Creating custom responses to Amazon Inspector findings with Amazon EventBridge
Amazon Inspector creates an event for Amazon EventBridge for newly
generated findings, newly aggregated findings, and changes in the state of findings.
Anything other than a change to the updatedAt
and lastObservedAt
fields will publish a new event. This means new events for a finding are generated when you
take actions such as restarting a resource or changing the tags associated with a resource.
However, the finding ID in the id
field remains the same. Events are emitted on
a best-effort basis.
Note
If your account is an Amazon Inspector delegated administrator, EventBridge publishes events to your account in addition to the member account from which they originated.
When you use EventBridge events with Amazon Inspector, you can automate tasks to help you respond to security issues revealed by Amazon Inspector findings.
Amazon Inspector emits events to the default event bus in the same Region. This means that you must configure event rules for each Region in which you are running Amazon Inspector to see events for that Region.
To receive notifications about Amazon Inspector findings based on EventBridge events, you must create an EventBridge rule and a target for Amazon Inspector. This rule allows EventBridge to send notifications for findings that Amazon Inspector generates to the target specified in the rule. For more information, see Amazon EventBridge rules in the Amazon EventBridge User Guide.
Event schema
The following is an example of the Amazon Inspector event format for an EC2 finding event. For example schema of other finding types and event types, see Amazon EventBridge event schema for Amazon Inspector events.
{ "version": "0", "id": "66a7a279-5f92-971c-6d3e-c92da0950992", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-19T22:46:15Z", "region": "us-east-1", "resources": ["i-0c2a343f1948d5205"], "detail": { "awsAccountId": "111122223333", "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).", "exploitAvailable": "YES", "exploitabilityDetails": { "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM" }, "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 19, 2023, 10:46:15 PM", "fixAvailable": "YES", "lastObservedAt": "Jan 19, 2023, 10:46:15 PM", "packageVulnerabilityDetails": { "cvss": [{ "baseScore": 4.7, "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": "NVD", "version": "3.1" }], "referenceUrls": ["https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/", "https://ubuntu.com/security/notices/USN-5792-1", "https://ubuntu.com/security/notices/USN-5791-2", "https://ubuntu.com/security/notices/USN-5791-1", "https://ubuntu.com/security/notices/USN-5793-2", "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "https://ubuntu.com/security/notices/USN-5793-1", "https://ubuntu.com/security/notices/USN-5792-2", "https://ubuntu.com/security/notices/USN-5791-3", "https://ubuntu.com/security/notices/USN-5793-4", "https://ubuntu.com/security/notices/USN-5793-3", "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"], "relatedVulnerabilities": [], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html", "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2022-3303", "vulnerablePackages": [{ "arch": "X86_64", "epoch": 0, "fixedInVersion": "0:5.15.0.1027.31~20.04.16", "name": "linux-image-aws", "packageManager": "OS", "remediation": "apt update && apt install --only-upgrade linux-image-aws", "version": "5.15.0.1026.30~20.04.16" }] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-0b7ff1a8d69f1bb35", "ipV4Addresses": ["172.31.85.212", "44.203.45.27"], "ipV6Addresses": [], "launchedAt": "Jan 19, 2023, 7:53:14 PM", "platform": "UBUNTU_20_04", "subnetId": "subnet-8213f2a3", "type": "t2.micro", "vpcId": "vpc-ab6650d1" } }, "id": "i-0c2a343f1948d5205", "partition": "aws", "region": "us-east-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2022-3303 - linux-image-aws", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Jan 19, 2023, 10:46:15 PM" } }
Creating an EventBridge rule to notify you of Amazon Inspector findings
To increase the visibility of Amazon Inspector findings, you can use EventBridge to set up automated
finding alerts that are sent to a messaging hub. This topic shows you how to send alerts
for CRITICAL
and HIGH
severity findings to email, Slack, or
Amazon Chime. You'll learn how to set up an Amazon Simple Notification Service topic and then connect that topic to an
EventBridge event rule.
Step 1. Set up an Amazon SNS topic and endpoint
To set up automatic alerts, you must first set up a topic in Amazon Simple Notification Service and add an endpoint. For more information, refer to the SNS guide.
This procedure establishes where you want to send Amazon Inspector findings data. The SNS topic can be added to an EventBridge event rule during or after the creation of the event rule.
Step 2. Create an EventBridge rule for Amazon Inspector findings
Open the Amazon EventBridge console at https://console.aws.amazon.com/events/
. -
Select Rules from the navigation pane, and then select Create rule.
-
Enter a name and optional description for your rule.
-
Select Rule with an event pattern and then Next.
-
In the Event Pattern pane, choose Custom patterns (JSON editor).
-
Paste the following JSON into the editor.
{ "source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"], "detail": { "severity": ["HIGH", "CRITICAL"], "status": ["ACTIVE"] } }
Note
This pattern sends notifications for any active
CRITICAL
orHIGH
severity finding detected by Amazon Inspector.Select Next when you are finished entering the event pattern.
-
On the Select targets page, choose AWS service. Then, for Select target type, choose SNS topic.
-
For Topic, select the name of the SNS topic you created in step 1. Then choose Next.
-
Add optional tags if needed and choose Next.
-
Review your rule and then choose Create rule.
EventBridge for Amazon Inspector multi-account environments
If you're an Amazon Inspector delegated administrator, EventBridge rules appear on your account based on applicable findings from your member accounts. If you set up findings notifications through EventBridge in your administrator account, as detailed in the preceding section, you'll receive notifications about multiple accounts. In other words, you'll be notified of findings and events generated by your member accounts in addition to those generated by your own account.
You can use the accountId
from the finding's JSON details to identify the
member account from which the Amazon Inspector finding originated.