AWS Security Hub の検出結果を自動で「通知済み」にする
### Provider
# Region every resource below is created in; the state machine, rule and
# roles all live in this single region.
provider "aws" {
  region = "ap-northeast-1"
}
### Locals
# Name prefix shared by every resource name below.
locals {
  prefix = "test"
}
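### Resources(Step Functions)
# IAM role assumed by the state machine.
# The inline policy grants only securityhub:BatchUpdateFindings, and the
# condition further limits it to setting Workflow.Status to NOTIFIED — the
# one update the state machine below performs.
resource "aws_iam_role" "states" {
  name = "${local.prefix}-security-events-handler-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "states.amazonaws.com"
        }
      }
    ]
  })

  inline_policy {
    name = "aws-actions"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["securityhub:BatchUpdateFindings"]
          # Resource stays "*" as in the original. The ASFFSyntaxPath condition
          # key is Security Hub's documented way to restrict which field values
          # BatchUpdateFindings may set; a request that sets any other value,
          # or omits Workflow.Status, is denied. NOTE(review): confirm against
          # the current Security Hub IAM documentation before relying on it.
          Resource = "*"
          Condition = {
            StringEquals = {
              "securityhub:ASFFSyntaxPath/Workflow.Status" = "NOTIFIED"
            }
          }
        }
      ]
    })
  }
}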
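# State machine: a single Task state that calls Security Hub
# BatchUpdateFindings through the AWS SDK integration and marks the finding
# carried by the incoming EventBridge event as NOTIFIED.
resource "aws_sfn_state_machine" "this" {
  name     = "${local.prefix}-security-events-handler"
  role_arn = aws_iam_role.states.arn

  definition = jsonencode({
    Comment = "Security Hub finding handler"
    StartAt = "Set a finding as NOTIFIED"
    States = {
      "Set a finding as NOTIFIED" = {
        Type     = "Task"
        Resource = "arn:aws:states:::aws-sdk:securityhub:batchUpdateFindings"
        Parameters = {
          # Only findings[0] is updated. "Security Hub Findings - Imported"
          # events are expected to carry a single finding — confirm before
          # reusing this definition for an event source that batches several.
          FindingIdentifiers = [
            {
              "Id.$"         = "$.detail.findings[0].Id"
              "ProductArn.$" = "$.detail.findings[0].ProductArn"
            }
          ]
          Workflow = {
            Status = "NOTIFIED"
          }
        }
        # Without a retry policy a transient API error (e.g. throttling) fails
        # the execution outright and the finding stays NEW. Three attempts
        # with exponential backoff cover the common transient cases.
        Retry = [
          {
            ErrorEquals     = ["States.ALL"]
            IntervalSeconds = 2
            MaxAttempts     = 3
            BackoffRate     = 2
          }
        ]
        # NOTE(review): BatchUpdateFindings reports per-finding failures in its
        # UnprocessedFindings response field rather than as a task error, so a
        # successful execution does not by itself prove the status changed.
        End = true
      }
    }
  })
}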
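### Resources(EventBridge)
# Account identity, used to pin the EventBridge trust policy to this account.
data "aws_caller_identity" "current" {}

# IAM role EventBridge assumes to start the state machine. The permission
# policy is scoped to the one state machine this rule targets.
resource "aws_iam_role" "events" {
  name = "${local.prefix}-security-events-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "events.amazonaws.com"
        }
        # Confused-deputy guard: the service principal may only assume this
        # role on behalf of rules in this account. It can be tightened further
        # with aws:SourceArn set to the rule's ARN once that is verified.
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })

  inline_policy {
    name = "aws-actions"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = "states:StartExecution"
          Resource = aws_sfn_state_machine.this.arn
        }
      ]
    })
  }
}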
# EventBridge rule on the default bus: matches newly imported Security Hub
# control findings (ProductName "Security Hub") that are ACTIVE, still in
# workflow status NEW, labelled CRITICAL, and whose compliance status is
# anything other than PASSED.
resource "aws_cloudwatch_event_rule" "securityhub" {
  name           = "${local.prefix}-security-events-securityhub"
  event_bus_name = "default"

  event_pattern = jsonencode({
    "detail-type" = ["Security Hub Findings - Imported"]
    source        = ["aws.securityhub"]
    detail = {
      findings = {
        ProductName = ["Security Hub"]
        Compliance = {
          Status = [{ "anything-but" = "PASSED" }]
        }
        RecordState = ["ACTIVE"]
        Workflow = {
          Status = ["NEW"]
        }
        Severity = {
          Label = ["CRITICAL"]
        }
      }
    }
  })
}
# EventBridge target: every event matched by the rule above starts one
# execution of the state machine, using the EventBridge role for the call.
resource "aws_cloudwatch_event_target" "securityhub" {
  rule           = aws_cloudwatch_event_rule.securityhub.name
  event_bus_name = "default"
  target_id      = "step-functions"
  arn            = aws_sfn_state_machine.this.arn
  role_arn       = aws_iam_role.events.arn
}