[アップデート] AWS Security Hub に CIS AWS Foundations Benchmark v3.0.0 のセキュリティ基準がリリースされました!

[アップデート] AWS Security Hub に CIS AWS Foundations Benchmark v3.0.0 のセキュリティ基準がリリースされました!

AWS Security Hub に CIS AWS Foundations Benchmark v3.0.0 が追加されました!
Clock Icon2024.05.14

こんにちは、AWS 事業本部の平木です!

今回、AWS Security Hub のアップデートで CIS AWS Foundations Benchmark v3.0.0 のセキュリティ基準がリリースされたためご紹介します。

CIS AWS Foundations Benchmark v3.0.0 のコントロール一覧

CIS AWS Foundations Benchmark v3.0.0 で対応しているコントロールの一覧を下記に示します。

今回の CIS AWS Foundations Benchmark v3.0.0 追加に伴い新規コントロールも追加されたため、そのコントロールは●マークが付いています。

※リージョンによっては対応していないコントロールもあります。

ID タイトル 重要度 新規追加されたコントロール
Account.1 Security contact information should be provided for an AWS account MEDIUM -
CloudTrail.1 CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events HIGH -
CloudTrail.2 CloudTrail should have encryption at-rest enabled MEDIUM -
CloudTrail.4 CloudTrail log file validation should be enabled LOW -
CloudTrail.7 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket LOW -
Config.1 AWS Config should be enabled MEDIUM -
EC2.2 VPC default security groups should not allow inbound or outbound traffic HIGH -
EC2.6 VPC flow logging should be enabled in all VPCs MEDIUM -
EC2.7 EBS default encryption should be enabled MEDIUM -
EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) HIGH -
EC2.21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 MEDIUM -
EC2.53 EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports HIGH
EC2.54 EC2 security groups should not allow ingress from ::/0 to remote server administration ports HIGH
EFS.1 Elastic File System should be configured to encrypt file data at-rest using AWS KMS MEDIUM -
IAM.2 IAM users should not have IAM policies attached LOW -
IAM.3 IAM users' access keys should be rotated every 90 days or less MEDIUM -
IAM.4 IAM root user access key should not exist CRITICAL -
IAM.5 MFA should be enabled for all IAM users that have a console password MEDIUM -
IAM.6 Hardware MFA should be enabled for the root user CRITICAL -
IAM.9 MFA should be enabled for the root user CRITICAL -
IAM.15 Ensure IAM password policy requires minimum password length of 14 or greater MEDIUM -
IAM.16 Ensure IAM password policy prevents password reuse LOW -
IAM.18 Ensure a support role has been created to manage incidents with AWS Support LOW -
IAM.22 IAM user credentials unused for 45 days should be removed MEDIUM -
IAM.26 Expired SSL/TLS certificates managed in IAM should be removed MEDIUM
IAM.27 IAM identities should not have the AWSCloudShellFullAccess policy attached MEDIUM
IAM.28 IAM Access Analyzer external access analyzer should be enabled HIGH
KMS.4 AWS KMS key rotation should be enabled MEDIUM -
RDS.2 RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration CRITICAL -
RDS.3 RDS DB instances should have encryption at-rest enabled MEDIUM -
RDS.13 RDS automatic minor version upgrades should be enabled HIGH -
S3.1 S3 general purpose buckets should have block public access settings enabled MEDIUM -
S3.5 S3 general purpose buckets should require requests to use SSL MEDIUM -
S3.8 S3 general purpose buckets should block public access-level HIGH -
S3.20 S3 general purpose buckets should have MFA delete enabled LOW -
S3.22 S3 general purpose buckets should log object-level write events MEDIUM
S3.23 S3 general purpose buckets should log object-level read events MEDIUM

CSV も掲載しているため使用したい方は下記「▶ 展開する」を押してご参照ください。

展開する
ID,title,severity,add control
Account.1,"Security contact information should be provided for an AWS account",MEDIUM,-
CloudTrail.1,"CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",HIGH,-
CloudTrail.2,"CloudTrail should have encryption at-rest enabled",MEDIUM,-
CloudTrail.4,"CloudTrail log file validation should be enabled",LOW,-
CloudTrail.7,"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",LOW,-
Config.1,"AWS Config should be enabled",MEDIUM,-
EC2.2,"VPC default security groups should not allow inbound or outbound traffic",HIGH,-
EC2.6,"VPC flow logging should be enabled in all VPCs",MEDIUM,-
EC2.7,"EBS default encryption should be enabled",MEDIUM,-
EC2.8,"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)",HIGH,-
EC2.21,"Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389",MEDIUM,-
EC2.53,"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports",HIGH,*
EC2.54,"EC2 security groups should not allow ingress from ::/0 to remote server administration ports",HIGH,*
EFS.1,"Elastic File System should be configured to encrypt file data at-rest using AWS KMS",MEDIUM,-
IAM.2,"IAM users should not have IAM policies attached",LOW,-
IAM.3,"IAM users' access keys should be rotated every 90 days or less",MEDIUM,-
IAM.4,"IAM root user access key should not exist",CRITICAL,-
IAM.5,"MFA should be enabled for all IAM users that have a console password",MEDIUM,-
IAM.6,"Hardware MFA should be enabled for the root user",CRITICAL,-
IAM.9,"MFA should be enabled for the root user",CRITICAL,-
IAM.15,"Ensure IAM password policy requires minimum password length of 14 or greater",MEDIUM,-
IAM.16,"Ensure IAM password policy prevents password reuse",LOW,-
IAM.18,"Ensure a support role has been created to manage incidents with AWS Support",LOW,-
IAM.22,"IAM user credentials unused for 45 days should be removed",MEDIUM,-
IAM.26,"Expired SSL/TLS certificates managed in IAM should be removed",MEDIUM,*
IAM.27,"IAM identities should not have the AWSCloudShellFullAccess policy attached",MEDIUM,*
IAM.28,"IAM Access Analyzer external access analyzer should be enabled",HIGH,*
KMS.4,"AWS KMS key rotation should be enabled",MEDIUM,-
RDS.2,"RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration",CRITICAL,-
RDS.3,"RDS DB instances should have encryption at-rest enabled",MEDIUM,-
RDS.13,"RDS automatic minor version upgrades should be enabled",HIGH,-
S3.1,"S3 general purpose buckets should have block public access settings enabled",MEDIUM,-
S3.5,"S3 general purpose buckets should require requests to use SSL",MEDIUM,-
S3.8,"S3 general purpose buckets should block public access-level",HIGH,-
S3.20,"S3 general purpose buckets should have MFA delete enabled",LOW,-
S3.22,"S3 general purpose buckets should log object-level write events",MEDIUM,*
S3.23,"S3 general purpose buckets should log object-level read events",MEDIUM,*

CIS AWS Foundations Benchmark v1.4.0 と CIS AWS Foundations Benchmark v3.0.0 の違い

Security Hub で対応している CIS AWS Foundations Benchmark は今までの最新はv1.4.0でした。
v3.0.0 との差分を見ていこうと思います。

追加されたコントロール

下記 13 個がv1.4.0には無くv3.0.0で追加されたコントロールです。
新規追加されたコントロールが半数を占めています。

ID タイトル
Account.1 Security contact information should be provided for an AWS account
EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
EC2.53 EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports
EC2.54 EC2 security groups should not allow ingress from ::/0 to remote server administration ports
EFS.1 Elastic File System should be configured to encrypt file data at-rest using AWS KMS
IAM.2 IAM users should not have IAM policies attached
IAM.26 Expired SSL/TLS certificates managed in IAM should be removed
IAM.27 IAM identities should not have the AWSCloudShellFullAccess policy attached
IAM.28 IAM Access Analyzer external access analyzer should be enabled
RDS.2 RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration
RDS.13 RDS automatic minor version upgrades should be enabled
S3.22 S3 general purpose buckets should log object-level write events
S3.23 S3 general purpose buckets should log object-level read events

削除されたコントロール

下記 15 個がv1.4.0にはありv3.0.0で削除されたコントロールです。
CloudWatch 系が全て削除された印象を受けます。

ID タイトル
CloudTrail.5 CloudTrail trails should be integrated with Amazon CloudWatch Logs
CloudTrail.6 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
CloudWatch.1 A log metric filter and alarm should exist for usage of the "root" user
CloudWatch.4 Ensure a log metric filter and alarm exist for IAM policy changes
CloudWatch.5 Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes
CloudWatch.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
CloudWatch.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
CloudWatch.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
CloudWatch.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
CloudWatch.10 Ensure a log metric filter and alarm exist for security group changes
CloudWatch.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
CloudWatch.12 Ensure a log metric filter and alarm exist for changes to network gateways
CloudWatch.13 Ensure a log metric filter and alarm exist for route table changes
CloudWatch.14 Ensure a log metric filter and alarm exist for VPC changes
IAM.1 IAM policies should not allow full "*" administrative privileges

中央設定では管理可能か

組織管理している場合に中央設定していると Security Hub を非常に柔軟にかつ楽に運用できます。

そんな中央設定でも使えるか確認してみましたが問題なく設定できるようです。

有効化してみる

初めて Security Hub を使う場合

最初の有効化画面から「CIS AWS Foundations Benchmark v3.0.0 を有効化する」にチェックを入れていただくと有効化できます。

既に Security Hub を有効化している場合

セキュリティ基準の項目から「CIS AWS Foundations Benchmark v3.0.0」の「標準を有効化」を押下すると有効化できます。

※それぞれ有効化してからスコアが反映されるには時間がかかります。

参考

おわりに

AWS Security Hub で新規セキュリティ基準の CIS AWS Foundations Benchmark v3.0.0 をご紹介しました。

v2.0.0 を待っていたらまさかの飛ばして v3.0.0 で少し驚きました。

CIS AWS Foundations Benchmark をコンプライアンスチェックに活用しているユーザーは要チェックの内容になっているかと思いますので、ぜひバージョンアップの際のご参考にしていただければと思います。

この記事がどなたかの役に立つと嬉しいです。

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.