Monitoring ACM PCA events

Creating a CA certificate is a privileged operation that may only be performed by authorized members of the CA administration team. We therefore want to monitor every CA certificate creation, and we also need to know when a certificate is revoked.

Solution:

Use EventBridge to catch the certificate-related API calls recorded by CloudTrail, send the matching events to a Lambda function, and have the Lambda function forward them to Security Hub as findings:

[Image: EventBridge to Lambda to Security Hub flow]

Lambda

Create two Lambda functions: one that handles certificate creation and one that handles certificate revocation (RevokeCertificate):

import boto3
import datetime


def lambda_handler(event, context):
    secHubClient = boto3.client('securityhub')
    accountNum = boto3.client('sts').get_caller_identity()['Account']
    region = boto3.session.Session().region_name
    # EventBridge delivers the CloudTrail record under "detail"
    caCertARN = event['detail']['requestParameters']['certificateAuthorityArn']
    # ASFF timestamps are ISO 8601 in UTC; datetime.now() without a timezone would be local time
    date = datetime.datetime.now(datetime.timezone.utc).isoformat().replace('+00:00', 'Z')
    print(date)

    response = secHubClient.batch_import_findings(
        Findings=[
            {
                "SchemaVersion": "2018-10-08",
                # One finding per CA: importing the same Id again updates the finding instead of duplicating it
                "Id": region + "/" + accountNum + "/" + caCertARN,
                "ProductArn": "arn:aws:securityhub:" + region + ":" + accountNum + ":product/" + accountNum + "/default",
                "GeneratorId": caCertARN,
                "AwsAccountId": accountNum,
                "Types": [
                    "Unusual Behaviors/Process"
                ],
                "CreatedAt": date,
                "UpdatedAt": date,
                "Severity": {
                    "Normalized": 60
                },
                "Criticality": 80,
                "Title": "Certificate Authority Creation",
                "Description": "A Private CA certificate was issued in AWS Certificate Manager Private CA",
                "Remediation": {
                    "Recommendation": {
                        "Text": "Verify this CA certificate creation was performed by a privileged user",
                        "Url": "https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html"
                    }
                },
                "ProductFields": {
                    # caCertARN is the variable, not a literal string
                    "aws/securityhub/FindingId": "arn:aws:securityhub:" + region + ":" + accountNum + ":product/" + accountNum + "/default/" + region + "/" + accountNum + "/" + caCertARN,
                    "aws/securityhub/SeverityLabel": "MEDIUM",
                    "aws/securityhub/ProductName": "ACM PCA",
                    "aws/securityhub/CompanyName": "AWS"
                },
                "Resources": [
                    {
                        "Type": "Other",
                        "Id": caCertARN,
                        "Region": region
                    }
                ],
                "WorkflowState": "NEW",
                "RecordState": "ACTIVE"
            },
        ]
    )
    print(response)
    return 200

The Lambda function for revocations:

import boto3
import datetime


def lambda_handler(event, context):
    secHubClient = boto3.client('securityhub')
    accountNum = boto3.client('sts').get_caller_identity()['Account']
    region = boto3.session.Session().region_name
    # RevokeCertificate identifies the certificate by its serial number, not by an ARN
    certSerial = event['detail']['requestParameters']['certificateSerial']
    # ASFF timestamps are ISO 8601 in UTC
    date = datetime.datetime.now(datetime.timezone.utc).isoformat().replace('+00:00', 'Z')
    print(date)

    response = secHubClient.batch_import_findings(
        Findings=[
            {
                "SchemaVersion": "2018-10-08",
                "Id": region + "/" + accountNum + "/" + certSerial,
                "ProductArn": "arn:aws:securityhub:" + region + ":" + accountNum + ":product/" + accountNum + "/default",
                "GeneratorId": certSerial,
                "AwsAccountId": accountNum,
                "Types": [
                    "Unusual Behaviors/Process"
                ],
                "CreatedAt": date,
                "UpdatedAt": date,
                "Severity": {
                    "Normalized": 60
                },
                "Criticality": 80,
                "Title": "Certificate Revocation",
                "Description": "A private certificate was revoked in AWS Certificate Manager Private CA",
                "Remediation": {
                    "Recommendation": {
                        "Text": "Verify this certificate revocation was performed by a privileged user",
                        "Url": "https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html"
                    }
                },
                "ProductFields": {
                    # certSerial is the variable, not a literal string
                    "aws/securityhub/FindingId": "arn:aws:securityhub:" + region + ":" + accountNum + ":product/" + accountNum + "/default/" + region + "/" + accountNum + "/" + certSerial,
                    "aws/securityhub/SeverityLabel": "MEDIUM",
                    "aws/securityhub/ProductName": "ACM PCA",
                    "aws/securityhub/CompanyName": "AWS"
                },
                "Resources": [
                    {
                        "Type": "Other",
                        "Id": certSerial,
                        "Region": region
                    }
                ],
                "WorkflowState": "NEW",
                "RecordState": "ACTIVE"
            },
        ]
    )
    print(response)
    return 200
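The two handlers differ only in the request parameter they read and the title they emit, and neither records who made the call, which is the first thing the remediation text asks the analyst to verify. As an added example (not code from the original post), here is a single testable function that builds the ASFF finding for either event, records the calling principal and source IP from the CloudTrail record, and skips calls that CloudTrail logged as failed, since a denied RevokeCertificate did not revoke anything. The sample event, account number and role names are constructed; the CloudTrail field names used (userIdentity.arn, sourceIPAddress, errorCode, eventTime) are standard CloudTrail fields.

```python
import copy
import datetime

# Constructed sample: the EventBridge envelope around a CloudTrail record for
# RevokeCertificate. Field names follow CloudTrail's format; all values are made up.
SAMPLE_REVOKE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.acm-pca",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventSource": "acm-pca.amazonaws.com",
        "eventName": "RevokeCertificate",
        "eventTime": "2024-01-01T11:59:30Z",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DevRole/alice"},
        "requestParameters": {
            "certificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/example-ca",
            "certificateSerial": "0123456789abcdef",
            "revocationReason": "KEY_COMPROMISE",
        },
    },
}
# Same call, but CloudTrail recorded it as denied: nothing was actually revoked
SAMPLE_DENIED_EVENT = copy.deepcopy(SAMPLE_REVOKE_EVENT)
SAMPLE_DENIED_EVENT["detail"]["errorCode"] = "AccessDeniedException"
# The CA-certificate import event, reusing the same constructed CA ARN
SAMPLE_CREATE_EVENT = copy.deepcopy(SAMPLE_REVOKE_EVENT)
SAMPLE_CREATE_EVENT["detail"]["eventName"] = "ImportCertificateAuthorityCertificate"
# Fixed clock so the output is deterministic
SAMPLE_TIME = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)

# eventName -> (request parameter naming the affected resource, finding title)
EVENT_SPECS = {
    "ImportCertificateAuthorityCertificate": ("certificateAuthorityArn", "Certificate Authority Creation"),
    "RevokeCertificate": ("certificateSerial", "Certificate Revocation"),
}


def build_finding(event, now=None):
    """Map one CloudTrail-via-EventBridge event to an ASFF finding dict.

    Returns None for event names that are not monitored and for calls CloudTrail
    recorded as failed ('errorCode' present): a denied call changed nothing, so it
    should not be raised as the same finding as a successful one.
    """
    detail = event["detail"]
    spec = EVENT_SPECS.get(detail.get("eventName"))
    if spec is None or "errorCode" in detail:
        return None
    param, title = spec
    params = detail["requestParameters"]
    resource_id = params[param]
    account, region = event["account"], event["region"]
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    source_ip = detail.get("sourceIPAddress", "unknown")
    stamp = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat().replace("+00:00", "Z")
    return {
        "SchemaVersion": "2018-10-08",
        # Stable Id per (event, resource): re-importing updates the finding instead of duplicating it
        "Id": f"{region}/{account}/{detail['eventName']}/{resource_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": f"acm-pca-monitor/{detail['eventName']}",
        "AwsAccountId": account,
        "Types": ["Unusual Behaviors/Process"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": "MEDIUM"},
        "Title": title,
        # The analyst's first question is "who did this?", so put the principal in the text
        "Description": f"{detail['eventName']} on {resource_id} by {actor} from {source_ip}",
        "Remediation": {"Recommendation": {
            "Text": "Verify that the principal named in this finding is an authorized CA administrator",
            "Url": "https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html"}},
        # Custom ProductFields keys; the aws/securityhub/* keys are reserved for Security Hub itself
        "ProductFields": {
            "Actor": actor,
            "SourceIp": source_ip,
            "EventTime": detail.get("eventTime", ""),
            "CertificateAuthorityArn": params.get("certificateAuthorityArn", ""),
        },
        "Resources": [{"Type": "Other", "Id": resource_id, "Region": region}],
        "WorkflowState": "NEW",
        "RecordState": "ACTIVE",
    }


def lambda_handler(event, context):
    """Single handler usable behind both EventBridge rules (boto3 is imported lazily so
    build_finding can be unit-tested without AWS credentials)."""
    finding = build_finding(event)
    if finding is None:
        return {"imported": 0, "failed": 0}
    import boto3
    resp = boto3.client("securityhub").batch_import_findings(Findings=[finding])
    return {"imported": resp["SuccessCount"], "failed": resp["FailedCount"]}
```

Because the account and region come from the EventBridge envelope rather than from STS and the session, the function needs no AWS calls until the import itself, which keeps the finding construction unit-testable.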

Attach the following managed policies to the execution roles of both Lambda functions:

          - 'arn:aws:iam::aws:policy/AWSSecurityHubFullAccess'
          - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'

Create the EventBridge rules

Create two EventBridge rules. The first matches certificate creation:

      EventPattern:
        source:
          - "aws.acm-pca"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "acm-pca.amazonaws.com"
          eventName:
            - "ImportCertificateAuthorityCertificate"

The second matches certificate revocation:

      EventPattern:
        source:
          - "aws.acm-pca"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "acm-pca.amazonaws.com"
          eventName:
            - "RevokeCertificate"
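Both patterns are exact, case-sensitive lists: an event matches only when every listed field is present and equals one of the listed values, so an API name that is not in the list (IssueCertificate, for instance) never reaches the Lambda. As an added example (not part of the original post), the following minimal matcher implements just that subset of EventBridge pattern semantics so the two patterns above can be checked offline against constructed events; content filters such as prefix or anything-but are deliberately not implemented.

```python
# The two rule patterns from this page, as Python dicts (the YAML above is the
# EventPattern property of an AWS::Events::Rule)
CREATE_PATTERN = {
    "source": ["aws.acm-pca"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["acm-pca.amazonaws.com"],
        "eventName": ["ImportCertificateAuthorityCertificate"],
    },
}
REVOKE_PATTERN = {
    "source": ["aws.acm-pca"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["acm-pca.amazonaws.com"],
        "eventName": ["RevokeCertificate"],
    },
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics sufficient for these rules:
    every key in the pattern must exist in the event; a nested dict recurses;
    a list means "the event value equals one of these exact, case-sensitive values".
    Content filters ({"prefix": ...}, {"anything-but": ...}) are not handled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_event(event_name, source="aws.acm-pca", event_source="acm-pca.amazonaws.com"):
    """Constructed minimal CloudTrail-via-EventBridge event for testing patterns offline."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name,
                   "requestParameters": {}},
    }


def route(event):
    """Which rule fires for this event: 'create', 'revoke', or None if neither matches."""
    if matches(CREATE_PATTERN, event):
        return "create"
    if matches(REVOKE_PATTERN, event):
        return "revoke"
    return None
```

For the real service's verdict on a pattern, the CLI command `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` evaluates a pattern against a sample event without creating a rule.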

Monitoring in Security Hub

Checking certificate creation events

Open the Findings page in the Security Hub console:

[Image: Security Hub findings]

  1. Search by Title for Certificate Authority Creation

[Image: Security Hub filter]

Select a finding and click its Finding ID:

[Image: Security Hub finding ID]

The details of the certificate that was created can be found there:

[Image: Security Hub finding JSON]


Checking certificate revocation events

This scenario simulates a developer revoking many certificates within a short period of time. When such activity occurs we want to detect it and notify the security team so that it can be investigated.
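From a detection standpoint, the signal in this scenario is not a single revocation but a burst of revocations by one principal. As an added example (not part of the original post), here is a sliding-window detector that groups RevokeCertificate records by the calling principal and flags anyone who revoked at least a threshold of distinct certificates inside the window; failed calls are ignored for the same reason as above. The records, role names and thresholds are constructed; the field names (eventTime, userIdentity.arn, requestParameters.certificateSerial, errorCode) are the ones the CloudTrail record carries.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(event_time, user, serial, error=None):
    """Constructed CloudTrail record with only the fields the detector reads."""
    rec = {
        "eventTime": event_time,
        "eventName": "RevokeCertificate",
        "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/DevRole/{user}"},
        "requestParameters": {"certificateSerial": serial},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample data: alice revokes six certificates in five minutes (the burst),
# carol revokes five spread one hour apart, bob revokes one and has one call denied.
SAMPLE_RECORDS = (
    [_rec(f"2024-01-01T12:0{i}:00Z", "alice", f"a{i}") for i in range(6)]
    + [_rec(f"2024-01-01T{9 + i:02d}:00:00Z", "carol", f"c{i}") for i in range(5)]
    + [_rec("2024-01-01T12:05:00Z", "bob", "b0"),
       _rec("2024-01-01T12:06:00Z", "bob", "b1", error="AccessDeniedException")]
)


def revocation_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return {actor_arn: sorted serials} for each principal that revoked at least
    `threshold` distinct certificates within any sliding window of length `window`.
    Failed calls (errorCode present) and other event names are ignored."""
    by_actor = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != "RevokeCertificate" or "errorCode" in rec:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        serial = rec["requestParameters"]["certificateSerial"]
        by_actor[rec["userIdentity"]["arn"]].append((when, serial))

    flagged = defaultdict(set)
    for actor, events in by_actor.items():
        recent = deque()  # events inside the current window, oldest first
        for when, serial in events:
            recent.append((when, serial))
            while when - recent[0][0] > window:
                recent.popleft()
            serials = {s for _, s in recent}
            if len(serials) >= threshold:
                flagged[actor].update(serials)
    return {actor: sorted(serials) for actor, serials in flagged.items()}
```

In production the same logic needs state that outlives one Lambda invocation (for example a per-principal counter in DynamoDB with a TTL), and the flagged principal would be raised as a separate, higher-severity finding than the per-certificate ones so that it stands out in the Findings list.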

Navigate to the Security Hub console and choose Findings in the left-hand menu.

[Image: Security Hub findings]

Search for Title = Certificate Revocation; the list shows the revoked certificates:

[Image: Security Hub findings]