AWS上の不正操作を検知する

概要

AWS アカウントのセキュリティ向上の流れをまとめる。

関連サービス

  • Security Hub
  • CloudTrail
  • Config

CloudTrail の有効化

SNS トピックの作成

アラートの設定

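#!/usr/bin/env bash
# CIS AWS Foundations Benchmark section 3 monitoring: create one CloudWatch
# Logs metric filter per control on the CloudTrail log group. Each filter
# publishes metric value 1 into the CIS-Benchmark namespace whenever a
# matching CloudTrail event is written; the alarms are defined separately
# and reference the metric names used here, so keep them in sync.
#
# The original post redacted the profile and the trusted IP; the values
# below are placeholders and must be replaced before running.
set -euo pipefail

log_group='CloudTrail/DefaultLogGroup'
namespace='CIS-Benchmark'
region='ap-northeast-1'
profile='*********'   # placeholder: AWS CLI profile of the audited account

#######################################
# Create (or overwrite) one metric filter on the CloudTrail log group.
# Globals:   log_group, namespace, region, profile (read)
# Arguments: $1 - filter name
#            $2 - CloudWatch Logs filter pattern
#            $3 - metric name (optional; defaults to the filter name)
# Returns:   exit status of the aws CLI call; with set -e a failure aborts
#            the script so a missing filter is not silently skipped
#######################################
put_filter() {
  local filter_name=$1
  local pattern=$2
  local metric_name=${3:-$1}
  aws logs put-metric-filter \
    --log-group-name "$log_group" \
    --filter-name "$filter_name" \
    --metric-transformations "metricName=${metric_name},metricNamespace=${namespace},metricValue=1" \
    --filter-pattern "$pattern" \
    --region "$region" \
    --profile "$profile"
}

put_filter CIS-3.1-UnauthorizedAPICalls \
  '{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}'
put_filter CIS-3.2-ConsoleSigninWithoutMFA \
  '{($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed !="Yes")}'
# Root usage: exclude service-initiated events so AWS-internal root activity
# does not page anyone.
put_filter CIS-3.3-RootAccountUsage \
  '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
put_filter CIS-3.4-IAMPolicyChanges \
  '{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}'
put_filter CIS-3.5-CloudTrailChanges \
  '{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}'
put_filter CIS-3.6-ConsoleAuthenticationFailure \
  '{($.eventName=ConsoleLogin) && ($.errorMessage="Failed authentication")}'
put_filter CIS-3.7-DisableOrDeleteCMK \
  '{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}'
put_filter CIS-3.8-S3BucketPolicyChanges \
  '{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}'
put_filter CIS-3.9-AWSConfigChanges \
  '{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}'
put_filter CIS-3.10-SecurityGroupChanges \
  '{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}'
put_filter CIS-3.11-NetworkACLChanges \
  '{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}'
put_filter CIS-3.12-NetworkGatewayChanges \
  '{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}'
put_filter CIS-3.13-RouteTableChanges \
  '{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}'
put_filter CIS-3.14-VPCChanges \
  '{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}'
# Custom control: console logins from anywhere but the trusted address.
# "***.***.***.***" is a placeholder for that address. The filter name and
# the metric name differ here (Home vs TOC) and the alarm references the
# metric name, so the metric name is kept as the original post had it.
# The original post omitted --profile on this one call, which would have
# created the filter under the default profile instead of the audited
# account; it now goes through put_filter like the others.
put_filter CIS-LoginsFromOutsideHome \
  '{($.eventName="ConsoleLogin") && ($.sourceIPAddress !="***.***.***.***")}' \
  CIS-LoginsFromOutsideTOC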


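#!/usr/bin/env bash
# CIS AWS Foundations Benchmark section 3 monitoring: create one CloudWatch
# alarm per metric filter. Every alarm sums the metric over a single
# 5-minute period and notifies the Security-Alert SNS topic when the sum
# reaches its threshold. Metric names must match those used when the
# metric filters were created.
#
# The original post redacted the profile and the SNS account id; the values
# below are placeholders and must be replaced before running.
set -euo pipefail

namespace='CIS-Benchmark'
region='ap-northeast-1'
profile='*********'   # placeholder: AWS CLI profile of the audited account
sns_topic='arn:aws:sns:ap-northeast-1:************:Security-Alert'   # placeholder account id
# Link placed in every alarm description so the responder lands on the log group.
log_link='CloudWatch Logs: https://ap-northeast-1.console.aws.amazon.com/cloudwatch/home?region=ap-northeast-1#logStream:group=CloudTrail/DefaultLogGroup'

#######################################
# Create (or overwrite) one alarm on a CIS-Benchmark metric.
# Globals:   namespace, region, profile, sns_topic, log_link (read)
# Arguments: $1 - alarm name
#            $2 - metric name (optional; defaults to the alarm name)
#            $3 - threshold (optional; defaults to 1, i.e. alert on the
#                 first matching event in the 5-minute window)
# Returns:   exit status of the aws CLI call; with set -e a failure aborts
#            the script so a missing alarm is not silently skipped
#######################################
put_alarm() {
  local alarm_name=$1
  local metric_name=${2:-$1}
  local threshold=${3:-1}
  # notBreaching keeps the alarm in OK when no events arrive at all, which
  # is the normal state for these metrics.
  aws cloudwatch put-metric-alarm \
    --alarm-name "$alarm_name" \
    --alarm-description "$log_link" \
    --metric-name "$metric_name" \
    --statistic Sum \
    --period 300 \
    --threshold "$threshold" \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --treat-missing-data notBreaching \
    --namespace "$namespace" \
    --alarm-actions "$sns_topic" \
    --region "$region" \
    --profile "$profile"
}

# The original post set 2 for unauthorized API calls (presumably to tolerate
# a single stray AccessDenied) and 1 for everything else.
put_alarm CIS-3.1-UnauthorizedAPICalls CIS-3.1-UnauthorizedAPICalls 2
put_alarm CIS-3.2-ConsoleSigninWithoutMFA
put_alarm CIS-3.3-RootAccountUsage
put_alarm CIS-3.4-IAMPolicyChanges
put_alarm CIS-3.5-CloudTrailChanges
put_alarm CIS-3.6-ConsoleAuthenticationFailure
put_alarm CIS-3.7-DisableOrDeleteCMK
put_alarm CIS-3.8-S3BucketPolicyChanges
put_alarm CIS-3.9-AWSConfigChanges
put_alarm CIS-3.10-SecurityGroupChanges
put_alarm CIS-3.11-NetworkACLChanges
put_alarm CIS-3.12-NetworkGatewayChanges
put_alarm CIS-3.13-RouteTableChanges
put_alarm CIS-3.14-VPCChanges
# Alarm name and metric name differ for the custom login control; the metric
# name is what the filter publishes, so it is kept as the original post had it.
put_alarm CIS-LoginsFromOutsideHOME CIS-LoginsFromOutsideTOC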