

30.CloudTrail

予備知識

予防的対策

CloudTrailSampleTemplate
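# CloudTrail sample: log bucket + bucket policy, CloudWatch Logs integration
# (log group, role, role policy), KMS key + alias, and the trail itself.
# The trail name "CloudTrail" is also hard-coded into the trail ARN used by
# the aws:SourceArn conditions below, so the two must be kept in sync.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
    Description: Existing bucket that receives S3 server access logs for the CloudTrail bucket.
Resources:
  # Bucket that receives the trail's log files.
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      # Versioning keeps the previous copy if a log object is overwritten.
      VersioningConfiguration:
        Status: Enabled
      # Bucket default encryption; objects written by the trail are in addition
      # SSE-KMS encrypted with ResCloudTrailKey (KMSKeyId on the trail).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      # ACLs are disabled so access is governed by the bucket policy alone.
      # A LogDeliveryWrite ACL is only needed on a bucket that is itself a
      # server-access-log destination; this bucket sends its access logs to
      # PrmExampleAccessLogBucket. CloudTrail's bucket-owner-full-control
      # header is still accepted with BucketOwnerEnforced.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            # NOTE(review): 180 days for current and 1 day for noncurrent
            # versions are the sample's values; align them with the audit-log
            # retention period the organisation requires before use.
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"

  # Grants the CloudTrail service principal the two calls it makes, bound to
  # this account's trail via aws:SourceArn (same ARN as in the key policy).
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          # Reject any access that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
              - !Sub "arn:aws:s3:::${ResCloudTrailBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"

  # Log group the trail streams events into (CIS 2.4 / CloudTrail.5).
  ResCloudTrailLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrail
      # NOTE(review): 90 days is the sample's value; compare it with the
      # retention the audit requirement demands.
      RetentionInDays: 90

  # Role CloudTrail assumes to write to the log group.
  ResCloudTrailCloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
            # Only this account's trail may assume the role.
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A multi-Region trail writes one log stream per Region, named
          # <account>_CloudTrail_<region>, into this log group; the stream
          # suffix is therefore a wildcard rather than the home Region only.
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"

  # Customer-managed key used for the trail's log files (CIS 2.7 / CloudTrail.2).
  ResCloudTrailKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: Encrypts CloudTrail log files written to the CloudTrail bucket.
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps full administration of the key; permissions for
          # log readers (kms:Decrypt) are delegated to IAM policies from here.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

          # CloudTrail only needs GenerateDataKey* to encrypt log files; the
          # encryption-context condition binds the grant to CloudTrail's own
          # use of the key and aws:SourceArn to the trail defined below.
          # In a key policy, Resource '*' means "this key".
          - Sid: Allow CloudTrail to encrypt logs
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'kms:GenerateDataKey*'
            Resource: '*'
            Condition:
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*"
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

          # DescribeKey carries no encryption context, so it is a separate statement.
          - Sid: Allow CloudTrail to describe key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'kms:DescribeKey'
            Resource: '*'
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey

  ResCloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    # CloudTrail validates the bucket policy and the log group / role at trail
    # creation, so they must be complete first.
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail  # must match the trail ARN used in the policies above
      IsLogging: true
      EnableLogFileValidation: true  # CIS 2.2 / CloudTrail.3 / CloudTrail.4
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true  # CIS 2.1 / CloudTrail.1
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      # All management events (read and write) plus data events for every S3
      # object, Lambda function and DynamoDB table in the account.
      # NOTE(review): account-wide data events can be high-volume; narrow the
      # ARNs if only specific resources need data-event logging.
      EventSelectors:
        - DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref ResCloudTrailKey  # CIS 2.7 / CloudTrail.2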

標準対応項目

[CIS 2.2] CloudTrailのログファイル検証が有効になっていることを確認します
[CloudTrail.3] CloudTrailログファイルの検証を有効にする必要があります
[CloudTrail.4] CloudTrail ログファイルの検証が有効であることを確認する

      EnableLogFileValidation: true

[CIS 2.7] CloudTrail ログは保管時に AWS KMS keys を使用して暗号化されていることを確認します
[PCI.CloudTrail.1] CloudTrail ログは、保存時に AWS KMS keys で暗号化する必要があります
[CloudTrail.2] CloudTrail は保管時の暗号化を有効にする必要があります

      KMSKeyId: !Ref ResCloudTrailKey

[CIS 2.4] CloudTrail がAmazon CloudWatch Logs と統合されていることを確認します
[PCI.CloudTrail.4] CloudTrail 証跡は CloudWatch Logs と統合する必要があります
[CloudTrail.5] CloudTrail が Amazon CloudWatch Logs と統合されていることを確認します。

      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn

[CIS 2.1] すべてのリージョンで CloudTrail が有効になっていることを確認します
[PCI.CloudTrail.2] CloudTrail を有効にする必要があります
[CloudTrail.1] CloudTrail を有効にし、読み取り管理イベントと書き込み管理イベントを含む少なくとも 1 つのマルチリージョンの証跡で設定する必要があります。

[IsMultiRegionTrail: true]で、全リージョンのログを特定リージョンのS3及びCloudWatchLogsに集約可能
全リージョンで、CloudTrailを有効にしたい場合は、下記テンプレートを全リージョンで実行する（下記テンプレートは証跡のみを定義しており、参照しているS3バケット・ロググループ・IAMロール・KMSキーは実行先で先に作成しておく必要がある）

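# Trail-only template. The bucket, log group, role and KMS key it uses are not
# defined in this stack (they come from the other templates on this page), so
# they are taken as parameters: a !Ref to a resource that is not in the stack
# fails template validation, and DependsOn can only name resources of the
# same stack.
# NOTE(review): with IsMultiRegionTrail: true a single trail already records
# every Region from its home Region; confirm a per-Region deployment is
# really wanted before running this template in more than one Region.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PrmCloudTrailBucketName:
    Type: String
    Description: Name of the existing S3 bucket (with the CloudTrail bucket policy) that receives log files.
  PrmCloudTrailLogGroupArn:
    Type: String
    Description: ARN of the existing CloudWatch Logs log group the trail streams into.
  PrmCloudTrailLogsRoleArn:
    Type: String
    Description: ARN of the existing IAM role CloudTrail assumes to write to the log group.
  PrmCloudTrailKmsKeyId:
    Type: String
    Description: ID, ARN or alias ARN of the existing KMS key that encrypts the log files.
Resources:
  ResCloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      # Must match the trail ARN used in the bucket, role and key policies.
      TrailName: CloudTrail
      IsLogging: true
      EnableLogFileValidation: true  # CIS 2.2 / CloudTrail.3 / CloudTrail.4
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true  # CIS 2.1 / CloudTrail.1
      S3BucketName: !Ref PrmCloudTrailBucketName
      CloudWatchLogsLogGroupArn: !Ref PrmCloudTrailLogGroupArn  # CIS 2.4 / CloudTrail.5
      CloudWatchLogsRoleArn: !Ref PrmCloudTrailLogsRoleArn
      # All management events (read and write) plus data events for every S3
      # object, Lambda function and DynamoDB table in the account.
      EventSelectors:
        - DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref PrmCloudTrailKmsKeyId  # CIS 2.7 / CloudTrail.2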

発見的対策

参考

証跡保存用のS3バケット作成

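# S3 bucket for trail log files plus the bucket policy CloudTrail needs.
# The trail ARN in the aws:SourceArn conditions assumes a trail named
# "CloudTrail" in the deploying Region and account.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
    Description: Existing bucket that receives S3 server access logs for the CloudTrail bucket.
Resources:
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      # Versioning keeps the previous copy if a log object is overwritten.
      VersioningConfiguration:
        Status: Enabled
      # Bucket default encryption; the trail additionally SSE-KMS encrypts
      # the objects it writes when KMSKeyId is set on the trail.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      # ACLs are disabled so access is governed by the bucket policy alone.
      # A LogDeliveryWrite ACL is only needed on a bucket that is itself a
      # server-access-log destination; this bucket sends its access logs to
      # PrmExampleAccessLogBucket. CloudTrail's bucket-owner-full-control
      # header is still accepted with BucketOwnerEnforced.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            # NOTE(review): 180 days for current and 1 day for noncurrent
            # versions are the sample's values; align them with the audit-log
            # retention period the organisation requires before use.
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"

  # Grants the CloudTrail service principal the two calls it makes, bound to
  # this account's trail via aws:SourceArn.
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

          # Reject any access that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
              - !Sub "arn:aws:s3:::${ResCloudTrailBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"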

CloudWatchLogs統合用リソース作成(CloudWatchLogGroup,IamPolicy,IamRole)

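# CloudWatch Logs integration for the trail: log group, the role CloudTrail
# assumes, and the policy that lets it create streams and put events.
# The trail ARN in the aws:SourceArn condition assumes a trail named
# "CloudTrail" in the deploying Region and account.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ResCloudTrailLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrail
      # NOTE(review): 90 days is the sample's value; compare it with the
      # retention the audit requirement demands.
      RetentionInDays: 90

  ResCloudTrailCloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
            # Only this account's trail may assume the role.
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A multi-Region trail writes one log stream per Region, named
          # <account>_CloudTrail_<region>, into this log group; the stream
          # suffix is therefore a wildcard rather than the home Region only.
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"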

CloudTrail用 KMS キー作成

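# Customer-managed KMS key (and alias) for the trail's log files.
# The two CloudTrail statements follow the AWS-documented CloudTrail key
# policy: GenerateDataKey* bound to CloudTrail's encryption context, and
# DescribeKey as its own statement because that call carries no context.
# The trail ARN in the aws:SourceArn conditions assumes a trail named
# "CloudTrail" in the deploying Region and account.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ResCloudTrailKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: Encrypts CloudTrail log files.
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps full administration of the key; permissions for
          # log readers (kms:Decrypt) are delegated to IAM policies from here.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

          # In a key policy, Resource '*' means "this key".
          - Sid: Allow CloudTrail to encrypt logs
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'kms:GenerateDataKey*'
            Resource: '*'
            Condition:
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*"
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

          - Sid: Allow CloudTrail to describe key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'kms:DescribeKey'
            Resource: '*'
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey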
