~~NOCACHE~~ ~~DISCUSSION~~

## (Draft) 93. EventBridge02

I looked into whether the "Ensure a log metric filter and alarm exist for ..." family of checks (the monitoring items of the CIS AWS Foundations Benchmark) can be replaced with EventBridge rules.

### Detective controls

--> EventsBridgeSampleTemplate#
AWSTemplateFormatVersion: 2010-09-09
<--

#### Covered items

[[https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-cwe-all-findings.html|Capturing Security Hub events]]

Matches imported findings that are active, newly opened, not `PASSED` (so `FAILED`, `WARNING` and `NOT_AVAILABLE` all fire) and not account-level. `findings` is an array in the real event; EventBridge matches arrays element by element, so writing it as an object in the pattern works.

```json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [{ "anything-but": "PASSED" }]
      },
      "RecordState": ["ACTIVE"],
      "Resources": {
        "Type": [{ "anything-but": "AwsAccount" }]
      },
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  }
}
```

[[https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/access-analyzer-eventbridge.html#access-analyzer-create-rule|Capturing Access Analyzer events]]

```json
{
  "source": ["aws.access-analyzer"],
  "detail-type": ["Access Analyzer Finding", "Access Preview State Change"]
}
```

[[https://aws.amazon.com/jp/premiumsupport/knowledge-center/guardduty-eventbridge-sns-rule/|Capturing GuardDuty events]]

This is the Knowledge Center sample and matches a single finding type; drop the `detail.type` filter, or widen the list, to forward every GuardDuty finding.

```json
{
  "source": ["aws.guardduty"],
  "detail": {
    "type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]
  }
}
```

Checking the Config rules that were added

This pattern has no `source` or `detail-type`, so it matches on `detail` alone: the CloudTrail record of a `PutEvaluations` call that reports `NON_COMPLIANT` for one of the listed managed rule identifiers. Because `evaluations` is an array and EventBridge matches when any element matches, one call that mixes `COMPLIANT` and `NON_COMPLIANT` results also fires the rule.

```json
{
  "detail": {
    "eventSource": ["config.amazonaws.com"],
    "eventName": ["PutEvaluations"],
    "requestParameters": {
      "evaluations": {
        "complianceType": ["NON_COMPLIANT"]
      }
    },
    "additionalEventData": {
      "managedRuleIdentifier": ["LAMBDA_INSIDE_VPC", "EIP_ATTACHED", "CLOUD_TRAIL_ENABLED"]
    }
  }
}
```

{{tag>AWS AccessAnalyzer SecurityHub EventBridge}}
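To check what the four patterns above catch and miss without deploying anything, here is an added example (not code from the page, and not AWS's implementation): a small offline model of EventBridge pattern matching covering only exact values, `anything-but`, nested objects, and the rule that an array in the event matches when any element matches. The sample events are constructed; their field layout follows the AWS event documentation, the values are made up. The function names `matches`, `run_checks` and the `*_event` helpers are mine.

```python
"""Offline model of EventBridge event-pattern matching (added example, not AWS code):
exact values, "anything-but", nested objects, and EventBridge's rule that an array
in the event matches when any element matches. Run over constructed sample events."""
import json

SECURITY_HUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Compliance": {"Status": [{"anything-but": "PASSED"}]},
        "RecordState": ["ACTIVE"],
        "Resources": {"Type": [{"anything-but": "AwsAccount"}]},
        "Workflow": {"Status": ["NEW"]}}}}
ACCESS_ANALYZER_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding", "Access Preview State Change"]}
GUARDDUTY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail": {"type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]}}
CONFIG_PATTERN = {"detail": {
    "eventSource": ["config.amazonaws.com"],
    "eventName": ["PutEvaluations"],
    "requestParameters": {"evaluations": {"complianceType": ["NON_COMPLIANT"]}},
    "additionalEventData": {"managedRuleIdentifier": [
        "LAMBDA_INSIDE_VPC", "EIP_ATTACHED", "CLOUD_TRAIL_ENABLED"]}}}


def _leaf_matches(item, value):
    """One entry of a pattern list against one scalar event value."""
    if isinstance(item, dict):
        if "anything-but" not in item:
            raise ValueError(f"matcher not modelled here: {item}")
        excluded = item["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    return item == value


def matches(pattern, event):
    """True if every key of `pattern` is satisfied by `event`. A dict value is a
    sub-pattern, a list is a set of alternatives. An event value that is a list is
    flattened: one matching element suffices, which is why `findings` and
    `evaluations` (arrays in the real events) can be written as objects."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        present = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(wanted, dict):
            ok = any(isinstance(v, dict) and matches(wanted, v) for v in present)
        else:
            ok = any(_leaf_matches(i, v) for i in wanted for v in present)
        if not ok:
            return False
    return True


# Constructed sample events: field layout follows the AWS docs, values are made up.
def security_hub_event(status, resource_type="AwsS3Bucket"):
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"Compliance": {"Status": status}, "RecordState": "ACTIVE",
                                     "Resources": [{"Type": resource_type}],
                                     "Workflow": {"Status": "NEW"}}]}}


def guardduty_event(finding_type):
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type}}


def config_event(compliance_types, rule_id):
    """CloudTrail record of one PutEvaluations call, which may carry several evaluations."""
    return {"source": "aws.config", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "config.amazonaws.com", "eventName": "PutEvaluations",
                       "requestParameters": {"evaluations": [{"complianceType": c} for c in compliance_types]},
                       "additionalEventData": {"managedRuleIdentifier": rule_id}}}


def run_checks():
    """Sample name -> whether the page's pattern fires on it."""
    sh, gd, cf = SECURITY_HUB_PATTERN, GUARDDUTY_PATTERN, CONFIG_PATTERN
    return {
        "securityhub FAILED": matches(sh, security_hub_event("FAILED")),
        "securityhub PASSED": matches(sh, security_hub_event("PASSED")),
        "securityhub AwsAccount resource": matches(sh, security_hub_event("FAILED", "AwsAccount")),
        "access analyzer finding": matches(ACCESS_ANALYZER_PATTERN, {
            "source": "aws.access-analyzer", "detail-type": "Access Analyzer Finding", "detail": {}}),
        "guardduty listed type": matches(gd, guardduty_event("UnauthorizedAccess:EC2/MaliciousIPCaller.Custom")),
        "guardduty other type": matches(gd, guardduty_event("Recon:EC2/PortProbeUnprotectedPort")),
        "config NON_COMPLIANT": matches(cf, config_event(["NON_COMPLIANT"], "CLOUD_TRAIL_ENABLED")),
        "config COMPLIANT only": matches(cf, config_event(["COMPLIANT"], "CLOUD_TRAIL_ENABLED")),
        "config mixed batch": matches(cf, config_event(["COMPLIANT", "NON_COMPLIANT"], "EIP_ATTACHED")),
        "config unlisted rule": matches(cf, config_event(["NON_COMPLIANT"], "S3_BUCKET_PUBLIC_READ_PROHIBITED")),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Two results are worth noticing: the "config mixed batch" sample fires even though only one of its evaluations is `NON_COMPLIANT`, and the GuardDuty pattern stays silent for any finding type other than the one listed. Against the real service, the same check is `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which uses AWS's matcher rather than this model.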