Sending Security Hub finding alerts (Findings) to email via EventBridge/SNS

September 9, 2020

Overview

Goal

Send finding alerts (Findings) from Security Hub to email.

Overall picture

The flow is Security Hub → EventBridge → SNS → Email.

  • Security Hub : manages the alerts (Findings) coming from each service
  • EventBridge : routes Security Hub events to SNS
  • SNS : delivers the events as email

For Amazon EventBridge, see the earlier article.

Amazon SNS (Simple Notification Service)

As the owner, you create a topic and define a policy that determines which publishers and subscribers may communicate with that topic.

  • Topic : a logical access point that groups multiple subscribers
  • Topic policy : controls which subscribers messages are delivered to
  • Subscriber : receives every message published to the topics it subscribes to

Messages are delivered to subscribers over one of the following supported protocols.

  • Amazon SQS
  • HTTPS
  • Email
  • SMS
  • Lambda

CloudFormation

Preparing the StackSet

Creating the SNS topic

Create the following AWS resources. The NotificationEmail parameter is passed in by the deploy command below, so the template declares it.

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  NotificationEmail:
    Type: String
    Description: Address that receives the Security Hub finding emails

Resources:
  SecurityHubTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub securityhub-topic-${AWS::AccountId}
      DisplayName: AWS Config Notification Topic

  # Email subscription; SNS sends a confirmation mail that must be accepted
  SecurityHubSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref SecurityHubTopic

  # Only EventBridge (events.amazonaws.com) may publish to this topic
  SecurityHubTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityHubTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: SecurityHubSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref SecurityHubTopic
            Principal:
              Service:
                - events.amazonaws.com

Deploy

aws --profile security-test-lac cloudformation create-stack-set \
--stack-set-name securityhub-mail-stackset \
--template-body file://securityhub_mail.yaml \
--parameters ParameterKey=NotificationEmail,ParameterValue=<notification-email> \
--administration-role-arn arn:aws:iam::111122223333:role/AWSCloudFormationStackSetAdministrationRole \
--execution-role-name AWSCloudFormationStackSetExecutionRole

An email titled "AWS Config Notification Topic" arrives, one for each registered region.

You have chosen to subscribe to the topic:
arn:aws:sns:eu-west-3:1111222333:securityhub-topic-511845121418

To confirm this subscription, click or visit the link below (If this was in error no action is necessary):
Confirm subscription

Please do not reply directly to this email. If you wish to remove yourself from receiving all future SNS subscription confirmation requests please send an email to sns-opt-out

Click the "Confirm subscription" link to complete the confirmation.

Creating the CloudWatch Events rule

Route messages to the SNS topic created above.

  SecurityHubRule:
    Type: AWS::Events::Rule
    Properties:
      Name: SecurityHub-Finding-To-Email
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - "Security Hub Findings - Imported"
      State: 'ENABLED'
      Targets:
        - Arn: !Ref SecurityHubTopic
          Id: TargetSNSTopic

Since the rule was added to the same file, run an UPDATE.

aws --profile security-test-lac cloudformation update-stack-set \
--stack-set-name securityhub-mail-stackset \
--template-body file://securityhub_mail.yaml \
--parameters ParameterKey=NotificationEmail,ParameterValue=<notification-email>

If everything is working, an email titled "AWS Notification Message" arrives.

{
    "version": "0",
    "id": "0027d10f-c9a3-67ba-c84a-e476f7e874cd",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "111122223333",
    "time": "2020-07-25T07:06:27Z",
    "region": "ap-southeast-2",
    "resources": [
        "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub/arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645"
    ],
    "detail": {
        "findings": [
            {
                "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub",
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
                ],
                "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
                "SchemaVersion": "2018-10-08",
                "Compliance": {
                    "Status": "FAILED",
                    "StatusReasons": [
                        {
                            "Description": "Multi region CloudTrail with the required configuration does not exist in the account",
                            "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"
                        }
                    ]
                },
                "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4",
                "FirstObservedAt": "2020-07-25T07:05:38.190Z",
                "CreatedAt": "2020-07-25T07:05:38.190Z",
                "RecordState": "ACTIVE",
                "Title": "3.4 Ensure a log metric filter and alarm exist for IAM policy changes",
                "Workflow": {
                    "Status": "NEW"
                },
                "LastObservedAt": "2020-07-25T07:06:12.243Z",
                "Severity": {
                    "Normalized": 40,
                    "Label": "MEDIUM",
                    "Product": 40,
                    "Original": "MEDIUM"
                },
                "UpdatedAt": "2020-07-25T07:05:38.190Z",
                "WorkflowState": "NEW",
                "ProductFields": {
                    "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                    "StandardsGuideSubscriptionArn": "arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
                    "RuleId": "3.4",
                    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation",
                    "StandardsControlArn": "arn:aws:securityhub:ap-southeast-2:111122223333:control/cis-aws-foundations-benchmark/v/1.2.0/3.4",
                    "aws/securityhub/SeverityLabel": "MEDIUM",
                    "aws/securityhub/ProductName": "Security Hub",
                    "aws/securityhub/CompanyName": "AWS",
                    "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
                    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub/arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645"
                },
                "AwsAccountId": "111122223333",
                "Id": "arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645",
                "Remediation": {
                    "Recommendation": {
                        "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
                        "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation"
                    }
                },
                "Resources": [
                    {
                        "Partition": "aws",
                        "Type": "AwsAccount",
                        "Region": "ap-southeast-2",
                        "Id": "AWS::::Account:111122223333"
                    }
                ]
            }
        ]
    }
}
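The "Security Hub Findings - Imported" rule matches every import, including updates to findings that are already archived or passing, and the email carries the whole JSON above. The following is an added example (not code from the original post) of the filtering and summarising a practitioner would want before mailing; the sample event uses the field names from the event above with constructed values, and the severity threshold and status checks are assumptions.

```python
# Constructed sample finding in the shape Security Hub puts on the event bus
# (the post above shows a full one); values are made up for this example.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "111122223333",
    "region": "ap-southeast-2",
    "detail": {"findings": [{
        "Title": "3.4 Ensure a log metric filter and alarm exist for IAM policy changes",
        "Severity": {"Label": "MEDIUM", "Normalized": 40},
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
    }]},
}

# Security Hub severity labels, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def should_notify(finding, min_severity="MEDIUM"):
    """Apply the filters a tighter EventBridge pattern would: severity at or
    above the threshold, record still ACTIVE, workflow still NEW, not PASSED."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    rank = SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0
    if rank < SEVERITY_ORDER.index(min_severity):
        return False
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return False
    return finding.get("Compliance", {}).get("Status") != "PASSED"


def summarize(event, min_severity="MEDIUM"):
    """Return one readable line per notifiable finding instead of the raw JSON."""
    lines = []
    for f in event["detail"]["findings"]:
        if not should_notify(f, min_severity):
            continue
        resources = ", ".join(r["Id"] for r in f.get("Resources", []))
        lines.append(
            f"[{f['Severity']['Label']}] {f['Title']} "
            f"({f.get('Compliance', {}).get('Status', 'N/A')}) "
            f"account={event['account']} region={event['region']} resources={resources}"
        )
    return lines
```

The same checks can be pushed into the rule's EventPattern (detail.findings.Severity.Label, RecordState, Workflow.Status) so that SNS never sees the noise in the first place.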

References

Detecting and notifying security events from Security Hub

Automating AWS Security Hub with CloudWatch Events