I looked into whether CIS 3.1 to 3.14 (the CloudWatch Logs metric filter and alarm controls) could be replaced with EventBridge rules.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  PrmSubscriptionEndPoint:
    Type: String
    Description: Enter Email Address.
  PrmSubscriptionProtocol:
    Type: String
    Description: The subscription protocol
    AllowedValues:
      - http
      - https
      - email
      - email-json
      - sms
      - sqs
      - application
      - lambda
    Default: email
Resources:
  ResSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "AlarmEvents-${AWS::Region}"
      DisplayName: !Sub "AlarmEvents-${AWS::Region}"
      # KmsMasterKeyId: "alias/aws/sns"
  ResSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint:
        Ref: PrmSubscriptionEndPoint
      Protocol:
        Ref: PrmSubscriptionProtocol
      TopicArn:
        Ref: ResSNSTopic
  EventTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: '*'
      Topics:
        - !Ref ResSNSTopic
  #[CIS 3.1] Ensure a log metric filter and alarm exist for unauthorized API calls
  ResEventRuleUnauthorizedAPIcalls:
    Type: AWS::Events::Rule
    Properties:
      Description: 'Unauthorized API calls'
      EventPattern: !Sub |
        {
          "detail": {
            "errorCode": [{ "exists": true }]
          }
        }
      Name: 'AlarmUnauthorizedAPIcalls'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.2] Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
  ResEventRuleSignInWithoutMFA:
    Type: AWS::Events::Rule
    Properties:
      Description: 'AWS Management Console sign-in without MFA'
      EventPattern: !Sub |
        {
          "detail": {
            "eventName": ["ConsoleLogin"],
            "additionalEventData": {
              "MFAUsed": [{ "anything-but": "Yes" }]
            }
          }
        }
      Name: 'AlarmSignInWithoutMFA'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.3] Ensure a log metric filter and alarm exist for usage of the "root" account
  ResEventRuleUsageRootUser:
    Type: AWS::Events::Rule
    Properties:
      Description: 'usage of root user'
      EventPattern: !Sub |
        {
          "detail": {
            "userIdentity": {
              "type": ["Root"],
              "invokedBy": [{ "exists": false }]
            },
            "eventType": [{ "anything-but": ["AwsServiceEvent"] }]
          }
        }
      Name: 'AlarmUsageRootUser'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.4] Ensure a log metric filter and alarm exist for IAM policy changes
  ResEventRuleIamPolicyChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'IAM policy changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["iam.amazonaws.com"],
            "eventName": ["DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "DeletePolicy", "DeletePolicyVersion", "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "CreatePolicyVersion", "AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy", "DetachGroupPolicy"]
          }
        }
      Name: 'AlarmIamPolicyChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes
  ResEventRuleCloudTrailChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'CloudTrail configuration changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["cloudtrail.amazonaws.com"],
            "eventName": ["UpdateTrail", "CreateTrail", "DeleteTrail", "StartLogging", "StopLogging"]
          }
        }
      Name: 'AlarmCloudTrailChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  ResEventRuleManagementConsoleFailures:
    Type: AWS::Events::Rule
    Properties:
      Description: 'Management Console authentication failures'
      EventPattern: !Sub |
        {
          "detail": {
            "eventName": ["ConsoleLogin"],
            "errorMessage": ["Failed authentication", "No username found in supplied account"]
          }
        }
      Name: 'AlarmManagementConsoleFailures'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
  ResEventRuleCustomerManagedKeysDeletion:
    Type: AWS::Events::Rule
    Properties:
      Description: 'disabling or scheduled deletion of customer managed keys'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["kms.amazonaws.com"],
            "eventName": ["DisableKey", "ScheduleKeyDeletion"]
          }
        }
      Name: 'AlarmCustomerManagedKeysDeletion'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.8] Ensure a log metric filter and alarm exist for S3 bucket changes
  ResEventRuleS3BucketPolicyChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'S3 bucket policy changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["s3.amazonaws.com"],
            "eventName": ["PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock", "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication"]
          }
        }
      Name: 'AlarmS3BucketPolicyChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes
  ResEventRuleConfigConfigurationChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'Config configuration changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["config.amazonaws.com"],
            "eventName": ["StopConfigurationRecorder", "DeleteDeliveryChannel", "PutDeliveryChannel", "PutConfigurationRecorder"]
          }
        }
      Name: 'AlarmConfigConfigurationChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.10] Ensure a log metric filter and alarm exist for security group changes
  ResEventRuleSecurityGroupChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'security group changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"]
          }
        }
      Name: 'AlarmSecurityGroupChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
  ResEventRuleNetworkAccessControlListsChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'Network Access Control Lists changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"]
          }
        }
      Name: 'AlarmNetworkAccessControlListsChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.12] Ensure a log metric filter and alarm exist for changes to network gateways
  ResEventRuleNetworkGatewaysChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'network gateways changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway", "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway"]
          }
        }
      Name: 'AlarmNetworkGatewaysChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.13] Ensure a log metric filter and alarm exist for route table changes
  ResEventRuleRouteTableChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'route table changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"]
          }
        }
      Name: 'AlarmRouteTableChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
  #[CIS 3.14] Ensure a log metric filter and alarm exist for VPC changes
  ResEventRuleVPCChanges:
    Type: AWS::Events::Rule
    Properties:
      Description: 'VPC changes'
      EventPattern: !Sub |
        {
          "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection", "AttachClassicLinkVpc", "DetachClassicLinkVpc", "DisableVpcClassicLink", "EnableVpcClassicLink"]
          }
        }
      Name: 'AlarmVPCChanges'
      State: 'ENABLED'
      Targets:
        - Arn: !Ref ResSNSTopic
          Id: sns-topic
```
[CIS 3.1] Ensure a log metric filter and alarm exist for unauthorized API calls

EventBridge doesn't seem to support wildcards(?), so should we just catch everything that carries an "errorCode"?

```json
{
  "detail": {
    "errorCode": [{ "exists": true }]
  }
}
```
[CIS 3.2] Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "eventName": ["ConsoleLogin"],
    "additionalEventData": {
      "MFAUsed": [{ "anything-but": "Yes" }]
    }
  }
}
```
[CIS 3.3] Ensure a log metric filter and alarm exist for usage of the "root" account

Unlike the sign-in rules, this pattern is kept without a `source` / `detail-type` restriction, as in the template above: root activity also arrives as "AWS API Call via CloudTrail" events from every other service source, so restricting it to `aws.signin` would only catch console logins and miss root API calls.

```json
{
  "detail": {
    "userIdentity": {
      "type": ["Root"],
      "invokedBy": [{ "exists": false }]
    },
    "eventType": [{ "anything-but": ["AwsServiceEvent"] }]
  }
}
```
[CIS 3.4] Ensure a log metric filter and alarm exist for IAM policy changes

```json
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "DeletePolicy", "DeletePolicyVersion", "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "CreatePolicyVersion", "AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy", "DetachGroupPolicy"]
  }
}
```
[CIS 3.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes

```json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com"],
    "eventName": ["UpdateTrail", "CreateTrail", "DeleteTrail", "StartLogging", "StopLogging"]
  }
}
```
[CIS 3.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "eventName": ["ConsoleLogin"],
    "errorMessage": ["Failed authentication", "No username found in supplied account"]
  }
}
```
[CIS 3.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

```json
{
  "source": ["aws.kms"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["kms.amazonaws.com"],
    "eventName": ["DisableKey", "ScheduleKeyDeletion"]
  }
}
```
[CIS 3.8] Ensure a log metric filter and alarm exist for S3 bucket changes

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock", "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication"]
  }
}
```
[CIS 3.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

```json
{
  "source": ["aws.config"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["config.amazonaws.com"],
    "eventName": ["StopConfigurationRecorder", "DeleteDeliveryChannel", "PutDeliveryChannel", "PutConfigurationRecorder"]
  }
}
```
[CIS 3.10] Ensure a log metric filter and alarm exist for security group changes

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"]
  }
}
```
[CIS 3.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"]
  }
}
```
[CIS 3.12] Ensure a log metric filter and alarm exist for changes to network gateways

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway", "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway"]
  }
}
```
[CIS 3.13] Ensure a log metric filter and alarm exist for route table changes

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"]
  }
}
```
[CIS 3.14] Ensure a log metric filter and alarm exist for VPC changes

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection", "AttachClassicLinkVpc", "DetachClassicLinkVpc", "DisableVpcClassicLink", "EnableVpcClassicLink"]
  }
}
```
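The patterns in the template and in the per-control list above can be checked offline before deploying anything. The following is an added example, not code from the original post: a small matcher that implements only the subset of EventBridge event-pattern semantics these rules use (exact values, `{"exists": ...}`, `{"anything-but": ...}`) and runs the 3.1 to 3.4 patterns against constructed CloudTrail-style events. The events, the shortened 3.4 `eventName` list and the `aws.signin`-only variant of the 3.3 pattern are all assumptions made for this example; they are not real CloudTrail records. It shows two things the JSON alone does not: the `errorCode` `exists` pattern for 3.1 also fires on throttling errors (expect noise), and a root-usage pattern restricted to `source: aws.signin` never sees root API calls.

```python
"""Offline checker for the EventBridge event patterns above (added example).

Implements only the pattern operators used on this page: a list of exact
values, {"exists": true/false} and {"anything-but": scalar-or-list}.
All sample events are constructed for this example, not real CloudTrail data.
"""
import json
from typing import Any


def _matcher_hits(matcher: Any, value: Any) -> bool:
    """One matcher from a pattern list against one value that IS present."""
    if isinstance(matcher, dict):
        if "exists" in matcher:
            return matcher["exists"] is True      # field is present here
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return value not in excluded
        raise ValueError(f"unsupported matcher: {matcher}")
    return matcher == value                       # plain scalar: exact match


def matches(pattern: dict, event: dict) -> bool:
    """True if `event` satisfies every key of `pattern` (EventBridge AND-of-keys)."""
    for key, sub in pattern.items():
        present = isinstance(event, dict) and key in event
        if isinstance(sub, dict):                 # nested object: recurse
            if not present or not matches(sub, event[key]):
                return False
            continue
        if not present:                           # absent field only matches {"exists": false}
            if not any(isinstance(m, dict) and m.get("exists") is False for m in sub):
                return False
            continue
        values = event[key] if isinstance(event[key], list) else [event[key]]
        if not any(_matcher_hits(m, v) for m in sub for v in values):
            return False
    return True


# Patterns from the page (3.4's eventName list shortened for brevity; the
# "aws.signin only" 3.3 variant is an assumed, deliberately narrower pattern).
PATTERNS = {name: json.loads(text) for name, text in {
    "CIS 3.1 unauthorized API calls":
        '{"detail": {"errorCode": [{"exists": true}]}}',
    "CIS 3.2 console sign-in without MFA":
        '{"source": ["aws.signin"], "detail-type": ["AWS Console Sign In via CloudTrail"],'
        ' "detail": {"eventName": ["ConsoleLogin"],'
        ' "additionalEventData": {"MFAUsed": [{"anything-but": "Yes"}]}}}',
    "CIS 3.3 root usage":
        '{"detail": {"userIdentity": {"type": ["Root"], "invokedBy": [{"exists": false}]},'
        ' "eventType": [{"anything-but": ["AwsServiceEvent"]}]}}',
    "CIS 3.3 root usage (aws.signin only)":
        '{"source": ["aws.signin"], "detail": {"userIdentity": {"type": ["Root"],'
        ' "invokedBy": [{"exists": false}]}, "eventType": [{"anything-but": ["AwsServiceEvent"]}]}}',
    "CIS 3.4 IAM policy changes":
        '{"detail": {"eventSource": ["iam.amazonaws.com"],'
        ' "eventName": ["AttachUserPolicy", "PutUserPolicy", "DeletePolicy"]}}',
}.items()}

API_CALL = "AWS API Call via CloudTrail"
SIGN_IN = "AWS Console Sign In via CloudTrail"


def _cloudtrail_event(source: str, detail_type: str, **detail: Any) -> dict:
    """Shape of a CloudTrail record as EventBridge delivers it (constructed)."""
    return {"source": source, "detail-type": detail_type, "detail": detail}


SAMPLE_EVENTS = {
    "console login, no MFA": _cloudtrail_event(
        "aws.signin", SIGN_IN, eventName="ConsoleLogin", eventType="AwsConsoleSignIn",
        userIdentity={"type": "IAMUser"}, additionalEventData={"MFAUsed": "No"}),
    "console login, MFA": _cloudtrail_event(
        "aws.signin", SIGN_IN, eventName="ConsoleLogin", eventType="AwsConsoleSignIn",
        userIdentity={"type": "IAMUser"}, additionalEventData={"MFAUsed": "Yes"}),
    "root attaches policy via CLI": _cloudtrail_event(
        "aws.iam", API_CALL, eventSource="iam.amazonaws.com", eventName="AttachUserPolicy",
        eventType="AwsApiCall", userIdentity={"type": "Root"}),
    "service event on behalf of root": _cloudtrail_event(
        "aws.iam", API_CALL, eventSource="iam.amazonaws.com", eventName="CreateServiceLinkedRole",
        eventType="AwsServiceEvent", userIdentity={"type": "Root", "invokedBy": "AWS Internal"}),
    "throttled describe call": _cloudtrail_event(
        "aws.ec2", API_CALL, eventSource="ec2.amazonaws.com", eventName="DescribeInstances",
        eventType="AwsApiCall", errorCode="Client.RequestLimitExceeded",
        userIdentity={"type": "IAMUser"}),
    "successful describe call": _cloudtrail_event(
        "aws.ec2", API_CALL, eventSource="ec2.amazonaws.com", eventName="DescribeInstances",
        eventType="AwsApiCall", userIdentity={"type": "IAMUser"}),
}


def fired_rules(event: dict) -> list[str]:
    """Names of the patterns above that would fire for `event`, in PATTERNS order."""
    return [name for name, pattern in PATTERNS.items() if matches(pattern, event)]


if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:32} -> {fired_rules(event)}")
```

Running it prints which rules each sample event triggers: the throttled call fires 3.1 even though nothing was unauthorized, and the root CLI call is caught by the template's 3.3 pattern but not by the `aws.signin`-only variant. To add a new control, drop its JSON into `PATTERNS` and a representative event into `SAMPLE_EVENTS`.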