Amazon은 애플리케이션 및 AWS 서비스 기타의 실시간 데이터 스트림 (예: AWS Lambda 함수, Amazon 단순 알림 서비스 주제, Amazon Kinesis Data Streams 내 데이터 스트림) 을 대상으로 EventBridge 전달합니다. 다른 애플리케이션, 서비스 및 시스템과의 통합을 지원하기 위해 Amazon Inspector는 자동으로 결과를 이벤트로 게시합니다. EventBridge Amazon Inspector를 사용하여 결과, 적용 범위 및 스캔에 대한 이벤트를 게시할 수 있습니다. 이 섹션에서는 이벤트에 대한 예제 스키마를 제공합니다. EventBridge

아마존 인스펙터를 위한 아마존 EventBridge 기본 스키마

다음은 Amazon Inspector의 EventBridge 이벤트에 대한 기본 스키마의 예입니다. 이벤트 세부 정보는 이벤트 유형에 따라 다릅니다.

{ "version": "0", "id": "Event ID", "detail-type": "Inspector2 *event type*", "source": "aws.inspector2", "account": "AWS 계정 ID (string)", "time": "event timestamp (string)", "region": "AWS 리전 (string)", "resources": [ *IDs or ARNs of the resources involved in the event* ], "detail": { *Details of an Amazon Inspector event type* } }

Amazon Inspector 결과 이벤트 스키마 예제

다음은 Amazon Inspector 조사 결과에 대한 EventBridge 이벤트 스키마의 예입니다. 결과 이벤트는 Amazon Inspector가 리소스 중 하나에서 소프트웨어 취약성 또는 네트워크 문제를 식별할 경우에 생성됩니다. 이 유형의 이벤트에 대한 대응으로 알림을 생성하는 방법에 대한 지침은 Amazon을 사용하여 Amazon Inspector의 조사 결과에 대한 사용자 지정 응답 생성 EventBridge을 참조하세요.

다음은 결과 이벤트를 식별하는 필드입니다.

  • detail-type 필드가 Inspector2 Finding으로 설정되어 있습니다.

  • detail 객체가 결과를 설명합니다.

아래 옵션 중 하나를 선택하면 다양한 리소스에 대한 결과 이벤트 스키마와 결과 유형을 확인할 수 있습니다.

Amazon EC2 package vulnerability finding
{ "version": "0", "id": "66a7a279-5f92-971c-6d3e-c92da0950992", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-19T22:46:15Z", "region": "us-east-1", "resources": ["i-0c2a343f1948d5205"], "detail": { "awsAccountId": "111122223333", "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).", "exploitAvailable": "YES", "exploitabilityDetails": { "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM" }, "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 19, 2023, 10:46:15 PM", "fixAvailable": "YES", "lastObservedAt": "Jan 19, 2023, 10:46:15 PM", "packageVulnerabilityDetails": { "cvss": [{ "baseScore": 4.7, "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": "NVD", "version": "3.1" }], "referenceUrls": ["https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/", "https://ubuntu.com/security/notices/USN-5792-1", "https://ubuntu.com/security/notices/USN-5791-2", "https://ubuntu.com/security/notices/USN-5791-1", "https://ubuntu.com/security/notices/USN-5793-2", "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "https://ubuntu.com/security/notices/USN-5793-1", "https://ubuntu.com/security/notices/USN-5792-2", "https://ubuntu.com/security/notices/USN-5791-3", "https://ubuntu.com/security/notices/USN-5793-4", "https://ubuntu.com/security/notices/USN-5793-3", "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"], "relatedVulnerabilities": [], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html", "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2022-3303", "vulnerablePackages": [{ "arch": "X86_64", "epoch": 0, "fixedInVersion": "0:", "name": "linux-image-aws", "packageManager": "OS", "remediation": "apt update && apt install --only-upgrade linux-image-aws", "version": "" }] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-0b7ff1a8d69f1bb35", "ipV4Addresses": ["", ""], "ipV6Addresses": [], "launchedAt": "Jan 19, 2023, 7:53:14 PM", "platform": "UBUNTU_20_04", "subnetId": "subnet-8213f2a3", "type": "t2.micro", "vpcId": "vpc-ab6650d1" } }, "id": "i-0c2a343f1948d5205", "partition": "aws", "region": "us-east-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2022-3303 - linux-image-aws", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Jan 19, 2023, 10:46:15 PM" } }
Amazon EC2 network reachability finding
{ "version": "0", "id": "d0384f63-1621-1b75-d014-a5e45628ef3e", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T09:17:57Z", "region": "us-east-1", "resources": ["i-0a96278c2206a8e4b"], "detail": { "awsAccountId": "111122223333", "description": "On the instance i-0a96278c2206a8e4b, the port range 22-22 is reachable from the InternetGateway igw-72069c09 from an attached ENI eni-0976efe678170408f.", "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 20, 2023, 9:17:57 AM", "lastObservedAt": "Jan 20, 2023, 9:17:57 AM", "networkReachabilityDetails": { "networkPath": { "steps": [{ "componentId": "igw-72069c09", "componentType": "AWS::EC2::InternetGateway" }, { "componentId": "acl-91d74eec", "componentType": "AWS::EC2::NetworkAcl" }, { "componentId": "sg-0aaed0af450bd0165", "componentType": "AWS::EC2::SecurityGroup" }, { "componentId": "eni-0976efe678170408f", "componentType": "AWS::EC2::NetworkInterface" }, { "componentId": "i-0a96278c2206a8e4b", "componentType": "AWS::EC2::Instance" }] }, "openPortRange": { "begin": 22, "end": 22 }, "protocol": "TCP" }, "remediation": { "recommendation": { "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path." } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-0b5eea76982371e91", "ipV4Addresses": ["", ""], "ipV6Addresses": [], "keyName": "example-inspector-test", "launchedAt": "Jan 19, 2023, 7:25:02 PM", "platform": "AMAZON_LINUX_2", "subnetId": "subnet-8213f2a3", "type": "t2.micro", "vpcId": "vpc-ab6650d1" } }, "id": "i-0a96278c2206a8e4b", "partition": "aws", "region": "us-east-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "Port 22 is reachable from an Internet Gateway", "type": "NETWORK_REACHABILITY", "updatedAt": "Jan 20, 2023, 9:17:57 AM" } }
Amazon ECR package vulnerability finding
{ "version": "0", "id": "5b52952e-26df-3a51-6d14-4dbe737e58ec", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-19T21:59:00Z", "region": "us-east-1", "resources": [ "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13" ], "detail": { "awsAccountId": "111122223333", "description": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.", "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 19, 2023, 9:59:00 PM", "fixAvailable": "YES", "inspectorScore": 7.5, "inspectorScoreDetails": { "adjustedCvss": { "adjustments": [], "cvssSource": "NVD", "score": 7.5, "scoreSource": "NVD", "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "lastObservedAt": "Jan 19, 2023, 9:59:00 PM", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 5, "scoringVector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "source": "NVD", "version": "2.0" }, { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://hackerone.com/reports/1555796", "https://security.gentoo.org/glsa/202212-01", "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", "https://www.debian.org/security/2022/dsa-5197" ], "relatedVulnerabilities": [], "source": "NVD", "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782", "vendorCreatedAt": "Jun 2, 2022, 2:15:00 PM", "vendorSeverity": "HIGH", "vendorUpdatedAt": "Jan 5, 2023, 5:51:00 PM", "vulnerabilityId": "CVE-2022-27782", "vulnerablePackages": [ { "arch": "X86_64", "epoch": 0, "fixedInVersion": "0:7.61.1-22.el8_6.3", "name": "libcurl", "packageManager": "OS", "release": "22.el8", "remediation": "yum update libcurl", "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b", "version": "7.61.1" }, { "arch": "X86_64", "epoch": 0, "fixedInVersion": "0:7.61.1-22.el8_6.3", "name": "curl", "packageManager": "OS", "release": "22.el8", "remediation": "yum update curl", "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b", "version": "7.61.1" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsEcrContainerImage": { "architecture": "amd64", "imageHash": "sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13", "imageTags": [ "o3" ], "platform": "ORACLE_LINUX_8", "pushedAt": "Jan 19, 2023, 7:38:39 PM", "registry": "111122223333", "repositoryName": "inspector2" } }, "id": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13", "partition": "aws", "region": "us-east-1", "type": "AWS_ECR_CONTAINER_IMAGE" } ], "severity": "HIGH", "status": "ACTIVE", "title": "CVE-2022-27782 - libcurl, curl", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Jan 19, 2023, 9:59:00 PM" } }
Lambda package vulnerability finding
{ "version": "0", "id": "040bb590-3a12-353f-ecb1-05e54b0fbea7", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-19T19:20:25Z", "region": "us-east-1", "resources": [ "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST" ], "detail": { "awsAccountId": "111122223333", "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt": "Jan 19, 2023, 7:20:25 PM", "fixAvailable": "YES", "inspectorScore": 7.5, "inspectorScoreDetails": { "adjustedCvss": { "cvssSource": "NVD", "score": 7.5, "scoreSource": "NVD", "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "lastObservedAt": "Jan 19, 2023, 7:20:25 PM", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434" ], "relatedVulnerabilities": [], "source": "NVD", "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "vendorCreatedAt": "Sep 16, 2022, 10:15:00 AM", "vendorSeverity": "HIGH", "vendorUpdatedAt": "Nov 25, 2022, 11:15:00 AM", "vulnerabilityId": "CVE-2022-40152", "vulnerablePackages": [ { "epoch": 0, "filePath": "lib/woodstox-core-6.2.7.jar", "fixedInVersion": "6.4.0", "name": "com.fasterxml.woodstox:woodstox-core", "packageManager": "JAR", "remediation": "Update woodstox-core to 6.4.0", "version": "6.2.7" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsLambdaFunction": { "architectures": [ "X86_64" ], "codeSha256": "+EwrOrht2um4fdVCD73gj+O7HJIAUvUxi8AD0eKHSkc=", "executionRoleArn": "arn:aws:iam::111122223333:role/ExampleFunction-ExecutionRole", "functionName": "Example-function", "lastModifiedAt": "Nov 7, 2022, 8:29:27 PM", "packageType": "ZIP", "runtime": "JAVA_11", "version": "$LATEST" } }, "id": "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST", "partition": "aws", "region": "us-east-1", "tags": { "TargetAlias": "DeploymentStack", "SoftwareType": "Infrastructure" }, "type": "AWS_LAMBDA_FUNCTION" } ], "severity": "HIGH", "status": "ACTIVE", "title": "CVE-2022-40152 - com.fasterxml.woodstox:woodstox-core", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Jan 19, 2023, 7:20:25 PM" } }
Lambda code vulnerability finding
{ "version":"0", "id":"9df01cb1-df24-bc46-5650-085a4087e7aa", "detail-type":"Inspector2 Finding", "source":"aws.inspector2", "account":"111122223333", "time":"2023-12-07T22:14:45Z", "region":"us-east-1", "resources":[ "arn:aws:lambda:us-east-1:111122223333:function:code-finding:$LATEST" ], "detail":{ "awsAccountId":"111122223333", "codeVulnerabilityDetails":{ "detectorId":"python/lambda-override-reserved@v1.0", "detectorName":"Override of reserved variable names in a Lambda function", "detectorTags":[ "availability", "aws-python-sdk", "aws-lambda", "data-integrity", "maintainability", "security", "security-context", "python" ], "filePath":{ "endLine":6, "fileName":"lambda_function.py", "filePath":"lambda_function.py", "startLine":6 }, "ruleId":"Rule-434311" }, "description":"Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior or failure of the Lambda function.", "findingArn":"arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID", "firstObservedAt":"Aug 8, 2023, 7:33:58 PM", "lastObservedAt":"Dec 7, 2023, 10:14:45 PM", "remediation":{ "recommendation":{ "text":"Your code attempts to override an environment variable that is reserved by the Lambda runtime environment. This can lead to unexpected behavior and might break the execution of your Lambda function.\n\n[Learn more](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime)" } }, "resources":[ { "details":{ "awsLambdaFunction":{ "architectures":[ "X86_64" ], "codeSha256":"2mtfH+CgubesG6NYpb2zEqBja5WN6FfbH4AAYDuF8RE=", "executionRoleArn":"arn:aws:iam::193043430472:role/service-role/code-finding-role-7jgg3wan", "functionName":"code-finding", "lastModifiedAt":"Dec 7, 2023, 10:12:48 PM", "packageType":"ZIP", "runtime":"PYTHON_3_7", "version":"$LATEST" } }, "id":"arn:aws:lambda:us-east-1:193043430472:function:code-finding:$LATEST", "partition":"aws", "region":"us-east-1", "type":"AWS_LAMBDA_FUNCTION" } ], "severity":"HIGH", "status":"ACTIVE", "title":"Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.", "type":"CODE_VULNERABILITY", "updatedAt":"Dec 7, 2023, 10:14:45 PM" } }

세부 값은 단일 검색 결과에 대한 JSON 세부 정보를 객체로 반환합니다. 배열 내의 여러 결과를 지원하는 전체 결과 응답 구문은 반환하지 않습니다.

Amazon Inspector 최초 스캔 완료 이벤트 스키마 예제

다음은 초기 스캔을 완료하기 위한 Amazon Inspector 이벤트의 EventBridge 이벤트 스키마의 예입니다. 이 이벤트는 Amazon Inspector에서 리소스 중 하나에 대한 최초 스캔을 완료할 경우에 생성됩니다.

다음은 최초 스캔 완료 이벤트를 식별하는 필드입니다.

  • detail-type 필드가 Inspector2 Scan으로 설정되어 있습니다.

  • detail 객체에는 해당 심각도 범주(예: CRITICAL, HIGH, MEDIUM)에 있는 결과 수를 자세히 설명하는 finding-severity-counts 객체가 포함되어 있습니다.

아래 옵션 중 하나를 선택하면 여러 최초 스캔 이벤트 스키마를 리소스 유형별로 확인할 수 있습니다.

Amazon EC2 instance initial scan
{ "version": "0", "id": "28a46762-6ac8-6cc4-4f55-bc9ab99af928", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:52:35Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "instance-id": "i-087d63509b8c97098", "version": "1.0" } }
Amazon ECR image initial scan
{ "version": "0", "id": "fdaa751a-984c-a709-44f9-9a9da9cd3606", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T23:15:18Z", "region": "us-east-1", "resources": [ "arn:aws:ecr:us-east-1:111122223333:repository/inspector2" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "repository-name": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "image-digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea", "image-tags": [ "ubuntu22" ], "version": "1.0" } }
Lambda function initial scan
{ "version": "0", "id": "4f290a7c-361b-c442-03c8-a629f6f20d6c", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-02-23T18:06:03Z", "region": "us-west-2", "resources": [ "arn:aws:lambda:us-west-2:111122223333:function:lambda-example:$LATEST" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "version": "1.0" } }

Amazon Inspector 적용 범위 이벤트 스키마 예제

다음은 적용 범위를 위한 Amazon Inspector 이벤트에 대한 EventBridge 이벤트 스키마의 예입니다. 이 이벤트는 리소스에 대한 Amazon Inspector 스캔 적용 범위가 변경될 때 생성됩니다. 다음은 적용 범위 이벤트를 식별하는 필드입니다.

  • detail-type 필드가 Inspector2 Coverage으로 설정되어 있습니다.

  • detail 객체에는 리소스의 새 스캔 상태를 나타내는 scanStatus 객체가 포함되어 있습니다.

{ "version": "0", "id": "000adda5-0fbf-913e-bc0e-10f0376412aa", "detail-type": "Inspector2 Coverage", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:51:39Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scanStatus": { "reason": "UNMANAGED_EC2_INSTANCE", "statusCodeValue": "INACTIVE" }, "scanType": "PACKAGE", "eventTimestamp": "2023-01-20T22:51:35.665501Z", "version": "1.0" } }