Retrieving and Reviewing AWS Security Hub Findings with the CLI

2025.04.05

Hello, this is Wakatsuki from the Manufacturing Business Technology Department.

AWS Security Hub lets you review security issues and areas for improvement in your AWS account as findings.

https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/what-is-securityhub.html

This post introduces scripts that use the AWS CLI to retrieve and review Security Hub findings.

Retrieving findings with the CLI

Retrieving failed findings

First, a command that retrieves failed findings with a severity of MEDIUM or higher.

aws securityhub get-findings \
  --filters '{
    "SeverityLabel": [
      {"Value": "MEDIUM","Comparison": "EQUALS"},
      {"Value": "HIGH","Comparison": "EQUALS"},
      {"Value": "CRITICAL","Comparison": "EQUALS"}
    ],
    "ComplianceStatus": [
      {"Value": "FAILED","Comparison": "EQUALS"}
    ],
    "WorkflowStatus": [
      {"Value": "NEW","Comparison": "EQUALS"},
      {"Value": "NOTIFIED","Comparison": "EQUALS"},
      {"Value": "RESOLVED","Comparison": "EQUALS"}
    ],
    "RecordState": [
      {"Value": "ACTIVE","Comparison": "EQUALS"}
    ]
  }' \
  --output json > output_failed.json

This command specifies the following filters:

  • Severity: MEDIUM, HIGH, CRITICAL
  • Compliance status: FAILED
  • Workflow status: NEW, NOTIFIED, RESOLVED
  • Record state: ACTIVE

Multiple values under one field are OR-ed together, and the fields themselves are AND-ed. Note that RESOLVED is a workflow status set by a user or by automation once a finding has been dealt with, so including it also returns items that someone has already marked as handled; leave it out if you only want open findings.

Running the command writes results like the example below to a file. The example shows only one finding, but in practice Findings will contain many. The CLI follows the NextToken pagination automatically, so the file holds every matching finding, not just the first page.

output_failed.json
{
  "Findings": [
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:subscription/cis-aws-foundations-benchmark/v/1.4.0/2.1.2/finding/4f8c67e1-ca7d-4845-ac11-015b526aae96",
      "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
      "ProductName": "Security Hub",
      "CompanyName": "AWS",
      "Region": "us-east-1",
      "GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/2.1.2",
      "AwsAccountId": "XXXXXXXXXXXX",
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "FirstObservedAt": "2025-02-03T08:41:56.916Z",
      "LastObservedAt": "2025-02-20T19:50:54.289Z",
      "CreatedAt": "2025-02-03T08:42:04.762Z",
      "UpdatedAt": "2025-03-10T07:51:07.302Z",
      "Severity": {
        "Product": 40,
        "Label": "MEDIUM",
        "Normalized": 40,
        "Original": "MEDIUM"
      },
      "Title": "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests",
      "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
      "Remediation": {
        "Recommendation": {
          "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
          "Url": "https://docs.aws.amazon.com/console/securityhub/S3.5/remediation"
        }
      },
      "ProductFields": {
        "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:subscription/cis-aws-foundations-benchmark/v/1.4.0",
        "ControlId": "2.1.2",
        "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/S3.5/remediation",
        "RelatedAWSResources:0/name": "securityhub-s3-bucket-ssl-requests-only-c8ec9b70",
        "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:control/cis-aws-foundations-benchmark/v/1.4.0/2.1.2",
        "aws/securityhub/ProductName": "Security Hub",
        "aws/securityhub/CompanyName": "AWS",
        "Resources:0/Id": "arn:aws:s3:::cdktoolkit-stagingbucket-xgr9z7hyji0m",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:subscription/cis-aws-foundations-benchmark/v/1.4.0/2.1.2/finding/4f8c67e1-ca7d-4845-ac11-015b526aae96"
      },
      "Resources": [
        {
          "Type": "AwsS3Bucket",
          "Id": "arn:aws:s3:::cdktoolkit-stagingbucket-xgr9z7hyji0m",
          "Partition": "aws",
          "Region": "us-east-1",
          "Details": {
            "AwsS3Bucket": {
              "OwnerId": "d1bafa3f4ff9faaeee0ca8b4177610fda65af06596e8c430cd47af8e107ae82b",
              "CreatedAt": "2021-05-22T09:32:48.000Z",
              "Name": "cdktoolkit-stagingbucket-xgr9z7hyji0m"
            }
          }
        }
      ],
      "Compliance": {
        "Status": "FAILED",
        "RelatedRequirements": ["CIS AWS Foundations Benchmark v1.4.0/2.1.2"],
        "SecurityControlId": "S3.5",
        "AssociatedStandards": [
          {
            "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"
          }
        ]
      },
      "WorkflowState": "NEW",
      "Workflow": {
        "Status": "NOTIFIED"
      },
      "RecordState": "ACTIVE",
      "FindingProviderFields": {
        "Severity": {
          "Label": "MEDIUM",
          "Original": "MEDIUM"
        },
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
        ]
      },
      "ProcessedAt": "2025-03-10T07:51:17.685Z"
    }
  ]
}
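As an added example (this is not code from the post), the following Python script builds the same `--filters` document from a minimum severity threshold and evaluates findings against it locally, using Security Hub's filter semantics: EQUALS values within one field are OR-ed, and the fields are AND-ed. It goes beyond the command above in that the severity list is generated from a threshold, and by default it leaves RESOLVED out of WorkflowStatus. The SAMPLE_FINDINGS and the script name build_filters.py are assumptions of the example.

```python
"""Build the --filters document for `aws securityhub get-findings` and
check findings against it locally (added example, not from the post)."""
import json

# Security Hub severity labels in ascending order.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def equals_filter(values):
    """StringFilter list: one EQUALS entry per value (entries are OR-ed)."""
    return [{"Value": v, "Comparison": "EQUALS"} for v in values]


def build_filters(min_severity="MEDIUM", workflow=("NEW", "NOTIFIED")):
    """Same shape as the post's --filters, generalised to a threshold.

    SeverityLabel is a string filter with no >= comparison, so every label
    at or above the threshold is listed as its own EQUALS entry. RESOLVED
    is left out of the default workflow set on purpose: including it (as
    the post does) also returns findings already marked as handled.
    """
    if min_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity label: {min_severity}")
    labels = SEVERITY_ORDER[SEVERITY_ORDER.index(min_severity):]
    return {
        "SeverityLabel": equals_filter(labels),
        "ComplianceStatus": equals_filter(["FAILED"]),
        "WorkflowStatus": equals_filter(list(workflow)),
        "RecordState": equals_filter(["ACTIVE"]),
    }


# Where each filter key lives inside an ASFF finding document.
FIELD_PATHS = {
    "SeverityLabel": ("Severity", "Label"),
    "ComplianceStatus": ("Compliance", "Status"),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
}


def _get(finding, path):
    """Walk a nested dict path; return the string at the end or None."""
    node = finding
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, str) else None


def matches(finding, filters):
    """True if the finding satisfies every filter key (AND across keys,
    OR across the EQUALS values within a key), as Security Hub evaluates it."""
    for key, entries in filters.items():
        value = _get(finding, FIELD_PATHS[key])
        wanted = {e["Value"] for e in entries if e["Comparison"] == "EQUALS"}
        if value not in wanted:
            return False
    return True


def select(findings, filters):
    """IDs of the findings that the filter document would return."""
    return [f["Id"] for f in findings if matches(f, filters)]


# Constructed findings, trimmed to the fields the filter looks at.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NOTIFIED"}, "RecordState": "ACTIVE"},
    {"Id": "f-2", "Severity": {"Label": "LOW"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-3", "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "SUPPRESSED"}, "RecordState": "ACTIVE"},
    {"Id": "f-4", "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "PASSED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-5", "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE"},
]


if __name__ == "__main__":
    # Usage: aws securityhub get-findings --filters "$(python3 build_filters.py)"
    print(json.dumps(build_filters(), indent=2))
```

Running the script prints the filter document, so it can be passed straight to `--filters` via command substitution; `select()` is there to sanity-check which of a set of findings a given filter would return before you run it against the account.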

Grouping findings by title

A command that groups the retrieved findings by title and counts them.

jq '.Findings | group_by(.Title) | map({
  Title: .[0].Title,
  Count: length,
  Findings: map({
    Region: .Region,
    ResourceType: .Resources[0].Type,
    ResourceId: .Resources[0].Id,
    Severity: .Severity.Label
  })
})' output_failed.json > grouped_by_title.json

Below is an example of the grouped findings.

grouped_by_title.json
[
  {
    "Title": "1.14 Ensure hardware MFA is enabled for the root user",
    "Count": 1,
    "Findings": [
      {
        "Region": "us-east-1",
        "ResourceType": "AwsAccount",
        "ResourceId": "AWS::::Account:XXXXXXXXXXXX",
        "Severity": "CRITICAL"
      }
    ]
  },
  {
    "Title": "1.9 Ensure IAM password policy requires minimum password length of 14 or greater",
    "Count": 2,
    "Findings": [
      {
        "Region": "us-east-1",
        "ResourceType": "AwsAccount",
        "ResourceId": "AWS::::Account:XXXXXXXXXXXX",
        "Severity": "MEDIUM"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsAccount",
        "ResourceId": "AWS::::Account:XXXXXXXXXXXX",
        "Severity": "MEDIUM"
      }
    ]
  },
  {
    "Title": "2.5 AWS Config should be enabled and use the service-linked role for resource recording",
    "Count": 2,
    "Findings": [
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsAccount",
        "ResourceId": "AWS::::Account:XXXXXXXXXXXX",
        "Severity": "CRITICAL"
      },
      {
        "Region": "us-east-1",
        "ResourceType": "AwsAccount",
        "ResourceId": "AWS::::Account:XXXXXXXXXXXX",
        "Severity": "CRITICAL"
      }
    ]
  },
  {
    "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
    "Count": 2,
    "Findings": [
      {
        "Region": "us-east-1",
        "ResourceType": "AwsCloudTrailTrail",
        "ResourceId": "arn:aws:cloudtrail:ap-northeast-1:XXXXXXXXXXXX:trail/Members",
        "Severity": "MEDIUM"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsCloudTrailTrail",
        "ResourceId": "arn:aws:cloudtrail:ap-northeast-1:XXXXXXXXXXXX:trail/Members",
        "Severity": "MEDIUM"
      }
    ]
  },
  {
    "Title": "2.9 Ensure VPC flow logging is enabled in all VPCs",
    "Count": 3,
    "Findings": [
      {
        "Region": "us-east-1",
        "ResourceType": "AwsEc2Vpc",
        "ResourceId": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:vpc/vpc-0bc0e8722314e9b2a",
        "Severity": "MEDIUM"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsEc2Vpc",
        "ResourceId": "arn:aws:ec2:ap-northeast-1:XXXXXXXXXXXX:vpc/vpc-00f7c95d9d38a1100",
        "Severity": "MEDIUM"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsEc2Vpc",
        "ResourceId": "arn:aws:ec2:ap-northeast-1:XXXXXXXXXXXX:vpc/vpc-00a2fd087eaed20bd",
        "Severity": "MEDIUM"
      }
    ]
  },
  {
    "Title": "4.3 Ensure the default security group of every VPC restricts all traffic",
    "Count": 4,
    "Findings": [
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsEc2SecurityGroup",
        "ResourceId": "arn:aws:ec2:ap-northeast-1:XXXXXXXXXXXX:security-group/sg-07e05a0864259d6b4",
        "Severity": "HIGH"
      },
      {
        "Region": "us-east-1",
        "ResourceType": "AwsEc2SecurityGroup",
        "ResourceId": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:security-group/sg-076920d0518f21c34",
        "Severity": "HIGH"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsEc2SecurityGroup",
        "ResourceId": "arn:aws:ec2:ap-northeast-1:XXXXXXXXXXXX:security-group/sg-04da5003fe1ad4fe5",
        "Severity": "HIGH"
      },
      {
        "Region": "ap-northeast-1",
        "ResourceType": "AwsEc2SecurityGroup",
        "ResourceId": "arn:aws:ec2:ap-northeast-1:XXXXXXXXXXXX:security-group/sg-0c5b8c034e554faf9",
        "Severity": "HIGH"
      }
    ]
  }
]

This groups findings that share a title, making the counts and the related resources easy to see. Note that the jq expression takes only the first entry of each finding's Resources array; a finding can reference more than one resource.

Opening the output file in VS Code and folding the JSON tree makes it even easier to read.
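Added example, not from the post: the following Python script reproduces the grouping the jq command does and goes a little further. It ranks the groups by their highest severity, counts distinct resources per title, and flags titles where the same resource is reported from more than one region (account-level controls such as the IAM password policy check above appear once per enabled region but need fixing only once). The embedded SAMPLE findings, the account ID 123456789012 and the resource IDs are constructed for the example.

```python
"""Summarise Security Hub findings like the post's jq, plus severity ordering
and cross-region duplicate detection (added example, not part of the post)."""
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(path):
    """Read the file written by `aws securityhub get-findings --output json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Findings"]


def primary_resource(finding):
    """First resource entry, as the post's jq does with .Resources[0]."""
    res = finding.get("Resources") or [{}]
    return res[0].get("Type", "unknown"), res[0].get("Id", "unknown")


def summarize(findings):
    """Group by Title; most severe group first, then alphabetical by title."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["Title"]].append(f)
    out = []
    for title, items in groups.items():
        rows = []
        for f in items:
            rtype, rid = primary_resource(f)
            rows.append({"Region": f.get("Region"), "ResourceType": rtype,
                         "ResourceId": rid, "Severity": f["Severity"]["Label"]})
        out.append({
            "Title": title,
            "Count": len(rows),
            "DistinctResources": len({r["ResourceId"] for r in rows}),
            "Regions": sorted({r["Region"] for r in rows}),
            "MaxSeverity": max((r["Severity"] for r in rows),
                               key=lambda s: SEVERITY_RANK.get(s, -1)),
            "Findings": rows,
        })
    out.sort(key=lambda g: (-SEVERITY_RANK.get(g["MaxSeverity"], -1), g["Title"]))
    return out


def cross_region_duplicates(findings):
    """Titles whose same resource is reported from more than one region.
    Account-level controls behave like this: remediate once, not per region."""
    regions = defaultdict(set)
    for f in findings:
        _, rid = primary_resource(f)
        regions[(f["Title"], rid)].add(f.get("Region"))
    return sorted({title for (title, _), rs in regions.items() if len(rs) > 1})


def _f(title, region, severity, rtype, rid):
    """Constructed finding with just the fields the summary reads."""
    return {"Title": title, "Region": region, "Severity": {"Label": severity},
            "Resources": [{"Type": rtype, "Id": rid}]}


# Constructed sample in the shape of output_failed.json (account ID is made up).
ACCOUNT = "AWS::::Account:123456789012"
SAMPLE = {"Findings": [
    _f("1.14 Ensure hardware MFA is enabled for the root user",
       "us-east-1", "CRITICAL", "AwsAccount", ACCOUNT),
    _f("1.9 Ensure IAM password policy requires minimum password length of 14 or greater",
       "us-east-1", "MEDIUM", "AwsAccount", ACCOUNT),
    _f("1.9 Ensure IAM password policy requires minimum password length of 14 or greater",
       "ap-northeast-1", "MEDIUM", "AwsAccount", ACCOUNT),
    _f("2.9 Ensure VPC flow logging is enabled in all VPCs", "us-east-1", "MEDIUM",
       "AwsEc2Vpc", "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0aaa"),
    _f("2.9 Ensure VPC flow logging is enabled in all VPCs", "ap-northeast-1", "MEDIUM",
       "AwsEc2Vpc", "arn:aws:ec2:ap-northeast-1:123456789012:vpc/vpc-0bbb"),
    _f("4.3 Ensure the default security group of every VPC restricts all traffic",
       "ap-northeast-1", "HIGH", "AwsEc2SecurityGroup",
       "arn:aws:ec2:ap-northeast-1:123456789012:security-group/sg-0ccc"),
]}


if __name__ == "__main__":
    # Usage: python3 summarize_findings.py output_failed.json (falls back to SAMPLE)
    findings = load_findings(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE["Findings"]
    print(json.dumps(summarize(findings), indent=2))
    print("reported once per region (remediate once):", cross_region_duplicates(findings))
```

DistinctResources is the number you actually have to fix; Count is the number of finding records Security Hub holds, which for account-level controls scales with the number of regions the standard is enabled in.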

Closing

This post introduced scripts that use the AWS CLI to retrieve and review Security Hub findings.

With the AWS CLI you can retrieve and analyze Security Hub findings efficiently. I hope the commands and scripts shown here help you improve your security posture.

That's all.

© Classmethod, Inc. All rights reserved.