AWS Security Hubのセキュリティ基準をCIS AWS Foundations Benchmark v1.2.0からv1.4.0に移行してみる

AWS Security Hubのセキュリティ基準をCIS AWS Foundations Benchmark v1.2.0からv1.4.0に移行してみる

Clock Icon2022.11.21

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

先日、AWS Security Hub のセキュリティ基準に CIS AWS Foundations Benchmark v1.4.0 が追加されました。今回は、CIS AWS Foundations Benchmark v1.2.0 を利用している環境において、v1.2.0 を無効化して v1.4.0 を有効化する作業を AWS Labs で公開されている スクリプト を用いて実施してみます。このスクリプトでは v1.2.0 で無効化しているコントロールに対応する v1.4.0 のコントロールを無効化することもできます。


CIS AWS Foundations Benchmark v1.4.0 のアップデート情報です。

AWS Security Hub が Center for Internet Security (CIS) の AWS Foundations Benchmark バージョン 1.4.0 のサポートを開始

ブログでもアップデートが紹介されています。

CIS AWS Foundations Benchmark v1.2.0 から v1.4.0 の移行に利用できるスクリプトです。v1.4.0 の有効化のみもできます。

aws-securityhub-multiaccount-scripts/cis14-enable at master · awslabs/aws-securityhub-multiaccount-scripts

試してみた

今回の検証構成です。非 AWS Organizations 環境であり、AWS Security Hub の管理者アカウントとメンバーアカウントの関係にある 2 つのアカウントを対象に移行してみます。

2 つのアカウントの AWS Security Hub の設定です。デフォルトで有効化されている全てのリージョンで同じ設定をしています。

  • AWS 基礎セキュリティのベストプラクティス v1.0.0 有効
  • CIS AWS Foundations Benchmark v1.2.0 有効
    • 無効化しているコントロール ID 1.10 1.11
  • CIS AWS Foundations Benchmark v1.4.0 無効

なお、無効化しているコントロールは移行の動作を確認するために、v1.4.0 に対応するコントロールがある項目とない項目を適当に選択したものですので、ご注意ください。

移行前のセキュリティ基準画面です。

無効化しているコントロールの確認画面です。

無効化しているコントロールと v1.4.0 のコントロールとの対応です。

v1.2.0 v1.4.0
1.10 1.9
1.11 (対応なし)

v1.2.0 と v1.4.0 の関係は次のユーザーガイドで確認できます。

CIS AWS Foundations Benchmark v1.2.0 compared to v1.4.0 - AWS Security Hub

移行に利用するスクリプトでは、v1.2.0 で無効化しているコントロールに対応する v1.4.0 がある場合に、v1.4.0 でも無効化する機能があります。


各AWSアカウントでの事前準備

2 つのアカウントを対象に CIS v1.4.0 への移行を試してみます。スクリプトは、各アカウントで事前作成した IAM ロールにスイッチロールして設定を変更します。

以降では次の通りアカウント ID を置換しています。

  • 管理者アカウント 111122223333
  • メンバーアカウント 444455556666

README.md に記載されている実行環境には次の 2 つがあります。

  • EC2 インスタンス
  • ローカル

今回はローカル環境で実行します。


AWS Security Hub の設定変更の役割を担う IAM ロールを作成する CloudFormation テンプレートが提供されているため、事前に作業対象の全てのアカウントで次のテンプレートを実行します。

aws-securityhub-multiaccount-scripts/enable-cis-14.yaml at master · awslabs/aws-securityhub-multiaccount-scripts

実行時のパラメータに関する補足説明です。

  • AdministratorAccountIdパラメータは、管理者アカウント(スクリプトを実行するアカウント)を指定します
  • CreateInstanceRoleパラメータは、EC2 インスタンスを実行環境とする場合に、EC2 インスタンスにアタッチする IAM ロールを作成する場合にYesを選択します。今回はローカル環境なので、説明通りNoを選択します

CloudFormation で作成される IAM ロールManageSecurityHubCISに付与されているポリシーは次の通りです。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "securityhub:BatchEnableStandards",
                "securityhub:BatchDisableStandards",
                "securityhub:GetEnabledStandards",
                "securityhub:DescribeStandardsControls",
                "securityhub:UpdateStandardsControl"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

信頼ポリシーは次の通りです。管理者アカウントを信頼しています。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


スクリプトの実行

管理者アカウントで作業します。

管理者アカウントに対する権限を持つローカル環境で git clone して進めます。

% git clone https://github.com/awslabs/aws-securityhub-multiaccount-scripts.git
% cd aws-securityhub-multiaccount-scripts/cis14-enable
% ls
README.md		enable-cis-14.yaml	enablecis14.py		utils.py

v1.4.0 を有効化するアカウント ID を記載するファイルを作成します。スクリプト実行時にこのファイルを引数として渡すことになります。

111122223333
444455556666

スクリプトを実行するコマンドです。

python3 enablecis14.py \
  --assume_role ManageSecurityHubCIS \
  --enabled_regions ap-south-1,eu-north-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,ca-central-1,sa-east-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2 \
  --map_cis12_disabled_controls Yes \
  --disable_cis12 Yes \
  --input_file accounts.txt

実行コマンドの説明は README.md に記載されています。

  • assume_roleでは作業対象アカウントに作成した信頼関係のある IAM ロール名を指定します
    • CloudFormation で作成される IAM ロール名はManageSecurityHubCISです
  • enabled_regionsは作業対象とするリージョンをカンマ区切りで指定します
  • map_cis12_disabled_controlsYesにすると、v1.2.0 で無効化しているコントロールに対応する v1.4.0 のコントロールを無効化します
  • disable_cis12Yesにすると、v1.2.0 を無効化します
  • input_fileでは作業対象のアカウント ID を記載したファイルを指定します

実行結果です。1 アカウント分の出力のみ記載しています。

% python3 enablecis14.py \
% python3 enablecis14.py \
  --assume_role ManageSecurityHubCIS \
  --enabled_regions ap-south-1,eu-north-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,ca-central-1,sa-east-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2 \
  --map_cis12_disabled_controls Yes \
  --disable_cis12 Yes \
  --input_file accounts.txt
Enabling members in these regions: ['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
***********Account Loop***************
Assumed session for 111122223333.
-----------Region Loop--------------
Beginning 111122223333 in ap-south-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-south-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-south-1
-----------Region Loop--------------
Beginning 111122223333 in eu-north-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-north-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-north-1
-----------Region Loop--------------
Beginning 111122223333 in eu-west-3
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-3
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-3
-----------Region Loop--------------
Beginning 111122223333 in eu-west-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-2
-----------Region Loop--------------
Beginning 111122223333 in eu-west-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-west-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-west-1
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-3
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-3
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-3
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-2
-----------Region Loop--------------
Beginning 111122223333 in ap-northeast-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-northeast-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-northeast-1
-----------Region Loop--------------
Beginning 111122223333 in ca-central-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ca-central-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ca-central-1
-----------Region Loop--------------
Beginning 111122223333 in sa-east-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region sa-east-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region sa-east-1
-----------Region Loop--------------
Beginning 111122223333 in ap-southeast-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-southeast-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-southeast-1
-----------Region Loop--------------
Beginning 111122223333 in ap-southeast-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region ap-southeast-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region ap-southeast-2
-----------Region Loop--------------
Beginning 111122223333 in eu-central-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region eu-central-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region eu-central-1
-----------Region Loop--------------
Beginning 111122223333 in us-east-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-east-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-east-1
-----------Region Loop--------------
Beginning 111122223333 in us-east-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-east-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-east-2
-----------Region Loop--------------
Beginning 111122223333 in us-west-1
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-west-1
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-west-1
-----------Region Loop--------------
Beginning 111122223333 in us-west-2
Enabling CIS 1.4
Verifying the standard is enabled
Finished enabling standard CIS 1.4 on account 111122223333 for region us-west-2
-----------Map disabled controls loop-----------
Map disabled controls parameter is Yes.  Proceeding with map of disabled controls.
CIS 1.2 is Enabled.  Proceeding with disabled control mapping.
Checking for any disabled 1.2 controls
--Disabled 1.2 control: CIS.1.10
Mapped 1.4 control: CIS.1.9
Disabling the CIS 1.4 control
--Disabled 1.2 control: CIS.1.11
Disabled 1.2 control does not map to a 1.4 control.  Not disabling in 1.4
--------Disable CIS 1.2 step--------
Disabling CIS 1.2
Finished disabling CIS 1.2 on account 111122223333 for region us-west-2

出力結果より、v1.2.0 で無効化しているコントロールに対して、対応するコントロールがあるのかのチェックが行われていることが分かります。

スクリプト実行直後のセキュリティ基準画面です。v1.20 が無効化されており、v1.4.0 が有効化されています。

v1.2.0 で無効化していた1.10に対応する1.9が無効化されています。無効にする理由には v1.2.0 で無効化されていたことに対する整合性を取るためとの記載となっています。

スクリプト実行の 24 時間後に確認した画面です。無効のカウントが1になっています。

1 つのアカウントの各リージョンで有効化されているセキュリティ基準を AWS CLI で確認してみます。

実行コマンドです。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### ${region}"
aws --region ${region} securityhub get-enabled-standards --query "StandardsSubscriptions[].{StandardsArn: StandardsArn, StandardsStatus: StandardsStatus}"
done

実行結果です。v1.20 は有効化されておらず、v1.4.0 が有効化されていることが分かります。

$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text | while read region; do echo "##### ${region}"; aws --region ${region} securityhub get-enabled-standards --query "StandardsSubscriptions[].{StandardsArn: StandardsArn, StandardsStatus: StandardsStatus}"; done
##### ap-south-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-south-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-south-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-north-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-north-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-north-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-3
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-3::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-3::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-2
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-west-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-3
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-3::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-3::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-2
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-northeast-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-northeast-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ca-central-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ca-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ca-central-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### sa-east-1
[
    {
        "StandardsArn": "arn:aws:securityhub:sa-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:sa-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-southeast-1
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### ap-southeast-2
[
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:ap-southeast-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### eu-central-1
[
    {
        "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-east-1
[
    {
        "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-east-2
[
    {
        "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-west-1
[
    {
        "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-west-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]
##### us-west-2
[
    {
        "StandardsArn": "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0",
        "StandardsStatus": "READY"
    },
    {
        "StandardsArn": "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
        "StandardsStatus": "READY"
    }
]

次に、v1.4.0 で無効化されているコントロール一覧を確認します。queryオプションを利用してControlStatusDISABLEDであるコントロールのControlIdを表示します。

実行コマンドです。

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "##### ${region}"
aws --region ${region} securityhub describe-standards-controls --standards-subscription-arn "arn:aws:securityhub:${region}:111122223333:subscription/cis-aws-foundations-benchmark/v/1.4.0" --query "Controls[?ControlStatus=='DISABLED'].{ControlId: ControlId}"
done

実行結果です。全てのリージョンで意図通り、1.9が無効化されています。

$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text | while read region; do echo "##### ${region}"; aws --region ${region} securityhub get-enabled-standards --query "StandardsSubscriptions[].{StandardsArn: StandardsArn, StandardsStatus: StandardsStatus}"; done
##### ap-south-1
[
    {
        "ControlId": "1.9"
    }
]
##### eu-north-1
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-3
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-2
[
    {
        "ControlId": "1.9"
    }
]
##### eu-west-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-3
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-2
[
    {
        "ControlId": "1.9"
    }
]
##### ap-northeast-1
[
    {
        "ControlId": "1.9"
    }
]
##### ca-central-1
[
    {
        "ControlId": "1.9"
    }
]
##### sa-east-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-southeast-1
[
    {
        "ControlId": "1.9"
    }
]
##### ap-southeast-2
[
    {
        "ControlId": "1.9"
    }
]
##### eu-central-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-east-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-east-2
[
    {
        "ControlId": "1.9"
    }
]
##### us-west-1
[
    {
        "ControlId": "1.9"
    }
]
##### us-west-2
[
    {
        "ControlId": "1.9"
    }
]

以上で終了です。


後始末

設定変更が確認できた後は、各アカウントで展開した CloudFormation を削除しておきます。

さいごに

AWS Labs において、AWS Secruity Hub のセキュリティ基準を CIS AWS Foundations Benchmark v1.2.0 から v1.4.0 から移行するスクリプトが公開されていたため試してみました。複数アカウントを一度に変更でき、v1.2.0 で無効化しているコントロールに対応する v1.4.0 のコントロールを無効化することも容易にできました。

各リージョンに対して AWS CLI のコマンドを実行する方法は次のブログを参考にしました。

以上、このブログがどなたかのご参考になれば幸いです。

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.