About vulnerability scanning - Security
Introducing Bandit - Security
Overview
To keep Python code secure, we introduce Bandit, a tool that detects vulnerabilities in Python code (source: github.com).
1. Install Bandit
$ pip install bandit
2. Run a scan
To scan a single file:
$ bandit sample.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.12.3
Run started:2025-03-02 04:13:10.346367
Test results:
No issues identified.
Code scanned:
Total lines of code: 1
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 0
High: 0
Files skipped (0):
To scan a directory:
$ bandit -r /var/sample_app
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.12.3
Run started:2025-03-02 04:19:39.973820
Test results:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'django-insecure-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
More Info: https://bandit.readthedocs.io/en/1.8.3/plugins/b105_hardcoded_password_string.html
Location: sample_app/sample_app/settings.py:23:13
22 # SECURITY WARNING: keep the secret key used in production secret!
23 SECRET_KEY = 'django-insecure-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
24
--------------------------------------------------
Code scanned:
Total lines of code: 130
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 1
Medium: 0
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 1
High: 0
Files skipped (0):
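Reading the text report by eye works for a one-off run, but in CI the scan has to produce a pass/fail decision. The script below is an added example for this post (it is not part of Bandit): it reads the machine-readable report Bandit emits with `bandit -r <dir> -f json`, keeps only the findings at or above a severity and confidence threshold, and returns a non-zero exit code when any remain. The field names it reads (`results`, `test_id`, `issue_severity`, `issue_confidence`, `filename`, `line_number`, `issue_text`) are the ones in that JSON report; `SAMPLE_REPORT` is a constructed report that mirrors the B105 finding from the directory scan above plus one high-severity finding, so the gate can be exercised offline.

```python
"""Turn a Bandit JSON report into a CI pass/fail decision.

Added example for this post; it is not part of Bandit. Bandit can emit a
machine-readable report with `bandit -r <dir> -f json`; SAMPLE_REPORT is a
constructed report in that shape so the gate can run without Bandit installed.
"""
import json
import subprocess
import sys
from typing import Any

# Rank order Bandit uses for both severity and confidence.
LEVELS = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample of a `bandit -f json` report, trimmed to the fields we read.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "test_id": "B105",
            "test_name": "hardcoded_password_string",
            "issue_severity": "LOW",
            "issue_confidence": "MEDIUM",
            "filename": "sample_app/sample_app/settings.py",
            "line_number": 23,
            "issue_text": "Possible hardcoded password: 'django-insecure-xxxx'",
        },
        {
            "test_id": "B602",
            "test_name": "subprocess_popen_with_shell_equals_true",
            "issue_severity": "HIGH",
            "issue_confidence": "HIGH",
            "filename": "sample_app/tasks.py",
            "line_number": 41,
            "issue_text": "subprocess call with shell=True identified, security issue.",
        },
    ],
    "errors": [],
})
EMPTY_REPORT = '{"results": [], "errors": []}'


def findings_at_or_above(report_json: str, min_severity: str = "MEDIUM",
                         min_confidence: str = "LOW") -> list[dict[str, Any]]:
    """Return findings meeting both thresholds, most severe first."""
    report = json.loads(report_json)
    rank = lambda r: (LEVELS[r["issue_severity"].upper()],
                      LEVELS[r["issue_confidence"].upper()])
    threshold = (LEVELS[min_severity.upper()], LEVELS[min_confidence.upper()])
    selected = [r for r in report.get("results", [])
                if rank(r)[0] >= threshold[0] and rank(r)[1] >= threshold[1]]
    return sorted(selected, key=rank, reverse=True)


def format_finding(r: dict[str, Any]) -> str:
    """One line per finding, in file:line [test] severity/confidence form."""
    return (f"{r['filename']}:{r['line_number']} [{r['test_id']}] "
            f"{r['issue_severity']}/{r['issue_confidence']}: {r['issue_text']}")


def run_bandit(path: str) -> str:
    """Run Bandit on `path` and return the JSON report as text. Bandit exits
    non-zero whenever it reports issues, so its exit status is deliberately
    ignored here; the gate below makes the decision."""
    proc = subprocess.run(["bandit", "-r", path, "-f", "json", "-q"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def gate(report_json: str, min_severity: str = "MEDIUM") -> int:
    """Print the blocking findings and return the exit code for the CI step."""
    hits = findings_at_or_above(report_json, min_severity)
    for r in hits:
        print(format_finding(r))
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python bandit_gate.py [path]   (no path: evaluate the constructed sample)
    report = run_bandit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

With the default thresholds the B105 hardcoded-secret finding (Low severity) is printed only when the gate is lowered to `LOW`; the high-severity finding always blocks. Keep the threshold in one place so a `# nosec` suppression or a raised bar is a reviewable change rather than a silent one.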
Building CI/CD with AWS SAM - AWS
Prerequisites
・The AWS SAM CLI is installed
・You have a GitHub account
1. Create the sample app
$ sam init
You can preselect a particular runtime or package type when using the `sam init` experience.
Call `sam init --help` to learn more.
Which template source would you like to use?
1 - AWS Quick Start Templates
2 - Custom Template Location
Choice: 1
Choose an AWS Quick Start application template
1 - Hello World Example
2 - Data processing
3 - Hello World Example with Powertools for AWS Lambda
4 - Multi-step workflow
5 - Scheduled task
6 - Standalone function
7 - Serverless API
8 - Infrastructure event management
9 - Lambda Response Streaming
10 - Serverless Connector Hello World Example
11 - Multi-step workflow with Connectors
12 - GraphQLApi Hello World Example
13 - Full Stack
14 - Lambda EFS example
15 - DynamoDB Example
16 - Machine Learning
Template: 1
Use the most popular runtime and package type? (python3.13 and zip) [y/N]:
Which runtime would you like to use?
1 - dotnet8
2 - dotnet6
3 - go (provided.al2)
4 - go (provided.al2023)
5 - graalvm.java11 (provided.al2)
6 - graalvm.java17 (provided.al2)
7 - java21
8 - java17
9 - java11
10 - java8.al2
11 - nodejs22.x
12 - nodejs20.x
13 - nodejs18.x
14 - nodejs16.x
15 - python3.9
16 - python3.8
17 - python3.13
18 - python3.12
19 - python3.11
20 - python3.10
21 - ruby3.3
22 - ruby3.2
23 - rust (provided.al2)
24 - rust (provided.al2023)
Runtime: 18
What package type would you like to use?
1 - Zip
2 - Image
Package type: 1
Based on your selections, the only dependency manager available is pip.
We will proceed copying the template using pip.
Would you like to enable X-Ray tracing on the function(s) in your application? [y/N]:
Would you like to enable monitoring using CloudWatch Application Insights?
For more info, please view https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html [y/N]:
Would you like to set Structured Logging in JSON format on your Lambda functions? [y/N]:
Project name [sam-app]:
-----------------------
Generating application:
-----------------------
Name: sam-app
Runtime: python3.12
Architectures: x86_64
Dependency Manager: pip
Application Template: hello-world
Output Directory: .
Configuration file: sam-app/samconfig.toml
Next steps can be found in the README file at sam-app/README.md
Commands you can use next
=========================
[*] Create pipeline: cd sam-app && sam pipeline init --bootstrap
[*] Validate SAM template: cd sam-app && sam validate
[*] Test Function in the Cloud: cd sam-app && sam sync --stack-name {stack-name} --watch
SAM CLI update available (1.132.0); (1.131.0 installed)
To download: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html
2. Push to GitHub
After creating a "sam-app" repository on GitHub, push the sample app to it.
$ cd sam-app
$ git init
$ git remote add origin https://github.com/{GitHubユーザー名}/sam-app.git
$ git add .
$ git commit -m 'Initial commit'
$ git push origin main
3. Build the pipeline
$ sam pipeline init --bootstrap
sam pipeline init generates a pipeline configuration file that your CI/CD system
can use to deploy serverless applications using AWS SAM.
We will guide you through the process to bootstrap resources for each stage,
then walk through the details necessary for creating the pipeline config file.
Please ensure you are in the root folder of your SAM application before you begin.
Select a pipeline template to get started:
1 - AWS Quick Start Pipeline Templates
2 - Custom Pipeline Template Location
Choice: 1
Cloning from https://github.com/aws/aws-sam-cli-pipeline-init-templates.git (process may take a moment)
Select CI/CD system
1 - Jenkins
2 - GitLab CI/CD
3 - GitHub Actions
4 - Bitbucket Pipelines
5 - AWS CodePipeline
Choice: 3
You are using the 2-stage pipeline template.
_________ _________
| | | |
| Stage 1 |->| Stage 2 |
|_________| |_________|
Checking for existing stages...
[!] None detected in this account.
Do you want to go through stage setup process now? If you choose no, you can still reference other bootstrapped resources. [Y/n]:
For each stage, we will ask for [1] stage definition, [2] account details, and [3]
reference application build resources in order to bootstrap these pipeline
resources.
We recommend using an individual AWS account profiles for each stage in your
pipeline. You can set these profiles up using aws configure or ~/.aws/credentials. See
[https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started-set-up-credentials.html].
Stage 1 Setup
[1] Stage definition
Enter a configuration name for this stage. This will be referenced later when you use the sam pipeline init command:
Stage configuration name: dev
[2] Account details
The following AWS credential sources are available to use.
To know more about configuration AWS credentials, visit the link below:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
1 - Environment variables (not available)
2 - maya (named profile)
q - Quit and configure AWS credentials
Select a credential source to associate with this stage: 2
Associated account {AWSアカウントID} with configuration dev.
Enter the region in which you want these resources to be created [us-east-1]: ap-northeast-1
Select a user permissions provider:
1 - IAM (default)
2 - OpenID Connect (OIDC)
Choice (1, 2):
Enter the pipeline IAM user ARN if you have previously created one, or we will create one for you []:
[3] Reference application build resources
Enter the pipeline execution role ARN if you have previously created one, or we will create one for you []:
Enter the CloudFormation execution role ARN if you have previously created one, or we will create one for you []:
Please enter the artifact bucket ARN for your Lambda function. If you do not have a bucket, we will create one for you []:
Does your application contain any IMAGE type Lambda functions? [y/N]:
[4] Summary
Below is the summary of the answers:
1 - Account: {AWSアカウントID}
2 - Stage configuration name: dev
3 - Region: ap-northeast-1
4 - Pipeline user: [to be created]
5 - Pipeline execution role: [to be created]
6 - CloudFormation execution role: [to be created]
7 - Artifacts bucket: [to be created]
8 - ECR image repository: [skipped]
Press enter to confirm the values above, or select an item to edit the value:
This will create the following required resources for the 'dev' configuration:
- Pipeline IAM user
- Pipeline execution role
- CloudFormation execution role
- Artifact bucket
Should we proceed with the creation? [y/N]: y
Updating the required resources...
Successfully updated!
The following resources were created in your account:
- Pipeline execution role
- CloudFormation execution role
- Artifact bucket
- Pipeline IAM user
Pipeline IAM user credential: # Make a note of the Pipeline IAM user's credentials
AWS_ACCESS_KEY_ID: {アクセスキーID}
AWS_SECRET_ACCESS_KEY: {シークレットアクセスキー}
View the definition in .aws-sam/pipeline/pipelineconfig.toml,
run sam pipeline bootstrap to generate another set of resources, or proceed to
sam pipeline init to create your pipeline configuration file.
Before running sam pipeline init, we recommend first setting up AWS credentials
in your CI/CD account. Read more about how to do so with your provider in
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-generating-example-ci-cd-others.html.
Checking for existing stages...
Only 1 stage(s) were detected, fewer than what the template requires: 2. If these are incorrect, delete .aws-sam/pipeline/pipelineconfig.toml and rerun
Do you want to go through stage setup process now? If you choose no, you can still reference other bootstrapped resources. [Y/n]:
For each stage, we will ask for [1] stage definition, [2] account details, and [3]
reference application build resources in order to bootstrap these pipeline
resources.
We recommend using an individual AWS account profiles for each stage in your
pipeline. You can set these profiles up using aws configure or ~/.aws/credentials. See
[https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started-set-up-credentials.html].
Stage 2 Setup
[1] Stage definition
Enter a configuration name for this stage. This will be referenced later when you use the sam pipeline init command:
Stage configuration name: prod
[2] Account details
The following AWS credential sources are available to use.
To know more about configuration AWS credentials, visit the link below:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
1 - Environment variables (not available)
2 - maya (named profile)
q - Quit and configure AWS credentials
Select a credential source to associate with this stage: 2
Associated account {AWSアカウントID} with configuration prod.
Enter the region in which you want these resources to be created [us-east-1]: ap-northeast-1
Pipeline IAM user ARN: arn:aws:iam::{AWSアカウントID}:user/aws-sam-cli-managed-dev-pipeline-resou-PipelineUser-xxxxxxxxxxxx
[3] Reference application build resources
Enter the pipeline execution role ARN if you have previously created one, or we will create one for you []:
Enter the CloudFormation execution role ARN if you have previously created one, or we will create one for you []:
Please enter the artifact bucket ARN for your Lambda function. If you do not have a bucket, we will create one for you []:
Does your application contain any IMAGE type Lambda functions? [y/N]:
[4] Summary
Below is the summary of the answers:
1 - Account: {AWSアカウントID}
2 - Stage configuration name: prod
3 - Region: ap-northeast-1
4 - Pipeline user ARN: arn:aws:iam::{AWSアカウントID}:user/aws-sam-cli-managed-dev-pipeline-resou-PipelineUser-xxxxxxxxxxxx
5 - Pipeline execution role: [to be created]
6 - CloudFormation execution role: [to be created]
7 - Artifacts bucket: [to be created]
8 - ECR image repository: [skipped]
Press enter to confirm the values above, or select an item to edit the value:
This will create the following required resources for the 'prod' configuration:
- Pipeline execution role
- CloudFormation execution role
- Artifact bucket
Should we proceed with the creation? [y/N]: y
Updating the required resources...
Successfully updated!
The following resources were created in your account:
- Pipeline execution role
- CloudFormation execution role
- Artifact bucket
View the definition in .aws-sam/pipeline/pipelineconfig.toml,
run sam pipeline bootstrap to generate another set of resources, or proceed to
sam pipeline init to create your pipeline configuration file.
Checking for existing stages...
2 stage(s) were detected, matching the template requirements. If these are incorrect, delete .aws-sam/pipeline/pipelineconfig.toml and rerun
This template configures a pipeline that deploys a serverless application to a testing and a production stage.
What is the GitHub secret name for pipeline user account access key ID? [AWS_ACCESS_KEY_ID]:
What is the GitHub Secret name for pipeline user account access key secret? [AWS_SECRET_ACCESS_KEY]:
What is the git branch used for production deployments? [main]:
What is the template file path? [template.yaml]:
We use the stage configuration name to automatically retrieve the bootstrapped resources created when you ran `sam pipeline bootstrap`.
Here are the stage configuration names detected in .aws-sam/pipeline/pipelineconfig.toml:
1 - dev
2 - prod
Select an index or enter the stage 1's configuration name (as provided during the bootstrapping): 1
What is the sam application stack name for stage 1? [sam-app]: sam-app-dev
Stage 1 configured successfully, configuring stage 2.
Here are the stage configuration names detected in .aws-sam/pipeline/pipelineconfig.toml:
1 - dev
2 - prod
Select an index or enter the stage 2's configuration name (as provided during the bootstrapping): 2
What is the sam application stack name for stage 2? [sam-app]: sam-app-prod
Stage 2 configured successfully.
SUMMARY
We will generate a pipeline config file based on the following information:
Select a user permissions provider.: AWS IAM
What is the GitHub secret name for pipeline user account access key ID?: test
What is the GitHub Secret name for pipeline user account access key secret?: test
What is the git branch used for production deployments?: main
What is the template file path?: template.yaml
Select an index or enter the stage 1's configuration name (as provided during the bootstrapping): 1
What is the sam application stack name for stage 1?: sam-app-dev
What is the pipeline execution role ARN for stage 1?: arn:aws:iam::{AWSアカウントID}:role/aws-sam-cli-managed-dev-pipel-PipelineExecutionRole-xxxxxxxxxxxx
What is the CloudFormation execution role ARN for stage 1?: arn:aws:iam::{AWSアカウントID}:role/aws-sam-cli-managed-dev-p-CloudFormationExecutionRo-xxxxxxxxxxxx
What is the S3 bucket name for artifacts for stage 1?: aws-sam-cli-managed-dev-pipeline-r-artifactsbucket-xxxxxxxxxxxx
What is the ECR repository URI for stage 1?:
What is the AWS region for stage 1?: ap-northeast-1
Select an index or enter the stage 2's configuration name (as provided during the bootstrapping): 2
What is the sam application stack name for stage 2?: sam-app-prod
What is the pipeline execution role ARN for stage 2?: arn:aws:iam::{AWSアカウントID}:role/aws-sam-cli-managed-prod-pipe-PipelineExecutionRole-xxxxxxxxxxxx
What is the CloudFormation execution role ARN for stage 2?: arn:aws:iam::{AWSアカウントID}:role/aws-sam-cli-managed-prod--CloudFormationExecutionRo-xxxxxxxxxxxx
What is the S3 bucket name for artifacts for stage 2?: aws-sam-cli-managed-prod-pipeline--artifactsbucket-xxxxxxxxxxxx
What is the ECR repository URI for stage 2?:
What is the AWS region for stage 2?: ap-northeast-1
Successfully created the pipeline configuration file(s):
- .github/workflows/pipeline.yaml
4. Set the credentials in GitHub
In the secrets of the "sam-app" repository on GitHub, set the credentials of the Pipeline IAM user (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) created in step 3, Build the pipeline.

5. Run CI/CD
When you push the pipeline you built, GitHub Actions runs and performs the deployment.
$ git add .
$ git commit -m 'Add Pipeline'
$ git push origin main
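The generated workflow is expected to read the pipeline user's keys from the repository secrets named in step 4, never from the file itself; a key pasted into `.github/workflows/pipeline.yaml` would be committed and pushed with everything else in step 5. The script below is an added example for this post (not part of SAM CLI): it scans a workflow file for literal AWS access keys and confirms that the required secrets are referenced only as `${{ secrets.NAME }}`. The two workflow excerpts are constructed for the example and are not the file SAM generates; the literal values in `LEAKY_WORKFLOW` are AWS's published placeholder credentials, not real keys.

```python
"""Audit a GitHub Actions workflow for embedded AWS credentials before pushing it.

Added example for this post; it is not part of SAM CLI. The workflow excerpts
below are constructed, and the literal key values are AWS's documentation
placeholders, not real credentials.
"""
import re
import sys

# Long-term AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character secret assigned directly to an aws-secret-access-key style key.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)aws[-_]secret[-_]access[-_]key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")
# ${{ secrets.NAME }} references, the only acceptable way to pass the keys.
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# The secret names chosen in step 4 above.
REQUIRED_SECRETS = frozenset({"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"})

# Constructed excerpt of a workflow that passes the keys the right way.
SAFE_WORKFLOW = """\
name: Pipeline
on:
  push:
    branches: [main]
jobs:
  deploy-dev:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ap-northeast-1
      - run: sam build && sam deploy --config-env dev --no-confirm-changeset
"""

# Same workflow with the keys pasted in directly (what the audit must reject).
LEAKY_WORKFLOW = SAFE_WORKFLOW.replace(
    "${{ secrets.AWS_ACCESS_KEY_ID }}", "AKIAIOSFODNN7EXAMPLE").replace(
    "${{ secrets.AWS_SECRET_ACCESS_KEY }}", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


def audit_workflow(text: str, required=REQUIRED_SECRETS) -> list[str]:
    """Return a list of problems; an empty list means the workflow is safe to push."""
    problems = []
    for m in ACCESS_KEY_ID_RE.finditer(text):
        key = m.group(1)
        # Never echo the whole key into CI logs; show just enough to locate it.
        problems.append(f"literal access key ID {key[:4]}...{key[-4:]} in workflow")
    if SECRET_ASSIGN_RE.search(text):
        problems.append("literal secret access key assigned in workflow")
    referenced = set(SECRET_REF_RE.findall(text))
    for name in sorted(required - referenced):
        problems.append(f"required secret not referenced as ${{{{ secrets.{name} }}}}")
    return problems


if __name__ == "__main__":
    # Usage: python audit_workflow.py [.github/workflows/pipeline.yaml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = LEAKY_WORKFLOW
    found = audit_workflow(text)
    print("\n".join(found) if found else "no embedded credentials found")
    sys.exit(1 if found else 0)
```

Run it against `.github/workflows/pipeline.yaml` before the push in step 5; a non-zero exit means a key is in the file or a required secret reference is missing. The same check belongs in a pre-commit hook, where it catches the paste before a commit exists.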

Building S3 with CDK (Python) - AWS
1. Install Node.js
$ curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
$ sudo apt-get install -y nodejs
2. Install the CDK CLI
$ sudo npm install -g aws-cdk
3. Create the project
$ sudo mkdir test-cdk
$ cd test-cdk
$ cdk init app --language python
$ python -m pip install -r requirements.txt
4. Modify the source code
Write the code that creates the S3 bucket.
test-cdk/test_cdk/test_cdk_stack.py
from aws_cdk import (
    Stack,
    aws_s3 as s3,
    RemovalPolicy,
)
from constructs import Construct


class TestCdkStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Create the S3 bucket; RemovalPolicy.DESTROY deletes it together with the stack
        s3bucket = s3.Bucket(
            self,
            "TestCdkS3",
            bucket_name="test-cdk-s3",
            removal_policy=RemovalPolicy.DESTROY,
        )
5. Check the resources that will be created
You can check the resources that will be created in AWS.
$ cdk diff
6. Deploy
Deploying creates the resources in AWS.
$ cdk deploy
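`cdk diff` shows what will change, but it does not judge whether the bucket is configured safely. The linter below is an added example for this post (not part of the CDK): it reads the CloudFormation template that `cdk synth` writes to `cdk.out/<StackName>.template.json` (`TestCdkStack.template.json` for the stack above) and reports every `AWS::S3::Bucket` that lacks a full public-access block, default encryption, versioning, or a bucket policy denying non-TLS access. `SAMPLE_TEMPLATE` is constructed for the example: `TestCdkS3` resembles what the minimal stack above synthesizes to (bucket name and deletion policy only; exactly which defaults the CDK emits depends on its version), while `HardenedBucket` carries the properties produced when `block_public_access=s3.BlockPublicAccess.BLOCK_ALL`, `encryption=s3.BucketEncryption.S3_MANAGED`, `versioned=True` and `enforce_ssl=True` are passed to `s3.Bucket`.

```python
"""Lint a synthesized CloudFormation template for under-configured S3 buckets.

Added example for this post; it is not part of the CDK. SAMPLE_TEMPLATE is a
constructed template with one bare bucket and one hardened bucket.
"""
import json
import sys

PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")

SAMPLE_TEMPLATE = {
    "Resources": {
        "TestCdkS3": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "test-cdk-s3"},
            "DeletionPolicy": "Delete",
            "UpdateReplacePolicy": "Delete",
        },
        "HardenedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
                "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "HardenedBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "HardenedBucket"},
                "PolicyDocument": {"Statement": [{
                    "Effect": "Deny",
                    "Principal": {"AWS": "*"},
                    "Action": "s3:*",
                    "Resource": "*",
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                }]},
            },
        },
    }
}


def ssl_only_buckets(resources: dict) -> set[str]:
    """Logical IDs of buckets whose bucket policy denies non-TLS access."""
    enforced = set()
    for res in resources.values():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        target = props.get("Bucket", {}).get("Ref")
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
            if stmt.get("Effect") == "Deny" and str(secure).lower() == "false":
                enforced.add(target)
    return enforced


def bucket_findings(template: dict) -> dict[str, list[str]]:
    """Map each under-configured bucket's logical ID to the controls it lacks."""
    resources = template.get("Resources", {})
    enforced = ssl_only_buckets(resources)
    findings = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        missing = []
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(f) is True for f in PAB_FLAGS):
            missing.append("PublicAccessBlockConfiguration")
        if not props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration"):
            missing.append("BucketEncryption")
        if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
            missing.append("VersioningConfiguration")
        if logical_id not in enforced:
            missing.append("SSL-only bucket policy")
        if missing:
            findings[logical_id] = missing
    return findings


if __name__ == "__main__":
    # Usage: python lint_buckets.py [cdk.out/TestCdkStack.template.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = bucket_findings(template)
    for bucket, missing in findings.items():
        print(f"{bucket}: missing {', '.join(missing)}")
    sys.exit(1 if findings else 0)
```

Run `cdk synth` and then the linter between steps 5 and 6, so a bucket that is missing a control fails before `cdk deploy` creates it. Checking the synthesized template rather than the Python source catches the same gap whether the bucket is defined directly, in a construct, or via a default the CDK version happens to apply.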
Using external libraries in Lambda - AWS
Prerequisites
・A Lambda function named "test-function" has already been created.
1. Create the external library
Install the external library you want to use into a folder named "python" and compress it as a ZIP.
※ The folder must be named "python".
$ mkdir python
$ pip install -t python requests
$ zip -r test-layer.zip python
2. Create the Lambda layer
$ aws lambda publish-layer-version --layer-name test-layer --zip-file fileb://test-layer.zip --compatible-runtimes python3.12
3. Add the Lambda layer to the Lambda function
$ aws lambda update-function-configuration --function-name test-function --layers "arn:aws:lambda:ap-northeast-1:{AWSアカウントID}:layer:test-layer:1"
4. Use the external library
You can import and use the external library inside the Lambda function.
lambda_function.py
import json
import requests


def lambda_handler(event, context):
    # requests is provided by the layer attached in step 3.
    # A timeout keeps the function from hanging until Lambda kills it if the API stalls.
    response = requests.get('https://api.example.com/v1/items', timeout=5)
    return {
        'statusCode': response.status_code,
        # The body must be a string, so serialise the parsed JSON.
        'body': json.dumps(response.json())
    }
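The reason the folder in step 1 must be called "python" is that Lambda unpacks layers under `/opt` and puts `/opt/python` (and `/opt/python/lib/python3.x/site-packages`) on the runtime's `sys.path`; anything zipped under another root is never importable, and the failure only shows up as an `ImportError` at invocation time. The script below is an added example for this post (not part of the AWS CLI or Lambda) that checks a layer ZIP for that layout before `publish-layer-version` in step 2. The sample archives are constructed in memory with a stub standing in for the requests package, so the check runs without the real `test-layer.zip`; pass a path to check a real file.

```python
"""Verify a Lambda layer ZIP before publishing it.

Added example for this post; it is not part of the AWS CLI or of Lambda. The
sample archives are constructed in memory with a stub package, not the real
requests library.
"""
import io
import sys
import zipfile


def _has_package(names: list[str], package: str) -> bool:
    """True if `package` is importable from /opt/python or its site-packages."""
    direct = {f"python/{package}/__init__.py", f"python/{package}.py"}
    return any(
        n in direct
        or (n.startswith("python/lib/") and n.endswith(f"/site-packages/{package}/__init__.py"))
        for n in names
    )


def check_layer_zip(archive, package: str = "") -> list[str]:
    """Return problems found in the layer archive; an empty list means it is well formed.
    `archive` is a path or the raw ZIP bytes; `package` optionally names an import
    that must be present (for example "requests")."""
    problems = []
    src = io.BytesIO(archive) if isinstance(archive, (bytes, bytearray)) else archive
    with zipfile.ZipFile(src) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]  # skip directory entries
        if not names:
            return ["archive is empty"]
        # Every file must sit under python/; report each foreign top-level entry once.
        roots = sorted({n.split("/", 1)[0] for n in names if not n.startswith("python/")})
        for root in roots:
            problems.append(f"top-level entry '{root}' is outside python/ and will not be importable")
        # Reject paths that would escape the extraction directory.
        for n in names:
            if n.startswith("/") or ".." in n.split("/"):
                problems.append(f"unsafe path in archive: {n}")
        if package and not _has_package(names, package):
            problems.append(f"package '{package}' not found under python/")
    return problems


def build_sample_zip(root: str) -> bytes:
    """Construct a tiny layer-like ZIP with a stub package under `root`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{root}/requests/__init__.py", "# constructed stand-in, not the real requests\n")
        zf.writestr(f"{root}/requests/api.py", "def get(url, **kwargs):\n    raise NotImplementedError\n")
    return buf.getvalue()


# Constructed: the layout `pip install -t python requests` produces, versus a wrong root.
GOOD_LAYER = build_sample_zip("python")
BAD_LAYER = build_sample_zip("site-packages")


if __name__ == "__main__":
    # Usage: python check_layer.py [test-layer.zip] [package]
    target = sys.argv[1] if len(sys.argv) > 1 else GOOD_LAYER
    wanted = sys.argv[2] if len(sys.argv) > 2 else "requests"
    found = check_layer_zip(target, wanted)
    print("\n".join(found) if found else "layer layout looks good")
    sys.exit(1 if found else 0)
```

Running `python check_layer.py test-layer.zip requests` after step 1 confirms both that the root folder is `python/` and that the package the handler imports is actually inside the archive; a layer built from the wrong directory fails here rather than in the first invocation.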
How to use venv - Python
1. Add the repository
$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt update
2. Install Python and venv
$ sudo apt install python3.12 python3.12-venv
3. Create the virtual environment
$ python3.12 -m venv {任意の環境名}
4. Activate the virtual environment
$ source ~/{任意の環境名}/bin/activate
({任意の環境名}) $ python --version
Python 3.12.3
5. Deactivate the virtual environment
({任意の環境名}) $ deactivate
