~~NOCACHE~~
~~DISCUSSION~~
## 30.CloudTrail
### 予備知識
[[Aws:SecurityManagement:CloudTrail#証跡保存用のS3バケット作成|・証跡保存用のS3バケットが必要です。]]
[[Aws:SecurityManagement:CloudTrail#CloudWatchLogs統合用リソース作成(CloudWatchLogGroup,IamPolicy,IamRole)|・CloudWatchLogsと統合します。(IamPolicyとIamRoleも必要)]]
[[Aws:SecurityManagement:CloudTrail#CloudTrail用Kmskey作成|・Kmskeysで暗号化します。]]
### 予防的対策
--> CloudTrailSampleTemplate#
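# Full sample: CloudTrail trail, its log bucket, CloudWatch Logs integration and KMS key.
# Date-like scalars are quoted so a generic YAML 1.1 loader cannot turn them into
# timestamps; CloudFormation expects them as strings.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  # Existing bucket that receives the S3 server access logs of the trail bucket.
  PrmExampleAccessLogBucket:
    Type: String
Resources:
  # Bucket that stores the trail's log files.
  ResCloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            Status: Enabled
            ExpirationInDays: 180
            # NOTE(review): noncurrent versions are purged after one day, so versioning
            # protects a log file against overwrite or deletion for only 24 hours.
            # Raise this (or add Object Lock) if longer tamper evidence is required.
            NoncurrentVersionExpirationInDays: 1
      # No canned ACL is set on this bucket: CloudTrail's delivery is authorised by the
      # bucket policy below, and the LogDeliveryWrite ACL is only needed on a bucket that
      # *receives* S3 server access logs. This bucket only *sends* them, to
      # PrmExampleAccessLogBucket.
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"  # plain string: nothing to substitute, so no !Sub
  # Lets the CloudTrail service check the bucket ACL and write log objects. Both
  # statements are pinned to this account's trail with aws:SourceArn (confused-deputy
  # protection), matching the condition already used in the KMS key policy below.
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            # Single-account trail: log objects land under AWSLogs/<account-id>/.
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
  # Log group the trail streams events into (CIS 2.4 / CloudTrail.5 integration).
  ResCloudTrailLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90
  # Role CloudTrail assumes to write into the log group.
  ResCloudTrailCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
  # Write permissions limited to the log streams CloudTrail creates
  # (<account-id>_CloudTrail_<region>*), not the whole log group.
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
  # Customer-managed key used for at-rest encryption of the log files (CIS 2.7 / CloudTrail.2).
  ResCloudTrailKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Default root statement: key administration is delegated to this account's IAM policies.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # CloudTrail may use the key only while acting for this account's trail.
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey
  ResCloudTrail:
    Type: AWS::CloudTrail::Trail
    # The bucket policy and the role's inline policy must exist before the trail is
    # created; CloudTrail checks it can deliver to both targets at creation time.
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail
      IsLogging: true
      EnableLogFileValidation: true  # CIS 2.2 / CloudTrail.3 / CloudTrail.4
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true  # CIS 2.1 / CloudTrail.1: one trail covers every region
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      # Data events for every S3 object, Lambda function and DynamoDB table in the
      # account (a bare service ARN means "all resources"). This is high volume and
      # billed per event, and it will also capture CloudTrail's own writes into
      # ResCloudTrailBucket; narrow the selectors if that cost or noise is unwanted.
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
          DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
      KMSKeyId: !Ref ResCloudTrailKey  # CIS 2.7 / CloudTrail.2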
<--
#### 標準対応項目
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.2|[CIS 2.2] CloudTrailのログファイル検証が有効になっていることを確認します]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-cloudtrail-3|[CloudTrail.3] CloudTrailログファイルの検証を有効にする必要があります]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-4|[CloudTrail.4] CloudTrail ログファイルの検証が有効であることを確認する]]
EnableLogFileValidation: true
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.7|[CIS 2.7] CloudTrail ログは保管時に AWS KMS keys を使用して暗号化されていることを確認します]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-cloudtrail-1|[PCI.CloudTrail.1] CloudTrailログは、保存時に AWS KMS keys を使用して暗号化する必要があります]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-2|[CloudTrail.2] CloudTrail は保管時の暗号化を有効にする必要があります]]
KMSKeyId: !Ref ResCloudTrailKey
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.4|[CIS 2.4] CloudTrail がAmazon CloudWatch Logs と統合されていることを確認します]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-cloudtrail-4|[PCI.CloudTrail.4] CloudTrail 証跡は CloudWatch Logs と統合する必要があります]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-5|[CloudTrail.5] CloudTrail が Amazon CloudWatch Logs と統合されていることを確認します。]]
CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.1|[CIS 2.1] すべてのリージョンで CloudTrail が有効になっていることを確認します]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-cloudtrail-2|[PCI.CloudTrail.2] CloudTrail を有効にする必要があります]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-1|[CloudTrail.1] CloudTrail を有効にし、読み取り管理イベントと書き込み管理イベントを含む少なくとも 1 つのマルチリージョンの証跡で設定する必要があります。]]
[IsMultiRegionTrail: true]で、全リージョンのログを特定リージョンのS3及びCloudWatchLogsに集約可能
全リージョンで、CloudTrailを有効にしたい場合は、下記テンプレートを全リージョンで実行する
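# Trail-only template intended to be deployed per region; read the NOTEs before use.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ResCloudTrail:
    Type: AWS::CloudTrail::Trail
    # NOTE(review): ResCloudTrailBucketPolicy, ResCloudTrailLogGroup,
    # ResCloudTrailCloudWatchLogsRolePolicy, ResCloudTrailBucket,
    # ResCloudTrailCloudWatchLogsRole and ResCloudTrailKey are not defined in this
    # template, so it does not validate on its own. Deploy it together with the
    # resources from the full sample template, or replace these references with
    # Parameters that receive the bucket name, log group ARN, role ARN and key id.
    # Depends on the role's inline *policy* (as the full sample template does), not
    # only the role, so the permissions exist when CloudTrail checks delivery.
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      # NOTE(review): a multi-region trail already records every region, so creating
      # one per region duplicates events and cost. Confirm this is intended, or use
      # IsMultiRegionTrail: false for the per-region copies.
      IsMultiRegionTrail: true
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      # Data events for all S3 objects, Lambda functions and DynamoDB tables
      # (a bare service ARN means "all resources"); high volume, billed per event.
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
          DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3'
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
      KMSKeyId: !Ref ResCloudTrailKey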
### 発見的対策
[[Aws:セキュリティ管理:90.発見的対策|Aws/SecurityHub/90.発見的対策]]
### 参考
#### 証跡保存用のS3バケット作成
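# Trail log bucket plus the bucket policy that lets CloudTrail deliver into it.
# Date-like scalars are quoted so a generic YAML 1.1 loader keeps them as strings.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  # Existing bucket that receives the S3 server access logs of the trail bucket.
  PrmExampleAccessLogBucket:
    Type: String
Resources:
  ResCloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            Status: Enabled
            ExpirationInDays: 180
            # NOTE(review): noncurrent versions are purged after one day, so versioning
            # protects a log file against overwrite or deletion for only 24 hours.
            # Raise this (or add Object Lock) if longer tamper evidence is required.
            NoncurrentVersionExpirationInDays: 1
      # No canned ACL is set on this bucket: CloudTrail's delivery is authorised by the
      # bucket policy below, and the LogDeliveryWrite ACL is only needed on a bucket that
      # *receives* S3 server access logs. This bucket only *sends* them, to
      # PrmExampleAccessLogBucket.
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"  # plain string: nothing to substitute, so no !Sub
  # Both statements are pinned to this account's trail with aws:SourceArn
  # (confused-deputy protection), the same condition the page's KMS key policy uses.
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            # Single-account trail: log objects land under AWSLogs/<account-id>/.
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"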
#### CloudWatchLogs統合用リソース作成(CloudWatchLogGroup,IamPolicy,IamRole)
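# CloudWatch Logs integration: log group, the role CloudTrail assumes, and its
# write permissions. Date-like scalars are quoted so generic YAML loaders keep
# them as strings.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ResCloudTrailLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90
  ResCloudTrailCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudTrailLogsRole
      # NOTE(review): the trust policy admits the CloudTrail service principal from any
      # account; consider adding aws:SourceArn / aws:SourceAccount conditions, as the
      # page's KMS key policy does, to pin it to this account's trail.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
  # Write permissions limited to the log streams CloudTrail creates
  # (<account-id>_CloudTrail_<region>*), not the whole log group.
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: 'logs:CreateLogStream'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: 'logs:PutLogEvents'
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*"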
#### CloudTrail用Kmskey作成
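# KMS key (and alias) used to encrypt the trail's log files at rest.
# Date-like scalars are quoted so generic YAML loaders keep them as strings.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ResCloudTrailKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Default root statement: key administration is delegated to this account's IAM policies.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # CloudTrail may use the key only while acting for this account's trail.
          # NOTE(review): kms:Encrypt is broader than the commented-out variant below,
          # which grants only kms:GenerateDataKey* and kms:DescribeKey; confirm Encrypt
          # is actually needed before keeping it.
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          # Alternative, narrower statements (kept for reference, not active). The
          # EncryptionContext condition additionally binds the grant to this account's
          # trails.
          # - Sid: Allow CloudTrail to encrypt logs
          #   Effect: Allow
          #   Principal:
          #     Service: cloudtrail.amazonaws.com
          #   Action: 'kms:GenerateDataKey*'
          #   Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
          #   Condition:
          #     StringLike:
          #       'kms:EncryptionContext:aws:cloudtrail:arn': !Sub "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*"
          #     StringEquals:
          #       'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          # - Sid: Allow CloudTrail to describe key
          #   Effect: Allow
          #   Principal:
          #     Service: cloudtrail.amazonaws.com
          #   Action: 'kms:DescribeKey'
          #   # pick exactly one Resource line; a duplicate key is invalid YAML
          #   Resource: "*"
          #   Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
          #   Condition:
          #     StringEquals:
          #       'aws:SourceArn': !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey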
{{tag>AWS SecurityHub CloudFormation CloudTrail}}