Analyzing logs in an existing S3 bucket with SIEM on Amazon ES deployed in a VPC
I'm already collecting logs in an S3 bucket, but can't SIEM on Amazon ES analyze them as they are?
Hello, this is のんピ.
Last time, I posted the following article.
It covered storing CloudTrail, VPC Flow Logs and FSx for Windows File Server file access audit logs in the log collection S3 bucket created by the SIEM on Amazon ES stack, and visualizing them.
Looking at the diagram from the AWS official documentation below, you can see there are three patterns for getting data into the log collection S3 bucket.
Excerpt: SIEM on Amazon Elasticsearch Service - Architecture
1. Use Kinesis Data Firehose to forward logs to the log collection S3 bucket
2. Point each service's log output destination at the log collection S3 bucket
3. Replicate objects from an existing S3 bucket to the log collection S3 bucket
So which method should you choose if you already aggregate logs in an S3 bucket?
Changing the output destination of every log, as in 1 and 2, is a hassle, so you'd want something easier.
This time I'll go with 3, replicating objects from an existing S3 bucket to the log collection S3 bucket, to load historical logs into SIEM on Amazon ES.
In fact, you can also import an existing S3 bucket as the SIEM on Amazon ES log collection S3 bucket.
The official documentation says the following.
Import an S3 bucket you already own into the SIEM on Amazon ES CloudFormation stack and manage it with AWS CDK. An S3 bucket policy is added or modified for log ingestion. Note that the S3 bucket policy and other bucket settings will be overwritten. This can only be configured during the initial installation of SIEM on Amazon ES. If you want to send logs from an existing S3 bucket to SIEM on Amazon ES while continuing to manage the S3 bucket policy and so on yourself, skip this step.
The sentence "Note that the S3 bucket policy and other bucket settings will be overwritten." deserves real attention. The fact that the bucket then has to be managed with AWS CDK is another key point.
This time I'll create an S3 bucket holding the following logs and have SIEM on Amazon ES read the logs in that bucket.
- CloudTrail
- Security Hub
- /var/log/messages from Amazon Linux 2
Summary up front
- Importing an existing S3 bucket lets you ingest historical logs, but be careful: it comes with constraints such as changes to the S3 bucket policy and the need to manage the bucket with AWS CDK
- If you just want to try out SIEM on Amazon ES, replicating to the SIEM on Amazon ES log collection S3 bucket with Same-Region Replication may be the better choice
Test environment
The environment used for verification is as follows.
I'll verify the following patterns for loading logs from an existing S3 bucket into SIEM on Amazon ES.
- Use Same-Region Replication (SRR) to replicate the logs in the existing S3 bucket to the SIEM on Amazon ES log collection S3 bucket
- Use AWS DataSync to replicate the logs in the existing S3 bucket to the SIEM on Amazon ES log collection S3 bucket
- Import the existing S3 bucket into SIEM on Amazon ES
Deploying the resources that output logs
AWS CDK configuration
Deploy
First, I'll build the environment that outputs CloudTrail, Security Hub and other logs with AWS CDK.
The directory layout of the AWS CDK project is as follows.
```
> tree .
├── .gitignore
├── .npmignore
├── README.md
├── bin
│   └── log-resorce.ts
├── cdk.context.json
├── cdk.json
├── jest.config.js
├── lib
│   └── log-resorce-stack.ts
├── package-lock.json
├── package.json
├── src
│   ├── cloudWatch
│   │   └── AmazonCloudWatch-linux.json
│   ├── ec2
│   │   └── userDataAmazonLinux2.sh
│   └── lambda
│       └── functions
│           ├── add-newline-to-json.ts
│           ├── package-lock.json
│           └── package.json
├── test
│   └── log-resorce.test.ts
└── tsconfig.json

8 directories, 17 files
```
The main file is ./lib/log-resorce-stack.ts, where all the resources are created.
The rough flow of ./lib/log-resorce-stack.ts is as follows.
- Create the S3 bucket for log collection
- Declare the Lambda function that appends a newline to each Security Hub finding record
- Create the CloudWatch Logs log group for /var/log/messages from Amazon Linux 2
- Create the IAM role for SSM
- Create the IAM roles for Kinesis Data Firehose
  - One for delivering Security Hub findings to the S3 bucket
  - One for delivering /var/log/messages from Amazon Linux 2, via CloudWatch Logs, to the S3 bucket
- Create the Kinesis Data Firehose delivery streams
  - One for delivering Security Hub findings to the S3 bucket
  - One for delivering /var/log/messages from Amazon Linux 2, via CloudWatch Logs, to the S3 bucket
- Configure CloudTrail
- Configure GuardDuty
- Configure IAM Access Analyzer
- Configure Security Hub
- Create the VPC
- Create the security group attached to the EC2 instance used for port forwarding when accessing Kibana
- Create the EC2 instance
- Load the CloudWatch Agent configuration file
The actual code is as follows.
```typescript
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
import * as logs from "@aws-cdk/aws-logs";
import * as lambda from "@aws-cdk/aws-lambda";
import * as nodejs from "@aws-cdk/aws-lambda-nodejs";
import * as iam from "@aws-cdk/aws-iam";
import * as kinesisfirehose from "@aws-cdk/aws-kinesisfirehose";
import * as cloudtrail from "@aws-cdk/aws-cloudtrail";
import * as guardduty from "@aws-cdk/aws-guardduty";
import * as securityhub from "@aws-cdk/aws-securityhub";
import * as accessanalyzer from "@aws-cdk/aws-accessanalyzer";
import * as events from "@aws-cdk/aws-events";
import * as eventsTargets from "@aws-cdk/aws-events-targets";
import * as ec2 from "@aws-cdk/aws-ec2";
import * as ssm from "@aws-cdk/aws-ssm";
import * as fs from "fs";

export class LogResorceStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Declare AWS account ID, region and stackName.
    const { accountId, region, stackName } = new cdk.ScopedAws(this);

    // My IP address (read from cdk.context.json)
    const myIpAddress: string = this.node.tryGetContext("myIpAddress");

    // S3 Bucket for centralized log
    const centralizedBucket = new s3.Bucket(this, "CentralizedBucket", {
      encryption: s3.BucketEncryption.S3_MANAGED,
      versioned: true,
      blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls: true,
        blockPublicPolicy: true,
        ignorePublicAcls: true,
        restrictPublicBuckets: true,
      }),
      lifecycleRules: [
        {
          enabled: true,
          expiration: cdk.Duration.days(10),
          noncurrentVersionExpiration: cdk.Duration.days(10),
        },
      ],
    });

    // Lambda Function to add a new line to json
    const addNewLineToJsonFunction = new nodejs.NodejsFunction(
      this,
      "AddNewLineToJsonFunction",
      {
        entry: "src/lambda/functions/add-newline-to-json.ts",
        runtime: lambda.Runtime.NODEJS_14_X,
        bundling: {
          minify: true,
        },
        timeout: cdk.Duration.seconds(180),
      }
    );

    // Create CloudWatch Logs log group for Linux OS log
    const linuxOsLogGroup = new logs.LogGroup(this, "LinuxOsLogGroup", {
      retention: logs.RetentionDays.THREE_DAYS,
      logGroupName: "/var/log/messages",
    });

    // Create SSM IAM role
    const ssmIamRole = new iam.Role(this, "SsmIamRole", {
      assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName(
          "AmazonSSMManagedInstanceCore"
        ),
        iam.ManagedPolicy.fromAwsManagedPolicyName(
          "CloudWatchAgentAdminPolicy"
        ),
      ],
    });

    // Create Delivery Stream IAM role
    const deliveryStreamIamRole = new iam.Role(this, "DeliveryStreamIamRole", {
      assumedBy: new iam.ServicePrincipal("firehose.amazonaws.com"),
    });

    // Create Delivery Stream IAM Policy
    const deliveryStreamIamPolicy = new iam.Policy(
      this,
      "DeliveryStreamIamPolicy",
      {
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:PassRole"],
            resources: [deliveryStreamIamRole.roleArn],
          }),
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              "s3:AbortMultipartUpload",
              "s3:GetBucketLocation",
              "s3:GetObject",
              "s3:ListBucket",
              "s3:ListBucketMultipartUploads",
              "s3:PutObject",
            ],
            resources: [
              centralizedBucket.bucketArn,
              `${centralizedBucket.bucketArn}/*`,
            ],
          }),
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              "lambda:InvokeFunction",
              "lambda:GetFunctionConfiguration",
            ],
            resources: [addNewLineToJsonFunction.functionArn],
          }),
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["logs:PutLogEvents"],
            resources: [
              `arn:aws:logs:${region}:${accountId}:log-group:/aws/kinesisfirehose/*:log-stream:*`,
            ],
          }),
        ],
      }
    );

    // Attach Delivery Stream IAM Policy
    deliveryStreamIamRole.attachInlinePolicy(deliveryStreamIamPolicy);

    // Create Kinesis Firehose subscription filter IAM role
    const deliveryStreamSubscriptionIamRole = new iam.Role(
      this,
      "DeliveryStreamSubscriptionIamRole",
      {
        assumedBy: new iam.ServicePrincipal(`logs.${region}.amazonaws.com`),
      }
    );

    // Create Kinesis Firehose subscription filter IAM Policy
    const deliveryStreamSubscriptionIamPolicy = new iam.Policy(
      this,
      "DeliveryStreamSubscriptionIamPolicy",
      {
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:PassRole"],
            resources: [deliveryStreamSubscriptionIamRole.roleArn],
          }),
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              "firehose:DescribeDeliveryStream",
              "firehose:PutRecord",
              "firehose:PutRecordBatch",
            ],
            resources: [
              `arn:aws:firehose:${region}:${accountId}:deliverystream/*`,
            ],
          }),
        ],
      }
    );

    // Attach Kinesis Firehose subscription filter IAM Policy
    deliveryStreamSubscriptionIamRole.attachInlinePolicy(
      deliveryStreamSubscriptionIamPolicy
    );

    // Create Delivery Stream for Security Hub findings to S3 Bucket
    const securityHubFindingsDeliveryStream =
      new kinesisfirehose.CfnDeliveryStream(
        this,
        "SecurityHubFindingsDeliveryStream",
        {
          deliveryStreamName: `firehose-securityhub-${stackName}`,
          deliveryStreamType: "DirectPut",
          extendedS3DestinationConfiguration: {
            bucketArn: centralizedBucket.bucketArn,
            roleArn: deliveryStreamIamRole.roleArn,
            compressionFormat: "GZIP",
            prefix: `AWSLogs/${accountId}/SecurityHub/${region}/`,
            errorOutputPrefix: `AWSLogs/${accountId}/SecurityHub/${region}/error/`,
            // Run the Lambda above on every record before it is written to S3
            processingConfiguration: {
              enabled: true,
              processors: [
                {
                  type: "Lambda",
                  parameters: [
                    {
                      parameterName: "LambdaArn",
                      parameterValue: addNewLineToJsonFunction.functionArn,
                    },
                  ],
                },
              ],
            },
          },
        }
      );

    // Create Delivery Stream for Linux OS Log to S3 Bucket
    const linuxOsLogsDeliveryStream = new kinesisfirehose.CfnDeliveryStream(
      this,
      "LinuxOsLogsDeliveryStream",
      {
        deliveryStreamName: `firehose-linux-os-${stackName}`,
        deliveryStreamType: "DirectPut",
        extendedS3DestinationConfiguration: {
          bucketArn: centralizedBucket.bucketArn,
          roleArn: deliveryStreamIamRole.roleArn,
          prefix: `AWSLogs/${accountId}/EC2/Linux/${region}/`,
          errorOutputPrefix: `AWSLogs/${accountId}/EC2/Linux/${region}/error/`,
        },
      }
    );

    // Enable CloudTrail
    new cloudtrail.Trail(this, "CloudTrail", {
      bucket: centralizedBucket,
    });

    // Enable GuardDuty
    new guardduty.CfnDetector(this, "Guardduty", {
      enable: true,
      findingPublishingFrequency: "FIFTEEN_MINUTES",
    });

    // Enable IAM Access Analyzer
    new accessanalyzer.CfnAnalyzer(this, "AccessAnalyzer", {
      type: "ACCOUNT",
    });

    // Enable Security Hub
    new securityhub.CfnHub(this, "Securityhub");

    // Deliver Security Hub events to the delivery stream
    const deliveryEventSecurityHubFindings = new events.Rule(
      this,
      "DeliveryEventSecurityHubFindings",
      {
        eventPattern: {
          source: ["aws.securityhub"],
          detailType: ["Security Hub Findings - Imported"],
        },
      }
    );
    deliveryEventSecurityHubFindings.addTarget(
      new eventsTargets.KinesisFirehoseStream(securityHubFindingsDeliveryStream)
    );

    // Subscription filter: CloudWatch Logs -> Kinesis Data Firehose
    new logs.CfnSubscriptionFilter(this, "DeliveryStreamSubscription", {
      logGroupName: linuxOsLogGroup.logGroupName,
      destinationArn: linuxOsLogsDeliveryStream.attrArn,
      filterPattern: " ",
      roleArn: deliveryStreamSubscriptionIamRole.roleArn,
    });

    // Create VPC
    const vpc = new ec2.Vpc(this, "Vpc", {
      cidr: "10.0.0.0/16",
      enableDnsHostnames: true,
      enableDnsSupport: true,
      natGateways: 1,
      maxAzs: 3,
      subnetConfiguration: [
        { name: "Public", subnetType: ec2.SubnetType.PUBLIC, cidrMask: 24 },
        { name: "Private", subnetType: ec2.SubnetType.PRIVATE, cidrMask: 24 },
      ],
    });

    // Security Group (SSH allowed only from my IP address)
    const ec2InstanceSg = new ec2.SecurityGroup(this, "Ec2InstanceSg", {
      allowAllOutbound: true,
      vpc: vpc,
    });
    ec2InstanceSg.addIngressRule(
      ec2.Peer.ipv4(myIpAddress),
      ec2.Port.tcp(22),
      "allow ssh"
    );

    // User data for Amazon Linux 2
    const userDataParameter = fs.readFileSync(
      "./src/ec2/userDataAmazonLinux2.sh",
      "utf8"
    );
    const userDataAmazonLinux2 = ec2.UserData.forLinux({
      shebang: "#!/bin/bash",
    });
    userDataAmazonLinux2.addCommands(userDataParameter);

    // Create EC2 instance
    new ec2.Instance(this, `Ec2Instance`, {
      machineImage: ec2.MachineImage.latestAmazonLinux({
        generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
      }),
      instanceType: new ec2.InstanceType("t3.micro"),
      vpc: vpc,
      vpcSubnets: vpc.selectSubnets({
        subnetGroupName: "Public",
      }),
      securityGroup: ec2InstanceSg,
      role: ssmIamRole,
      userData: userDataAmazonLinux2,
      keyName: this.node.tryGetContext("key-pair"),
    });

    // Read CloudWatch parameters for Linux
    const cloudWatchParameter = fs.readFileSync(
      "./src/cloudWatch/AmazonCloudWatch-linux.json",
      "utf8"
    );

    // Create a new SSM Parameter for CloudWatch
    new ssm.StringParameter(this, "CloudWatchParameter", {
      description: "CloudWatch parameters for Linux",
      parameterName: "AmazonCloudWatch-linux",
      stringValue: cloudWatchParameter,
    });
  }
}
```
Also, when creating subnets in three or more AZs with AWS CDK, you need to specify the AWS account ID and region name, as described in the article below.
So I pass the AWS account ID and region name through environment variables, like this.
```typescript
#!/usr/bin/env node
import "source-map-support/register";
import * as cdk from "@aws-cdk/core";
import { LogResorceStack } from "../lib/log-resorce-stack";

const app = new cdk.App();
new LogResorceStack(app, "LogResorceStack", {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION,
  },
});
```
Next, a note on the Lambda function created for this setup.
When JSON objects are sent through Kinesis Data Firehose, multiple JSON objects end up stored on a single line.
Q8. I want to forward CloudWatch Logs to S3 with Amazon Kinesis Firehose and analyze them with Athena, but going through Kinesis Firehose seems to store multiple JSON objects on one line, like {json}{json}. How can I analyze this data efficiently in Athena?? A8. Amazon Kinesis Firehose has a feature to perform Data Transformation with AWS Lambda, so use that to convert the data into the desired format.
So I use the following Lambda function to append a newline after each JSON object in the Security Hub findings.
```typescript
import { Context, Callback } from "aws-lambda";

// One record as handed over by Kinesis Data Firehose (data is base64-encoded)
interface FirehoseRecord {
  recordId: string;
  approximateArrivalTimestamp?: string;
  result?: string;
  data: string;
}

interface OutputRecords {
  records: FirehoseRecord[];
}

// Function to add a new line to json.
const addNewLineToJson = async (record: FirehoseRecord): Promise<FirehoseRecord> => {
  const payload: string = Buffer.from(record.data, "base64").toString("utf-8");
  console.log("Decoded payload:", payload);

  // Re-encode the payload with a trailing newline and mark the record Ok
  return {
    recordId: record.recordId,
    result: "Ok",
    data: Buffer.from(payload + "\n", "utf8").toString("base64"),
  };
};

// main
export const handler = async (
  event: any,
  context: Context,
  callback: Callback
): Promise<OutputRecords> => {
  console.log(event);

  /* Process the list of records and transform them */
  const output: FirehoseRecord[] = await Promise.all(
    event.records.map(async (record: FirehoseRecord) => {
      return await addNewLineToJson(record);
    })
  );

  console.log(`Processing completed.`);
  console.log("output");
  console.log(output);

  return { records: output };
};
```
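As an added example (not the article's code), here is a stricter variant of the same Firehose transformation together with a simulation of what Firehose then writes to S3: it validates each record before marking it Ok, so a malformed payload is routed to errorOutputPrefix instead of breaking the one-object-per-line file, and it never produces a blank line when a producer already terminated the record with a newline. All function names and the sample records are hypothetical and constructed here.

```typescript
// Added example, not the article's code: a stricter version of the Firehose
// transformation Lambda. All names here are hypothetical.
// Firehose hands the Lambda a batch of base64-encoded records and later
// concatenates the returned "data" fields byte-for-byte into one S3 object,
// so the newline delimiter has to come from the transform itself.

interface FirehoseRecord {
  recordId: string;
  approximateArrivalTimestamp?: number;
  data: string; // base64-encoded payload
}

interface TransformedRecord {
  recordId: string;
  result: "Ok" | "Dropped" | "ProcessingFailed";
  data: string; // base64-encoded payload
}

interface FirehoseEvent {
  records: FirehoseRecord[];
}

// Decode one record, require that it is a single valid JSON document, then
// append exactly one trailing newline and re-encode. A malformed payload is
// returned as ProcessingFailed so Firehose writes it under errorOutputPrefix
// instead of corrupting the NDJSON object that SIEM on Amazon ES will read.
export function transformRecord(record: FirehoseRecord): TransformedRecord {
  const payload = Buffer.from(record.data, "base64").toString("utf8");
  try {
    JSON.parse(payload);
  } catch {
    return { recordId: record.recordId, result: "ProcessingFailed", data: record.data };
  }
  // Strip any newline the producer already added so no record yields a blank line.
  const line = payload.replace(/\r?\n+$/, "") + "\n";
  return {
    recordId: record.recordId,
    result: "Ok",
    data: Buffer.from(line, "utf8").toString("base64"),
  };
}

// Lambda entry point, same request/response shape as the handler on the page.
export async function handler(event: FirehoseEvent): Promise<{ records: TransformedRecord[] }> {
  return { records: event.records.map(transformRecord) };
}

// Mimics Firehose's delivery step: Ok records are concatenated with no
// delimiter of Firehose's own. Returns what the S3 object body would contain.
export function simulateFirehoseDelivery(records: TransformedRecord[]): string {
  return records
    .filter((r) => r.result === "Ok")
    .map((r) => Buffer.from(r.data, "base64").toString("utf8"))
    .join("");
}

// Reader for the delivered object: one JSON object per non-empty line.
export function parseNdjson(body: string): Array<Record<string, unknown>> {
  return body
    .split("\n")
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line) as Record<string, unknown>);
}

// Constructed sample batch: two Security-Hub-shaped events (the second one
// already newline-terminated) plus one deliberately truncated record.
const b64 = (s: string): string => Buffer.from(s, "utf8").toString("base64");
export const sampleEvent: FirehoseEvent = {
  records: [
    {
      recordId: "r1",
      data: b64('{"source":"aws.securityhub","detail":{"findings":[{"Title":"2.5 Ensure AWS Config is enabled","Severity":{"Label":"MEDIUM"}}]}}'),
    },
    {
      recordId: "r2",
      data: b64('{"source":"aws.securityhub","detail":{"findings":[{"Title":"3.1 Ensure a log metric filter and alarm exist for unauthorized API calls","Severity":{"Label":"LOW"}}]}}\n'),
    },
    { recordId: "r3", data: b64('{"source":"aws.securityhub","detail":{"findings":[') },
  ],
};

// Runs the whole pipeline on the sample batch and reports the per-record
// results and how many clean NDJSON lines reached "S3".
export async function demo(): Promise<{ results: string[]; lines: number }> {
  const out = await handler(sampleEvent);
  const body = simulateFirehoseDelivery(out.records);
  return { results: out.records.map((r) => r.result), lines: parseNdjson(body).length };
}

demo().then((r) => console.log(JSON.stringify(r)));
```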
After that, running cdk deploy deploys all the resources.
Configuring CloudWatch Logs
I want /var/log/messages sent to CloudWatch Logs, so the CloudWatch Agent has to be configured on the EC2 instance.
The setup followed the same steps as the "Installing and configuring the CloudWatch Agent" section of the article below.
After running it, /var/log/messages was being output to CloudWatch Logs as shown below.
Checking the logs output to the S3 bucket
Now let's check whether each type of log is being written to the S3 bucket.
Looking at the target S3 bucket, it appeared as follows, and the logs were being output correctly.
Opening one of the Security Hub logs as a test, each JSON object was on its own line, as intended.
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8","RecordState":"ACTIVE","Title":"3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.934Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/273e096a-6cb6-497a-9a01-c7d465b6e7cf","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"44692fef-f097-5481-d313-0b2e7a11c65e","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:41Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/30601880-d776-49e5-9cd9-acb033b0b4e6"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for root login attempts.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.890Z","CreatedAt":"2021-04-20T02:33:26.890Z","LastObservedAt":"2021-07-04T11:07:36.597Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.3","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.3","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/30601880-d776-49e5-9cd9-acb033b0b4e6"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3","RecordState":"ACTIVE","Title":"3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.933Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/30601880-d776-49e5-9cd9-acb033b0b4e6","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"9df4f143-72d5-5675-ff37-389c9e8b8e4a","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:41Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/bbb97a8a-b3c8-474f-8b32-383b756133eb"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. 
It is recommended that a metric filter and alarm be established for changes to route tables.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.889Z","CreatedAt":"2021-04-20T02:33:26.889Z","LastObservedAt":"2021-07-04T11:07:36.577Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.13","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.13","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/bbb97a8a-b3c8-474f-8b32-383b756133eb"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13","RecordState":"ACTIVE","Title":"3.13 Ensure a log metric filter and alarm exist for route table changes","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.929Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/bbb97a8a-b3c8-474f-8b32-383b756133eb","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"da9553c6-768b-5af3-8a30-46e4dd512f2c","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/b859b7aa-958e-4d19-9b9d-c4807c7f35fa"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.890Z","CreatedAt":"2021-04-20T02:33:26.890Z","LastObservedAt":"2021-07-04T11:07:36.694Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.9","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.9","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/b859b7aa-958e-4d19-9b9d-c4807c7f35fa"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9","RecordState":"ACTIVE","Title":"3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.934Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/b859b7aa-958e-4d19-9b9d-c4807c7f35fa","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"a6efc655-6f6a-4ab1-7dfe-5f4fff36f7fc","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/4f1fb97c-9166-4733-9c89-9dc847ce9431"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.889Z","CreatedAt":"2021-04-20T02:33:26.889Z","LastObservedAt":"2021-07-04T11:07:37.162Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.12","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.12","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/4f1fb97c-9166-4733-9c89-9dc847ce9431"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12","RecordState":"ACTIVE","Title":"3.12 Ensure a log metric filter and alarm exist for changes to network gateways","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.929Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/4f1fb97c-9166-4733-9c89-9dc847ce9431","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"67e8daee-f962-91c7-f0f2-bab3d4395156","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/22b5706b-fddb-47e6-8657-05eca393fab7"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.890Z","CreatedAt":"2021-04-20T02:33:26.890Z","LastObservedAt":"2021-07-04T11:07:37.161Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.14","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.14","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/22b5706b-fddb-47e6-8657-05eca393fab7"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14","RecordState":"ACTIVE","Title":"3.14 Ensure a log metric filter and alarm exist for VPC changes","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.933Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/22b5706b-fddb-47e6-8657-05eca393fab7","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"29ac49ff-96ec-4864-a474-32cd93cee439","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/24cdc2c5-a866-4c6e-b72c-fe0207cc2a03"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. 
It is recommended that a metric filter and alarm be established for changes made to NACLs.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.889Z","CreatedAt":"2021-04-20T02:33:26.889Z","LastObservedAt":"2021-07-04T11:07:36.553Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.11","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.11","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/24cdc2c5-a866-4c6e-b72c-fe0207cc2a03"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11","RecordState":"ACTIVE","Title":"3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.929Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/24cdc2c5-a866-4c6e-b72c-fe0207cc2a03","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"d2a7b223-81a6-54d2-7466-33b6e55b4bd2","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/cba3d059-9c51-41be-972b-796e9b3b90ac"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.","Compliance":{"Status":"FAILED","StatusReasons":[{"Description":"Multi region CloudTrail with the required configuration does not exist in the account","ReasonCode":"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"}]},"ProductName":"Security Hub","FirstObservedAt":"2021-04-20T02:33:26.889Z","CreatedAt":"2021-04-20T02:33:26.889Z","LastObservedAt":"2021-07-04T11:07:36.508Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"}},"ProductFields":{"StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0","StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0","RuleId":"3.10","RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation","StandardsControlArn":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/cis-aws-foundations-benchmark/v/1.2.0/3.10","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"Multi region CloudTrail with the required configuration does not exist in the account","Resources:0/Id":"arn:aws:iam::<AWSアカウントID>:root","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/cba3d059-9c51-41be-972b-796e9b3b90ac"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, please consult the AWS Security Hub CIS 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation"}},"SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10","RecordState":"ACTIVE","Title":"3.10 Ensure a log metric filter and alarm exist for security group changes","Workflow":{"Status":"NEW"},"Severity":{"Normalized":30,"Label":"LOW","Product":30,"Original":"LOW"},"UpdatedAt":"2021-07-04T11:07:34.928Z","WorkflowState":"NEW","AwsAccountId":"<AWSアカウントID>","Region":"us-east-1","Id":"arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/cba3d059-9c51-41be-972b-796e9b3b90ac","Resources":[{"Partition":"aws","Type":"AwsAccount","Region":"us-east-1","Id":"AWS::::Account:<AWSアカウントID>"}]}]}} {"version":"0","id":"6f1a91d7-39d3-d418-a4b1-a7a9e773292b","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"<AWSアカウントID>","time":"2021-07-04T11:07:42Z","region":"us-east-1","resources":["arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/bab84034-12f9-4e45-85ba-4f9cd98073ef"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],"Description":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Deploying SIEM on Amazon ES into the VPC
AWS CDK configuration
Deployment
Up to a point the steps are the same as in the article below: follow "Preparing for deployment" and steps 1 (Clone the source code) through 4 (Set up AWS CDK) of "Deployment" in its "Deploying SIEM on Amazon ES" chapter.
Deploying SIEM on Amazon ES with public access (inside an Amazon VPC)
Deploy SIEM on Amazon ES with the following commands.
# Create cdk.json for deploying SIEM on Amazon ES (copy of the VPC sample)
> cp -a cdk.json.vpc.sample cdk.json

# Enter the IDs of the existing VPC and subnets in cdk.json
# Changes:
# - vpc_type: set to "import" because we deploy into an existing VPC
# - imported_vpc_id: the ID of the target VPC
# - imported_vpc_subnets: three or more subnet IDs in the target VPC
> vi cdk.json

# Check the diff between the sample and the edited file
> diff -u cdk.json.vpc.sample cdk.json                                   日 7/ 4 20:57:44 2021
--- cdk.json.vpc.sample	2021-07-04 20:08:42.000000000 +0900
+++ cdk.json	2021-07-04 20:56:50.000000000 +0900
@@ -4,14 +4,14 @@
     "versionReporting": false,
     "aws-cdk:enableDiffNoFail": "true",
     "vpc_type_comment": "vpc_type is new or import",
-    "vpc_type": "new",
-    "imported_vpc_id": "vpc-abcd1234",
-    "imported_vpc_subnets": ["", "", ""],
+    "vpc_type": "import",
+    "imported_vpc_id": "vpc-0143ddee55c093e56",
+    "imported_vpc_subnets": ["subnet-006e39c066567245c", "subnet-02eb3117da3292a14", "subnet-08b7784ff187f0608"],
     "imported_vpc_subnets_sample": ["subnet-example1111111111", "subnet-example2222222222", "subnet-example3333333333"],
     "new_vpc_nw_cidr_block": "172.30.0.0/24",
     "new_vpc_subnet_cidr_mask": "26",
     "aes_domain_name": "aes-siem",
-    "s3_bucket_name":{
+    "s3_bucket_name": {
       "log": "",
       "snapshot": "",
       "geo": ""
@@ -38,4 +38,4 @@
     "additional_kms_cmks": [],
     "additional_kms_cmks_sample": ["arn:aws:kms:ap-northeast-1:123456789012:key/abcd12345678-1234", "this-must-be-arn"]
   }
-}
+}
\ No newline at end of file

# AllowedSourceIpAddresses: IP addresses allowed to access SIEM on Amazon ES once deployed (space-separated for multiple addresses)
# GeoLite2LicenseKey: MaxMind license key, used to add country information to IP addresses
> npx cdk deploy \                                                       日 7/ 4 20:58:53 2021
    --parameters AllowedSourceIpAddresses="10.0.0.0/16" \
    --parameters GeoLite2LicenseKey=<事前に取得したGeoLite2のライセンスキー>
MFA token for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>: 639956
2.3.2
cdk.json validation for vpc configuration is starting...
vpc_type: import
checking vpc...
Enter MFA code for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>:
checking vpc id...: vpc-0143ddee55c093e56
checking dns support...: True
checking dns hostname...: True
checking vpc is... [PASS]
checking subnet...
subnet-006e39c066567245c is private
subnet-02eb3117da3292a14 is private
subnet-08b7784ff187f0608 is private
checking subnet is... [PASS]
IGNORE Following Warning. "No routeTableId was provided to the subnet..."
Using default bucket names
Using default bucket names
Using default bucket names
[Warning at /aes-siem/Subenet1] No routeTableId was provided to the subnet 'subnet-006e39c066567245c'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
[Warning at /aes-siem/Subenet2] No routeTableId was provided to the subnet 'subnet-02eb3117da3292a14'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
[Warning at /aes-siem/Subenet3] No routeTableId was provided to the subnet 'subnet-08b7784ff187f0608'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
.
.
(omitted)
.
.
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
aes-siem: deploying...
[0%] start: Publishing 964423b5a8fd7c9b58c82439bdc07be7fab893f23a10292768a5a02f2e6bcb04:current
[25%] success: Published 964423b5a8fd7c9b58c82439bdc07be7fab893f23a10292768a5a02f2e6bcb04:current
[25%] start: Publishing bab31c9fa40d0b7c60eaded745ca336ec7cfbf59598c6b4997d366d27015d3f0:current
[50%] success: Published bab31c9fa40d0b7c60eaded745ca336ec7cfbf59598c6b4997d366d27015d3f0:current
[50%] start: Publishing 6fc2d9a1d0110a94dfcc1d1c6e7c456ccd73ec40199b8d76842d753bff556580:current
[75%] success: Published 6fc2d9a1d0110a94dfcc1d1c6e7c456ccd73ec40199b8d76842d753bff556580:current
[75%] start: Publishing efa2026068032a616c836413a8a6939c98975ee8bacaa6083d37f1dc69938a63:current
[100%] success: Published efa2026068032a616c836413a8a6939c98975ee8bacaa6083d37f1dc69938a63:current
aes-siem: creating CloudFormation changeset...

 ✅  aes-siem

Outputs:
aes-siem.KibanaAdmin = aesadmin
aes-siem.KibanaPassword = koq5Jv%2
aes-siem.KibanaUrl = https://vpc-aes-siem-xxxxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/
aes-siem.RoleDeploy = arn:aws:iam::<AWSアカウントID>:role/aes-siem-deploy-role-for-lambda

Stack ARN:
arn:aws:cloudformation:us-east-1:<AWSアカウントID>:stack/aes-siem/b5f30900-dcbf-11eb-b078-0a392ab5a299
Deployment completes in about 20 to 30 minutes, and the Kibana URL, user ID and password are issued.
Once the deployment is complete, check the Amazon ES console. You can confirm that the domain has been created, as shown below.
Same-Region Replication (SRR) pattern
Creating the replication rule
Let's start with the Same-Region Replication (SRR) pattern.
Select the existing log collection S3 bucket and click "Create replication rule" on the "Management" tab.
Enter the replication rule name and select the source bucket scope and the destination bucket.
Specify the IAM role required for replication and configure encryption.
Because we want logs to be replicated as soon as possible after they land in the existing log collection bucket, enable Replication Time Control (RTC) and click "Save".
When the replication rule is created successfully, the screen looks like this.
After a short wait, log files start to be synchronized as shown below.
One caveat of Same-Region Replication, as described in the article below, is that objects that existed before the replication configuration was created are not replicated.
Basically, the same restrictions as CRR apply:
- Objects that existed before the replication configuration was created are not replicated
- Existing objects must be copied with the AWS CLI or similar
- Versioning must be enabled on both buckets
- Objects are not replicated if the bucket owner does not have permission for them
- Objects stored in the GLACIER or DEEP_ARCHIVE storage classes are not replicated
- Chained (multi-hop) replication is not possible
- Actions performed by lifecycle configuration are not replicated
- Updates to bucket-level subresources are not replicated
- For example, if you change the lifecycle configuration or add a notification configuration to the source bucket, those changes are not applied to the destination bucket
So the existing log files have to be replicated yourself, with the AWS CLI or similar.
This time I replicated them with the aws s3 sync command, as shown below.
aws s3 sync s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/ s3://aes-siem-<AWSアカウントID>-log/
.
.
(omitted)
.
.
copy: s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/10/firehose-securityhub-LogResorceStack-1-2021-07-04-10-34-38-03a9a4fb-abfa-4030-a7d9-557a9301e9dd.gz to s3://aes-siem-<AWSアカウントID>-log/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/10/firehose-securityhub-LogResorceStack-1-2021-07-04-10-34-38-03a9a4fb-abfa-4030-a7d9-557a9301e9dd.gz
copy: s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/EC2/Linux/us-east-1/2021/07/04/12/firehose-linux-os-LogResorceStack-1-2021-07-04-12-40-43-babcc148-cfcf-4f8d-83ce-16e5f3a1d8b6 to s3://aes-siem-<AWSアカウントID>-log/AWSLogs/<AWSアカウントID>/EC2/Linux/us-east-1/2021/07/04/12/firehose-linux-os-LogResorceStack-1-2021-07-04-12-40-43-babcc148-cfcf-4f8d-83ce-16e5f3a1d8b6
copy: s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/11/firehose-securityhub-LogResorceStack-1-2021-07-04-11-07-33-0f6cc758-83aa-4a37-8c1c-14b470545645.gz to s3://aes-siem-<AWSアカウントID>-log/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/11/firehose-securityhub-LogResorceStack-1-2021-07-04-11-07-33-0f6cc758-83aa-4a37-8c1c-14b470545645.gz
copy: s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/10/firehose-securityhub-LogResorceStack-1-2021-07-04-10-55-05-9f61dd14-189d-4ef2-a83b-b77b8cc7202c.gz to s3://aes-siem-<AWSアカウントID>-log/AWSLogs/<AWSアカウントID>/SecurityHub/us-east-1/2021/07/04/10/firehose-securityhub-LogResorceStack-1-2021-07-04-10-55-05-9f61dd14-189d-4ef2-a83b-b77b8cc7202c.gz
copy: s3://logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/EC2/Linux/us-east-1/2021/07/04/11/firehose-linux-os-LogResorceStack-1-2021-07-04-11-31-50-2d9e9760-4ad9-4d25-b98e-40187cafe37a to s3://aes-siem-<AWSアカウントID>-log/AWSLogs/<AWSアカウントID>/EC2/Linux/us-east-1/2021/07/04/11/firehose-linux-os-LogResorceStack-1-2021-07-04-11-31-50-2d9e9760-4ad9-4d25-b98e-40187cafe37a
Afterwards, the Security Hub and CloudTrail-Digest logs had also been replicated, as shown below.
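The aws s3 sync above copies everything, including objects SRR is already replicating. The following is an added example (not code from the post or from SIEM on Amazon ES) that applies the SRR caveats listed above to decide which objects actually need the manual backfill: it checks that both buckets have versioning enabled, then splits an object listing into objects written after the rule was created (SRR handles them), pre-existing objects (copy them yourself), GLACIER/DEEP_ARCHIVE objects (SRR never copies them) and objects outside the rule's prefix scope. The rule creation time, account ID and object listing are constructed; in real use the listing would come from list_objects_v2 on the existing bucket.

```python
"""Plan the manual backfill that S3 Same-Region Replication (SRR) does not do.

Added example, not part of the original post or of SIEM on Amazon ES.
The rule creation time, the account ID and the object listing are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List

# Storage classes that SRR skips entirely (one of the caveats listed in the post).
NON_REPLICATED_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}


@dataclass(frozen=True)
class S3Object:
    key: str
    last_modified: datetime
    storage_class: str = "STANDARD"


@dataclass
class BackfillPlan:
    replicated_by_srr: List[str] = field(default_factory=list)  # written after the rule: SRR (with RTC) copies them
    needs_manual_copy: List[str] = field(default_factory=list)  # existed before the rule: copy them yourself
    cannot_replicate: List[str] = field(default_factory=list)   # GLACIER / DEEP_ARCHIVE: SRR never copies them
    out_of_scope: List[str] = field(default_factory=list)       # outside the prefix chosen as the rule's scope


def check_versioning(src_status: str, dst_status: str) -> List[str]:
    """SRR requires versioning to be 'Enabled' on both buckets; return what is wrong."""
    problems = []
    for name, status in (("source", src_status), ("destination", dst_status)):
        if status != "Enabled":
            problems.append(f"{name} bucket versioning is {status!r}, must be 'Enabled'")
    return problems


def plan_backfill(objects: Iterable[S3Object], rule_created_at: datetime,
                  rule_prefix: str = "") -> BackfillPlan:
    """Classify each object by whether SRR will copy it or we have to."""
    plan = BackfillPlan()
    for obj in objects:
        if not obj.key.startswith(rule_prefix):
            plan.out_of_scope.append(obj.key)
        elif obj.storage_class in NON_REPLICATED_CLASSES:
            plan.cannot_replicate.append(obj.key)
        elif obj.last_modified < rule_created_at:
            plan.needs_manual_copy.append(obj.key)
        else:
            plan.replicated_by_srr.append(obj.key)
    return plan


def copy_commands(plan: BackfillPlan, src_bucket: str, dst_bucket: str) -> List[str]:
    """AWS CLI commands for only the keys SRR will not backfill, keeping the same
    key layout on both sides, as the post's aws s3 sync does."""
    return [f"aws s3 cp s3://{src_bucket}/{key} s3://{dst_bucket}/{key}"
            for key in plan.needs_manual_copy]


# Constructed sample: a placeholder account ID and a rule created at 12:00 UTC on 2021-07-04.
ACCOUNT = "123456789012"
RULE_CREATED_AT = datetime(2021, 7, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    S3Object(f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2021/07/03/trail-a.json.gz",
             datetime(2021, 7, 3, 9, 15, tzinfo=timezone.utc)),
    S3Object(f"AWSLogs/{ACCOUNT}/SecurityHub/us-east-1/2021/07/04/10/findings-b.gz",
             datetime(2021, 7, 4, 10, 34, tzinfo=timezone.utc)),
    S3Object(f"AWSLogs/{ACCOUNT}/EC2/Linux/us-east-1/2021/07/04/12/messages-c",
             datetime(2021, 7, 4, 12, 40, tzinfo=timezone.utc)),
    S3Object(f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2021/01/01/trail-old.json.gz",
             datetime(2021, 1, 1, 0, 5, tzinfo=timezone.utc), storage_class="GLACIER"),
    S3Object("tmp/scratch.log", datetime(2021, 7, 1, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(check_versioning("Enabled", "Suspended"))
    plan = plan_backfill(SAMPLE_OBJECTS, RULE_CREATED_AT, rule_prefix="AWSLogs/")
    for cmd in copy_commands(plan, "existing-log-bucket", "aes-siem-log-bucket"):
        print(cmd)
    print("not replicable by SRR:", plan.cannot_replicate)
```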
Checking the logs in Kibana
Now that the log files are replicated into the SIEM on Amazon ES S3 bucket, let's check in Kibana that they are being loaded correctly.
First, since SIEM on Amazon ES was deployed inside the VPC this time, set up port forwarding so it can be reached from outside.
For port forwarding, use an EC2 instance deployed in the public subnet with the following command.
ssh -i "<キーペア名>.pem" [email protected] -N -L 10443:vpc-aes-siem-xxxxxx.us-east-1.es.amazonaws.com:443
With port forwarding in place, open https://localhost:10443/_plugin/kibana/.
The browser shows "Not secure", but the Kibana login screen appears. Enter the credentials and click "Log In".
For Kibana's initial setup, follow "Kibana settings" in the "Visualizing logs" chapter of the article below.
After the initial setup, click "Discover" in the drawer menu to list the loaded logs.
Let's also display the list of Security Hub logs.
And the list of Amazon Linux 2 /var/log/messages logs.
All of them appear to be loaded correctly.
Deleting the replication rule
Since it would affect the next test, delete the replication rule that was created.
On the "Management" tab of the existing log collection bucket, select the replication rule and click "Delete".
A confirmation window appears; click "Delete replication rule".
The replication rule has been deleted.
AWS DataSync pattern
Deleting the old log files
As preparation, delete the log files in the SIEM on Amazon ES S3 bucket.
Select AWSLogs/ and click "Delete".
A confirmation screen appears; enter "削除" (delete) in the text field and click "Delete objects".
All log files have been deleted.
Deleting the indices
Next, delete the indices of the logs that Amazon ES has already loaded.
Click "Dev tools" in Kibana's drawer menu, enter DELETE /log-* in the Console and click ▶︎.
Click "Discover" in the drawer menu again to list the loaded logs.
"No results match your search criteria" is shown, confirming the indices have been deleted.
Creating the task
Now create the DataSync task.
Go to the DataSync console and click "Create task" under "Tasks" in the left menu.
Configure the source S3 bucket. Enter the details and click "Next".
Next, configure the destination S3 bucket. Enter the details and click "Next".
Then configure the task itself: the schedule, filtering rules and so on. Enter the details and click "Next".
Finally, review the settings. If everything looks right, click "Create task".
I scheduled it to run at minute 0 of every hour, so shortly after 23:00 the task ran.
When the task finishes, its status becomes "Success", as shown below.
Checking the SIEM on Amazon ES S3 bucket shows that the logs have been replicated.
Checking the logs in Kibana
With port forwarding in place, open https://localhost:10443/_plugin/kibana/.
Let's also display the list of Amazon Linux 2 /var/log/messages logs.
All of them appear to be loaded correctly.
With that confirmed, delete the DataSync task as cleanup.
Pattern: importing the existing S3 bucket into SIEM on Amazon ES
Deleting SIEM on Amazon ES
Looking at the official documentation again, importing an existing S3 bucket can only be configured at the initial installation of SIEM on Amazon ES.
Import an S3 bucket you already have into the SIEM on Amazon ES CloudFormation stack and manage it with AWS CDK. The S3 bucket policy is added to or modified for log ingestion. Note that the S3 bucket policy and other bucket settings will be overwritten. This can only be configured during the initial installation of SIEM on Amazon ES. If you want to send logs from an existing S3 bucket to SIEM on Amazon ES while continuing to manage the bucket policy and other settings yourself, skip this step.
Therefore, delete the already deployed SIEM on Amazon ES and deploy it again.
To delete it, run cdk destroy and then manually delete the resources listed under "Clean up" in the official documentation.
> npx cdk destroy                                               122ms  日 7/ 4 21:39:50 2021
MFA token for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>: 554542
2.3.2
cdk.json validation for vpc configuration is starting...
vpc_type: import
checking vpc...
Enter MFA code for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>:
checking vpc id...: vpc-0143ddee55c093e56
checking dns support...: True
checking dns hostname...: True
checking vpc is... [PASS]
checking subnet...
subnet-006e39c066567245c is private
subnet-02eb3117da3292a14 is private
subnet-08b7784ff187f0608 is private
checking subnet is... [PASS]
IGNORE Following Warning. "No routeTableId was provided to the subnet..."
Using default bucket names
Using default bucket names
Using default bucket names
Are you sure you want to delete: aes-siem (y/n)? y
aes-siem: destroying...

 ✅  aes-siem: destroyed
The following resources are not deleted by cdk destroy, so delete them manually.
- Amazon ES domain: aes-siem
- Amazon S3 bucket: aes-siem-[AWS_Account]-log
- Amazon S3 bucket: aes-siem-[AWS_Account]-snapshot
- Amazon S3 bucket: aes-siem-[AWS_Account]-geo
- AWS KMS customer managed key: aes-siem-key
- Security group: aes-siem-vpc-sg
Reference: SIEM on Amazon Elasticsearch Service - Clean up
Importing the existing log collection S3 bucket
The flow for importing an S3 bucket is as follows.
- Check the name of the S3 bucket you want to import into the CloudFormation stack
- Either git clone the full source code from GitHub, or download the CloudFormation template for import from GitHub (here)
- Edit deployment/siem-on-amazon-elasticsearch-import-exist-s3bucket.template from the cloned or downloaded files: change [change-me-to-your-bucket] in BucketName to the name of the S3 bucket to import
- In the AWS Management Console, go to CloudFormation
- From the [Stacks] menu, choose [Create stack] in the top-right drop-down, then [With existing resources (import resources)]
- Choose [Next], and on the [Specify template] screen upload the edited siem-on-amazon-elasticsearch-import-exist-s3bucket.template, then choose [Next]
- On the [Identify resources] screen, enter the [name of the S3 bucket to import] as the [Identifier value] and choose [Next]
- On the [Specify stack details] screen, enter [aes-siem] as the stack name and choose [Next]
- On the [Import overview] screen, choose [Import resources] to finish
- In the next section, [Deploy with AWS CDK], edit cdk.json in [5-3. Other common settings]: set the name of the S3 bucket imported into the stack in s3_bucket_name.log
Let's try it.
In CloudFormation, click "With existing resources (import resources)".
Review what is needed to import existing resources.
Upload deployment/siem-on-amazon-elasticsearch-import-exist-s3bucket.template with [change-me-to-your-bucket] in BucketName changed to the name of the S3 bucket to import, and click "Next".
Enter the name of the S3 bucket to import as the identifier value and click "Next".
Enter aes-siem as the stack name and click "Next".
Finally, review what will be imported.
An error is shown, apparently because the S3 bucket being imported is managed by another stack. I removed the S3 bucket-related resources from the AWS CDK app that had deployed that bucket, redeployed it, and checked again.
After confirming that the error is gone, click "Import resources".
After a while, the status became IMPORT_COMPLETE.
Specify the name of the S3 bucket to import in cdk.json and deploy SIEM on Amazon ES into the VPC.
> cp -a cdk.json cdk.json.(date +"%Y%m%d")

# Specify the name of the S3 bucket to import
> vi cdk.json

# Check the diff
> diff -u cdk.json.(date +"%Y%m%d") cdk.json
--- cdk.json.20210705	2021-07-04 20:59:15.000000000 +0900
+++ cdk.json	2021-07-05 12:19:55.000000000 +0900
@@ -12,7 +12,7 @@
     "new_vpc_subnet_cidr_mask": "26",
     "aes_domain_name": "aes-siem",
     "s3_bucket_name": {
-      "log": "",
+      "log": "logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y",
       "snapshot": "",
       "geo": ""
     },

# Deploy SIEM on Amazon ES into the VPC
> npx cdk deploy \
    --parameters AllowedSourceIpAddresses="10.0.0.0/16" \
    --parameters GeoLite2LicenseKey=<事前に取得したGeoLite2のライセンスキー>
MFA token for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>: 829124
2.3.2
cdk.json validation for vpc configuration is starting...
vpc_type: import
checking vpc...
Enter MFA code for arn:aws:iam::<AWSアカウントID>:mfa/<IAMロール名>:
checking vpc id...: vpc-0143ddee55c093e56
checking dns support...: True
checking dns hostname...: True
checking vpc is... [PASS]
checking subnet...
subnet-006e39c066567245c is private
subnet-02eb3117da3292a14 is private
subnet-08b7784ff187f0608 is private
checking subnet is... [PASS]
IGNORE Following Warning. "No routeTableId was provided to the subnet..."
Using default bucket names
Using default bucket names
[Warning at /aes-siem/Subenet1] No routeTableId was provided to the subnet 'subnet-006e39c066567245c'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
[Warning at /aes-siem/Subenet2] No routeTableId was provided to the subnet 'subnet-02eb3117da3292a14'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
[Warning at /aes-siem/Subenet3] No routeTableId was provided to the subnet 'subnet-08b7784ff187f0608'. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
Resource | Effect | Action | Principal | Condition
+ ${AesSiemDeployRoleForLambda.Arn} | Allow | sts:AssumeRole | Service:lambda.amazonaws.com |
+ ${AesSiemDlq.Arn} | Allow | sqs:DeleteMessage*, sqs:GetQueue*, sqs:ListQueues*, sqs:ReceiveMessage* | AWS:${AesSiemEsLoaderEC2Role} |
+ ${AesSiemDlq.Arn} | Allow | sqs:SendMessage | AWS:${LambdaEsLoader/ServiceRole} |
+ ${AesSiemDlq.Arn} | Allow | sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:ReceiveMessage, sqs:SendMessage | AWS:${LambdaEsLoader/ServiceRole} |
+ ${AesSiemEsLoaderEC2Role.Arn} | Allow | sts:AssumeRole | Service:ec2.amazonaws.com |
+ ${AesSiemSnapshotRole.Arn} | Allow | sts:AssumeRole | Service:es.amazonaws.com |
+ ${AesSiemSnapshotRole.Arn} | Allow | iam:PassRole | AWS:${AesSiemDeployRoleForLambda} |
+ ${AesSiemSnsRole.Arn} | Allow | sts:AssumeRole | Service:es.amazonaws.com |
+ ${AesSiemSqsSplitLogs.Arn} | Allow | sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:ReceiveMessage, sqs:SendMessage | AWS:${LambdaEsLoader/ServiceRole} |
+ ${AesSiemSqsSplitLogs.Arn} | Allow | sqs:ChangeMessageVisibility, sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ReceiveMessage | AWS:${LambdaEsLoader/ServiceRole} |
+ ${BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role.Arn} | Allow | sts:AssumeRole | Service:lambda.amazonaws.com |
+ ${KmsAesSiemLog.Arn} | Allow | kms:CancelKeyDeletion, kms:Create*, kms:Delete*, kms:Describe*, kms:Disable*, kms:Enable*, kms:GenerateDataKey, kms:Get*, kms:List*, kms:Put*, kms:Revoke*, kms:ScheduleKeyDeletion, kms:TagResource, kms:UntagResource, kms:Update* | AWS:arn:${AWS::Partition}:iam::984900217833:root |
+ ${KmsAesSiemLog.Arn} | Allow | kms:GenerateDataKey | Service:guardduty.amazonaws.com |
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:GenerateDataKey*, kms:ReEncrypt* | Service:delivery.logs.amazonaws.com |
+ ${KmsAesSiemLog.Arn} | Allow | kms:DescribeKey, kms:ReEncryptFrom | AWS:arn:${AWS::Partition}:iam::${AWS::AccountId}:root |
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:GenerateDataKey*, kms:ReEncrypt* | AWS:arn:${AWS::Partition}:iam::${AWS::AccountId}:root | "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" }
+ ${KmsAesSiemLog.Arn} | Allow | kms:DescribeKey | Service:cloudtrail.amazonaws.com |
+ ${KmsAesSiemLog.Arn} | Allow | kms:GenerateDataKey* | Service:cloudtrail.amazonaws.com | "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": [ "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*" ] }
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt | AWS:${LambdaEsLoader/ServiceRole.Arn} |
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt | AWS:${AesSiemEsLoaderEC2Role.Arn} |
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt | AWS:${AesSiemEsLoaderEC2Role} |
+ ${KmsAesSiemLog.Arn} | Allow | kms:Decrypt | AWS:${LambdaEsLoader/ServiceRole} |
+ ${LambdaEsLoader.Arn} | Allow | lambda:InvokeFunction | Service:s3.amazonaws.com | "ArnLike": { "AWS:SourceArn": "${S3BucketForLog.Arn}" }, "StringEquals": { "AWS:SourceAccount": "<AWSアカウントID>" }
+ ${LambdaEsLoader/ServiceRole.Arn} | Allow | sts:AssumeRole | Service:lambda.amazonaws.com |
+ ${LambdaGeoipDownloader.Arn} | Allow | lambda:InvokeFunction | Service:events.amazonaws.com | "ArnLike": { "AWS:SourceArn": "${CwlRuleLambdaGeoipDownloaderDilly.Arn}" }
+ ${LambdaGeoipDownloader/ServiceRole.Arn} | Allow | sts:AssumeRole | Service:lambda.amazonaws.com |
+ ${S3BucketForGeoip.Arn}, ${S3BucketForGeoip.Arn}/* | Allow | s3:GetBucket*, s3:GetObject*, s3:List* | AWS:${AesSiemEsLoaderEC2Role} |
+ ${S3BucketForGeoip.Arn}, ${S3BucketForGeoip.Arn}/* | Allow | s3:GetBucket*, s3:GetObject*, s3:List* | AWS:${LambdaEsLoader/ServiceRole} |
+ ${S3BucketForGeoip.Arn}, ${S3BucketForGeoip.Arn}/* | Allow | s3:Abort*, s3:DeleteObject*, s3:GetBucket*, s3:GetObject*, s3:List*, s3:PutObject* | AWS:${LambdaGeoipDownloader/ServiceRole} |
+ ${S3BucketForGeoip.Arn}/* | Allow | s3:DeleteObject, s3:GetObject, s3:PutObject | AWS:${LambdaEsLoader/ServiceRole.Arn}, AWS:${LambdaGeoipDownloader/ServiceRole.Arn} |
+ ${S3BucketForLog.Arn} | Allow | s3:GetBucketAcl, s3:ListBucket | Service:delivery.logs.amazonaws.com |
+ ${S3BucketForLog.Arn} | Allow | s3:GetBucketAcl | Service:cloudtrail.amazonaws.com |
+ ${S3BucketForLog.Arn} | Allow | s3:GetBucketLocation | Service:guardduty.amazonaws.com |
+ ${S3BucketForLog.Arn} | Allow | s3:GetBucketAcl, s3:ListBucket | Service:config.amazonaws.com |
+ ${S3BucketForLog.Arn}, ${S3BucketForLog.Arn}/* | Allow | s3:GetBucket*, s3:GetObject*, s3:List* | AWS:${AesSiemEsLoaderEC2Role} |
+ ${S3BucketForLog.Arn}, ${S3BucketForLog.Arn}/* | Allow | s3:GetBucket*, s3:GetObject*, s3:List* | AWS:${LambdaEsLoader/ServiceRole} |
+ ${S3BucketForLog.Arn}/* | Allow | s3:PutObject | Service:guardduty.amazonaws.com |
+ ${S3BucketForLog.Arn}/* | Deny | s3:* | * | "Bool": { "aws:SecureTransport": "false" }
+ ${S3BucketForLog.Arn}/AWSLogs/${AWS::AccountId}/* | Allow | s3:PutObject | AWS:arn:${AWS::Partition}:iam::{"Fn::F
indInMap":["ELBv2AccountMap","${AWS::R │ │ │ │ │ │ │ egion}","accountid"]}:root │ │ │ + │ ${S3BucketForLog.Arn}/AWSLogs/${AWS::A │ Allow │ s3:PutObject │ Service:delivery.logs.amazonaws.com │ "StringEquals": { │ │ │ ccountId}/* │ │ │ │ "s3:x-amz-acl": "bucket-owner-full-cont │ │ │ │ │ │ │ rol" │ │ │ │ │ │ │ } │ │ + │ ${S3BucketForLog.Arn}/AWSLogs/${AWS::A │ Allow │ s3:PutObject │ Service:cloudtrail.amazonaws.com │ "StringEquals": { │ │ │ ccountId}/* │ │ │ │ "s3:x-amz-acl": "bucket-owner-full-cont │ │ │ │ │ │ │ rol" │ │ │ │ │ │ │ } │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ ${S3BucketForLog.Arn}/AWSLogs/${AWS::A │ Allow │ s3:PutObject │ Service:config.amazonaws.com │ "StringEquals": { │ │ │ ccountId}/Config/* │ │ │ │ "s3:x-amz-acl": "bucket-owner-full-cont │ │ │ │ │ │ │ rol" │ │ │ │ │ │ │ } │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ ${S3BucketForSnapshot.Arn} │ Allow │ s3:ListBucket │ AWS:${AesSiemSnapshotRole} │ │ │ + │ ${S3BucketForSnapshot.Arn} │ Allow │ s3:ListBucket │ AWS:${AesSiemDeployRoleForLambda} │ │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ ${S3BucketForSnapshot.Arn}/* │ Allow │ s3:DeleteObject │ AWS:${AesSiemSnapshotRole} │ │ │ │ │ │ s3:GetObject │ │ │ │ │ │ │ s3:PutObject │ │ │ │ + │ ${S3BucketForSnapshot.Arn}/* │ Allow │ s3:DeleteObject │ AWS:${AesSiemDeployRoleForLambda} │ │ │ │ │ │ s3:GetObject │ │ │ │ │ │ │ s3:PutObject │ │ │ │ + │ ${S3BucketForSnapshot.Arn}/* │ Allow │ s3:DeleteObject │ AWS:${AesSiemSnapshotRole.Arn} │ │ │ │ │ │ s3:GetObject │ │ │ │ │ │ │ s3:PutObject │ │ │ 
├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ ${SnsTopic} │ Allow │ sns:Publish │ AWS:${AesSiemSnsRole} │ │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ * │ Allow │ events:DeleteRule │ AWS:${AesSiemDeployRoleForLambda} │ │ │ │ │ │ events:ListRules │ │ │ │ │ │ │ events:PutRule │ │ │ │ │ │ │ events:PutTargets │ │ │ │ │ │ │ events:RemoveTargets │ │ │ │ │ │ │ lambda:AddPermission │ │ │ │ │ │ │ lambda:RemovePermission │ │ │ │ + │ * │ Allow │ s3:PutBucketNotification │ AWS:${BucketNotificationsHandler050a05 │ │ │ │ │ │ │ 87b7544547bf325f094a3db834/Role} │ │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ arn:aws:es:${AWS::Region}:${AWS::Accou │ Allow │ es:* │ AWS:${LambdaEsLoader/ServiceRole} │ │ │ │ ntId}:domain/aes-siem/* │ │ │ │ │ │ + │ arn:aws:es:${AWS::Region}:${AWS::Accou │ Allow │ es:* │ AWS:${AesSiemEsLoaderEC2Role} │ │ │ │ ntId}:domain/aes-siem/* │ │ │ │ │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ arn:aws:logs:${AWS::Region}:${AWS::Acc │ Allow │ logs:DescribeLogGroups │ AWS:${AesSiemDeployRoleForLambda} │ │ │ │ ountId}:* │ │ logs:DescribeLogStreams │ │ │ │ │ │ │ logs:PutResourcePolicy │ │ │ ├───┼────────────────────────────────────────┼────────┼────────────────────────────────────────┼────────────────────────────────────────┼───────────────────────────────────────────┤ │ + │ arn:aws:logs:${AWS::Region}:${AWS::Acc │ Allow │ logs:CreateLogGroup │ AWS:${AesSiemDeployRoleForLambda} │ │ │ │ 
ountId}:log-group:/aws/aes/domains/aes │ │ logs:CreateLogStream │ │ │ │ │ -siem/* │ │ logs:PutLogEvents │ │ │ │ │ arn:aws:logs:${AWS::Region}:${AWS::Acc │ │ logs:PutRetentionPolicy │ │ │ │ │ ountId}:log-group:/aws/lambda/aes-siem │ │ │ │ │ │ │ -* │ │ │ │ │ └───┴────────────────────────────────────────┴────────┴────────────────────────────────────────┴────────────────────────────────────────┴───────────────────────────────────────────┘ IAM Policy Changes ┌───┬────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐ │ │ Resource │ Managed Policy ARN │ ├───┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${AesSiemDeployRoleForLambda} │ arn:${AWS::Partition}:iam::aws:policy/AmazonESFullAccess │ │ + │ ${AesSiemDeployRoleForLambda} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │ │ + │ ${AesSiemDeployRoleForLambda} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole │ ├───┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │ ├───┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${LambdaEsLoader/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │ │ + │ ${LambdaEsLoader/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole │ 
├───┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${LambdaGeoipDownloader/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │ └───┴────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘ Security Group Changes ┌───┬─────────────────────────────────────────────┬─────┬────────────┬─────────────────┐ │ │ Group │ Dir │ Protocol │ Peer │ ├───┼─────────────────────────────────────────────┼─────┼────────────┼─────────────────┤ │ + │ ${AesSiemVpcNoinboundSecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │ ├───┼─────────────────────────────────────────────┼─────┼────────────┼─────────────────┤ │ + │ ${AesSiemVpcSecurityGroup.GroupId} │ In │ TCP 443 │ 10.0.0.0/16 │ │ + │ ${AesSiemVpcSecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │ └───┴─────────────────────────────────────────────┴─────┴────────────┴─────────────────┘ (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299) Do you wish to deploy these changes (y/n)? y aes-siem: deploying... 
[0%] start: Publishing 964423b5a8fd7c9b58c82439bdc07be7fab893f23a10292768a5a02f2e6bcb04:current
[25%] success: Published 964423b5a8fd7c9b58c82439bdc07be7fab893f23a10292768a5a02f2e6bcb04:current
[25%] start: Publishing bab31c9fa40d0b7c60eaded745ca336ec7cfbf59598c6b4997d366d27015d3f0:current
[50%] success: Published bab31c9fa40d0b7c60eaded745ca336ec7cfbf59598c6b4997d366d27015d3f0:current
[50%] start: Publishing 571aee6a1eddb073c2ad27504c96d3364e6a02a404a8546f527aa22447b24104:current
[75%] success: Published 571aee6a1eddb073c2ad27504c96d3364e6a02a404a8546f527aa22447b24104:current
[75%] start: Publishing 87d36af3545f90ddce1792a35f3153f4869f2c9873b32f1a86a65f59bec20ea5:current
[100%] success: Published 87d36af3545f90ddce1792a35f3153f4869f2c9873b32f1a86a65f59bec20ea5:current
aes-siem: creating CloudFormation changeset...

 ✅  aes-siem

Outputs:
aes-siem.KibanaAdmin = aesadmin
aes-siem.KibanaPassword = 0pW7Mt$d
aes-siem.KibanaUrl = https://vpc-aes-siem-xxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/
aes-siem.RoleDeploy = arn:aws:iam::<AWSアカウントID>:role/aes-siem-deploy-role-for-lambda

Stack ARN:
arn:aws:cloudformation:us-east-1:<AWSアカウントID>:stack/aes-siem/12209c50-dd3e-11eb-bcf5-0a99f4b9302b
The resources deployed without trouble. Next, let's check how the bucket policy of the imported S3 bucket has changed. Originally it contained only CloudTrail-related statements; after the import it has been changed to accept log delivery from the services that SIEM on Amazon ES supports, such as ELB and GuardDuty.
> diff -u before-s3bucket-policy.json after-s3bucket-policy.json 月 7/12 10:47:25 2021 --- before-s3bucket-policy.json 2021-07-12 10:47:10.000000000 +0900 +++ after-s3bucket-policy.json 2021-07-12 10:47:01.000000000 +0900 @@ -2,6 +2,42 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "ELB Policy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::127311923021:root" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/*" + }, + { + "Sid": "AWSLogDeliveryAclCheck For ALB NLB R53Resolver Flowlogs", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Action": [ + "s3:GetBucketAcl", + "s3:ListBucket" + ], + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y" + }, + { + "Sid": "AWSLogDeliveryWrite For ALB NLB R53Resolver Flowlogs", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + }, + { + "Sid": "AWSLogDeliveryAclCheck For Cloudtrail", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" @@ -10,6 +46,7 @@ "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y" }, { + "Sid": "AWSLogDeliveryWrite For CloudTrail", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" 
@@ -21,6 +58,62 @@ "s3:x-amz-acl": "bucket-owner-full-control" } } + }, + { + "Sid": "Allow GuardDuty to use the getBucketLocation operation", + "Effect": "Allow", + "Principal": { + "Service": "guardduty.amazonaws.com" + }, + "Action": "s3:GetBucketLocation", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y" + }, + { + "Sid": "Allow GuardDuty to upload objects to the bucket", + "Effect": "Allow", + "Principal": { + "Service": "guardduty.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/*" + }, + { + "Sid": "Deny non-HTTPS access", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:*", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + } + }, + { + "Sid": "AWSConfig BucketPermissionsCheck and BucketExistenceCheck", + "Effect": "Allow", + "Principal": { + "Service": "config.amazonaws.com" + }, + "Action": [ + "s3:GetBucketAcl", + "s3:ListBucket" + ], + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y" + }, + { + "Sid": "AWSConfigBucketDelivery", + "Effect": "Allow", + "Principal": { + "Service": "config.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/AWSLogs/<AWSアカウントID>/Config/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } } ] -} +}
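Review bot: in the first hunk (@@ -2,6 +2,42 @@), the two new `delivery.logs.amazonaws.com` statements ("AWSLogDeliveryAclCheck ..." and "AWSLogDeliveryWrite For ALB NLB R53Resolver Flowlogs") condition only on `"s3:x-amz-acl": "bucket-owner-full-control"`; there is no `aws:SourceAccount` (or `aws:SourceArn`) condition, so a log delivery configured in another account could be pointed at this bucket. Adding `"StringEquals": { "aws:SourceAccount": "<AWSアカウントID>" }` to both statements keeps the import working while closing that gap. The "ELB Policy" statement above them grants `s3:PutObject` to the hard-coded principal `arn:aws:iam::127311923021:root`, the regional ELB log-delivery account for us-east-1 (the region this stack was deployed to); that principal is region-specific, so it needs to be revisited if the bucket is ever reused from another region.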
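Review bot: a naming point on the only addition in the second hunk (@@ -10,6 +46,7 @@), `"Sid": "AWSLogDeliveryWrite For CloudTrail"`: its companion statement in the first hunk is named "AWSLogDeliveryAclCheck For Cloudtrail" (lower-case t). Sids are what later audits and diffs key on, so spell the service the same way in both.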
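Review bot: the "Deny non-HTTPS access" statement in the third hunk (@@ -21,6 +58,62 @@) names only `arn:aws:s3:::logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y/*` as its Resource, so the `aws:SecureTransport` check applies to object operations only; the bucket-level actions granted elsewhere in this policy (`s3:ListBucket`, `s3:GetBucketAcl`, `s3:GetBucketLocation`) remain allowed over plain HTTP. Add the bucket ARN itself (without `/*`) as a second element of that Resource. In the same hunk the GuardDuty `s3:PutObject` grant is on `/*`, i.e. the whole bucket, with no condition at all, while the Config and CloudTrail delivery statements at least require `bucket-owner-full-control`; scoping it to a prefix and adding `aws:SourceAccount` would bring it in line. Finally, the trailing `-}` / `+}` pair rewrites an unchanged closing brace, which points to a whitespace or end-of-file newline difference that is better kept out of a policy diff.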
Now let's log in to Kibana and check whether the logs have been loaded.
Even when I click Discover in the drawer menu and list the loaded logs, it shows "No results match your search criteria", which confirms that no logs have been loaded.
The cause is the execution timing of es-loader, the Lambda function that normalizes logs and loads them into Amazon ES.
es-loader runs when a log object is PUT into the S3 bucket.
Consequently, for past logs that were already stored in the S3 bucket, es-loader is never invoked and nothing is loaded into Amazon ES.
The workaround is to run es-loader in a local environment, which lets you ingest the past logs stored in the S3 bucket into SIEM on Amazon ES.
Ingesting past data stored in the S3 bucket
Preparing the environment
Follow this procedure in the official documentation to prepare the environment.
The first preparation item reads "1. Provision an EC2 instance running Amazon Linux 2 in a VPC that can communicate with Amazon ES", but this time I will use the EC2 instance for port forwarding that has already been deployed.
First, so that es-loader can be run locally, attach aes-siem-es-loader-for-ec2 to the IAM role of the port-forwarding EC2 instance.
Next, connect to the port-forwarding EC2 instance over SSH and run the following commands.
# Install the required modules
> sudo yum groups mark install -y "Development Tools"
> sudo yum install -y amazon-linux-extras
> sudo amazon-linux-extras enable python3.8
> sudo yum install -y python38 python38-devel git jq
> sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.8 1
> sudo update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.8 1
# Clone the code from the GitHub repository
> git clone https://github.com/aws-samples/siem-on-amazon-elasticsearch.git
Install the Python modules with the following commands.
# Set up the virtual environment
> cd siem-on-amazon-elasticsearch/source/lambda/es_loader/
> python3 -m venv .env
> source .env/bin/activate
# Install the Python modules
> pip3 install -r requirements.txt -U -t .
Next, go to the aes-siem-es-loader function in the AWS Management Console and note the names and values of the following two environment variables.
- ES_ENDPOINT
- GEOIP_BUCKET
Set the values you noted as environment variables on the EC2 instance.
> export ES_ENDPOINT=search-aes-siem-xxxxx.ap-northeast-1.es.amazonaws.com
> export GEOIP_BUCKET=aes-siem-<AWSアカウントID>-geo
Ingesting from the S3 bucket's object list
Move to the es-loader directory and create an object list (s3-list.txt) from the S3 bucket.
> cd
> cd siem-on-amazon-elasticsearch/source/lambda/es_loader/
> export AWS_ACCOUNT=<AWSアカウントID>
> export LOG_BUCKET=aes-siem-${AWS_ACCOUNT}-log
> aws s3 ls ${LOG_BUCKET} --recursive > s3-list.txt
Looking at the generated s3-list.txt, you can see that a list of objects has been created.
> head s3-list.txt
2021-07-04 10:23:41          0 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/
2021-07-04 10:32:10        395 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T102341Z.json.gz
2021-07-04 11:32:09        766 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T112341Z.json.gz
2021-07-04 12:32:09        766 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T122341Z.json.gz
2021-07-04 13:32:27        768 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T132341Z.json.gz
2021-07-04 14:32:09        765 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T142341Z.json.gz
2021-07-04 15:32:41        764 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T152341Z.json.gz
2021-07-04 16:32:26        767 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T162341Z.json.gz
2021-07-04 17:32:30        770 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T172341Z.json.gz
2021-07-04 18:32:10        767 AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T182341Z.json.gz
Feed the logs for the objects in the S3 list you created into es-loader.
# Feed every object in the target S3 bucket
> ./index.py -b ${LOG_BUCKET} -l s3-list.txt
{"level": "INFO", "message": "version: 2.3.2", "location": "<module>:23", "timestamp": "2021-07-05 05:48:16,172", "service": "service_undefined", "sampling_rate": 0.0}
{"level": "INFO", "message": "{'cloudtrail': {'userAgent': re.compile('.*AesSiemEsLoader.*')}, 's3accesslog': {'UserAgent': re.compile('.*AesSiemEsLoader.*')}}", "location": "merge_csv_into_log_patterns:419", "timestamp": "2021-07-05 05:48:16,340", "service": "service_undefined", "sampling_rate": 0.0}
{"level": "INFO", "message": "downloading GeoLite2-City.mmdb was success", "location": "_download_geoip_database:95", "timestamp": "2021-07-05 05:48:16,824", "service": "service_undefined", "sampling_rate": 0.0}
{"level": "INFO", "message": "downloading GeoLite2-ASN.mmdb was success", "location": "_download_geoip_database:95", "timestamp": "2021-07-05 05:48:17,058", "service": "service_undefined", "sampling_rate": 0.0}
{"level": "INFO", "message": {"directory": "/tmp", "files": "['.Test-unix', '.font-unix', '.X11-unix', '.XIM-unix', '.ICE-unix', 'motd.bHI3Q', 'motd.partAAQ6m', 'motd.B2j0i', 'motd.partiLXym', 'systemd-private-9b3b110ff21a46c7a566e3ea5041fde1-chronyd.service-TxwTfx', 'tmpv46bc_1w', 'GeoLite2-City.mmdb', 'GeoLite2-ASN.mmdb']"}, "location": "show_local_dir:451", "timestamp": "2021-07-05 05:48:17,060", "service": "service_undefined", "sampling_rate": 0.0}
{"level": "INFO", "message": {"directory": "/opt", "files": "['aws', 'rh']"}, "location": "show_local_dir:451", "timestamp": "2021-07-05 05:48:17,060", "service": "service_undefined", "sampling_rate": 0.0}
2.3.2 startting main logic on local shell
{"level": "INFO", "message": {"msg": "Invoked es-loader", "s3_bucket": "logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y", "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/", "logtype": "nodata", "start_number": 0, "end_number": 0}, "location": "__init__:43", "timestamp": "2021-07-05 05:48:17,080", "service": "service_undefined", "sampling_rate": 0.0, "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/"}
./index.py:261: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn(f'Skipped S3 object because {logfile.ignored_reason}')
{"level": "WARNING", "message": "Skipped S3 object because this s3 key is just path, AWSLogs/<AWSアカウントID>/CloudTrail-Digest/", "location": "lambda_handler:261", "timestamp": "2021-07-05 05:48:17,081", "service": "service_undefined", "sampling_rate": 0.0, "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/"}
{"level": "INFO", "message": {"msg": "Invoked es-loader", "s3_bucket": "logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y", "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T102341Z.json.gz", "logtype": "cloudtrail", "start_number": 0, "end_number": 0}, "location": "__init__:43", "timestamp": "2021-07-05 05:48:17,084", "service": "service_undefined", "sampling_rate": 0.0, "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T102341Z.json.gz"}
./index.py:261: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn(f'Skipped S3 object because {logfile.ignored_reason}')
{"level": "WARNING", "message": "Skipped S3 object because \"s3_key_ignored\" re.compile('CloudTrail-Digest') matched with AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T102341Z.json.gz", "location": "lambda_handler:261", "timestamp": "2021-07-05 05:48:17,085", "service": "service_undefined", "sampling_rate": 0.0, "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T102341Z.json.gz"}
{"level": "INFO", "message": {"msg": "Invoked es-loader", "s3_bucket": "logresorcestack-centralizedbucketa7c16f21-dhgqky8w3f6y", "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T112341Z.json.gz", "logtype": "cloudtrail", "start_number": 0, "end_number": 0}, "location": "__init__:43", "timestamp": "2021-07-05 05:48:17,087", "service": "service_undefined", "sampling_rate": 0.0, "s3_key": "AWSLogs/<AWSアカウントID>/CloudTrail-Digest/af-south-1/2021/07/04/<AWSアカウントID>_CloudTrail-Digest_af-south-1_LogResorceStack-CloudTrailA62D711D-1N4NV7LHMQHDZ_us-east-1_20210704T112341Z.json.gz"}
./index.py:261: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn(f'Skipped S3 object because {logfile.ignored_reason}')
.
.
(snip)
.
.
The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "./index.py", line 426, in <module>
    res.get()
  File "/usr/lib64/python3.8/multiprocessing/pool.py", line 771, in get
    raise self._value
elasticsearch.exceptions.TransportError: TransportError(429, '429 Too Many Requests /_bulk')
837 logs are not loaded to ES. See for details, s3-list.txt.error_debug.log
INFO: Finishaed batch loading
It seems the request volume was too high and some logs were not loaded.
The list of objects that failed is saved in s3-list.txt.error.log.
> ls -l s3-list.txt*
-rw-rw-r-- 1 ec2-user ec2-user  404185  7月  5 05:46 s3-list.txt
-rw-rw-r-- 1 ec2-user ec2-user  138754  7月  5 05:51 s3-list.txt.error.log
-rw-rw-r-- 1 ec2-user ec2-user 1953558  7月  5 05:51 s3-list.txt.error_debug.log
-rw-rw-r-- 1 ec2-user ec2-user  322747  7月  5 05:50 s3-list.txt.finish.log
> head s3-list.txt.error.log
2021-07-05 05:50:07.696605+00:00 1510 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_KxLpMkCAPkqIAXc9.json.gz
2021-07-05 05:50:07.763515+00:00 1511 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_ThjRVSz1AbqDHKiU.json.gz
2021-07-05 05:50:07.866250+00:00 1512 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_XOYRwnVP47KHWuq7.json.gz
2021-07-05 05:50:07.929522+00:00 1513 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_daPgYFzibLZhCw0j.json.gz
2021-07-05 05:50:08.010617+00:00 1514 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_kmigDjrnSTHcxuBA.json.gz
2021-07-05 05:50:08.071987+00:00 1515 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_m3zkQKf0LP7tSp9R.json.gz
2021-07-05 05:50:08.125686+00:00 1516 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_pqPkIu08uBihbhZr.json.gz
2021-07-05 05:50:08.208802+00:00 1517 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_sKgTQswBmOsa2imS.json.gz
2021-07-05 05:50:08.276431+00:00 1518 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1205Z_yVeTEbMh6oSwQvDI.json.gz
2021-07-05 05:50:08.404525+00:00 1519 AWSLogs/<AWSアカウントID>/CloudTrail/us-east-1/2021/07/04/<AWSアカウントID>_CloudTrail_us-east-1_20210704T1210Z_9Wq0QBq22SYmgFTJ.json.gz
Specify the list of failed objects and feed the logs into es-loader again.
> ./index.py -b ${LOG_BUCKET} -l s3-list.txt.error.log
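The back-fill above (build the object list, run es-loader, re-run it on the error log) can be scripted so the re-run is not manual. The following is an added example, not code from the post or from the SIEM on Amazon ES project: it pre-filters the list, feeds es-loader in chunks to stay under the throttling that produced the 429, and retries the failed list until it is empty. It assumes es-loader's command line and the LIST.error.log naming shown above; ES_LOADER_CMD is a hypothetical variable that exists only so another loader command can be swapped in.

```shell
#!/usr/bin/env bash
# Added example (not code from the post or from the SIEM on Amazon ES project): run the
# back-fill in throttle-friendly chunks, then keep re-feeding es-loader's failed-object
# list until it comes back empty, instead of re-running it by hand.
# Assumptions: es-loader is invoked exactly as in the post (./index.py -b BUCKET -l LIST),
# LIST uses the `aws s3 ls --recursive` layout (date time size key), and a run over LIST
# writes the objects it could not load to LIST.error.log in that same layout. ES_LOADER_CMD
# is a hypothetical variable used here only so another loader command can be substituted.
set -euo pipefail

# Keep only real log objects. The post's run shows es-loader skipping two kinds of entry
# with warnings: "folder" markers (keys ending in "/") and CloudTrail-Digest objects.
# Dropping them first keeps the bulk requests, and the error log, to genuine events.
# Prints the number of entries kept.
filter_object_list() {
  local src=$1 dst=$2
  awk '
    NF >= 4 {
      key = $0
      sub(/^ *[^ ]+ +[^ ]+ +[^ ]+ +/, "", key)   # strip date, time and size columns
      if (key ~ /\/$/) next                      # zero-byte folder marker
      if (key ~ /CloudTrail-Digest\//) next      # digest files, not events
      print
    }' "$src" > "$dst"
  wc -l < "$dst" | tr -d ' '
}

# Feed LIST to es-loader CHUNK lines at a time, pausing PAUSE seconds between chunks so a
# single burst of bulk requests is less likely to hit the 429 Too Many Requests seen in
# the post. Every chunk's LIST.part.N.error.log is appended to LIST.failed for a retry pass.
# Prints the number of objects that failed.
load_in_chunks() {
  local bucket=$1 list=$2 chunk=${3:-200} pause=${4:-30}
  local loader=${ES_LOADER_CMD:-./index.py}
  local failed="${list}.failed" total start part
  : > "$failed"
  total=$(wc -l < "$list" | tr -d ' ')
  start=1
  while [ "$start" -le "$total" ]; do
    part="${list}.part.${start}"
    sed -n "${start},$((start + chunk - 1))p" "$list" > "$part"
    "$loader" -b "$bucket" -l "$part" || true        # a failed run still leaves .error.log
    if [ -s "${part}.error.log" ]; then
      cat "${part}.error.log" >> "$failed"
    fi
    start=$((start + chunk))
    [ "$start" -le "$total" ] && sleep "$pause"
  done
  wc -l < "$failed" | tr -d ' '
}

# Re-feed the failed list the way the post re-runs es-loader on s3-list.txt.error.log, but
# repeat (with a pause, for the throttling to subside) until no error log is produced or
# MAX passes are used up. Returns 0 when everything loaded, 1 when objects still fail.
retry_failed() {
  local bucket=$1 failed=$2 max=${3:-5} pause=${4:-60}
  local loader=${ES_LOADER_CMD:-./index.py}
  local current=$failed pass
  for ((pass = 1; pass <= max; pass++)); do
    if [ ! -s "$current" ]; then
      echo "pass $pass: nothing left to load"
      return 0
    fi
    "$loader" -b "$bucket" -l "$current" || true
    current="${current}.error.log"
    if [ ! -s "$current" ]; then
      echo "pass $pass: all objects loaded"
      return 0
    fi
    echo "pass $pass: $(wc -l < "$current" | tr -d ' ') objects still failing, pausing ${pause}s" >&2
    sleep "$pause"
  done
  echo "gave up after $max passes; remaining objects are listed in $current" >&2
  return 1
}

# Typical use on the es-loader EC2 instance, with the post's variables already exported:
#   filter_object_list s3-list.txt s3-list.filtered.txt
#   load_in_chunks "$LOG_BUCKET" s3-list.filtered.txt 200 30
#   retry_failed "$LOG_BUCKET" s3-list.filtered.txt.failed 5 60
```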
Checking the logs in Kibana
After es-loader has finished loading the logs, set up port forwarding again and access Kibana.
Let's also list the Amazon Linux 2 /var/log/messages logs.
Let's list the Security Hub logs as well.
All of them appear to have been loaded correctly.
If you just want to try SIEM on Amazon ES, loading via Same-Region Replication may be the better choice
I analyzed the logs in an existing S3 bucket with SIEM on Amazon ES using the following three patterns.
- Use Same-Region Replication (SRR) to replicate the logs in the existing S3 bucket to the SIEM on Amazon ES log collection S3 bucket
- Use AWS DataSync to replicate the logs in the existing S3 bucket to the SIEM on Amazon ES log collection S3 bucket
- Import the existing S3 bucket into SIEM on Amazon ES
Personally, if you just want to try out SIEM on Amazon ES, I think the pattern using Same-Region Replication (SRR) is the better one.
The points where I found it better than the other patterns are as follows.
- Compared with the DataSync pattern, the replication interval is shorter
  - SRR: replicates within roughly 15 minutes (it can take several hours depending on factors such as object size)
  - DataSync: replicates at intervals of one hour at the shortest
- Compared with the pattern of importing the S3 bucket, the following work is not required
  - Assessing the impact of the S3 bucket policy and other bucket settings being overwritten
  - Managing the bucket with AWS CDK
  - Manually feeding the logs in the imported S3 bucket into es-loader
Of course, if you choose the SRR pattern, you pay for S3 storage twice, and the PUT requests made during replication are billed as well.
So if you want to keep costs down, or want a simpler configuration, I think the pattern of importing the S3 bucket is the one to pick.
I hope this article helps someone.
That's all from のんピ (@non____97), Consulting Department, AWS Business Division!