Slide 28
Slide 28 text
It is difficult for the central security team to check every notification
● Set up a Slack channel that receives only the important notifications from all AWS accounts
○ Adjusting the event pattern lets you implement a wide range of notification conditions
# Receive CRITICAL, HIGH and MEDIUM Security Hub findings for a specific account
{
  "detail": {
    "findings": {
      "AwsAccountId": ["123456789012"],
      "ProductName": ["Security Hub"],
      "RecordState": ["ACTIVE"],
      "Severity": {
        "Label": ["CRITICAL", "HIGH", "MEDIUM"]
      },
      "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  },
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"]
}
# Receive CRITICAL Security Hub findings for all accounts
{
  "detail": {
    "findings": {
      "ProductName": ["Security Hub"],
      "RecordState": ["ACTIVE"],
      "Severity": {
        "Label": ["CRITICAL"]
      },
      "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  },
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"]
}
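As an added example (not part of the slide deck), a small Python model of how EventBridge evaluates the two patterns above against constructed "Security Hub Findings - Imported" events, so a notification condition can be checked offline before the rule is deployed; `matches` and `finding_event` are hypothetical helpers, and real EventBridge evaluates each leaf path independently, so an event carrying several findings may match more liberally than this one-finding-at-a-time model.

```python
AFSBP = ("Software and Configuration Checks/Industry and Regulatory "
         "Standards/AWS-Foundational-Security-Best-Practices")
# The two event patterns from the slide, as Python dicts.
ONE_ACCOUNT_MEDIUM_AND_UP = {
    "detail": {"findings": {
        "AwsAccountId": ["123456789012"],
        "ProductName": ["Security Hub"],
        "RecordState": ["ACTIVE"],
        "Severity": {"Label": ["CRITICAL", "HIGH", "MEDIUM"]},
        "Types": [AFSBP],
        "Workflow": {"Status": ["NEW"]},
    }},
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
}
ALL_ACCOUNTS_CRITICAL = {
    "detail": {"findings": {
        "ProductName": ["Security Hub"],
        "RecordState": ["ACTIVE"],
        "Severity": {"Label": ["CRITICAL"]},
        "Types": [AFSBP],
        "Workflow": {"Status": ["NEW"]},
    }},
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
}

def matches(pattern, event):
    """EventBridge exact-match rules: nested objects recurse, a leaf list means
    "value is one of these", and an array in the event matches if any element does."""
    if isinstance(pattern, dict):
        if isinstance(event, list):  # e.g. detail.findings is an array of findings
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(k in event and matches(v, event[k]) for k, v in pattern.items())
    values = event if isinstance(event, list) else [event]
    return any(v in pattern for v in values)

def finding_event(account, label, status="NEW", product="Security Hub"):
    """Constructed 'Security Hub Findings - Imported' event (hypothetical data)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "AwsAccountId": account, "ProductName": product,
            "RecordState": "ACTIVE", "Severity": {"Label": label},
            "Types": [AFSBP], "Workflow": {"Status": status},
        }]},
    }
```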