"GroupId": "sg-xxxxxxxx",
"UserId": "XXXXXXXXXXXX"
],
"IpRanges": [],
"IpProtocol": "-1"
],
"Name": "hoge-security", セキュリティグループ名
"GroupId": "sg-xxxxxxxx" セキュリティグループID
|
元記事は、こちら