Security Hub examples using AWS CLI - AWS SDK Code Examples

There are more AWS SDK examples available in the AWS Doc SDK Examples GitHub repository.

This page was machine-translated from the English original. Where the translation and the English original differ, the English original takes precedence.

Security Hub examples using AWS CLI

The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Security Hub.

Actions are code excerpts from larger programs and must be run in context. Actions show you how to call individual service functions, and you can see them in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use accept-administrator-invitation.

AWS CLI

To accept an invitation from an administrator account

The following accept-administrator-invitation example accepts the specified invitation from the specified administrator account.

aws securityhub accept-administrator-invitation \
    --administrator-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use accept-invitation.

AWS CLI

To accept an invitation from an administrator account

The following accept-invitation example accepts the specified invitation from the specified administrator account. accept-invitation and its --master-id parameter are the deprecated predecessors of accept-administrator-invitation and --administrator-id; use the newer command in new scripts.

aws securityhub accept-invitation \
    --master-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see AcceptInvitation in the AWS CLI Command Reference.

The following code example shows how to use batch-delete-automation-rules.

AWS CLI

To delete automation rules

The following batch-delete-automation-rules example deletes the specified automation rule. You can delete one or more rules with a single command. Only the Security Hub administrator account can run this command.

aws securityhub batch-delete-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Deleting automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-disable-standards.

AWS CLI

To disable a standard

The following batch-disable-standards example disables the standard associated with the specified standards subscription ARN. The subscription ARN is the one returned when the standard was enabled (see batch-enable-standards) or listed by get-enabled-standards.

aws securityhub batch-disable-standards \
    --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "DELETING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

The following code example shows how to use batch-enable-standards.

AWS CLI

To enable a standard

The following batch-enable-standards example enables the PCI DSS standard for the requesting account. The parameter is a list, so several standards can be enabled in one call; use describe-standards to list the StandardsArn values available in the Region. The StandardsSubscriptionArn in the output is the identifier that batch-disable-standards and describe-standards-controls expect.

aws securityhub batch-enable-standards \
    --standards-subscription-requests '[{"StandardsArn":"arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}]'

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "PENDING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-automation-rules.

AWS CLI

To get details for automation rules

The following batch-get-automation-rules example gets details for the specified automation rule. You can get details for one or more automation rules with a single command.

aws securityhub batch-get-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

{
    "Rules": [
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "Suppress informational findings",
            "Description": "Suppress GuardDuty findings with Informational severity",
            "IsTerminal": false,
            "Criteria": {
                "ProductName": [
                    {
                        "Value": "GuardDuty",
                        "Comparison": "EQUALS"
                    }
                ],
                "SeverityLabel": [
                    {
                        "Value": "INFORMATIONAL",
                        "Comparison": "EQUALS"
                    }
                ],
                "WorkflowStatus": [
                    {
                        "Value": "NEW",
                        "Comparison": "EQUALS"
                    }
                ],
                "RecordState": [
                    {
                        "Value": "ACTIVE",
                        "Comparison": "EQUALS"
                    }
                ]
            },
            "Actions": [
                {
                    "Type": "FINDING_FIELDS_UPDATE",
                    "FindingFieldsUpdate": {
                        "Note": {
                            "Text": "Automatically suppress GuardDuty findings with Informational severity",
                            "UpdatedBy": "sechub-automation"
                        },
                        "Workflow": {
                            "Status": "SUPPRESSED"
                        }
                    }
                }
            ],
            "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
            "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        }
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-configuration-policy-associations.

AWS CLI

To get configuration association details for a batch of targets

The following batch-get-configuration-policy-associations example retrieves association details for the specified targets. You can provide account IDs, organizational unit IDs, or the root ID as targets. Each target is wrapped in a Target object inside the list (the singular get-configuration-policy-association takes a bare --target instead).

aws securityhub batch-get-configuration-policy-associations \
    --configuration-policy-association-identifiers '[{"Target": {"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}}]'

Output:

{
    "ConfigurationPolicyAssociations": [
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "TargetId": "ou-6hi7-8j91kl2m",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
            "AssociationStatus": "SUCCESS",
            "AssociationStatusMessage": "Association applied successfully on this target."
        }
    ],
    "UnprocessedConfigurationPolicyAssociations": []
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-security-controls.

AWS CLI

To get security control details

The following batch-get-security-controls example gets details for the security controls ACM.1 and IAM.1 in the current AWS account and AWS Region.

aws securityhub batch-get-security-controls \
    --security-control-ids '["ACM.1", "IAM.1"]'

Output:

{
    "SecurityControls": [
        {
            "SecurityControlId": "ACM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1",
            "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
            "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
            "SeverityRating": "MEDIUM",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {
                "daysToExpiration": {
                    "ValueType": "CUSTOM",
                    "Value": {
                        "Integer": 15
                    }
                }
            },
            "LastUpdateReason": "Updated control parameter"
        },
        {
            "SecurityControlId": "IAM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1",
            "Title": "IAM policies should not allow full \"*\" administrative privileges",
            "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation",
            "SeverityRating": "HIGH",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {}
        }
    ]
}

For more information, see Viewing details for a control in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-standards-control-associations.

AWS CLI

To get the enablement status of a control

The following batch-get-standards-control-associations example identifies whether the specified controls are enabled in the specified standards.

aws securityhub batch-get-standards-control-associations \
    --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:standards/aws-foundational-security-best-practices/v/1.0.0"}]'

Output:

{
    "StandardsControlAssociationDetails": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "SecurityControlId": "Config.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/Config.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations 2.5"
            ],
            "UpdatedAt": "2022-10-27T16:07:12.960000+00:00",
            "StandardsControlTitle": "Ensure AWS Config is enabled",
            "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:068873283051:control/cis-aws-foundations-benchmark/v/1.2.0/2.5"
            ]
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "SecurityControlId": "IAM.6",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/IAM.6",
            "AssociationStatus": "DISABLED",
            "RelatedRequirements": [],
            "UpdatedAt": "2022-11-22T21:30:35.080000+00:00",
            "UpdatedReason": "test",
            "StandardsControlTitle": "Hardware MFA should be enabled for the root user",
            "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:068873283051:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6"
            ]
        }
    ]
}

For more information, see Enabling or disabling controls in specific standards in the AWS Security Hub User Guide.

The following code example shows how to use batch-import-findings.

AWS CLI

To update a finding

The following batch-import-findings example creates or updates a finding. BatchImportFindings is the interface for finding providers; it accepts findings only for a ProductArn the caller is permitted to use, so findings you generate yourself carry the account's default product ARN, as shown here. For changes to findings that other products created (notes, severity, workflow status), use batch-update-findings instead.

aws securityhub batch-import-findings \
    --findings '[{
        "AwsAccountId": "123456789012",
        "CreatedAt": "2020-05-27T17:05:54.832Z",
        "Description": "Vulnerability in a CloudTrail trail",
        "FindingProviderFields": {
            "Severity": {
                "Label": "LOW",
                "Original": "10"
            },
            "Types": [
                "Software and Configuration Checks/Vulnerabilities/CVE"
            ]
        },
        "GeneratorId": "TestGeneratorId",
        "Id": "Id1",
        "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default",
        "Resources": [
            {
                "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
                "Partition": "aws",
                "Region": "us-west-1",
                "Type": "AwsCloudTrailTrail"
            }
        ],
        "SchemaVersion": "2018-10-08",
        "Title": "CloudTrail trail vulnerability",
        "UpdatedAt": "2020-06-02T16:05:54.832Z"
    }]'

Output:

{
    "FailedCount": 0,
    "SuccessCount": 1,
    "FailedFindings": []
}

For more information, see Using BatchImportFindings to create and update findings in the AWS Security Hub User Guide.
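The single-finding call above hides what a real provider has to handle: every finding must carry the required ASFF attributes, and a request is rejected if it exceeds the BatchImportFindings quota of 100 findings or 240 KB. The following is an added example, not code from the AWS page; it validates findings offline and splits them into request-sized JSON files for `--findings file://batch-N.json`. The sample finding is constructed from the page's payload, and the treatment of Severity and Types under FindingProviderFields as satisfying the requirement is an assumption noted in the code.

```python
"""Validate ASFF findings and split them into BatchImportFindings-sized requests.

Added example, not code from the AWS documentation page. It writes JSON files
that can be passed to
    aws securityhub batch-import-findings --findings file://batch-0.json
The limits used (100 findings and 240 KB per request) are the documented
BatchImportFindings quotas at the time of writing; adjust them if they change.
"""
import json
import re
from typing import Dict, Iterator, List

MAX_FINDINGS_PER_BATCH = 100
MAX_BATCH_BYTES = 240 * 1024

# Top-level ASFF attributes that every imported finding must carry.
REQUIRED_FIELDS = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
    "ProductArn", "Resources", "SchemaVersion", "Title", "UpdatedAt",
)
ISO8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def validate_finding(finding: Dict) -> List[str]:
    """Return the problems found; an empty list means the finding looks importable."""
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in finding]
    if not re.fullmatch(r"\d{12}", str(finding.get("AwsAccountId", ""))):
        problems.append("AwsAccountId must be a 12-digit account ID")
    for ts in ("CreatedAt", "UpdatedAt"):
        if ts in finding and not ISO8601_UTC.match(str(finding[ts])):
            problems.append(f"{ts} must be an ISO 8601 UTC timestamp ending in Z")
    arn = str(finding.get("ProductArn", ""))
    # Findings you generate yourself use the account's default product ARN:
    # arn:aws:securityhub:<region>:<account>:product/<account>/default
    if not (arn.startswith("arn:aws:securityhub:") and ":product/" in arn):
        problems.append("ProductArn must be a Security Hub product ARN")
    if not finding.get("Resources"):
        problems.append("Resources must list at least one resource")
    # Assumption: Severity and Types may be supplied either at top level or under
    # FindingProviderFields, as the page's example does.
    fpf = finding.get("FindingProviderFields", {})
    if not (finding.get("Severity") or fpf.get("Severity")):
        problems.append("Severity is required (top level or FindingProviderFields)")
    if not (finding.get("Types") or fpf.get("Types")):
        problems.append("Types is required (top level or FindingProviderFields)")
    return problems


def _encoded_size(finding: Dict) -> int:
    # Compact JSON size plus one byte for the list separator.
    return len(json.dumps(finding, separators=(",", ":")).encode("utf-8")) + 1


def batch_findings(findings: List[Dict]) -> Iterator[List[Dict]]:
    """Yield batches that respect both the count limit and the byte limit."""
    batch: List[Dict] = []
    batch_bytes = 0
    for finding in findings:
        size = _encoded_size(finding)
        if size > MAX_BATCH_BYTES:
            raise ValueError(f"finding {finding.get('Id')} alone exceeds {MAX_BATCH_BYTES} bytes")
        if batch and (len(batch) == MAX_FINDINGS_PER_BATCH or batch_bytes + size > MAX_BATCH_BYTES):
            yield batch
            batch, batch_bytes = [], 0
        batch.append(finding)
        batch_bytes += size
    if batch:
        yield batch


def prepare_batches(findings: List[Dict]) -> List[List[Dict]]:
    """Reject the whole set if any finding is invalid, otherwise return the batches."""
    bad = {f.get("Id"): p for f in findings if (p := validate_finding(f))}
    if bad:
        raise ValueError(f"invalid findings: {bad}")
    return list(batch_findings(findings))


def make_sample_finding(n: int, account: str = "123456789012", region: str = "us-west-1") -> Dict:
    """Constructed sample modelled on the page's batch-import-findings payload."""
    return {
        "AwsAccountId": account,
        "CreatedAt": "2020-05-27T17:05:54.832Z",
        "UpdatedAt": "2020-06-02T16:05:54.832Z",
        "Description": "Vulnerability in a CloudTrail trail",
        "FindingProviderFields": {
            "Severity": {"Label": "LOW", "Original": "10"},
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        },
        "GeneratorId": "TestGeneratorId",
        "Id": f"Id{n}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "Resources": [{
            "Id": f"arn:aws:cloudtrail:{region}:{account}:trail/Trail{n}",
            "Partition": "aws", "Region": region, "Type": "AwsCloudTrailTrail",
        }],
        "SchemaVersion": "2018-10-08",
        "Title": "CloudTrail trail vulnerability",
    }


if __name__ == "__main__":
    for i, batch in enumerate(prepare_batches([make_sample_finding(n) for n in range(250)])):
        with open(f"batch-{i}.json", "w") as fh:
            json.dump(batch, fh)
        print(f"batch-{i}.json: {len(batch)} findings")
```

Validation runs before any request is sent, so one malformed finding stops the whole import rather than producing a half-applied batch with a non-empty FailedFindings list; the size check measures the same compact encoding that the CLI sends, so a batch that passes here fits the service limit.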

The following code example shows how to use batch-update-automation-rules.

AWS CLI

To update automation rules

The following batch-update-automation-rules example updates the specified automation rule. You can update one or more rules with a single command. Only the Security Hub administrator account can run this command. The JSON is passed inside single quotes, which may span lines in a POSIX shell; do not put backslashes inside the quoted string, as the shell would keep them and the JSON would fail to parse.

aws securityhub batch-update-automation-rules \
    --update-automation-rules-request-items '[
        {
            "Actions": [{
                "Type": "FINDING_FIELDS_UPDATE",
                "FindingFieldsUpdate": {
                    "Note": {
                        "Text": "Known issue that is a risk",
                        "UpdatedBy": "sechub-automation"
                    },
                    "Workflow": {
                        "Status": "NEW"
                    }
                }
            }],
            "Criteria": {
                "SeverityLabel": [{
                    "Value": "LOW",
                    "Comparison": "EQUALS"
                }]
            },
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleOrder": 1,
            "RuleStatus": "DISABLED"
        }
    ]'

Output:

{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Editing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-update-findings.

AWS CLI

Example 1: To update findings

The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them. BatchUpdateFindings is the interface intended for customers and SIEM, ticketing and automation tools; unlike batch-import-findings, it works on findings regardless of which product created them.

aws securityhub batch-update-findings \
    --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
    --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
    --severity '{"Label": "LOW"}' \
    --workflow '{"Status": "RESOLVED"}'

Output:

{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

Example 2: To update findings using shorthand syntax

The following batch-update-findings example updates the same two findings, adding a note, changing the severity label and resolving them, but uses the CLI's shorthand syntax instead of JSON.

aws securityhub batch-update-findings \
    --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \
    --note Text="Known issue that is not a risk.",UpdatedBy="user1" \
    --severity Label="LOW" \
    --workflow Status="RESOLVED"

Output:

{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

The following code example shows how to use batch-update-standards-control-associations.

AWS CLI

To update the enablement status of a control in enabled standards

The following batch-update-standards-control-associations example disables CloudTrail.1 in the specified standards. Each entry names the control, the standard, the new status and a reason; the reason is recorded and shown by batch-get-standards-control-associations as UpdatedReason.

aws securityhub batch-update-standards-control-associations \
    --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'

If successful, this command produces no output.

For more information, see Enabling or disabling controls in specific standards and Enabling and disabling controls in all standards in the AWS Security Hub User Guide.

The following code example shows how to use create-action-target.

AWS CLI

To create a custom action

The following create-action-target example creates a custom action. It provides the name, description, and identifier for the action. The identifier becomes the last segment of the returned ActionTargetArn, which is what an EventBridge (CloudWatch Events) rule matches on when the action is invoked from the console.

aws securityhub create-action-target \
    --name "Send to remediation" \
    --description "Action to send the finding for remediation tracking" \
    --id "Remediation"

Output:

{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use create-automation-rule.

AWS CLI

To create an automation rule

The following create-automation-rule example creates an automation rule in the current AWS account and AWS Region. Security Hub filters your findings based on the specified criteria and applies the actions to matching findings. Only the Security Hub administrator account can run this command. As with batch-update-automation-rules, the JSON arguments are single-quoted strings that may span lines; backslashes inside them would be passed through to the JSON parser and break the call.

aws securityhub create-automation-rule \
    --actions '[{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "HIGH"
            },
            "Note": {
                "Text": "Known issue that is a risk. Updated by automation rules",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]' \
    --criteria '{
        "SeverityLabel": [{
            "Value": "INFORMATIONAL",
            "Comparison": "EQUALS"
        }]
    }' \
    --description "A sample rule" \
    --no-is-terminal \
    --rule-name "sample rule" \
    --rule-order 1 \
    --rule-status "ENABLED"

Output:

{
    "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Creating automation rules in the AWS Security Hub User Guide.
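The rule examples on this page (batch-get-automation-rules, batch-update-automation-rules and create-automation-rule) show the JSON shape but not how Security Hub combines RuleOrder, IsTerminal and the comparison operators when several rules apply to one finding. The following is an added example, not AWS code: a local replay of the documented rule semantics that lets you unit-test a rule set against sample findings before you submit it. The criteria-to-finding field mapping in FIELD_PATHS, the choice that later rules see the finding as modified by earlier ones, and the handling of absent fields under negative filters are assumptions stated in the code; the first rule is the one returned by batch-get-automation-rules above, the other two rules and the findings are constructed.

```python
"""Replay Security Hub automation rules against sample findings, locally.

Added example, not AWS code. Semantics followed: enabled rules run in ascending
RuleOrder; a rule matches when every criteria field matches; positive filters
(EQUALS, PREFIX, CONTAINS) on one field are ORed; negative filters
(NOT_EQUALS, PREFIX_NOT_EQUALS, NOT_CONTAINS) must all hold; a matching
IsTerminal rule stops processing. Assumptions: later rules see the finding as
already modified, an absent field satisfies negative filters, and only the
string criteria fields in FIELD_PATHS are supported (extend the table).
"""
import copy
from typing import Any, Dict, List, Optional, Tuple

# Criteria field name -> path into the ASFF finding (mapping assumed for this example).
FIELD_PATHS = {
    "AwsAccountId": ("AwsAccountId",), "Id": ("Id",), "GeneratorId": ("GeneratorId",),
    "ProductName": ("ProductName",), "Title": ("Title",), "RecordState": ("RecordState",),
    "SeverityLabel": ("Severity", "Label"), "WorkflowStatus": ("Workflow", "Status"),
    "ComplianceStatus": ("Compliance", "Status"),
}
POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}
NEGATIVE = {"NOT_EQUALS": "EQUALS", "PREFIX_NOT_EQUALS": "PREFIX", "NOT_CONTAINS": "CONTAINS"}


def _lookup(finding: Dict, path: Tuple[str, ...]) -> Optional[str]:
    cur: Any = finding
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _compare(actual: str, op: str, value: str) -> bool:
    if op == "EQUALS":
        return actual == value
    if op == "PREFIX":
        return actual.startswith(value)
    if op == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported comparison {op}")


def field_matches(actual: Optional[str], filters: List[Dict]) -> bool:
    """OR across positive filters, AND across negative ones, AND between the two groups."""
    positives = [f for f in filters if f["Comparison"] in POSITIVE]
    negatives = [f for f in filters if f["Comparison"] in NEGATIVE]
    if positives and (actual is None or not any(_compare(actual, f["Comparison"], f["Value"]) for f in positives)):
        return False
    return actual is None or not any(_compare(actual, NEGATIVE[f["Comparison"]], f["Value"]) for f in negatives)


def rule_matches(rule: Dict, finding: Dict) -> bool:
    for field, filters in rule["Criteria"].items():
        if field not in FIELD_PATHS:
            raise ValueError(f"criteria field {field} is not supported by this simulator")
        if not field_matches(_lookup(finding, FIELD_PATHS[field]), filters):
            return False
    return True


def apply_actions(rule: Dict, finding: Dict) -> None:
    for action in rule["Actions"]:
        if action["Type"] != "FINDING_FIELDS_UPDATE":
            raise ValueError(f"unsupported action type {action['Type']}")
        for key, value in action["FindingFieldsUpdate"].items():
            if isinstance(value, dict):  # Severity, Workflow, Note, UserDefinedFields: merge
                finding.setdefault(key, {}).update(value)
            else:                        # Types, Confidence, Criticality, ...: replace
                finding[key] = value


def apply_rules(rules: List[Dict], finding: Dict) -> Tuple[Dict, List[str]]:
    """Return the updated finding (a copy) and the names of the rules that fired."""
    result, fired = copy.deepcopy(finding), []
    enabled = [r for r in rules if r.get("RuleStatus", "ENABLED") == "ENABLED"]
    for rule in sorted(enabled, key=lambda r: r["RuleOrder"]):
        if rule_matches(rule, result):
            apply_actions(rule, result)
            fired.append(rule["RuleName"])
            if rule.get("IsTerminal"):
                break
    return result, fired


def _update(**fields: Any) -> List[Dict]:
    return [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": fields}]


# Constructed rule set: the page's suppression rule plus two made-up rules.
SAMPLE_RULES = [
    {"RuleName": "Suppress informational findings", "RuleOrder": 1, "RuleStatus": "ENABLED", "IsTerminal": False,
     "Criteria": {"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
                  "SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}],
                  "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
                  "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]},
     "Actions": _update(Note={"Text": "Automatically suppress GuardDuty findings with Informational severity",
                              "UpdatedBy": "sechub-automation"}, Workflow={"Status": "SUPPRESSED"})},
    {"RuleName": "Escalate root credential use", "RuleOrder": 2, "RuleStatus": "ENABLED", "IsTerminal": True,
     "Criteria": {"Title": [{"Value": "Root credential", "Comparison": "PREFIX"}],
                  "AwsAccountId": [{"Value": "111111111111", "Comparison": "NOT_EQUALS"}]},
     "Actions": _update(Severity={"Label": "HIGH"}, Workflow={"Status": "NOTIFIED"})},
    {"RuleName": "Annotate high findings", "RuleOrder": 3, "RuleStatus": "ENABLED", "IsTerminal": False,
     "Criteria": {"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]},
     "Actions": _update(Note={"Text": "Review within 24h", "UpdatedBy": "sechub-automation"})},
]


def sample_finding(title: str, severity: str, account: str = "123456789012") -> Dict:
    """Constructed minimal finding holding only the fields the criteria above inspect."""
    return {"AwsAccountId": account, "ProductName": "GuardDuty", "Title": title,
            "Severity": {"Label": severity}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"}


if __name__ == "__main__":
    for f in (sample_finding("Unusual port activity", "INFORMATIONAL"),
              sample_finding("Root credential usage", "LOW")):
        updated, fired = apply_rules(SAMPLE_RULES, f)
        print(f["Title"], "->", fired, updated["Severity"], updated["Workflow"])
```

The second sample finding shows the effect of IsTerminal: rule 2 raises its severity to HIGH, which would satisfy rule 3, but rule 3 never runs because rule 2 is terminal. Reordering or clearing the flag changes the outcome, which is exactly the kind of interaction worth testing before batch-update-automation-rules changes RuleOrder in production.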

The following code example shows how to use create-configuration-policy.

AWS CLI

To create a configuration policy

The following create-configuration-policy example creates a configuration policy with the specified settings: Security Hub enabled, two standards enabled, control CloudTrail.2 disabled, and a custom value for the ACM.1 daysToExpiration parameter.

aws securityhub create-configuration-policy \
    --name "SampleConfigurationPolicy" \
    --description "SampleDescription" \
    --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \
    --tags '{"Environment": "Prod"}'

Output:

{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "SampleConfigurationPolicy",
    "Description": "SampleDescription",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use create-finding-aggregator.

AWS CLI

To enable finding aggregation

The following create-finding-aggregator example configures finding aggregation. It is run from US East (N. Virginia), which therefore becomes the aggregation Region. SPECIFIED_REGIONS means that only the listed Regions are linked and new Regions are not linked automatically; US West (N. California) and US West (Oregon) are selected as the linked Regions.

aws securityhub create-finding-aggregator \
    --region us-east-1 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1,us-west-2

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": [
        "us-west-1",
        "us-west-2"
    ]
}

For more information, see Enabling finding aggregation in the AWS Security Hub User Guide.

The following code example shows how to use create-insight.

AWS CLI

To create a custom insight

The following create-insight example creates a custom insight named Critical role findings that returns critical findings related to AWS IAM roles, grouped by resource ID.

aws securityhub create-insight \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
    --group-by-attribute "ResourceId" \
    --name "Critical role findings"

Output:

{
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see CreateInsight in the AWS CLI Command Reference.

The following code example shows how to use create-members.

AWS CLI

To add accounts as member accounts

The following create-members example adds two accounts as member accounts of the requesting administrator account.

aws securityhub create-members \
    --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see CreateMembers in the AWS CLI Command Reference.

The following code example shows how to use decline-invitations.

AWS CLI

To decline an invitation to be a member account

The following decline-invitations example declines an invitation to be a member account of the specified administrator account. The member account is the requesting account.

aws securityhub decline-invitations \
    --account-ids "123456789012"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use delete-action-target.

AWS CLI

To delete a custom action

The following delete-action-target example deletes the custom action identified by the specified ARN.

aws securityhub delete-action-target \
    --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use delete-configuration-policy.

AWS CLI

To delete a configuration policy

The following delete-configuration-policy example deletes the specified configuration policy.

aws securityhub delete-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

This command produces no output.

For more information, see Deleting and disassociating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use delete-finding-aggregator.

AWS CLI

To stop finding aggregation

The following delete-finding-aggregator example stops finding aggregation. It is run from US East (N. Virginia), which is the aggregation Region.

aws securityhub delete-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000

This command produces no output.

For more information, see Stopping finding aggregation in the AWS Security Hub User Guide.

The following code example shows how to use delete-insight.

AWS CLI

To delete a custom insight

The following delete-insight example deletes the custom insight with the specified ARN.

aws securityhub delete-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see DeleteInsight in the AWS CLI Command Reference.

The following code example shows how to use delete-invitations.

AWS CLI

To delete an invitation to be a member account

The following delete-invitations example deletes an invitation to be a member account of the specified administrator account. The member account is the requesting account.

aws securityhub delete-invitations \
    --account-ids "123456789012"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see DeleteInvitations in the AWS CLI Command Reference.

The following code example shows how to use delete-members.

AWS CLI

To delete member accounts

The following delete-members example deletes the specified member accounts from the requesting administrator account.

aws securityhub delete-members \
    --account-ids "123456789111" "123456789222"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see DeleteMembers in the AWS CLI Command Reference.

The following code example shows how to use describe-action-targets.

AWS CLI

To retrieve details about custom actions

The following describe-action-targets example retrieves information about the custom action identified by the specified ARN.

aws securityhub describe-action-targets \
    --action-target-arns "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

{
    "ActionTargets": [
        {
            "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation",
            "Description": "Action to send the finding for remediation tracking",
            "Name": "Send to remediation"
        }
    ]
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use describe-hub.

AWS CLI

To get information about a hub resource

The following describe-hub example returns the subscription date for the specified hub resource. The hub resource is identified by its ARN.

aws securityhub describe-hub \
    --hub-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

{
    "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default",
    "SubscribedAt": "2019-11-19T23:15:10.046Z"
}

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see DescribeHub in the AWS CLI Command Reference.

The following code example shows how to use describe-organization-configuration.

AWS CLI

To view how Security Hub is configured for an organization

The following describe-organization-configuration example returns information about the way an organization is configured in Security Hub. In this example, the organization uses central configuration, so ConfigurationType is CENTRAL and the local auto-enable settings (AutoEnable, AutoEnableStandards) do not apply. Only the Security Hub administrator account can run this command.

aws securityhub describe-organization-configuration

Output:

{
    "AutoEnable": false,
    "MemberAccountLimitReached": false,
    "AutoEnableStandards": "NONE",
    "OrganizationConfiguration": {
        "ConfigurationType": "CENTRAL",
        "Status": "ENABLED",
        "StatusMessage": "Central configuration has been enabled successfully"
    }
}

For more information, see the AWS Organizations accounts topic in the AWS Security Hub User Guide.

The following code example shows how to use describe-products.

AWS CLI

To return information about available product integrations

The following describe-products example returns the available product integrations one at a time. Pass the returned NextToken as --next-token to fetch the next product. The ProductSubscriptionResourcePolicy field is a JSON policy document embedded as a string; it shows which principals may call BatchImportFindings for this product and scopes them to your account with the securityhub:TargetAccount condition.

aws securityhub describe-products \
    --max-results 1

Output:

{
    "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==",
    "Products": [
        {
            "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",
            "ProductName": "CrowdStrike Falcon",
            "CompanyName": "CrowdStrike",
            "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.",
            "Categories": [
                "Endpoint Detection and Response (EDR)",
                "AV Scanning and Sandboxing",
                "Threat Intelligence Feeds and Reports",
                "Endpoint Forensics",
                "Network Forensics"
            ],
            "IntegrationTypes": [
                "SEND_FINDINGS_TO_SECURITY_HUB"
            ],
            "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation",
            "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}"
        }
    ]
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

  • For API details, see DescribeProducts in the AWS CLI Command Reference.
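The embedded ProductSubscriptionResourcePolicy is the part of this output worth checking before you run enable-import-findings-for-product: it is what allows a third party to write findings into your account. The following is an added example, not code from the AWS page, that parses the policy string and flags any BatchImportFindings grant that lacks the securityhub:TargetAccount condition, names a different account, is open to any principal, or carries extra actions. PRODUCT is a constructed copy of the page's CrowdStrike entry; in practice, pass each element of the Products list from describe-products (paginating on NextToken), and the weaken helper exists only to produce a negative test case.

```python
"""Audit the ProductSubscriptionResourcePolicy of a Security Hub product integration.

Added example, not from the AWS page. describe-products embeds each product's
resource policy as a JSON string; this parses it and checks that every
statement granting securityhub:BatchImportFindings is scoped to your account
through the securityhub:TargetAccount condition, is not open to any principal,
and grants nothing beyond BatchImportFindings.
"""
import json
from typing import Dict

IMPORT_ACTION = "securityhub:BatchImportFindings"


def _as_list(value) -> list:
    # IAM policy elements may be a single value or a list.
    return value if isinstance(value, list) else [value]


def audit_product_policy(product: Dict, my_account: str) -> Dict:
    """Return the principals allowed to import findings and any policy problems."""
    policy = json.loads(product["ProductSubscriptionResourcePolicy"])
    principals, problems = set(), []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or IMPORT_ACTION not in actions:
            continue
        if any(a != IMPORT_ACTION for a in actions):
            problems.append(f"statement {i} grants more than {IMPORT_ACTION}: {actions}")
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            problems.append(f"statement {i} allows any AWS principal")
        principals.update(aws_principals)
        target = stmt.get("Condition", {}).get("StringEquals", {}).get("securityhub:TargetAccount")
        if target is None:
            problems.append(f"statement {i} has no securityhub:TargetAccount condition")
        elif target != my_account:
            problems.append(f"statement {i} targets account {target}, not {my_account}")
    return {"ProductArn": product["ProductArn"], "principals": sorted(principals), "problems": problems}


def weaken(product: Dict, statement_index: int) -> Dict:
    """Constructed negative case: strip the TargetAccount condition from one statement."""
    policy = json.loads(product["ProductSubscriptionResourcePolicy"])
    policy["Statement"][statement_index].pop("Condition", None)
    return dict(product, ProductSubscriptionResourcePolicy=json.dumps(policy))


# Constructed copy of the page's describe-products entry (policy re-serialised as a string).
PRODUCT = {
    "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",
    "ProductSubscriptionResourcePolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "123456789333"}, "Action": [IMPORT_ACTION],
             "Resource": "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",
             "Condition": {"StringEquals": {"securityhub:TargetAccount": "123456789012"}}},
            {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": [IMPORT_ACTION],
             "Resource": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",
             "Condition": {"StringEquals": {"securityhub:TargetAccount": "123456789012"}}},
        ],
    }),
}

if __name__ == "__main__":
    print(json.dumps(audit_product_policy(PRODUCT, "123456789012"), indent=2))
    print(json.dumps(audit_product_policy(weaken(PRODUCT, 0), "123456789012"), indent=2))
```

Two principals are expected for a vendor integration: the vendor's account, which pushes findings into your product subscription, and your own account, which is allowed to import against the vendor's product ARN. Anything broader, or a statement without the TargetAccount condition, deserves a question to the vendor before the subscription is enabled.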

The following code example shows how to use describe-standards-controls.

AWS CLI

To request the list of controls in an enabled standard

The following describe-standards-controls example requests the list of controls in the requester account's subscription to the PCI DSS standard. The request returns two controls at a time; pass the NextToken value as --next-token to page through the rest.

aws securityhub describe-standards-controls \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" \
    --max-results 2

Output:

{
    "Controls": [
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00",
            "ControlId": "PCI.AutoScaling.1",
            "Title": "Auto scaling groups associated with a load balancer should use health checks",
            "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation",
            "SeverityRating": "LOW",
            "RelatedRequirements": [
                "PCI DSS 2.2"
            ]
        },
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00",
            "ControlId": "PCI.CW.1",
            "Title": "A log metric filter and alarm should exist for usage of the \"root\" user",
            "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation",
            "SeverityRating": "MEDIUM",
            "RelatedRequirements": [
                "PCI DSS 7.2.1"
            ]
        }
    ],
    "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW"
}

For more information, see Viewing details for a control in the AWS Security Hub User Guide.

The following code example shows how to use describe-standards.

AWS CLI

To return a list of available standards

The following describe-standards example returns the list of available standards. The StandardsArn values are what batch-enable-standards takes; note that the CIS v1.2.0 ARN has no Region or account component, while the others are Region-scoped.

aws securityhub describe-standards

Output:

{
    "Standards": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "Name": "AWS Foundational Security Best Practices v1.0.0",
            "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "Name": "CIS AWS Foundations Benchmark v1.2.0",
            "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "Name": "PCI DSS v3.2.1",
            "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.",
            "EnabledByDefault": false
        }
    ]
}

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

  • For API details, see DescribeStandards in the AWS CLI Command Reference.

The following code example shows how to use disable-import-findings-for-product.

AWS CLI

To stop receiving findings from a product integration

The following disable-import-findings-for-product example disables the flow of findings for the specified subscription to a product integration. The argument is the product-subscription ARN returned by enable-import-findings-for-product, not the product ARN.

aws securityhub disable-import-findings-for-product \
    --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"

This command produces no output.

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use disable-organization-admin-account.

AWS CLI

To remove the Security Hub administrator account

The following disable-organization-admin-account example revokes the specified account's assignment as the Security Hub administrator account for AWS Organizations. Like enable-organization-admin-account, it must be run from the organization's management account.

aws securityhub disable-organization-admin-account \
    --admin-account-id 777788889999

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use disable-security-hub.

AWS CLI

To disable AWS Security Hub

The following disable-security-hub example disables AWS Security Hub for the requesting account.

aws securityhub disable-security-hub

This command produces no output.

For more information, see Disabling AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-from-administrator-account.

AWS CLI

To disassociate from the administrator account

The following disassociate-from-administrator-account example disassociates the requesting account from its current administrator account.

aws securityhub disassociate-from-administrator-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-from-master-account.

AWS CLI

To disassociate from the administrator account

The following disassociate-from-master-account example disassociates the requesting account from its current administrator account. This command is the deprecated predecessor of disassociate-from-administrator-account; use the newer command in new scripts.

aws securityhub disassociate-from-master-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-members.

AWS CLI

To disassociate member accounts

The following disassociate-members example disassociates the specified member accounts from the requesting administrator account.

aws securityhub disassociate-members \
    --account-ids "123456789111" "123456789222"

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use enable-import-findings-for-product.

AWS CLI

To start receiving findings from a product integration

The following enable-import-findings-for-product example enables the flow of findings from the specified product integration. The input is the product ARN from describe-products; the output is the product-subscription ARN in your own account, which disable-import-findings-for-product later takes.

aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"

Output:

{
    "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use enable-organization-admin-account.

AWS CLI

To designate an organization account as the Security Hub administrator account

The following enable-organization-admin-account example designates the specified account as the Security Hub administrator account. It must be run from the organization's management account.

aws securityhub enable-organization-admin-account \
    --admin-account-id 777788889999

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use enable-security-hub.

AWS CLI

To enable AWS Security Hub

The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards (those that describe-standards reports with EnabledByDefault set to true). For the hub resource, it assigns the value Security to the tag Department.

aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'

This command produces no output.

For more information, see Enabling Security Hub in the AWS Security Hub User Guide.

  • For API details, see EnableSecurityHub in the AWS CLI Command Reference.

The following code example shows how to use get-administrator-account.

AWS CLI

To retrieve information about the administrator account

The following get-administrator-account example retrieves information about the administrator account of the requesting account.

aws securityhub get-administrator-account

Output:

{
    "Administrator": {
        "AccountId": "123456789012",
        "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
        "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
        "MemberStatus": "ASSOCIATED"
    }
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use get-configuration-policy-association.

AWS CLI

To get configuration association details for a target

The following get-configuration-policy-association example retrieves association details for the specified target. You can provide an account ID, organizational unit ID, or root ID as the target.

aws securityhub get-configuration-policy-association \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

{
    "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "TargetId": "ou-6hi7-8j91kl2m",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
    "AssociationStatus": "SUCCESS",
    "AssociationStatusMessage": "Association applied successfully on this target."
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use get-configuration-policy.

AWS CLI

To view configuration policy details

The following get-configuration-policy example retrieves details about the specified configuration policy.

aws securityhub get-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b",
    "Name": "SampleConfigurationPolicy",
    "Description": "SampleDescription",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use get-enabled-standards.

AWS CLI

To retrieve information about enabled standards

The following get-enabled-standards example retrieves information about the PCI DSS standard.

aws securityhub get-enabled-standards \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": { },
            "StandardsStatus": "READY",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use get-finding-aggregator.

AWS CLI

To retrieve the current finding aggregation configuration

The following get-finding-aggregator example retrieves the current finding aggregation configuration.

aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": "us-west-1,us-west-2"
}

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

The following code example shows how to use get-finding-history.

AWS CLI

To get the history of a finding

The following get-finding-history example gets up to the last 90 days of history for the specified finding. In this example, the results are limited to two records of finding history.

aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"

Output:

{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-06-02T03:15:25.685000+00:00",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "Compliance.RelatedRequirements",
                    "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]",
                    "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]"
                },
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-06-01T09:15:38.587Z",
                    "NewValue": "2023-06-02T03:15:22.946Z"
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-06-01T09:15:31.049Z",
                    "NewValue": "2023-06-02T03:15:14.861Z"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-06-01T09:15:41.058Z",
                    "NewValue": "2023-06-02T03:15:25.685Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-23T02:06:51.518000+00:00",
            "FindingCreated": true,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

For more information, see Finding history in the AWS Security Hub User Guide.

  • For API details, see GetFindingHistory in AWS CLI Command Reference.
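The history records above are useful for audit work only once the per-field updates are decoded: the Compliance.RelatedRequirements values arrive as JSON-encoded strings, and records come newest first. The following added example (not part of the AWS CLI documentation) turns a get-finding-history response into an oldest-first audit trail; the sample response is constructed to mirror the documented output.

```python
"""Summarize `aws securityhub get-finding-history` output as an audit trail."""
import json

# Constructed sample modelled on the documented get-finding-history output.
_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
}
_SOURCE = {"Type": "BATCH_IMPORT_FINDINGS", "Identity": _FINDING["ProductArn"]}
SAMPLE_RESPONSE = json.dumps({
    "Records": [
        {   # newest record first, as Security Hub returns them
            "FindingIdentifier": _FINDING,
            "UpdateTime": "2023-06-02T03:15:25.685000+00:00",
            "FindingCreated": False,
            "UpdateSource": _SOURCE,
            "Updates": [
                {"UpdatedField": "Compliance.RelatedRequirements",
                 # Delivered as a JSON-encoded list inside a string.
                 "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-13\"]",
                 "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 AU-9\"]"},
                {"UpdatedField": "LastObservedAt",
                 "OldValue": "2023-06-01T09:15:38.587Z", "NewValue": "2023-06-02T03:15:22.946Z"},
            ],
        },
        {
            "FindingIdentifier": _FINDING,
            "UpdateTime": "2023-05-23T02:06:51.518000+00:00",
            "FindingCreated": "true",   # tolerate the string form as well as a boolean
            "UpdateSource": _SOURCE,
            "Updates": [],
        },
    ]
})


def _decode_list(value):
    """Decode a JSON-encoded list string; return None if it is not one."""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return None
    return decoded if isinstance(decoded, list) else None


def diff_requirements(update):
    """Return (added, removed) requirement IDs for a RelatedRequirements update."""
    old = set(_decode_list(update.get("OldValue")) or [])
    new = set(_decode_list(update.get("NewValue")) or [])
    return sorted(new - old), sorted(old - new)


def _was_created(record):
    flag = record.get("FindingCreated", False)
    if isinstance(flag, str):          # defensive: "true"/"false" as text
        return flag.strip().lower() == "true"
    return bool(flag)


def summarize_history(response_json):
    """Return the records oldest first, each with its decoded field changes."""
    records = json.loads(response_json).get("Records", [])
    trail = []
    for rec in sorted(records, key=lambda r: r["UpdateTime"]):
        entry = {
            "time": rec["UpdateTime"],
            "event": "CREATED" if _was_created(rec) else "UPDATED",
            "source": rec.get("UpdateSource", {}).get("Type"),
            "changes": [],
        }
        for upd in rec.get("Updates", []):
            field = upd.get("UpdatedField")
            if field == "Compliance.RelatedRequirements":
                added, removed = diff_requirements(upd)
                entry["changes"].append({"field": field, "added": added, "removed": removed})
            else:
                entry["changes"].append({"field": field, "old": upd.get("OldValue"), "new": upd.get("NewValue")})
        trail.append(entry)
    return trail


if __name__ == "__main__":
    for entry in summarize_history(SAMPLE_RESPONSE):
        print(entry["time"], entry["event"], entry["source"])
        for change in entry["changes"]:
            print("   ", change)
```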

The following code example shows how to use get-findings.

AWS CLI

Example 1: To return findings generated for a specific standard

The following get-findings example returns findings for the PCI DSS standard.

aws securityhub get-findings \
    --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \
    --max-items 1

Output:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub",
            "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2",
            "AwsAccountId": "123456789012",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
            ],
            "FindingProviderFields": {
                "Severity": {
                    "Original": 0,
                    "Label": "INFORMATIONAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
                ]
            },
            "FirstObservedAt": "2020-06-02T14:02:49.159Z",
            "LastObservedAt": "2020-06-02T14:02:52.397Z",
            "CreatedAt": "2020-06-02T14:02:49.159Z",
            "UpdatedAt": "2020-06-02T14:02:52.397Z",
            "Severity": {
                "Original": 0,
                "Label": "INFORMATIONAL",
                "Normalized": 0
            },
            "Title": "PCI.Lambda.2 Lambda functions should be in a VPC",
            "Description": "This AWS control checks whether a Lambda function is in a VPC.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation"
                }
            },
            "ProductFields": {
                "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
                "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1",
                "ControlId": "PCI.Lambda.2",
                "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation",
                "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2",
                "aws/securityhub/SeverityLabel": "INFORMATIONAL",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Resources": [
                {
                    "Type": "AwsAccount",
                    "Id": "AWS::::Account:123456789012",
                    "Partition": "aws",
                    "Region": "us-west-1"
                }
            ],
            "Compliance": {
                "Status": "PASSED",
                "RelatedRequirements": [
                    "PCI DSS 1.2.1",
                    "PCI DSS 1.3.1",
                    "PCI DSS 1.3.2",
                    "PCI DSS 1.3.4"
                ]
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ARCHIVED"
        }
    ],
    "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ=="
}

Example 2: To return critical findings whose workflow status is NOTIFIED

The following get-findings example returns findings with a severity label value of CRITICAL and a workflow status of NOTIFIED. The results are sorted in descending order by the value of Confidence.

aws securityhub get-findings \
    --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \
    --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \
    --max-items 1

Output:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
            "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13",
            "AwsAccountId": "123456789012",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
            ],
            "FindingProviderFields": {
                "Severity": {
                    "Original": 90,
                    "Label": "CRITICAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
                ]
            },
            "FirstObservedAt": "2020-05-21T20:16:34.752Z",
            "LastObservedAt": "2020-06-09T08:16:37.171Z",
            "CreatedAt": "2020-05-21T20:16:34.752Z",
            "UpdatedAt": "2020-06-09T08:16:36.430Z",
            "Severity": {
                "Original": 90,
                "Label": "CRITICAL",
                "Normalized": 90
            },
            "Title": "1.13 Ensure MFA is enabled for the \"root\" account",
            "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation"
                }
            },
            "ProductFields": {
                "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
                "RuleId": "1.13",
                "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation",
                "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13",
                "aws/securityhub/SeverityLabel": "CRITICAL",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Resources": [
                {
                    "Type": "AwsAccount",
                    "Id": "AWS::::Account:123456789012",
                    "Partition": "aws",
                    "Region": "us-west-1"
                }
            ],
            "Compliance": {
                "Status": "FAILED"
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NOTIFIED"
            },
            "RecordState": "ACTIVE"
        }
    ]
}

For more information, see Filtering and grouping findings in the AWS Security Hub User Guide.

  • For API details, see GetFindings in AWS CLI Command Reference.

The following code example shows how to use get-insight-results.

AWS CLI

To retrieve the results for an insight

The following get-insight-results example returns the list of insight results for the insight with the specified ARN.

aws securityhub get-insight-results \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "InsightResults": {
        "GroupByAttribute": "ResourceId",
        "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ResultValues": [
            {
                "Count": 10,
                "GroupByAttributeValue": "AWS::::Account:123456789111"
            },
            {
                "Count": 3,
                "GroupByAttributeValue": "AWS::::Account:123456789222"
            }
        ]
    }
}

For more information, see Viewing and taking action on insight results and findings in the AWS Security Hub User Guide.

  • For API details, see GetInsightResults in AWS CLI Command Reference.

The following code example shows how to use get-insights.

AWS CLI

To retrieve details about an insight

The following get-insights example retrieves the configuration details for the insight with the specified ARN.

aws securityhub get-insights \
    --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "Insights": [
        {
            "Filters": {
                "ResourceType": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "AwsIamRole"
                    }
                ],
                "SeverityLabel": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "CRITICAL"
                    }
                ]
            },
            "GroupByAttribute": "ResourceId",
            "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "Critical role findings"
        }
    ]
}

For more information, see Insights in AWS Security Hub in the AWS Security Hub User Guide.

  • For API details, see GetInsights in AWS CLI Command Reference.

The following code example shows how to use get-invitations-count.

AWS CLI

To retrieve the number of invitations that were not accepted

The following get-invitations-count example retrieves the number of invitations that the requesting account rejected or did not respond to.

aws securityhub get-invitations-count

Output:

{
    "InvitationsCount": 3
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use get-master-account.

AWS CLI

To retrieve information about the administrator account

The following get-master-account example retrieves information about the administrator account for the requesting account.

aws securityhub get-master-account

Output:

{
    "Master": {
        "AccountId": "123456789012",
        "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
        "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
        "MemberStatus": "ASSOCIATED"
    }
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see GetMasterAccount in AWS CLI Command Reference.

The following code example shows how to use get-members.

AWS CLI

To retrieve information about selected member accounts

The following get-members example retrieves information about the specified member accounts.

aws securityhub get-members \
    --account-ids "444455556666" "777788889999"

Output:

{
    "Members": [
        {
            "AccountId": "123456789111",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        },
        {
            "AccountId": "123456789222",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        }
    ],
    "UnprocessedAccounts": [ ]
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see GetMembers in AWS CLI Command Reference.

The following code example shows how to use get-security-control-definition.

AWS CLI

To get definition details for a security control

The following get-security-control-definition example retrieves definition details for a Security Hub security control. Details include the control title, description, Region availability, parameters, and other information.

aws securityhub get-security-control-definition \
    --security-control-id ACM.1

Output:

{
    "SecurityControlDefinition": {
        "SecurityControlId": "ACM.1",
        "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
        "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
        "SeverityRating": "MEDIUM",
        "CurrentRegionAvailability": "AVAILABLE",
        "ParameterDefinitions": {
            "daysToExpiration": {
                "Description": "Number of days within which the ACM certificate must be renewed",
                "ConfigurationOptions": {
                    "Integer": {
                        "DefaultValue": 30,
                        "Min": 14,
                        "Max": 365
                    }
                }
            }
        }
    }
}

For more information, see Custom control parameters in the AWS Security Hub User Guide.

The following code example shows how to use invite-members.

AWS CLI

To send invitations to member accounts

The following invite-members example sends invitations to the specified member accounts.

aws securityhub invite-members \
    --account-ids "123456789111" "123456789222"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see InviteMembers in AWS CLI Command Reference.

The following code example shows how to use list-automation-rules.

AWS CLI

To view a list of automation rules

The following list-automation-rules example lists the automation rules for an AWS account. Only the Security Hub administrator account can run this command.

aws securityhub list-automation-rules \
    --max-results 3 \
    --next-token NULL

Output:

{
    "AutomationRulesMetadata": [
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "Suppress informational findings",
            "Description": "Suppress GuardDuty findings with Informational severity",
            "IsTerminal": false,
            "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
            "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        },
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "sample rule",
            "Description": "A sample rule",
            "IsTerminal": false,
            "CreatedAt": "2023-07-15T23:37:20.223000+00:00",
            "UpdatedAt": "2023-07-15T23:37:20.223000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        },
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "sample rule",
            "Description": "A sample rule",
            "IsTerminal": false,
            "CreatedAt": "2023-07-15T23:45:25.126000+00:00",
            "UpdatedAt": "2023-07-15T23:45:25.126000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        }
    ]
}

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use list-configuration-policies.

AWS CLI

To list configuration policy summaries

The following list-configuration-policies example lists a summary of the configuration policies for the organization.

aws securityhub list-configuration-policies \
    --max-items 3

Output:

{
    "ConfigurationPolicySummaries": [
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "SampleConfigurationPolicy1",
            "Description": "SampleDescription1",
            "UpdatedAt": "2023-09-26T21:08:36.214000+00:00",
            "ServiceEnabled": true
        },
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "Name": "SampleConfigurationPolicy2",
            "Description": "SampleDescription2",
            "UpdatedAt": "2023-11-28T19:26:25.207000+00:00",
            "ServiceEnabled": true
        },
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "Name": "SampleConfigurationPolicy3",
            "Description": "SampleDescription3",
            "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
            "ServiceEnabled": true
        }
    ]
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use list-configuration-policy-associations.

AWS CLI

To list configuration associations

The following list-configuration-policy-associations example lists a summary of the configuration associations for the organization. The response includes associations with configuration policies and with self-managed behavior.

aws securityhub list-configuration-policy-associations \
    --filters '{"AssociationType": "APPLIED"}' \
    --max-items 4

Output:

{
    "ConfigurationPolicyAssociationSummaries": [
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "TargetId": "r-1ab2",
            "TargetType": "ROOT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-11-28T19:26:49.417000+00:00",
            "AssociationStatus": "FAILED",
            "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed."
        },
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "TargetId": "ou-1ab2-c3de4f5g",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:14:05.283000+00:00",
            "AssociationStatus": "FAILED",
            "AssociationStatusMessage": "One or more children under this target failed association."
        },
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "TargetId": "ou-6hi7-8j91kl2m",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
            "AssociationStatus": "SUCCESS",
            "AssociationStatusMessage": "Association applied successfully on this target."
        },
        {
            "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
            "TargetId": "111122223333",
            "TargetType": "ACCOUNT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-11-28T22:01:26.409000+00:00",
            "AssociationStatus": "SUCCESS"
        }
    ]
}

For more information, see Viewing configuration policy status and details in the AWS Security Hub User Guide.

The following code example shows how to use list-enabled-products-for-import.

AWS CLI

To return the list of enabled product integrations

The following list-enabled-products-for-import example returns the list of subscription ARNs for the currently enabled product integrations.

aws securityhub list-enabled-products-for-import

Output:

{
    "ProductSubscriptions": [
        "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",
        "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub"
    ]
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use list-finding-aggregators.

AWS CLI

To list the finding aggregators

The following list-finding-aggregators example returns the ARN of the finding aggregation configuration.

aws securityhub list-finding-aggregators

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000"
}

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

The following code example shows how to use list-invitations.

AWS CLI

To display a list of invitations

The following list-invitations example retrieves the list of invitations sent to the requesting account.

aws securityhub list-invitations

Output:

{
    "Invitations": [
        {
            "AccountId": "123456789012",
            "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
            "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
            "MemberStatus": "ASSOCIATED"
        }
    ]
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see ListInvitations in AWS CLI Command Reference.

The following code example shows how to use list-members.

AWS CLI

To retrieve a list of member accounts

The following list-members example returns the list of member accounts for the requesting administrator account.

aws securityhub list-members

Output:

{
    "Members": [
        {
            "AccountId": "123456789111",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        },
        {
            "AccountId": "123456789222",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        }
    ]
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see ListMembers in AWS CLI Command Reference.

The following code example shows how to use list-organization-admin-accounts.

AWS CLI

To list the designated Security Hub administrator accounts

The following list-organization-admin-accounts example lists the Security Hub administrator accounts for an organization.

aws securityhub list-organization-admin-accounts

Output:

{
    "AdminAccounts": [
        {
            "AccountId": "777788889999",
            "Status": "ENABLED"
        }
    ]
}

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use list-security-control-definitions.

AWS CLI

Example 1: To list all available security controls

The following list-security-control-definitions example lists the available security controls across all Security Hub standards. The results in this example are limited to three controls.

aws securityhub list-security-control-definitions \
    --max-items 3

Output:

{
    "SecurityControlDefinitions": [
        {
            "SecurityControlId": "ACM.1",
            "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
            "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": [
                "Parameters"
            ]
        },
        {
            "SecurityControlId": "ACM.2",
            "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits",
            "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation",
            "SeverityRating": "HIGH",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "APIGateway.1",
            "Title": "API Gateway REST and WebSocket API execution logging should be enabled",
            "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": [
                "Parameters"
            ]
        }
    ],
    "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg=="
}

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

Example 2: To list the available security controls for a specific standard

The following list-security-control-definitions example lists the available security controls for the CIS AWS Foundations Benchmark v1.4.0. The results in this example are limited to three controls.

aws securityhub list-security-control-definitions \
    --standards-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
    --max-items 3

Output:

{
    "SecurityControlDefinitions": [
        {
            "SecurityControlId": "CloudTrail.1",
            "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation",
            "SeverityRating": "HIGH",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "CloudTrail.2",
            "Title": "CloudTrail should have encryption at-rest enabled",
            "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "CloudTrail.4",
            "Title": "CloudTrail log file validation should be enabled",
            "Description": "This AWS control checks whether CloudTrail log file validation is enabled.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        }
    ],
    "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ=="
}

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

The following code example shows how to use list-standards-control-associations.

AWS CLI

To get the enablement status of a control in each enabled standard

The following list-standards-control-associations example lists the enablement status of CloudTrail.1 in each enabled standard.

aws securityhub list-standards-control-associations \
    --security-control-id CloudTrail.1

Output:

{
    "StandardsControlAssociationSummaries": [
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "NIST.800-53.r5 AC-2(4)",
                "NIST.800-53.r5 AC-4(26)",
                "NIST.800-53.r5 AC-6(9)",
                "NIST.800-53.r5 AU-10",
                "NIST.800-53.r5 AU-12",
                "NIST.800-53.r5 AU-2",
                "NIST.800-53.r5 AU-3",
                "NIST.800-53.r5 AU-6(3)",
                "NIST.800-53.r5 AU-6(4)",
                "NIST.800-53.r5 AU-14(1)",
                "NIST.800-53.r5 CA-7",
                "NIST.800-53.r5 SC-7(9)",
                "NIST.800-53.r5 SI-3(8)",
                "NIST.800-53.r5 SI-4(20)",
                "NIST.800-53.r5 SI-7(8)",
                "NIST.800-53.r5 SA-8(22)"
            ],
            "UpdatedAt": "2023-05-15T17:52:21.304000+00:00",
            "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations 2.1"
            ],
            "UpdatedAt": "2020-02-10T21:22:53.998000+00:00",
            "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
            "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service."
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "DISABLED",
            "RelatedRequirements": [],
            "UpdatedAt": "2023-05-15T19:31:52.671000+00:00",
            "UpdatedReason": "Alternative compensating controls are in place",
            "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations Benchmark v1.4.0/3.1"
            ],
            "UpdatedAt": "2022-11-10T15:40:36.021000+00:00",
            "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
            "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
        }
    ]
}

For more information, see Enabling or disabling controls in specific standards in the AWS Security Hub User Guide.
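A defender reviewing the output above usually wants one question answered: in which standards is the control switched off, and was a reason recorded (the UpdatedReason field) when it was? The following added example (not part of the AWS CLI documentation) reduces a list-standards-control-associations response to that report. It parses both ARN forms seen on this page (standards/... and the legacy ruleset/...); the sample response is constructed to mirror the documented output, with one extra disabled entry that lacks a reason.

```python
"""Report a control's enablement per standard from list-standards-control-associations output."""
import json

# Constructed sample modelled on the documented output; the last entry is added
# to show a DISABLED association with no UpdatedReason recorded.
SAMPLE_RESPONSE = json.dumps({
    "StandardsControlAssociationSummaries": [
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
         "RelatedRequirements": ["NIST.800-53.r5 AU-2", "NIST.800-53.r5 AU-12"]},
        {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
         "RelatedRequirements": ["CIS AWS Foundations 2.1"]},
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "DISABLED",
         "RelatedRequirements": [],
         "UpdatedReason": "Alternative compensating controls are in place"},
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "DISABLED",
         "RelatedRequirements": []},
    ]
})


def standard_name(arn):
    """Return 'name vX.Y.Z' from a standards/... or ruleset/... ARN.

    ARN layout: arn:partition:service:region:account:resource, where the
    resource is e.g. standards/nist-800-53/v/5.0.0 (region/account may be empty).
    """
    resource = arn.split(":", 5)[5]
    parts = resource.split("/")
    if len(parts) >= 4 and parts[2] == "v":
        return f"{parts[1]} v{parts[3]}"
    return resource  # unknown layout: fall back to the raw resource string


def control_status_report(response_json):
    """One row per standard: status, recorded reason, and requirement count."""
    summaries = json.loads(response_json).get("StandardsControlAssociationSummaries", [])
    return [
        {
            "standard": standard_name(s["StandardsArn"]),
            "control": s["SecurityControlId"],
            "status": s["AssociationStatus"],
            "reason": s.get("UpdatedReason"),
            "requirements": len(s.get("RelatedRequirements", [])),
        }
        for s in summaries
    ]


def undocumented_disables(rows):
    """Standards where the control is DISABLED but no UpdatedReason was recorded."""
    return [r["standard"] for r in rows if r["status"] == "DISABLED" and not r["reason"]]


if __name__ == "__main__":
    report = control_status_report(SAMPLE_RESPONSE)
    for row in report:
        print(f"{row['standard']:45} {row['status']:9} reqs={row['requirements']} reason={row['reason']!r}")
    print("disabled without a recorded reason:", undocumented_disables(report))
```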

The following code example shows how to use list-tags-for-resource.

AWS CLI

To retrieve the tags assigned to a resource

The following list-tags-for-resource example returns the tags assigned to the specified hub resource.

aws securityhub list-tags-for-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

{
    "Tags": {
        "Department": "Operations",
        "Area": "USMidwest"
    }
}

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

The following code example shows how to use start-configuration-policy-association.

AWS CLI

Example 1: To associate a configuration policy

The following start-configuration-policy-association example associates the specified configuration policy with the specified organizational unit. A configuration can be associated with a target account, organizational unit, or the root.

aws securityhub start-configuration-policy-association \
    --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

{
    "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "TargetId": "ou-6hi7-8j91kl2m",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
    "AssociationStatus": "PENDING"
}

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

Example 2: To associate a self-managed configuration

The following start-configuration-policy-association example associates a self-managed configuration with the specified account.

aws securityhub start-configuration-policy-association \
    --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
    --target '{"AccountId": "123456789012"}'

Output:

{
    "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
    "TargetId": "123456789012",
    "TargetType": "ACCOUNT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
    "AssociationStatus": "PENDING"
}

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use start-configuration-policy-disassociation.

AWS CLI

Example 1: To disassociate a configuration policy

The following start-configuration-policy-disassociation example disassociates a configuration policy from the specified organizational unit. A configuration can be disassociated from a target account, organizational unit, or the root.

aws securityhub start-configuration-policy-disassociation \
    --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts or OUs in the AWS Security Hub User Guide.

Example 2: To disassociate a self-managed configuration

The following start-configuration-policy-disassociation example disassociates a self-managed configuration from the specified account.

aws securityhub start-configuration-policy-disassociation \
    --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
    --target '{"AccountId": "123456789012"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts or OUs in the AWS Security Hub User Guide.
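Both start-configuration-policy-association and start-configuration-policy-disassociation take the same --target object, and the key inside it (AccountId, OrganizationalUnitId, or RootId) must match the kind of identifier being passed. The following POSIX sh helper, added here as an illustration and not taken from the AWS documentation or the AWS CLI itself, classifies a bare identifier and emits the correct JSON, so an account ID can never be sent under the organizational-unit key by mistake. The function names target_type, target_json and policy_assoc_cmd are hypothetical; the RootId key is the third member of the API's Target type and does not appear in the examples above.

```sh
#!/bin/sh
# Added example, not part of the AWS documentation. Builds the --target JSON
# for start-configuration-policy-association/-disassociation from a bare
# identifier. Helper names are hypothetical.

# Classify an identifier: 12 digits = ACCOUNT, ou-* = ORGANIZATIONAL_UNIT,
# r-* = ROOT, anything else = INVALID.
target_type() {
    case "$1" in
        ou-*) echo ORGANIZATIONAL_UNIT ;;
        r-*)  echo ROOT ;;
        *)
            # An account ID is exactly 12 characters and all of them digits.
            if [ "${#1}" -eq 12 ] && [ -z "$(printf '%s' "$1" | tr -d '0-9')" ]; then
                echo ACCOUNT
            else
                echo INVALID
            fi ;;
    esac
}

# Emit the JSON object the CLI expects for --target, keyed by target kind.
# Returns 1 (with a message on stderr) for an identifier it cannot classify.
target_json() {
    case "$(target_type "$1")" in
        ACCOUNT)             printf '{"AccountId": "%s"}' "$1" ;;
        ORGANIZATIONAL_UNIT) printf '{"OrganizationalUnitId": "%s"}' "$1" ;;
        ROOT)                printf '{"RootId": "%s"}' "$1" ;;
        *) printf 'unrecognised target identifier: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Print (do not run) the full command for review. Arguments:
#   $1 policy identifier (ARN or SELF_MANAGED_SECURITY_HUB)
#   $2 target identifier
#   $3 "association" (default) or "disassociation"
policy_assoc_cmd() {
    action=${3:-association}
    json=$(target_json "$2") || return 1
    printf "aws securityhub start-configuration-policy-%s --configuration-policy-identifier '%s' --target '%s'\n" \
        "$action" "$1" "$json"
}

# Usage: policy_assoc_cmd SELF_MANAGED_SECURITY_HUB 123456789012
#        policy_assoc_cmd "$POLICY_ARN" ou-6hi7-8j91kl2m disassociation
```

The helper only prints the command; piping its output to sh is a deliberate extra step so the resulting target can be reviewed before a policy is applied to or removed from an account or OU.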

The following code example shows how to use tag-resource.

AWS CLI

To add tags to a resource

The following tag-resource example assigns values for the Department and Area tags to the specified Hub resource.

aws securityhub tag-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
    --tags '{"Department":"Operations", "Area":"USMidwest"}'

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see TagResource in the AWS CLI Command Reference.

The following code example shows how to use untag-resource.

AWS CLI

To remove a tag from a resource

The following untag-resource example removes the Department tag from the specified Hub resource.

aws securityhub untag-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
    --tag-keys "Department"

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see UntagResource in the AWS CLI Command Reference.

The following code example shows how to use update-action-target.

AWS CLI

To update a custom action

The following update-action-target example updates the name of the custom action identified by the specified ARN.

aws securityhub update-action-target \
    --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" \
    --name "Send to remediation"

This command produces no output.

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use update-configuration-policy.

AWS CLI

To update a configuration policy

The following update-configuration-policy example updates an existing configuration policy to use the specified settings.

aws securityhub update-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:508236694226:configuration-policy/09f37766-57d8-4ede-9d33-5d8b0fecf70e" \
    --name "SampleConfigurationPolicyUpdated" \
    --description "SampleDescriptionUpdated" \
    --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \
    --updated-reason "Disabling CloudWatch.1 and changing parameter value"

Output:

{
  "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "Name": "SampleConfigurationPolicyUpdated",
  "Description": "SampleDescriptionUpdated",
  "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
  "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
  "ConfigurationPolicy": {
    "SecurityHub": {
      "ServiceEnabled": true,
      "EnabledStandardIdentifiers": [
        "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      ],
      "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": [
          "CloudWatch.1"
        ],
        "SecurityControlCustomParameters": [
          {
            "SecurityControlId": "ACM.1",
            "Parameters": {
              "daysToExpiration": {
                "ValueType": "CUSTOM",
                "Value": {
                  "Integer": 21
                }
              }
            }
          }
        ]
      }
    }
  }
}

For more information, see Updating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use update-finding-aggregator.

AWS CLI

To update the current finding aggregation configuration

The following update-finding-aggregator example changes the finding aggregation configuration to link from selected Regions. It is run from the aggregation Region, which is US East (N. Virginia). It selects US West (N. California) and US West (Oregon) as the linked Regions.

aws securityhub update-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1,us-west-2

This command produces no output.

For more information, see Updating the finding aggregation configuration in the AWS Security Hub User Guide.

The following code example shows how to use update-insight.

AWS CLI

Example 1: To change the filters for a custom insight

The following update-insight example changes the filters for a custom insight. The updated insight looks for high severity findings that are related to AWS roles.

aws securityhub update-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
    --name "High severity role findings"

Example 2: To change the grouping attribute for a custom insight

The following update-insight example changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.

aws securityhub update-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --group-by-attribute "ResourceId" \
    --name "Critical role findings"

Output:

{
  "Insights": [
    {
      "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "Name": "Critical role findings",
      "Filters": {
        "SeverityLabel": [
          {
            "Value": "CRITICAL",
            "Comparison": "EQUALS"
          }
        ],
        "ResourceType": [
          {
            "Value": "AwsIamRole",
            "Comparison": "EQUALS"
          }
        ]
      },
      "GroupByAttribute": "ResourceId"
    }
  ]
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see UpdateInsight in the AWS CLI Command Reference.

The following code example shows how to use update-organization-configuration.

AWS CLI

To update how Security Hub is configured for an organization

The following update-organization-configuration example specifies that Security Hub should use central configuration to configure an organization. After running this command, the delegated Security Hub administrator can create and manage configuration policies to configure the organization. The delegated administrator can also use this command to switch from central configuration to local configuration. If the configuration type is local configuration, the delegated administrator can choose whether to automatically enable Security Hub and the default security standards in new organization accounts.

aws securityhub update-organization-configuration \
    --no-auto-enable \
    --organization-configuration '{"ConfigurationType": "CENTRAL"}'

This command produces no output.

For more information, see AWS Organizations accounts in the AWS Security Hub User Guide.

The following code example shows how to use update-security-control.

AWS CLI

To update security control properties

The following update-security-control example specifies a custom value for a Security Hub security control parameter.

aws securityhub update-security-control \
    --security-control-id ACM.1 \
    --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \
    --last-update-reason "Internal compliance requirement"

This command produces no output.

For more information, see Custom control parameters in the AWS Security Hub User Guide.

The following code example shows how to use update-security-hub-configuration.

AWS CLI

To update the Security Hub configuration

The following update-security-hub-configuration example configures Security Hub to automatically enable new controls for enabled standards.

aws securityhub update-security-hub-configuration \
    --auto-enable-controls

This command produces no output.

For more information, see Automatically enabling new controls in the AWS Security Hub User Guide.

The following code example shows how to use update-standards-control.

AWS CLI

Example 1: To disable a control

The following update-standards-control example disables the PCI.AutoScaling.1 control.

aws securityhub update-standards-control \
    --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
    --control-status "DISABLED" \
    --disabled-reason "Not applicable for my service"

This command produces no output.

Example 2: To enable a control

The following update-standards-control example enables the PCI.AutoScaling.1 control.

aws securityhub update-standards-control \
    --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
    --control-status "ENABLED"

This command produces no output.

For more information, see Disabling or enabling individual controls in the AWS Security Hub User Guide.
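Disabling a standards control removes a check from the compliance picture, and the --disabled-reason shown in Example 1 is the only record of why that was acceptable. The following POSIX sh helper, added here as an illustration and not taken from the AWS documentation or the AWS CLI, assembles the update-standards-control command and refuses to produce a DISABLED command without a non-blank reason, and rejects anything that is not a Security Hub control ARN. The function name standards_control_args is hypothetical; the flags it emits are exactly those used in the two examples above.

```sh
#!/bin/sh
# Added example, not part of the AWS documentation. Builds (but does not run)
# an update-standards-control command, enforcing that a DISABLED status is
# always accompanied by a non-blank disabled reason. Helper name is hypothetical.

# Arguments: $1 standards-control ARN, $2 ENABLED|DISABLED, $3 reason (DISABLED only).
# Prints the command on success; returns 1 with a message on stderr otherwise.
standards_control_args() {
    arn=$1
    status=$2
    reason=$3

    # A standards control ARN always carries a "control/" resource segment.
    case "$arn" in
        arn:aws:securityhub:*:control/*) ;;
        *) echo "not a standards-control ARN: $arn" >&2; return 1 ;;
    esac

    case "$status" in
        ENABLED)
            printf 'aws securityhub update-standards-control --standards-control-arn "%s" --control-status "ENABLED"\n' \
                "$arn" ;;
        DISABLED)
            # Strip whitespace so a reason of spaces only is treated as missing.
            if [ -z "$(printf '%s' "$reason" | tr -d '[:space:]')" ]; then
                echo "DISABLED requires a non-blank disabled reason" >&2
                return 1
            fi
            printf 'aws securityhub update-standards-control --standards-control-arn "%s" --control-status "DISABLED" --disabled-reason "%s"\n' \
                "$arn" "$reason" ;;
        *)
            echo "status must be ENABLED or DISABLED: $status" >&2; return 1 ;;
    esac
}

# Usage:
#   standards_control_args "$CONTROL_ARN" DISABLED "Not applicable for my service"
#   standards_control_args "$CONTROL_ARN" ENABLED
```

Because the reason is interpolated into a double-quoted argument, a reason containing a double quote would need escaping before the printed command is executed; for reviewed, human-written reasons this is rarely an issue, but a wrapper that accepts free-form text from a ticketing system should validate it first.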