Checking whether turning on consolidated control findings in AWS Security Hub unifies findings across security standards

2023.10.16

Hello, this is Kohei from the Customer Solutions Department!

This time I checked whether turning on consolidated control findings in AWS Security Hub (hereafter Security Hub) unifies the finding fields and values that, with the setting off, vary from one security standard to another.

What is Security Hub

The main feature of AWS Security Hub is what is called the "security standards" feature. It corresponds to a Cloud Security Posture Management (CSPM) service and automatically checks "whether the security configuration of AWS resources deviates from best practices."

Quoted from 【初心者向け】AWS Security Hubとは?概要からメリット、料金まで解説 (a beginner's guide to Security Hub, in Japanese)

That explanation is easy to follow: Security Hub notifies you when a risky configuration exists in your AWS account.

For example, if an S3 bucket is unintentionally made public, Security Hub detects that state and tells you, so you can correct the public-access setting and head off a threat event before it happens.

What are consolidated control findings

It is one of the configuration settings in Security Hub (ControlFindingGenerator in the API, where SECURITY_CONTROL means on and STANDARD_CONTROL means off).

Put simply, when you have multiple security standards enabled, as in the screenshot below, this setting unifies the finding values for the same check item across those standards.

For example, the control CloudTrail.2 is included in the checks of both AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0.

But because each security standard runs the check independently, some of the finding fields and values differ: CIS, for instance, knows the same check as rule 2.7 and gives it its own Title, GeneratorId and finding Id.

Enabling this setting unifies the findings across security standards, which makes the results more convenient and readable from the user's point of view (and whether they really are unified is what this post checks).

For details on consolidated control findings, see the following.
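
To check and flip the setting from the API rather than the console, here is an added example in Python with boto3 (my code, not from the original post). The setting is exposed as ControlFindingGenerator on DescribeHub and UpdateSecurityHubConfiguration: SECURITY_CONTROL means consolidated control findings are on, STANDARD_CONTROL means off. The region, the --apply flag and the function names are my assumptions; the caller needs securityhub:DescribeHub and securityhub:UpdateSecurityHubConfiguration permissions.

```python
"""Check whether consolidated control findings are on, and optionally turn them on."""
import sys

# Values of ControlFindingGenerator in DescribeHub / UpdateSecurityHubConfiguration.
CONSOLIDATED = "SECURITY_CONTROL"   # consolidated control findings ON
PER_STANDARD = "STANDARD_CONTROL"   # one finding per standard (OFF)


def interpret_hub_config(describe_hub_response):
    """Reduce a DescribeHub response to the fields that matter here."""
    generator = describe_hub_response.get("ControlFindingGenerator")
    return {
        "hub_arn": describe_hub_response.get("HubArn"),
        "control_finding_generator": generator,
        "consolidated_findings": generator == CONSOLIDATED,
        "auto_enable_controls": describe_hub_response.get("AutoEnableControls"),
    }


def ensure_consolidated(client, apply=False):
    """Report the current setting; with apply=True, switch to SECURITY_CONTROL if needed.

    Idempotent: when the setting is already on, no update call is made. Only
    ControlFindingGenerator is sent, so AutoEnableControls is left untouched.
    """
    status = interpret_hub_config(client.describe_hub())
    if status["consolidated_findings"] or not apply:
        return status
    client.update_security_hub_configuration(ControlFindingGenerator=CONSOLIDATED)
    return interpret_hub_config(client.describe_hub())


if __name__ == "__main__":
    import boto3  # imported here so the pure functions above work without it

    # Assumed region (the one used in this post); pass --apply to actually change the setting.
    securityhub = boto3.client("securityhub", region_name="ap-northeast-1")
    result = ensure_consolidated(securityhub, apply="--apply" in sys.argv)
    state = "ON" if result["consolidated_findings"] else "OFF"
    print(f"{result['hub_arn']}: consolidated control findings {state} "
          f"(ControlFindingGenerator={result['control_finding_generator']})")
```

Run it without --apply for a read-only audit; the client object is passed in, so the same functions can be pointed at several accounts or regions via assumed-role sessions.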

What I specifically wanted to find out

  • The findings shown under "Controls" and "Security standards" with consolidated control findings off
    • Under "Security standards", a separate finding is output per security standard
    • What I wasn't sure about was which finding "Controls" would display
    • My guess was that the finding from one of the security standards would be shown
  • The findings shown under "Controls" and "Security standards" with consolidated control findings on
    • My expectation was that with the setting on, the findings would be unified across security standards

Let's take a look

As preparation, I had already enabled AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0 as security standards.

With consolidated control findings off

Control findings

First, let's look at the control findings with consolidated control findings turned off.

Select Controls from the left navigation bar, then select the control you want to check.

Select Finding JSON at the bottom right of the screen.

Below is the finding I got when I checked (partially masked).

Finding on the Controls side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/3570xxxx-xxxx-xxxx-xxxx-xxxxxx74908b",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
  ],
  "FirstObservedAt": "2023-10-13T06:59:07.101Z",
  "LastObservedAt": "2023-10-15T15:54:25.552Z",
  "CreatedAt": "2023-10-13T06:59:07.101Z",
  "UpdatedAt": "2023-10-15T15:54:09.614Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0",
    "ControlId": "CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-e3cb750a",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/3570xxxx-xxxx-xxxx-xxxx-xxxxxx74908b"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
    ]
  },
  "ProcessedAt": "2023-10-15T15:54:28.447Z"
}

Security standard findings

Next, let's look at the security standard findings with consolidated control findings turned off.

Select Security standards from the left navigation bar, then select AWS Foundational Security Best Practices v1.0.0.

Select the same control as under Controls earlier.

Select Finding JSON at the bottom right of the screen.

Finding on the AWS Foundational Security Best Practices v1.0.0 side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/3570xxxx-xxxx-xxxx-xxxx-xxxxxx74908b",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
  ],
  "FirstObservedAt": "2023-10-13T06:59:07.101Z",
  "LastObservedAt": "2023-10-15T15:54:25.552Z",
  "CreatedAt": "2023-10-13T06:59:07.101Z",
  "UpdatedAt": "2023-10-15T15:54:09.614Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0",
    "ControlId": "CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-e3cb750a",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/3570xxxx-xxxx-xxxx-xxxx-xxxxxx74908b"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
    ]
  },
  "ProcessedAt": "2023-10-15T15:54:28.447Z"
}

Following the same flow, next select CIS AWS Foundations Benchmark v1.2.0.

Select the same control as before.

Select Finding JSON at the bottom right of the screen.

Finding on the CIS AWS Foundations Benchmark v1.2.0 side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/6d7dxxxx-xxxx-xxxx-xxxx-xxxxxxc38879",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "FirstObservedAt": "2023-10-13T06:59:07.102Z",
  "LastObservedAt": "2023-10-15T15:54:20.026Z",
  "CreatedAt": "2023-10-13T06:59:07.102Z",
  "UpdatedAt": "2023-10-15T15:54:09.614Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
  "Description": "AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    "StandardsGuideSubscriptionArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/cis-aws-foundations-benchmark/v/1.2.0",
    "RuleId": "2.7",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-e3cb750a",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:control/cis-aws-foundations-benchmark/v/1.2.0/2.7",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/6d7dxxxx-xxxx-xxxx-xxxx-xxxxxxc38879"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
    ]
  },
  "ProcessedAt": "2023-10-15T15:54:24.807Z"
}

Results

  • The findings on the AWS Foundational Security Best Practices v1.0.0 side and on the CIS AWS Foundations Benchmark v1.2.0 side differed in several fields and values: the Id (subscription/aws-foundational-security-best-practices/.../CloudTrail.2 vs subscription/cis-aws-foundations-benchmark/.../2.7), GeneratorId, Types, Title and Description, the standard-specific ProductFields keys (StandardsArn/ControlId vs StandardsGuideArn/RuleId), and Compliance.AssociatedStandards, which lists only its own standard in each. What they shared was Compliance.SecurityControlId = CloudTrail.2, the same backing AWS Config rule, the same remediation URL and the same resource.
  • The Controls page showed the AWS Foundational Security Best Practices v1.0.0 finding, so when multiple security standards are enabled there is presumably some priority order and only one of the findings is displayed.

With consolidated control findings on

Control findings

Next, let's check with consolidated control findings turned on (you need to wait roughly 18 hours after enabling the setting).

The steps to retrieve the findings are the same as above, so I'll omit them.

Finding on the Controls side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "security-control/CloudTrail.2",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2023-10-13T18:58:48.627Z",
  "LastObservedAt": "2023-10-14T18:59:18.265Z",
  "CreatedAt": "2023-10-13T18:58:48.627Z",
  "UpdatedAt": "2023-10-14T18:59:10.375Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-cbfb05c1",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v1.2.0/2.7"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      },
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "ProcessedAt": "2023-10-14T18:59:21.011Z"
}

Security standard findings

Finding on the AWS Foundational Security Best Practices v1.0.0 side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "security-control/CloudTrail.2",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2023-10-13T18:58:48.627Z",
  "LastObservedAt": "2023-10-14T18:59:18.265Z",
  "CreatedAt": "2023-10-13T18:58:48.627Z",
  "UpdatedAt": "2023-10-14T18:59:10.375Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-cbfb05c1",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v1.2.0/2.7"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      },
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "ProcessedAt": "2023-10-14T18:59:21.011Z"
}

Finding on the CIS AWS Foundations Benchmark v1.2.0 side (JSON)
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "ap-northeast-1",
  "GeneratorId": "security-control/CloudTrail.2",
  "AwsAccountId": "xxxxxxxxxxxx",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2023-10-13T18:58:48.627Z",
  "LastObservedAt": "2023-10-14T18:59:18.265Z",
  "CreatedAt": "2023-10-13T18:58:48.627Z",
  "UpdatedAt": "2023-10-14T18:59:10.375Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-cbfb05c1",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/securityhub/arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/Members",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "HomeRegion": "ap-northeast-1",
          "IncludeGlobalServiceEvents": true,
          "IsMultiRegionTrail": true,
          "IsOrganizationTrail": false,
          "LogFileValidationEnabled": true,
          "Name": "Members",
          "S3BucketName": "cm-members-cloudtrail-xxxxxxxxxxxx"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v1.2.0/2.7"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      },
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "ProcessedAt": "2023-10-14T18:59:21.011Z"
}

Results

All three returned exactly the same JSON.

Although partially masked, the Id below was also identical across all three, so the findings really have been consolidated. Note the change of shape compared with the off state: the Id and GeneratorId now use the security-control/CloudTrail.2 form instead of a per-standard subscription path, Types no longer carries a standard-specific suffix, the Title drops the "CloudTrail.2 " prefix, Severity.Product is gone, the standard-specific ProductFields keys (StandardsArn, ControlId, StandardsGuideArn, RuleId, StandardsControlArn) have disappeared, and the backing AWS Config rule was re-created under a new name suffix.

  "Id": "arn:aws:securityhub:ap-northeast-1:xxxxxxxxxxxx:security-control/CloudTrail.2/finding/d67axxxx-xxxx-xxxx-xxxx-xxxxxx98399f",

Looking at Compliance.AssociatedStandards as well, you can see that AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0 have been merged into one finding, and Compliance.RelatedRequirements records the CIS requirement it maps to (CIS AWS Foundations Benchmark v1.2.0/2.7).

    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      },
      {
        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
      }
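
The fields that change between the two modes are exactly the ones downstream tooling tends to key on, and with the setting off the same misconfiguration arrives as two findings. As an added example (my code, not part of the original post), the following Python groups ASFF findings by (SecurityControlId, resource ARN) so that one misconfiguration counts once whether it arrived as two per-standard findings or one consolidated finding, and flags the double counting. The sample findings are constructed: they mirror the shapes of the JSON above but are trimmed to the fields the logic reads, with a placeholder account ID and finding UUIDs.

```python
"""Group Security Hub control findings by (control, resource), regardless of
whether they were produced with consolidated control findings on or off."""
from collections import defaultdict

# Constructed sample data (not real account data): placeholder account ID and
# finding UUIDs, trimmed to the ASFF fields this script reads.
ACCOUNT = "111111111111"
TRAIL_ARN = f"arn:aws:cloudtrail:ap-northeast-1:{ACCOUNT}:trail/Members"
FSBP = "standards/aws-foundational-security-best-practices/v/1.0.0"
CIS12 = "ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def _finding(fid, generator, standards, status="FAILED", control="CloudTrail.2"):
    """Build a trimmed ASFF finding with the fields the grouping logic uses."""
    return {
        "Id": fid,
        "GeneratorId": generator,
        "Resources": [{"Type": "AwsCloudTrailTrail", "Id": TRAIL_ARN}],
        "Compliance": {
            "Status": status,
            "SecurityControlId": control,
            "AssociatedStandards": [{"StandardsId": s} for s in standards],
        },
    }


# Setting OFF: one finding per standard, each with a subscription/... Id and a
# standard-specific GeneratorId (the shapes seen in the per-standard findings above).
OFF_FINDINGS = [
    _finding(f"arn:aws:securityhub:ap-northeast-1:{ACCOUNT}:subscription/"
             "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/"
             "00000000-0000-0000-0000-000000000001",
             "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", [FSBP]),
    _finding(f"arn:aws:securityhub:ap-northeast-1:{ACCOUNT}:subscription/"
             "cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/"
             "00000000-0000-0000-0000-000000000002",
             "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7", [CIS12]),
]
# Setting ON: a single security-control/... finding that lists both standards.
ON_FINDINGS = [
    _finding(f"arn:aws:securityhub:ap-northeast-1:{ACCOUNT}:security-control/"
             "CloudTrail.2/finding/00000000-0000-0000-0000-000000000003",
             "security-control/CloudTrail.2", [CIS12, FSBP]),
]


def finding_mode(finding):
    """Classify a Security Hub control finding by the shape of its Id."""
    fid = finding["Id"]
    if ":security-control/" in fid:
        return "consolidated"
    if ":subscription/" in fid:
        return "per-standard"
    raise ValueError(f"not a Security Hub control finding: {fid}")


def control_id(finding):
    """Security control ID (e.g. CloudTrail.2); fall back to ProductFields for
    findings that do not carry Compliance.SecurityControlId."""
    compliance = finding.get("Compliance", {})
    if compliance.get("SecurityControlId"):
        return compliance["SecurityControlId"]
    product_fields = finding.get("ProductFields", {})
    return product_fields.get("ControlId") or product_fields.get("RuleId") or finding["GeneratorId"]


def standards_of(finding):
    """Standards the finding is attributed to, from Compliance.AssociatedStandards."""
    return {s["StandardsId"] for s in finding.get("Compliance", {}).get("AssociatedStandards", [])}


def group_findings(findings):
    """Key findings by (control, resource ARN) so one misconfiguration is one entry."""
    groups = defaultdict(lambda: {"finding_ids": set(), "standards": set(), "modes": set(), "statuses": set()})
    for finding in findings:
        for resource in finding["Resources"]:
            group = groups[(control_id(finding), resource["Id"])]
            group["finding_ids"].add(finding["Id"])
            group["standards"] |= standards_of(finding)
            group["modes"].add(finding_mode(finding))
            group["statuses"].add(finding["Compliance"]["Status"])
    return dict(groups)


def duplicated_controls(groups):
    """Entries backed by more than one finding: the double counting you get with the setting off."""
    return {key: group for key, group in groups.items() if len(group["finding_ids"]) > 1}


if __name__ == "__main__":
    for label, findings in (("OFF", OFF_FINDINGS), ("ON", ON_FINDINGS)):
        groups = group_findings(findings)
        for (control, resource), group in groups.items():
            print(f"[{label}] {control} on {resource}: {len(group['finding_ids'])} finding(s), "
                  f"standards={sorted(group['standards'])}, modes={sorted(group['modes'])}")
        print(f"[{label}] duplicated (control, resource) pairs: {len(duplicated_controls(groups))}")
```

Keying on Compliance.SecurityControlId rather than on Id or GeneratorId is what makes the grouping survive the switch: it is the one identifier that reads CloudTrail.2 in all of the JSON documents above, including the CIS finding that otherwise calls the check 2.7.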

Summary

Turning on consolidated control findings did in fact unify the findings across security standards: one finding per control and resource, with every standard it belongs to listed in Compliance.AssociatedStandards.

With the setting off, on the other hand, the same check produced a separate finding per security standard, with differing fields and values.

Also, with the setting off, the Controls page only showed the finding from one security standard, so turning the setting on is the way to get consistent results. One caveat before flipping it: as the JSON above shows, the Id, GeneratorId, Types, Title and ProductFields keys all change shape, so any EventBridge rules, SIEM parsers or ticketing automation that match on those fields need to be updated together with the change.