Getting the ARNs of the AWS Managed Rule Groups provided with Network Firewall

2022.05.26


Introduction

Hello. This is Hayashi from the Osaka office.

I wanted to get the ARNs of the AWS Managed Rule Groups provided with AWS Network Firewall, so I am writing down how to obtain them.

The problem

The reason I wanted the ARNs of the AWS Managed Rule Groups is that when you associate a rule group with a Network Firewall policy "in CloudFormation", you need the rule group's ARN.
This is no exception for AWS Managed Rule Groups such as AWS Managed threat signatures and AWS Managed Domain Lists: you need the ARN of each of those rule groups as well.
However, the ARN of an AWS Managed Rule Group is nowhere to be found in the management console.

It is not shown even when you open the contents of an AWS Managed threat signatures rule group. (It is the kind of thing you would normally expect to find around here...)

So I will use the AWS CLI to get the ARNs of the AWS Managed Rule Groups.

Let's try it

You can get the ARNs of the AWS Managed Rule Groups with the following AWS CLI commands.

  • Get the ARNs of AWS Managed threat signatures (results are for the Tokyo region)
[cloudshell-user@ip-10-0-122-111 ~]$ aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_THREAT_SIGNATURES
{
    "RuleGroups": [
        {
            "Name": "ThreatSignaturesBotnetStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetStrictOrder"
        },
        {
            "Name": "ThreatSignaturesBotnetWindowsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWindowsActionOrder"
        },
        {
            "Name": "ThreatSignaturesFUPActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesFUPActionOrder"
        },
        {
            "Name": "ThreatSignaturesScannersStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesScannersStrictOrder"
        },
        {
            "Name": "ThreatSignaturesBotnetWindowsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWindowsStrictOrder"
        },
        {
            "Name": "ThreatSignaturesSuspectStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesSuspectStrictOrder"
        },
        {
            "Name": "ThreatSignaturesMalwareActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareActionOrder"
        },
        {
            "Name": "ThreatSignaturesEmergingEventsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesEmergingEventsStrictOrder"
        },
        {
            "Name": "ThreatSignaturesWebAttacksStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesWebAttacksStrictOrder"
        },
        {
            "Name": "ThreatSignaturesWebAttacksActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesWebAttacksActionOrder"
        },
        {
            "Name": "ThreatSignaturesIOCStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesIOCStrictOrder"
        },
        {
            "Name": "ThreatSignaturesEmergingEventsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesEmergingEventsActionOrder"
        },
        {
            "Name": "ThreatSignaturesIOCActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesIOCActionOrder"
        },
        {
            "Name": "ThreatSignaturesFUPStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesFUPStrictOrder"
        },
        {
            "Name": "ThreatSignaturesMalwareWebStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareWebStrictOrder"
        },
        {
            "Name": "ThreatSignaturesExploitsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesExploitsStrictOrder"
        },
        {
            "Name": "ThreatSignaturesSuspectActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesSuspectActionOrder"
        },
        {
            "Name": "ThreatSignaturesBotnetWebActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWebActionOrder"
        },
        {
            "Name": "ThreatSignaturesDoSStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesDoSStrictOrder"
        },
        {
            "Name": "ThreatSignaturesDoSActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesDoSActionOrder"
        },
        {
            "Name": "ThreatSignaturesBotnetActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetActionOrder"
        },
        {
            "Name": "ThreatSignaturesMalwareWebActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareWebActionOrder"
        },
        {
            "Name": "ThreatSignaturesExploitsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesExploitsActionOrder"
        },
        {
            "Name": "ThreatSignaturesScannersActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesScannersActionOrder"
        },
        {
            "Name": "ThreatSignaturesMalwareStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareStrictOrder"
        },
        {
            "Name": "ThreatSignaturesBotnetWebStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWebStrictOrder"
        }
    ]
}
  • Get the ARNs of AWS Managed Domain Lists (results are for the Tokyo region)
[cloudshell-user@ip-10-0-122-111 ~]$ aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_DOMAIN_LISTS
{
    "RuleGroups": [
        {
            "Name": "BotNetCommandAndControlDomainsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/BotNetCommandAndControlDomainsActionOrder"
        },
        {
            "Name": "AbusedLegitBotNetCommandAndControlDomainsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/AbusedLegitBotNetCommandAndControlDomainsActionOrder"
        },
        {
            "Name": "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/AbusedLegitBotNetCommandAndControlDomainsStrictOrder"
        },
        {
            "Name": "MalwareDomainsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder"
        },
        {
            "Name": "BotNetCommandAndControlDomainsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/BotNetCommandAndControlDomainsStrictOrder"
        },
        {
            "Name": "MalwareDomainsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/MalwareDomainsStrictOrder"
        },
        {
            "Name": "AbusedLegitMalwareDomainsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/AbusedLegitMalwareDomainsStrictOrder"
        },
        {
            "Name": "AbusedLegitMalwareDomainsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/AbusedLegitMalwareDomainsActionOrder"
        }
    ]
}

The ARN contains no account-specific information, so it looks like you can use it for another region just by changing the region part.
You can also easily get the ARNs for another region just by specifying the region with a command-line option.

[cloudshell-user@ip-10-0-122-111 ~]$ aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_THREAT_SIGNATURES --region ap-northeast-3
{
    "RuleGroups": [
        {
            "Name": "ThreatSignaturesDoSStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-3:aws-managed:stateful-rulegroup/ThreatSignaturesDoSStrictOrder"
        },
        {
            "Name": "ThreatSignaturesEmergingEventsStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-3:aws-managed:stateful-rulegroup/ThreatSignaturesEmergingEventsStrictOrder"
        },
        {
            "Name": "ThreatSignaturesDoSActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-3:aws-managed:stateful-rulegroup/ThreatSignaturesDoSActionOrder"
        },
        {
            "Name": "ThreatSignaturesExploitsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-3:aws-managed:stateful-rulegroup/ThreatSignaturesExploitsActionOrder"
        },

        (omitted)
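As an added example (not code from the original post), here is a small POSIX shell toolkit built around what the CLI output above shows: the managed rule group ARN carries the literal aws-managed in the account field, every managed group name ends in StrictOrder or ActionOrder, and only the region field differs between regions. It extracts ARNs from saved list-rule-groups output without jq, rewrites the region field, validates that an ARN really is an AWS managed stateful rule group before it goes into a template, and emits the StatefulRuleGroupReferences fragment of a CloudFormation AWS::NetworkFirewall::FirewallPolicy. The JSON excerpt is constructed from the Tokyo-region output above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the ARN format is
# the one shown in the list-rule-groups output above (account field is the
# literal "aws-managed"); function names are this example's own.

# Constructed excerpt of `aws network-firewall list-rule-groups` output
# (two entries taken from the Tokyo-region listings above).
SAMPLE_JSON='{
    "RuleGroups": [
        {
            "Name": "ThreatSignaturesBotnetStrictOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetStrictOrder"
        },
        {
            "Name": "MalwareDomainsActionOrder",
            "Arn": "arn:aws:network-firewall:ap-northeast-1:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder"
        }
    ]
}'

# Build the ARN of an AWS managed stateful rule group for a region and name.
# No account id is needed: the account field is always "aws-managed".
managed_rulegroup_arn() {
  printf 'arn:aws:network-firewall:%s:aws-managed:stateful-rulegroup/%s' "$1" "$2"
}

# Rewrite the region field (4th ':'-separated field) of a managed rule group
# ARN, which is what the post observes you can do by hand for another region.
swap_arn_region() {
  printf '%s\n' "$1" | awk -F: -v r="$2" 'BEGIN { OFS = ":" } { $4 = r; print }'
}

# Pull the "Arn" values out of list-rule-groups JSON on stdin, one per line.
# Plain sed so it works in CloudShell or anywhere without jq.
# Live equivalent (needs AWS credentials):
#   aws network-firewall list-rule-groups --scope MANAGED \
#     --managed-type AWS_MANAGED_DOMAIN_LISTS --query 'RuleGroups[].Arn' --output text
extract_arns() {
  sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p'
}

# Number of ARNs in the constructed sample (used for checking).
count_sample_arns() {
  printf '%s\n' "$SAMPLE_JSON" | extract_arns | awk 'END { print NR }'
}

# Validate that an ARN is an AWS managed stateful rule group before it is
# pasted into a template: partition left open (aws, aws-cn, ...), service must
# be network-firewall, account field must be "aws-managed", and the name must
# end in StrictOrder or ActionOrder as every managed group listed above does.
# Returns 0 when valid, 1 otherwise.
is_managed_rulegroup_arn() {
  printf '%s\n' "$1" | awk -F: '
    NF == 6 && $1 == "arn" && $3 == "network-firewall" && $5 == "aws-managed" &&
    $6 ~ /^stateful-rulegroup\/[A-Za-z0-9]+(StrictOrder|ActionOrder)$/ { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Emit the StatefulRuleGroupReferences fragment of an
# AWS::NetworkFirewall::FirewallPolicy for the given region and group names,
# refusing any name that does not produce a valid managed ARN.
cfn_rulegroup_refs() {
  region="$1"; shift
  printf 'StatefulRuleGroupReferences:\n'
  for name in "$@"; do
    arn="$(managed_rulegroup_arn "$region" "$name")"
    is_managed_rulegroup_arn "$arn" || { echo "not a managed rule group: $name" >&2; return 1; }
    printf '  - ResourceArn: %s\n' "$arn"
  done
}

# Stand-alone demo.
printf '%s\n' "$SAMPLE_JSON" | extract_arns
swap_arn_region "$(managed_rulegroup_arn ap-northeast-1 ThreatSignaturesDoSStrictOrder)" ap-northeast-3
cfn_rulegroup_refs ap-northeast-1 ThreatSignaturesBotnetStrictOrder MalwareDomainsActionOrder
```

The validator is the part worth keeping around: a customer-created rule group has the account id in the fifth field, so an ARN that merely looks similar will be rejected before CloudFormation fails the stack for you.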

Summary

When something cannot be done or is not visible in the AWS Management Console, it seems worth checking whether the AWS CLI can solve it.
I hope this article is helpful to someone.

That's all from Hayashi at the Osaka office!

References