[Update] A new service? AWS Control Catalog has appeared

2024.04.14

Shibata here.

There is no official announcement from AWS yet, but something that looks like a new service, "AWS Control Catalog", has appeared.
According to the AWS API Changes history, it was added on April 8, 2024.

What kind of service is it?

There has been no announcement, but the documentation had already been updated.

According to it,

The Control Catalog is a part of AWS Control Tower, which lists controls for several AWS services. It is a consolidated catalog of AWS controls.

so it is part of Control Tower and provides a catalog function for controls.
Also,

You do not need to set up AWS Control Tower to use the Control Catalog.

so, as stated, it can be used even in environments where Control Tower has not been set up.

It appears to be different from the controls library

Control Tower has a feature called the "Controls library" that lists each control, but this AWS Control Catalog appears to be something different.

The controls library is a collection of the individual controls actually used by Control Tower, whereas AWS Control Catalog has no linkage to individual controls and its content is more abstract.
(The information returned by AWS Control Catalog also does not match the controls library.)

Is it a new service?

Although the documentation describes it as "part of Control Tower", the AWS API Changes history shows that the implementation has been given its own namespace (controlcatalog).
It also has a dedicated endpoint (controlcatalog.<region-name>.amazonaws.com), so there is no problem treating it as a new service.

Incidentally, a VPC endpoint (PrivateLink) is already provided as well.

REST API

As of today, the following three actions are exposed in the API.

  • ListCommonControls
  • ListDomains
  • ListObjectives

Details follow below, but you can retrieve three kinds of information that form the hierarchy "Domain → Objective → CommonControl".
Each of them carries only the following basic information:

  • Arn
  • Name
  • Description

so at present you cannot do anything beyond "reading text".

Trying it out

From here on I will try it out briefly.
I will use my test AWS account, which does not have Control Tower set up.

The available regions were not documented, but when I tried the Tokyo region it worked.
The Osaka and Seoul regions returned an error saying there is no endpoint, so availability seems to be managed separately from the regions that support Control Tower.

The AWS CLI supports it from v2.15.37 and v1.32.80.

As of today the AWS CLI in CloudShell happened to be exactly v2.15.37, so I will verify the behaviour in CloudShell in the Tokyo region.

1. aws controlcatalog list-domains

First, the aws controlcatalog list-domains command returns the list of Domains.
The result looks like this.

# Retrieve only Name, Description, and Arn
$ aws controlcatalog list-domains --query 'Domains[].{Name:Name, Description:Description, Arn:Arn}'
[
    {
        "Name": "Asset management",
        "Description": "This control domain focuses on asset management and the systematic tracking and maintenance of physical or digital assets throughout their lifecycle, including acquisition, utilization, and disposal. This reduces risks related to accidents, malfunctions, and other issues that may cause damage to property or harm to people.",
        "Arn": "arn:aws:controlcatalog:::domain/d4msesd9vvmzmmuvlv06m92uq"
    },
    {
        "Name": "Business continuity and recovery",
        "Description": "This control domain focuses on planning and preparation of procedures and resources to ensure the continued operation of critical business functions in the event of a disruption, and to facilitate the recovery of normal operations afterwards.",
        "Arn": "arn:aws:controlcatalog:::domain/33mjpzadrlwo1by3c1012ai5i"
    },
    {
        "Name": "Data protection",
        "Description": "This control domain focuses on data protection measures and practices used to safeguard information, including confidentiality, integrity, and availability, while ensuring compliance with applicable laws and regulations governing data handling, cryptography, and encryption key management. This supports an organization's ability to safeguard important information from corruption, compromise, or loss.",
        "Arn": "arn:aws:controlcatalog:::domain/884eyhr622uy73h6i1mjb9lfb"
    },
    {
        "Name": "Identity and access management",
        "Description": "This control domain focuses on identity and access management (IAM) policies and technologies used to control and manage access to digital resources, systems, and data based on the identity and roles of users and devices.",
        "Arn": "arn:aws:controlcatalog:::domain/avh1ncrx6oyndrbsv0rfywvat"
    },
    {
        "Name": "Incident management",
        "Description": "This control domain focuses on incident management processes including, identifying, analyzing, and resolving security incidents, to restore normal operations quickly and reduce the risk of adverse impact to business operations.",
        "Arn": "arn:aws:controlcatalog:::domain/acslzu9jr992jv4hjejegjnf0"
    },
    {
        "Name": "Legal",
        "Description": "This control domain focuses on legal matters encompassing practices, systems, or actions that are in accordance with established laws and regulations.",
        "Arn": "arn:aws:controlcatalog:::domain/1yz9ep0ymkt1vufn0y3kyyhzv"
    },
    {
        "Name": "Log monitoring and accountability",
        "Description": "This control domain focuses on the organization's ability to maintain complete and accurate audit and security log records to reduce the risk of fraud, unauthorized access and modification of data, and data loss, theft, or misuse. This involves establishing logging criteria and thresholds, maintaining logs in accordance with data backup and retention policies and procedures, integrating monitoring processes with the organization's incident response function, and securely purging audit and log records at the end of their lifecycle.",
        "Arn": "arn:aws:controlcatalog:::domain/996b3qixyfm57kat9vwwu8hy1"
    },
    {
        "Name": "Network security",
        "Description": "This control domain focuses on the practices and technologies used to protect computer networks from unauthorized access, attacks, and data breaches, while ensuring confidentiality, integrity, and availability of network resources.",
        "Arn": "arn:aws:controlcatalog:::domain/2oc9yao2szxsquya737481hw9"
    },
    {
        "Name": "Physical security",
        "Description": "This control domain focuses on physical security measures and practices used to protect physical assets, such as buildings and equipment, from unauthorized access, theft, damage, or interference.",
        "Arn": "arn:aws:controlcatalog:::domain/bn9ck1b74fp4b4wdysq0fanpc"
    },
    {
        "Name": "Risk management and security assessments",
        "Description": "This control domain focuses on managing IT risks, vulnerability management, and security testing programs for identifying, prioritizing, and addressing security threats and vulnerabilities in systems, applications, and networks. This involves conducting different types of security assessments and monitoring of the organization's infrastructure and software to identify risks, threats, and vulnerabilities to reduce the risk of attacks and exploitation by malicious actors.",
        "Arn": "arn:aws:controlcatalog:::domain/70qzkmyi2s3oxheokg6jqqiy7"
    },
    {
        "Name": "Secure development lifecycle and change management",
        "Description": "This control domain focuses on system and software development, change, and configuration management processes used to plan, design, develop, test, implement, and maintain software and systems, while ensuring that changes are managed effectively and do not negatively impact environment stability or security.",
        "Arn": "arn:aws:controlcatalog:::domain/eyrstdrz8kmo28x5j8vgal6au"
    },
    {
        "Name": "Security strategy, governance, and compliance",
        "Description": "This control domain focuses on security strategies and program management, including development and maintenance of security governance policies, security awareness and training programs, and acceptable use policies. It also includes compliance program management ensuring that organizations comply with relevant regulations and industry standards.",
        "Arn": "arn:aws:controlcatalog:::domain/bqimrxnye01kph8z4lvy0ndp8"
    },
    {
        "Name": "Vendor and supply chain management",
        "Description": "This control domain focuses on processes for identifying, assessing, and managing risks associated with third-party entities, including vendors, suppliers, and service providers, that provide goods or services to an organization. It involves establishing criteria for vendor selection, monitoring vendor performance, and mitigating potential vendor-associated risks.",
        "Arn": "arn:aws:controlcatalog:::domain/22ctir35fm1yojdh1sr4iucq7"
    }
]

At present there were 13 Domains.
Laid out as a table for readability, it looks like this.

Domain | Description
--- | ---
Asset management | This control domain focuses on asset management and the systematic tracking and maintenance of physical or digital assets throughout their lifecycle, including acquisition, utilization, and disposal. This reduces risks related to accidents, malfunctions, and other issues that may cause damage to property or harm to people.
Business continuity and recovery | This control domain focuses on planning and preparation of procedures and resources to ensure the continued operation of critical business functions in the event of a disruption, and to facilitate the recovery of normal operations afterwards.
Data protection | This control domain focuses on data protection measures and practices used to safeguard information, including confidentiality, integrity, and availability, while ensuring compliance with applicable laws and regulations governing data handling, cryptography, and encryption key management. This supports an organization's ability to safeguard important information from corruption, compromise, or loss.
Identity and access management | This control domain focuses on identity and access management (IAM) policies and technologies used to control and manage access to digital resources, systems, and data based on the identity and roles of users and devices.
Incident management | This control domain focuses on incident management processes including, identifying, analyzing, and resolving security incidents, to restore normal operations quickly and reduce the risk of adverse impact to business operations.
Legal | This control domain focuses on legal matters encompassing practices, systems, or actions that are in accordance with established laws and regulations.
Log monitoring and accountability | This control domain focuses on the organization's ability to maintain complete and accurate audit and security log records to reduce the risk of fraud, unauthorized access and modification of data, and data loss, theft, or misuse. This involves establishing logging criteria and thresholds, maintaining logs in accordance with data backup and retention policies and procedures, integrating monitoring processes with the organization's incident response function, and securely purging audit and log records at the end of their lifecycle.
Network security | This control domain focuses on the practices and technologies used to protect computer networks from unauthorized access, attacks, and data breaches, while ensuring confidentiality, integrity, and availability of network resources.
Physical security | This control domain focuses on physical security measures and practices used to protect physical assets, such as buildings and equipment, from unauthorized access, theft, damage, or interference.
Risk management and security assessments | This control domain focuses on managing IT risks, vulnerability management, and security testing programs for identifying, prioritizing, and addressing security threats and vulnerabilities in systems, applications, and networks. This involves conducting different types of security assessments and monitoring of the organization's infrastructure and software to identify risks, threats, and vulnerabilities to reduce the risk of attacks and exploitation by malicious actors.
Secure development lifecycle and change management | This control domain focuses on system and software development, change, and configuration management processes used to plan, design, develop, test, implement, and maintain software and systems, while ensuring that changes are managed effectively and do not negatively impact environment stability or security.
Security strategy, governance, and compliance | This control domain focuses on security strategies and program management, including development and maintenance of security governance policies, security awareness and training programs, and acceptable use policies. It also includes compliance program management ensuring that organizations comply with relevant regulations and industry standards.
Vendor and supply chain management | This control domain focuses on processes for identifying, assessing, and managing risks associated with third-party entities, including vendors, suppliers, and service providers, that provide goods or services to an organization. It involves establishing criteria for vendor selection, monitoring vendor performance, and mitigating potential vendor-associated risks.

Looking at the first one, "Asset management", its Description reads

This control domain focuses on asset management and the systematic tracking and maintenance of physical or digital assets throughout their lifecycle, including acquisition, utilization, and disposal.
This reduces risks related to accidents, malfunctions, and other issues that may cause damage to property or harm to people.

from which we can see that this Domain covers the management of both physical and digital assets.

2. aws controlcatalog list-objectives

Next, the aws controlcatalog list-objectives command retrieves Objectives.

This command lets you specify the parent Domain with the --objective-filter parameter. The Objectives whose parent is the "Asset management" Domain above can be retrieved with the following command.

# List of Objectives whose parent is Asset management : arn:aws:controlcatalog:::domain/d4msesd9vvmzmmuvlv06m92uq
$ aws controlcatalog list-objectives \
>     --objective-filter "Domains=[{Arn=arn:aws:controlcatalog:::domain/d4msesd9vvmzmmuvlv06m92uq}]" \
>     --query 'Objectives[].{Name:Name, Description:Description, Arn:Arn}'
[
    {
        "Name": "Asset inventory management",
        "Description": "This control objective focuses on maintaining an accurate and up-to-date inventory of assets, including hardware, software, and data, to protect organization investments from harm or loss.",
        "Arn": "arn:aws:controlcatalog:::objective/ad11p1961s8erra9m185wa1nn"
    },
    {
        "Name": "Asset classification",
        "Description": "This control objective focuses on classifying assets based on their value, sensitivity, and criticality to the organization to manage investment risk and unauthorized access to assets and information.",
        "Arn": "arn:aws:controlcatalog:::objective/90gifwthorhxhxq7m0rtss98u"
    },
    {
        "Name": "Asset maintenance",
        "Description": "This control objective focuses on maintaining the availability and integrity of assets, including performance management, regular maintenance, and repairs to protect and extract the maximum value of the organization's IT investments.",
        "Arn": "arn:aws:controlcatalog:::objective/3frxxgl64u9kzttiuheywykf7"
    },
    {
        "Name": "Asset lifecycle management",
        "Description": "This control objective focuses on managing assets throughout their entire lifecycle, including acquisition, deployment, use, and retirement. This helps manage risks associated with asset costs by ensuring optimum asset productivity, performance, efficiency, and profitability.",
        "Arn": "arn:aws:controlcatalog:::objective/5ve4jodybrg8wnky75fp50sbf"
    },
    {
        "Name": "Asset loss prevention, response, and recovery",
        "Description": "This control objective focuses on preventing asset loss, and responding to and recovering lost, stolen, or damaged assets to contribute to the organization's profitability by reducing losses.",
        "Arn": "arn:aws:controlcatalog:::objective/ags5wgkyvwriix77zegtwhyo9"
    }
]

At present there were 5 Objectives.

Looking at the first one, "Asset inventory management", its Description reads

This control objective focuses on maintaining an accurate and up-to-date inventory of assets, including hardware, software, and data, to protect organization investments from harm or loss.

so it is an objective along the lines of "build and maintain an inventory for asset management".

3. aws controlcatalog list-common-controls

Finally, the aws controlcatalog list-common-controls command retrieves CommonControls.

This command lets you specify the parent Objective with the --common-control-filter parameter.
The CommonControls whose parent is the "Asset inventory management" Objective above can be retrieved with the following command.

# List of CommonControls whose parent is Asset inventory management : arn:aws:controlcatalog:::objective/ad11p1961s8erra9m185wa1nn
$ aws controlcatalog list-common-controls \
>     --common-control-filter "Objectives=[{Arn=arn:aws:controlcatalog:::objective/ad11p1961s8erra9m185wa1nn}]" \
>     --query 'CommonControls[].{Name:Name, Description:Description, Arn:Arn}'
[
    {
        "Name": "Asset inventory reconciliation and audit",
        "Description": "Reconcile the organization's asset inventory with other data sources, and conduct asset audits to verify the accuracy of the asset inventory.",
        "Arn": "arn:aws:controlcatalog:::common-control/d4s7ik8fgv8082v3x31hifzcc"
    },
    {
        "Name": "Inventory of authorized assets and automated discovery",
        "Description": "Maintain an asset inventory of organization authorized and existing hardware, software, and media. Where possible, utilize automated tools to facilitate the discovery and ongoing tracking of such assets.",
        "Arn": "arn:aws:controlcatalog:::common-control/1ukpmkewk4i92tjmhsvewi4y7"
    },
    {
        "Name": "Unauthorized asset management",
        "Description": "Take appropriate actions to identify and resolve unauthorized assets within the network environment on a periodic and consistent basis. Appropriate actions include, but are not limited to, removing the asset from the network, quarantining the asset, or denying connectivity to the asset.",
        "Arn": "arn:aws:controlcatalog:::common-control/c0qrxhefhmxkbq22tiejp3enn"
    },
    {
        "Name": "Asset tracking",
        "Description": "Track all physical and digital assets to ensure proper use and protection. Monitor status of digital assets like systems, devices, software, applications, and data throughout their lifecycle. Use real-time location tracking for physical assets through technologies like GPS and RFID where possible.",
        "Arn": "arn:aws:controlcatalog:::common-control/5u2qgwuw3z1y0lrof60yf6264"
    },
    {
        "Name": "Asset inventory analysis and reporting",
        "Description": "Regularly analyze hardware and software assets to assess criticality, usage, value, and other key metrics. Generate comprehensive reports on the asset inventory.",
        "Arn": "arn:aws:controlcatalog:::common-control/1tejgq26c0djpzgskw31uscm4"
    },
    {
        "Name": "Asset ownership",
        "Description": "Define asset owners, including who has responsibility for managing each asset.",
        "Arn": "arn:aws:controlcatalog:::common-control/eg1hxxu2e77a7w2wv79quwaxl"
    },
    {
        "Name": "Asset status tracking",
        "Description": "Track and monitor asset status, including whether they are operational, in maintenance, or out of service.",
        "Arn": "arn:aws:controlcatalog:::common-control/ec1fxlvgtcxlf2nzremqcca7r"
    }
]

At present there were 7 CommonControls.
Looking at the first one, "Asset inventory reconciliation and audit", its Description reads

Reconcile the organization's asset inventory with other data sources, and conduct asset audits to verify the accuracy of the asset inventory.

so a control along the lines of "conduct audits for the sake of inventory management *1" is defined.

Supplement: Asset management summary

Summarizing everything I tried for "Asset management" gives the following list.
For display reasons I attached a Description only to the CommonControls.

Domain | Objective | CommonControl | CommonControl Description
--- | --- | --- | ---
Asset management | Asset inventory management | Asset inventory reconciliation and audit | Reconcile the organization's asset inventory with other data sources, and conduct asset audits to verify the accuracy of the asset inventory.
 | | Inventory of authorized assets and automated discovery | Maintain an asset inventory of organization authorized and existing hardware, software, and media. Where possible, utilize automated tools to facilitate the discovery and ongoing tracking of such assets.
 | | Unauthorized asset management | Take appropriate actions to identify and resolve unauthorized assets within the network environment on a periodic and consistent basis. Appropriate actions include, but are not limited to, removing the asset from the network, quarantining the asset, or denying connectivity to the asset.
 | | Asset tracking | Track all physical and digital assets to ensure proper use and protection. Monitor status of digital assets like systems, devices, software, applications, and data throughout their lifecycle. Use real-time location tracking for physical assets through technologies like GPS and RFID where possible.
 | | Asset inventory analysis and reporting | Regularly analyze hardware and software assets to assess criticality, usage, value, and other key metrics. Generate comprehensive reports on the asset inventory.
 | | Asset ownership | Define asset owners, including who has responsibility for managing each asset.
 | | Asset status tracking | Track and monitor asset status, including whether they are operational, in maintenance, or out of service.
 | Asset classification | Asset valuation | Assign a value to assets based on their cost, replacement value, or other relevant factors.
 | | Asset sensitivity | Define the sensitivity of assets, including their required level of confidentiality, integrity, and availability.
 | | Asset criticality | Define the criticality of assets, including their importance to business operations and the potential impact of their loss or compromise.
 | | Asset classification and categorization | Classify or categorize assets, including systems, data, media, etc., into different groups based on their characteristics, such as sensitivity and criticality.
 | | Asset labeling | Label assets with unique identifiers.
 | Asset maintenance | Asset performance management | Monitor and optimize the performance and security of assets, including hardware and software.
 | | Asset maintenance scheduling | Schedule and track maintenance activities for assets, including preventive maintenance and repairs.
 | Asset lifecycle management | Asset acquisition | Assess potential security and compliance risks as part of the asset acquisition process.
 | | Asset deployment | Configure assets securely prior to deployment in the environment. Confirm the proper integration of new assets with existing systems.
 | | Asset retirement and disposition | Retire and dispose of assets, including media, that are no longer needed. Securely erase or destroy any sensitive data before asset disposal.
 | | Secure asset management | Implement asset management processes to securely track, control, and document all organizational assets. Maintain configuration control of systems undergoing service, repair, or pending return to service.
 | Asset loss prevention, response, and recovery | Asset loss prevention, recovery, and response | Define and implement actions to prevent the accidental or malicious loss or theft of assets their recovery. Include notification reporting to the appropriate authorities and stakeholders.
 | | Asset damage prevention and response | Define and implement procedures for preventing, managing, and mitigating asset damage, including implementing asset protection mechanisms, assessing the extent of any identified damage, and taking steps to repair or replace the asset.
 | | Asset security incident response | Define and implement procedures for identifying, assessing, and responding to asset-related security incidents.

As for the other Domains... if you are interested, please check them for yourself.
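Checking the other Domains by hand means repeating the three CLI commands above for every ARN in the tree. The Python script below does that walk programmatically; it is an added example for this post, not code from AWS or from the author. It assumes that the boto3 controlcatalog client exposes list_domains, list_objectives and list_common_controls with the same request and response shapes as the CLI commands shown above (ObjectiveFilter={'Domains': [{'Arn': ...}]}, CommonControlFilter={'Objectives': [{'Arn': ...}]}, response keys Domains / Objectives / CommonControls, pages linked by NextToken). The FakeControlCatalog class is a constructed offline stand-in built from the ARNs printed in the post (the "Asset valuation" ARN is a placeholder, and the two-page Objectives response is constructed to exercise pagination), so the script runs without an account; passing --live switches to the real client in the Tokyo region the post tested in.

```python
"""Walk the AWS Control Catalog hierarchy Domain -> Objective -> CommonControl.

Added example, not AWS's or the post's code. Assumes the boto3 'controlcatalog'
client mirrors the CLI shown in the post: ObjectiveFilter={'Domains': [{'Arn': ..}]},
CommonControlFilter={'Objectives': [{'Arn': ..}]}, pagination through NextToken.
"""
from __future__ import annotations

import sys
from typing import Any, Callable


def _paginate(call: Callable[..., dict], key: str, **kwargs: Any) -> list[dict]:
    """Collect every item under `key`, following NextToken until the service omits it."""
    items: list[dict] = []
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = call(**params)
        items.extend(page.get(key, []))
        token = page.get("NextToken")
        if not token:
            return items


def walk_catalog(client: Any) -> list[dict]:
    """Return the catalog as nested dicts: Domain -> Objectives -> CommonControls."""
    tree: list[dict] = []
    for domain in _paginate(client.list_domains, "Domains"):
        objectives: list[dict] = []
        for objective in _paginate(
            client.list_objectives, "Objectives",
            ObjectiveFilter={"Domains": [{"Arn": domain["Arn"]}]},
        ):
            controls = _paginate(
                client.list_common_controls, "CommonControls",
                CommonControlFilter={"Objectives": [{"Arn": objective["Arn"]}]},
            )
            objectives.append({**objective, "CommonControls": controls})
        tree.append({**domain, "Objectives": objectives})
    return tree


def count_common_controls(tree: list[dict]) -> int:
    """Total number of CommonControls across all Domains and Objectives."""
    return sum(len(o["CommonControls"]) for d in tree for o in d["Objectives"])


def render(tree: list[dict]) -> str:
    """Indented text view in the same order as the post's summary table."""
    lines: list[str] = []
    for domain in tree:
        lines.append(domain["Name"])
        for objective in domain["Objectives"]:
            lines.append(f"  {objective['Name']}")
            for control in objective["CommonControls"]:
                lines.append(f"    {control['Name']}: {control['Description']}")
    return "\n".join(lines)


class FakeControlCatalog:
    """Constructed offline stand-in for the boto3 client (ARNs copied from the post,
    except the placeholder 'Asset valuation' ARN). Objectives come in two pages so
    that NextToken handling is exercised."""

    DOMAIN_ARN = "arn:aws:controlcatalog:::domain/d4msesd9vvmzmmuvlv06m92uq"
    OBJ_INVENTORY = "arn:aws:controlcatalog:::objective/ad11p1961s8erra9m185wa1nn"
    OBJ_CLASSIFICATION = "arn:aws:controlcatalog:::objective/90gifwthorhxhxq7m0rtss98u"

    def list_domains(self, **_: Any) -> dict:
        return {"Domains": [{"Name": "Asset management", "Arn": self.DOMAIN_ARN,
                             "Description": "This control domain focuses on asset management ..."}]}

    def list_objectives(self, ObjectiveFilter: dict, NextToken: str | None = None, **_: Any) -> dict:
        if ObjectiveFilter != {"Domains": [{"Arn": self.DOMAIN_ARN}]}:
            return {"Objectives": []}
        if NextToken is None:  # first page carries a token for the second page
            return {"Objectives": [{"Name": "Asset inventory management", "Arn": self.OBJ_INVENTORY,
                                    "Description": "Maintain an accurate and up-to-date inventory ..."}],
                    "NextToken": "constructed-page-2"}
        return {"Objectives": [{"Name": "Asset classification", "Arn": self.OBJ_CLASSIFICATION,
                                "Description": "Classify assets based on value, sensitivity, criticality ..."}]}

    def list_common_controls(self, CommonControlFilter: dict, **_: Any) -> dict:
        parent = CommonControlFilter["Objectives"][0]["Arn"]
        by_objective = {
            self.OBJ_INVENTORY: [
                {"Name": "Asset inventory reconciliation and audit",
                 "Arn": "arn:aws:controlcatalog:::common-control/d4s7ik8fgv8082v3x31hifzcc",
                 "Description": "Reconcile the organization's asset inventory with other data sources, "
                                "and conduct asset audits to verify the accuracy of the asset inventory."},
                {"Name": "Asset ownership",
                 "Arn": "arn:aws:controlcatalog:::common-control/eg1hxxu2e77a7w2wv79quwaxl",
                 "Description": "Define asset owners, including who has responsibility for managing each asset."},
            ],
            self.OBJ_CLASSIFICATION: [
                {"Name": "Asset valuation",
                 "Arn": "arn:aws:controlcatalog:::common-control/PLACEHOLDER-not-from-the-post",
                 "Description": "Assign a value to assets based on their cost, replacement value, or other factors."},
            ],
        }
        return {"CommonControls": by_objective.get(parent, [])}


def main(argv: list[str]) -> None:
    if "--live" in argv:  # real call, Tokyo region as in the post; needs boto3 and credentials
        import boto3
        client = boto3.client("controlcatalog", region_name="ap-northeast-1")
    else:  # default: offline run over the constructed data
        client = FakeControlCatalog()
    tree = walk_catalog(client)
    print(render(tree))
    print(f"\n{count_common_controls(tree)} common controls")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the traversal over the constructed data, or with `--live` in an account that has the Tokyo endpoint available to dump the whole catalog; since the service only returns text, the walk is read-only and the output maps one to one onto the Domain / Objective / CommonControl table above.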

Finally

That is all.

At this point I cannot quite gauge the purpose of the service, but perhaps it should be thought of as something like a Well-Architected Framework specialized for corporate security and governance?
Once an official announcement comes from AWS the purpose should become clear, so I will wait for it with anticipation.

Footnotes

  1. I could not quite grasp the meaning of the first part, "reconciling the inventory"...