[CDK] Verifying Slack notifications for security-related services
Introduction
This time I tried implementing Slack notifications for security matters with CDK. Services that have no direct Chatbot integration fire events through EventBridge, and the notification then follows the SNS -> Chatbot flow.
* Since this post is somewhat long, several items are collapsed.
Related articles
[CDK] Since Cost Anomaly Detection integrates with Chatbot, I implemented it in CDK [Updated]
[CDK] Notifying ECR image scan results to Slack via Chatbot
Security Hub
Q: What is AWS Security Hub?
AWS Security Hub provides a comprehensive view of your security state within AWS and indicates whether it complies with security standards and best practices. By centralizing and prioritizing security findings from AWS accounts, services and supported third-party partner products, AWS Security Hub lets you analyze security trends and identify the most important security issues.
In short
- Aggregation of security data and centralized visualization
- Automated compliance checks based on industry standards and best practices
Targets

| Service | Findings sent to Security Hub |
|---|---|
| Amazon GuardDuty | All findings from threat detection |
| Amazon Inspector | All findings from security assessments |
| Amazon Macie | Findings for policy violations |
| AWS IAM Access Analyzer | Findings when a policy statement in your own account that allows external access is detected |
| AWS Firewall Manager | Findings when an AWS WAF policy or Web ACL rule is non-compliant; findings when a resource is not protected by AWS Shield Advanced or an attack is detected |
| AWS Systems Manager Patch Manager | Findings when an EC2 instance does not comply with the compliance rules based on its patch baseline |
AWS Foundational Security Best Practices v1.0.0
A set of automated security checks that detect whether AWS accounts and deployed resources comply with security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture on AWS and covers the most popular foundational AWS services.
CIS AWS Foundations Benchmark v1.2.0
The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of best practices for AWS security settings. This Security Hub standard automatically checks compliance readiness against a subset of the CIS requirements.
PCI DSS v3.2.1
The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process or transmit cardholder data. This Security Hub standard automatically checks compliance readiness against a subset of the PCI DSS requirements.
Reference
AWS Black Belt - AWS Security Hub
Config
Q: What is AWS Config?
AWS Config provides a detailed view of the configuration of the AWS resources in your AWS account. This includes the relationships between resources and their configuration history, so you can see how configurations and relationships change over time.
In short
- Logs configuration changes to AWS resources (records which service, who, when and what)
* Config also has an evaluation feature called Config Rules, but it is omitted here.
Supported resource types
Reference
AWS Black Belt - AWS Config
GuardDuty
Q: What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors and protects AWS accounts, workloads and data stored in Amazon Simple Storage Service (Amazon S3). GuardDuty analyzes the continuous stream of metadata generated from the account, together with network activity in AWS CloudTrail events, Amazon Virtual Private Cloud (VPC) flow logs and Domain Name System (DNS) logs. It also uses known malicious IP addresses, anomaly detection, integrated threat intelligence and machine learning (ML) to identify threats more accurately.
In short
- Detects threat risks by analyzing CloudTrail event logs, VPC flow logs and DNS logs as data sources
- Identifies threats using malicious IP addresses and domains, anomaly detection and machine learning
- Protects data stored in S3 (monitoring and profiling of data access events and configuration)
Categories
Malicious scans
- Instance reconnaissance: port probe / accepted communication; port scan (inside the VPC); brute-force attack (IP address); drop point (IP address); Tor communication
- Account reconnaissance: Tor API call (failed)
Threats to instances
- C&C activity; malicious domain request; EC2 threat list; drop point IP address; malicious communication (ASIS); Bitcoin mining; outbound DDoS; spambot activity; outbound SSH brute force; unusual network port; unusual traffic volume / direction; unusual DNS request; domain generation algorithm
Threats to accounts
- Malicious API call (malicious IP address); Tor API call (accepted); CloudTrail disabled; password policy change; unusual instance launch; unusual region activity; suspicious console login; unusual ISP caller; mutating API calls (create, update, delete); high volume of Describe calls; unusual IAM user addition
| Finding type | Resource | Data source | Severity |
|---|---|---|---|
| Backdoor:EC2/C&CActivity.B | EC2 | VPC flow logs | High |
| Backdoor:EC2/C&CActivity.B!DNS | EC2 | DNS logs | High |
| Backdoor:EC2/DenialOfService.Dns | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Tcp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Udp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UdpOnTcpPorts | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UnusualProtocol | EC2 | VPC flow logs | High |
| Backdoor:EC2/Spambot | EC2 | VPC flow logs | Medium |
| Behavior:EC2/NetworkPortUnusual | EC2 | VPC flow logs | Medium |
| Behavior:EC2/TrafficVolumeUnusual | EC2 | VPC flow logs | Medium |
| CredentialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| CredentialAccess:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| CryptoCurrency:EC2/BitcoinTool.B | EC2 | VPC flow logs | High |
| CryptoCurrency:EC2/BitcoinTool.B!DNS | EC2 | DNS logs | High |
| DefenseEvasion:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| DefenseEvasion:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| Discovery:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Low |
| Discovery:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:S3/MaliciousIPCaller | S3 | CloudTrail S3 data events | High |
| Discovery:S3/MaliciousIPCaller.Custom | S3 | CloudTrail S3 data events | High |
| Discovery:S3/TorIPCaller | S3 | CloudTrail S3 data events | Medium |
| Execution:Kubernetes/ExecInKubeSystemPod | Kubernetes | Kubernetes audit logs | Medium |
| PenTest:IAMUser/KaliLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/ParrotLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/PentooLinux | IAM | CloudTrail management events | Medium |
| PenTest:S3/KaliLinux | S3 | CloudTrail S3 data events | Medium |
| PenTest:S3/ParrotLinux | S3 | CloudTrail S3 data events | Medium |
| PenTest:S3/PentooLinux | S3 | CloudTrail S3 data events | Medium |
| Persistence:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| Persistence:Kubernetes/ContainerWithSensitiveMount | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| Persistence:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Policy:IAMUser/RootCredentialUsage | IAM | CloudTrail management events or CloudTrail data events | Low |
| Policy:Kubernetes/AdminAccessToDefaultServiceAccount | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/AnonymousAccessGranted | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/KubeflowDashboardExposed | Kubernetes | Kubernetes audit logs | Medium |
| Policy:Kubernetes/ExposedDashboard | Kubernetes | Kubernetes audit logs | Medium |
| Policy:S3/AccountBlockPublicAccessDisabled | S3 | CloudTrail management events | Low |
| Policy:S3/BucketAnonymousAccessGranted | S3 | CloudTrail management events | High |
| Policy:S3/BucketBlockPublicAccessDisabled | S3 | CloudTrail management events | Low |
| Policy:S3/BucketPublicAccessGranted | S3 | CloudTrail management events | High |
| PrivilegeEscalation:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| PrivilegeEscalation:Kubernetes/PrivilegedContainer | Kubernetes | Kubernetes audit logs | Medium |
| Recon:EC2/PortProbeEMRUnprotectedPort | EC2 | VPC flow logs | High |
| Recon:EC2/PortProbeUnprotectedPort | EC2 | VPC flow logs | Low |
| Recon:EC2/Portscan | EC2 | VPC flow logs | Medium |
| Recon:IAMUser/MaliciousIPCaller | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/TorIPCaller | IAM | CloudTrail management events | Medium |
| Stealth:IAMUser/CloudTrailLoggingDisabled | IAM | CloudTrail management events | Low |
| Stealth:IAMUser/PasswordPolicyChange | IAM | CloudTrail management events | Low |
| Stealth:S3/ServerAccessLoggingDisabled | S3 | CloudTrail management events | Low |
| Trojan:EC2/BlackholeTraffic | EC2 | VPC flow logs | Medium |
| Trojan:EC2/BlackholeTraffic!DNS | EC2 | DNS logs | Medium |
| Trojan:EC2/DGADomainRequest.B | EC2 | DNS logs | High |
| Trojan:EC2/DGADomainRequest.C!DNS | EC2 | DNS logs | High |
| Trojan:EC2/DNSDataExfiltration | EC2 | DNS logs | High |
| Trojan:EC2/DriveBySourceTraffic!DNS | EC2 | DNS logs | High |
| Trojan:EC2/DropPoint | EC2 | VPC flow logs | Medium |
| Trojan:EC | | | |
Looking at the list of finding types above, GuardDuty analyzes data sources such as VPC flow logs and notifies you when each of EC2, IAM, S3 and EKS carries a potential risk.
Reference
AWS Black Belt - Amazon GuardDuty
CloudTrail
Q: What is AWS CloudTrail?
AWS CloudTrail enables auditing, security monitoring and operational troubleshooting by tracking user activity and API usage. CloudTrail records account activity related to your AWS infrastructure and continuously monitors, retains, stores and analyzes it, and controls remediation actions.
In short
- Records, stores and analyzes API operations against AWS
| AWS service | CloudTrail topics | Support began |
|---|---|---|
| Alexa for Business | Logging Alexa for Business Administration Calls Using AWS CloudTrail | 11/29/2017 |
| AWS Amplify | Logging Amplify API calls using AWS CloudTrail | 11/30/2020 |
| AWS Audit Manager | Logging AWS Audit Manager API calls with AWS CloudTrail | 12/07/2020 |
| Amazon API Gateway | Log API management calls to Amazon API Gateway Using AWS CloudTrail | 07/09/2015 |
| Amazon Connect | Logging Amazon Connect API Calls with AWS CloudTrail | 12/11/2019 |
| Application Auto Scaling | Logging Application Auto Scaling API calls with AWS CloudTrail | 10/31/2016 |
| AWS Application Discovery Service | Logging Application Discovery Service API Calls with AWS CloudTrail | 05/12/2016 |
| Amazon AppFlow | Logging Amazon AppFlow API calls with AWS CloudTrail | 04/22/2020 |
| AWS App Mesh | Logging App Mesh API Calls with AWS CloudTrail | AWS App Mesh: 10/30/2019; App Mesh Envoy Management Service: 03/18/2022 |
| AWS App Runner | Logging App Runner API calls with AWS CloudTrail | 05/18/2021 |
| Amazon AppStream 2.0 | Logging Amazon AppStream 2.0 API Calls with AWS CloudTrail | 04/25/2019 |
| AWS AppSync | Logging AWS AppSync API Calls with AWS CloudTrail | 02/13/2018 |
| Amazon Athena | Logging Amazon Athena API Calls with AWS CloudTrail | 05/19/2017 |
| AWS Auto Scaling | Logging AWS Auto Scaling API Calls By Using CloudTrail | 08/15/2018 |
| AWS Backup | Logging AWS Backup API Calls with AWS CloudTrail | 02/04/2019 |
| AWS Batch | Logging AWS Batch API Calls with AWS CloudTrail | 01/10/2018 |
| AWS Billing and Cost Management | Logging AWS Billing and Cost Management API Calls with AWS CloudTrail | 06/07/2018 |
| AWS BugBust | Logging BugBust API calls using CloudTrail | 06/24/2021 |
| AWS Certificate Manager | Using AWS CloudTrail | 03/25/2016 |
| AWS Certificate Manager Private Certificate Authority | Using CloudTrail | 06/06/2019 |
| Amazon Chime | Log Amazon Chime Administration Calls Using AWS CloudTrail | 09/27/2017 |
| Amazon Cloud Directory | Logging Amazon Cloud Directory API Calls Using AWS CloudTrail | 01/26/2017 |
| AWS Cloud9 | Logging AWS Cloud9 API Calls with AWS CloudTrail | 01/21/2019 |
| AWS CloudFormation | Logging AWS CloudFormation API Calls in AWS CloudTrail | 04/02/2014 |
| Amazon CloudFront | Using AWS CloudTrail to Capture Requests Sent to the CloudFront API | 05/28/2014 |
| AWS CloudHSM | Logging AWS CloudHSM API Calls By Using AWS CloudTrail | 01/08/2015 |
| AWS Cloud Map | Logging AWS Cloud Map API Calls with AWS CloudTrail | 11/28/2018 |
| Amazon CloudSearch | Logging Amazon CloudSearch Configuration Service Calls Using AWS CloudTrail | 10/16/2014 |
| AWS CloudTrail | AWS CloudTrail API Reference (All CloudTrail API calls are logged by CloudTrail.) | 11/13/2013 |
| Amazon CloudWatch | Logging Amazon CloudWatch API Calls in AWS CloudTrail | 04/30/2014 |
| CloudWatch Events | Logging Amazon CloudWatch Events API Calls in AWS CloudTrail | 01/16/2016 |
| CloudWatch Logs | Logging Amazon CloudWatch Logs API Calls in AWS CloudTrail | 03/10/2016 |
| AWS CodeBuild | Logging AWS CodeBuild API Calls with AWS CloudTrail | 12/01/2016 |
| AWS CodeCommit | Logging AWS CodeCommit API Calls with AWS CloudTrail | 01/11/2017 |
| AWS CodeDeploy | Monitoring Deployments with AWS CloudTrail | 12/16/2014 |
| Amazon CodeGuru Reviewer | Logging Amazon CodeGuru Reviewer API Calls with AWS CloudTrail | 12/02/2019 |
| AWS CodePipeline | Logging CodePipeline API Calls By Using AWS CloudTrail | 07/09/2015 |
| AWS CodeStar | Logging AWS CodeStar API Calls with AWS CloudTrail | 06/14/2017 |
| AWS CodeStar Notifications | Logging AWS CodeStar Notifications API Calls with AWS CloudTrail | 11/05/2019 |
| Amazon Cognito | Logging Amazon Cognito API Calls with AWS CloudTrail | 02/18/2016 |
| Amazon Comprehend | Logging Amazon Comprehend API Calls with AWS CloudTrail | 01/17/2018 |
| Amazon Comprehend Medical | Logging Amazon Comprehend Medical API Calls by Using AWS CloudTrail | 11/27/2018 |
| AWS Config | Logging AWS Config API Calls By with AWS CloudTrail | 02/10/2015 |
| AWS Control Tower | Logging AWS Control Tower Actions with AWS CloudTrail | 08/12/2019 |
| Amazon Data Lifecycle Manager | Logging Amazon Data Lifecycle Manager API Calls Using AWS CloudTrail | 07/24/2018 |
| AWS Data Pipeline | Logging AWS Data Pipeline API Calls by using AWS CloudTrail | 12/02/2014 |
| AWS Database Migration Service (AWS DMS) | Logging AWS Database Migration Service API Calls Using AWS CloudTrail | 02/04/2016 |
| AWS DataSync | Logging AWS DataSync API Calls with AWS CloudTrail | 11/26/2018 |
| Amazon Detective | Logging Amazon Detective API calls with AWS CloudTrail | 03/31/2020 |
| AWS Device Farm | Logging AWS Device Farm API Calls By Using AWS CloudTrail | 07/13/2015 |
| AWS Direct Connect | Logging AWS Direct Connect API Calls in AWS CloudTrail | 03/08/2014 |
| AWS Directory Service | Logging AWS Directory Service API Calls by Using CloudTrail | 05/14/2015 |
| Amazon DocumentDB (with MongoDB compatibility) | Logging Amazon DocumentDB API Calls with AWS CloudTrail | 01/09/2019 |
| Amazon DynamoDB | Logging DynamoDB Operations By Using AWS CloudTrail | 05/28/2015 |
| Amazon Elastic Container Registry (Amazon ECR) | Logging Amazon ECR API Calls By Using AWS CloudTrail | 12/21/2015 |
| Amazon Elastic Container Service (Amazon ECS) | Logging Amazon ECS API Calls By Using AWS CloudTrail | 04/09/2015 |
| AWS Elastic Beanstalk (Elastic Beanstalk) | Using Elastic Beanstalk API Calls with AWS CloudTrail | 03/31/2014 |
| Amazon Elastic Block Store (Amazon EBS) | Logging API Calls Using AWS CloudTrail; Log API Calls for the EBS direct APIs with AWS CloudTrail | Amazon EBS: 11/13/2013; EBS direct APIs: 06/30/2020 |
| Amazon Elastic Compute Cloud (Amazon EC2) | Logging API Calls Using AWS CloudTrail | 11/13/2013 |
| Amazon EC2 Auto Scaling | Logging Auto Scaling API Calls By Using CloudTrail | 07/16/2014 |
| Amazon EC2 Image Builder | Logging EC2 Image Builder API calls using CloudTrail | 12/02/2019 |
| Amazon Elastic File System (Amazon EFS) | Logging Amazon EFS API Calls with AWS CloudTrail | 06/28/2016 |
| Amazon Fraud Detector | Logging Amazon Fraud Detector API Calls with AWS CloudTrail | 01/09/2020 |
| Amazon GameSparks | Log GameSparks API calls with AWS CloudTrail | 03/23/2022 |
| Amazon Elastic Kubernetes Service (Amazon EKS) | Logging Amazon EKS API Calls with AWS CloudTrail | 06/05/2018 |
| Elastic Load Balancing | AWS CloudTrail Logging for Your Classic Load Balancer and AWS CloudTrail Logging for Your Application Load Balancer | 04/04/2014 |
| Amazon Elastic Transcoder | Logging Amazon Elastic Transcoder API Calls with AWS CloudTrail | 10/27/2014 |
| Amazon ElastiCache | Logging Amazon ElastiCache API Calls Using AWS CloudTrail | 09/15/2014 |
| Amazon OpenSearch Service | Auditing Amazon OpenSearch Service Domains with AWS CloudTrail | 10/01/2015 |
| AWS Elemental MediaConnect | Logging AWS Elemental MediaConnect API Calls with AWS CloudTrail | 11/27/2018 |
| AWS Elemental MediaConvert | Logging AWS Elemental MediaConvert API Calls with CloudTrail | 11/27/2017 |
| AWS Elemental MediaLive | Logging MediaLive API Calls with AWS CloudTrail | 01/19/2019 |
| AWS Elemental MediaPackage | Logging AWS Elemental MediaPackage API Calls with AWS CloudTrail | 12/21/2018 |
| AWS Elemental MediaStore | Logging AWS Elemental MediaStore API Calls with CloudTrail | 11/27/2017 |
| AWS Elemental MediaTailor | Logging AWS Elemental MediaTailor API Calls with AWS CloudTrail | 02/11/2019 |
| Amazon EMR | Logging Amazon EMR API Calls in AWS CloudTrail | 04/04/2014 |
| Amazon EMR on EKS | Logging Amazon EMR on EKS API calls using AWS CloudTrail | 12/09/2020 |
| AWS Fault Injection Simulator | Log API calls with AWS CloudTrail | 03/15/2021 |
| AWS Firewall Manager | Logging AWS Firewall Manager API Calls with AWS CloudTrail | 04/05/2018 |
| Amazon Forecast | Logging Amazon Forecast API Calls with AWS CloudTrail | 11/28/2018 |
| FreeRTOS Over-the-Air Updates (OTA) | Logging AWS IoT OTA API Calls with AWS CloudTrail | 05/22/2019 |
| Amazon FSx for Lustre | Logging Amazon FSx for Lustre API Calls with AWS CloudTrail | 01/11/2019 |
| Amazon FSx for Windows File Server | Monitoring with AWS CloudTrail | 11/28/2018 |
| Amazon GameLift | Logging Amazon GameLift API Calls with AWS CloudTrail | 01/27/2016 |
| Amazon S3 Glacier | Logging S3 Glacier API Calls By Using AWS CloudTrail | 12/11/2014 |
| AWS Global Accelerator | Logging AWS Global Accelerator API Calls with AWS CloudTrail | 11/26/2018 |
| AWS Glue | Logging AWS Glue Operations Using AWS CloudTrail | 11/07/2017 |
| AWS Ground Station | Logging AWS Ground Station API Calls with AWS CloudTrail | 05/31/2019 |
| Amazon GuardDuty | Logging Amazon GuardDuty API Calls with AWS CloudTrail | 02/12/2018 |
| AWS Health | Logging AWS Health API Calls with AWS CloudTrail | 11/21/2016 |
| Amazon HealthLake | Logging Amazon HealthLake API calls with AWS CloudTrail | 12/07/2020 |
| Amazon Honeycode | Logging Amazon Honeycode API Calls with AWS CloudTrail | 06/24/2020 |
| Amazon Inspector | Logging Amazon Inspector API calls with AWS CloudTrail | 04/20/2016 |
| Amazon Interactive Video Service | Logging Amazon IVS API Calls with AWS CloudTrail | 07/15/2020 |
| AWS IoT | Logging AWS IoT API Calls with AWS CloudTrail | 04/11/2016 |
| AWS IoT Analytics | Logging AWS IoT Analytics API calls with AWS CloudTrail | 04/23/2018 |
| AWS IoT 1-Click | Logging AWS IoT 1-Click API Calls with AWS CloudTrail | 05/14/2018 |
| AWS IoT Events | Logging AWS IoT Events API Calls with AWS CloudTrail | 06/11/2019 |
| AWS IoT Greengrass | Logging AWS IoT Greengrass API Calls with AWS CloudTrail | 10/29/2018 |
| AWS IoT Greengrass V2 | Log AWS IoT Greengrass V2 API calls with AWS CloudTrail | 12/14/2020 |
| AWS IoT SiteWise | Logging AWS IoT SiteWise API calls with AWS CloudTrail | 04/29/2020 |
| AWS IoT Things Graph | Logging AWS IoT Things Graph API Calls with AWS CloudTrail | 05/31/2019 |
| AWS Identity and Access Management (IAM) | Logging IAM Events with AWS CloudTrail | 11/13/2013 |
| Amazon Kendra | Logging Amazon Kendra API calls with AWS CloudTrail | 05/11/2020 |
| AWS Key Management Service (AWS KMS) | Logging AWS KMS API Calls using AWS CloudTrail | 11/12/2014 |
| Amazon Kinesis Data Analytics | Monitoring Amazon Kinesis Data Analytics with AWS CloudTrail (SQL Applications) and Monitoring Amazon Kinesis Data Analytics with AWS CloudTrail (Apache Flink Applications) | 03/22/2019 |
| Amazon Kinesis Data Firehose | Monitoring Amazon Kinesis Data Firehose API Calls with AWS CloudTrail | 03/17/2016 |
| Amazon Kinesis Data Streams | Logging Amazon Kinesis Data Streams API Calls Using AWS CloudTrail | 04/25/2014 |
| Amazon Kinesis Video Streams | Logging Kinesis Video Streams API Calls with AWS CloudTrail | 05/24/2018 |
| AWS Lake Formation | Logging AWS Lake Formation API Calls Using AWS CloudTrail | 08/09/2019 |
| AWS Lambda | Logging AWS Lambda API Calls By Using AWS CloudTrail; Using Lambda with AWS CloudTrail | Management events: 04/09/2015; Data events: 11/30/2017 |
| Amazon Lex | Logging Amazon Lex API Calls with CloudTrail | 08/15/2017 |
| AWS License Manager | Logging AWS License Manager API Calls with AWS CloudTrail | 03/01/2019 |
| Amazon Lightsail | Logging Lightsail API Calls with AWS CloudTrail | 12/23/2016 |
| Amazon Location Service | Logging and monitoring with AWS CloudTrail | 12/15/2020 |
| Amazon Lookout for Vision | Logging Amazon Lookout for Vision calls with AWS CloudTrail | 12/01/2020 |
| Amazon Lookout for Equipment | Monitoring Amazon Lookout for Equipment calls with AWS CloudTrail | 12/01/2020 |
| Amazon Lookout for Metrics | Viewing Amazon Lookout for Metrics API activity in AWS CloudTrail | 12/08/2020 |
| Amazon Machine Learning | Logging Amazon ML API Calls By Using AWS CloudTrail | 12/10/2015 |
| Amazon Macie | Log Amazon Macie API calls using AWS CloudTrail | 05/13/2020 |
| Amazon Managed Blockchain | Logging Amazon Managed Blockchain API calls using AWS CloudTrail; Logging Ethereum for Managed Blockchain API calls using AWS CloudTrail (Preview) | 04/01/2019 |
| Amazon Managed Grafana | Logging Amazon Managed Grafana API calls using AWS CloudTrail | 12/15/2020 |
| Amazon Managed Service for Prometheus | Logging Amazon Managed Service for Prometheus API calls using AWS CloudTrail | 12/15/2020 |
| Amazon Keyspaces (for Apache Cassandra) | Logging Amazon Keyspaces API calls with AWS CloudTrail | 01/13/2020 |
| AWS Managed Services | AWS Managed Services | 12/21/2016 |
| Amazon Managed Streaming for Apache Kafka | Logging Amazon MSK API Calls with AWS CloudTrail | 12/11/2018 |
| Amazon Managed Workflows for Apache Airflow | Monitoring Amazon MWAA API activity with AWS CloudTrail | 11/24/2020 |
| AWS Marketplace | Logging AWS Marketplace API Calls with AWS CloudTrail | 05/02/2017 |
| AWS Marketplace Metering Service | Logging AWS Marketplace API Calls with AWS CloudTrail | 08/22/2018 |
| AWS Migration Hub | Logging AWS Migration Hub API Calls with AWS CloudTrail | 08/14/2017 |
| AWS Mobile Hub | Logging AWS Mobile CLI API Calls with AWS CloudTrail | 06/29/2018 |
| Amazon MQ | Logging Amazon MQ API Calls Using AWS CloudTrail | 07/19/2018 |
| Amazon Neptune | Logging Amazon Neptune API Calls Using AWS CloudTrail | 05/30/2018 |
| AWS Network Firewall | Logging calls to the AWS Network Firewall API with AWS CloudTrail | 11/17/2020 |
| AWS OpsWorks for Chef Automate | Logging AWS OpsWorks for Chef Automate API Calls with AWS CloudTrail | 07/16/2018 |
| AWS OpsWorks for Puppet Enterprise | Logging OpsWorks for Puppet Enterprise API Calls with AWS CloudTrail | 07/16/2018 |
| AWS OpsWorks Stacks | Logging AWS OpsWorks Stacks API Calls with AWS CloudTrail | 06/04/2014 |
| AWS Organizations | Logging AWS Organizations Events with AWS CloudTrail | 02/27/2017 |
| AWS Outposts | Logging AWS Outposts API calls with AWS CloudTrail | 02/04/2020 |
| AWS Health Dashboard | Logging AWS Health API Calls with AWS CloudTrail | 12/01/2016 |
| Amazon Personalize | Logging Amazon Personalize API Calls with AWS CloudTrail | 11/28/2018 |
| Amazon Pinpoint | Logging Amazon Pinpoint API Calls with AWS CloudTrail | 02/06/2018 |
| Amazon Pinpoint SMS and Voice API | Logging Amazon Pinpoint API Calls with AWS CloudTrail | 11/16/2018 |
| Amazon Polly | Logging Amazon Polly API Calls with AWS CloudTrail | 11/30/2016 |
| Amazon Quantum Ledger Database (Amazon QLDB) | Logging Amazon QLDB API Calls with AWS CloudTrail | 09/10/2019 |
| AWS Certificate Manager Private Certificate Authority | Using CloudTrail | 04/04/2018 |
| Amazon QuickSight | Logging Operations with CloudTrail | 04/28/2017 |
| Amazon Redshift | Logging Amazon Redshift API Calls with AWS CloudTrail | 06/10/2014 |
| Amazon Rekognition | Logging Amazon Rekognition API Calls Using AWS CloudTrail | 04/06/2018 |
| Amazon Relational Database Service (Amazon RDS) | Logging Amazon RDS API Calls Using AWS CloudTrail | 11/13/2013 |
| Amazon RDS Performance Insights | Logging Amazon RDS API Calls Using AWS CloudTrail (The Amazon RDS Performance Insights API is a subset of the Amazon RDS API.) | 06/21/2018 |
| AWS Resilience Hub | AWS CloudTrail | 11/10/2021 |
| AWS Resource Access Manager (AWS RAM) | Logging AWS RAM API Calls with AWS CloudTrail | 11/20/2018 |
| AWS Resource Groups | Logging AWS Resource Groups API Calls with AWS CloudTrail | 06/29/2018 |
| AWS RoboMaker | Logging AWS RoboMaker API Calls with AWS CloudTrail | 01/16/2019 |
| Amazon Route 53 | Using AWS CloudTrail to Capture Requests Sent to the Route 53 API | 02/11/2015 |
| Amazon Route 53 Application Recovery Controller | Logging Amazon Route 53 Application Recovery Controller API calls using AWS CloudTrail | 07/27/2021 |
| Amazon SageMaker | Logging Amazon SageMaker API Calls with AWS CloudTrail | 01/11/2018 |
| AWS Secrets Manager | Monitor the Use of Your AWS Secrets Manager Secrets | 04/05/2018 |
| AWS Security Hub | Logging AWS Security Hub API Calls with AWS CloudTrail | 11/27/2018 |
| AWS Security Token Service (AWS STS) | Logging IAM Events with AWS CloudTrail (The IAM topic includes information for AWS STS.) | 11/13/2013 |
| AWS Server Migration Service | AWS SMS API Reference | 11/14/2016 |
| AWS Serverless Application Repository | Logging AWS Serverless Application Repository API Calls with AWS CloudTrail | 02/20/2018 |
| AWS Service Catalog | Logging AWS Service Catalog API Calls with AWS CloudTrail | 07/06/2016 |
| Service Quotas | | 06/24/2019 |
| AWS Shield | Logging Shield Advanced API Calls with AWS CloudTrail | 02/08/2018 |
| Amazon Simple Email Service (Amazon SES) | Logging Amazon SES API Calls By Using AWS CloudTrail | 05/07/2015 |
| Amazon Simple Notification Service (Amazon SNS) | Logging Amazon Simple Notification Service API Calls By Using AWS CloudTrail | 10/09/2014 |
| Amazon Simple Queue Service (Amazon SQS) | Logging Amazon SQS API Actions Using AWS CloudTrail | 07/16/2014 |
| Amazon Simple Storage Service | Logging Amazon S3 API Calls By Using AWS CloudTrail | Management events: 09/01/2015; Data events: 11/21/2016 |
| Amazon Simple Workflow Service (Amazon SWF) | Logging Amazon Simple Workflow Service API Calls with AWS CloudTrail | 05/13/2014 |
| AWS Single Sign-On (AWS SSO) | Logging AWS SSO API Calls with AWS CloudTrail | 12/07/2017 |
| AWS Snowball | Logging AWS Snowball API Calls with AWS CloudTrail | 01/25/2019 |
| AWS Snowball Edge | Logging AWS Snowball Edge API Calls with AWS CloudTrail | 01/25/2019 |
| AWS Step Functions | Logging AWS Step Functions API Calls with AWS CloudTrail | 12/01/2016 |
| Storage Gateway | Logging Storage Gateway API Calls by Using AWS CloudTrail | 12/16/2014 |
| AWS Support | Logging AWS Support API Calls with AWS CloudTrail | 04/21/2016 |
| AWS Systems Manager | Logging AWS Systems Manager API Calls with AWS CloudTrail | 11/13/2013 |
| AWS Systems Manager Incident Manager | Logging AWS Systems Manager Incident Manager API calls using AWS CloudTrail | 05/10/2021 |
| Amazon Textract | Logging Amazon Textract API Calls with AWS CloudTrail | 05/29/2019 |
| Amazon Transcribe | Logging Amazon Transcribe API Calls with AWS CloudTrail | 06/28/2018 |
| AWS Transfer for SFTP | Logging AWS Transfer for SFTP API Calls with AWS CloudTrail | 01/08/2019 |
| Amazon Translate | Logging Amazon Translate API Calls with AWS CloudTrail | 04/04/2018 |
| AWS Transit Gateway | Logging API Calls for Your Transit Gateway Using AWS CloudTrail | 11/26/2018 |
| AWS Trusted Advisor | Logging AWS Trusted Advisor console actions with AWS CloudTrail | 10/22/2020 |
| Amazon Virtual Private Cloud (Amazon VPC) | Logging API Calls Using AWS CloudTrail (The Amazon VPC API is a subset of the Amazon EC2 API.) | 11/13/2013 |
| AWS WAF | Logging AWS WAF API Calls with AWS CloudTrail | 04/28/2016 |
| AWS Well-Architected Tool | Logging AWS Well-Architected Tool API Calls with AWS CloudTrail | 12/15/2020 |
| Amazon WorkDocs | Logging Amazon WorkDocs API Calls By Using AWS CloudTrail | 08/27/2014 |
| Amazon WorkLink | Logging Amazon WorkLink API Calls with AWS CloudTrail | 01/23/2019 |
| Amazon WorkMail | Logging Amazon WorkMail API Calls Using AWS CloudTrail | 12/12/2017 |
| Amazon WorkSpaces | Logging Amazon WorkSpaces API Calls by Using CloudTrail | 04/09/2015 |
| Amazon WorkSpaces Web | Logging Amazon WorkSpaces Web API calls using AWS CloudTrail | 11/30/2021 |
| AWS X-Ray | Logging AWS X-Ray API Calls With CloudTrail | 04/25/2018 |
| AWS Import/Export | | 06/17/2020 |
| AWS Price List | | 12/17/2018 |
| AWS Deep Learning AMI | | 11/15/2017 |
| Amazon WorkSpaces Application Manager | | 04/09/2015 |
| AWS Artifact | | 11/30/2016 |
| AWS DeepComposer | | 12/02/2019 |
| AWS DeepLens | | 11/29/2017 |
| AWS DeepRacer | | 04/29/2019 |
| AWS Snowmobile | | 11/30/2016 |
| Amazon Sumerian | | 05/15/2018 |
Reference
AWS Black Belt - AWS CloudTrail
Preparation

CDK
In this post the related resources are deployed with multiple stacks.
Set slackWorkspaceId and slackChannelId in the Context to the values for your own Slack workspace and channel.
cdk.json
```json
{
  "app": "npx ts-node --prefer-ts-exts bin/src.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ],
    "prefix": "样本",
    "slackWorkspaceId": "xxxxxxxxx",
    "slackChannelId": "xxxxxxxxxx"
  }
}
```
bin/src.ts
```typescript
#!/usr/bin/env node
import * as cdk from "aws-cdk-lib";
import { SnsStack } from "../lib/sns-stack";
import { ChatbotStack } from "../lib/chatbot-stack";
import { SecrityStack } from "../lib/secrity-stack";

const app = new cdk.App();
const prefix = app.node.tryGetContext("prefix"); // Get the prefix specified in the Context
const snsStack = new SnsStack(app, `${prefix}-sns-stack`);
const chatbotStack = new ChatbotStack(app, `${prefix}-chatbot-stack`, snsStack);
const securityStack = new SecrityStack(app, `${prefix}-security-stack`, snsStack);
// Both consumers of the topic must be deployed after the SNS stack
chatbotStack.addDependency(snsStack);
securityStack.addDependency(snsStack);
```
lib/sns-stack.ts
```typescript
import * as cdk from "aws-cdk-lib";
import * as sns from "aws-cdk-lib/aws-sns";
import * as iam from "aws-cdk-lib/aws-iam";

export interface SnsStackProps {
  readonly snsTopic: sns.Topic;
}

export class SnsStack extends cdk.Stack {
  public readonly snsTopic: sns.Topic;

  // Create the SNS topic that EventBridge and Config publish to
  private createSnsTopic(name: string): sns.Topic {
    const snsTopic = new sns.Topic(this, `${name}`, {
      displayName: "安全通知",
      topicName: name,
    });
    // Only the Config and EventBridge service principals may publish to the topic
    snsTopic.addToResourcePolicy(new iam.PolicyStatement({
      sid: "SNSPublishingPermissions",
      effect: iam.Effect.ALLOW,
      principals: [
        new iam.ServicePrincipal("config.amazonaws.com"),
        new iam.ServicePrincipal("events.amazonaws.com"),
      ],
      actions: ["SNS:Publish"],
      resources: [snsTopic.topicArn],
    }));
    return snsTopic;
  }

  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const prefix = this.node.tryGetContext("prefix"); // Get the prefix specified in the Context
    this.snsTopic = this.createSnsTopic(`${prefix}-sns-topic`);
  }
}
```
lib/chatbot-stack.ts
```typescript
import * as cdk from "aws-cdk-lib";
import * as sns from "aws-cdk-lib/aws-sns";
import type { SnsStackProps } from "./sns-stack";
import * as chatbot from "aws-cdk-lib/aws-chatbot";

export class ChatbotStack extends cdk.Stack {
  // Chatbot Slack channel configuration subscribed to the SNS topic
  private createChatbot(name: string, topic: sns.Topic): chatbot.SlackChannelConfiguration {
    const slackWorkspaceId = this.node.tryGetContext("slackWorkspaceId"); // Get the slackWorkspaceId specified in the Context
    const slackChannelId = this.node.tryGetContext("slackChannelId"); // Get the slackChannelId specified in the Context
    const slackchatbot = new chatbot.SlackChannelConfiguration(this, `${name}`, {
      slackChannelConfigurationName: name,
      slackWorkspaceId: slackWorkspaceId, // Authorize Chatbot for the Slack workspace in the console beforehand
      slackChannelId: slackChannelId,
      loggingLevel: chatbot.LoggingLevel.INFO,
      notificationTopics: [topic],
    });
    return slackchatbot;
  }

  constructor(scope: cdk.App, id: string, snsStack: SnsStackProps, props?: cdk.StackProps) {
    super(scope, id, props);
    const prefix = this.node.tryGetContext("prefix"); // Get the prefix specified in the Context
    this.createChatbot(`${prefix}-chatbot`, snsStack.snsTopic);
  }
}
```
Security Stack
Resources created (settings other than the defaults):
- S3: transition objects to Glacier after 1 year; block public access; removal policy Destroy
- Security Hub: enable Security Hub (automatic checks against the AWS Foundational Security Best Practices standard)
- GuardDuty: enable GuardDuty
- CloudTrail: enable delivery to CloudWatch Logs; enable log file integrity validation
- Config: record all supported services (including global services); deliver recorded configuration to S3 and SNS every 24 hours
- EventBridge:
  - GuardDuty -> notify on findings with severity High or above
  - Security Hub -> notify on new findings that did not pass the compliance check and have severity MEDIUM or above
  - Config -> notify on resource configuration changes
  - CloudTrail -> notify on AWS console sign-in by the root user
lib/secrity-stack.ts
```typescript
import * as cdk from "aws-cdk-lib";
import type { SnsStackProps } from "./sns-stack";
import * as iam from "aws-cdk-lib/aws-iam";
import * as sns from "aws-cdk-lib/aws-sns";
import * as s3 from "aws-cdk-lib/aws-s3";
import * as sechub from "aws-cdk-lib/aws-securityhub";
import * as guardduty from "aws-cdk-lib/aws-guardduty";
import * as config from "aws-cdk-lib/aws-config";
import * as trail from "aws-cdk-lib/aws-cloudtrail";
import * as events from "aws-cdk-lib/aws-events";
import * as targets from "aws-cdk-lib/aws-events-targets";

export interface SecrityStackProps {
  readonly s3bucket: s3.Bucket;
}

export class SecrityStack extends cdk.Stack {
  public readonly s3bucket: s3.Bucket;

  // S3 bucket that receives Config snapshots and CloudTrail logs
  private createS3Bucket(name: string): s3.Bucket {
    const accountId = cdk.Stack.of(this).account;
    const s3bucket = new s3.Bucket(this, `${name}`, {
      bucketName: name,
      encryption: s3.BucketEncryption.S3_MANAGED,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
      removalPolicy: cdk.RemovalPolicy.DESTROY, // DESTROY so the bucket can be removed after the test run
      lifecycleRules: [{
        id: `${name}-lifecycleRule`,
        transitions: [
          { storageClass: s3.StorageClass.GLACIER, transitionAfter: cdk.Duration.days(365) }, // Move to Glacier after 1 year
        ],
      }],
    });
    // Bucket policy required by the Config delivery channel
    s3bucket.addToResourcePolicy(new iam.PolicyStatement({
      sid: "AWSConfigBucketPermissionsCheck",
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal("config.amazonaws.com")],
      actions: ["s3:GetBucketAcl"],
      resources: [s3bucket.bucketArn],
    }));
    s3bucket.addToResourcePolicy(new iam.PolicyStatement({
      sid: "AWSConfigBucketDelivery",
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal("config.amazonaws.com")],
      actions: ["s3:PutObject"],
      resources: [`${s3bucket.bucketArn}/AWSLogs/${accountId}/*`],
    }));
    return s3bucket;
  }

  // Security Hub (Hub tags are a plain key/value map)
  private createSecurityHub(name: string): void {
    new sechub.CfnHub(this, `${name}`, {
      tags: { Name: name },
    });
  }

  // GuardDuty
  private createGuardDuty(name: string): void {
    new guardduty.CfnDetector(this, `${name}`, {
      enable: true,
    });
  }

  // Config
  private createConfig(name: string, topic: sns.Topic, bucket: s3.IBucket): void {
    const configrole = new iam.Role(this, `${name}-configrole`, {
      roleName: name,
      path: "/",
      assumedBy: new iam.CompositePrincipal(
        new iam.ServicePrincipal("config.amazonaws.com"),
      ),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWS_ConfigRole"),
      ],
    });
    new config.CfnConfigurationRecorder(this, `${name}-configdetector`, {
      name: name,
      recordingGroup: {
        allSupported: true, // Record all supported resource types
        includeGlobalResourceTypes: true, // Include global resources
      },
      roleArn: configrole.roleArn,
    });
    new config.CfnDeliveryChannel(this, `${name}-configdeliverychannel`, {
      name: name,
      s3BucketName: bucket.bucketName,
      configSnapshotDeliveryProperties: { deliveryFrequency: "TwentyFour_Hours" }, // Deliver recorded configuration every 24 hours
      snsTopicArn: topic.topicArn,
    });
  }

  // CloudTrail
  private createCloudTrail(name: string, bucket: s3.Bucket): void {
    new trail.Trail(this, `${name}`, {
      trailName: name,
      sendToCloudWatchLogs: true, // Enable delivery to CloudWatch Logs
      enableFileValidation: true, // Enable log file integrity validation
      bucket: bucket,
    });
  }

  // EventBridge
  private createEvent(name: string, topic: sns.Topic): void {
    // GuardDuty (event notification for threat findings)
    const guardDutyRule = new events.Rule(this, `${name}-guardduty`, {
      eventPattern: {
        source: ["aws.guardduty"],
        detailType: ["GuardDuty Finding"],
        detail: {
          severity: [{ numeric: [">=", 7] }], // Notify at severity High or above. Low: 0.1-3.9, Medium: 4.0-6.9, High: 7.0-8.9
        },
      },
      ruleName: `${name}-guardduty`,
    });
    guardDutyRule.addTarget(new targets.SnsTopic(topic));

    // Security Hub (event notification for security check results)
    const secrityHubRule = new events.Rule(this, `${name}-sechub`, {
      eventPattern: {
        source: ["aws.securityhub"],
        detailType: ["Security Hub Findings - Imported"],
        detail: {
          findings: {
            Compliance: { Status: ["FAILED", "WARNING", "NOT_AVAILABLE"] }, // Findings whose compliance status is anything but PASSED
            RecordState: ["ACTIVE"],
            Severity: { Label: ["MEDIUM", "HIGH", "CRITICAL"] }, // Only findings with severity MEDIUM, HIGH or CRITICAL
            Workflow: { Status: ["NEW"] }, // Exclude findings already notified; new ones only
          },
        },
      },
      ruleName: `${name}-sechub`,
    });
    secrityHubRule.addTarget(new targets.SnsTopic(topic));

    // Config (event notification for configuration changes to resources)
    // NOTE: this produces a very large number of notifications; in practice, narrow the targets
    const configRule = new events.Rule(this, `${name}-config`, {
      eventPattern: {
        source: ["aws.config"],
        detailType: ["Config Configuration Item Change"],
        detail: {
          messageType: ["ConfigurationItemChangeNotification"],
        },
      },
      ruleName: `${name}-config`,
    });
    configRule.addTarget(new targets.SnsTopic(topic));

    // Root login (event notification for AWS console sign-in by the root user)
    // Console sign-in events are global service events recorded in us-east-1, so this rule only fires there
    const rootloginRule = new events.Rule(this, `${name}-rootlogin`, {
      eventPattern: {
        detailType: ["AWS Console Sign In via CloudTrail"],
        detail: {
          userIdentity: {
            type: ["Root"],
          },
        },
      },
      ruleName: `${name}-rootlogin`,
    });
    rootloginRule.addTarget(new targets.SnsTopic(topic));
  }

  constructor(scope: cdk.App, id: string, snsStack: SnsStackProps, props?: cdk.StackProps) {
    super(scope, id, props);
    const prefix = this.node.tryGetContext("prefix"); // Get the prefix specified in the Context
    this.s3bucket = this.createS3Bucket(`${prefix}-s3bucket`);
    this.createSecurityHub(`${prefix}-securityhub`);
    this.createGuardDuty(`${prefix}-detector`);
    this.createConfig(`${prefix}-config`, snsStack.snsTopic, this.s3bucket);
    this.createCloudTrail(`${prefix}-trail`, this.s3bucket);
    this.createEvent(`${prefix}-event`, snsStack.snsTopic);
  }
}
```
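To check what the four event patterns in createEvent() actually let through before deploying, here is an added example (not code from the post) that evaluates those patterns locally against constructed sample events, using EventBridge's flattened-path matching semantics, including the `numeric` comparison on GuardDuty severity and array fields such as `detail.findings`. The sample events and the `finding` helper are constructed for this example.

```typescript
// Added example, not the post's code: a local evaluator for the four EventBridge
// patterns in createEvent() above. Sample events are constructed, not real findings.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type Pattern = { [key: string]: Pattern | unknown[] };

// Same patterns as the CDK rules; CDK's `detailType` is "detail-type" in the event JSON.
const RULES: { [name: string]: Pattern } = {
  guardduty: { source: ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
    detail: { severity: [{ numeric: [">=", 7] }] } },
  sechub: { source: ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"],
    detail: { findings: {
      Compliance: { Status: ["FAILED", "WARNING", "NOT_AVAILABLE"] },
      RecordState: ["ACTIVE"],
      Severity: { Label: ["MEDIUM", "HIGH", "CRITICAL"] },
      Workflow: { Status: ["NEW"] } } } },
  config: { source: ["aws.config"], "detail-type": ["Config Configuration Item Change"],
    detail: { messageType: ["ConfigurationItemChangeNotification"] } },
  rootlogin: { "detail-type": ["AWS Console Sign In via CloudTrail"],
    detail: { userIdentity: { type: ["Root"] } } },
};

// EventBridge flattens the event into leaf paths; an array in the event (such as
// detail.findings) contributes every element's values under the same path.
function flattenEvent(value: Json, path: string, out: { [path: string]: Json[] }): void {
  if (Array.isArray(value)) {
    value.forEach((v) => flattenEvent(v, path, out));
  } else if (value !== null && typeof value === "object") {
    const obj = value;
    Object.keys(obj).forEach((k) => flattenEvent(obj[k], path ? `${path}.${k}` : k, out));
  } else {
    (out[path] = out[path] || []).push(value);
  }
}

// A pattern leaf is the array of allowed values; nested objects extend the path.
function flattenPattern(pattern: Pattern, path: string, out: { [path: string]: unknown[] }): void {
  Object.keys(pattern).forEach((k) => {
    const v = pattern[k];
    const next = path ? `${path}.${k}` : k;
    if (Array.isArray(v)) out[next] = v;
    else flattenPattern(v as Pattern, next, out);
  });
}

// Literal equality, plus the { numeric: [op, n, ...] } comparison used for GuardDuty severity.
function leafMatches(value: Json, allowed: unknown): boolean {
  if (allowed !== null && typeof allowed === "object" && "numeric" in allowed) {
    if (typeof value !== "number") return false;
    const cond = (allowed as { numeric: unknown[] }).numeric;
    for (let i = 0; i + 1 < cond.length; i += 2) {
      const op = cond[i] as string;
      const n = cond[i + 1] as number;
      const ok = op === ">=" ? value >= n : op === ">" ? value > n
        : op === "<=" ? value <= n : op === "<" ? value < n : op === "=" && value === n;
      if (!ok) return false;
    }
    return true;
  }
  return value === allowed;
}

// Every pattern path must exist in the event with at least one allowed value.
function eventMatches(pattern: Pattern, event: Json): boolean {
  const ev: { [path: string]: Json[] } = {};
  flattenEvent(event, "", ev);
  const pt: { [path: string]: unknown[] } = {};
  flattenPattern(pattern, "", pt);
  return Object.keys(pt).every((path) =>
    (ev[path] || []).some((v) => pt[path].some((a) => leafMatches(v, a))));
}

// Names of the rules that would forward this event to the SNS topic (and on to Slack).
function matchingRules(event: Json): string[] {
  return Object.keys(RULES).filter((name) => eventMatches(RULES[name], event));
}

// Constructed sample events: shapes follow the patterns, values are made up.
const IMPORTED = "Security Hub Findings - Imported";
const SIGNIN = "AWS Console Sign In via CloudTrail";
const finding = (workflow: string): Json => ({ Compliance: { Status: "FAILED" },
  RecordState: "ACTIVE", Severity: { Label: "HIGH" }, Workflow: { Status: workflow } });
const SAMPLE_EVENTS: { [name: string]: Json } = {
  guardDutyHigh: { source: "aws.guardduty", "detail-type": "GuardDuty Finding",
    detail: { severity: 8, type: "Backdoor:EC2/C&CActivity.B" } },
  guardDutyMedium: { source: "aws.guardduty", "detail-type": "GuardDuty Finding",
    detail: { severity: 5, type: "Recon:EC2/Portscan" } },
  secHubNewFailed: { source: "aws.securityhub", "detail-type": IMPORTED,
    detail: { findings: [finding("NEW")] } },
  secHubAlreadyNotified: { source: "aws.securityhub", "detail-type": IMPORTED,
    detail: { findings: [finding("NOTIFIED")] } },
  configChange: { source: "aws.config", "detail-type": "Config Configuration Item Change",
    detail: { messageType: "ConfigurationItemChangeNotification" } },
  rootSignIn: { source: "aws.signin", "detail-type": SIGNIN, detail: { userIdentity: { type: "Root" } } },
  iamUserSignIn: { source: "aws.signin", "detail-type": SIGNIN, detail: { userIdentity: { type: "IAMUser" } } },
};

Object.keys(SAMPLE_EVENTS).forEach((name) =>
  console.log(name, "->", matchingRules(SAMPLE_EVENTS[name]).join(", ") || "(no notification)"));
```

Only the first element of `detail.findings` is exercised here; with several findings in one event, EventBridge matches each leaf path independently across all of them, which the flattening above reproduces.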
Checking the Slack notifications
Security Hub

GuardDuty

Config

CloudTrail (RootLogin)

Conclusion
Previously, some of this processing had to be done with Lambda and the like, but now that most of it can be achieved within CDK by making good use of EventBridge, it feels like ChatOps will get smoother from here.
It may look like I am someone who only ever sends notifications to Slack with CDK, but I have got the hang of it now, so next time I plan to write about something different!
References
Documentation for the security-related AWS CDK modules used in this post:
1. aws_guardduty module: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_guardduty-readme.html
2. aws_config module: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_config-readme.html
3. aws_securityhub module: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_securityhub-readme.html
4. aws_cloudtrail module: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudtrail-readme.html