~~NOCACHE~~
~~DISCUSSION~~
## 93.EventBridge01
CIS 3.1〜3.14（ログメトリクスフィルター＋アラーム）を EventBridge ルールに置き換えられないか検討してみた。
### 発見的対策
--> EventBridgeSampleTemplate#
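AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Detective controls for CIS AWS Foundations Benchmark 3.1-3.14, implemented as
  EventBridge rules on CloudTrail events that notify an SNS topic, in place of
  CloudWatch Logs metric filters and alarms.

Parameters:
  # Where notifications are delivered (an e-mail address for the default protocol).
  PrmSubscriptionEndPoint:
    Type: String
    Description: Enter Email Address.
  PrmSubscriptionProtocol:
    Type: String
    Description: The subscription protocol
    AllowedValues:
      - http
      - https
      - email
      - email-json
      - sms
      - sqs
      - application
      - lambda
    Default: email

Resources:
  # Single notification channel shared by every rule below.
  ResSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub 'AlarmEvents-${AWS::Region}'
      DisplayName: !Sub 'AlarmEvents-${AWS::Region}'
      # Server-side encryption is currently off. NOTE(review): the AWS managed
      # key alias/aws/sns is not usable here -- its key policy cannot be edited
      # to grant events.amazonaws.com kms:GenerateDataKey*/kms:Decrypt, so
      # EventBridge deliveries to the topic would fail. Use a customer managed
      # key whose key policy grants those actions to that service principal.
      # KmsMasterKeyId: "alias/aws/sns"

  ResSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref PrmSubscriptionEndPoint
      Protocol: !Ref PrmSubscriptionProtocol
      TopicArn: !Ref ResSNSTopic

  # Allows the EventBridge service principal to publish to this topic only.
  EventTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            # Scoped to the topic ARN instead of '*'.
            Resource: !Ref ResSNSTopic
            # NOTE(review): an aws:SourceAccount / aws:SourceArn condition would
            # additionally keep rules in other accounts from publishing here
            # (confused deputy) -- confirm EventBridge sets those keys for SNS
            # targets before adding it.
      Topics:
        - !Ref ResSNSTopic

  # [CIS 3.1] Ensure a log metric filter and alarm exist for unauthorized API calls.
  # Mirrors the CIS filter (errorCode "*UnauthorizedOperation" or "AccessDenied*")
  # with EventBridge prefix/suffix content filters. Matching on a merely
  # existing errorCode would also alert on every benign client error.
  ResEventRuleUnauthorizedAPIcalls:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmUnauthorizedAPIcalls
      Description: Unauthorized API calls
      State: ENABLED
      EventPattern:
        detail:
          errorCode:
            - prefix: AccessDenied
            - suffix: UnauthorizedOperation
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.2] Ensure a log metric filter and alarm exist for AWS Management
  # Console sign-in without MFA.
  # NOTE(review): federated / assumed-role sign-ins also report MFAUsed "No"
  # and will alert here -- confirm whether they should be excluded.
  ResEventRuleSignInWithoutMFA:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmSignInWithoutMFA
      Description: AWS Management Console sign-in without MFA
      State: ENABLED
      EventPattern:
        source:
          - aws.signin
        detail-type:
          - AWS Console Sign In via CloudTrail
        detail:
          eventName:
            - ConsoleLogin
          additionalEventData:
            MFAUsed:
              # Quoted: a bare Yes is a YAML 1.1 boolean.
              - anything-but: 'Yes'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.3] Ensure a log metric filter and alarm exist for usage of the root account.
  # Deliberately not limited to source aws.signin: root API usage via access
  # keys arrives as "AWS API Call via CloudTrail" from the called service.
  ResEventRuleUsageRootUser:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmUsageRootUser
      Description: usage of root user
      State: ENABLED
      EventPattern:
        detail:
          userIdentity:
            type:
              - Root
            # invokedBy is set when an AWS service acted on the account's behalf.
            invokedBy:
              - exists: false
          eventType:
            - anything-but:
                - AwsServiceEvent
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.4] Ensure a log metric filter and alarm exist for IAM policy changes.
  ResEventRuleIamPolicyChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmIamPolicyChanges
      Description: IAM policy changes
      State: ENABLED
      EventPattern:
        source:
          - aws.iam
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - iam.amazonaws.com
          eventName:
            - DeleteGroupPolicy
            - DeleteRolePolicy
            - DeleteUserPolicy
            - DeletePolicy
            - DeletePolicyVersion
            - PutGroupPolicy
            - PutRolePolicy
            - PutUserPolicy
            - CreatePolicy
            - CreatePolicyVersion
            - AttachRolePolicy
            - AttachUserPolicy
            - AttachGroupPolicy
            - DetachRolePolicy
            - DetachUserPolicy
            - DetachGroupPolicy
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes.
  ResEventRuleCloudTrailChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmCloudTrailChanges
      Description: CloudTrail configuration changes
      State: ENABLED
      EventPattern:
        source:
          - aws.cloudtrail
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - cloudtrail.amazonaws.com
          eventName:
            - UpdateTrail
            - CreateTrail
            - DeleteTrail
            - StartLogging
            - StopLogging
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.6] Ensure a log metric filter and alarm exist for AWS Management
  # Console authentication failures.
  ResEventRuleManagementConsoleFailures:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmManagementConsoleFailures
      Description: Management Console authentication failures
      State: ENABLED
      EventPattern:
        source:
          - aws.signin
        detail-type:
          - AWS Console Sign In via CloudTrail
        detail:
          eventName:
            - ConsoleLogin
          errorMessage:
            - Failed authentication
            - No username found in supplied account
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.7] Ensure a log metric filter and alarm exist for disabling or
  # scheduled deletion of customer managed keys.
  ResEventRuleCustomerManagedKeysDeletion:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmCustomerManagedKeysDeletion
      Description: disabling or scheduled deletion of customer managed keys
      State: ENABLED
      EventPattern:
        source:
          - aws.kms
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - kms.amazonaws.com
          eventName:
            - DisableKey
            - ScheduleKeyDeletion
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes.
  ResEventRuleS3BucketPolicyChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmS3BucketPolicyChanges
      Description: S3 bucket policy changes
      State: ENABLED
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - PutAccountPublicAccessBlock
            - PutBucketPublicAccessBlock
            - PutBucketAcl
            - PutBucketPolicy
            - PutBucketCors
            - PutBucketLifecycle
            - PutBucketReplication
            - DeleteBucketPolicy
            - DeleteBucketCors
            - DeleteBucketLifecycle
            - DeleteBucketReplication
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes.
  ResEventRuleConfigConfigurationChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmConfigConfigurationChanges
      Description: Config configuration changes
      State: ENABLED
      EventPattern:
        source:
          - aws.config
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - config.amazonaws.com
          eventName:
            - StopConfigurationRecorder
            - DeleteDeliveryChannel
            - PutDeliveryChannel
            - PutConfigurationRecorder
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.10] Ensure a log metric filter and alarm exist for security group changes.
  ResEventRuleSecurityGroupChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmSecurityGroupChanges
      Description: security group changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - AuthorizeSecurityGroupIngress
            - AuthorizeSecurityGroupEgress
            - RevokeSecurityGroupIngress
            - RevokeSecurityGroupEgress
            - CreateSecurityGroup
            - DeleteSecurityGroup
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.11] Ensure a log metric filter and alarm exist for changes to
  # Network Access Control Lists (NACL).
  ResEventRuleNetworkAccessControlListsChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmNetworkAccessControlListsChanges
      Description: Network Access Control Lists changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - CreateNetworkAcl
            - CreateNetworkAclEntry
            - DeleteNetworkAcl
            - DeleteNetworkAclEntry
            - ReplaceNetworkAclEntry
            - ReplaceNetworkAclAssociation
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.12] Ensure a log metric filter and alarm exist for changes to network gateways.
  ResEventRuleNetworkGatewaysChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmNetworkGatewaysChanges
      Description: network gateways changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - CreateCustomerGateway
            - DeleteCustomerGateway
            - AttachInternetGateway
            - CreateInternetGateway
            - DeleteInternetGateway
            - DetachInternetGateway
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.13] Ensure a log metric filter and alarm exist for route table changes.
  ResEventRuleRouteTableChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmRouteTableChanges
      Description: route table changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - CreateRoute
            - CreateRouteTable
            - ReplaceRoute
            - ReplaceRouteTableAssociation
            - DeleteRouteTable
            - DeleteRoute
            - DisassociateRouteTable
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic

  # [CIS 3.14] Ensure a log metric filter and alarm exist for VPC changes.
  ResEventRuleVPCChanges:
    Type: AWS::Events::Rule
    Properties:
      Name: AlarmVPCChanges
      Description: VPC changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - CreateVpc
            - DeleteVpc
            - ModifyVpcAttribute
            - AcceptVpcPeeringConnection
            - CreateVpcPeeringConnection
            - DeleteVpcPeeringConnection
            - RejectVpcPeeringConnection
            - AttachClassicLinkVpc
            - DetachClassicLinkVpc
            - DisableVpcClassicLink
            - EnableVpcClassicLink
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic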
<--
#### 対応項目
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.1|[CIS 3.1] 不正な API 呼び出しに対してログメトリクスフィルターとアラームが存在することを確認します]]
EventBridge のイベントパターンではワイルドカードが使えない？ようなので、"errorCode" が存在するイベントはすべて拾う形にしてみた。
{
"detail": {
"errorCode": [{
"exists": true
}]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.2|[CIS 3.2] MFA なしの AWS Management Console サインインに対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.signin"],
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"eventName": ["ConsoleLogin"],
"additionalEventData": {
"MFAUsed": [ { "anything-but": "Yes" } ]
}
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.3|[CIS 3.3]「ルート」アカウントに対してログメトリクスフィルターとアラームが存在することを確認します]]
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-cw-1|[PCI.CW.1] 「root」ユーザーの使用には、ログメトリクスフィルターとアラームが存在する必要があります。]]
{
"source": ["aws.signin"],
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"userIdentity": {
"type": ["Root"],
"invokedBy": [{
"exists": false
}]
},
"eventType": [{
"anything-but": ["AwsServiceEvent"]
}]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.4|[CIS 3.4] IAM ポリシーの変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.iam"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["iam.amazonaws.com"],
"eventName": ["DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "DeletePolicy", "DeletePolicyVersion", "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "CreatePolicyVersion", "AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy", "DetachGroupPolicy"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.5|[CIS 3.5] CloudTrail の設定の変更に対するログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["cloudtrail.amazonaws.com"],
"eventName": ["UpdateTrail", "CreateTrail", "DeleteTrail", "StartLogging", "StopLogging"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.6|[CIS 3.6] AWS Management Console の認証エラーに対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.signin"],
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"eventName": ["ConsoleLogin"],
"errorMessage": ["Failed authentication", "No username found in supplied account"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.7|[CIS 3.7] カスタマー管理キーの無効化またはスケジュールされた削除に対するログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.kms"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["kms.amazonaws.com"],
"eventName": ["DisableKey", "ScheduleKeyDeletion"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.8|[CIS 3.8] S3 バケットの変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["s3.amazonaws.com"],
"eventName": ["PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock", "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.9|[CIS 3.9] AWS Config の設定変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.config"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["config.amazonaws.com"],
"eventName": ["StopConfigurationRecorder", "DeleteDeliveryChannel", "PutDeliveryChannel", "PutConfigurationRecorder"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.10|[CIS 3.10] セキュリティグループの変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.11|[CIS 3.11] ネットワークアクセスコントロールリスト (NACL) への変更に対するログメトリクスとアラームが存在することを確認します]]
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.12|[CIS 3.12] ネットワークゲートウェイへの変更に対するログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway", "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.13|[CIS 3.13] ルートテーブルの変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"]
}
}
[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.14|[CIS 3.14] VPC の変更に対してログメトリクスフィルターとアラームが存在することを確認します]]
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection", "AttachClassicLinkVpc", "DetachClassicLinkVpc", "DisableVpcClassicLink", "EnableVpcClassicLink"]
}
}
{{tag>AWS SecurityHub EventBridge}}