AWSCloudFormationTemplates/security sets basic configurations for security. This builds Amazon Inspector, Amazon GuardDuty, AWS Config, AWS CloudTrail, AWS Security Hub, Amazon Detective, Amazon Macie, AWS Audit Manager, and related resources.
You can deploy the whole stack at once, or deploy each of the following services individually:

- IAM
- AWS Security Hub
- Amazon Detective
- Amazon Inspector
- Amazon GuardDuty
- AWS CloudTrail
- AWS Config
- Amazon Macie
- AWS Audit Manager
The following sections describe the individual components of the architecture.
This template enables IAM Access Analyzer. IAM Access Analyzer sends its results to Amazon SNS via Amazon EventBridge.
This template enables AWS Security Hub and sets up Amazon SNS and Amazon EventBridge so that you receive a message when the result of a compliance check changes to Failure.
This template creates an Amazon Detective behavior graph.
This template enables Amazon GuardDuty. Amazon GuardDuty only sends notifications when it detects findings of MEDIUM or higher severity.
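The Security Hub and GuardDuty notifications described above are both EventBridge rules whose target is an SNS topic. The fragment below is an added example, not the repository's template: it shows the two event patterns (Security Hub findings whose compliance status is FAILED, GuardDuty findings with severity 4 or above, which is where MEDIUM starts) and the SNS topic policy that EventBridge needs in order to publish. The topic, rule and resource names are assumptions.

```yaml
# Added example (not the repository's template). Names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SecurityNotificationTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: security-notifications   # assumed name

  # Without this resource policy EventBridge cannot publish to the topic and the
  # rule fails delivery silently (visible only in its FailedInvocations metric).
  SecurityNotificationTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityNotificationTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecurityNotificationTopic

  # Security Hub: notify only on active, not-yet-handled findings whose check failed.
  SecurityHubFailedCheckRule:
    Type: AWS::Events::Rule
    Properties:
      Name: securityhub-failed-compliance-check   # assumed name
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            Compliance:
              Status:
                - FAILED
            RecordState:
              - ACTIVE
            Workflow:
              Status:
                - NEW
      Targets:
        - Arn: !Ref SecurityNotificationTopic
          Id: SnsTarget

  # GuardDuty: severity is a number (LOW 1.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-8.9),
  # so "MEDIUM or higher" is a numeric range match, not a string match.
  GuardDutyMediumOrHigherRule:
    Type: AWS::Events::Rule
    Properties:
      Name: guardduty-medium-or-higher   # assumed name
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric:
                - '>='
                - 4
      Targets:
        - Arn: !Ref SecurityNotificationTopic
          Id: SnsTarget
```

The Workflow and RecordState filters matter in practice: Security Hub re-imports findings on every check cycle, so a rule that only matches `Compliance.Status: FAILED` re-notifies about the same finding until it is resolved.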
This template enables AWS CloudTrail and creates the S3 bucket in which its logs are stored. CloudTrail logs stored in the S3 bucket are encrypted using AWS KMS CMKs.
This template creates an Amazon Inspector assessment target and the following assessment templates:
- Network Reachability
- Common Vulnerabilities and Exposures
- Center for Internet Security (CIS) Benchmarks
- Security Best Practices for Amazon Inspector
They run every Monday at 9am, triggered by Amazon EventBridge.
This template supports only the following regions:
- US East (N. Virginia)
- US East (Ohio)
- US West (N. California)
- US West (Oregon)
- Asia Pacific (Tokyo)
- Asia Pacific (Seoul)
- Asia Pacific (Sydney)
- EU (Frankfurt)
- EU (Ireland)
- EU (London)
- EU (Stockholm)
This template creates an AWS Config delivery channel, a configuration recorder and the managed rules listed below. The following rules have the Automatic Remediation feature enabled, with SSM Automation Documents attached:
- IAM_PASSWORD_POLICY
- IAM_ROOT_ACCESS_KEY_CHECK
- S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
- VPC_FLOW_LOGS_ENABLED
- VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
- VPC_DEFAULT_SECURITY_GROUP_CLOSED
AWS Security Hub automatically creates related Config rules for its security checks. When AWS Config detects noncompliant resources, it sends a notification to Amazon SNS.
This template configures Amazon Macie.
This template creates assessments such as AWS Well-Architected Framework, AWS Foundational Security Best Practices and AWS Operational Best Practices.
This template creates an Amazon EventBridge rule for AWS Health. EventBridge forwards its events to Amazon SNS.
This template creates some other resources, such as a Service-linked Role, an IAM Role, an S3 Bucket, Amazon SNS, and so on.
Execute the following command to deploy:

```sh
aws cloudformation deploy --template-file template.yaml --stack-name DefaultSecuritySettings --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
```
You can provide optional parameters as follows:

Name | Type | Default | Required | Details |
---|---|---|---|---|
AmazonDetective | ENABLED / DISABLED | DISABLED | ○ | If it is ENABLED, Amazon Detective is enabled. |
AuditOtherRegions | ENABLED / DISABLED | ENABLED | ○ | If it is ENABLED, CloudTrail and the Include Global Resource Types option in Config are enabled. |
AutoRemediation | ENABLED / DISABLED | ENABLED | ○ | If it is ENABLED, AutoRemediation by SSM Automation and Lambda is enabled. |
IAMUserArnToAssumeAWSSupportRole | String | | | IAM User ARN to assume the AWS Support role |
NotificationFilterAboutSecurityChecks | DENY_ALL / MEDIUM / ALLOW_ALL | DENY_ALL | ○ | Notification filter about Security Hub Security Checks |
This template helps you to comply with the Center for Internet Security (CIS) Benchmarks.
No. | Rules | Remediation |
---|---|---|
1.3 | Ensure credentials unused for 90 days or greater are disabled | Config checks it and Lambda removes it automatically. |
1.4 | Ensure access keys are rotated every 90 days or less | Config checks it and Lambda removes it automatically. |
1.5 | Ensure IAM password policy requires at least one uppercase letter | Config checks it and SSM Automation remediates the policy automatically. |
1.6 | Ensure IAM password policy requires at least one lowercase letter | Config checks it and SSM Automation remediates the policy automatically. |
1.7 | Ensure IAM password policy requires at least one symbol | Config checks it and SSM Automation remediates the policy automatically. |
1.8 | Ensure IAM password policy requires at least one number | Config checks it and SSM Automation remediates the policy automatically. |
1.9 | Ensure IAM password policy requires a minimum length of 14 or greater | Config checks it and SSM Automation remediates the policy automatically. |
1.10 | Ensure IAM password policy prevents password reuse | Config checks it and SSM Automation remediates the policy automatically. |
1.20 | Ensure a support role has been created to manage incidents with AWS Support | This template creates IAM Role for AWS Support. |
2.1 | Ensure CloudTrail is enabled in all Regions | This template enables CloudTrail and related resources in all Regions. |
2.2 | Ensure CloudTrail log file validation is enabled | This template enables CloudTrail and related resources in all Regions. |
2.3 | Ensure the S3 bucket CloudTrail logs to is not publicly accessible | This template enables CloudTrail and related resources in all Regions. |
2.4 | Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs | This template enables CloudTrail and related resources in all Regions. |
2.5 | Ensure AWS Config is enabled in all regions | This template enables Config and related resources. |
2.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | This template enables CloudTrail and related resources in all Regions. |
2.7 | Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs | This template enables CloudTrail and related resources in all Regions. |
2.9 | Ensure VPC flow logging is enabled in all VPCs | Config checks it and SSM Automation enables VPC flow log automatically. |
3.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | This template creates a log metric filter and alarm. |
3.2 | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA | This template creates a log metric filter and alarm. |
3.3 | Ensure a log metric filter and alarm exist for usage of "root" account | This template creates a log metric filter and alarm. |
3.4 | Ensure a log metric filter and alarm exist for IAM policy changes | This template creates a log metric filter and alarm. |
3.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | This template creates a log metric filter and alarm. |
3.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | This template creates a log metric filter and alarm. |
3.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | This template creates a log metric filter and alarm. |
3.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | This template creates a log metric filter and alarm. |
3.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | This template creates a log metric filter and alarm. |
3.10 | Ensure a log metric filter and alarm exist for security group changes | This template creates a log metric filter and alarm. |
3.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | This template creates a log metric filter and alarm. |
3.12 | Ensure a log metric filter and alarm exist for changes to network gateways | This template creates a log metric filter and alarm. |
3.13 | Ensure a log metric filter and alarm exist for route table changes | This template creates a log metric filter and alarm. |
3.14 | Ensure a log metric filter and alarm exist for VPC changes | This template creates a log metric filter and alarm. |
4.1 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Config checks it and SSM Automation remediates the rules automatically. |
4.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Config checks it and SSM Automation remediates the rules automatically. |
4.3 | Ensure the default security group of every VPC restricts all traffic | Config checks it and SSM Automation remediates the default security group automatically. |
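Rows 3.1 to 3.14 all use the same building block: a CloudWatch Logs metric filter on the CloudTrail log group plus an alarm on the resulting metric. The fragment below is an added example, not the repository's template, for control 3.3 (usage of the "root" account). The log group and SNS topic are passed in as parameters and assumed to exist (for instance, created by the CloudTrail stack); the metric namespace and alarm name are assumptions.

```yaml
# Added example (not the repository's template). Names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: Log group the multi-Region trail delivers to (CIS 2.4)
  AlarmTopicArn:
    Type: String
    Description: SNS topic ARN that receives the alarm notification

Resources:
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # Root principal, not acting via a service (invokedBy), and not an AWS service
      # event; the two exclusions avoid alarming on AWS-initiated activity.
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark        # assumed namespace
          MetricName: RootAccountUsageCount
          MetricValue: '1'

  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-3.3-RootAccountUsage    # assumed name
      AlarmDescription: Root account was used (CIS 3.3)
      Namespace: CISBenchmark
      MetricName: RootAccountUsageCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # No matching events means no root usage, so missing data is not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopicArn
```

The other 3.x rows differ only in the filter pattern (for example `$.eventName = ConsoleLogin` with `$.additionalEventData.MFAUsed != "Yes"` for 3.2) and the metric name; the alarm definition is reused unchanged.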
This template helps you to comply with the PCI DSS controls.
No. | Rules | Remediation |
---|---|---|
PCI.CloudTrail.1 | CloudTrail logs should be encrypted at rest using AWS KMS CMKs. | This template enables CloudTrail and related resources in all Regions. |
PCI.CloudTrail.2 | CloudTrail should be enabled. | This template enables CloudTrail and related resources in all Regions. |
PCI.CloudTrail.3 | CloudTrail log file validation should be enabled. | This template enables CloudTrail and related resources in all Regions. |
PCI.CloudTrail.4 | CloudTrail trails should be integrated with CloudWatch Logs. | This template enables CloudTrail and related resources in all Regions. |
PCI.Config.1 | AWS Config should be enabled. | This template enables Config and related resources in all Regions. |
PCI.CW.1 | A log metric filter and alarm should exist for usage of the "root" user. | This template enables CloudTrail and related resources in all Regions. |
PCI.EC2.2 | VPC default security group should prohibit inbound and outbound traffic. | Config checks it and SSM Automation remediates the default security group automatically. |
PCI.IAM.1 | IAM root user access key should not exist. | Config checks it and SSM Automation remediates it automatically. |
PCI.S3.4 | S3 buckets should have server-side encryption enabled. | Config checks it and SSM Automation remediates it automatically. |
This template helps you to comply with the AWS Foundational Security Best Practices standard.
No. | Rules | Remediation |
---|---|---|
CloudTrail.1 | CloudTrail should be enabled and configured with at least one multi-Region trail. | This template enables CloudTrail and related resources in all Regions. |
CloudTrail.2 | CloudTrail should have encryption at-rest enabled. | This template enables CloudTrail and related resources in all Regions. |
Config.1 | AWS Config should be enabled. | This template enables Config and related resources in all Regions. |
EC2.2 | The VPC default security group should not allow inbound and outbound traffic. | Config checks it and SSM Automation remediates the default security group automatically. |
GuardDuty.1 | GuardDuty should be enabled. | This template enables GuardDuty and related resources in all Regions. |
IAM.3 | IAM users' access keys should be rotated every 90 days or less. | Config checks it and Lambda removes it automatically. |
IAM.4 | IAM root user access key should not exist. | Config checks it and SSM Automation remediates it automatically. |
S3.4 | S3 buckets should have server-side encryption enabled. | Config checks it and SSM Automation remediates it automatically. |