[Update] AWS Security Hub can now show the history of a finding

It is now easier to answer "who changed the status of this finding?"
2023.05.05

I'd like an easy way to trace when this finding was detected and when it was changed

Hello, this is Nonpi (@non____97).

Have you ever used AWS Security Hub and thought, "I wish I could easily trace when this finding was detected and when it was changed"? I have.

Tracing it through CloudTrail means diffing event after event, which is painful.

With today's update, AWS Security Hub can now show the history of a finding.

History for the last 90 days is retained.

Finding history is a Security Hub feature that lets you track changes made to a finding during the last 90 days. It's available for active and archived findings. Finding history provides an immutable trail of changes made to a finding over time, including what the change was, when it occurred, and by which user.

Viewing finding details - AWS Security Hub

What is tracked is changes to ASFF fields.

In particular, you can track changes made to fields in the AWS Security Finding Format (ASFF).

Viewing finding details - AWS Security Hub

I tried it right away, so here is a walkthrough.

Trying it out

Creating a test security group

First, create a security group for testing.

The security group has no rules at all.

$ aws ec2 describe-security-groups --group-ids sg-069a1c7dd156c44ef 
{
    "SecurityGroups": [
        {
            "Description": "findings-history-test-sg",
            "GroupName": "findings-history-test-sg",
            "IpPermissions": [],
            "OwnerId": "<AWSアカウントID>",
            "GroupId": "sg-069a1c7dd156c44ef",
            "IpPermissionsEgress": [],
            "VpcId": "vpc-0e0796981cea634c1"
        }
    ]
}

$ aws ec2 describe-security-group-rules \
    --filters Name=group-id,Values=sg-069a1c7dd156c44ef
{
    "SecurityGroupRules": []
}

Searching the Security Hub console for findings on that security group ID in this state returned one hit.

Finding details

There is a History tab; clicking it shows when and by whom this finding was created.

Finding history

Let's check from the AWS CLI as well.

From the AWS CLI, finding history is retrieved with get-finding-history.

It needs the finding ID and product ARN as its argument, so first look them up with get-findings.

$ aws securityhub get-findings \
    --filters '{"ResourceId":[{"Value": "arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef","Comparison":"EQUALS"}]}'
{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "ProductName": "Security Hub",
            "CompanyName": "AWS",
            "Region": "us-east-1",
            "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.19",
            "AwsAccountId": "<AWSアカウントID>",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
            ],
            "FirstObservedAt": "2023-05-05T00:04:59.186Z",
            "LastObservedAt": "2023-05-05T00:05:03.609Z",
            "CreatedAt": "2023-05-05T00:04:59.186Z",
            "UpdatedAt": "2023-05-05T00:04:59.186Z",
            "Severity": {
                "Product": 0,
                "Label": "INFORMATIONAL",
                "Normalized": 0,
                "Original": "INFORMATIONAL"
            },
            "Title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk",
            "Description": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control fails if any of the rules in a security group allow ingress traffic from 0.0.0.0/0 or ::/0 for those ports.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"
                }
            },
            "ProductFields": {
                "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
                "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0",
                "ControlId": "EC2.19",
                "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation",
                "RelatedAWSResources:0/name": "securityhub-vpc-sg-restricted-common-ports-b8bb6fd1",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "StandardsControlArn": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "Resources:0/Id": "arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7"
            },
            "Resources": [
                {
                    "Type": "AwsEc2SecurityGroup",
                    "Id": "arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef",
                    "Partition": "aws",
                    "Region": "us-east-1",
                    "Details": {
                        "AwsEc2SecurityGroup": {
                            "GroupName": "findings-history-test-sg",
                            "GroupId": "sg-069a1c7dd156c44ef",
                            "OwnerId": "<AWSアカウントID>",
                            "VpcId": "vpc-0e0796981cea634c1"
                        }
                    }
                }
            ],
            "Compliance": {
                "Status": "PASSED",
                "SecurityControlId": "EC2.19",
                "AssociatedStandards": [
                    {
                        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
                    }
                ]
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "RESOLVED"
            },
            "RecordState": "ACTIVE",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "INFORMATIONAL",
                    "Original": "INFORMATIONAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
                ]
            }
        }
    ]
}

Pass the Id and ProductArn to get-finding-history and run it.

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:05:06.438Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

That is the same information the management console shows.
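
As an added example (not code from the original post), here is the same get-finding-history call made from Python with the NextToken pagination and the 90-day StartTime/EndTime window handled. fetch_finding_history() accepts any object with boto3's get_finding_history(**params) signature; the FakeClient, the account ID 123456789012 and the two records are constructed from the CLI output above so that the script runs offline.

```python
"""Pull the complete history of one Security Hub finding, oldest record first.

Added example, not from the original post. fetch_finding_history() takes any
object exposing boto3's securityhub get_finding_history(**params) method, so it
works with a real client (boto3.client("securityhub")) or the constructed
FakeClient below, which replays the two records shown on the page.
"""
from datetime import datetime, timedelta, timezone

# Constructed from the CLI output above; the account ID is a placeholder.
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
FINDING_ID = (
    "arn:aws:securityhub:us-east-1:123456789012:subscription/"
    "aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/"
    "3bae8a87-0020-4d84-9441-73ba5cb5a6f7"
)
_IDENT = {"Id": FINDING_ID, "ProductArn": PRODUCT_ARN}
_IMPORT = {"Type": "BATCH_IMPORT_FINDINGS", "Identity": PRODUCT_ARN}
RECORD_CREATED = {
    "FindingIdentifier": _IDENT,
    "UpdateTime": "2023-05-05T00:05:06.438Z",
    "FindingCreated": "true",  # the CLI printed a string here, not a bool
    "UpdateSource": _IMPORT,
    "Updates": [],
}
RECORD_ARCHIVED = {
    "FindingIdentifier": _IDENT,
    "UpdateTime": "2023-05-05T00:34:59.353Z",
    "FindingCreated": False,
    "UpdateSource": _IMPORT,
    "Updates": [
        {"UpdatedField": "LastObservedAt",
         "OldValue": "2023-05-05T00:05:03.609Z", "NewValue": "2023-05-05T00:34:57.605Z"},
        {"UpdatedField": "RecordState", "OldValue": "ACTIVE", "NewValue": "ARCHIVED"},
    ],
}


class FakeClient:
    """Constructed stand-in for boto3's securityhub client. It serves the two
    records newest-first across two pages so the NextToken loop is exercised."""

    _PAGES = {
        None: {"Records": [RECORD_ARCHIVED], "NextToken": "page-2"},
        "page-2": {"Records": [RECORD_CREATED]},
    }

    def __init__(self):
        self.calls = []

    def get_finding_history(self, **params):
        self.calls.append(dict(params))
        return self._PAGES[params.get("NextToken")]


def finding_created(record):
    """Normalise FindingCreated: the CLI output above shows the string "true"
    on creation records and the boolean false on later ones."""
    value = record.get("FindingCreated", False)
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


def fetch_finding_history(client, finding_id, product_arn, days=90, page_size=100):
    """Page through get_finding_history for one finding and return the records
    sorted oldest first. Security Hub keeps 90 days, so that is the default
    StartTime/EndTime window; the API itself returns newest first."""
    end = datetime.now(timezone.utc)
    params = {
        "FindingIdentifier": {"Id": finding_id, "ProductArn": product_arn},
        "StartTime": end - timedelta(days=days),
        "EndTime": end,
        "MaxResults": page_size,
    }
    records = []
    while True:
        page = client.get_finding_history(**params)
        records.extend(page.get("Records", []))
        if not page.get("NextToken"):
            return sorted(records, key=lambda r: str(r["UpdateTime"]))
        params["NextToken"] = page["NextToken"]


def flatten_updates(records):
    """One (time, source type, identity, field, old, new) row per changed
    field, plus a synthetic "(created)" row for the creation record."""
    rows = []
    for rec in records:
        when, src = str(rec["UpdateTime"]), rec["UpdateSource"]
        if finding_created(rec):
            rows.append((when, src["Type"], src["Identity"], "(created)", None, None))
        for upd in rec.get("Updates", []):
            rows.append((when, src["Type"], src["Identity"],
                         upd["UpdatedField"], upd.get("OldValue"), upd.get("NewValue")))
    return rows


if __name__ == "__main__":
    for row in flatten_updates(fetch_finding_history(FakeClient(), FINDING_ID, PRODUCT_ARN)):
        print(*row, sep="  ")
```

With a real client, replace FakeClient() with boto3.client("securityhub") and the same loop walks the full retention window; sorting oldest first turns the newest-first API order into a readable audit trail.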

Adding an inbound rule allowing TCP/3389 from 0.0.0.0/0 to the test security group

Next, let's see what happens when an inbound rule allowing TCP/3389 from 0.0.0.0/0 is added to the test security group.

$ aws ec2 describe-security-group-rules \
    --filters Name=group-id,Values=sg-069a1c7dd156c44ef
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0732ad8b6205cfd2f",
            "GroupId": "sg-069a1c7dd156c44ef",
            "GroupOwnerId": "<AWSアカウントID>",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}

Two new findings were created and the finding checked earlier was archived.

Findings after the security group rule change

The AWS CLI also shows when and by whom it was archived. Each changed field carries an OldValue and a NewValue, so the before and after state is right there. One caveat: on a BATCH_IMPORT_FINDINGS record the Identity is the Security Hub product ARN, meaning the control evaluation that re-imported the finding, not the IAM principal who edited the security group. To find that person you still need the CloudTrail event for the EC2 API call (or the AWS Config item history of the security group).

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:34:59.353Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-05-05T00:05:03.609Z",
                    "NewValue": "2023-05-05T00:34:57.605Z"
                },
                {
                    "UpdatedField": "RecordState",
                    "OldValue": "ACTIVE",
                    "NewValue": "ARCHIVED"
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-05-05T00:04:59.186Z",
                    "NewValue": "2023-05-05T00:34:57.629Z"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:05:06.438Z",
                    "NewValue": "2023-05-05T00:34:59.353Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/3bae8a87-0020-4d84-9441-73ba5cb5a6f7",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:05:06.438Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

Next, check the newly created finding.

New finding details

Its JSON looks like this.

{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.19",
  "AwsAccountId": "<AWSアカウントID>",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
  ],
  "FirstObservedAt": "2023-05-05T00:34:54.154Z",
  "LastObservedAt": "2023-05-05T00:34:57.621Z",
  "CreatedAt": "2023-05-05T00:34:54.154Z",
  "UpdatedAt": "2023-05-05T00:34:54.154Z",
  "Severity": {
    "Product": 90,
    "Label": "CRITICAL",
    "Normalized": 90,
    "Original": "CRITICAL"
  },
  "Title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk",
  "Description": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control fails if any of the rules in a security group allow ingress traffic from 0.0.0.0/0 or ::/0 for those ports.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0",
    "ControlId": "EC2.19",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation",
    "RelatedAWSResources:0/name": "securityhub-vpc-sg-restricted-common-ports-b8bb6fd1",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "aws/securityhub/annotation": "Security group allows a port that is blocked.",
    "Resources:0/Id": "arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72"
  },
  "Resources": [
    {
      "Type": "AwsEc2SecurityGroup",
      "Id": "arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef",
      "Partition": "aws",
      "Region": "us-east-1",
      "Details": {
        "AwsEc2SecurityGroup": {
          "GroupName": "findings-history-test-sg",
          "GroupId": "sg-069a1c7dd156c44ef",
          "OwnerId": "<AWSアカウントID>",
          "VpcId": "vpc-0e0796981cea634c1",
          "IpPermissions": [
            {
              "IpProtocol": "tcp",
              "FromPort": 3389,
              "ToPort": 3389,
              "IpRanges": [
                {
                  "CidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "EC2.19",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL",
      "Original": "CRITICAL"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
    ]
  },
  "ProcessedAt": "2023-05-05T00:34:59.353Z"
}

The inbound rule allowing TCP/3389 from 0.0.0.0/0 has been detected.

Check the finding history from the AWS CLI as well.

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:34:59.353Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

So far the only history record is the one saying the finding was created.

Adding an inbound rule allowing TCP/22 from 0.0.0.0/0 to the test security group

From this state, add another inbound rule allowing TCP/22 from 0.0.0.0/0 to the test security group.

$ aws ec2 describe-security-group-rules \
    --filters Name=group-id,Values=sg-069a1c7dd156c44ef
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0732ad8b6205cfd2f",
            "GroupId": "sg-069a1c7dd156c44ef",
            "GroupOwnerId": "<AWSアカウントID>",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0f9c3ccfc34461310",
            "GroupId": "sg-069a1c7dd156c44ef",
            "GroupOwnerId": "<AWSアカウントID>",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}

After waiting a while, the history was updated and the inbound rule allowing TCP/22 from 0.0.0.0/0 was detected.

History after adding TCP/22

Check from the AWS CLI as well.

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:45:05.108Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-05-05T00:34:57.621Z",
                    "NewValue": "2023-05-05T00:45:02.356Z"
                },
                {
                    "UpdatedField": "ProductFields.aws/securityhub/annotation",
                    "OldValue": "Security group allows a port that is blocked.",
                    "NewValue": "Security group allows a port that is blocked..Security group allows a port that is blocked."
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-05-05T00:34:54.154Z",
                    "NewValue": "2023-05-05T00:44:56.344Z"
                },
                {
                    "UpdatedField": "Resources",
                    "OldValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]",
                    "NewValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":22,\"ToPort\":22},{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:34:59.353Z",
                    "NewValue": "2023-05-05T00:45:05.108Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:34:59.353Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

The "UpdatedField": "Resources" entry shows how the resource itself changed. Note that its OldValue and NewValue are the whole Resources array serialised as a JSON string, so to see exactly which IpPermissions entry was added you have to parse both sides and compare them. The aws/securityhub/annotation value has also become two copies of the message joined together, apparently one per offending rule.
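
As an added example (not code from the original post), the following parses the serialised Resources strings from a history record and reports which security group rules were added or removed, then checks the added rules against the EC2.19 port list from the control description above. It goes a little beyond the page's case by also handling IPv6 ranges and egress permissions. OLD_VALUE and NEW_VALUE are constructed from the record above with the account ID replaced by 123456789012.

```python
"""Recover the security-group rule change hidden in a "Resources" history update.

Added example, not from the original post. In a finding-history record the
OldValue/NewValue of the Resources field are the whole ASFF Resources array
serialised as one JSON string, so the added or removed IpPermissions entries
have to be found by parsing both sides and comparing. OLD_VALUE and NEW_VALUE
are constructed from the record on the page with a placeholder account ID.
"""
import json

_SG = (
    '{"Partition":"aws","Region":"us-east-1","Type":"AwsEc2SecurityGroup",'
    '"Id":"arn:aws:ec2:us-east-1:123456789012:security-group/sg-069a1c7dd156c44ef",'
    '"Details":{"AwsEc2SecurityGroup":{"GroupName":"findings-history-test-sg",'
    '"OwnerId":"123456789012","VpcId":"vpc-0e0796981cea634c1","IpPermissions":[%s],'
    '"GroupId":"sg-069a1c7dd156c44ef"}}}'
)
_RDP = '{"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0"}],"FromPort":3389,"ToPort":3389}'
_SSH = '{"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0"}],"FromPort":22,"ToPort":22}'
OLD_VALUE = "[" + _SG % _RDP + "]"
NEW_VALUE = "[" + _SG % (_SSH + "," + _RDP) + "]"

# Ports EC2.19 treats as high risk, taken from the control description on the page.
HIGH_RISK_PORTS = {3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445,
                   135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def rule_set(resources_json):
    """Flatten every AwsEc2SecurityGroup permission in a serialised Resources
    array into hashable (direction, protocol, from_port, to_port, cidr) tuples."""
    rules = set()
    for res in json.loads(resources_json):
        sg = res.get("Details", {}).get("AwsEc2SecurityGroup", {})
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
                cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    rules.add((direction, perm.get("IpProtocol"),
                               perm.get("FromPort"), perm.get("ToPort"), cidr))
    return rules


def diff_rules(old_json, new_json):
    """Return (added, removed) rule lists between two serialised Resources values."""
    old, new = rule_set(old_json), rule_set(new_json)
    return sorted(new - old, key=repr), sorted(old - new, key=repr)


def world_open_high_risk(rules):
    """Ingress rules that would fail EC2.19: any-source and covering a high-risk port."""
    hits = []
    for direction, proto, lo, hi, cidr in rules:
        if direction != "ingress" or cidr not in ANY_SOURCE:
            continue
        if proto == "-1" or lo is None:  # all traffic / all ports
            hits.append((direction, proto, lo, hi, cidr))
        elif any(lo <= p <= hi for p in HIGH_RISK_PORTS):
            hits.append((direction, proto, lo, hi, cidr))
    return hits


def diff_record(record):
    """Apply diff_rules to every Resources change inside one history record."""
    return [diff_rules(u["OldValue"], u["NewValue"])
            for u in record.get("Updates", []) if u.get("UpdatedField") == "Resources"]


if __name__ == "__main__":
    added, removed = diff_rules(OLD_VALUE, NEW_VALUE)
    print("added:", added)
    print("removed:", removed)
    print("would fail EC2.19:", world_open_high_risk(added))
```

Because the comparison is on a set of flattened tuples, reordering of the IpPermissions array between the old and new value (as happens above, where the new rule is listed first) does not show up as a change.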

Changing the finding's workflow status to Notified

Next, let's see what happens when the finding's workflow status is changed to Notified.

Change the workflow status to Notified from the management console.

Changing to Notified

After the change, the History tab shows that the workflow status was changed to Notified.

History after changing to Notified

The AWS CLI history shows that a user who had assumed a role changed the workflow status from NEW to NOTIFIED. This time the UpdateSource Type is BATCH_UPDATE_FINDINGS, because the console change goes through the BatchUpdateFindings API, and Identity is the STS assumed-role ARN including the role session name, so the caller can be pinned down.

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:49:43.052Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_UPDATE_FINDINGS",
                "Identity": "arn:aws:sts::<AWSアカウントID>:assumed-role/<IAMロール名>/<IAMユーザー名>"
            },
            "Updates": [
                {
                    "UpdatedField": "Workflow.Status",
                    "OldValue": "NEW",
                    "NewValue": "NOTIFIED"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:45:05.108Z",
                    "NewValue": "2023-05-05T00:49:43.052Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:45:05.108Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-05-05T00:34:57.621Z",
                    "NewValue": "2023-05-05T00:45:02.356Z"
                },
                {
                    "UpdatedField": "ProductFields.aws/securityhub/annotation",
                    "OldValue": "Security group allows a port that is blocked.",
                    "NewValue": "Security group allows a port that is blocked..Security group allows a port that is blocked."
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-05-05T00:34:54.154Z",
                    "NewValue": "2023-05-05T00:44:56.344Z"
                },
                {
                    "UpdatedField": "Resources",
                    "OldValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]",
                    "NewValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":22,\"ToPort\":22},{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:34:59.353Z",
                    "NewValue": "2023-05-05T00:45:05.108Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:34:59.353Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}
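
As an added example (not code from the original post), here is the "who changed this finding?" question answered in code: it keeps only the changes made through BatchUpdateFindings, resolves the caller from the UpdateSource Identity ARN, drops the bookkeeping timestamps, and flags transitions that close a finding (RESOLVED or SUPPRESSED) for review, since those are the ones an operator most wants to attribute. SAMPLE_RECORDS is constructed from the output above; the account ID, role name SecOpsRole and session name alice are placeholders.

```python
"""Answer "who changed this finding?" from finding-history records.

Added example, not from the original post. It takes the Records list that
`aws securityhub get-finding-history` or boto3 returns and keeps only changes
made via BatchUpdateFindings (UpdateSource.Type BATCH_UPDATE_FINDINGS), which
is how the console, the CLI and automation change workflow status, severity,
notes and similar fields. SAMPLE_RECORDS is constructed from the page's output
with a placeholder account, role and session name.
"""
import re

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
IAM_USER = re.compile(r"^arn:aws:iam::(\d{12}):user/(.+)$")
BOOKKEEPING = {"ProcessedAt", "UpdatedAt", "LastObservedAt"}
CLOSING_STATUSES = {"RESOLVED", "SUPPRESSED"}

PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
OPERATOR = "arn:aws:sts::123456789012:assumed-role/SecOpsRole/alice"  # placeholder
SAMPLE_RECORDS = [
    {"UpdateTime": "2023-05-05T00:49:43.052Z", "FindingCreated": False,
     "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": OPERATOR},
     "Updates": [
         {"UpdatedField": "Workflow.Status", "OldValue": "NEW", "NewValue": "NOTIFIED"},
         {"UpdatedField": "ProcessedAt",
          "OldValue": "2023-05-05T00:45:05.108Z", "NewValue": "2023-05-05T00:49:43.052Z"}]},
    {"UpdateTime": "2023-05-05T00:34:59.353Z", "FindingCreated": "true",
     "UpdateSource": {"Type": "BATCH_IMPORT_FINDINGS", "Identity": PRODUCT_ARN},
     "Updates": []},
]


def describe_identity(arn):
    """Break an UpdateSource.Identity ARN down into who it actually was."""
    m = ASSUMED_ROLE.match(arn)
    if m:
        return {"kind": "assumed-role", "account": m.group(1),
                "role": m.group(2), "session": m.group(3)}
    m = IAM_USER.match(arn)
    if m:
        return {"kind": "iam-user", "account": m.group(1), "user": m.group(2)}
    if ":product/" in arn:
        return {"kind": "product", "product": arn.split(":product/", 1)[1]}
    return {"kind": "unknown", "arn": arn}


def human_changes(records):
    """Changes made via BatchUpdateFindings, oldest first, with the caller
    resolved and closing Workflow.Status transitions marked needs_review."""
    out = []
    for rec in sorted(records, key=lambda r: str(r["UpdateTime"])):
        src = rec["UpdateSource"]
        if src["Type"] != "BATCH_UPDATE_FINDINGS":
            continue  # automated re-import by the product, not a person
        who = describe_identity(src["Identity"])
        for upd in rec.get("Updates", []):
            field = upd["UpdatedField"]
            if field in BOOKKEEPING:
                continue
            out.append({
                "when": str(rec["UpdateTime"]),
                "who": who,
                "field": field,
                "old": upd.get("OldValue"),
                "new": upd.get("NewValue"),
                "needs_review": field == "Workflow.Status"
                                and upd.get("NewValue") in CLOSING_STATUSES,
            })
    return out


def format_change(change):
    """One audit-trail line per change."""
    who = change["who"]
    actor = {"assumed-role": "{role} (session {session})", "iam-user": "user {user}",
             "product": "product {product}"}.get(who["kind"], "{arn}").format(**who)
    flag = "  <-- review" if change["needs_review"] else ""
    return f'{change["when"]}  {actor}  {change["field"]}: {change["old"]} -> {change["new"]}{flag}'


if __name__ == "__main__":
    for change in human_changes(SAMPLE_RECORDS):
        print(format_change(change))
```

Because finding history is immutable and keeps the caller identity, a finding that was suppressed by a role session still points back to that session after the fact; combine the session name with the CloudTrail AssumeRole event if you need the underlying principal.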

Deleting the security group's inbound rules

Finally, let's see what happens when the security group's inbound rules are deleted.

Delete the inbound rules from the security group.

$ aws ec2 describe-security-group-rules \
    --filters Name=group-id,Values=sg-069a1c7dd156c44ef
{
    "SecurityGroupRules": []
}

Afterwards, the finding history in the management console shows that the finding was archived.

Security group rules deleted

The AWS CLI shows the same thing.

$ aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:55:42.749Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-05-05T00:45:02.356Z",
                    "NewValue": "2023-05-05T00:55:39.378Z"
                },
                {
                    "UpdatedField": "RecordState",
                    "OldValue": "ACTIVE",
                    "NewValue": "ARCHIVED"
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-05-05T00:44:56.344Z",
                    "NewValue": "2023-05-05T00:55:39.412Z"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:49:43.052Z",
                    "NewValue": "2023-05-05T00:55:42.749Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:49:43.052Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_UPDATE_FINDINGS",
                "Identity": "arn:aws:sts::<AWSアカウントID>:assumed-role/<IAMロール名>/<IAMユーザー名>"
            },
            "Updates": [
                {
                    "UpdatedField": "Workflow.Status",
                    "OldValue": "NEW",
                    "NewValue": "NOTIFIED"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:45:05.108Z",
                    "NewValue": "2023-05-05T00:49:43.052Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:45:05.108Z",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-05-05T00:34:57.621Z",
                    "NewValue": "2023-05-05T00:45:02.356Z"
                },
                {
                    "UpdatedField": "ProductFields.aws/securityhub/annotation",
                    "OldValue": "Security group allows a port that is blocked.",
                    "NewValue": "Security group allows a port that is blocked..Security group allows a port that is blocked."
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-05-05T00:34:54.154Z",
                    "NewValue": "2023-05-05T00:44:56.344Z"
                },
                {
                    "UpdatedField": "Resources",
                    "OldValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]",
                    "NewValue": "[{\"Partition\":\"aws\",\"Region\":\"us-east-1\",\"Type\":\"AwsEc2SecurityGroup\",\"Id\":\"arn:aws:ec2:us-east-1:<AWSアカウントID>:security-group/sg-069a1c7dd156c44ef\",\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupName\":\"findings-history-test-sg\",\"OwnerId\":\"<AWSアカウントID>\",\"VpcId\":\"vpc-0e0796981cea634c1\",\"IpPermissions\":[{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":22,\"ToPort\":22},{\"IpProtocol\":\"tcp\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}],\"FromPort\":3389,\"ToPort\":3389}],\"GroupId\":\"sg-069a1c7dd156c44ef\"}}}]"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-05-05T00:34:59.353Z",
                    "NewValue": "2023-05-05T00:45:05.108Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:<AWSアカウントID>:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bb4a3a94-a2e7-4195-8a36-6066da4b0f72",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-05T00:34:59.353Z",
            "FindingCreated": "true",
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

It is now easier to answer "who changed the status of this finding?"

I introduced the update that lets AWS Security Hub show the history of a finding.

Because the history of each finding can be viewed chronologically, operational questions like "who changed the status of this finding?" are now much easier to answer.

I hope this article helps someone.

That's all from Nonpi (@non____97), Consulting Department, AWS Business Division!