{"id":9288,"date":"2025-10-13T06:19:47","date_gmt":"2025-10-13T06:19:47","guid":{"rendered":"https:\/\/pokecon.jp\/job\/?p=9288"},"modified":"2025-10-13T06:19:47","modified_gmt":"2025-10-13T06:19:47","slug":"aws-cdk-%e3%81%a7-aws-security-hub-%e3%82%92%e5%ae%9f%e8%a3%85%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f-techharmony","status":"publish","type":"post","link":"https:\/\/pokecon.jp\/job\/9288\/","title":{"rendered":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony"},"content":{"rendered":"\n<\/p>\n<div itemprop=\"mainEntityOfPage\">\n<p>\u4eca\u56de\u306f\u3001AWS Config \u3068 AWS Security Hub \u3092\u6d3b\u7528\u3057\u305f\u7d71\u5408\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u8996\u3092 AWS CDK \u3067\u5b9f\u88c5\u3059\u308b\u65b9\u6cd5\u3092\u307e\u3068\u3081\u307e\u3057\u305f\u3002<\/p>\n<h2><span id=\"toc1\">\u306f\u3058\u3081\u306b<\/span><\/h2>\n<p>\u4eca\u56de\u306f\u3092AWS CDK\u3067AWS Config\u3068SecurityHub\u3092\u5b9f\u88c5\u3057\u3066\u3044\u304d\u307e\u3059\u3002<br \/>\u307e\u305f\u3001EventBridge\u3067\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u9055\u53cd\u3092\u691c\u77e5\u3057\u3066\u5165\u529b\u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30de\u30fc\u3067\u30e1\u30fc\u30eb\u6587\u3092\u6210\u578b\u3057\u3066\u901a\u77e5\u3057\u307e\u3059\u3002<\/p>\n<h2><span id=\"toc2\">\u4eca\u56de\u4f5c\u6210\u3059\u308b\u30ea\u30bd\u30fc\u30b9<\/span><\/h2>\n<ul>\n<li><strong>SNS\u30c8\u30d4\u30c3\u30af<\/strong>: \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30e9\u30fc\u30c8\u306e\u901a\u77e5<\/li>\n<li><strong>S3\u30d0\u30b1\u30c3\u30c8<\/strong>: AWS Config\u8a2d\u5b9a\u5c65\u6b74\u306e\u4fdd\u5b58<\/li>\n<li><strong>IAM\u30ed\u30fc\u30eb<\/strong>: AWS Config\u3068SecurityHub\u5b9f\u884c\u6a29\u9650<\/li>\n<li><strong>AWS Config<\/strong>: \u5168\u30ea\u30bd\u30fc\u30b9\u306e\u69cb\u6210\u5909\u66f4\u8a18\u9332<\/li>\n<li><strong>AWS SecurityHub<\/strong>: \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u57fa\u6e96\u30c1\u30a7\u30c3\u30af<\/li>\n<li><strong>EventBridge<\/strong>: \u8105\u5a01\u691c\u77e5\u6642\u306e\u81ea\u52d5\u901a\u77e5<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h2><span id=\"toc3\">\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u6982\u8981<\/span><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-46815 size-large\" src=\"https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20-800x328.png\" alt=\"\" width=\"800\" height=\"328\" srcset=\"https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20-800x328.png 800w, https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20-600x246.png 600w, https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20-300x123.png 300w, https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20-768x315.png 768w, https:\/\/blog.usize-tech.com\/contents\/uploads\/2025\/10\/image-2025-9-17_15-36-20.png 979w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"\/><\/p>\n<p>\u00a0<\/p>\n<h2><span id=\"toc4\">AWS CDK \u30bd\u30fc\u30b9\u30b3\u30fc\u30c9<\/span><\/h2>\n<h3><span id=\"toc5\">SNS\u901a\u77e5\u8a2d\u5b9a<\/span><\/h3>\n<pre><code class=\"language-typescript\">    const emailAddresses = [                                                             \/\/ SNS\u901a\u77e5\u5148\u30e1\u30fc\u30ea\u30f3\u30b0\u30ea\u30b9\u30c8(\u901a\u77e5\u5148\u304c\u8907\u6570\u3042\u308b\u5834\u5408\u306f\u30a2\u30c9\u30ec\u30b9\u3092\u8ffd\u52a0)&#13;\n      'xxxxxx@example.com',&#13;\n      'xxxxxx@example.com',&#13;\n    ];&#13;\n&#13;\n    \/\/ SecurityHub\u7528\u30c8\u30d4\u30c3\u30af&#13;\n    const securityHubTopic = new sns.Topic(this, 'SecurityHubTopic', {                   &#13;\n      topicName: 'securityhub-alertnotification',                                        \/\/ \u30c8\u30d4\u30c3\u30af\u540d&#13;\n      displayName: 'SecurityHub Alert Notifications'                                     \/\/ \u8868\u793a\u540d&#13;\n    });&#13;\n&#13;\n    \/\/ SecurityHub\u7528\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3&#13;\n    emailAddresses.forEach(email =&gt; {                                                    &#13;\n        securityHubTopic.addSubscription(&#13;\n        new subscriptions.EmailSubscription(email)                                       \/\/ \u30d7\u30ed\u30c8\u30b3\u30eb\uff1aEMAIL&#13;\n      );&#13;\n    });<\/code><\/pre>\n<p class=\"mb-2 whitespace-pre-wrap\"><strong>\u30dd\u30a4\u30f3\u30c8:<\/strong><\/p>\n<ul>\n<li>\u8907\u6570\u306e\u7ba1\u7406\u8005\u3078\u306e\u901a\u77e5\u914d\u4fe1<\/li>\n<li>\u30a2\u30e9\u30fc\u30e0\u767a\u751f\u6642\u306b\u901a\u77e5\u3059\u308b\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u3092\u6307\u5b9a<\/li>\n<\/ul>\n<h3><span id=\"toc6\">S3\u30d0\u30b1\u30c3\u30c8\u8a2d\u5b9a\uff08Config\u5c65\u6b74\u4fdd\u5b58\uff09<\/span><\/h3>\n<pre><code class=\"language-typescript\">    const configBucket = new s3.Bucket(this, 'ConfigBucket', {&#13;\n      bucketName: 's3b-config',                                                          \/\/ \u30d0\u30b1\u30c3\u30c8\u540d&#13;\n      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,                                 \/\/ \u30d1\u30d6\u30ea\u30c3\u30af\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u30d6\u30ed\u30c3\u30af&#13;\n      encryption: s3.BucketEncryption.S3_MANAGED,                                        \/\/ \u6697\u53f7\u5316\u30bf\u30a4\u30d7\uff1aSSE-S3&#13;\n      enforceSSL: true,                                                                  \/\/ SSL\u901a\u4fe1\u3092\u5f37\u5236&#13;\n      autoDeleteObjects: true,                                                           \/\/ \u30b9\u30bf\u30c3\u30af\u524a\u9664\u6642\u306b\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u81ea\u52d5\u7684\u306b\u524a\u9664 \u203b\u30c7\u30d7\u30ed\u30a4\u6642\u306b\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8&#13;\n      removalPolicy: cdk.RemovalPolicy.DESTROY,                                          \/\/ \u30b9\u30bf\u30c3\u30af\u524a\u9664\u6642\u306b\u30d0\u30b1\u30c3\u30c8\u3082\u524a\u9664 \u203b\u30c7\u30d7\u30ed\u30a4\u6642\u306bRETAIN\u306b\u4fee\u6b63&#13;\n      lifecycleRules: [                                                                  \/\/ \u30e9\u30a4\u30d5\u30b5\u30a4\u30af\u30eb\u30eb\u30fc\u30eb\u4f5c\u6210&#13;\n        {&#13;\n          id: 'Expiration Rule 12 Months',                                               \/\/ \u30e9\u30a4\u30d5\u30b5\u30a4\u30af\u30eb\u30eb\u30fc\u30eb\u540d&#13;\n          expiration: cdk.Duration.days(366),                                            \/\/ \u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u73fe\u884c\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u6709\u52b9\u671f\u9650:366\u65e5\u5f8c\u306b\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u524a\u9664&#13;\n        }&#13;\n      ]&#13;\n    });&#13;\n&#13;\n    configBucket.addToResourcePolicy(new iam.PolicyStatement({                           \/\/ \u30d0\u30b1\u30c3\u30c8\u30dd\u30ea\u30b7\u30fc\u8ffd\u52a01&#13;\n      effect: iam.Effect.ALLOW,&#13;\n      actions: [&#13;\n        's3:GetBucketAcl',&#13;\n        's3:ListBucket'&#13;\n      ],&#13;\n      resources: [configBucket.bucketArn],&#13;\n      principals: [new iam.ServicePrincipal('config.amazonaws.com')],&#13;\n      conditions: {&#13;\n        StringEquals: {&#13;\n          'aws:SourceAccount': cdk.Stack.of(this).account               &#13;\n        }&#13;\n      }&#13;\n    }));&#13;\n&#13;\n    configBucket.addToResourcePolicy(new iam.PolicyStatement({                           \/\/ \u30d0\u30b1\u30c3\u30c8\u30dd\u30ea\u30b7\u30fc\u8ffd\u52a02&#13;\n      effect: iam.Effect.ALLOW,&#13;\n      actions: [&#13;\n        's3:PutObject'&#13;\n      ],&#13;\n      resources: [`${configBucket.bucketArn}\/AWSLogs\/${cdk.Stack.of(this).account}\/Config\/*`],&#13;\n      principals: [new iam.ServicePrincipal('config.amazonaws.com')],&#13;\n      conditions: {&#13;\n        StringEquals: {&#13;\n          's3:x-amz-acl': 'bucket-owner-full-control',                                  \/\/ \u30d0\u30b1\u30c3\u30c8\u6240\u6709\u8005\u306b\u30d5\u30eb\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3092\u4ed8\u4e0e&#13;\n          'aws:SourceAccount': cdk.Stack.of(this).account            &#13;\n        }&#13;\n      }&#13;\n    }));<\/code><\/pre>\n<p class=\"mb-2 whitespace-pre-wrap\"><strong>\u30dd\u30a4\u30f3\u30c8:<\/strong><\/p>\n<ul>\n<li><strong>\u30bb\u30ad\u30e5\u30a2\u8a2d\u8a08<\/strong>: \u30d1\u30d6\u30ea\u30c3\u30af\u30a2\u30af\u30bb\u30b9\u5b8c\u5168\u30d6\u30ed\u30c3\u30af\u3001SSL\u5f37\u5236<\/li>\n<li><strong>\u9577\u671f\u4fdd\u5b58<\/strong>: \u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u306b\u5fdc\u3058\u305f1\u5e74\u9593\u4fdd\u6301<\/li>\n<li><strong>\u9069\u5207\u306a\u6a29\u9650<\/strong>: AWS Config\u30b5\u30fc\u30d3\u30b9\u306e\u307f\u306b\u30a2\u30af\u30bb\u30b9\u8a31\u53ef<\/li>\n<\/ul>\n<h3><span id=\"toc7\">AWS Config\u8a2d\u5b9a<\/span><\/h3>\n<pre><code class=\"language-typescript\">    \/\/ \u30b5\u30fc\u30d3\u30b9\u30ed\u30fc\u30eb\u4f5c\u6210&#13;\n    const configServiceRole = new iam.CfnServiceLinkedRole(this, 'ConfigServiceLinkedRole', {                     \/\/ \u65e2\u5b58\u306eAWS Config\u30b5\u30fc\u30d3\u30b9\u306b\u30ea\u30f3\u30af\u3055\u308c\u305f\u30ed\u30fc\u30eb(Config\u5b9f\u884c\u306b\u5fc5\u8981\u306a\u6a29\u9650\u3092\u81ea\u52d5\u4ed8\u4e0e)\u203b\u3059\u3067\u306b\u4ed8\u4e0e\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u306f\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3057\u3066\u30c7\u30d7\u30ed\u30a4&#13;\n      awsServiceName: 'config.amazonaws.com',                                                                     \/\/ \u30b5\u30fc\u30d3\u30b9\u540d&#13;\n    });&#13;\n&#13;\n    \/\/ \u30ec\u30b3\u30fc\u30c0\u30fc\u306e\u4f5c\u6210&#13;\n    const accountId = cdk.Stack.of(this).account;&#13;\n    const configRecorder = new config.CfnConfigurationRecorder(this, 'Recorder', {&#13;\n      roleArn: `arn:aws:iam::${accountId}:role\/aws-service-role\/config.amazonaws.com\/AWSServiceRoleForConfig`,    \/\/ Config\u306eIAM\u30ed\u30fc\u30eb(Config\u304c\u30ea\u30bd\u30fc\u30b9\u306e\u8a2d\u5b9a\u5909\u66f4\u3092\u8a18\u9332\u3059\u308b\u6a29\u9650)&#13;\n      recordingGroup: {                                                                                           \/\/ \u8a18\u9332\u5bfe\u8c61\u306e\u8a2d\u5b9a&#13;\n        allSupported: true,                                                                                       \/\/ \u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u308b\u5168\u30ea\u30bd\u30fc\u30b9\u30bf\u30a4\u30d7\u3092\u8a18\u9332&#13;\n        includeGlobalResourceTypes: true,                                                                         \/\/ \u30b0\u30ed\u30fc\u30d0\u30eb\u30ea\u30bd\u30fc\u30b9\u3082\u8a18\u9332\u5bfe\u8c61\u306b\u542b\u3081\u308b&#13;\n      }&#13;\n    });&#13;\n&#13;\n    \/\/ \u914d\u4fe1\u30c1\u30e3\u30cd\u30eb\u306e\u4f5c\u6210&#13;\n    const configDeliveryChannel = new config.CfnDeliveryChannel(this, 'DeliveryChannel', {                        \/\/ &#13;\n      s3BucketName: configBucket.bucketName,                                                                      \/\/ Config\u7528\u306e\u30d0\u30b1\u30c3\u30c8&#13;\n      configSnapshotDeliveryProperties: {                                                                         \/\/ &#13;\n        deliveryFrequency: 'TwentyFour_Hours'                                                                     \/\/ \u30b9\u30ca\u30c3\u30d7\u30b7\u30e7\u30c3\u30c8\u309224\u6642\u9593(1\u65e5)\u3054\u3068\u306bS3\u30d0\u30b1\u30c3\u30c8\u3078\u914d\u4fe1&#13;\n      }&#13;\n    });&#13;\n<\/code><\/pre>\n<p class=\"mb-2 whitespace-pre-wrap\"><strong>\u30dd\u30a4\u30f3\u30c8:<\/strong><\/p>\n<ul>\n<li><strong>\u5305\u62ec\u7684\u8a18\u9332<\/strong>: \u5168\u30b5\u30dd\u30fc\u30c8\u30ea\u30bd\u30fc\u30b9\u306e\u69cb\u6210\u5909\u66f4\u3092\u8a18\u9332<\/li>\n<li><strong>\u30b0\u30ed\u30fc\u30d0\u30eb\u30ea\u30bd\u30fc\u30b9\u5bfe\u5fdc<\/strong>: IAM\u3001CloudFront\u306a\u3069\u3082\u76e3\u8996\u5bfe\u8c61<\/li>\n<li><strong>\u5b9a\u671f\u30b9\u30ca\u30c3\u30d7\u30b7\u30e7\u30c3\u30c8<\/strong>: 24\u6642\u9593\u3054\u3068\u306e\u8a2d\u5b9a\u72b6\u6cc1\u4fdd\u5b58<\/li>\n<li><strong>\u30b5\u30fc\u30d3\u30b9\u30ea\u30f3\u30af\u30ed\u30fc\u30eb<\/strong>: AWS Config\u5c02\u7528\u306e\u6a29\u9650\u3067\u5b9f\u884c<\/li>\n<\/ul>\n<h3><span id=\"toc8\">AWS SecurityHub\u8a2d\u5b9a<\/span><\/h3>\n<pre><code class=\"language-typescript\">    \/\/ AWS\u57fa\u790e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9v1.0.0 \/ CISAWSFoundationsBenchmarkv1.2.0 \u6709\u52b9\u5316&#13;\n    const securityHub = new securityhub.CfnHub(this, 'SecurityHub', { &#13;\n      enableDefaultStandards: true,                                                      \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u57fa\u6e96\u3092\u6709\u52b9\u5316&#13;\n      controlFindingGenerator: 'SECURITY_CONTROL',                                       \/\/ \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u7ba1\u7406\u30d9\u30fc\u30b9\u306e\u691c\u51fa&#13;\n    });&#13;\n<\/code><\/pre>\n<p class=\"mb-2 whitespace-pre-wrap\"><strong>\u30dd\u30a4\u30f3\u30c8:<\/strong><\/p>\n<ul>\n<li><strong>AWS Foundational Security Standard<\/strong>: AWS\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9\u57fa\u6e96<\/li>\n<li><strong>CIS AWS Foundations Benchmark v1.2.0<\/strong>: \u696d\u754c\u6a19\u6e96\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u57fa\u6e96<\/li>\n<li><strong>\u81ea\u52d5\u691c\u51fa<\/strong>: \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u9055\u53cd\u306e\u81ea\u52d5\u691c\u77e5<\/li>\n<\/ul>\n<h3><span id=\"toc9\">EventBridge\u8a2d\u5b9a<\/span><\/h3>\n<pre><code class=\"language-typescript\">    \/\/ SecurityHub\u7528\u30eb\u30fc\u30eb&#13;\n    const securityHubRule = new events.Rule(this, 'SecurityHubEventRule', {&#13;\n      ruleName: 'eventbridge-rule-securityhub',                                          \/\/ \u30eb\u30fc\u30eb\u540d&#13;\n      eventPattern: {                                                                    \/\/ \u30a4\u30d9\u30f3\u30c8\u30d1\u30bf\u30fc\u30f3\u3092\u6307\u5b9a&#13;\n        source: ['aws.securityhub'],&#13;\n        detailType: ['Security Hub Findings - Imported'],                                \/\/ SecurityHub\u306b\u3088\u3063\u3066\u691c\u51fa\u3055\u308c\u305f\u7d50\u679c\uff08Findings\uff09\u304c\u30a4\u30f3\u30dd\u30fc\u30c8\u3055\u308c\u305f\u969b\u306b\u767a\u884c\u3055\u308c\u308b\u30a4\u30d9\u30f3\u30c8&#13;\n        detail: {&#13;\n          findings: {&#13;\n            Compliance: {                                                                \/\/ \u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u30b9\u30c6\u30fc\u30bf\u30b9\u304cFAILED\u304b\u3069\u3046\u304b&#13;\n              Status: ['FAILED']                                                         \/\/ FAILED\uff1a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u3084\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u3092\u6e80\u305f\u3055\u306a\u3044\u691c\u51fa\u7d50\u679c&#13;\n            },&#13;\n            Severity: {&#13;\n              Label: ['HIGH', 'CRITICAL']                                                \/\/ \u91cd\u8981\u5ea6\u304cHIGH,CRITICAL\u304b\u3069\u3046\u304b&#13;\n            },&#13;\n            Workflow: {                                                                  \/\/ \u30ef\u30fc\u30af\u30d5\u30ed\u30fc\u30b9\u30c6\u30fc\u30bf\u30b9\u304cNEW\u304b\u3069\u3046\u304b&#13;\n              Status: ['NEW']                                                            \/\/ NEW\uff1a\u307e\u3060\u8abf\u67fb\u3084\u5bfe\u5fdc\u304c\u884c\u308f\u308c\u3066\u3044\u306a\u3044\u65b0\u3057\u3044\u691c\u51fa\u7d50\u679c&#13;\n            }&#13;\n          }&#13;\n        }&#13;\n      },&#13;\n    });&#13;\n&#13;\n    \/\/ \u5165\u529b\u30d1\u30b9\u30de\u30c3\u30d7\uff08InputPathsMap\uff09&#13;\n    const inputPathsMap: { [key: string]: string } = {&#13;\n      accountId: '$.detail.findings[0].AwsAccountId',&#13;\n      description: '$.detail.findings[0].Description',&#13;\n      resourceId: '$.detail.findings[0].Resources[0].Id',&#13;\n      securityControlId: '$.detail.findings[0].Compliance.SecurityControlId',&#13;\n      severity: '$.detail.findings[0].Severity.Label',&#13;\n      title: '$.detail.findings[0].Title',&#13;\n    };&#13;\n&#13;\n    const inputTemplate = \"\\\"\u30a2\u30ab\u30a6\u30f3\u30c8ID\uff1a \u306e SecurityHub \u3067\u30a4\u30d9\u30f3\u30c8\u691c\u77e5\u304c\u3042\u308a\u307e\u3057\u305f\u3002\\\"\\n\\\"\u691c\u77e5\u5185\u5bb9\u3092\u78ba\u8a8d\u3057\u3001\u5bfe\u5fdc\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002\\\"\\n\\n\\\"\u30bf\u30a4\u30c8\u30eb: []&#13;\n&#13;\n    const cfnRule = securityHubRule.node.defaultChild as events.CfnRule;&#13;\n    cfnRule.addPropertyOverride('Targets', [&#13;\n      {&#13;\n        Arn: securityHubTopic.topicArn,                                                  \/\/ SNS\u30c8\u30d4\u30c3\u30afARN&#13;\n        Id: 'SecurityHubTopicTarget',                                                    \/\/ \u30bf\u30fc\u30b2\u30c3\u30c8ID&#13;\n        InputTransformer: {                                                              \/\/ \u5165\u529b\u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30de\u30fc&#13;\n          InputPathsMap: inputPathsMap,&#13;\n          InputTemplate: inputTemplate,&#13;\n        },&#13;\n      },&#13;\n    ]);&#13;\n&#13;\n    \/\/ SNS Topic \u30dd\u30ea\u30b7\u30fc\uff08EventBridge \u304b\u3089\u306e Publish \u3092\u8a31\u53ef\uff09&#13;\n    securityHubTopic.addToResourcePolicy(new iam.PolicyStatement({&#13;\n      sid: 'AllowEventBridgePublish',                                                    \/\/ \u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8ID&#13;\n      effect: iam.Effect.ALLOW,                                                          \/\/ \u8a31\u53ef&#13;\n      principals: [new iam.ServicePrincipal('events.amazonaws.com')],                    \/\/ EventBridge\u30b5\u30fc\u30d3\u30b9\u30d7\u30ea\u30f3\u30b7\u30d1\u30eb&#13;\n      actions: ['sns:Publish'],                                                          \/\/ Publish\u6a29\u9650&#13;\n      resources: [securityHubTopic.topicArn],                                            \/\/ \u5bfe\u8c61\u30c8\u30d4\u30c3\u30af&#13;\n      conditions: {                                                                      \/\/ \u30eb\u30fc\u30ebARN\u306b\u9650\u5b9a&#13;\n        ArnEquals: { 'aws:SourceArn': securityHubRule.ruleArn }&#13;\n      }&#13;\n    }));<\/code><\/pre>\n<p class=\"mb-2 whitespace-pre-wrap\"><strong>\u30dd\u30a4\u30f3\u30c8:<\/strong><\/p>\n<ul>\n<li><strong>\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/strong>: HIGH\/CRITICAL\u91cd\u8981\u5ea6\u306e\u65b0\u898f\u9055\u53cd\u306e\u307f\u901a\u77e5<\/li>\n<li><strong>Input Transformer<\/strong>: Lambda\u306a\u3057\u3067\u901a\u77e5\u5185\u5bb9\u3092\u6574\u5f62<\/li>\n<li><strong>\u8a73\u7d30\u60c5\u5831<\/strong>: \u30a2\u30ab\u30a6\u30f3\u30c8ID\u3001\u30ea\u30bd\u30fc\u30b9ID\u3001\u9055\u53cd\u5185\u5bb9\u3092\u81ea\u52d5\u62bd\u51fa<\/li>\n<li><strong>\u30bb\u30ad\u30e5\u30a2\u901a\u77e5<\/strong>: \u7279\u5b9a\u306eEventBridge\u30eb\u30fc\u30eb\u304b\u3089\u306e\u307fPublish\u8a31\u53ef<\/li>\n<\/ul>\n<h2><span id=\"toc10\">\u8105\u5a01\u691c\u77e5\u30d5\u30ed\u30fc\u3068\u901a\u77e5\u5185\u5bb9<\/span><\/h2>\n<h3><span id=\"toc11\">\u691c\u77e5\u30d5\u30ed\u30fc<\/span><\/h3>\n<ol>\n<li><strong>\u30ea\u30bd\u30fc\u30b9\u5909\u66f4\u691c\u77e5<\/strong>: AWS Config\u304c\u30ea\u30bd\u30fc\u30b9\u69cb\u6210\u5909\u66f4\u3092\u8a18\u9332<\/li>\n<li><strong>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c1\u30a7\u30c3\u30af<\/strong>: SecurityHub\u304c\u8a2d\u5b9a\u57fa\u6e96\u306b\u7167\u5408<\/li>\n<li><strong>\u9055\u53cd\u691c\u51fa<\/strong>: \u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u9055\u53cd\u3084\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8105\u5a01\u3092\u7279\u5b9a<\/li>\n<li><strong>\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/strong>: EventBridge\u304c\u91cd\u8981\u5ea6\u30fb\u30b9\u30c6\u30fc\u30bf\u30b9\u3067\u30d5\u30a3\u30eb\u30bf<\/li>\n<li><strong>\u901a\u77e5\u9001\u4fe1<\/strong>: \u5165\u529b\u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30de\u30fc\u3067\u6574\u5f62\u3057\u3066SNS\u7d4c\u7531\u3067\u30e1\u30fc\u30eb\u901a\u77e5<\/li>\n<\/ol>\n<h3><span id=\"toc12\">\u901a\u77e5\u30e1\u30fc\u30eb\u4f8b<\/span><\/h3>\n<blockquote>\n<p>\u30a2\u30ab\u30a6\u30f3\u30c8ID\uff1a123456789012 \u306e SecurityHub \u3067\u30a4\u30d9\u30f3\u30c8\u691c\u77e5\u304c\u3042\u308a\u307e\u3057\u305f\u3002<br \/>\u691c\u77e5\u5185\u5bb9\u3092\u78ba\u8a8d\u3057\u3001\u5bfe\u5fdc\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002<\/p>\n<p>\u30bf\u30a4\u30c8\u30eb: [EC2.2] VPC default security group should not allow inbound and outbound traffic<br \/>\u91cd\u5927\u5ea6: HIGH<br \/>\u5bfe\u8c61\u30ea\u30bd\u30fc\u30b9: arn:aws:ec2:ap-northeast-1:123456789012:security-group\/sg-12345678<br \/>\u8aac\u660e: This AWS control checks whether the default security group of any VPC restricts all traffic.<\/p>\n<\/blockquote>\n<p>\u00a0<\/p>\n<h2><span id=\"toc13\">\u4eca\u56de\u5b9f\u88c5\u3057\u305f\u30b3\u30f3\u30b9\u30c8\u30e9\u30af\u30c8\u30d5\u30a1\u30a4\u30eb\u307e\u3068\u3081<\/span><\/h2>\n<pre><code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib';&#13;\nimport { Construct } from 'constructs';&#13;\nimport * as sns from 'aws-cdk-lib\/aws-sns';&#13;\nimport * as subscriptions from 'aws-cdk-lib\/aws-sns-subscriptions';&#13;\nimport * as s3 from 'aws-cdk-lib\/aws-s3';&#13;\nimport * as iam from 'aws-cdk-lib\/aws-iam';&#13;\nimport * as config from 'aws-cdk-lib\/aws-config';&#13;\nimport * as securityhub from 'aws-cdk-lib\/aws-securityhub';&#13;\nimport * as events from 'aws-cdk-lib\/aws-events'; &#13;\nimport * as targets from 'aws-cdk-lib\/aws-events-targets';&#13;\n&#13;\nexport interface SecurityConstructProps {&#13;\n  \/\/ \u5fc5\u8981\u306b\u5fdc\u3058\u3066\u8ffd\u52a0\u306e\u30d7\u30ed\u30d1\u30c6\u30a3\u3092\u5b9a\u7fa9&#13;\n}&#13;\n&#13;\nexport class SecurityConstruct extends Construct {     &#13;\n  constructor(scope: Construct, id: string, props?: SecurityConstructProps) {&#13;\n    super(scope, id);&#13;\n&#13;\n    \/\/===========================================&#13;\n    \/\/ SNS&#13;\n    \/\/===========================================&#13;\n    const emailAddresses = [                                                             \/\/ SNS\u901a\u77e5\u5148\u30e1\u30fc\u30ea\u30f3\u30b0\u30ea\u30b9\u30c8(\u901a\u77e5\u5148\u304c\u8907\u6570\u3042\u308b\u5834\u5408\u306f\u30a2\u30c9\u30ec\u30b9\u3092\u8ffd\u52a0)&#13;\n      'xxxxxx@example.com',&#13;\n      'xxxxxx@example.com',&#13;\n    ];&#13;\n&#13;\n    \/\/ SecurityHub\u7528\u30c8\u30d4\u30c3\u30af&#13;\n    const securityHubTopic = new sns.Topic(this, 'SecurityHubTopic', {                   &#13;\n      topicName: 'securityhub-alertnotification',                                        \/\/ \u30c8\u30d4\u30c3\u30af\u540d&#13;\n      displayName: 'SecurityHub Alert Notifications'                                     \/\/ \u8868\u793a\u540d&#13;\n    });&#13;\n&#13;\n    \/\/ SecurityHub\u7528\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3&#13;\n    emailAddresses.forEach(email =&gt; {                                                    &#13;\n        securityHubTopic.addSubscription(&#13;\n        new subscriptions.EmailSubscription(email)                                       \/\/ \u30d7\u30ed\u30c8\u30b3\u30eb\uff1aEMAIL&#13;\n      );&#13;\n    });&#13;\n&#13;\n    \/\/===========================================&#13;\n    \/\/ S3&#13;\n    \/\/===========================================&#13;\n    \/\/ Config\u7528S3\u30d0\u30b1\u30c3\u30c8&#13;\n    const configBucket = new s3.Bucket(this, 'ConfigBucket', {&#13;\n      bucketName: 's3b-config',                                                          \/\/ \u30d0\u30b1\u30c3\u30c8\u540d&#13;\n      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,                                 \/\/ \u30d1\u30d6\u30ea\u30c3\u30af\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u30d6\u30ed\u30c3\u30af&#13;\n      encryption: s3.BucketEncryption.S3_MANAGED,                                        \/\/ \u6697\u53f7\u5316\u30bf\u30a4\u30d7\uff1aSSE-S3&#13;\n      enforceSSL: true,                                                                  \/\/ SSL\u901a\u4fe1\u3092\u5f37\u5236&#13;\n      autoDeleteObjects: true,                                                           \/\/ \u30b9\u30bf\u30c3\u30af\u524a\u9664\u6642\u306b\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u81ea\u52d5\u7684\u306b\u524a\u9664 \u203b\u30c7\u30d7\u30ed\u30a4\u6642\u306b\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8&#13;\n      removalPolicy: cdk.RemovalPolicy.DESTROY,                                          \/\/ \u30b9\u30bf\u30c3\u30af\u524a\u9664\u6642\u306b\u30d0\u30b1\u30c3\u30c8\u3082\u524a\u9664 \u203b\u30c7\u30d7\u30ed\u30a4\u6642\u306bRETAIN\u306b\u4fee\u6b63&#13;\n      lifecycleRules: [                                                                  \/\/ \u30e9\u30a4\u30d5\u30b5\u30a4\u30af\u30eb\u30eb\u30fc\u30eb\u4f5c\u6210&#13;\n        {&#13;\n          id: 'Expiration Rule 12 Months',                                               \/\/ \u30e9\u30a4\u30d5\u30b5\u30a4\u30af\u30eb\u30eb\u30fc\u30eb\u540d&#13;\n          expiration: cdk.Duration.days(366),                                            \/\/ \u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u73fe\u884c\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u6709\u52b9\u671f\u9650:366\u65e5\u5f8c\u306b\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u524a\u9664&#13;\n        }&#13;\n      ]&#13;\n    });&#13;\n&#13;\n    configBucket.addToResourcePolicy(new iam.PolicyStatement({                           \/\/ \u30d0\u30b1\u30c3\u30c8\u30dd\u30ea\u30b7\u30fc\u8ffd\u52a01&#13;\n      effect: iam.Effect.ALLOW,&#13;\n      actions: [&#13;\n        's3:GetBucketAcl',&#13;\n        's3:ListBucket'&#13;\n      ],&#13;\n      resources: [configBucket.bucketArn],&#13;\n      principals: [new iam.ServicePrincipal('config.amazonaws.com')],&#13;\n      conditions: {&#13;\n        StringEquals: {&#13;\n          'aws:SourceAccount': cdk.Stack.of(this).account               &#13;\n        }&#13;\n      }&#13;\n    }));&#13;\n&#13;\n    configBucket.addToResourcePolicy(new iam.PolicyStatement({                           \/\/ \u30d0\u30b1\u30c3\u30c8\u30dd\u30ea\u30b7\u30fc\u8ffd\u52a02&#13;\n      effect: iam.Effect.ALLOW,&#13;\n      actions: [&#13;\n        's3:PutObject'&#13;\n      ],&#13;\n      resources: [`${configBucket.bucketArn}\/AWSLogs\/${cdk.Stack.of(this).account}\/Config\/*`],&#13;\n      principals: [new iam.ServicePrincipal('config.amazonaws.com')],&#13;\n      conditions: {&#13;\n        StringEquals: {&#13;\n          's3:x-amz-acl': 'bucket-owner-full-control',                                            \/\/ \u30d0\u30b1\u30c3\u30c8\u6240\u6709\u8005\u306b\u30d5\u30eb\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3092\u4ed8\u4e0e&#13;\n          'aws:SourceAccount': cdk.Stack.of(this).account            &#13;\n        }&#13;\n      }&#13;\n    }));&#13;\n&#13;\n&#13;\n&#13;\n    \/\/===========================================&#13;\n    \/\/ Config&#13;\n    \/\/===========================================&#13;\n    \/\/ \u30b5\u30fc\u30d3\u30b9\u30ed\u30fc\u30eb\u4f5c\u6210&#13;\n    const configServiceRole = new iam.CfnServiceLinkedRole(this, 'ConfigServiceLinkedRole', {                     \/\/ \u65e2\u5b58\u306eAWS Config\u30b5\u30fc\u30d3\u30b9\u306b\u30ea\u30f3\u30af\u3055\u308c\u305f\u30ed\u30fc\u30eb(Config\u5b9f\u884c\u306b\u5fc5\u8981\u306a\u6a29\u9650\u3092\u81ea\u52d5\u4ed8\u4e0e)\u203b\u3059\u3067\u306b\u4ed8\u4e0e\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u306f\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3057\u3066\u30c7\u30d7\u30ed\u30a4&#13;\n     awsServiceName: 'config.amazonaws.com',                                                                     \/\/ \u30b5\u30fc\u30d3\u30b9\u540d&#13;\n    });&#13;\n    &#13;\n&#13;\n    \/\/ \u30ec\u30b3\u30fc\u30c0\u30fc\u306e\u4f5c\u6210&#13;\n    const accountId = cdk.Stack.of(this).account;&#13;\n    const configRecorder = new config.CfnConfigurationRecorder(this, 'Recorder', {&#13;\n      roleArn: `arn:aws:iam::${accountId}:role\/aws-service-role\/config.amazonaws.com\/AWSServiceRoleForConfig`,    \/\/ Config\u306eIAM\u30ed\u30fc\u30eb(Config\u304c\u30ea\u30bd\u30fc\u30b9\u306e\u8a2d\u5b9a\u5909\u66f4\u3092\u8a18\u9332\u3059\u308b\u6a29\u9650)&#13;\n      recordingGroup: {                                                                                           \/\/ \u8a18\u9332\u5bfe\u8c61\u306e\u8a2d\u5b9a&#13;\n        allSupported: true,                                                                                       \/\/ \u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u308b\u5168\u30ea\u30bd\u30fc\u30b9\u30bf\u30a4\u30d7\u3092\u8a18\u9332&#13;\n        includeGlobalResourceTypes: true,                                                                         \/\/ \u30b0\u30ed\u30fc\u30d0\u30eb\u30ea\u30bd\u30fc\u30b9\u3082\u8a18\u9332\u5bfe\u8c61\u306b\u542b\u3081\u308b&#13;\n      }&#13;\n    });&#13;\n&#13;\n&#13;\n    \/\/ \u914d\u4fe1\u30c1\u30e3\u30cd\u30eb\u306e\u4f5c\u6210&#13;\n    const configDeliveryChannel = new config.CfnDeliveryChannel(this, 'DeliveryChannel', {                        \/\/ &#13;\n      s3BucketName: configBucket.bucketName,                                                                      \/\/ Config\u7528\u306e\u30d0\u30b1\u30c3\u30c8&#13;\n      configSnapshotDeliveryProperties: {                                                                         \/\/ &#13;\n        deliveryFrequency: 'TwentyFour_Hours'                                                                     \/\/ \u30b9\u30ca\u30c3\u30d7\u30b7\u30e7\u30c3\u30c8\u309224\u6642\u9593(1\u65e5)\u3054\u3068\u306bS3\u30d0\u30b1\u30c3\u30c8\u3078\u914d\u4fe1&#13;\n      }&#13;\n    });&#13;\n    &#13;\n&#13;\n    &#13;\n    \/\/===========================================&#13;\n    \/\/ SecurityHub&#13;\n    \/\/===========================================&#13;\n    \/\/ AWS\u57fa\u790e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9v1.0.0 \/ CISAWSFoundationsBenchmarkv1.2.0 \u6709\u52b9\u5316&#13;\n    const securityHub = new securityhub.CfnHub(this, 'SecurityHub', { &#13;\n      enableDefaultStandards: true,                                                      \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u57fa\u6e96\u3092\u6709\u52b9\u5316&#13;\n      controlFindingGenerator: 'SECURITY_CONTROL',                                       \/\/ \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u7ba1\u7406\u30d9\u30fc\u30b9\u306e\u691c\u51fa&#13;\n    });&#13;\n&#13;\n&#13;\n&#13;\n    \/\/===========================================&#13;\n    \/\/ EventBridge&#13;\n    \/\/===========================================&#13;\n&#13;\n    \/\/ SecurityHub\u7528\u30eb\u30fc\u30eb&#13;\n    const securityHubRule = new events.Rule(this, 'SecurityHubEventRule', {&#13;\n      ruleName: 'eventbridge-rule-securityhub',                                          \/\/ \u30eb\u30fc\u30eb\u540d&#13;\n      eventPattern: {                                                                    \/\/ \u30a4\u30d9\u30f3\u30c8\u30d1\u30bf\u30fc\u30f3\u3092\u6307\u5b9a&#13;\n        source: ['aws.securityhub'],&#13;\n        detailType: ['Security Hub Findings - Imported'],                                \/\/ SecurityHub\u306b\u3088\u3063\u3066\u691c\u51fa\u3055\u308c\u305f\u7d50\u679c\uff08Findings\uff09\u304c\u30a4\u30f3\u30dd\u30fc\u30c8\u3055\u308c\u305f\u969b\u306b\u767a\u884c\u3055\u308c\u308b\u30a4\u30d9\u30f3\u30c8&#13;\n        detail: {&#13;\n          findings: {&#13;\n            Compliance: {                                                                \/\/ \u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u30b9\u30c6\u30fc\u30bf\u30b9\u304cFAILED\u304b\u3069\u3046\u304b&#13;\n              Status: ['FAILED']                                                         \/\/ FAILED\uff1a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u3084\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u3092\u6e80\u305f\u3055\u306a\u3044\u691c\u51fa\u7d50\u679c&#13;\n            },&#13;\n            Severity: {&#13;\n              Label: ['HIGH', 'CRITICAL']                                                \/\/ \u91cd\u8981\u5ea6\u304cHIGH,CRITICAL\u304b\u3069\u3046\u304b&#13;\n            },&#13;\n            Workflow: {                                                                  \/\/ \u30ef\u30fc\u30af\u30d5\u30ed\u30fc\u30b9\u30c6\u30fc\u30bf\u30b9\u304cNEW\u304b\u3069\u3046\u304b&#13;\n              Status: ['NEW']                                                            \/\/ NEW\uff1a\u307e\u3060\u8abf\u67fb\u3084\u5bfe\u5fdc\u304c\u884c\u308f\u308c\u3066\u3044\u306a\u3044\u65b0\u3057\u3044\u691c\u51fa\u7d50\u679c&#13;\n            }&#13;\n          }&#13;\n        }&#13;\n      },&#13;\n    });&#13;\n&#13;\n    \/\/ \u5165\u529b\u30d1\u30b9\u30de\u30c3\u30d7\uff08InputPathsMap\uff09&#13;\n    const inputPathsMap: { [key: string]: string } = {&#13;\n      accountId: '$.detail.findings[0].AwsAccountId',&#13;\n      description: '$.detail.findings[0].Description',&#13;\n      resourceId: '$.detail.findings[0].Resources[0].Id',&#13;\n      securityControlId: '$.detail.findings[0].Compliance.SecurityControlId',&#13;\n      severity: '$.detail.findings[0].Severity.Label',&#13;\n      title: '$.detail.findings[0].Title',&#13;\n    };&#13;\n&#13;\n    const inputTemplate = \"\\\"\u30a2\u30ab\u30a6\u30f3\u30c8ID\uff1a \u306e SecurityHub \u3067\u30a4\u30d9\u30f3\u30c8\u691c\u77e5\u304c\u3042\u308a\u307e\u3057\u305f\u3002\\\"\\n\\\"\u691c\u77e5\u5185\u5bb9\u3092\u78ba\u8a8d\u3057\u3001\u5bfe\u5fdc\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002\\\"\\n\\n\\\"\u30bf\u30a4\u30c8\u30eb: []&#13;\n&#13;\n    const cfnRule = securityHubRule.node.defaultChild as events.CfnRule;&#13;\n    cfnRule.addPropertyOverride('Targets', [&#13;\n      {&#13;\n        Arn: securityHubTopic.topicArn,                                                  \/\/ SNS\u30c8\u30d4\u30c3\u30afARN&#13;\n        Id: 'SecurityHubTopicTarget',                                                    \/\/ \u30bf\u30fc\u30b2\u30c3\u30c8ID&#13;\n        InputTransformer: {                                                              \/\/ \u5165\u529b\u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30de\u30fc&#13;\n          InputPathsMap: inputPathsMap,&#13;\n          InputTemplate: inputTemplate,&#13;\n        },&#13;\n      },&#13;\n    ]);&#13;\n&#13;\n    \/\/ SNS Topic \u30dd\u30ea\u30b7\u30fc\uff08EventBridge \u304b\u3089\u306e Publish \u3092\u8a31\u53ef\uff09&#13;\n    securityHubTopic.addToResourcePolicy(new iam.PolicyStatement({&#13;\n      sid: 'AllowEventBridgePublish',                                                    \/\/ \u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8ID&#13;\n      effect: iam.Effect.ALLOW,                                                          \/\/ \u8a31\u53ef&#13;\n      principals: [new iam.ServicePrincipal('events.amazonaws.com')],                    \/\/ EventBridge\u30b5\u30fc\u30d3\u30b9\u30d7\u30ea\u30f3\u30b7\u30d1\u30eb&#13;\n      actions: ['sns:Publish'],                                                          \/\/ Publish\u6a29\u9650&#13;\n      resources: [securityHubTopic.topicArn],                                            \/\/ \u5bfe\u8c61\u30c8\u30d4\u30c3\u30af&#13;\n      conditions: {                                                                      \/\/ \u30eb\u30fc\u30ebARN\u306b\u9650\u5b9a&#13;\n        ArnEquals: { 'aws:SourceArn': securityHubRule.ruleArn }&#13;\n      }&#13;\n    }));&#13;\n  }&#13;\n}&#13;\n&#13;\n<\/code><\/pre>\n<h2><span id=\"toc14\">\u307e\u3068\u3081<\/span><\/h2>\n<p>\u4eca\u56de\u306f\u3001AWS Config\u3068SecurityHub\u3092\u6d3b\u7528\u3057\u305f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u8996\u3092AWS CDK\u3067\u5b9f\u88c5\u3057\u307e\u3057\u305f\u3002<\/p>\n<p class=\"mb-2 whitespace-pre-wrap\">IaC\u3068\u3057\u3066\u7ba1\u7406\u3059\u308b\u3053\u3068\u3067\u3001\u74b0\u5883\u9593\u3067\u306e\u4e00\u8cab\u3057\u305f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u306e\u5c55\u958b\u3084\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a\u306e\u5909\u66f4\u5c65\u6b74\u7ba1\u7406\u3082\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u7d99\u7d9a\u7684\u306a\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u76e3\u8996\u306b\u3088\u308a\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ac\u30d0\u30ca\u30f3\u30b9\u306e\u5411\u4e0a\u3068\u76e3\u67fb\u5bfe\u5fdc\u306e\u52b9\u7387\u5316\u3092\u5b9f\u73fe\u3067\u304d\u307e\u3059\u3002<\/p>\n<p class=\"mb-2 whitespace-pre-wrap\">\u7686\u3055\u3093\u306e\u304a\u5f79\u306b\u7acb\u3066\u308c\u3070\u5e78\u3044\u3067\u3059\u3002<\/p>\n<\/p><\/div>\n\n<br \/><a href=\"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/\">\u5143\u306e\u8a18\u4e8b\u3092\u78ba\u8a8d\u3059\u308b <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\u4eca\u56de\u306f\u3001AWS Config \u3068 AWS Security Hub \u3092\u6d3b\u7528\u3057\u305f\u7d71\u5408\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u8996\u3092 AWS CDK \u3067\u5b9f\u88c5\u3059\u308b\u65b9\u6cd5\u3092\u307e\u3068\u3081\u307e\u3057\u305f\u3002 \u306f\u3058\u3081\u306b \u4eca\u56de\u306f\u3092AWS CDK\u3067AWS Config\u3068Secur [&hellip;]","protected":false},"author":1,"featured_media":9289,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-9288","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-company-tec"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3\" \/>\n<meta property=\"og:description\" content=\"\u4eca\u56de\u306f\u3001AWS Config \u3068 AWS Security Hub \u3092\u6d3b\u7528\u3057\u305f\u7d71\u5408\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u8996\u3092 AWS CDK \u3067\u5b9f\u88c5\u3059\u308b\u65b9\u6cd5\u3092\u307e\u3068\u3081\u307e\u3057\u305f\u3002 \u306f\u3058\u3081\u306b \u4eca\u56de\u306f\u3092AWS CDK\u3067AWS Config\u3068Secur [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/\" \/>\n<meta property=\"og:site_name\" content=\"\u30dd\u30b1\u30b3\u30f3\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-13T06:19:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"info@pokecon.jp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u57f7\u7b46\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"info@pokecon.jp\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"5\u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/9288\\\/\"},\"author\":{\"name\":\"info@pokecon.jp\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\"},\"headline\":\"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony\",\"datePublished\":\"2025-10-13T06:19:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/9288\\\/\"},\"wordCount\":117,\"image\":{\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/awscdksecurityhub.png\",\"articleSection\":[\"\u4f01\u696d\u30c6\u30c3\u30af\"],\"inLanguage\":\"ja\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/9288\\\/\",\"url\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/\",\"name\":\"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/awscdksecurityhub.png\",\"datePublished\":\"2025-10-13T06:19:47+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#breadcrumb\"},\"inLanguage\":\"ja\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/awscdksecurityhub.png\",\"contentUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/awscdksecurityhub.png\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.usize-tech.com\\\/aws-cdk-securityhub\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u30db\u30fc\u30e0\",\"item\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#website\",\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/\",\"name\":\"\u30dd\u30b1\u30b3\u30f3\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ja\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\",\"name\":\"info@pokecon.jp\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"caption\":\"info@pokecon.jp\"},\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/author\\\/infopokecon-jp\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/","og_locale":"ja_JP","og_type":"article","og_title":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3","og_description":"\u4eca\u56de\u306f\u3001AWS Config \u3068 AWS Security Hub \u3092\u6d3b\u7528\u3057\u305f\u7d71\u5408\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u8996\u3092 AWS CDK \u3067\u5b9f\u88c5\u3059\u308b\u65b9\u6cd5\u3092\u307e\u3068\u3081\u307e\u3057\u305f\u3002 \u306f\u3058\u3081\u306b \u4eca\u56de\u306f\u3092AWS CDK\u3067AWS Config\u3068Secur [&hellip;]","og_url":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/","og_site_name":"\u30dd\u30b1\u30b3\u30f3","article_published_time":"2025-10-13T06:19:47+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png","type":"image\/png"}],"author":"info@pokecon.jp","twitter_card":"summary_large_image","twitter_misc":{"\u57f7\u7b46\u8005":"info@pokecon.jp","\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593":"5\u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#article","isPartOf":{"@id":"https:\/\/pokecon.jp\/job\/9288\/"},"author":{"name":"info@pokecon.jp","@id":"https:\/\/pokecon.jp\/job\/#\/schema\/person\/16c9f07b1ba984d165d9aee259bda997"},"headline":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony","datePublished":"2025-10-13T06:19:47+00:00","mainEntityOfPage":{"@id":"https:\/\/pokecon.jp\/job\/9288\/"},"wordCount":117,"image":{"@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#primaryimage"},"thumbnailUrl":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png","articleSection":["\u4f01\u696d\u30c6\u30c3\u30af"],"inLanguage":"ja"},{"@type":"WebPage","@id":"https:\/\/pokecon.jp\/job\/9288\/","url":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/","name":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony - \u30dd\u30b1\u30b3\u30f3","isPartOf":{"@id":"https:\/\/pokecon.jp\/job\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#primaryimage"},"image":{"@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#primaryimage"},"thumbnailUrl":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png","datePublished":"2025-10-13T06:19:47+00:00","author":{"@id":"https:\/\/pokecon.jp\/job\/#\/schema\/person\/16c9f07b1ba984d165d9aee259bda997"},"breadcrumb":{"@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#primaryimage","url":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png","contentUrl":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/awscdksecurityhub.png","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/blog.usize-tech.com\/aws-cdk-securityhub\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u30db\u30fc\u30e0","item":"https:\/\/pokecon.jp\/job\/"},{"@type":"ListItem","position":2,"name":"AWS CDK \u3067 AWS Security Hub \u3092\u5b9f\u88c5\u3057\u3066\u307f\u305f \u2013 TechHarmony"}]},{"@type":"WebSite","@id":"https:\/\/pokecon.jp\/job\/#website","url":"https:\/\/pokecon.jp\/job\/","name":"\u30dd\u30b1\u30b3\u30f3","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/pokecon.jp\/job\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/pokecon.jp\/job\/#\/schema\/person\/16c9f07b1ba984d165d9aee259bda997","name":"info@pokecon.jp","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/secure.gravatar.com\/avatar\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g","caption":"info@pokecon.jp"},"url":"https:\/\/pokecon.jp\/job\/author\/infopokecon-jp\/"}]}},"_links":{"self":[{"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/posts\/9288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/comments?post=9288"}],"version-history":[{"count":1,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/posts\/9288\/revisions"}],"predecessor-version":[{"id":9290,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/posts\/9288\/revisions\/9290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/media\/9289"}],"wp:attachment":[{"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/media?parent=9288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/categories?post=9288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pokecon.jp\/job\/wp-json\/wp\/v2\/tags?post=9288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}