Doc AWS SDK 예제 GitHub 리포지토리에서 더 많은 SDK 예제를 사용할 수 있습니다. AWS
기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
SDK for Python (Boto3)을 사용한 Audit Manager 예제
다음 코드 예제에서는 Audit Manager와 AWS SDK for Python (Boto3) 함께를 사용하여 작업을 수행하고 일반적인 시나리오를 구현하는 방법을 보여줍니다.
시나리오는 동일한 서비스 내에서 또는 다른 AWS 서비스와 결합된 상태에서 여러 함수를 호출하여 특정 태스크를 수행하는 방법을 보여주는 코드 예제입니다.
각 예시에는 전체 소스 코드에 대한 링크가 포함되어 있으며, 여기에서 컨텍스트에 맞춰 코드를 설정하고 실행하는 방법에 대한 지침을 찾을 수 있습니다.
주제
시나리오
다음 코드 예제는 다음과 같은 작업을 수행하는 방법을 보여줍니다.
AWS Config 적합성 팩 목록을 가져옵니다.
적합성 팩의 각 관리 규칙에 대해 Audit Manager 사용자 지정 컨트롤을 생성합니다.
제어 기능이 포함된 Audit Manager 사용자 지정 프레임워크를 생성합니다.
- SDK for Python (Boto3)
-
참고
GitHub에 더 많은 내용이 있습니다. AWS 코드 예시 리포지토리
에서 전체 예시를 찾고 설정 및 실행하는 방법을 배워보세요. import logging import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) class ConformancePack: def __init__(self, config_client, auditmanager_client): self.config_client = config_client self.auditmanager_client = auditmanager_client def get_conformance_pack(self): """ Return a selected conformance pack from the list of conformance packs. :return: selected conformance pack """ try: conformance_packs = self.config_client.describe_conformance_packs() print( "Number of conformance packs fetched: ", len(conformance_packs.get("ConformancePackDetails")), ) print("Fetched the following conformance packs: ") all_cpack_names = { cp["ConformancePackName"] for cp in conformance_packs.get("ConformancePackDetails") } for pack in all_cpack_names: print(f"\t{pack}") cpack_name = input( "Provide ConformancePackName that you want to create a custom " "framework for: " ) if cpack_name not in all_cpack_names: print(f"{cpack_name} is not in the list of conformance packs!") print( "Provide a conformance pack name from the available list of " "conformance packs." ) raise Exception("Invalid conformance pack") print("-" * 88) except ClientError: logger.exception("Couldn't select conformance pack.") raise else: return cpack_name def create_custom_controls(self, cpack_name): """ Create custom controls for all managed AWS Config rules in a conformance pack. :param cpack_name: The name of the conformance pack to create controls for. :return: The list of custom control IDs. """ try: rules_in_pack = self.config_client.describe_conformance_pack_compliance( ConformancePackName=cpack_name ) print( "Number of rules in the conformance pack: ", len(rules_in_pack.get("ConformancePackRuleComplianceList")), ) for rule in rules_in_pack.get("ConformancePackRuleComplianceList"): print(f"\t{rule.get('ConfigRuleName')}") print("-" * 88) print( "Creating a custom control for each rule and a custom framework " "consisting of these rules in Audit Manager." ) am_controls = [] for rule in rules_in_pack.get("ConformancePackRuleComplianceList"): config_rule = self.config_client.describe_config_rules( ConfigRuleNames=[rule.get("ConfigRuleName")] ) source_id = ( config_rule.get("ConfigRules")[0] .get("Source", {}) .get("SourceIdentifier") ) custom_control = self.auditmanager_client.create_control( name="Config-" + rule.get("ConfigRuleName"), controlMappingSources=[ { "sourceName": "ConfigRule", "sourceSetUpOption": "System_Controls_Mapping", "sourceType": "AWS_Config", "sourceKeyword": { "keywordInputType": "SELECT_FROM_LIST", "keywordValue": source_id, }, } ], ).get("control", {}) am_controls.append({"id": custom_control.get("id")}) print("Successfully created a control for each config rule.") print("-" * 88) except ClientError: logger.exception("Failed to create custom controls.") raise else: return am_controls def create_custom_framework(self, cpack_name, am_control_ids): """ Create a custom Audit Manager framework from a selected AWS Config conformance pack. :param cpack_name: The name of the conformance pack to create a framework from. :param am_control_ids: The IDs of the custom controls created from the conformance pack. """ try: print("Creating custom framework...") custom_framework = self.auditmanager_client.create_assessment_framework( name="Config-Conformance-pack-" + cpack_name, controlSets=[{"name": cpack_name, "controls": am_control_ids}], ) print( f"Successfully created the custom framework: ", f"{custom_framework.get('framework').get('name')}: ", f"{custom_framework.get('framework').get('id')}", ) print("-" * 88) except ClientError: logger.exception("Failed to create custom framework.") raise def run_demo(): print("-" * 88) print("Welcome to the AWS Audit Manager custom framework demo!") print("-" * 88) print( "You can use this sample to select a conformance pack from AWS Config and " "use AWS Audit Manager to create a custom control for all the managed " "rules under the conformance pack. A custom framework is also created " "with these controls." ) print("-" * 88) conf_pack = ConformancePack(boto3.client("config"), boto3.client("auditmanager")) cpack_name = conf_pack.get_conformance_pack() am_controls = conf_pack.create_custom_controls(cpack_name) conf_pack.create_custom_framework(cpack_name, am_controls) if __name__ == "__main__": run_demo()-
API 세부 정보는 AWS SDK for Python (Boto3) API 참조의 다음 주제를 참조하세요.
-
다음 코드 예제에서는 다음과 같은 작업을 수행하는 방법을 보여줍니다.
Security Hub를 데이터 소스로 사용하는 모든 표준 컨트롤 기능의 목록을 가져옵니다.
제어 기능이 포함된 Audit Manager 사용자 지정 프레임워크를 생성합니다.
- SDK for Python (Boto3)
-
참고
GitHub에 더 많은 내용이 있습니다. AWS 코드 예시 리포지토리
에서 전체 예시를 찾고 설정 및 실행하는 방법을 배워보세요. import logging import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) class SecurityHub: def __init__(self, auditmanager_client): self.auditmanager_client = auditmanager_client def get_sechub_controls(self): """ Gets the list of controls that use Security Hub as their data source. :return: The list of Security Hub controls. """ print("-" * 88) next_token = None page = 1 sechub_control_list = [] while True: print("Page [" + str(page) + "]") if next_token is None: control_list = self.auditmanager_client.list_controls( controlType="Standard", maxResults=100 ) else: control_list = self.auditmanager_client.list_controls( controlType="Standard", nextToken=next_token, maxResults=100 ) print("Total controls found:", len(control_list.get("controlMetadataList"))) for control in control_list.get("controlMetadataList"): control_details = self.auditmanager_client.get_control( controlId=control.get("id") ).get("control", {}) if "AWS Security Hub" in control_details.get("controlSources"): sechub_control_list.append({"id": control_details.get("id")}) next_token = control_list.get("nextToken") if not next_token: break page += 1 print("Number of Security Hub controls found: ", len(sechub_control_list)) return sechub_control_list def create_custom_framework(self, am_controls): """ Create a custom framework with a list of controls. :param am_controls: The list of controls to include in the framework. """ try: print("Creating custom framework...") custom_framework = self.auditmanager_client.create_assessment_framework( name="All Security Hub Controls Framework", controlSets=[{"name": "Security-Hub", "controls": am_controls}], ) print( f"Successfully created the custom framework: " f"{custom_framework.get('framework').get('name')}: " f"{custom_framework.get('framework').get('id')}" ) print("-" * 88) except ClientError: logger.exception("Failed to create custom framework.") raise def run_demo(): print("-" * 88) print("Welcome to the AWS Audit Manager Security Hub demo!") print("-" * 88) print(" This script creates a custom framework with all Security Hub controls.") print("-" * 88) sechub = SecurityHub(boto3.client("auditmanager")) am_controls = sechub.get_sechub_controls() sechub.create_custom_framework(am_controls) if __name__ == "__main__": run_demo()-
API 세부 정보는 AWS SDK for Python (Boto3) API 참조의 다음 주제를 참조하세요.
-
다음 코드 예제에서는 1일간의 증거를 포함하는 Audit Manager 평가 보고서를 생성하는 방법을 보여줍니다.
- SDK for Python (Boto3)
-
참고
GitHub에 더 많은 내용이 있습니다. AWS 코드 예시 리포지토리
에서 전체 예시를 찾고 설정 및 실행하는 방법을 배워보세요. import dateutil.parser import logging import time import urllib.request import uuid import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) class AuditReport: def __init__(self, auditmanager_client): self.auditmanager_client = auditmanager_client def get_input(self): print("-" * 40) try: assessment_id = input("Provide assessment id [uuid]: ").lower() try: assessment_uuid = uuid.UUID(assessment_id) except ValueError: logger.error("Assessment Id is not a valid UUID: %s", assessment_id) raise evidence_folder = input("Provide evidence date [yyyy-mm-dd]: ") try: evidence_date = dateutil.parser.parse(evidence_folder).date() except ValueError: logger.error("Invalid date : %s", evidence_folder) raise try: self.auditmanager_client.get_assessment( assessmentId=str(assessment_uuid) ) except ClientError: logger.exception("Couldn't get assessment %s.", assessment_uuid) raise except (ValueError, ClientError): return None, None else: return assessment_uuid, evidence_date def clear_staging(self, assessment_uuid, evidence_date): """ Find all the evidence in the report and clear it. """ next_token = None page = 1 interested_folder_id_list = [] while True: print(f"Page [{page}]") if next_token is None: folder_list = ( self.auditmanager_client.get_evidence_folders_by_assessment( assessmentId=str(assessment_uuid), maxResults=1000 ) ) else: folder_list = ( self.auditmanager_client.get_evidence_folders_by_assessment( assessmentId=str(assessment_uuid), nextToken=next_token, maxResults=1000, ) ) folders = folder_list.get("evidenceFolders") print(f"Got {len(folders)} folders.") for folder in folders: folder_id = folder.get("id") if folder.get("name") == str(evidence_date): interested_folder_id_list.append(folder_id) if folder.get("assessmentReportSelectionCount") == folder.get( "totalEvidence" ): print( f"Removing folder from report selection : {folder.get('name')} " f"{folder_id} {folder.get('controlId')}" ) self.auditmanager_client.disassociate_assessment_report_evidence_folder( assessmentId=str(assessment_uuid), evidenceFolderId=folder_id ) elif folder.get("assessmentReportSelectionCount") > 0: # Get all evidence in the folder and # add selected evidence in the selected_evidence_list. evidence_list = ( self.auditmanager_client.get_evidence_by_evidence_folder( assessmentId=str(assessment_uuid), controlSetId=folder_id, evidenceFolderId=folder_id, maxResults=1000, ) ) selected_evidence_list = [] for evidence in evidence_list.get("evidence"): if evidence.get("assessmentReportSelection") == "Yes": selected_evidence_list.append(evidence.get("id")) print( f"Removing evidence report selection : {folder.get('name')} " f"{len(selected_evidence_list)}" ) self.auditmanager_client.batch_disassociate_assessment_report_evidence( assessmentId=str(assessment_uuid), evidenceFolderId=folder_id, evidenceIds=selected_evidence_list, ) next_token = folder_list.get("nextToken") if not next_token: break page += 1 return interested_folder_id_list def add_folder_to_staging(self, assessment_uuid, folder_id_list): print(f"Adding folders to report : {folder_id_list}") for folder in folder_id_list: self.auditmanager_client.associate_assessment_report_evidence_folder( assessmentId=str(assessment_uuid), evidenceFolderId=folder ) def get_report(self, assessment_uuid): report = self.auditmanager_client.create_assessment_report( name="ReportViaScript", description="testing", assessmentId=str(assessment_uuid), ) if self._is_report_generated(report.get("assessmentReport").get("id")): report_url = self.auditmanager_client.get_assessment_report_url( assessmentReportId=report.get("assessmentReport").get("id"), assessmentId=str(assessment_uuid), ) print(report_url.get("preSignedUrl")) urllib.request.urlretrieve( report_url.get("preSignedUrl").get("link"), report_url.get("preSignedUrl").get("hyperlinkName"), ) print( f"Report saved as {report_url.get('preSignedUrl').get('hyperlinkName')}." ) else: print("Report generation did not finish in 15 minutes.") print( "Failed to download report. Go to the console and manually download " "the report." ) def _is_report_generated(self, assessment_report_id): max_wait_time = 0 while max_wait_time < 900: print(f"Checking status of the report {assessment_report_id}") report_list = self.auditmanager_client.list_assessment_reports(maxResults=1) if ( report_list.get("assessmentReports")[0].get("id") == assessment_report_id and report_list.get("assessmentReports")[0].get("status") == "COMPLETE" ): return True print("Sleeping for 5 seconds...") time.sleep(5) max_wait_time += 5 def run_demo(): print("-" * 88) print("Welcome to the AWS Audit Manager samples demo!") print("-" * 88) print( "This script creates an assessment report for an assessment with all the " "evidence collected on the provided date." ) print("-" * 88) report = AuditReport(boto3.client("auditmanager")) assessment_uuid, evidence_date = report.get_input() if assessment_uuid is not None and evidence_date is not None: folder_id_list = report.clear_staging(assessment_uuid, evidence_date) report.add_folder_to_staging(assessment_uuid, folder_id_list) report.get_report(assessment_uuid) if __name__ == "__main__": run_demo()-
API 세부 정보는 AWS SDK for Python (Boto3) API 참조의 다음 주제를 참조하세요.
-
