こんにちは、AWS 事業本部の平木です!
今回、AWS Security Hub のアップデートで CIS AWS Foundations Benchmark v3.0.0 のセキュリティ基準がリリースされたためご紹介します。
CIS AWS Foundations Benchmark v3.0.0 のコントロール一覧
CIS AWS Foundations Benchmark v3.0.0 で対応しているコントロールの一覧を下記に示します。
今回の CIS AWS Foundations Benchmark v3.0.0 追加に伴い新規コントロールも追加されたため、そのコントロールは●マークが付いています。
※リージョンによっては対応していないコントロールもあります。
| ID | タイトル | 重要度 | 新規追加されたコントロール |
|---|---|---|---|
| Account.1 | Security contact information should be provided for an AWS account | MEDIUM | - |
| CloudTrail.1 | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | HIGH | - |
| CloudTrail.2 | CloudTrail should have encryption at-rest enabled | MEDIUM | - |
| CloudTrail.4 | CloudTrail log file validation should be enabled | LOW | - |
| CloudTrail.7 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | LOW | - |
| Config.1 | AWS Config should be enabled | MEDIUM | - |
| EC2.2 | VPC default security groups should not allow inbound or outbound traffic | HIGH | - |
| EC2.6 | VPC flow logging should be enabled in all VPCs | MEDIUM | - |
| EC2.7 | EBS default encryption should be enabled | MEDIUM | - |
| EC2.8 | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | HIGH | - |
| EC2.21 | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | MEDIUM | - |
| EC2.53 | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | HIGH | ● |
| EC2.54 | EC2 security groups should not allow ingress from ::/0 to remote server administration ports | HIGH | ● |
| EFS.1 | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | MEDIUM | - |
| IAM.2 | IAM users should not have IAM policies attached | LOW | - |
| IAM.3 | IAM users' access keys should be rotated every 90 days or less | MEDIUM | - |
| IAM.4 | IAM root user access key should not exist | CRITICAL | - |
| IAM.5 | MFA should be enabled for all IAM users that have a console password | MEDIUM | - |
| IAM.6 | Hardware MFA should be enabled for the root user | CRITICAL | - |
| IAM.9 | MFA should be enabled for the root user | CRITICAL | - |
| IAM.15 | Ensure IAM password policy requires minimum password length of 14 or greater | MEDIUM | - |
| IAM.16 | Ensure IAM password policy prevents password reuse | LOW | - |
| IAM.18 | Ensure a support role has been created to manage incidents with AWS Support | LOW | - |
| IAM.22 | IAM user credentials unused for 45 days should be removed | MEDIUM | - |
| IAM.26 | Expired SSL/TLS certificates managed in IAM should be removed | MEDIUM | ● |
| IAM.27 | IAM identities should not have the AWSCloudShellFullAccess policy attached | MEDIUM | ● |
| IAM.28 | IAM Access Analyzer external access analyzer should be enabled | HIGH | ● |
| KMS.4 | AWS KMS key rotation should be enabled | MEDIUM | - |
| RDS.2 | RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration | CRITICAL | - |
| RDS.3 | RDS DB instances should have encryption at-rest enabled | MEDIUM | - |
| RDS.13 | RDS automatic minor version upgrades should be enabled | HIGH | - |
| S3.1 | S3 general purpose buckets should have block public access settings enabled | MEDIUM | - |
| S3.5 | S3 general purpose buckets should require requests to use SSL | MEDIUM | - |
| S3.8 | S3 general purpose buckets should block public access-level | HIGH | - |
| S3.20 | S3 general purpose buckets should have MFA delete enabled | LOW | - |
| S3.22 | S3 general purpose buckets should log object-level write events | MEDIUM | ● |
| S3.23 | S3 general purpose buckets should log object-level read events | MEDIUM | ● |
CSV も掲載しているため使用したい方は下記「▶ 展開する」を押してご参照ください。
展開する
ID,title,severity,add control
Account.1,"Security contact information should be provided for an AWS account",MEDIUM,-
CloudTrail.1,"CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",HIGH,-
CloudTrail.2,"CloudTrail should have encryption at-rest enabled",MEDIUM,-
CloudTrail.4,"CloudTrail log file validation should be enabled",LOW,-
CloudTrail.7,"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",LOW,-
Config.1,"AWS Config should be enabled",MEDIUM,-
EC2.2,"VPC default security groups should not allow inbound or outbound traffic",HIGH,-
EC2.6,"VPC flow logging should be enabled in all VPCs",MEDIUM,-
EC2.7,"EBS default encryption should be enabled",MEDIUM,-
EC2.8,"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)",HIGH,-
EC2.21,"Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389",MEDIUM,-
EC2.53,"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports",HIGH,*
EC2.54,"EC2 security groups should not allow ingress from ::/0 to remote server administration ports",HIGH,*
EFS.1,"Elastic File System should be configured to encrypt file data at-rest using AWS KMS",MEDIUM,-
IAM.2,"IAM users should not have IAM policies attached",LOW,-
IAM.3,"IAM users' access keys should be rotated every 90 days or less",MEDIUM,-
IAM.4,"IAM root user access key should not exist",CRITICAL,-
IAM.5,"MFA should be enabled for all IAM users that have a console password",MEDIUM,-
IAM.6,"Hardware MFA should be enabled for the root user",CRITICAL,-
IAM.9,"MFA should be enabled for the root user",CRITICAL,-
IAM.15,"Ensure IAM password policy requires minimum password length of 14 or greater",MEDIUM,-
IAM.16,"Ensure IAM password policy prevents password reuse",LOW,-
IAM.18,"Ensure a support role has been created to manage incidents with AWS Support",LOW,-
IAM.22,"IAM user credentials unused for 45 days should be removed",MEDIUM,-
IAM.26,"Expired SSL/TLS certificates managed in IAM should be removed",MEDIUM,*
IAM.27,"IAM identities should not have the AWSCloudShellFullAccess policy attached",MEDIUM,*
IAM.28,"IAM Access Analyzer external access analyzer should be enabled",HIGH,*
KMS.4,"AWS KMS key rotation should be enabled",MEDIUM,-
RDS.2,"RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration",CRITICAL,-
RDS.3,"RDS DB instances should have encryption at-rest enabled",MEDIUM,-
RDS.13,"RDS automatic minor version upgrades should be enabled",HIGH,-
S3.1,"S3 general purpose buckets should have block public access settings enabled",MEDIUM,-
S3.5,"S3 general purpose buckets should require requests to use SSL",MEDIUM,-
S3.8,"S3 general purpose buckets should block public access-level",HIGH,-
S3.20,"S3 general purpose buckets should have MFA delete enabled",LOW,-
S3.22,"S3 general purpose buckets should log object-level write events",MEDIUM,*
S3.23,"S3 general purpose buckets should log object-level read events",MEDIUM,*CIS AWS Foundations Benchmark v1.4.0 と CIS AWS Foundations Benchmark v3.0.0 の違い
Security Hub で対応している CIS AWS Foundations Benchmark は今までの最新はv1.4.0でした。
v3.0.0 との差分を見ていこうと思います。
追加されたコントロール
下記 13 個がv1.4.0には無くv3.0.0で追加されたコントロールです。
新規追加されたコントロールが半数を占めています。
| ID | タイトル |
|---|---|
| Account.1 | Security contact information should be provided for an AWS account |
| EC2.8 | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) |
| EC2.53 | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports |
| EC2.54 | EC2 security groups should not allow ingress from ::/0 to remote server administration ports |
| EFS.1 | Elastic File System should be configured to encrypt file data at-rest using AWS KMS |
| IAM.2 | IAM users should not have IAM policies attached |
| IAM.26 | Expired SSL/TLS certificates managed in IAM should be removed |
| IAM.27 | IAM identities should not have the AWSCloudShellFullAccess policy attached |
| IAM.28 | IAM Access Analyzer external access analyzer should be enabled |
| RDS.2 | RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration |
| RDS.13 | RDS automatic minor version upgrades should be enabled |
| S3.22 | S3 general purpose buckets should log object-level write events |
| S3.23 | S3 general purpose buckets should log object-level read events |
削除されたコントロール
下記 15 個がv1.4.0にはありv3.0.0で削除されたコントロールです。
CloudWatch 系が全て削除された印象を受けます。
| ID | タイトル |
|---|---|
| CloudTrail.5 | CloudTrail trails should be integrated with Amazon CloudWatch Logs |
| CloudTrail.6 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
| CloudWatch.1 | A log metric filter and alarm should exist for usage of the "root" user |
| CloudWatch.4 | Ensure a log metric filter and alarm exist for IAM policy changes |
| CloudWatch.5 | Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes |
| CloudWatch.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
| CloudWatch.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys |
| CloudWatch.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
| CloudWatch.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
| CloudWatch.10 | Ensure a log metric filter and alarm exist for security group changes |
| CloudWatch.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| CloudWatch.12 | Ensure a log metric filter and alarm exist for changes to network gateways |
| CloudWatch.13 | Ensure a log metric filter and alarm exist for route table changes |
| CloudWatch.14 | Ensure a log metric filter and alarm exist for VPC changes |
| IAM.1 | IAM policies should not allow full "*" administrative privileges |
中央設定では管理可能か
組織管理している場合に中央設定していると Security Hub を非常に柔軟にかつ楽に運用できます。
そんな中央設定でも使えるか確認してみましたが問題なく設定できるようです。
有効化してみる
初めて Security Hub を使う場合
最初の有効化画面から「CIS AWS Foundations Benchmark v3.0.0 を有効化する」にチェックを入れていただくと有効化できます。
既に Security Hub を有効化している場合
セキュリティ基準の項目から「CIS AWS Foundations Benchmark v3.0.0」の「標準を有効化」を押下すると有効化できます。
※それぞれ有効化してからスコアが反映されるには時間がかかります。
参考
おわりに
AWS Security Hub で新規セキュリティ基準の CIS AWS Foundations Benchmark v3.0.0 をご紹介しました。
v2.0.0 を待っていたらまさかの飛ばして v3.0.0 で少し驚きました。
CIS AWS Foundations Benchmark をコンプライアンスチェックに活用しているユーザーは要チェックの内容になっているかと思いますので、ぜひバージョンアップの際のご参考にしていただければと思います。
この記事がどなたかの役に立つと嬉しいです。
6
