[アップデート]AWS Security Hubのセキュリティ標準で『Service-Managed Standard: Control Tower』が利用可能になりました
みなさん、こんにちは。
AWS事業本部コンサルティング部の芦沢(@ashi_ssan)です。
Security HubとControl Towerが統合され、Security Hubのセキュリティ標準に『Service-Managed Standard: Control Tower』が追加されました。
いきなりまとめ
- 『Service-Managed Standard』は、他のAWSサービスが管理するSecurity Hubのセキュリティ標準
- コントロール標準の1つとして「AWS 基礎セキュリティのベストプラクティス v1.0.0(AFSBP)」などとは別で登録される
- コントロールの管理(有効化/無効化)はコントロールの管理サービス側で行われる。デフォルトは無効状態で個別に有効化する必要がある。
- 『Service-Managed Standard: AWS Control Tower』は、Control Towerが管理するセキュリティ標準
- AFSBPのコントロールのサブセットをサポートしているので、内容はAFSBPとほぼ同じ(CTの方が少し古い)
- コントロールはSecurity Hubの検出結果に表示され、ワークフローのステータス更新も可能
Service-Managed Standardとは
以下の公式ドキュメントから確認した結果を箇条書きで簡潔にまとめてみました(日本語のページがまだないため、英語のページを自動翻訳を使って確認しています)
Service-managed standards - AWS Security Hub
- 他のAWSサービスが管理するSecurity Hubのセキュリティ標準
- 例)AWS Control Towerが管理する 『Service-Managed Standard: AWS Control Tower』
- 2022/12/19現在、利用可能なService-Managed Standardは『Service-Managed Standard: AWS Control Tower』のみです。
- 「AWS 基礎セキュリティのベストプラクティス v1.0.0(AWS Foundational Security Best Practices, 以下AFSBPと略します)」や「CIS AWS Foundations Benchmark v1.2.0」などと並ぶ、
コントロール標準の1つ
として表示される - 以下の点でSecutiry Hubが管理するセキュリティ標準と異なる
- 『Service-Managed Standard』の
作成・削除は管理サービス側
で行われる。サービス側で標準を有効化するまで、Security Hubコンソールに表示されない - 『Service-Managed Standard』は
1つのコントロール単位で有効化する必要
があり、新規のコントロールが追加されても自動で有効化されない
- 『Service-Managed Standard』の
ポイントは、『サービス側で標準を有効化するまで、Security Hubコンソールに表示されない』と『新規のコントロールが追加されても自動で有効化されない』の2点でしょうか。
Security HubのAFSBPでは、コントロールを有効化すると自動ですべてのコントロールが有効され、新規コントロールも自動で追加されます。
『Service-Managed Standard』とは逆の性質を持っている事がわかります。
Service-Managed Standard: AWS Control Towerとは
こちらも公式ドキュメントから確認した結果を箇条書きで簡潔にまとめてみました。
Service-Managed Standard: AWS Control Tower - AWS Security Hub
- Control Towerが管理するセキュリティ標準
Control Tower側のコンソール上でのみ
コントロールを有効化 / 無効化する事ができる- コントロールの有効化 / 無効化はAWSアカウントおよびリージョンごとに指定できる。アカウントやリージョンを跨いだ影響はない
- Security Hubが新しいコントロールを追加しても『Service-Managed Standard: AWS Control Tower』で自動的に有効化されない
- 『Service-Managed Standard: AWS Control Tower』 のコントロールを有効にすると、Security Hubがコントロールの結果を生成するのに
最大 18 時間かかる場合
がある - 結果はASFFの形式で出力される
- コントロールの内容は、
AFSBPのコントロールのサブセット
をサポート- 実行するAPIによってコントロールIDのフォーマットが変化する
- SH.ACM.1:Control Towerのコンソール(API)で表示させた場合
- CT.ACM.1:Security Hubのコンソール(API)で表示させた場合
- 実行するAPIによってコントロールIDのフォーマットが変化する
ポイントは「Control Tower側のコンソール上でのみ
コントロールを有効化 / 無効化する事ができる」と「実行するAPIによってコントロールIDのフォーマットが変化する
」の2点だと思います。
前者のコントロールの有効化/無効化に関連して、Security Hub側で抑制等のワークフローステータスの変更が可能か気になりました。ドキュメント上では判断できなかったため、後ほど行う検証にて確認したいと思います。
後者のコントロールIDの変化については、「Security Hub → Control Tower」、「Control Tower → Security Hub」のどちらのサービス側から見ても対向のサービス関連のコントロールであるとわかるような作りになっているようですね。
本記事執筆時のコントロールIDの一覧がこちらです。
ヘッダーを含め163行ありますので、気になる方は以下トグルをクリックしてください。
クリックすると開きます
"コンプライアンスのステータス","重要度","ID","タイトル","不合格のチェック","不明なチェック","利用不可のチェック","合格したチェック","関連する要件:" "NO_DATA","MEDIUM","CT.ACM.1","Imported and ACM-issued certificates should be renewed after a specified time period","0","0","0","0","" "NO_DATA","MEDIUM","CT.APIGateway.1","API Gateway REST and WebSocket API execution logging should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.APIGateway.2","API Gateway REST API stages should be configured to use SSL certificates for backend authentication","0","0","0","0","" "NO_DATA","LOW","CT.APIGateway.3","API Gateway REST API stages should have AWS X-Ray tracing enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.APIGateway.4","API Gateway should be associated with a WAF Web ACL","0","0","0","0","" "NO_DATA","MEDIUM","CT.APIGateway.5","API Gateway REST API cache data should be encrypted at rest","0","0","0","0","" "NO_DATA","LOW","CT.AutoScaling.1","Auto scaling groups associated with a load balancer should use load balancer health checks","0","0","0","0","" "NO_DATA","MEDIUM","CT.AutoScaling.2","Amazon EC2 Auto Scaling group should cover multiple Availability Zones","0","0","0","0","" "NO_DATA","HIGH","CT.AutoScaling.3","Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)","0","0","0","0","" "NO_DATA","HIGH","CT.AutoScaling.4","Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1","0","0","0","0","" "NO_DATA","MEDIUM","CT.AutoScaling.6","Auto Scaling groups should use multiple instance types in multiple Availability Zones","0","0","0","0","" "NO_DATA","MEDIUM","CT.AutoScaling.9","EC2 Auto Scaling groups should use EC2 launch templates","0","0","0","0","" "NO_DATA","HIGH","CT.Autoscaling.5","Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses","0","0","0","0","" "NO_DATA","HIGH","CT.CloudTrail.1","CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events","0","0","0","0","" "NO_DATA","MEDIUM","CT.CloudTrail.2","CloudTrail should have encryption at-rest enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.CloudTrail.4","CloudTrail log file validation should be enabled","0","0","0","0","" "NO_DATA","LOW","CT.CloudTrail.5","CloudTrail trails should be integrated with Amazon CloudWatch Logs","0","0","0","0","" "NO_DATA","CRITICAL","CT.CodeBuild.1","CodeBuild GitHub or Bitbucket source repository URLs should use OAuth","0","0","0","0","" "NO_DATA","CRITICAL","CT.CodeBuild.2","CodeBuild project environment variables should not contain clear text credentials","0","0","0","0","" "NO_DATA","MEDIUM","CT.CodeBuild.4","CodeBuild project environments should have a logging configuration","0","0","0","0","" "NO_DATA","HIGH","CT.CodeBuild.5","CodeBuild project environments should not have privileged mode enabled","0","0","0","0","" "NO_DATA","CRITICAL","CT.DMS.1","Database Migration Service replication instances should not be public","0","0","0","0","" "NO_DATA","MEDIUM","CT.DynamoDB.1","DynamoDB tables should automatically scale capacity with demand","0","0","0","0","" "NO_DATA","MEDIUM","CT.DynamoDB.2","DynamoDB tables should have point-in-time recovery enabled","0","0","0","0","" "NO_DATA","CRITICAL","CT.EC2.1","EBS snapshots should not be publicly restorable","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.10","Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.15","EC2 subnets should not automatically assign public IP addresses","0","0","0","0","" "NO_DATA","LOW","CT.EC2.16","Unused Network Access Control Lists should be removed","0","0","0","0","" "NO_DATA","LOW","CT.EC2.17","EC2 instances should not use multiple ENIs","0","0","0","0","" "NO_DATA","HIGH","CT.EC2.18","Security groups should only allow unrestricted incoming traffic for authorized ports","0","0","0","0","" "NO_DATA","CRITICAL","CT.EC2.19","Security groups should not allow unrestricted access to ports with high risk","0","0","0","0","" "NO_DATA","HIGH","CT.EC2.2","The VPC default security group should not allow inbound and outbound traffic","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.20","Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.21","Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.22","Unused EC2 security groups should be removed","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.3","Attached EBS volumes should be encrypted at-rest","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.4","Stopped EC2 instances should be removed after a specified time period","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.6","VPC flow logging should be enabled in all VPCs","0","0","0","0","" "NO_DATA","MEDIUM","CT.EC2.7","EBS default encryption should be enabled","0","0","0","0","" "NO_DATA","HIGH","CT.EC2.8","EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","0","0","0","0","" "NO_DATA","HIGH","CT.EC2.9","EC2 instances should not have a public IPv4 address","0","0","0","0","" "NO_DATA","HIGH","CT.ECR.1","ECR private repositories should have image scanning configured","0","0","0","0","" "NO_DATA","MEDIUM","CT.ECR.2","ECR private repositories should have tag immutability configured","0","0","0","0","" "NO_DATA","MEDIUM","CT.ECR.3","ECR repositories should have at least one lifecycle policy configured","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.1","Amazon ECS task definitions should have secure networking modes and user definitions.","0","0","0","0","" "NO_DATA","MEDIUM","CT.ECS.10","ECS Fargate services should run on the latest Fargate platform version","0","0","0","0","" "NO_DATA","MEDIUM","CT.ECS.12","ECS clusters should use Container Insights","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.2","ECS services should not have public IP addresses assigned to them automatically","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.3","ECS task definitions should not share the host's process namespace","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.4","ECS containers should run as non-privileged","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.5","ECS containers should be limited to read-only access to root filesystems","0","0","0","0","" "NO_DATA","HIGH","CT.ECS.8","Secrets should not be passed as container environment variables","0","0","0","0","" "NO_DATA","MEDIUM","CT.EFS.1","Elastic File System should be configured to encrypt file data at-rest using AWS KMS","0","0","0","0","" "NO_DATA","MEDIUM","CT.EFS.2","Amazon EFS volumes should be in backup plans","0","0","0","0","" "NO_DATA","MEDIUM","CT.EFS.3","EFS access points should enforce a root directory","0","0","0","0","" "NO_DATA","MEDIUM","CT.EFS.4","EFS access points should enforce a user identity","0","0","0","0","" "NO_DATA","HIGH","CT.EKS.2","EKS clusters should run on a supported Kubernetes version","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELBv2.1","Application Load Balancer should be configured to redirect all HTTP requests to HTTPS","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.10","Classic Load Balancer should span multiple Availability Zones","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.12","Application Load Balancer should be configured with defensive or strictest desync mitigation mode","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.13","Application, Network and Gateway Load Balancers should span multiple Availability Zones","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.14","Classic Load Balancer should be configured with defensive or strictest desync mitigation mode","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.2","Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.3","Classic Load Balancer listeners should be configured with HTTPS or TLS termination","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.4","Application load balancer should be configured to drop http headers","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.5","Application and Classic Load Balancers logging should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.6","Application Load Balancer deletion protection should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.7","Classic Load Balancers should have connection draining enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.8","Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration","0","0","0","0","" "NO_DATA","MEDIUM","CT.ELB.9","Classic Load Balancers should have cross-zone load balancing enabled","0","0","0","0","" "NO_DATA","HIGH","CT.EMR.1","Amazon Elastic MapReduce cluster master nodes should not have public IP addresses","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.1","Elasticsearch domains should have encryption at-rest enabled","0","0","0","0","" "NO_DATA","CRITICAL","CT.ES.2","Elasticsearch domains should be in a VPC","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.3","Elasticsearch domains should encrypt data sent between nodes","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.4","Elasticsearch domain error logging to CloudWatch Logs should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.5","Elasticsearch domains should have audit logging enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.6","Elasticsearch domains should have at least three data nodes","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.7","Elasticsearch domains should be configured with at least three dedicated master nodes","0","0","0","0","" "NO_DATA","MEDIUM","CT.ES.8","Connections to Elasticsearch domains should be encrypted using TLS 1.2","0","0","0","0","" "NO_DATA","LOW","CT.ElasticBeanstalk.1","Elastic Beanstalk environments should have enhanced health reporting enabled","0","0","0","0","" "NO_DATA","HIGH","CT.ElasticBeanstalk.2","Elastic Beanstalk managed platform updates should be enabled","0","0","0","0","" "NO_DATA","HIGH","CT.GuardDuty.1","GuardDuty should be enabled","0","0","0","0","" "NO_DATA","HIGH","CT.IAM.1","IAM policies should not allow full "*" administrative privileges","0","0","0","0","" "NO_DATA","LOW","CT.IAM.2","IAM users should not have IAM policies attached","0","0","0","0","" "NO_DATA","LOW","CT.IAM.21","IAM customer managed policies that you create should not allow wildcard actions for services","0","0","0","0","" "NO_DATA","MEDIUM","CT.IAM.3","IAM users' access keys should be rotated every 90 days or less","0","0","0","0","" "NO_DATA","CRITICAL","CT.IAM.4","IAM root user access key should not exist","0","0","0","0","" "NO_DATA","MEDIUM","CT.IAM.5","MFA should be enabled for all IAM users that have a console password","0","0","0","0","" "NO_DATA","CRITICAL","CT.IAM.6","Hardware MFA should be enabled for the root user","0","0","0","0","" "NO_DATA","MEDIUM","CT.IAM.7","Password policies for IAM users should have strong configurations","0","0","0","0","" "NO_DATA","MEDIUM","CT.IAM.8","Unused IAM user credentials should be removed","0","0","0","0","" "NO_DATA","MEDIUM","CT.KMS.1","IAM customer managed policies should not allow decryption actions on all KMS keys","0","0","0","0","" "NO_DATA","MEDIUM","CT.KMS.2","IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys","0","0","0","0","" "NO_DATA","CRITICAL","CT.KMS.3","AWS KMS keys should not be deleted unintentionally","0","0","0","0","" "NO_DATA","MEDIUM","CT.Kinesis.1","Kinesis streams should be encrypted at rest","0","0","0","0","" "NO_DATA","CRITICAL","CT.Lambda.1","Lambda function policies should prohibit public access","0","0","0","0","" "NO_DATA","MEDIUM","CT.Lambda.2","Lambda functions should use supported runtimes","0","0","0","0","" "NO_DATA","MEDIUM","CT.Lambda.5","VPC Lambda functions should operate in more than one Availability Zone","0","0","0","0","" "NO_DATA","MEDIUM","CT.NetworkFirewall.3","Network Firewall policies should have at least one rule group associated","0","0","0","0","" "NO_DATA","MEDIUM","CT.NetworkFirewall.4","The default stateless action for Network Firewall policies should be drop or forward for full packets","0","0","0","0","" "NO_DATA","MEDIUM","CT.NetworkFirewall.5","The default stateless action for Network Firewall policies should be drop or forward for fragmented packets","0","0","0","0","" "NO_DATA","MEDIUM","CT.NetworkFirewall.6","Stateless network firewall rule group should not be empty","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.1","OpenSearch domains should have encryption at rest enabled","0","0","0","0","" "NO_DATA","CRITICAL","CT.Opensearch.2","OpenSearch domains should be in a VPC","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.3","OpenSearch domains should encrypt data sent between nodes","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.4","OpenSearch domain error logging to CloudWatch Logs should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.5","OpenSearch domains should have audit logging enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.6","OpenSearch domains should have at least three data nodes","0","0","0","0","" "NO_DATA","HIGH","CT.Opensearch.7","OpenSearch domains should have fine-grained access control enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.Opensearch.8","Connections to OpenSearch domains should be encrypted using TLS 1.2","0","0","0","0","" "NO_DATA","CRITICAL","CT.RDS.1","RDS snapshot should be private","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.10","IAM authentication should be configured for RDS instances","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.11","RDS instances should have automatic backups enabled","0","0","0","0","" "NO_DATA","HIGH","CT.RDS.13","RDS automatic minor version upgrades should be enabled","0","0","0","0","" "NO_DATA","LOW","CT.RDS.17","RDS DB instances should be configured to copy tags to snapshots","0","0","0","0","" "NO_DATA","HIGH","CT.RDS.18","RDS instances should be deployed in a VPC","0","0","0","0","" "NO_DATA","LOW","CT.RDS.19","An RDS event notifications subscription should be configured for critical cluster events","0","0","0","0","" "NO_DATA","CRITICAL","CT.RDS.2","RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration","0","0","0","0","" "NO_DATA","LOW","CT.RDS.20","An RDS event notifications subscription should be configured for critical database instance events","0","0","0","0","" "NO_DATA","LOW","CT.RDS.21","An RDS event notifications subscription should be configured for critical database parameter group events","0","0","0","0","" "NO_DATA","LOW","CT.RDS.22","An RDS event notifications subscription should be configured for critical database security group events","0","0","0","0","" "NO_DATA","LOW","CT.RDS.23","RDS instances should not use a database engine default port","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.25","RDS database instances should use a custom administrator username","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.3","RDS DB instances should have encryption at-rest enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.4","RDS cluster snapshots and database snapshots should be encrypted at rest","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.5","RDS DB instances should be configured with multiple Availability Zones","0","0","0","0","" "NO_DATA","LOW","CT.RDS.6","Enhanced monitoring should be configured for RDS DB instances","0","0","0","0","" "NO_DATA","LOW","CT.RDS.8","RDS DB instances should have deletion protection enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.RDS.9","Database logging should be enabled","0","0","0","0","" "NO_DATA","CRITICAL","CT.Redshift.1","Amazon Redshift clusters should prohibit public access","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.2","Connections to Amazon Redshift clusters should be encrypted in transit","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.4","Amazon Redshift clusters should have audit logging enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.6","Amazon Redshift should have automatic upgrades to major versions enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.7","Redshift clusters should use enhanced VPC routing","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.8","Amazon Redshift clusters should not use the default Admin username","0","0","0","0","" "NO_DATA","MEDIUM","CT.Redshift.9","Redshift clusters should not use the default database name","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.1","S3 Block Public Access setting should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.10","S3 buckets with versioning enabled should have lifecycle policies configured","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.11","S3 buckets should have event notifications enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.12","S3 access control lists (ACLs) should not be used to manage user access to buckets","0","0","0","0","" "NO_DATA","LOW","CT.S3.13","S3 buckets should have lifecycle policies configured","0","0","0","0","" "NO_DATA","CRITICAL","CT.S3.2","S3 buckets should prohibit public read access","0","0","0","0","" "NO_DATA","CRITICAL","CT.S3.3","S3 buckets should prohibit public write access","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.4","S3 buckets should have server-side encryption enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.5","S3 buckets should require requests to use Secure Socket Layer","0","0","0","0","" "NO_DATA","HIGH","CT.S3.6","S3 permissions granted to other AWS accounts in bucket policies should be restricted","0","0","0","0","" "NO_DATA","HIGH","CT.S3.8","S3 Block Public Access setting should be enabled at the bucket-level","0","0","0","0","" "NO_DATA","MEDIUM","CT.S3.9","S3 bucket server access logging should be enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.SNS.1","SNS topics should be encrypted at-rest using AWS KMS","0","0","0","0","" "NO_DATA","MEDIUM","CT.SNS.2","Logging of delivery status should be enabled for notification messages sent to a topic","0","0","0","0","" "NO_DATA","MEDIUM","CT.SQS.1","Amazon SQS queues should be encrypted at rest","0","0","0","0","" "NO_DATA","MEDIUM","CT.SSM.1","EC2 instances should be managed by AWS Systems Manager","0","0","0","0","" "NO_DATA","HIGH","CT.SSM.2","EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation","0","0","0","0","" "NO_DATA","LOW","CT.SSM.3","EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT","0","0","0","0","" "NO_DATA","CRITICAL","CT.SSM.4","SSM documents should not be public","0","0","0","0","" "NO_DATA","HIGH","CT.SageMaker.1","Amazon SageMaker notebook instances should not have direct internet access","0","0","0","0","" "NO_DATA","MEDIUM","CT.SecretsManager.1","Secrets Manager secrets should have automatic rotation enabled","0","0","0","0","" "NO_DATA","MEDIUM","CT.SecretsManager.2","Secrets Manager secrets configured with automatic rotation should rotate successfully","0","0","0","0","" "NO_DATA","MEDIUM","CT.SecretsManager.3","Remove unused Secrets Manager secrets","0","0","0","0","" "NO_DATA","MEDIUM","CT.SecretsManager.4","Secrets Manager secrets should be rotated within a specified number of days","0","0","0","0","" "NO_DATA","MEDIUM","CT.WAF.2","A WAF Regional rule should have at least one condition","0","0","0","0","" "NO_DATA","MEDIUM","CT.WAF.3","A WAF Regional rule group should have at least one rule","0","0","0","0","" "NO_DATA","MEDIUM","CT.WAF.4","A WAF Regional web ACL should have at least one rule or rule group","0","0","0","0",""
一覧をみて察した方もいるかと思いますが、各コントロールはASFBPと似た内容になっています。
ドキュメントに以下とあるように、基本的にはASFBPのサブセットなのでほぼ同じであると考えても良いでしょう。
Service-Managed Standard: AWS Control Tower supports a subset of controls in the AWS Foundational Security Best Practices (FSBP) standard.
ただ、最新のASFBPよりは数が少ないため、最新のコントロールを反映しているわけではないようです。
やってみた
ここからは『Service-Managed Standard: Control Tower』を実際に有効化してみます。
以下の手順で検証を進めていきます。
- 対象アカウントに対して『Service-Managed Standard: Control Tower』のコントロールを1つ有効化する(Control Tower管理アカウント)
- Security Hubコンソールにアクセスする(メンバーアカウント)
Service-Managed Standard: Control Towerの有効化
Control Tower管理アカウントにログインして以下作業を実施します
まずは、Control Towerコンソールのコントロールライブラリで『Service-Managed Standard: Control Tower』のコントロールを探しましょう。
"コントロールを検索"からコントロールオーナー = AWS Security Hub
で検索するとフィルタできます。
今回は、[SH.EC2.18] セキュリティグループは、許可されたポートへの無制限の受信トラフィックのみを許可する必要があります
を有効化してみます。
コントロールを有効化してしばらく(数十秒程度)待つと、OUは有効です
タブやアカウント
タブに有効化したOUやアカウントの情報が表示されます。
メンバーアカウント側での確認
メンバーアカウントにログインして以下作業を実施します
Security Hubコンソールを確認すると、セキュリティ標準に『Service-Managed Standard: Control Tower』が追加されていました。
Control Tower側からのコントロール有効化直後はメンバーアカウント側へコントロールの有効化が反映されておらず、セキュリティスコアも登録されていませんでした。
各コントロールのステータスもすべてデータなし・無効となっています。
ドキュメントの以下のような但し書きがあったので、ここから一旦1日程度待った方が良さそうです。
Service-Managed Standard: AWS Control Tower のコントロールを有効にすると、Security Hub は、既存の AWS Config サービスにリンクされたルールを使用するコントロールの結果を生成するのに最大 18 時間かかる場合があります。
1日程度待ってから確認した結果がこちらです。
スコアが100%と表示されました。コントロールを1つしか有効化していないため、有効なコントロールは1つだけ表示されていますね。
検出結果でのコントロールの表示も可能でした。
タイトルはCT.EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports
とタイトル頭のコントロールIDに『CT.』が付与されたものになっています。
他コントロールと同様、ワークフローのステータス変更も可能でした。
以上で検証を終わります。
まとめ
- 『Service-Managed Standard』は、他のAWSサービスが管理するSecurity Hubのセキュリティ標準
- コントロール標準の1つとして「AWS 基礎セキュリティのベストプラクティス v1.0.0(AFSBP)」などとは別で登録される
- コントロールの管理(有効化/無効化)はコントロールの管理サービス側で行われる。デフォルトは無効状態で個別に有効化する必要がある。
- 『Service-Managed Standard: AWS Control Tower』は、Control Towerが管理するセキュリティ標準
- AFSBPのコントロールのサブセットをサポートしているので、内容はAFSBPとほぼ同じ(CTの方が少し古い)
- コントロールはSecurity Hubの検出結果に表示され、ワークフローのステータス更新も可能
最後に
今回は、AWS Security Hubのセキュリティ標準に追加された『Service-Managed Standard: Control Tower』について調べてみました。
今月行われたre:Invent2022のアップデートでのControl Towerの管理画面が強化と本記事のアップデートが合わさることで、これまでやりづらかったControl Towerのコントロール(ガードレール)とSecurity Hubのコントロールの統合管理の1つの解決策になりうるのではないでしょうか?
この記事があなたの役に立てれば幸いです。
以上、AWS事業本部コンサルティング部の芦沢(@ashi_ssan)でした。