aws-fundamentals | argos

Stats

Actions

Tags

aws-fundamentals | argos

AWS Fundamentals

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load (agents/coordination.md §11). Çıktı Critical / High / Medium / Low + kanıt formatında. Sahiplik dışı bulgu delege:

security-reviewer — IAM, OWASP A01 (IDOR/broken access), bucket policy
database-optimizer — RDS parameter group, slow query, IAM auth
platform-engineer — VPC topology, Lambda networking, multi-region
performance-profiler — Lambda cold start, p99 latency
finops-review — Budgets, Anomaly Detection, Reserved/Savings Plans
infrastructure-implementer — Terraform / CloudFormation IaC

Felsefe

IAM her şey demek. Least privilege default; Action: "*" yasak prod.
Block Public Access account-wide + bucket-level.
DenyInsecureTransport her S3 bucket policy'sinde.
RDS multi-AZ + encryption prod zorunlu; IAM auth pwd rotation'ı bitirir.
Lambda init pattern (module-level boto3); cold start p99 gerçek.
Region affinity; cross-region egress pahalı.
CloudTrail multi-region + log file integrity zorunlu.
DigitalOcean kullanıcısı için: AWS "daha güçlü değil daha kontrol edilebilir"; karmaşıklık IAM'de yoğunlaşır.

Ne Zaman Kullanılır

DO/CF kullanıcısı AWS'ye geçiş düşünüyor (cost, vendor lock, service inventory karşılaştırma)
Yeni AWS account onboarding (Organizations, Identity Center, baseline guardrails)
S3 bucket policy / public access audit (data leak şüphesi)
RDS performance/cost review (Aurora vs RDS karar)
Lambda cold start p99 regression
IAM least privilege audit (CloudTrail-driven, Access Analyzer)
Cost spike audit (Budget alert tetiklendi)
CloudTrail / Audit log gap (SOC 2 CC7.3 kontrolü)

Tooling Matrisi

Konu	Tool	Notlar
CLI	`aws` v2	Profile multi-account
Read-only inspect	Read API'ler (`s3api`, `iam`, `lambda`, `rds`, `cloudtrail`)	Profile read-only role
Policy lint	`cfn-lint`, `iam-policy-json-to-terraform`, `parliament`	Wildcard yakalama
Access analyzer	`aws accessanalyzer`	Unused permissions
Cost	`aws ce` (Cost Explorer), `aws budgets`	Tag dimension
Audit	`aws cloudtrail`, CloudTrail Lake	SQL-style query
IaC	Terraform `aws` provider, CDK	DOAP/DOKS Terraform paraleli
IAM simulation	`aws iam simulate-principal-policy`	Pre-deployment check

Workflow

1) Discovery — Account Inventory

# Active region + identity
aws sts get-caller-identity
aws ec2 describe-regions --query 'Regions[].RegionName' --output table

# Account-level BPA
aws s3control get-public-access-block --account-id "$(aws sts get-caller-identity --query Account --output text)"

# CloudTrail status
aws cloudtrail describe-trails --output table
aws cloudtrail get-trail-status --name <trail-name>

# IAM password policy
aws iam get-account-password-policy

# Org status
aws organizations describe-organization 2>/dev/null || echo "Standalone account"

2) S3 Audit

# Tüm bucket'lar + public erişim durumu
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | while read b; do
  bpa=$(aws s3api get-public-access-block --bucket "$b" 2>/dev/null \
        | jq -r '.PublicAccessBlockConfiguration | "BPA=\(.BlockPublicAcls)/\(.IgnorePublicAcls)/\(.BlockPublicPolicy)/\(.RestrictPublicBuckets)"')
  acl=$(aws s3api get-bucket-acl --bucket "$b" --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`].Permission' --output text)
  policy=$(aws s3api get-bucket-policy-status --bucket "$b" 2>/dev/null | jq -r '.PolicyStatus.IsPublic')
  echo "$b: $bpa acl_public=${acl:-none} policy_public=$policy"
done

# Encryption + versioning
for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  sse=$(aws s3api get-bucket-encryption --bucket "$b" 2>/dev/null | jq -r '.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm')
  ver=$(aws s3api get-bucket-versioning --bucket "$b" --query 'Status' --output text)
  echo "$b: sse=${sse:-NONE} versioning=${ver:-Disabled}"
done

3) RDS Audit

# Instances + engine + multi-AZ + encryption
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,Engine:Engine,Class:DBInstanceClass,MultiAZ:MultiAZ,Encrypted:StorageEncrypted,IAM:IAMDatabaseAuthenticationEnabled}' \
  --output table

# Backup retention
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,Backup:BackupRetentionPeriod,PITR:LatestRestorableTime}' \
  --output table

# Parameter group custom mı?
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,ParameterGroup:DBParameterGroups[0].DBParameterGroupName}' \
  --output table

# pg_stat_statements var mı (Postgres)?
psql -h <endpoint> -U <user> -c "SELECT * FROM pg_extension WHERE extname='pg_stat_statements';"

4) Lambda Audit

# Tüm function'lar + memory + timeout + runtime
aws lambda list-functions --query \
  'Functions[].{Name:FunctionName,Runtime:Runtime,Memory:MemorySize,Timeout:Timeout,Concurrency:ReservedConcurrentExecutions}' \
  --output table

# Cold start gözlem (X-Ray traces)
aws xray get-trace-summaries --start-time "$(date -d '-1 hour' +%s)" --end-time "$(date +%s)" \
  --filter-expression 'service("<svc-name>")' --output table

# Provisioned concurrency
aws lambda list-provisioned-concurrency-configs --function-name <fn>

5) IAM Audit — Least Privilege

# All roles
aws iam list-roles --output json | jq '.Roles[].RoleName' > /tmp/roles.txt

# Wildcard policy detect
aws iam list-policies --scope Local --output json | jq -r '.Policies[].Arn' | while read arn; do
  doc=$(aws iam get-policy-version --policy-arn "$arn" --version-id "$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text)")
  if echo "$doc" | jq -e '.PolicyVersion.Document.Statement[] | select(.Action == "*" or (.Action | type == "array" and contains(["*"])))' > /dev/null; then
    echo "WILDCARD: $arn"
  fi
done

# Access Analyzer findings
aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:eu-west-1:123:analyzer/zone-trust \
  --filter '{"status":{"eq":["ACTIVE"]}}'

# Unused credentials
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d
# user, access_key_1_last_used_date, password_last_used → 90+ gün unused

6) CloudTrail-Driven Policy Generator

# Last 30 day action list for a role
ROLE="app-prod-role"
START=$(date -d '-30 days' --iso-8601=seconds)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=$ROLE \
  --start-time "$START" --max-results 1000 \
  | jq '.Events[].CloudTrailEvent | fromjson | "\(.eventSource):\(.eventName)"' \
  | sort -u > /tmp/${ROLE}-actions.txt

# Bu liste → IAM policy Allow statement

7) Cost Audit

# Bu ayın toplam
aws ce get-cost-and-usage --time-period Start=$(date -d 'start of month' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
  --granularity MONTHLY --metrics UnblendedCost --output table

# Servis dağılımı
aws ce get-cost-and-usage --time-period Start=$(date -d '-30 days' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
  --granularity DAILY --metrics UnblendedCost \
  --group-by Type=DIMENSION,Key=SERVICE \
  --output table

# Tag policy uyumluluğu
aws ce get-cost-and-usage --time-period Start=$(date -d '-30 days' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
  --granularity MONTHLY --metrics UnblendedCost \
  --group-by Type=TAG,Key=Environment | jq '.GroupDefinitions, .ResultsByTime'

# Budget alarmları var mı?
aws budgets describe-budgets --account-id "$(aws sts get-caller-identity --query Account --output text)"

8) Bulgu Raporu

# AWS Findings: <account-id> (<env>)

## Critical
- [ ] 3 bucket BPA off (`acme-prod-uploads`, `acme-prod-static`, `legacy-bkt`) —
      data leak riski; per-bucket BPA + account-wide enforce
- [ ] `AdminAccessRole` 14 IAM user'a attached + MFA off 8 user — breach
      blast radius

## High
- [ ] RDS `prod-pg-main` multi-AZ off — HA yok, failover manuel
- [ ] RDS encryption at rest disabled (3 instance) — SOC 2 CC6.4 ihlal
- [ ] Lambda `extractor-svc` cold start p99 4.2s — provisioned concurrency
      yok, kritik path
- [ ] CloudTrail single-region (eu-west-1); us-east-1 IAM event capture yok

## Medium
- [ ] 12 IAM policy wildcard `Action: "*"` veya `Resource: "*"` — Access
      Analyzer ile shrink listesi var (`/tmp/access-findings.json`)
- [ ] Cost: NAT GW egress $480/ay; S3 VPC endpoint kurulumu → ~$100/ay
- [ ] Budget alert yok; Anomaly Detection off

## Low
- [ ] Tag policy yok — cost attribution Environment/Owner/Project
- [ ] IAM password policy zayıf (8 char, no MFA enforce)

Checklist

Antipattern

IAM *:* prod role'ünde.
Long-lived access key IAM user + prod.
Bucket public BPA off.
AllUsers ACL grant bucket policy yerine.
RDS multi-AZ off prod.
RDS unencrypted at rest prod.
Lambda handler içinde import boto3.
Provisioned concurrency + SnapStart yok p99 kritik.
VPC Lambda + NAT GW + S3 endpoint yok.
CloudTrail off / tek-region.
Root user post-setup kullanım.
MFA yok IAM user.
Cost Anomaly Detection off.
Budget alert yok.
AWSAdministratorAccess günlük rol.
Tag policy yok.
External ID yok third-party assume.
SCP yok Organizations seviyesi.
Region default us-east-1 her workload (latency).

Cross-Link

rules/aws.md — discipline rule.
rules/security.md, rules/owasp-top10.md — A01 IAM least privilege.
rules/postgres.md — RDS Postgres parameter group, pg_stat_statements.
rules/compliance.md — CloudTrail, SOC 2 CC6.4/CC7.3 evidence.
rules/finops.md — Budget, Anomaly Detection, Reserved/Savings.
rules/terraform.md — IaC AWS provider.
skills/owasp-top10/SKILL.md — A01 IDOR/IAM crossover.
skills/postgres-performance/SKILL.md — RDS Postgres tuning.
skills/finops-review/SKILL.md — AWS cost optimization.
agents/security-reviewer.md — IAM audit lider.
agents/database-optimizer.md — RDS sahiplik.
agents/platform-engineer.md — VPC, multi-region, EKS (ayrı skill).
commands/aws-review.md — slash entrypoint.