30.CloudTrail
Background knowledge
Preventive measures
- CloudTrailSampleTemplate

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
Resources:
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      AccessControl: LogDeliveryWrite
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: !Sub "ExamplePrefix/"
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  ResCloudTrailLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90
  ResCloudTrailCloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
  ResCloudTrailKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey
  ResCloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      EventSelectors:
        - DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref ResCloudTrailKey
```
Standards compliance items
[CIS 2.2] Ensure CloudTrail log file validation is enabled
[CloudTrail.3] CloudTrail log file validation should be enabled
[CloudTrail.4] Ensure CloudTrail log file validation is enabled
EnableLogFileValidation: true
[CIS 2.7] Ensure CloudTrail logs are encrypted at rest using AWS KMS keys
[PCI.CloudTrail.1] CloudTrail logs should be encrypted at rest using AWS KMS keys
[CloudTrail.2] CloudTrail should have encryption at rest enabled
KMSKeyId: !Ref ResCloudTrailKey
[CIS 2.4] Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
[PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
[CloudTrail.5] Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
[CIS 2.1] Ensure CloudTrail is enabled in all regions
[PCI.CloudTrail.2] CloudTrail should be enabled
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
With [IsMultiRegionTrail: true], the logs of every region can be aggregated into the S3 bucket and CloudWatch Logs of one specific region.
If you want CloudTrail enabled in every region, run the template below in every region.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # This fragment only declares the trail. The !Ref / !GetAtt targets
  # (ResCloudTrailBucket, ResCloudTrailBucketPolicy, ResCloudTrailLogGroup,
  # ResCloudTrailCloudWatchLogsRole, ResCloudTrailKey) must be defined in the
  # same template; see the bucket, CloudWatch Logs and KMS templates under "Reference".
  ResCloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRole
    Properties:
      TrailName: CloudTrail
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      EventSelectors:
        - DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref ResCloudTrailKey
```
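The compliance items above map each control to one trail property. To verify that a deployed trail actually satisfies them (rather than trusting the template), the following added example (not part of the original page) evaluates the four groups of controls against the data that boto3's CloudTrail client returns. It assumes the response shapes of `describe_trails`, `get_trail_status` and `get_event_selectors`; the sample trail dicts, account id and key id are constructed placeholders, and `audit_account` accepts any object exposing those three methods so the file runs offline.

```python
"""Evaluate a CloudTrail trail against the Security Hub / CIS controls listed above.

Added example, not code from the original page. The dicts mirror boto3's
cloudtrail client responses:
  describe_trails()["trailList"][i]   -> `trail`
  get_trail_status(Name=...)          -> `status`
  get_event_selectors(TrailName=...)  -> `selectors`
All sample values are constructed; the account id and key id are placeholders.
"""


def check_log_file_validation(trail):
    """[CIS 2.2] / [CloudTrail.3] / [CloudTrail.4]: EnableLogFileValidation must be on."""
    return bool(trail.get("LogFileValidationEnabled"))


def check_kms_encryption(trail):
    """[CIS 2.7] / [PCI.CloudTrail.1] / [CloudTrail.2]: KMSKeyId must reference a KMS key."""
    key = trail.get("KmsKeyId") or ""
    return key.startswith("arn:") and ":kms:" in key


def check_cloudwatch_logs_integration(trail):
    """[CIS 2.4] / [PCI.CloudTrail.4] / [CloudTrail.5]: log group and delivery role both set."""
    return bool(trail.get("CloudWatchLogsLogGroupArn")) and bool(trail.get("CloudWatchLogsRoleArn"))


def check_multi_region_management_events(trail, status, selectors):
    """[CIS 2.1] / [PCI.CloudTrail.2] / [CloudTrail.1]: logging on, multi-Region, and at
    least one basic event selector covering read and write management events.
    Trails using AdvancedEventSelectors are not evaluated (simplification of this example)."""
    if not status.get("IsLogging") or not trail.get("IsMultiRegionTrail"):
        return False
    return any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in selectors.get("EventSelectors", [])
    )


CONTROLS = {
    "CloudTrail.3 log file validation": lambda t, s, e: check_log_file_validation(t),
    "CloudTrail.2 KMS encryption at rest": lambda t, s, e: check_kms_encryption(t),
    "CloudTrail.5 CloudWatch Logs integration": lambda t, s, e: check_cloudwatch_logs_integration(t),
    "CloudTrail.1 multi-Region management events": check_multi_region_management_events,
}


def evaluate_trail(trail, status, selectors):
    """Return {control name: passed?} for one trail."""
    return {name: bool(fn(trail, status, selectors)) for name, fn in CONTROLS.items()}


def failing_controls(trail, status, selectors):
    """Sorted control names the trail fails; an empty list means fully compliant."""
    return sorted(name for name, ok in evaluate_trail(trail, status, selectors).items() if not ok)


def audit_account(client):
    """Run the checks over every trail a boto3-style CloudTrail client can see.

    `client` is assumed to be boto3.client("cloudtrail") or any object with the same
    three methods; nothing is called at import time, so this module runs offline."""
    report = {}
    for trail in client.describe_trails(includeShadowTrails=False)["trailList"]:
        status = client.get_trail_status(Name=trail["TrailARN"])
        selectors = client.get_event_selectors(TrailName=trail["TrailARN"])
        report[trail["Name"]] = failing_controls(trail, status, selectors)
    return report


# Constructed sample: the trail from the page's template as describe_trails would show it.
ACCOUNT = "123456789012"  # placeholder account id
REGION = "ap-northeast-1"
COMPLIANT_TRAIL = {
    "Name": "CloudTrail",
    "S3BucketName": f"cloudtrail-{ACCOUNT}",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "HomeRegion": REGION,
    "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/CloudTrail",
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:CloudTrail:*",
    "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudTrailLogsRole",
    "KmsKeyId": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000",
    "HasCustomEventSelectors": True,
}
COMPLIANT_STATUS = {"IsLogging": True}
COMPLIANT_SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "All", "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}

# Constructed sample: single-Region, write-only trail without validation, KMS or CloudWatch Logs.
WEAK_TRAIL = {
    "Name": "legacy-trail",
    "S3BucketName": "some-old-bucket",
    "IncludeGlobalServiceEvents": False,
    "IsMultiRegionTrail": False,
    "HomeRegion": REGION,
    "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/legacy-trail",
    "LogFileValidationEnabled": False,
}
WEAK_STATUS = {"IsLogging": True}
WEAK_SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}]}

if __name__ == "__main__":
    for name, args in (("CloudTrail", (COMPLIANT_TRAIL, COMPLIANT_STATUS, COMPLIANT_SELECTORS)),
                       ("legacy-trail", (WEAK_TRAIL, WEAK_STATUS, WEAK_SELECTORS))):
        print(name, "fails:", failing_controls(*args) or "nothing")
```

Against a real account, `audit_account(boto3.client("cloudtrail"))` returns one entry per trail in the current region; because the compliant trail is multi-Region, the same trail is reported from every region unless shadow trails are excluded as above.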
Detective measures
Reference
Creating the S3 bucket for trail storage

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
Resources:
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      AccessControl: LogDeliveryWrite
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: !Sub "ExamplePrefix/"
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
```
Creating the resources for CloudWatch Logs integration (CloudWatch LogGroup, IAM Policy, IAM Role)

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ResCloudTrailLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90
  ResCloudTrailCloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
```
Creating the KMS key for CloudTrail

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ResCloudTrailKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          # Alternative, more tightly scoped statements (kept commented out in the original):
          # - Sid: Allow CloudTrail to encrypt logs
          #   Effect: Allow
          #   Principal:
          #     Service: cloudtrail.amazonaws.com
          #   Action: 'kms:GenerateDataKey*'
          #   Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
          #   Condition:
          #     StringLike:
          #       'kms:EncryptionContext:aws:cloudtrail:arn': !Sub "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*"
          #     StringEquals:
          #       'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          # - Sid: Allow CloudTrail to describe key
          #   Effect: Allow
          #   Principal:
          #     Service: cloudtrail.amazonaws.com
          #   Action: 'kms:DescribeKey'
          #   # Resource: "*"
          #   Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
          #   Condition:
          #     StringEquals:
          #       'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey
```
Comments