A recent update added the following two templates to the AWS Config conformance packs:
- CIS compliance pack template
  - Helps verify compliance with CIS requirements. Note, however, that it does not cover every CIS requirement; it covers only the requirements that can be checked with Config rules.
- AWS Control Tower Detective Guardrails Conformance Pack
  - Contains all of the AWS Config rule based guardrails from AWS Control Tower. You can use this conformance pack to apply the AWS Control Tower detective guardrails to existing accounts before enrolling them in AWS Control Tower, or to manage resources in accounts in regions that AWS Control Tower does not currently support.
Why this is good news
What is a conformance pack?
A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity to an account and region, or across an entire organization in AWS Organizations.
Deployed through CloudFormation, so it can be customized
Taking the newly released "CIS compliance pack template" as an example, you might think: if what you want is AWS Config rules for the CIS benchmark, why not just enable "CIS AWS Foundations Benchmark v1.2.0" in AWS Security Hub? I thought so too.
When I asked a colleague, "Isn't Security Hub enough for this?", the answer was that Security Hub's rules are fully managed, so the only per-rule adjustment available is enabling or disabling each one.
A conformance pack, on the other hand, is customizable, so the advantage is that you can make individual adjustments such as tuning the scope of a rule. That makes sense!
Also, in regions where Security Hub or Control Tower is not available, this conformance pack can serve as a substitute.
Let's try it
Let's get started right away.
Steps
Deploying a conformance pack takes the following three steps:
- Create the service-linked role
- Create the S3 bucket for the template and its bucket policy
- Deploy the conformance pack
Creating the service-linked role
Create the service-linked role with the AWS CLI, following the official guide.
$ aws iam create-service-linked-role --aws-service-name config-conforms.amazonaws.com \
    --description "my service linked role for config-conforms"
Role:
  Arn: arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
  AssumeRolePolicyDocument:
    Statement:
    - Action:
      - sts:AssumeRole
      Effect: Allow
      Principal:
        Service:
        - config-conforms.amazonaws.com
    Version: '2012-10-17'
  CreateDate: '2020-04-30T08:52:00+00:00'
  Path: /aws-service-role/config-conforms.amazonaws.com/
  RoleId: AROAXXXXXXXXXXXXXXXXX
  RoleName: AWSServiceRoleForConfigConforms
Creating the S3 bucket for the template and its bucket policy
Next, create an S3 bucket to hold the template and write a bucket policy that lets the service-linked role created above access it. Replace <AccountId>, <delivery-bucket-name>, and <[optional] prefix> with the values for your environment.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigConformsBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>"
    },
    {
      "Sid": "AWSConfigConformsBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>/<[optional] prefix>/AWSLogs/<AccountId>/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "AWSConfigConformsBucketReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>/<[optional] prefix>/AWSLogs/<AccountId>/Config/*"
    }
  ]
}
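To confirm that the placeholders above were filled in correctly before attaching the policy, here is an added Python example (not code from the original post) that renders the same three-statement policy for given values and then lints the result: it checks that the service-linked role gets exactly the three actions, that the PutObject grant keeps the bucket-owner-full-control ACL condition, and that nothing broader (a wildcard principal or s3:*) crept in. The account ID, bucket name and prefix used in the __main__ block are constructed sample values, not real identifiers.

```python
import json
import re

# ARN of the service-linked role created in the previous step (account ID filled in later).
SERVICE_LINKED_ROLE = (
    "arn:aws:iam::{account_id}:role/aws-service-role/"
    "config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
)
# The only S3 actions the delivery bucket needs to grant to that role.
REQUIRED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject", "s3:GetObject"}


def _object_arn(account_id, bucket, prefix):
    """Object ARN pattern for the delivery path; the prefix is optional."""
    prefix = prefix.strip("/")
    path = f"{prefix}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/Config/*"


def render_delivery_bucket_policy(account_id, bucket, prefix=""):
    """Build the bucket policy from the post with the placeholders substituted."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    role_arn = SERVICE_LINKED_ROLE.format(account_id=account_id)
    objects = _object_arn(account_id, bucket, prefix)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSConfigConformsBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {"AWS": [role_arn]},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSConfigConformsBucketDelivery",
                "Effect": "Allow",
                "Principal": {"AWS": [role_arn]},
                "Action": "s3:PutObject",
                "Resource": objects,
                # The service must hand ownership of delivered objects to the bucket owner.
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "AWSConfigConformsBucketReadAccess",
                "Effect": "Allow",
                "Principal": {"AWS": [role_arn]},
                "Action": "s3:GetObject",
                "Resource": objects,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_delivery_bucket_policy(policy, account_id):
    """Lint a delivery bucket policy; returns a list of findings (empty means OK)."""
    role_arn = SERVICE_LINKED_ROLE.format(account_id=account_id)
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = _as_list(stmt.get("Action", []))
        if "*" in aws_principals:
            findings.append(f"{sid}: grants access to any principal (*)")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: grants wildcard S3 actions")
        if role_arn in aws_principals:
            granted.update(actions)
            if "s3:PutObject" in actions:
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                    findings.append(f"{sid}: PutObject is missing the bucket-owner-full-control ACL condition")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("service-linked role is missing: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed sample values (hypothetical account ID and bucket name).
    policy = render_delivery_bucket_policy("123456789012", "example-config-conforms-delivery", "packs")
    print(json.dumps(policy, indent=2))
    print("findings:", check_delivery_bucket_policy(policy, "123456789012"))
```

The linter is deliberately stricter than "does the role have what it needs": a delivery bucket collects compliance evidence, so the check also fails on any statement that opens the bucket to every principal or to all S3 actions.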
Open the AWS Config management console and click [Deploy conformance pack].
Select [Use sample template] and choose a sample template from the dropdown menu. AWS Control Tower Detective Guardrails and Operational Best Practices for CIS have been added.
This time, let's try Operational Best Practices for CIS.
Enter a conformance pack name of your choice, select the S3 bucket created earlier, and click Next.
Review the contents and click [Deploy conformance pack].
After a short wait, the deployment completes.
Verification
Looking at the deployed conformance pack, it contained the rules listed below. No remediation actions appear to be built in.
Sample templates
The templates are CloudFormation written in YAML. You can also customize a sample template and deploy the result.
CIS compliance pack template
################################################################################
#
# Conformance Pack:
#   CIS compliance rules
#
# This conformance pack helps verify compliance with CIS requirements. Note that
# this will not cover all CIS requirements but only those that can be covered
# using Config Rules
################################################################################
Resources:
  MFAEnabledForIamConsoleAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: MFAEnabledForIamConsoleAccess
      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
        for all AWS Identity and Access Management (IAM) users that use a console
        password. The rule is compliant if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
      MaximumExecutionFrequency: Twelve_Hours
  IAMUserUnusedCredentialCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMUserUnusedCredentialCheck
      Description: Checks whether your AWS Identity and Access Management (IAM) users
        have passwords or active access keys that have not been used within the specified
        number of days you provided.
      InputParameters:
        maxCredentialUsageAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      MaximumExecutionFrequency: Twelve_Hours
  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: AccessKeysRotated
      Description: Checks whether the active access keys are rotated within the number
        of days specified in maxAccessKeyAge. The rule is non-compliant if the access
        keys have not been rotated for more than maxAccessKeyAge number of days.
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: Twelve_Hours
  IAMPasswordPolicyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMPasswordPolicyCheck
      Description: Checks whether the account password policy for IAM users meets
        the specified requirements.
      InputParameters:
        RequireUppercaseCharacters: true
        RequireLowercaseCharacters: true
        RequireSymbols: true
        RequireNumbers: true
        MinimumPasswordLength: 14
        PasswordReusePrevention: 24
        MaxPasswordAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
      MaximumExecutionFrequency: Twelve_Hours
  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMRootAccessKeyCheck
      Description: Checks whether the root user access key is available.
        The rule is compliant if the user access key does not exist.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
      MaximumExecutionFrequency: Twelve_Hours
  RootAccountMFAEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RootAccountMFAEnabled
      Description: Checks whether the root user of your AWS account requires multi-factor
        authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  RootAccountHardwareMFAEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RootAccountHardwareMFAEnabled
      Description: Checks whether your AWS account is enabled to use multi-factor
        authentication (MFA) hardware device to sign in with root credentials.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  IAMUserNoPoliciesCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMUserNoPoliciesCheck
      Description: Checks that none of your IAM users have policies attached. IAM
        users must inherit permissions from IAM groups or roles.
      Scope:
        ComplianceResourceTypes:
        - AWS::IAM::User
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
  IAMSupportPolicyInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMSupportPolicyInUse
      Description: Checks that the 'AWSSupportAccess' managed policy is attached to any IAM user, group, or role
      InputParameters:
        policyARN: arn:aws:iam::aws:policy/AWSSupportAccess
        policyUsageType: ANY
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_IN_USE
      MaximumExecutionFrequency: Twelve_Hours
  IAMPolicyNoStatementWithAdminAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMPolicyNoStatementWithAdminAccess
      Description: Checks whether the default version of AWS Identity and Access
        Management (IAM) policies do not have administrator access.
      Scope:
        ComplianceResourceTypes:
        - AWS::IAM::Policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
  MultiRegionCloudTrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: MultiRegionCloudTrailEnabled
      Description: Checks that there is at least one multi-region AWS CloudTrail.
        The rule is non-compliant if the trails do not match input parameters
      Source:
        Owner: AWS
        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  CloudTrailLogFileValidationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailLogFileValidationEnabled
      Description: Checks whether AWS CloudTrail creates a signed digest file with
        logs
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Description: Checks that your Amazon S3 buckets do not allow public read access.
        The rule checks the Block Public Access settings, the bucket policy, and the
        bucket access control list (ACL).
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketPublicWriteProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicWriteProhibited
      Description: Checks that your Amazon S3 buckets do not allow public write access.
        The rule checks the Block Public Access settings, the bucket policy, and the
        bucket access control list (ACL).
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      MaximumExecutionFrequency: Twelve_Hours
  CloudTrailCloudWatchLogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailCloudWatchLogsEnabled
      Description: Checks whether AWS CloudTrail trails are configured to send logs
        to Amazon CloudWatch logs.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketLoggingEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketLoggingEnabled
      Description: Checks whether logging is enabled for your S3 buckets.
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
  CloudTrailEncryptionEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailEncryptionEnabled
      Description: Checks whether AWS CloudTrail is configured to use the server side
        encryption (SSE) AWS Key Management Service (AWS KMS) customer master key
        (CMK) encryption.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  CMKBackingKeyRotationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CMKBackingKeyRotationEnabled
      Description: Checks that key rotation is enabled for each key and matches to
        the key ID of the customer created customer master key (CMK). The rule is
        compliant, if the key rotation is enabled for specific key object.
      Source:
        Owner: AWS
        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  VPCFlowLogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: VPCFlowLogsEnabled
      Description: Checks whether Amazon Virtual Private Cloud flow logs are found
        and enabled for Amazon VPC.
      InputParameters:
        trafficType: REJECT
      Source:
        Owner: AWS
        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  IncomingSSHDisabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IncomingSSHDisabled
      Description: Checks whether the incoming SSH traffic for the security groups is accessible.
        The rule is COMPLIANT when the IP addresses of the incoming SSH traffic in the security
        groups are restricted. This rule applies only to IPv4.
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  RestrictedIncomingTraffic:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RestrictedIncomingTraffic
      Description: Checks whether security groups that are in use disallow unrestricted
        incoming TCP traffic to the specified ports.
      InputParameters:
        blockedPort1: 3389
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
  VPCDefaultSecurityGroupClosed:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: VPCDefaultSecurityGroupClosed
      Description: Checks that the default security group of any Amazon Virtual Private
        Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant
        if the default security group has one or more inbound or outbound traffic.
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
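The post's point is that, unlike Security Hub, a conformance pack template can be customized: parameters tuned, a rule's scope narrowed, rules dropped for a region where they do not apply. The following added Python example (not part of the original post or of the AWS sample template) shows that on a three-rule subset of the CIS template above and emits the result as JSON, which AWS Config accepts for conformance pack templates alongside YAML. The 60-day rotation age, the extra blocked port 3306 and the DataClassification tag are hypothetical values chosen for illustration; validate() is a local sanity check of the template's shape and does not replace the checks the conformance pack service performs at deployment.

```python
import copy
import json

# Resource types a conformance pack template may contain.
ALLOWED_TYPES = {"AWS::Config::ConfigRule", "AWS::Config::RemediationConfiguration"}
# Valid MaximumExecutionFrequency values for a Config rule.
ALLOWED_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}

# Three rules transcribed from the CIS sample template above (descriptions omitted).
CIS_SUBSET = {
    "Resources": {
        "AccessKeysRotated": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": "AccessKeysRotated",
                "InputParameters": {"maxAccessKeyAge": 90},
                "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
                "MaximumExecutionFrequency": "Twelve_Hours",
            },
        },
        "S3BucketPublicReadProhibited": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": "S3BucketPublicReadProhibited",
                "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
                "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
                "MaximumExecutionFrequency": "Twelve_Hours",
            },
        },
        "RestrictedIncomingTraffic": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": "RestrictedIncomingTraffic",
                "InputParameters": {"blockedPort1": 3389},
                "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
                "Source": {"Owner": "AWS", "SourceIdentifier": "RESTRICTED_INCOMING_TRAFFIC"},
            },
        },
    }
}


def _props(template, logical_id):
    return template["Resources"][logical_id]["Properties"]


def set_input_parameter(template, logical_id, key, value):
    """Return a copy with one InputParameters value changed (the original is untouched)."""
    t = copy.deepcopy(template)
    _props(t, logical_id).setdefault("InputParameters", {})[key] = value
    return t


def scope_to_tag(template, logical_id, tag_key, tag_value):
    """Return a copy whose rule evaluates only resources carrying the given tag.
    This replaces the resource-type scope with a tag scope."""
    t = copy.deepcopy(template)
    _props(t, logical_id)["Scope"] = {"TagKey": tag_key, "TagValue": tag_value}
    return t


def drop_rule(template, logical_id):
    """Return a copy without the given rule (for regions where it does not apply)."""
    t = copy.deepcopy(template)
    del t["Resources"][logical_id]
    return t


def validate(template):
    """Local shape check; returns a list of problems (empty means the shape is OK)."""
    problems, seen = [], set()
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") not in ALLOWED_TYPES:
            problems.append(f"{lid}: unexpected Type {res.get('Type')!r}")
            continue
        if res["Type"] != "AWS::Config::ConfigRule":
            continue
        p = res.get("Properties", {})
        name = p.get("ConfigRuleName")
        if not name:
            problems.append(f"{lid}: missing ConfigRuleName")
        elif name in seen:
            problems.append(f"{lid}: duplicate ConfigRuleName {name!r}")
        seen.add(name)
        src = p.get("Source", {})
        if not src.get("Owner") or not src.get("SourceIdentifier"):
            problems.append(f"{lid}: Source needs Owner and SourceIdentifier")
        freq = p.get("MaximumExecutionFrequency")
        if freq is not None and freq not in ALLOWED_FREQUENCIES:
            problems.append(f"{lid}: invalid MaximumExecutionFrequency {freq!r}")
    return problems


def build_customized(template):
    """Hypothetical tuning: tighter key rotation, one more blocked port, tag-scoped S3 rule."""
    t = set_input_parameter(template, "AccessKeysRotated", "maxAccessKeyAge", 60)
    t = set_input_parameter(t, "RestrictedIncomingTraffic", "blockedPort2", 3306)
    return scope_to_tag(t, "S3BucketPublicReadProhibited", "DataClassification", "confidential")


if __name__ == "__main__":
    customized = build_customized(CIS_SUBSET)
    print("problems:", validate(customized))
    print(json.dumps(customized, indent=2))  # JSON template ready to upload
```

Every helper returns a modified copy, so the sample template you start from stays pristine and each customized variant (per environment or per region) can be generated from it and checked before upload.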
AWS Control Tower Detective Guardrails Conformance Pack
###################################################################################
#
# Conformance Pack:
#   AWS Control Tower Detective Guardrails Conformance Pack
#
# The AWS Control Tower detective guardrails conformance pack contains all of the
# AWS Config Rules based guardrails from AWS Control Tower. Use this conformance
# pack to apply AWS Control Tower detective guardrails to your existing accounts
# prior to enrolling them in AWS Control Tower or to manage resources in your
# accounts in regions not currently supported by AWS Control Tower.
###################################################################################
Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::Instance
  CheckForEc2VolumesInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEc2VolumesInUse
      Description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances
      InputParameters:
        deleteOnTermination: None
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::Volume
  CheckForEncryptedVolumes:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEncryptedVolumes
      Description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted.
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::Volume
  CheckForIAMUserMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForIAMUserMFA
      Description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. The rule is COMPLIANT if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED
      MaximumExecutionFrequency: One_Hour
  CheckForIAMUserConsoleMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForIAMUserConsoleMFA
      Description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
      MaximumExecutionFrequency: One_Hour
  CheckForRdsPublicAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRdsPublicAccess
      Description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
      Scope:
        ComplianceResourceTypes:
        - AWS::RDS::DBInstance
  CheckForPublicRdsSnapshots:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForPublicRdsSnapshots
      Description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
      Scope:
        ComplianceResourceTypes:
        - AWS::RDS::DBSnapshot
  CheckForRdsStorageEncryption:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRdsStorageEncryption
      Description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_STORAGE_ENCRYPTED
      Scope:
        ComplianceResourceTypes:
        - AWS::RDS::DBInstance
  CheckForRestrictedCommonPortsPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRestrictedCommonPortsPolicy
      Description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.
      InputParameters:
        blockedPort1: 20
        blockedPort2: 21
        blockedPort3: 3389
        blockedPort4: 3306
        blockedPort5: 4333
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
  CheckForRestrictedSshPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRestrictedSshPolicy
      Description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  CheckForRootMfa:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRootMfa
      Description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
      MaximumExecutionFrequency: One_Hour
  CheckForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3PublicRead
      Description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
  CheckForS3PublicWrite:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3PublicWrite
      Description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
  CheckForS3VersioningEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3VersioningEnabled
      Description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
      Scope:
        ComplianceResourceTypes:
        - AWS::S3::Bucket
Finally
Enabling a Security Hub security standard also deploys rules into AWS Config, but the per-rule adjustment there is limited to ON or OFF. If you need the flexibility to adjust the scope of individual rules, consider using a conformance pack.
That's all! This was Marumo (@marumo1981) from the Osaka office!