Migrating the AWS Security Hub security standard from CIS AWS Foundations Benchmark v1.2.0 to v1.4.0
CIS AWS Foundations Benchmark v1.4.0 was recently added to the security standards available in AWS Security Hub. In this post I take an environment that uses CIS AWS Foundations Benchmark v1.2.0, disable v1.2.0 and enable v1.4.0, using the script published by AWS Labs. The script can also disable the v1.4.0 controls that correspond to controls you have disabled in v1.2.0.
Release information for CIS AWS Foundations Benchmark v1.4.0 in Security Hub.
The update is also covered in the AWS blog.
The AWS Labs script used for migrating from CIS AWS Foundations Benchmark v1.2.0 to v1.4.0. It can also be used to enable v1.4.0 only.
Trying it out
Here is the test setup. It is a non-AWS Organizations environment, and the migration targets two accounts that are in an AWS Security Hub administrator/member relationship.
The AWS Security Hub settings of the two accounts are as follows. The same settings are applied in every region that is enabled by default.
- AWS Foundational Security Best Practices v1.0.0: Enabled
- CIS AWS Foundations Benchmark v1.2.0: Enabled
  - Disabled control IDs: 1.10, 1.11
- CIS AWS Foundations Benchmark v1.4.0: Disabled
Note that the disabled controls were chosen somewhat arbitrarily so that the migration behaviour could be checked: one control that has a corresponding v1.4.0 control and one that does not.
The security standards screen before the migration.
The screen listing the disabled controls.
The relationship between the disabled v1.2.0 controls and the v1.4.0 controls:

| v1.2.0 | v1.4.0 |
|---|---|
| 1.10 | 1.9 |
| 1.11 | (no counterpart) |
The mapping between v1.2.0 and v1.4.0 is documented in the following user guide page.
CIS AWS Foundations Benchmark v1.2.0 compared to v1.4.0 - AWS Security Hub
The migration script can, for each control disabled in v1.2.0 that has a corresponding v1.4.0 control, disable that control in v1.4.0 as well.
Preparation in each AWS account
I try the migration to CIS v1.4.0 against the two accounts. The script switches into an IAM role created in advance in each account and changes the settings there.
In what follows the account IDs have been replaced as shown:

- Administrator account: 111122223333
- Member account: 444455556666
README.md describes two execution environments:

- An EC2 instance
- A local machine

This post runs the script from a local environment.
A CloudFormation template that creates the IAM role used to change the AWS Security Hub settings is provided, so run the following template beforehand in every account that will be migrated.
Notes on the parameters used when deploying it:
- `AdministratorAccountId`: the administrator account, that is, the account that runs the script.
- `CreateInstanceRole`: select `Yes` when the script will run on an EC2 instance and you want the template to also create the IAM role attached to that instance. This post runs locally, so `No` is selected as the README describes.
The policy attached to the IAM role `ManageSecurityHubCIS` created by CloudFormation is as follows. It is limited to the Security Hub standards and controls APIs the script needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "securityhub:BatchEnableStandards",
        "securityhub:BatchDisableStandards",
        "securityhub:GetEnabledStandards",
        "securityhub:DescribeStandardsControls",
        "securityhub:UpdateStandardsControl"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
The trust policy is as follows. It trusts the administrator account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Running the script
The work is done from the administrator account.
Clone the repository in a local environment that has credentials for the administrator account.

```
% git clone https://github.com/awslabs/aws-securityhub-multiaccount-scripts.git
% cd aws-securityhub-multiaccount-scripts/cis14-enable
% ls
README.md	enable-cis-14.yaml	enablecis14.py	utils.py
```
Create a file listing the account IDs in which v1.4.0 should be enabled. This file is passed to the script as an argument.

```
111122223333
444455556666
```
The command used to run the script:

```
python3 enablecis14.py \
    --assume_role ManageSecurityHubCIS \
    --enabled_regions ap-south-1,eu-north-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,ca-central-1,sa-east-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2 \
    --map_cis12_disabled_controls Yes \
    --disable_cis12 Yes \
    --input_file accounts.txt
```
The arguments are described in README.md:

- `assume_role`: the name of the trusted IAM role created in each target account. The role created by the CloudFormation template is `ManageSecurityHubCIS`.
- `enabled_regions`: the regions to work on, comma-separated.
- `map_cis12_disabled_controls`: when set to `Yes`, disables the v1.4.0 controls that correspond to controls disabled in v1.2.0.
- `disable_cis12`: when set to `Yes`, disables v1.2.0.
- `input_file`: the file containing the account IDs to work on.
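To make the control-mapping step and the `map_cis12_disabled_controls` option concrete, here is an added Python example. It is my own code, not the AWS Labs `enablecis14.py`, and it reproduces the decision the script's output shows: collect the v1.2.0 controls whose status is DISABLED, look each one up in the v1.2.0-to-v1.4.0 table, and disable the v1.4.0 counterpart only where one exists. The mapping table is limited to the two entries used in this post (1.10 to 1.9, 1.11 to nothing); the input lists, account ID and region are constructed, and the control ARN format is an assumption derived from the subscription ARN used later in this post. The boto3 calls the real script makes are left out so the example runs offline.

```python
"""Plan which CIS v1.4.0 controls to disable, based on disabled v1.2.0 controls.

Added example; not the AWS Labs enablecis14.py. The input lists use the
shape of DescribeStandardsControls responses (ControlId / ControlStatus).
"""
from dataclasses import dataclass, field

# Subset of the v1.2.0 -> v1.4.0 table from the Security Hub user guide.
# Only the two entries exercised in this post are included (assumption: a
# real run would carry the full table). None means "no v1.4.0 counterpart".
CIS12_TO_CIS14 = {
    "1.10": "1.9",
    "1.11": None,
}


@dataclass
class MigrationPlan:
    disable_in_14: list = field(default_factory=list)  # (v1.2.0 id, v1.4.0 id) pairs
    unmapped: list = field(default_factory=list)       # v1.2.0 ids with no counterpart
    missing_in_14: list = field(default_factory=list)  # mapped, but absent from v1.4.0 list


def disabled_control_ids(controls):
    """ControlIds whose ControlStatus is DISABLED."""
    return [c["ControlId"] for c in controls if c.get("ControlStatus") == "DISABLED"]


def plan_migration(cis12_controls, cis14_controls, mapping=CIS12_TO_CIS14):
    """Decide, per disabled v1.2.0 control, what to do in v1.4.0."""
    plan = MigrationPlan()
    available_14 = {c["ControlId"] for c in cis14_controls}
    for cid in disabled_control_ids(cis12_controls):
        target = mapping.get(cid)
        if target is None:
            plan.unmapped.append(cid)          # the script's "does not map" branch
        elif target not in available_14:
            plan.missing_in_14.append(target)  # defensive: table and account disagree
        else:
            plan.disable_in_14.append((cid, target))
    return plan


def update_control_request(region, account_id, source_id, target_id):
    """Parameters for securityhub:UpdateStandardsControl (an action the IAM policy allows).

    The control ARN format is an assumption: the subscription ARN used in this
    post with 'subscription' replaced by 'control' and the ControlId appended.
    """
    arn = (f"arn:aws:securityhub:{region}:{account_id}:control/"
           f"cis-aws-foundations-benchmark/v/1.4.0/{target_id}")
    return {
        "StandardsControlArn": arn,
        "ControlStatus": "DISABLED",
        "DisabledReason": f"Consistent with disabled CIS v1.2.0 control {source_id}",
    }


# Constructed sample input: v1.2.0 with 1.10 and 1.11 disabled, v1.4.0 untouched.
SAMPLE_CIS12 = [
    {"ControlId": "1.9", "ControlStatus": "ENABLED"},
    {"ControlId": "1.10", "ControlStatus": "DISABLED"},
    {"ControlId": "1.11", "ControlStatus": "DISABLED"},
]
SAMPLE_CIS14 = [
    {"ControlId": "1.8", "ControlStatus": "ENABLED"},
    {"ControlId": "1.9", "ControlStatus": "ENABLED"},
]

if __name__ == "__main__":
    plan = plan_migration(SAMPLE_CIS12, SAMPLE_CIS14)
    for src, dst in plan.disable_in_14:
        print(update_control_request("ap-south-1", "111122223333", src, dst))
    print("no v1.4.0 counterpart:", plan.unmapped)
```

Running it yields one `UpdateStandardsControl` request (for 1.9, sourced from 1.10) and reports 1.11 as having no counterpart, which is exactly the pattern visible in the script output below. Keeping the "mapped but absent" case separate is worth it in practice: the mapping table and the controls actually present in an account can drift apart when AWS updates a standard, and silently skipping such a control would leave it enabled without anyone noticing.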
The result. Only the output for one account is shown.
```
% python3 enablecis14.py \
    --assume_role ManageSecurityHubCIS \
    --enabled_regions ap-south-1,eu-north-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,ca-central-1,sa-east-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2 \
    --map_cis12_disabled_controls Yes \
    --disable_cis12 Yes \
    --input_file accounts.txt
Enabling members in these regions: ['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
***********Account Loop***************
Assumed session for 111122223333.
-----------Region Loop--------------
Beginning 111122223333 in ap-south-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-south-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-south-1
-----------Region Loop--------------
Beginning 111122223333 in eu-north-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-north-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-north-1
-----------Region Loop--------------
Beginning 111122223333 in eu-west-3
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-3
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-3
-----------Region Loop--------------
Beginning 111122223333 in eu-west-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-2
-----------Region Loop--------------
Beginning 111122223333 in eu-west-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-1
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-3
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-3
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-3
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-2
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-1
-----------Region Loop--------------
Beginning 111122223333 in ca-central-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ca-central-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ca-central-1
-----------Region Loop--------------
Beginning 111122223333 in sa-east-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region sa-east-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region sa-east-1
-----------Region Loop--------------
Beginning 111122223333 in ap-southeast-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-southeast-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-southeast-1
-----------Region Loop--------------
Beginning 111122223333 in ap-southeast-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-southeast-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-southeast-2
-----------Region Loop--------------
Beginning 111122223333 in eu-central-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-central-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-central-1
-----------Region Loop--------------
Beginning 111122223333 in us-east-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-east-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-east-1
-----------Region Loop--------------
Beginning 111122223333 in us-east-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-east-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-east-2
-----------Region Loop--------------
Beginning 111122223333 in us-west-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-west-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-west-1
-----------Region Loop--------------
Beginning 111122223333 in us-west-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-west-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes. Proceeding with map of disabled controls.
CIS 1.2 is Enabled. Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control. Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-west-2
```
The output shows that, for each control disabled in v1.2.0, the script checks whether a corresponding v1.4.0 control exists before deciding what to do.
The security standards screen immediately after the script ran. v1.2.0 is disabled and v1.4.0 is enabled.
Control 1.9, which corresponds to 1.10 disabled in v1.2.0, has been disabled. The disable reason states that it was done for consistency with the control disabled in v1.2.0.
The screen checked 24 hours after the script ran. The disabled count now shows 1.
Next I check, with the AWS CLI, which security standards are enabled in each region of one account.
The command:

```
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
    echo "##### ${region}"
    aws --region ${region} securityhub get-enabled-standards --query "StandardsSubscriptions[].{StandardsArn: StandardsArn, StandardsStatus: StandardsStatus}"
done
```
The result. v1.2.0 is no longer enabled and v1.4.0 is enabled in every region.
```
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text | while read region; do echo "##### ${region}"; aws --region ${region} securityhub get-enabled-standards --query "StandardsSubscriptions[].{StandardsArn: StandardsArn, StandardsStatus: StandardsStatus}"; done
##### ap-south-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-south-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-south-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-north-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-north-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-north-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-3
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-3::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-3::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-2
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-3
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-3::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-3::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-2
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ca-central-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ca-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ca-central-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### sa-east-1
[
    {
        "StandardsArn": "arn:aws:securityhub:sa-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:sa-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-southeast-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-southeast-2
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-central-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-east-1
[
    {
        "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-east-2
[
    {
        "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-west-1
[
    {
        "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-west-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-west-2
[
    {
        "StandardsArn": "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
```
Next I list the controls that are disabled in v1.4.0. The `--query` option is used to print the `ControlId` of every control whose `ControlStatus` is `DISABLED`.
The command:

```
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
    echo "##### ${region}"
    aws --region ${region} securityhub describe-standards-controls --standards-subscription-arn "arn:aws:securityhub:${region}:111122223333:subscription/cis-aws-foundations-benchmark/v/1.4.0" --query "Controls[?ControlStatus=='DISABLED'].{ControlId: ControlId}"
done
```
The result. As intended, 1.9 is disabled in every region.
```
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text | while read region; do echo "##### ${region}"; aws --region ${region} securityhub describe-standards-controls --standards-subscription-arn "arn:aws:securityhub:${region}:111122223333:subscription/cis-aws-foundations-benchmark/v/1.4.0" --query "Controls[?ControlStatus=='DISABLED'].{ControlId: ControlId}"; done
##### ap-south-1
[
    {
        "ControlId": "1.9"
    }
]
##### eu-north-1
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-3
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-2
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-3
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-2
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-1
[
    {
        "ControlId": "1.9"
    }
]
##### ca-central-1
[
    {
        "ControlId": "1.9"
    }
]
##### sa-east-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-southeast-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-southeast-2
[
    {
        "ControlId": "1.9"
    }
]
##### eu-central-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-east-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-east-2
[
    {
        "ControlId": "1.9"
    }
]
##### us-west-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-west-2
[
    {
        "ControlId": "1.9"
    }
]
```
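Reading 17 regions' worth of JSON by eye is where a mistake slips through, so here is an added Python example (my own code, not part of the original post or the AWS Labs repository) that turns the two verification steps above into an automatic check. It parses the `get-enabled-standards` and filtered `describe-standards-controls` output shapes shown above and reports, per region, whether CIS v1.2.0 is still subscribed, whether CIS v1.4.0 is in `READY` state, and whether the set of disabled v1.4.0 controls is exactly the set you intended. The sample JSON is constructed: one region that migrated correctly and one that did not.

```python
"""Check the post-migration Security Hub state from AWS CLI JSON output.

Added example; not part of the original post. It consumes the two output
shapes shown above: get-enabled-standards (StandardsArn/StandardsStatus per
region) and describe-standards-controls filtered to disabled ControlIds.
All sample data below is constructed.
"""
import json

CIS12_SUFFIX = "standards/cis-aws-foundations-benchmark/v/1.2.0"
CIS14_SUFFIX = "standards/cis-aws-foundations-benchmark/v/1.4.0"


def check_enabled_standards(region, subscriptions):
    """Problems found in one region's get-enabled-standards output (empty list = OK)."""
    problems = []
    status_by_arn = {s["StandardsArn"]: s["StandardsStatus"] for s in subscriptions}
    if any(arn.endswith(CIS12_SUFFIX) for arn in status_by_arn):
        problems.append(f"{region}: CIS v1.2.0 is still subscribed")
    cis14 = [st for arn, st in status_by_arn.items() if arn.endswith(CIS14_SUFFIX)]
    if not cis14:
        problems.append(f"{region}: CIS v1.4.0 is not enabled")
    elif cis14[0] != "READY":
        problems.append(f"{region}: CIS v1.4.0 status is {cis14[0]}, expected READY")
    return problems


def check_disabled_controls(region, disabled_entries, expected):
    """Compare the disabled v1.4.0 ControlIds with the set we intended to disable."""
    actual = {e["ControlId"] for e in disabled_entries}
    expected = set(expected)
    problems = []
    for cid in sorted(expected - actual):
        problems.append(f"{region}: control {cid} should be disabled but is not")
    for cid in sorted(actual - expected):
        problems.append(f"{region}: control {cid} is disabled unexpectedly")
    return problems


def verify_regions(enabled_json_by_region, disabled_json_by_region, expected_disabled):
    """Run both checks over every region; returns the combined problem list."""
    problems = []
    for region, raw in enabled_json_by_region.items():
        problems += check_enabled_standards(region, json.loads(raw))
        problems += check_disabled_controls(
            region, json.loads(disabled_json_by_region.get(region, "[]")), expected_disabled)
    return problems


# Constructed samples: ap-south-1 migrated correctly, us-east-1 not yet migrated.
ENABLED_SAMPLE = {
    "ap-south-1": json.dumps([
        {"StandardsArn": "arn:aws:securityhub:ap-south-1::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsStatus": "READY"},
        {"StandardsArn": "arn:aws:securityhub:ap-south-1::standards/cis-aws-foundations-benchmark/v/1.4.0", "StandardsStatus": "READY"},
    ]),
    "us-east-1": json.dumps([
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.2.0", "StandardsStatus": "READY"},
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0", "StandardsStatus": "PENDING"},
    ]),
}
DISABLED_SAMPLE = {
    "ap-south-1": json.dumps([{"ControlId": "1.9"}]),
    "us-east-1": json.dumps([]),
}

if __name__ == "__main__":
    for problem in verify_regions(ENABLED_SAMPLE, DISABLED_SAMPLE, {"1.9"}):
        print(problem)
```

In real use you would feed it the per-region output captured from the two loops above (one JSON document per region) and treat a non-empty problem list as a failed migration. Checking for unexpectedly disabled controls, not just missing ones, matters because a control disabled by mistake is a silent coverage gap that the Security Hub summary count alone will not reveal.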
That completes the migration.
Cleanup
Once the configuration changes have been confirmed, delete the CloudFormation stack deployed in each account.
Conclusion
AWS Labs published a script that migrates the AWS Security Hub security standard from CIS AWS Foundations Benchmark v1.2.0 to v1.4.0, so I tried it out. It can change multiple accounts at once, and disabling the v1.4.0 controls that correspond to controls disabled in v1.2.0 was easy as well.
The approach of running AWS CLI commands against each region was borrowed from the following blog post.
I hope this post is useful to someone.