Overview
Goal
I want to send Security Hub findings (alerts) to email.
Architecture
The flow is Security Hub → EventBridge → SNS → Email.
- Security Hub: manages the findings (alerts) reported by each service
- EventBridge: routes Security Hub events to SNS
- SNS: delivers the events as email
For Amazon EventBridge, see the earlier article.
Amazon SNS (Simple Notification Service)
As the owner, you create a topic and define a policy that decides which publishers and subscribers may communicate with that topic.
- Topic: a logical access point that groups multiple subscribers
- Topic policy: the setting that controls which subscribers messages are delivered to
- Subscriber: receives every message published to the topics it subscribes to
Messages are delivered to the various services using one of the supported protocols below.
- Amazon SQS
- HTTPS
- SMS
- Lambda
CloudFormation
Preparing the StackSet
Creating the SNS topic
Create the following AWS resources.
SecurityHubTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: !Sub securityhub-topic-${AWS::AccountId}
    DisplayName: AWS Config Notification Topic
SecurityHubSubscription:
  Type: AWS::SNS::Subscription
  Properties:
    Endpoint: !Ref NotificationEmail
    Protocol: email
    TopicArn: !Ref SecurityHubTopic
SecurityHubTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - !Ref SecurityHubTopic
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: SecurityHubSNSPolicy
          Action:
            - sns:Publish
          Effect: Allow
          Resource: !Ref SecurityHubTopic
          Principal:
            Service:
              - events.amazonaws.com
Deploy
aws --profile security-test-lac cloudformation create-stack-set \
  --stack-set-name securityhub-mail-stackset \
  --template-body file://securityhub_mail.yaml \
  --parameters ParameterKey=NotificationEmail,ParameterValue=[email protected] \
  --administration-role-arn arn:aws:iam::111122223333:role/AWSCloudFormationStackSetAdministrationRole \
  --execution-role-name AWSCloudFormationStackSetExecutionRole
An email titled "AWS Config Notification Topic" arrives, one for each region you registered.
You have chosen to subscribe to the topic:
arn:aws:sns:eu-west-3:1111222333:securityhub-topic-511845121418
To confirm this subscription, click or visit the link below (If this was in error no action is necessary):
Confirm subscription
Please do not reply directly to this email. If you wish to remove yourself from receiving all future SNS subscription confirmation requests please send an email to sns-opt-out
Click the "Confirm subscription" link to complete the confirmation.
Creating the CloudWatch Events rule
Route the events to the SNS topic created above.
SecurityHubRule:
  Type: AWS::Events::Rule
  Properties:
    Name: SecurityHub-Finding-To-Email
    EventPattern:
      source:
        - aws.securityhub
      detail-type:
        - "Security Hub Findings - Imported"
    State: 'ENABLED'
    Targets:
      - Arn: !Ref SecurityHubTopic
        Id: TargetSNSTopic
Since the rule was added to the same file, run an UPDATE on the stack set.
aws --profile security-test-lac cloudformation update-stack-set \
  --stack-set-name securityhub-mail-stackset \
  --template-body file://securityhub_mail.yaml \
  --parameters ParameterKey=NotificationEmail,ParameterValue=[email protected]
If everything is working, an email titled "AWS Notification Message" arrives.
{
  "version": "0",
  "id": "0027d10f-c9a3-67ba-c84a-e476f7e874cd",
  "detail-type": "Security Hub Findings - Imported",
  "source": "aws.securityhub",
  "account": "111122223333",
  "time": "2020-07-25T07:06:27Z",
  "region": "ap-southeast-2",
  "resources": [
    "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub/arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645"
  ],
  "detail": {
    "findings": [
      {
        "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub",
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
        ],
        "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
        "SchemaVersion": "2018-10-08",
        "Compliance": {
          "Status": "FAILED",
          "StatusReasons": [
            {
              "Description": "Multi region CloudTrail with the required configuration does not exist in the account",
              "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"
            }
          ]
        },
        "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4",
        "FirstObservedAt": "2020-07-25T07:05:38.190Z",
        "CreatedAt": "2020-07-25T07:05:38.190Z",
        "RecordState": "ACTIVE",
        "Title": "3.4 Ensure a log metric filter and alarm exist for IAM policy changes",
        "Workflow": {
          "Status": "NEW"
        },
        "LastObservedAt": "2020-07-25T07:06:12.243Z",
        "Severity": {
          "Normalized": 40,
          "Label": "MEDIUM",
          "Product": 40,
          "Original": "MEDIUM"
        },
        "UpdatedAt": "2020-07-25T07:05:38.190Z",
        "WorkflowState": "NEW",
        "ProductFields": {
          "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
          "StandardsGuideSubscriptionArn": "arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
          "RuleId": "3.4",
          "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation",
          "StandardsControlArn": "arn:aws:securityhub:ap-southeast-2:111122223333:control/cis-aws-foundations-benchmark/v/1.2.0/3.4",
          "aws/securityhub/SeverityLabel": "MEDIUM",
          "aws/securityhub/ProductName": "Security Hub",
          "aws/securityhub/CompanyName": "AWS",
          "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
          "aws/securityhub/FindingId": "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub/arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645"
        },
        "AwsAccountId": "111122223333",
        "Id": "arn:aws:securityhub:ap-southeast-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/44b48891-0d82-4c27-b232-62da10c63645",
        "Remediation": {
          "Recommendation": {
            "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
            "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation"
          }
        },
        "Resources": [
          {
            "Partition": "aws",
            "Type": "AwsAccount",
            "Region": "ap-southeast-2",
            "Id": "AWS::::Account:111122223333"
          }
        ]
      }
    ]
  }
}
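The event above is what the rule from the CloudWatch Events section matches on. As an added example (not code from this article or from AWS), here is a simplified Python model of EventBridge exact-match pattern semantics run against a constructed event condensed from the one above; the tightened pattern is my own suggestion, because the rule as written forwards every imported finding, including passing checks and re-imports of findings already seen.

```python
import json
# Minimal model of EventBridge exact-match semantics (added example, not AWS
# code): every pattern key must exist in the event, and the event value, or at
# least one element when it is a list, must equal one of the listed values.
def matches(pattern, event):
    for key, allowed in pattern.items():
        if key not in event:
            return False
        found = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(allowed, dict):  # nested pattern: descend into objects
            ok = any(isinstance(v, dict) and matches(allowed, v) for v in found)
        else:  # leaf: list of allowed literal values
            ok = any(v in allowed for v in found)
        if not ok:
            return False
    return True

# The rule deployed on this page: every imported finding is forwarded to SNS.
RULE_FROM_PAGE = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Tightened variant (my suggestion, not from the page): only NEW, FAILED,
# HIGH or CRITICAL findings reach the mailbox; passes and updates are dropped.
TIGHTENED = dict(RULE_FROM_PAGE, detail={"findings": {
    "Compliance": {"Status": ["FAILED"]},
    "Severity": {"Label": ["HIGH", "CRITICAL"]},
    "Workflow": {"Status": ["NEW"]},
}})

# Constructed sample event, condensed from the finding shown on this page.
SAMPLE_EVENT = json.loads("""{
  "version": "0", "source": "aws.securityhub",
  "detail-type": "Security Hub Findings - Imported",
  "account": "111122223333", "region": "ap-southeast-2",
  "detail": {"findings": [{
    "Title": "3.4 Ensure a log metric filter and alarm exist for IAM policy changes",
    "Compliance": {"Status": "FAILED"},
    "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "Workflow": {"Status": "NEW"}
  }]}
}""")

def with_severity(event, label):
    # Deep copy with every finding's severity label replaced (for what-if checks).
    clone = json.loads(json.dumps(event))
    for finding in clone["detail"]["findings"]:
        finding["Severity"]["Label"] = label
    return clone
```

The page's rule matches the MEDIUM finding and would email it; the tightened pattern only matches once the same finding is HIGH or CRITICAL.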