Feat/#55 Inspector 스캔을 통한 취약점 검사

.gitignore

@@ -28,4 +28,9 @@ ehthumbs.db             # Windows
 .vscode/
 
 # OpenSearch alert 생성 시 생기는 임시 파일
-modules/opensearch/slack_response.json
+modules/opensearch/slack_response.json
+
+
+# OpenSearch alert 생성 시 생기는 임시 파일
+modules/opensearch/slack_response.json
+

management-team-account/inspector-delegation/organizations/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "cloudfence-management-state"
+    key            = "inspector-delegation/organizations.tfstate"
+    region         = "ap-northeast-2"
+    encrypt        = true
+    dynamodb_table = "s3-management-lock"
+  }
+}

management-team-account/inspector-delegation/organizations/main.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+}
+
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+provider "aws" {
+  alias  = "operation"
+  region = "ap-northeast-2"
+}
+
+data "aws_caller_identity" "operation" {
+  provider = aws.operation
+}
+
+resource "aws_inspector2_delegated_admin_account" "this" {
+  account_id = data.aws_caller_identity.operation.account_id
+}

modules/lambda_log_processor/lambda_function.py

@@ -0,0 +1,127 @@
+import os
+import json
+import gzip
+import boto3
+import urllib.request
+import urllib.error
+import requests
+
+# OpenSearch로 로그 전송
+def send_to_opensearch(record: dict):
+    endpoint = os.environ['OPENSEARCH_URL']
+    index    = "security-alerts-" + record.get("eventName", "unknown").lower()
+    url      = f"{endpoint}/{index}/_doc"
+    headers  = {"Content-Type": "application/json"}
+    # 원하는 형태로 문서 구조를 정리
+    doc = {
+        "@timestamp": record.get("eventTime"),
+        "eventName":  record.get("eventName"),
+        "user":       record.get("userIdentity", {}).get("arn"),
+        "sourceIP":   record.get("sourceIPAddress"),
+        "awsRegion":  record.get("awsRegion"),
+        "accountId":  record.get("recipientAccountId"),
+        "raw":        record
+    }
+    resp = requests.post(url, headers=headers, data=json.dumps(doc), timeout=5)
+    resp.raise_for_status()
+
+
+def send_slack_alert(record: dict):
+    webhook_url = os.environ['SLACK_WEBHOOK_URL']
+    user       = record.get("userIdentity", {}).get("arn", "Unknown user")
+    event_name = record.get("eventName", "Unknown event")
+    source_ip  = record.get("sourceIPAddress", "Unknown IP")
+    time       = record.get("eventTime", "Unknown time")
+    region     = record.get("awsRegion", "Unknown region")
+    account    = record.get("recipientAccountId", "Unknown account")
+
+    slack_payload = {
+        "blocks": [
+            {
+                "type": "header",
+                "text": {
+                    "type": "plain_text",
+                    "text": ":rotating_light: AWS Security Alert",
+                    "emoji": True
+                }
+            },
+            {
+                "type": "section",
+                "fields": [
+                    {"type": "mrkdwn", "text": f"*Event:*\n`{event_name}`"},
+                    {"type": "mrkdwn", "text": f"*User:*\n`{user}`"},
+                    {"type": "mrkdwn", "text": f"*Source IP:*\n`{source_ip}`"},
+                    {"type": "mrkdwn", "text": f"*Region:*\n`{region}`"},
+                    {"type": "mrkdwn", "text": f"*Account:*\n`{account}`"},
+                    {"type": "mrkdwn", "text": f"*Time:*\n`{time}`"}
+                ]
+            },
+            {
+                "type": "divider"
+            }
+        ]
+    }
+
+    data = json.dumps(slack_payload).encode('utf-8')
+    req = urllib.request.Request(webhook_url, data=data, headers={'Content-Type': 'application/json'})
+
+    try:
+        with urllib.request.urlopen(req, timeout=5) as response:
+            print("Slack message sent:", response.status)
+    except Exception as e:
+        print("Error sending Slack message:", str(e))
+
+
+def lambda_handler(event, context):
+    print("Received S3 PutObject event:", json.dumps(event, indent=2))
+
+    # 1) EventBridge detail 로부터 버킷과 키 추출
+    detail = event.get("detail", {})
+    bucket = detail.get("requestParameters", {}).get("bucketName")
+    key    = detail.get("requestParameters", {}).get("key")
+
+    if not bucket or not key:
+        print("Bucket or key missing in event detail")
+        return {"statusCode": 400, "body": json.dumps({"error": "Invalid event"})}
+
+    # 2) S3에서 gzip된 CloudTrail 로그 파일 다운로드 및 파싱
+    s3  = boto3.client("s3")
+    try:
+        obj = s3.get_object(Bucket=bucket, Key=key)
+    except Exception as e:
+        print(f"Error fetching object {bucket}/{key}: {e}")
+        return {"statusCode": 500, "body": json.dumps({"error": str(e)})}
+
+    try:
+        with gzip.GzipFile(fileobj=obj["Body"]) as gz:
+            log_data = json.load(gz)
+    except Exception as e:
+        print(f"Error decompressing/parsing CloudTrail log: {e}")
+        return {"statusCode": 500, "body": json.dumps({"error": str(e)})}
+
+    # 3) 각 레코드별 필터링 및 Slack 알림
+    alert_events = {
+        "DeleteUser", "DeleteRole", "DeleteLoginProfile",
+        "StopLogging", "DeleteTrail",
+        "DeactivateMFADevice", "DeleteVirtualMFADevice",
+        "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
+        "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress",
+        "AttachUserPolicy", "DetachUserPolicy",
+        "PutUserPolicy", "DeleteUserPolicy",
+        "CreatePolicy", "DeletePolicy",
+        "RunInstances"
+    }
+
+    for record in log_data.get("Records", []):
+        evt = record.get("eventName")
+        if evt in alert_events:
+            send_slack_alert(record)
+            try:
+                send_to_opensearch(record)
+            except Exception as e:
+                print(f"[Warning] OpenSearch indexing failed for {evt}: {e}")
+
+    return {
+        "statusCode": 200,
+        "body": json.dumps({"message": "Processed S3 log and sent alerts."})
+    }

modules/lambda_log_processor/main.tf

@@ -0,0 +1,85 @@
+resource "aws_iam_role" "lambda_exec" {
+  name = "lambda-log-processor-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "lambda.amazonaws.com" }
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "lambda_policy" {
+  name = "lambda-log-policy"
+  role = aws_iam_role.lambda_exec.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowCloudWatchLogs"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowOpenSearchAccess"
+        Effect = "Allow"
+        Action = [
+          "es:ESHttpPost",
+          "es:ESHttpPut",
+          "es:ESHttpGet"
+        ]
+        Resource = "${var.opensearch_domain_arn}/security-alerts-*/*"
+      },
+      {
+        Sid      = "AllowKMSDecrypt"
+        Effect   = "Allow"
+        Action   = ["kms:Decrypt"]
+        Resource = var.kms_key_arn
+      },
+      {
+        Sid      = "AllowS3Read"
+        Effect   = "Allow"
+        Action   = ["s3:GetObject"]
+        Resource = "${var.bucket_arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_lambda_function" "log_processor" {
+  function_name    = var.lambda_function_name
+  handler          = "lambda_function.lambda_handler"
+  runtime          = "python3.11"
+  role             = aws_iam_role.lambda_exec.arn
+  timeout          = 30
+  memory_size      = 256
+  filename         = var.lambda_zip_path
+  source_code_hash = filebase64sha256(var.lambda_zip_path)
+
+  vpc_config {
+    subnet_ids         = var.lambda_subnet_ids
+    security_group_ids = var.lambda_security_group_ids
+  }
+
+  environment {
+    variables = {
+      SLACK_WEBHOOK_URL = var.slack_webhook_url
+      OPENSEARCH_URL    = "https://${var.opensearch_endpoint}"
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_access" {
+  role       = aws_iam_role.lambda_exec.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}

modules/lambda_log_processor/outputs.tf

@@ -0,0 +1,14 @@
+output "lambda_function_name" {
+  value       = aws_lambda_function.log_processor.function_name
+  description = "Name of the deployed Lambda function"
+}
+
+output "lambda_function_role_arn" {
+  value       = aws_iam_role.lambda_exec.arn
+  description = "IAM Role ARN for Lambda execution"
+}
+
+output "lambda_function_arn" {
+  value       = aws_lambda_function.log_processor.arn
+  description = "ARN of the Lambda function"
+}

modules/lambda_log_processor/variables.tf

@@ -0,0 +1,45 @@
+variable "lambda_function_name" {
+  type        = string
+  description = "Name of the Lambda function"
+}
+
+variable "lambda_zip_path" {
+  type        = string
+  description = "Path to the zipped Lambda package"
+}
+
+variable "opensearch_domain_arn" {
+  type        = string
+  description = "ARN of the OpenSearch domain"
+}
+
+variable "opensearch_endpoint" {
+  type        = string
+  description = "OpenSearch endpoint URL"
+}
+
+variable "slack_webhook_url" {
+  type        = string
+  description = "Slack Webhook URL"
+  sensitive   = true
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "KMS key for decrypting Slack secret (if encrypted)"
+}
+
+variable "bucket_arn" {
+  description = "ARN of the S3 bucket for CloudTrail logs"
+  type        = string
+}
+
+variable "lambda_subnet_ids" {
+  description = "List of subnet IDs for the Lambda function to attach to the VPC"
+  type        = list(string)
+}
+
+variable "lambda_security_group_ids" {
+  description = "Security group IDs for the Lambda function in the VPC"
+  type        = list(string)
+}