Creating custom responses to Amazon Inspector findings with Amazon EventBridge
Amazon Inspector creates an event in Amazon EventBridge for newly generated findings and aggregated findings.
Amazon Inspector also creates an event for any changes to the state of a finding.
This means Amazon Inspector creates a new event for a finding when you take actions like restarting a resource or changing tags associated with a resource.
When Amazon Inspector creates a new event for an updated finding, the finding id
stays the same.
Note
If your account is an Amazon Inspector delegated administrator account, EventBridge publishes events to your account and the member account where the events originated.
When using EventBridge events with Amazon Inspector, you can automate tasks to help you respond to security issues your findings reveal. To receive notifications about Amazon Inspector findings based on EventBridge events, you must create an EventBridge rule and specify a target for Amazon Inspector. The EventBridge rule allows EventBridge to send notifications for Amazon Inspector findings, and the target specifies where to send the notifications.
Amazon Inspector emits events to the default event bus in the AWS Region where you are currently using Amazon Inspector. This means you must configure event rules for each AWS Region where you activated Amazon Inspector and configured Amazon Inspector to receive EventBridge events. Amazon Inspector emits events on a best-effort basis.
This section provides you with an example of an event schema and describes how to create an EventBridge rule.
Event schema
The following is an example of the Amazon Inspector event format for an EC2 finding event. For example schema of other finding types and event types, see Amazon EventBridge event schema for Amazon Inspector events.
{ "version": "0", "id": "66a7a279-5f92-971c-6d3e-c92da0950992", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-19T22:46:15Z", "region": "us-east-1", "resources": ["i-0c2a343f1948d5205"], "detail": { "awsAccountId": "111122223333", "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).", "exploitAvailable": "YES", "exploitabilityDetails": { "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM" }, "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 19, 2023, 10:46:15 PM", "fixAvailable": "YES", "lastObservedAt": "Jan 19, 2023, 10:46:15 PM", "packageVulnerabilityDetails": { "cvss": [{ "baseScore": 4.7, "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": "NVD", "version": "3.1" }], "referenceUrls": ["https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/", "https://ubuntu.com/security/notices/USN-5792-1", "https://ubuntu.com/security/notices/USN-5791-2", "https://ubuntu.com/security/notices/USN-5791-1", "https://ubuntu.com/security/notices/USN-5793-2", "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "https://ubuntu.com/security/notices/USN-5793-1", "https://ubuntu.com/security/notices/USN-5792-2", "https://ubuntu.com/security/notices/USN-5791-3", "https://ubuntu.com/security/notices/USN-5793-4", "https://ubuntu.com/security/notices/USN-5793-3", "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"], "relatedVulnerabilities": [], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html", "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2022-3303", "vulnerablePackages": [{ "arch": "X86_64", "epoch": 0, "fixedInVersion": "0:5.15.0.1027.31~20.04.16", "name": "linux-image-aws", "packageManager": "OS", "remediation": "apt update && apt install --only-upgrade linux-image-aws", "version": "5.15.0.1026.30~20.04.16" }] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-0b7ff1a8d69f1bb35", "ipV4Addresses": ["172.31.85.212", "44.203.45.27"], "ipV6Addresses": [], "launchedAt": "Jan 19, 2023, 7:53:14 PM", "platform": "UBUNTU_20_04", "subnetId": "subnet-8213f2a3", "type": "t2.micro", "vpcId": "vpc-ab6650d1" } }, "id": "i-0c2a343f1948d5205", "partition": "aws", "region": "us-east-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2022-3303 - linux-image-aws", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Jan 19, 2023, 10:46:15 PM" } }
Creating an EventBridge rule to notify you of Amazon Inspector findings
To increase the visibility of Amazon Inspector findings, you can use EventBridge to set up automated
finding alerts that are sent to a messaging hub. This topic shows you how to send alerts
for CRITICAL
and HIGH
severity findings to email, Slack, or
Amazon Chime. You'll learn how to set up an Amazon Simple Notification Service topic and then connect that topic to an
EventBridge event rule.
Step 1. Set up an Amazon SNS topic and endpoint
To set up automatic alerts, you must first set up a topic in Amazon Simple Notification Service and add an endpoint. For more information, refer to the SNS guide.
This procedure establishes where you want to send Amazon Inspector findings data. The SNS topic can be added to an EventBridge event rule during or after the creation of the event rule.
Step 2. Create an EventBridge rule for Amazon Inspector findings
-
Sign in using your credentials.
Open the Amazon EventBridge console at https://console.aws.amazon.com/events/
. -
Select Rules from the navigation pane, and then select Create rule.
-
Enter a name and optional description for your rule.
-
Select Rule with an event pattern and then Next.
-
In the Event Pattern pane, choose Custom patterns (JSON editor).
-
Paste the following JSON into the editor.
{ "source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"], "detail": { "severity": ["HIGH", "CRITICAL"], "status": ["ACTIVE"] } }
Note
This pattern sends notifications for any active
CRITICAL
orHIGH
severity finding detected by Amazon Inspector.Select Next when you are finished entering the event pattern.
-
On the Select targets page, choose AWS service. Then, for Select target type, choose SNS topic.
-
For Topic, select the name of the SNS topic you created in step 1. Then choose Next.
-
Add optional tags if needed and choose Next.
-
Review your rule and then choose Create rule.
EventBridge for Amazon Inspector multi-account environments
If you're an Amazon Inspector delegated administrator, EventBridge rules appear on your account based on applicable findings from your member accounts. If you set up findings notifications through EventBridge in your administrator account, as detailed in the preceding section, you'll receive notifications about multiple accounts. In other words, you'll be notified of findings and events generated by your member accounts in addition to those generated by your own account.
You can use the accountId
from the finding's JSON details to identify the
member account from which the Amazon Inspector finding originated.