There are more AWS SDK examples available in the AWS Doc SDK Examples GitHub repo.
Security Hub examples using AWS CLI
The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Security Hub.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use accept-administrator-invitation.
- AWS CLI
To accept an invitation from an administrator account
The following accept-administrator-invitation example accepts the specified invitation from the specified administrator account.
```bash
aws securityhub accept-administrator-invitation \
    --administrator-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
```
This command produces no output.
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see AcceptAdministratorInvitation in AWS CLI Command Reference.
The following code example shows how to use accept-invitation.
- AWS CLI
To accept an invitation from an administrator account
The following accept-invitation example accepts the specified invitation from the specified administrator account.
```bash
aws securityhub accept-invitation \
    --master-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
```
This command produces no output.
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see AcceptInvitation in AWS CLI Command Reference.
The following code example shows how to use batch-delete-automation-rules.
- AWS CLI
To delete automation rules
The following batch-delete-automation-rules example deletes the specified automation rule. You can delete one or more rules with a single command. Only the Security Hub administrator account can run this command.
```bash
aws securityhub batch-delete-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'
```
Output:
```json
{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}
```
For more information, see Deleting automation rules in the AWS Security Hub User Guide.
For API details, see BatchDeleteAutomationRules in AWS CLI Command Reference.
The following code example shows how to use batch-disable-standards.
- AWS CLI
To disable a standard
The following batch-disable-standards example disables the standard associated with the specified subscription ARN.
```bash
aws securityhub batch-disable-standards \
    --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
```
Output:
```json
{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "DELETING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}
```
For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.
For API details, see BatchDisableStandards in AWS CLI Command Reference.
The following code example shows how to use batch-enable-standards.
- AWS CLI
To enable a standard
The following batch-enable-standards example enables the PCI DSS standard for the requesting account.
```bash
aws securityhub batch-enable-standards \
    --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}'
```
Output:
```json
{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "PENDING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}
```
For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.
For API details, see BatchEnableStandards in AWS CLI Command Reference.
The following code example shows how to use batch-get-automation-rules.
- AWS CLI
To get details for automation rules
The following batch-get-automation-rules example gets details for the specified automation rule. You can get details for one or more automation rules with a single command.
```bash
aws securityhub batch-get-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'
```
Output:
```json
{
    "Rules": [
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "Suppress informational findings",
            "Description": "Suppress GuardDuty findings with Informational severity",
            "IsTerminal": false,
            "Criteria": {
                "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
                "SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}],
                "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
                "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
            },
            "Actions": [
                {
                    "Type": "FINDING_FIELDS_UPDATE",
                    "FindingFieldsUpdate": {
                        "Note": {
                            "Text": "Automatically suppress GuardDuty findings with Informational severity",
                            "UpdatedBy": "sechub-automation"
                        },
                        "Workflow": {"Status": "SUPPRESSED"}
                    }
                }
            ],
            "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
            "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        }
    ],
    "UnprocessedAutomationRules": []
}
```
For more information, see Viewing automation rules in the AWS Security Hub User Guide.
For API details, see BatchGetAutomationRules in AWS CLI Command Reference.
The following code example shows how to use batch-get-configuration-policy-associations.
- AWS CLI
To get configuration association details for a batch of targets
The following batch-get-configuration-policy-associations example retrieves association details for the specified targets. You can provide account IDs, organizational unit IDs, or the root ID for the targets.
```bash
aws securityhub batch-get-configuration-policy-associations \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'
```
Output:
```json
{
    "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "TargetId": "ou-6hi7-8j91kl2m",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
    "AssociationStatus": "SUCCESS",
    "AssociationStatusMessage": "Association applied successfully on this target."
}
```
For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.
For API details, see BatchGetConfigurationPolicyAssociations in AWS CLI Command Reference.
The following code example shows how to use batch-get-security-controls.
- AWS CLI
To get security control details
The following batch-get-security-controls example gets details for the security controls ACM.1 and IAM.1 in the current AWS account and AWS Region.
```bash
aws securityhub batch-get-security-controls \
    --security-control-ids '["ACM.1", "IAM.1"]'
```
Output:
```json
{
    "SecurityControls": [
        {
            "SecurityControlId": "ACM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1",
            "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
            "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
            "SeverityRating": "MEDIUM",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {
                "daysToExpiration": {
                    "ValueType": "CUSTOM",
                    "Value": {
                        "Integer": 15
                    }
                }
            },
            "LastUpdateReason": "Updated control parameter"
        },
        {
            "SecurityControlId": "IAM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1",
            "Title": "IAM policies should not allow full \"*\" administrative privileges",
            "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation",
            "SeverityRating": "HIGH",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {}
        }
    ]
}
```
For more information, see Viewing details for a control in the AWS Security Hub User Guide.
For API details, see BatchGetSecurityControls in AWS CLI Command Reference.
The following code example shows how to use batch-get-standards-control-associations.
- AWS CLI
To get the enablement status of a control
The following batch-get-standards-control-associations example determines whether the specified controls are enabled in the specified standards.
```bash
aws securityhub batch-get-standards-control-associations \
    --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:standards/aws-foundational-security-best-practices/v/1.0.0"}]'
```
Output:
```json
{
    "StandardsControlAssociationDetails": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "SecurityControlId": "Config.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/Config.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations 2.5"
            ],
            "UpdatedAt": "2022-10-27T16:07:12.960000+00:00",
            "StandardsControlTitle": "Ensure AWS Config is enabled",
            "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:068873283051:control/cis-aws-foundations-benchmark/v/1.2.0/2.5"
            ]
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "SecurityControlId": "IAM.6",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/IAM.6",
            "AssociationStatus": "DISABLED",
            "RelatedRequirements": [],
            "UpdatedAt": "2022-11-22T21:30:35.080000+00:00",
            "UpdatedReason": "test",
            "StandardsControlTitle": "Hardware MFA should be enabled for the root user",
            "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:068873283051:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6"
            ]
        }
    ]
}
```
For more information, see Enabling and disabling controls in specific standards in the AWS Security Hub User Guide.
For API details, see BatchGetStandardsControlAssociations in AWS CLI Command Reference.
The following code example shows how to use batch-import-findings.
- AWS CLI
To update a finding
The following batch-import-findings example updates a finding.
```bash
aws securityhub batch-import-findings \
    --findings '[{
        "AwsAccountId": "123456789012",
        "CreatedAt": "2020-05-27T17:05:54.832Z",
        "Description": "Vulnerability in a CloudTrail trail",
        "FindingProviderFields": {
            "Severity": {
                "Label": "LOW",
                "Original": "10"
            },
            "Types": [
                "Software and Configuration Checks/Vulnerabilities/CVE"
            ]
        },
        "GeneratorId": "TestGeneratorId",
        "Id": "Id1",
        "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default",
        "Resources": [
            {
                "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
                "Partition": "aws",
                "Region": "us-west-1",
                "Type": "AwsCloudTrailTrail"
            }
        ],
        "SchemaVersion": "2018-10-08",
        "Title": "CloudTrail trail vulnerability",
        "UpdatedAt": "2020-06-02T16:05:54.832Z"
    }]'
```
Output:
```json
{
    "FailedCount": 0,
    "SuccessCount": 1,
    "FailedFindings": []
}
```
For more information, see Using BatchImportFindings to create and update findings in the AWS Security Hub User Guide.
For API details, see BatchImportFindings in AWS CLI Command Reference.
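The batch-import-findings call above rejects malformed findings only once they reach the service, and the response reports them as FailedFindings. The following Python script is an added example (not AWS code and not part of this page's CLI examples) that builds a finding in the shape shown above and checks it locally before it is passed to --findings. The list of required fields, the timestamp format, and the per-resource checks are assumptions drawn from the finding on this page, not the complete ASFF schema; the sample timestamps and account IDs are constructed.

```python
"""Offline builder and pre-flight validator for ASFF findings sent with
`aws securityhub batch-import-findings`. Added example; the REQUIRED_FIELDS
list and the format checks are assumptions based on the page's sample finding,
not the full ASFF specification."""
import json
import re
from datetime import datetime, timezone

# Fields present in the page's example that the service requires (assumed set).
REQUIRED_FIELDS = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
    "ProductArn", "Resources", "SchemaVersion", "Title", "UpdatedAt",
)
SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
# ISO-8601 UTC with millisecond precision and a trailing Z, as in the example.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
ACCOUNT_RE = re.compile(r"^\d{12}$")

# Constructed sample time matching the CreatedAt value on the page.
SAMPLE_NOW = datetime(2020, 5, 27, 17, 5, 54, 832000, tzinfo=timezone.utc)


def iso_ms(dt):
    """Format a datetime the way the page's finding does: 2020-05-27T17:05:54.832Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_finding(account_id, region, finding_id, title, description,
                 resource_arn, resource_type, severity_label, now):
    """Build a minimal finding with the same fields as the page's example."""
    return {
        "AwsAccountId": account_id,
        "CreatedAt": iso_ms(now),
        "UpdatedAt": iso_ms(now),
        "Description": description,
        "FindingProviderFields": {
            "Severity": {"Label": severity_label},
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        },
        "GeneratorId": "TestGeneratorId",
        "Id": finding_id,
        # Default product ARN pattern used by the page for a custom integration.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "Resources": [{"Id": resource_arn, "Partition": "aws",
                       "Region": region, "Type": resource_type}],
        "SchemaVersion": "2018-10-08",
        "Title": title,
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding passes the checks."""
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in finding]
    if "AwsAccountId" in finding and not ACCOUNT_RE.match(str(finding["AwsAccountId"])):
        problems.append("AwsAccountId must be a 12-digit account ID")
    for field in ("CreatedAt", "UpdatedAt"):
        value = finding.get(field)
        if value is not None and not TIMESTAMP_RE.match(str(value)):
            problems.append(f"{field} must look like 2020-05-27T17:05:54.832Z")
    if finding.get("SchemaVersion") != "2018-10-08":
        problems.append("SchemaVersion must be 2018-10-08")
    resources = finding.get("Resources")
    if not isinstance(resources, list) or not resources:
        problems.append("Resources must be a non-empty list")
    else:
        for i, res in enumerate(resources):
            problems += [f"Resources[{i}] is missing {k}" for k in ("Id", "Type") if k not in res]
    label = finding.get("FindingProviderFields", {}).get("Severity", {}).get("Label")
    if label not in SEVERITY_LABELS:
        problems.append("FindingProviderFields.Severity.Label must be a valid severity label")
    return problems


def preflight(findings):
    """Split a batch into accepted findings and a summary shaped like the CLI response."""
    accepted, failed = [], []
    for f in findings:
        problems = validate_finding(f)
        if problems:
            failed.append({"Id": f.get("Id"), "Problems": problems})
        else:
            accepted.append(f)
    summary = {"FailedCount": len(failed), "SuccessCount": len(accepted), "FailedFindings": failed}
    return accepted, summary


def to_cli_argument(findings):
    """Serialise the accepted batch as the JSON string passed to --findings."""
    return json.dumps(findings)


def sample_finding():
    """The page's finding, rebuilt from constructed inputs."""
    return make_finding("123456789012", "us-west-1", "Id1",
                        "CloudTrail trail vulnerability",
                        "Vulnerability in a CloudTrail trail",
                        "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
                        "AwsCloudTrailTrail", "LOW", SAMPLE_NOW)


if __name__ == "__main__":
    good = sample_finding()
    broken = {k: v for k, v in good.items() if k != "Title"}
    accepted, summary = preflight([good, broken])
    print(json.dumps(summary, indent=2))
    print(to_cli_argument(accepted))
```

Running the script validates one well-formed finding and one with Title removed; the summary reports SuccessCount 1 and FailedCount 1 with the reason, so a broken record is caught before the batch is sent rather than after.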
The following code example shows how to use batch-update-automation-rules.
- AWS CLI
To update automation rules
The following batch-update-automation-rules example updates the specified automation rule. You can update one or more rules with a single command. Only the Security Hub administrator account can run this command.
```bash
aws securityhub batch-update-automation-rules \
    --update-automation-rules-request-items '[
        {
            "Actions": [{
                "Type": "FINDING_FIELDS_UPDATE",
                "FindingFieldsUpdate": {
                    "Note": {
                        "Text": "Known issue that is a risk",
                        "UpdatedBy": "sechub-automation"
                    },
                    "Workflow": {
                        "Status": "NEW"
                    }
                }
            }],
            "Criteria": {
                "SeverityLabel": [{
                    "Value": "LOW",
                    "Comparison": "EQUALS"
                }]
            },
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleOrder": 1,
            "RuleStatus": "DISABLED"
        }
    ]'
```
Output:
```json
{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}
```
For more information, see Editing automation rules in the AWS Security Hub User Guide.
For API details, see BatchUpdateAutomationRules in AWS CLI Command Reference.
The following code example shows how to use batch-update-findings.
- AWS CLI
Example 1: To update findings
The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them.
```bash
aws securityhub batch-update-findings \
    --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
    --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
    --severity '{"Label": "LOW"}' \
    --workflow '{"Status": "RESOLVED"}'
```
Output:
```json
{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}
```
For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.
Example 2: To update findings using shorthand syntax
The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them, using shorthand syntax.
```bash
aws securityhub batch-update-findings \
    --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \
    --note Text="Known issue that is not a risk.",UpdatedBy="user1" \
    --severity Label="LOW" \
    --workflow Status="RESOLVED"
```
Output:
```json
{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}
```
For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.
For API details, see BatchUpdateFindings in AWS CLI Command Reference.
The following code example shows how to use batch-update-standards-control-associations.
- AWS CLI
To update the enablement status of a control in enabled standards
The following batch-update-standards-control-associations example disables CloudTrail.1 in the specified standards.
```bash
aws securityhub batch-update-standards-control-associations \
    --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
```
If successful, this command produces no output.
For more information, see Enabling and disabling controls in specific standards and Enabling and disabling controls in all standards in the AWS Security Hub User Guide.
For API details, see BatchUpdateStandardsControlAssociations in AWS CLI Command Reference.
The following code example shows how to use create-action-target.
- AWS CLI
To create a custom action
The following create-action-target example creates a custom action. It provides the name, description, and identifier for the action.
```bash
aws securityhub create-action-target \
    --name "Send to remediation" \
    --description "Action to send the finding for remediation tracking" \
    --id "Remediation"
```
Output:
```json
{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}
```
For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.
For API details, see CreateActionTarget in AWS CLI Command Reference.
The following code example shows how to use create-automation-rule.
- AWS CLI
To create an automation rule
The following create-automation-rule example creates an automation rule in the current AWS account and AWS Region. Security Hub filters your findings based on the specified criteria and applies the actions to matching findings. Only the Security Hub administrator account can run this command.
```bash
aws securityhub create-automation-rule \
    --actions '[{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "HIGH"
            },
            "Note": {
                "Text": "Known issue that is a risk. Updated by automation rules",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]' \
    --criteria '{
        "SeverityLabel": [{
            "Value": "INFORMATIONAL",
            "Comparison": "EQUALS"
        }]
    }' \
    --description "A sample rule" \
    --no-is-terminal \
    --rule-name "sample rule" \
    --rule-order 1 \
    --rule-status "ENABLED"
```
Output:
```json
{
    "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```
For more information, see Creating automation rules in the AWS Security Hub User Guide.
For API details, see CreateAutomationRule in AWS CLI Command Reference.
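The batch-get-automation-rules output and the create-automation-rule command above show the pieces of an automation rule (Criteria, Actions of type FINDING_FIELDS_UPDATE, RuleOrder, RuleStatus, IsTerminal) but not how they combine when several rules exist. The following Python script is an added example (not AWS code) that models that evaluation locally so the effect of rule order and the --no-is-terminal flag can be checked before rules are created. The mapping from criteria keys to finding fields in CRITERIA_PATHS, the "OR within a field, AND across fields" matching, the PREFIX comparison, and the sample rules and findings are assumptions made for the example; the two rules reuse the values from this page, with the second given RuleOrder 2.

```python
"""Offline model of Security Hub automation-rule evaluation. Added example,
not AWS code: CRITERIA_PATHS, the matching semantics and the sample data are
assumptions built from the rule shapes shown on this page."""
import copy

# Criteria key -> path into the finding document (assumed mapping).
CRITERIA_PATHS = {
    "ProductName": ("ProductName",),
    "SeverityLabel": ("Severity", "Label"),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
}


def get_path(obj, path):
    """Walk a nested dict; None when any key along the path is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def field_matches(value, filters):
    """Filters on one field are OR-ed: any EQUALS/PREFIX match is enough (assumed)."""
    for flt in filters:
        if flt["Comparison"] == "EQUALS" and value == flt["Value"]:
            return True
        if flt["Comparison"] == "PREFIX" and isinstance(value, str) and value.startswith(flt["Value"]):
            return True
    return False


def criteria_match(finding, criteria):
    """Fields are AND-ed; an unknown criteria key never matches (fail closed)."""
    return all(
        key in CRITERIA_PATHS and field_matches(get_path(finding, CRITERIA_PATHS[key]), filters)
        for key, filters in criteria.items()
    )


def apply_action(finding, action):
    """Apply a FINDING_FIELDS_UPDATE action in place; other action types are ignored."""
    if action.get("Type") != "FINDING_FIELDS_UPDATE":
        return finding
    update = action["FindingFieldsUpdate"]
    for section in ("Severity", "Workflow"):
        if section in update:
            finding.setdefault(section, {}).update(update[section])
    if "Note" in update:
        finding["Note"] = dict(update["Note"])
    return finding


def run_rules(finding, rules):
    """Evaluate ENABLED rules in RuleOrder against the (progressively updated)
    finding; stop after the first matching rule whose IsTerminal is true.
    Returns (updated finding, names of rules applied)."""
    finding = copy.deepcopy(finding)
    applied = []
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if rule.get("RuleStatus", "ENABLED") != "ENABLED":
            continue
        if not criteria_match(finding, rule["Criteria"]):
            continue
        for action in rule.get("Actions", []):
            apply_action(finding, action)
        applied.append(rule["RuleName"])
        if rule.get("IsTerminal", False):
            break
    return finding, applied


def sample_rules(first_rule_terminal=False):
    """The two rules from this page as constructed rule objects."""
    suppress = {
        "RuleName": "Suppress informational findings", "RuleOrder": 1,
        "RuleStatus": "ENABLED", "IsTerminal": first_rule_terminal,
        "Criteria": {
            "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
            "SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}],
            "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        },
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Note": {"Text": "Automatically suppress GuardDuty findings with Informational severity",
                     "UpdatedBy": "sechub-automation"},
            "Workflow": {"Status": "SUPPRESSED"}}}],
    }
    escalate = {
        "RuleName": "sample rule", "RuleOrder": 2, "RuleStatus": "ENABLED", "IsTerminal": False,
        "Criteria": {"SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}]},
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Severity": {"Label": "HIGH"},
            "Note": {"Text": "Known issue that is a risk. Updated by automation rules",
                     "UpdatedBy": "sechub-automation"}}}],
    }
    return [escalate, suppress]  # deliberately unsorted; run_rules sorts by RuleOrder


# Constructed sample findings (not real findings).
GUARDDUTY_INFO = {"ProductName": "GuardDuty", "Severity": {"Label": "INFORMATIONAL"},
                  "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"}
GUARDDUTY_HIGH = dict(GUARDDUTY_INFO, Severity={"Label": "HIGH"})

if __name__ == "__main__":
    for terminal in (False, True):
        updated, applied = run_rules(GUARDDUTY_INFO, sample_rules(terminal))
        print(f"IsTerminal={terminal}: applied={applied} severity={updated['Severity']['Label']} "
              f"workflow={updated['Workflow']['Status']}")
```

With the first rule non-terminal (the page's --no-is-terminal setting) both rules fire: the finding is suppressed and then raised to HIGH, which is probably not what the rule author intended. Marking the suppression rule terminal stops evaluation after it, which is the check worth running before relying on rule order in production.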
The following code example shows how to use create-configuration-policy.
- AWS CLI
To create a configuration policy
The following create-configuration-policy example creates a configuration policy with the specified settings.
```bash
aws securityhub create-configuration-policy \
    --name "SampleConfigurationPolicy" \
    --description "SampleDescription" \
    --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \
    --tags '{"Environment": "Prod"}'
```
Output:
```json
{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "SampleConfigurationPolicy",
    "Description": "SampleDescription",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}
```
For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.
For API details, see CreateConfigurationPolicy in AWS CLI Command Reference.
The following code example shows how to use create-finding-aggregator.
- AWS CLI
To enable finding aggregation
The following create-finding-aggregator example configures finding aggregation. It is run from US East (Virginia), which designates US East (Virginia) as the aggregation Region. It indicates to link only the specified Regions, and to not automatically link new Regions. It selects US West (N. California) and US West (Oregon) as the linked Regions.
```bash
aws securityhub create-finding-aggregator \
    --region us-east-1 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1,us-west-2
```
Output:
```json
{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": "us-west-1,us-west-2"
}
```
For more information, see Enabling finding aggregation in the AWS Security Hub User Guide.
For API details, see CreateFindingAggregator in AWS CLI Command Reference.
The following code example shows how to use create-insight.
- AWS CLI
To create a custom insight
The following create-insight example creates a custom insight named Critical role findings that returns critical findings that are related to AWS roles.
```bash
aws securityhub create-insight \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
    --group-by-attribute "ResourceId" \
    --name "Critical role findings"
```
Output:
```json
{
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```
For more information, see Managing custom insights in the AWS Security Hub User Guide.
For API details, see CreateInsight in AWS CLI Command Reference.
The following code example shows how to use create-members.
- AWS CLI
To add accounts as member accounts
The following create-members example adds two accounts as member accounts to the requesting administrator account.
```bash
aws securityhub create-members \
    --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```
Output:
```json
{
    "UnprocessedAccounts": []
}
```
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see CreateMembers in AWS CLI Command Reference.
The following code example shows how to use decline-invitations.
- AWS CLI
To decline an invitation to be a member account
The following decline-invitations example declines an invitation to be a member account of the specified administrator account. The member account is the requesting account.
```bash
aws securityhub decline-invitations \
    --account-ids "123456789012"
```
Output:
```json
{
    "UnprocessedAccounts": []
}
```
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DeclineInvitations in AWS CLI Command Reference.
The following code example shows how to use delete-action-target.
- AWS CLI
To delete a custom action
The following delete-action-target example deletes the custom action identified by the specified ARN.
```bash
aws securityhub delete-action-target \
    --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
```
Output:
```json
{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}
```
For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.
For API details, see DeleteActionTarget in AWS CLI Command Reference.
The following code example shows how to use delete-configuration-policy.
- AWS CLI
To delete a configuration policy
The following delete-configuration-policy example deletes the specified configuration policy.
```bash
aws securityhub delete-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```
This command produces no output.
For more information, see Deleting and disassociating Security Hub configuration policies in the AWS Security Hub User Guide.
For API details, see DeleteConfigurationPolicy in AWS CLI Command Reference.
The following code example shows how to use delete-finding-aggregator.
- AWS CLI
To stop finding aggregation
The following delete-finding-aggregator example stops finding aggregation. It is run from US East (Virginia), which is the aggregation Region.
```bash
aws securityhub delete-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000
```
This command produces no output.
For more information, see Stopping finding aggregation in the AWS Security Hub User Guide.
For API details, see DeleteFindingAggregator in AWS CLI Command Reference.
The following code example shows how to use delete-insight.
- AWS CLI
To delete a custom insight
The following delete-insight example deletes the custom insight with the specified ARN.
```bash
aws securityhub delete-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```
Output:
```json
{
    "InsightArn": "arn:aws:securityhub:eu-central-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```
For more information, see Managing custom insights in the AWS Security Hub User Guide.
For API details, see DeleteInsight in AWS CLI Command Reference.
The following code example shows how to use delete-invitations.
- AWS CLI
To delete an invitation to be a member account
The following delete-invitations example deletes an invitation to be a member account of the specified administrator account. The member account is the requesting account.
```bash
aws securityhub delete-invitations \
    --account-ids "123456789012"
```
Output:
```json
{
    "UnprocessedAccounts": []
}
```
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DeleteInvitations in AWS CLI Command Reference.
The following code example shows how to use delete-members.
- AWS CLI
To delete member accounts
The following delete-members example deletes the specified member accounts from the requesting administrator account.
```bash
aws securityhub delete-members \
    --account-ids "123456789111" "123456789222"
```
Output:
```json
{
    "UnprocessedAccounts": []
}
```
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DeleteMembers in AWS CLI Command Reference.
The following code example shows how to use describe-action-targets.
- AWS CLI
To retrieve details about custom actions
The following describe-action-targets example retrieves information about the custom action identified by the specified ARN.
```bash
aws securityhub describe-action-targets \
    --action-target-arns "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
```
Output:
```json
{
    "ActionTargets": [
        {
            "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation",
            "Description": "Action to send the finding for remediation tracking",
            "Name": "Send to remediation"
        }
    ]
}
```
For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.
For API details, see DescribeActionTargets in AWS CLI Command Reference.
The following code example shows how to use describe-hub.
- AWS CLI
To get information about a hub resource
The following describe-hub example returns the subscription date for the specified hub resource. The hub resource is identified by its ARN.
```bash
aws securityhub describe-hub \
    --hub-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"
```
Output:
```json
{
    "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default",
    "SubscribedAt": "2019-11-19T23:15:10.046Z"
}
```
For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.
For API details, see DescribeHub in AWS CLI Command Reference.
The following code example shows how to use describe-organization-configuration.
- AWS CLI
To view how Security Hub is configured for an organization
The following describe-organization-configuration example returns information about the way an organization is configured in Security Hub. In this example, the organization uses central configuration. Only the Security Hub administrator account can run this command.
```bash
aws securityhub describe-organization-configuration
```
Output:
```json
{
    "AutoEnable": false,
    "MemberAccountLimitReached": false,
    "AutoEnableStandards": "NONE",
    "OrganizationConfiguration": {
        "ConfigurationType": "LOCAL",
        "Status": "ENABLED",
        "StatusMessage": "Central configuration has been enabled successfully"
    }
}
```
For more information, see AWS Organizations accounts in the AWS Security Hub User Guide.
For API details, see DescribeOrganizationConfiguration in AWS CLI Command Reference.
The following code example shows how to use describe-products.
- AWS CLI
To return information about available product integrations
The following describe-products example returns the available product integrations one at a time.
```bash
aws securityhub describe-products \
    --max-results 1
```
Output:
```json
{
    "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==",
    "Products": [
        {
            "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",
            "ProductName": "CrowdStrike Falcon",
            "CompanyName": "CrowdStrike",
            "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.",
            "Categories": [
                "Endpoint Detection and Response (EDR)",
                "AV Scanning and Sandboxing",
                "Threat Intelligence Feeds and Reports",
                "Endpoint Forensics",
                "Network Forensics"
            ],
            "IntegrationTypes": [
                "SEND_FINDINGS_TO_SECURITY_HUB"
            ],
            "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation",
            "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}"
        }
    ]
}
```
For more information, see Managing product integrations in the AWS Security Hub User Guide.
For API details, see DescribeProducts in AWS CLI Command Reference.
The following code example shows how to use describe-standards-controls.
- AWS CLI
To request the list of controls in an enabled standard
The following describe-standards-controls example requests the list of controls in the requester account's subscription to the PCI DSS standard. The request returns two controls at a time.
```bash
aws securityhub describe-standards-controls \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" \
    --max-results 2
```
Output:
```json
{
    "Controls": [
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00",
            "ControlId": "PCI.AutoScaling.1",
            "Title": "Auto scaling groups associated with a load balancer should use health checks",
            "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation",
            "SeverityRating": "LOW",
            "RelatedRequirements": [
                "PCI DSS 2.2"
            ]
        },
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00",
            "ControlId": "PCI.CW.1",
            "Title": "A log metric filter and alarm should exist for usage of the \"root\" user",
            "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation",
            "SeverityRating": "MEDIUM",
            "RelatedRequirements": [
                "PCI DSS 7.2.1"
            ]
        }
    ],
    "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW"
}
```
For more information, see Viewing details for a control in the AWS Security Hub User Guide.
For API details, see DescribeStandardsControls in AWS CLI Command Reference.
The following code example shows how to use describe-standards.
- AWS CLI
To return a list of available standards
The following describe-standards example returns the list of available standards.
```bash
aws securityhub describe-standards
```
Output:
```json
{
    "Standards": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "Name": "AWS Foundational Security Best Practices v1.0.0",
            "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "Name": "CIS AWS Foundations Benchmark v1.2.0",
            "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "Name": "PCI DSS v3.2.1",
            "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.",
            "EnabledByDefault": false
        }
    ]
}
```
For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.
For API details, see DescribeStandards in AWS CLI Command Reference.
The following code example shows how to use disable-import-findings-for-product.
- AWS CLI
To stop receiving findings from a product integration
The following disable-import-findings-for-product example disables the flow of findings for the specified subscription to a product integration.
```bash
aws securityhub disable-import-findings-for-product \
    --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
```
This command produces no output.
For more information, see Managing product integrations in the AWS Security Hub User Guide.
For API details, see DisableImportFindingsForProduct in AWS CLI Command Reference.
The following code example shows how to use disable-organization-admin-account.
- AWS CLI
To remove the Security Hub administrator account
The following disable-organization-admin-account example revokes the specified account's assignment as the Security Hub administrator account for AWS Organizations.
```bash
aws securityhub disable-organization-admin-account \
    --admin-account-id 777788889999
```
This command produces no output.
For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.
For API details, see DisableOrganizationAdminAccount in AWS CLI Command Reference.
The following code example shows how to use disable-security-hub.
- AWS CLI
To disable AWS Security Hub
The following disable-security-hub example disables AWS Security Hub for the requesting account.
```bash
aws securityhub disable-security-hub
```
This command produces no output.
For more information, see Disabling AWS Security Hub in the AWS Security Hub User Guide.
For API details, see DisableSecurityHub in AWS CLI Command Reference.
The following code example shows how to use disassociate-from-administrator-account.
- AWS CLI
To disassociate from the administrator account
The following disassociate-from-administrator-account example disassociates the requesting account from its current administrator account.
```bash
aws securityhub disassociate-from-administrator-account
```
This command produces no output.
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DisassociateFromAdministratorAccount in AWS CLI Command Reference.
The following code example shows how to use disassociate-from-master-account.
- AWS CLI
To disassociate from the administrator account
The following disassociate-from-master-account example disassociates the requesting account from its current administrator account.
```bash
aws securityhub disassociate-from-master-account
```
This command produces no output.
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DisassociateFromMasterAccount in AWS CLI Command Reference.
The following code example shows how to use disassociate-members.
- AWS CLI
To disassociate member accounts
The following disassociate-members example disassociates the specified member accounts from the requesting administrator account.
```bash
aws securityhub disassociate-members \
    --account-ids "123456789111" "123456789222"
```
This command produces no output.
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
For API details, see DisassociateMembers in AWS CLI Command Reference.
The following code example shows how to use enable-import-findings-for-product.
- AWS CLI
To start receiving findings from a product integration
The following enable-import-findings-for-product example enables the flow of findings from the specified product integration.
aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"
Output:
{ "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon" }
For more information, see Managing product integrations in the AWS Security Hub User Guide.
- For API details, see EnableImportFindingsForProduct in AWS CLI Command Reference.
The following code example shows how to use enable-organization-admin-account.
- AWS CLI
To designate an organization account as the Security Hub administrator account
The following enable-organization-admin-account example designates the specified account as the Security Hub administrator account.
aws securityhub enable-organization-admin-account \
    --admin-account-id 777788889999
This command produces no output.
For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.
- For API details, see EnableOrganizationAdminAccount in AWS CLI Command Reference.
The following code example shows how to use enable-security-hub.
- AWS CLI
To enable AWS Security Hub
The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards, and it assigns the value Security to the tag Department on the hub resource.
aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'
This command produces no output.
For more information, see Enabling Security Hub in the AWS Security Hub User Guide.
- For API details, see EnableSecurityHub in AWS CLI Command Reference.
The following code example shows how to use get-administrator-account.
- AWS CLI
To retrieve information about the administrator account
The following get-administrator-account example retrieves information about the administrator account of the requesting account.
aws securityhub get-administrator-account
Output:
{ "Administrator": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": "2020-06-01T20:21:18.042000+00:00", "MemberStatus": "ASSOCIATED" } }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see GetAdministratorAccount in AWS CLI Command Reference.
The following code example shows how to use get-configuration-policy-association.
- AWS CLI
To get configuration association details for a target
The following get-configuration-policy-association example retrieves association details for the specified target. The target can be identified by account ID, organizational unit ID, or root ID.
aws securityhub get-configuration-policy-association \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'
Output:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }
For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.
- For API details, see GetConfigurationPolicyAssociation in AWS CLI Command Reference.
The following code example shows how to use get-configuration-policy.
- AWS CLI
To view configuration policy details
The following get-configuration-policy example retrieves details about the specified configuration policy.
aws securityhub get-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
Output:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }
For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.
- For API details, see GetConfigurationPolicy in AWS CLI Command Reference.
The following code example shows how to use get-enabled-standards.
- AWS CLI
To retrieve information about enabled standards
The following get-enabled-standards example retrieves information about the PCI DSS standard.
aws securityhub get-enabled-standards \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
Output:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "READY", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }
For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.
- For API details, see GetEnabledStandards in AWS CLI Command Reference.
The following code example shows how to use get-finding-aggregator.
- AWS CLI
To retrieve the current finding aggregation configuration
The following get-finding-aggregator example retrieves the current finding aggregation configuration.
aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000
Output:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": [ "us-west-1", "us-west-2" ] }
For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.
- For API details, see GetFindingAggregator in AWS CLI Command Reference.
The following code example shows how to use get-finding-history.
- AWS CLI
To get the history of a finding
The following get-finding-history example gets up to the last 90 days of history for the specified finding. In this example, the results are limited to two records of finding history.
aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub" \
    --max-results 2
Output:
{ "Records": [ { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-06-02T03:15:25.685000+00:00", "FindingCreated": false, "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [ { "UpdatedField": "Compliance.RelatedRequirements", "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]", "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]" }, { "UpdatedField": "LastObservedAt", "OldValue": "2023-06-01T09:15:38.587Z", "NewValue": "2023-06-02T03:15:22.946Z" }, { "UpdatedField": "UpdatedAt", "OldValue": "2023-06-01T09:15:31.049Z", "NewValue": "2023-06-02T03:15:14.861Z" }, { "UpdatedField": "ProcessedAt", "OldValue": "2023-06-01T09:15:41.058Z", "NewValue": "2023-06-02T03:15:25.685Z" } ] }, { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-05-23T02:06:51.518000+00:00", "FindingCreated": true, "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [] } ] }
For more information, see Finding history in the AWS Security Hub User Guide.
- For API details, see GetFindingHistory in AWS CLI Command Reference.
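Finding history is most useful as an audit trail: the UpdateSource of each record tells you whether a change came from the finding provider re-importing the finding (BATCH_IMPORT_FINDINGS) or from a BatchUpdateFindings call made by a person or an automation rule (BATCH_UPDATE_FINDINGS). The following script, added here as an example and not part of the AWS documentation, walks a get-finding-history response and pulls out the manual workflow transitions, so you can see who suppressed or resolved a finding and when. The history is constructed: the import records mirror the documented output above, while the BATCH_UPDATE_FINDINGS records, the IAM role identity and the "Workflow.Status" field name are assumptions.

```python
"""Audit `aws securityhub get-finding-history` output for manual workflow changes.
Added example, not AWS documentation code. SAMPLE_HISTORY is constructed."""
import json

FINDING_ID = ("arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/"
              "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/Admin"  # assumed principal


def _record(time, source_type, identity, updates, created=False):
    return {"FindingIdentifier": {"Id": FINDING_ID, "ProductArn": PRODUCT_ARN},
            "UpdateTime": time, "FindingCreated": created,
            "UpdateSource": {"Type": source_type, "Identity": identity},
            "Updates": updates}


# Constructed history, newest first as the API returns it. The "Workflow.Status"
# UpdatedField name follows the dotted ASFF paths seen in real records (assumption).
SAMPLE_HISTORY = {"Records": [
    _record("2023-06-03T10:12:00.000000+00:00", "BATCH_UPDATE_FINDINGS", ADMIN_ROLE,
            [{"UpdatedField": "Workflow.Status", "OldValue": "NOTIFIED", "NewValue": "SUPPRESSED"}]),
    _record("2023-06-02T03:15:25.685000+00:00", "BATCH_IMPORT_FINDINGS", PRODUCT_ARN,
            [{"UpdatedField": "LastObservedAt", "OldValue": "2023-06-01T09:15:38.587Z",
              "NewValue": "2023-06-02T03:15:22.946Z"}]),
    _record("2023-05-25T08:00:00.000000+00:00", "BATCH_UPDATE_FINDINGS", ADMIN_ROLE,
            [{"UpdatedField": "Workflow.Status", "OldValue": "NEW", "NewValue": "NOTIFIED"}]),
    _record("2023-05-23T02:06:51.518000+00:00", "BATCH_IMPORT_FINDINGS", PRODUCT_ARN, [],
            created=True),
]}


def workflow_changes(history, manual_only=True):
    """Every Workflow.Status transition, oldest first. With manual_only, keep only
    BATCH_UPDATE_FINDINGS sources, i.e. changes made through BatchUpdateFindings
    rather than by the provider re-importing the finding."""
    changes = []
    for rec in history["Records"]:
        src = rec["UpdateSource"]
        if manual_only and src["Type"] != "BATCH_UPDATE_FINDINGS":
            continue
        for upd in rec["Updates"]:
            if upd["UpdatedField"] == "Workflow.Status":
                changes.append({"time": rec["UpdateTime"], "by": src["Identity"],
                                "from": upd["OldValue"], "to": upd["NewValue"]})
    # UpdateTime strings share one ISO 8601 layout, so lexical order is chronological.
    return sorted(changes, key=lambda c: c["time"])


def suppressions_by_principal(history):
    """Map identity -> number of times it set the finding to SUPPRESSED. Across many
    findings this surfaces a single principal silencing findings in bulk."""
    counts = {}
    for change in workflow_changes(history):
        if change["to"] == "SUPPRESSED":
            counts[change["by"]] = counts.get(change["by"], 0) + 1
    return counts


def created_at(history):
    """UpdateTime of the record that created the finding, or None when creation
    lies outside the retained history window."""
    for rec in history["Records"]:
        if rec["FindingCreated"] is True:
            return rec["UpdateTime"]
    return None


if __name__ == "__main__":
    print(json.dumps(workflow_changes(SAMPLE_HISTORY), indent=2))
    print(suppressions_by_principal(SAMPLE_HISTORY))
```

Feed the script the JSON from `aws securityhub get-finding-history` (the Records list has the same shape for any finding) and run it per finding, or over a batch of findings collected with get-findings, to build the suppression report.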
The following code example shows how to use get-findings.
- AWS CLI
Example 1: To return findings generated for a specific standard
The following get-findings example returns findings for the PCI DSS standard.
aws securityhub get-findings \
    --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \
    --max-items 1
Output:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub", "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FindingProviderFields": { "Severity": { "Original": 0, "Label": "INFORMATIONAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] }, "FirstObservedAt": "2020-06-02T14:02:49.159Z", "LastObservedAt": "2020-06-02T14:02:52.397Z", "CreatedAt": "2020-06-02T14:02:49.159Z", "UpdatedAt": "2020-06-02T14:02:52.397Z", "Severity": { "Original": 0, "Label": "INFORMATIONAL", "Normalized": 0 }, "Title": "PCI.Lambda.2 Lambda functions should be in a VPC", "Description": "This AWS control checks whether a Lambda function is in a VPC.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.Lambda.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation", "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2", "aws/securityhub/SeverityLabel": "INFORMATIONAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "PASSED", "RelatedRequirements": [ "PCI DSS 1.2.1", "PCI DSS 1.3.1", "PCI DSS 1.3.2", "PCI DSS 1.3.4" ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ARCHIVED" } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ==" }
Example 2: To return critical findings with a workflow status of NOTIFIED
The following get-findings example returns findings whose severity label is CRITICAL and whose workflow status is NOTIFIED. The results are sorted in descending order by Confidence.
aws securityhub get-findings \
    --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \
    --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \
    --max-items 1
Output:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub", "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FindingProviderFields": { "Severity": { "Original": 90, "Label": "CRITICAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] }, "FirstObservedAt": "2020-05-21T20:16:34.752Z", "LastObservedAt": "2020-06-09T08:16:37.171Z", "CreatedAt": "2020-05-21T20:16:34.752Z", "UpdatedAt": "2020-06-09T08:16:36.430Z", "Severity": { "Original": 90, "Label": "CRITICAL", "Normalized": 90 }, "Title": "1.13 Ensure MFA is enabled for the \"root\" account", "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "1.13", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation", "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13", "aws/securityhub/SeverityLabel": "CRITICAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "FAILED" }, "WorkflowState": "NEW", "Workflow": { "Status": "NOTIFIED" }, "RecordState": "ACTIVE" } ] }
For more information, see Filtering and grouping findings in the AWS Security Hub User Guide.
- For API details, see GetFindings in AWS CLI Command Reference.
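The two get-findings examples above hand-write the --filters JSON. The semantics of that document are easy to get wrong: different attributes are ANDed, EQUALS and PREFIX values on one attribute are ORed, and NOT_EQUALS values on one attribute are ANDed. The following script, added here as an example and not part of the AWS documentation, builds the filter document from keyword criteria (so it can be pasted into the CLI) and evaluates the same semantics locally against a constructed set of findings, which is handy for testing a triage query before running it against a real account. The sample findings, their Confidence values and the EXAMPLE22222 to EXAMPLE44444 IDs are constructed; the mapping from filter attribute to ASFF field is the documented one.

```python
"""Build and locally evaluate AwsSecurityFindingFilters for `get-findings`.
Added example, not AWS documentation code. SAMPLE_FINDINGS is constructed."""
from __future__ import annotations

import json
from typing import Any

# Filter attribute -> path inside an ASFF finding. Resource-level attributes
# match if any entry of Resources[] matches.
FIELD_PATHS = {
    "GeneratorId": ("GeneratorId",),
    "AwsAccountId": ("AwsAccountId",),
    "SeverityLabel": ("Severity", "Label"),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
    "ComplianceStatus": ("Compliance", "Status"),
    "ResourceType": ("Resources", "Type"),
    "ResourceId": ("Resources", "Id"),
}


def build_filters(**criteria: str | list[str]) -> dict[str, list[dict[str, str]]]:
    """Keyword criteria -> the JSON passed to --filters.
    'prefix:pci-dss' -> PREFIX, '!CRITICAL' -> NOT_EQUALS, anything else -> EQUALS."""
    filters: dict[str, list[dict[str, str]]] = {}
    for attr, raw in criteria.items():
        if attr not in FIELD_PATHS:
            raise ValueError(f"unsupported filter attribute: {attr}")
        for value in [raw] if isinstance(raw, str) else raw:
            if value.startswith("prefix:"):
                comparison, value = "PREFIX", value[len("prefix:"):]
            elif value.startswith("!"):
                comparison, value = "NOT_EQUALS", value[1:]
            else:
                comparison = "EQUALS"
            filters.setdefault(attr, []).append({"Value": value, "Comparison": comparison})
    return filters


def cli_command(filters: dict, max_items: int = 1) -> str:
    """The get-findings invocation that applies the same filters server-side."""
    return f"aws securityhub get-findings --filters '{json.dumps(filters)}' --max-items {max_items}"


def _values_at(finding: dict[str, Any], path: tuple[str, ...]) -> list[str]:
    if path[0] == "Resources":
        return [str(r.get(path[1], "")) for r in finding.get("Resources", [])]
    node: Any = finding
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return [node] if isinstance(node, str) else []


def matches(finding: dict[str, Any], filters: dict[str, list[dict[str, str]]]) -> bool:
    """StringFilter semantics: attributes are ANDed; on one attribute EQUALS/PREFIX
    clauses are ORed and NOT_EQUALS clauses are ANDed."""
    for attr, clauses in filters.items():
        values = _values_at(finding, FIELD_PATHS[attr])
        positive = [c for c in clauses if c["Comparison"] in ("EQUALS", "PREFIX")]
        negative = [c for c in clauses if c["Comparison"] == "NOT_EQUALS"]
        if positive and not any(
            v == c["Value"] if c["Comparison"] == "EQUALS" else v.startswith(c["Value"])
            for c in positive for v in values
        ):
            return False
        if any(v == c["Value"] for c in negative for v in values):
            return False
    return True


def select(findings, filters, sort_field: str = "Confidence", descending: bool = True):
    """IDs of matching findings, ordered like --sort-criteria on a numeric field."""
    hits = [f for f in findings if matches(f, filters)]
    hits.sort(key=lambda f: f.get(sort_field, 0), reverse=descending)
    return [f["Id"] for f in hits]


ACCT = "123456789012"
PCI_ID = f"arn:aws:securityhub:us-west-1:{ACCT}:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
CIS_ID = f"arn:aws:securityhub:us-west-1:{ACCT}:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
S3_ID = f"arn:aws:securityhub:us-west-1:{ACCT}:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
CT_ID = f"arn:aws:securityhub:us-west-1:{ACCT}:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE44444"


def _finding(fid, generator, severity, workflow, record, rtype, rid, confidence=None):
    f = {"Id": fid, "GeneratorId": generator, "AwsAccountId": ACCT,
         "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
         "RecordState": record, "Resources": [{"Type": rtype, "Id": rid}]}
    if confidence is not None:
        f["Confidence"] = confidence
    return f


# Constructed sample set (not real findings); only the fields the filters use.
SAMPLE_FINDINGS = [
    _finding(PCI_ID, "pci-dss/v/3.2.1/PCI.Lambda.2", "INFORMATIONAL", "NEW", "ARCHIVED",
             "AwsAccount", f"AWS::::Account:{ACCT}"),
    _finding(CIS_ID, "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13",
             "CRITICAL", "NOTIFIED", "ACTIVE", "AwsAccount", f"AWS::::Account:{ACCT}", confidence=95),
    _finding(S3_ID, "security-control/S3.17", "CRITICAL", "NOTIFIED", "ACTIVE",
             "AwsS3Bucket", "arn:aws:s3:::example-bucket", confidence=60),
    _finding(CT_ID, "security-control/CloudTrail.2", "CRITICAL", "RESOLVED", "ACTIVE",
             "AwsCloudTrailTrail", f"arn:aws:cloudtrail:us-west-1:{ACCT}:trail/example", confidence=80),
]

if __name__ == "__main__":
    crit = build_filters(SeverityLabel="CRITICAL", WorkflowStatus="NOTIFIED")
    print(cli_command(crit))
    print(select(SAMPLE_FINDINGS, crit))
```

`build_filters(GeneratorId="prefix:pci-dss")` reproduces exactly the filter document of Example 1, and `build_filters(SeverityLabel="CRITICAL", WorkflowStatus="NOTIFIED")` that of Example 2; `select` applies them locally with the Confidence ordering that Example 2 requests via --sort-criteria.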
The following code example shows how to use get-insight-results.
- AWS CLI
To retrieve the results for an insight
The following get-insight-results example returns the list of insight results for the insight with the specified ARN.
aws securityhub get-insight-results \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
Output:
{ "InsightResults": { "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ResultValues": [ { "Count": 10, "GroupByAttributeValue": "AWS::::Account:123456789111" }, { "Count": 3, "GroupByAttributeValue": "AWS::::Account:123456789222" } ] } }
For more information, see Viewing and taking action on insight results and findings in the AWS Security Hub User Guide.
- For API details, see GetInsightResults in AWS CLI Command Reference.
The following code example shows how to use get-insights.
- AWS CLI
To retrieve details about an insight
The following get-insights example retrieves the configuration details for the insight with the specified ARN.
aws securityhub get-insights \
    --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
Output:
{ "Insights": [ { "Filters": { "ResourceType": [ { "Comparison": "EQUALS", "Value": "AwsIamRole" } ], "SeverityLabel": [ { "Comparison": "EQUALS", "Value": "CRITICAL" } ] }, "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Critical role findings" } ] }
For more information, see Insights in AWS Security Hub in the AWS Security Hub User Guide.
- For API details, see GetInsights in AWS CLI Command Reference.
The following code example shows how to use get-invitations-count.
- AWS CLI
To retrieve the count of invitations that were not accepted
The following get-invitations-count example retrieves the number of invitations that the requesting account has rejected or not responded to.
aws securityhub get-invitations-count
Output:
{ "InvitationsCount": 3 }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see GetInvitationsCount in AWS CLI Command Reference.
The following code example shows how to use get-master-account.
- AWS CLI
To retrieve information about the administrator account
The following get-master-account example retrieves information about the administrator account of the requesting account.
aws securityhub get-master-account
Output:
{ "Master": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": "2020-06-01T20:21:18.042000+00:00", "MemberStatus": "ASSOCIATED" } }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see GetMasterAccount in AWS CLI Command Reference.
The following code example shows how to use get-members.
- AWS CLI
To retrieve information about selected member accounts
The following get-members example retrieves information about the specified member accounts.
aws securityhub get-members \
    --account-ids "123456789111" "123456789222"
Output:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": "2020-06-01T20:15:15.289000+00:00", "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": "2020-06-01T20:15:15.289000+00:00" }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": "2020-06-01T20:15:15.289000+00:00", "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": "2020-06-01T20:15:15.289000+00:00" } ], "UnprocessedAccounts": [ ] }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see GetMembers in AWS CLI Command Reference.
The following code example shows how to use get-security-control-definition.
- AWS CLI
To get definition details for a security control
The following get-security-control-definition example retrieves definition details for a Security Hub security control. The details include the control title, description, Region availability, parameters, and other information.
aws securityhub get-security-control-definition \
    --security-control-id ACM.1
Output:
{ "SecurityControlDefinition": { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "ParameterDefinitions": { "daysToExpiration": { "Description": "Number of days within which the ACM certificate must be renewed", "ConfigurationOptions": { "Integer": { "DefaultValue": 30, "Min": 14, "Max": 365 } } } } } }
For more information, see Custom control parameters in the AWS Security Hub User Guide.
- For API details, see GetSecurityControlDefinition in AWS CLI Command Reference.
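The get-configuration-policy output earlier on this page and the get-security-control-definition output above fit together: a policy disables controls and sets custom parameter values, and the control definition states the allowed range for each parameter (for ACM.1, daysToExpiration between 14 and 365, default 30). Before a policy is associated with an OU it is worth checking it against both. The following script, added here as an example and not part of the AWS documentation, does that: it takes the documented sample policy and control definition as its input and reports any required standard that is missing, any control on a do-not-disable list that the policy disables, and any custom integer parameter outside the definition's bounds. The BASELINE (which standards are required and which controls must never be disabled) is an assumption made for illustration.

```python
"""Validate a Security Hub configuration policy against a baseline and against
control parameter bounds. Added example, not AWS documentation code."""
import copy

# ConfigurationPolicy from the documented get-configuration-policy output.
POLICY = {
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "SampleConfigurationPolicy",
    "ConfigurationPolicy": {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": [
            "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        "SecurityControlsConfiguration": {
            "DisabledSecurityControlIdentifiers": ["CloudTrail.2"],
            "SecurityControlCustomParameters": [
                {"SecurityControlId": "ACM.1",
                 "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}},
            ],
        },
    }},
}

# SecurityControlDefinition objects (from get-security-control-definition) keyed by control ID.
DEFINITIONS = {
    "ACM.1": {"SecurityControlId": "ACM.1", "ParameterDefinitions": {
        "daysToExpiration": {"ConfigurationOptions": {"Integer": {"DefaultValue": 30, "Min": 14, "Max": 365}}}}},
}

# Assumed organisational baseline, not from the AWS documentation.
BASELINE = {
    "required_standards": {
        "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0"},
    "never_disable": {"CloudTrail.1", "CloudTrail.2", "CloudTrail.4"},
}


def validate_policy(policy, baseline=BASELINE, definitions=DEFINITIONS):
    """Return a list of problems; an empty list means the policy meets the baseline."""
    problems = []
    hub = policy["ConfigurationPolicy"]["SecurityHub"]
    if not hub.get("ServiceEnabled", False):
        problems.append("ServiceEnabled is false: Security Hub would be disabled on targets")
    enabled = set(hub.get("EnabledStandardIdentifiers", []))
    for std in sorted(baseline["required_standards"] - enabled):
        problems.append(f"required standard not enabled: {std}")
    controls = hub.get("SecurityControlsConfiguration", {})
    for cid in controls.get("DisabledSecurityControlIdentifiers", []):
        if cid in baseline["never_disable"]:
            problems.append(f"control {cid} is disabled but the baseline forbids disabling it")
    for custom in controls.get("SecurityControlCustomParameters", []):
        cid = custom["SecurityControlId"]
        defn = definitions.get(cid)
        if defn is None:
            problems.append(f"{cid}: no control definition available to validate parameters")
            continue
        for name, param in custom["Parameters"].items():
            pdef = defn["ParameterDefinitions"].get(name)
            if pdef is None:
                problems.append(f"{cid}: unknown parameter {name}")
            elif param.get("ValueType") == "CUSTOM" and "Integer" in pdef["ConfigurationOptions"]:
                # ValueType DEFAULT means Security Hub uses DefaultValue; only CUSTOM needs a range check.
                bounds = pdef["ConfigurationOptions"]["Integer"]
                value = param["Value"]["Integer"]
                if not bounds["Min"] <= value <= bounds["Max"]:
                    problems.append(f"{cid}.{name}={value} outside [{bounds['Min']}, {bounds['Max']}]")
    return problems


def with_parameter(policy, control_id, name, integer):
    """Copy of the policy with one integer parameter changed, for what-if checks."""
    changed = copy.deepcopy(policy)
    cfg = changed["ConfigurationPolicy"]["SecurityHub"]["SecurityControlsConfiguration"]
    for custom in cfg["SecurityControlCustomParameters"]:
        if custom["SecurityControlId"] == control_id:
            custom["Parameters"][name] = {"ValueType": "CUSTOM", "Value": {"Integer": integer}}
    return changed


def with_disabled(policy, control_ids):
    """Copy of the policy with a different DisabledSecurityControlIdentifiers list."""
    changed = copy.deepcopy(policy)
    cfg = changed["ConfigurationPolicy"]["SecurityHub"]["SecurityControlsConfiguration"]
    cfg["DisabledSecurityControlIdentifiers"] = list(control_ids)
    return changed


if __name__ == "__main__":
    for problem in validate_policy(POLICY):
        print(problem)
```

In practice you would load the policy from `aws securityhub get-configuration-policy --identifier ...` and populate DEFINITIONS with one `get-security-control-definition` call per control that has custom parameters; the baseline lives in version control next to the policy.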
The following code example shows how to use invite-members.
- AWS CLI
To send invitations to member accounts
The following invite-members example sends invitations to the specified member accounts.
aws securityhub invite-members \
    --account-ids "123456789111" "123456789222"
Output:
{ "UnprocessedAccounts": [] }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see InviteMembers in AWS CLI Command Reference.
The following code example shows how to use list-automation-rules.
- AWS CLI
To view a list of automation rules
The following list-automation-rules example lists the automation rules for an AWS account. Only the Security Hub administrator account can run this command.
aws securityhub list-automation-rules \
    --max-results 3 \
    --next-token NULL
Output:
{ "AutomationRulesMetadata": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:37:20.223000+00:00", "UpdatedAt": "2023-07-15T23:37:20.223000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:45:25.126000+00:00", "UpdatedAt": "2023-07-15T23:45:25.126000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ] }
For more information, see Viewing automation rules in the AWS Security Hub User Guide.
- For API details, see ListAutomationRules in AWS CLI Command Reference.
The following code example shows how to use list-configuration-policies.
- AWS CLI
To list configuration policy summaries
The following list-configuration-policies example lists a summary of configuration policies for the organization.
aws securityhub list-configuration-policies \
    --max-items 3
Output:
{ "ConfigurationPolicySummaries": [ { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy1", "Description": "SampleDescription1", "UpdatedAt": "2023-09-26T21:08:36.214000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Name": "SampleConfigurationPolicy2", "Description": "SampleDescription2", "UpdatedAt": "2023-11-28T19:26:25.207000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Name": "SampleConfigurationPolicy3", "Description": "SampleDescription3", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "ServiceEnabled": true } ] }
For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.
- For API details, see ListConfigurationPolicies in AWS CLI Command Reference.
The following code example shows how to use list-configuration-policy-associations.
- AWS CLI
To list configuration associations
The following list-configuration-policy-associations example lists a summary of configuration associations for the organization. The response includes associations with configuration policies and with self-managed behavior.
aws securityhub list-configuration-policy-associations \
    --filters '{"AssociationType": "APPLIED"}' \
    --max-items 4
Output:
{ "ConfigurationPolicyAssociationSummaries": [ { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "TargetId": "r-1ab2", "TargetType": "ROOT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T19:26:49.417000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "TargetId": "ou-1ab2-c3de4f5g", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:14:05.283000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "One or more children under this target failed association." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }, { "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "111122223333", "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T22:01:26.409000+00:00", "AssociationStatus": "SUCCESS" } ] }
For more information, see Viewing configuration policy status and details in the AWS Security Hub User Guide.
- For API details, see ListConfigurationPolicyAssociations in AWS CLI Command Reference.
The following code example shows how to use list-enabled-products-for-import.
- AWS CLI
To return the list of enabled product integrations
The following list-enabled-products-for-import example returns the list of subscription ARNs for the product integrations that are currently enabled.
aws securityhub list-enabled-products-for-import
Output:
{ "ProductSubscriptions": [ "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon", "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub" ] }
For more information, see Managing product integrations in the AWS Security Hub User Guide.
- For API details, see ListEnabledProductsForImport in AWS CLI Command Reference.
The following code example shows how to use list-finding-aggregators.
- AWS CLI
To list the finding aggregation configurations
The following list-finding-aggregators example returns the ARN of each finding aggregation configuration.
aws securityhub list-finding-aggregators
Output:
{ "FindingAggregators": [ { "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000" } ] }
For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.
- For API details, see ListFindingAggregators in AWS CLI Command Reference.
The following code example shows how to use list-invitations.
- AWS CLI
To display the list of invitations
The following list-invitations example retrieves the list of invitations sent to the requesting account.
aws securityhub list-invitations
Output:
{ "Invitations": [ { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": "2020-06-01T20:21:18.042000+00:00", "MemberStatus": "ASSOCIATED" } ] }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see ListInvitations in AWS CLI Command Reference.
The following code example shows how to use list-members.
- AWS CLI
To retrieve the list of member accounts
The following list-members example returns the list of member accounts for the requesting administrator account.
aws securityhub list-members
Output:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": "2020-06-01T20:15:15.289000+00:00", "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": "2020-06-01T20:15:15.289000+00:00" }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": "2020-06-01T20:15:15.289000+00:00", "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": "2020-06-01T20:15:15.289000+00:00" } ] }
For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.
- For API details, see ListMembers in AWS CLI Command Reference.
The following code example shows how to use list-organization-admin-accounts.
- AWS CLI
To list the designated Security Hub administrator accounts
The following list-organization-admin-accounts example lists the Security Hub administrator accounts for an organization.
aws securityhub list-organization-admin-accounts
Output:
{ "AdminAccounts": [ { "AccountId": "777788889999", "Status": "ENABLED" } ] }
For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.
- For API details, see ListOrganizationAdminAccounts in AWS CLI Command Reference.
The following code example shows how to use list-security-control-definitions.
- AWS CLI
Example 1: To list all available security controls
The following list-security-control-definitions example lists the available security controls across all Security Hub standards. In this example, the results are limited to three controls.
aws securityhub list-security-control-definitions \
    --max-items 3
Output:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] }, { "SecurityControlId": "ACM.2", "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits", "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "APIGateway.1", "Title": "API Gateway REST and WebSocket API execution logging should be enabled", "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] } ], "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg==" }
For more information, see Viewing details for a standard in the AWS Security Hub User Guide.
Example 2: To list the available security controls for a specific standard
The following list-security-control-definitions example lists the available security controls for the CIS AWS Foundations Benchmark v1.4.0 standard. In this example, the results are limited to three controls.
aws securityhub list-security-control-definitions \
    --standards-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
    --max-items 3
Output:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "CloudTrail.1", "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.2", "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.4", "Title": "CloudTrail log file validation should be enabled", "Description": "This AWS control checks whether CloudTrail log file validation is enabled.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ==" }
For more information, see Viewing details for a standard in the AWS Security Hub User Guide.
- For API details, see ListSecurityControlDefinitions in AWS CLI Command Reference.
The following code example shows how to use list-standards-control-associations.
- AWS CLI
To get the enablement status of a control in each enabled standard
The following list-standards-control-associations example lists the enablement status of CloudTrail.1 in each enabled standard.
aws securityhub list-standards-control-associations \
    --security-control-id CloudTrail.1
Output:
{ "StandardsControlAssociationSummaries": [ { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "NIST.800-53.r5 AC-2(4)", "NIST.800-53.r5 AC-4(26)", "NIST.800-53.r5 AC-6(9)", "NIST.800-53.r5 AU-10", "NIST.800-53.r5 AU-12", "NIST.800-53.r5 AU-2", "NIST.800-53.r5 AU-3", "NIST.800-53.r5 AU-6(3)", "NIST.800-53.r5 AU-6(4)", "NIST.800-53.r5 AU-14(1)", "NIST.800-53.r5 CA-7", "NIST.800-53.r5 SC-7(9)", "NIST.800-53.r5 SI-3(8)", "NIST.800-53.r5 SI-4(20)", "NIST.800-53.r5 SI-7(8)", "NIST.800-53.r5 SA-8(22)" ], "UpdatedAt": "2023-05-15T17:52:21.304000+00:00", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.1" ], "UpdatedAt": "2020-02-10T21:22:53.998000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2023-05-15T19:31:52.671000+00:00", "UpdatedReason": "Alternative compensating controls are in place", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.4.0/3.1" ], "UpdatedAt": "2022-11-10T15:40:36.021000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." } ] }
有关更多信息,请参阅《AWS Security Hub 用户指南》中的在指定标准中启用或禁用控件。
-
有关 API 的详细信息,请参阅AWS CLI 命令参考ListStandardsControlAssociations
中的。
-
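The output above shows the same control enabled in some standards and disabled in another, with the disable reason recorded in UpdatedReason. The following is an added example (not part of the AWS documentation) that post-processes that JSON offline: it lists every standard in which the control is disabled and flags any disabled association that carries no reason. The input is a constructed, trimmed copy of the page's output; the ARN-to-name helper assumes the standards ARN formats shown on this page.

```python
import json

# Constructed sample: a trimmed copy of the page's output for CloudTrail.1,
# keeping only the fields the audit below reads.
SAMPLE_OUTPUT = json.dumps({"StandardsControlAssociationSummaries": [
    {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
     "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
     "UpdatedAt": "2023-05-15T17:52:21.304000+00:00"},
    {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/"
                     "aws-foundational-security-best-practices/v/1.0.0",
     "SecurityControlId": "CloudTrail.1", "AssociationStatus": "DISABLED",
     "UpdatedAt": "2023-05-15T19:31:52.671000+00:00",
     "UpdatedReason": "Alternative compensating controls are in place"},
    {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
     "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
     "UpdatedAt": "2020-02-10T21:22:53.998000+00:00"},
]})


def standard_name(standards_arn):
    """Reduce a standards ARN to 'name/v/version', e.g. 'nist-800-53/v/5.0.0'.

    Assumes the ARN shapes on this page: the resource part follows the last
    ':' and begins with 'standards/' or, for the CIS 1.2.0 ruleset, 'ruleset/'.
    """
    resource = standards_arn.rsplit(":", 1)[1]
    return resource.split("/", 1)[1]


def disabled_associations(cli_output):
    """Return one record per standard in which the control is DISABLED.

    A disabled association with no UpdatedReason is flagged for review: an
    undocumented exception is what an auditor most needs to follow up on.
    """
    summaries = json.loads(cli_output)["StandardsControlAssociationSummaries"]
    return [{
        "control": s["SecurityControlId"],
        "standard": standard_name(s["StandardsArn"]),
        "since": s["UpdatedAt"],
        "reason": s.get("UpdatedReason"),
        "needs_review": "UpdatedReason" not in s,
    } for s in summaries if s["AssociationStatus"] == "DISABLED"]


if __name__ == "__main__":
    for record in disabled_associations(SAMPLE_OUTPUT):
        print(record)
```

Pipe the real CLI output into `disabled_associations` to get the same report for a live account.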
The following code example shows how to use list-tags-for-resource.

- AWS CLI

Retrieve the tags assigned to a resource

The following list-tags-for-resource example returns the tags assigned to the specified Hub resource.

    aws securityhub list-tags-for-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

    {
        "Tags": {
            "Department": "Operations",
            "Area": "USMidwest"
        }
    }

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

- For API details, see ListTagsForResource in the AWS CLI Command Reference.
The following code example shows how to use start-configuration-policy-association.

- AWS CLI

Example 1: Associate a configuration policy

The following start-configuration-policy-association example associates the specified configuration policy with the specified organizational unit. A configuration can be associated with a target account, organizational unit, or root.

    aws securityhub start-configuration-policy-association \
        --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
        --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

    {
        "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
        "TargetId": "ou-6hi7-8j91kl2m",
        "TargetType": "ORGANIZATIONAL_UNIT",
        "AssociationType": "APPLIED",
        "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
        "AssociationStatus": "PENDING"
    }

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

Example 2: Associate a self-managed configuration

The following start-configuration-policy-association example associates a self-managed configuration with the specified account. Because the target is an account, the target object uses the AccountId key (the output reports a TargetType of ACCOUNT).

    aws securityhub start-configuration-policy-association \
        --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
        --target '{"AccountId": "123456789012"}'

Output:

    {
        "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
        "TargetId": "123456789012",
        "TargetType": "ACCOUNT",
        "AssociationType": "APPLIED",
        "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
        "AssociationStatus": "PENDING"
    }

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

- For API details, see StartConfigurationPolicyAssociation in the AWS CLI Command Reference.
The following code example shows how to use start-configuration-policy-disassociation.

- AWS CLI

Example 1: Disassociate a configuration policy

The following start-configuration-policy-disassociation example disassociates a configuration policy from the specified organizational unit. A configuration can be disassociated from a target account, organizational unit, or root.

    aws securityhub start-configuration-policy-disassociation \
        --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
        --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.

Example 2: Disassociate a self-managed configuration

The following start-configuration-policy-disassociation example disassociates a self-managed configuration from the specified account.

    aws securityhub start-configuration-policy-disassociation \
        --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
        --target '{"AccountId": "123456789012"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.

- For API details, see StartConfigurationPolicyDisassociation in the AWS CLI Command Reference.
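Both the association and disassociation examples above pass the target as a one-key JSON object, and the key has to match the identifier type (an account target is sent as AccountId, an OU as OrganizationalUnitId, a root as RootId). The following is an added example (not part of the AWS documentation) that derives the key from the identifier's shape and renders the full command line for either operation, so a mismatched key is caught before the call is made. The regular expressions for account, OU and root identifier formats are assumptions, not taken from this page.

```python
import json
import re
import shlex

# Assumed identifier shapes for the three Target keys accepted by
# start-configuration-policy-association / -disassociation.
_TARGET_PATTERNS = (
    ("AccountId", re.compile(r"^\d{12}$")),
    ("OrganizationalUnitId", re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")),
    ("RootId", re.compile(r"^r-[a-z0-9]{4,32}$")),
)


def build_target(identifier):
    """Return {"AccountId" | "OrganizationalUnitId" | "RootId": identifier}.

    Raises ValueError for anything that is not a well-formed account ID,
    OU ID or root ID, rather than letting the API reject it later.
    """
    for key, pattern in _TARGET_PATTERNS:
        if pattern.match(identifier):
            return {key: identifier}
    raise ValueError(f"not an account, OU or root identifier: {identifier!r}")


def association_command(policy, identifier, disassociate=False):
    """Render the CLI invocation as one shell-safe line.

    `policy` is a configuration policy ARN or "SELF_MANAGED_SECURITY_HUB";
    `disassociate=True` emits the disassociation subcommand instead.
    """
    verb = ("start-configuration-policy-disassociation" if disassociate
            else "start-configuration-policy-association")
    argv = ["aws", "securityhub", verb,
            "--configuration-policy-identifier", policy,
            "--target", json.dumps(build_target(identifier))]
    return shlex.join(argv)


if __name__ == "__main__":
    print(association_command("SELF_MANAGED_SECURITY_HUB", "123456789012"))
    print(association_command(
        "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/"
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "ou-6hi7-8j91kl2m", disassociate=True))
```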
The following code example shows how to use tag-resource.

- AWS CLI

Add tags to a resource

The following tag-resource example assigns values for the Department and Area tags to the specified Hub resource.

    aws securityhub tag-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
        --tags '{"Department":"Operations", "Area":"USMidwest"}'

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

- For API details, see TagResource in the AWS CLI Command Reference.
The following code example shows how to use untag-resource.

- AWS CLI

Remove a tag value from a resource

The following untag-resource example removes the Department tag from the specified Hub resource.

    aws securityhub untag-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
        --tag-keys "Department"

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

- For API details, see UntagResource in the AWS CLI Command Reference.
The following code example shows how to use update-action-target.

- AWS CLI

Update a custom action

The following update-action-target example updates the name of the custom action identified by the specified ARN.

    aws securityhub update-action-target \
        --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" \
        --name "Send to remediation"

This command produces no output.

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

- For API details, see UpdateActionTarget in the AWS CLI Command Reference.
The following code example shows how to use update-configuration-policy.

- AWS CLI

Update a configuration policy

The following update-configuration-policy example updates an existing configuration policy to use the specified settings.

    aws securityhub update-configuration-policy \
        --identifier "arn:aws:securityhub:eu-central-1:508236694226:configuration-policy/09f37766-57d8-4ede-9d33-5d8b0fecf70e" \
        --name "SampleConfigurationPolicyUpdated" \
        --description "SampleDescriptionUpdated" \
        --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \
        --updated-reason "Disabling CloudWatch.1 and changing parameter value"

Output:

    {
        "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Name": "SampleConfigurationPolicyUpdated",
        "Description": "SampleDescriptionUpdated",
        "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
        "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
        "ConfigurationPolicy": {
            "SecurityHub": {
                "ServiceEnabled": true,
                "EnabledStandardIdentifiers": [
                    "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                ],
                "SecurityControlsConfiguration": {
                    "DisabledSecurityControlIdentifiers": [
                        "CloudWatch.1"
                    ],
                    "SecurityControlCustomParameters": [
                        {
                            "SecurityControlId": "ACM.1",
                            "Parameters": {
                                "daysToExpiration": {
                                    "ValueType": "CUSTOM",
                                    "Value": {
                                        "Integer": 21
                                    }
                                }
                            }
                        }
                    ]
                }
            }
        }
    }

For more information, see Updating Security Hub configuration policies in the AWS Security Hub User Guide.

- For API details, see UpdateConfigurationPolicy in the AWS CLI Command Reference.
The following code example shows how to use update-finding-aggregator.

- AWS CLI

Update the current finding aggregation configuration

The following update-finding-aggregator example changes the finding aggregation configuration to link from the specified Regions. It is run from the aggregation Region, US East (N. Virginia), and selects US West (N. California) and US West (Oregon) as the linked Regions.

    aws securityhub update-finding-aggregator \
        --region us-east-1 \
        --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
        --region-linking-mode SPECIFIED_REGIONS \
        --regions us-west-1,us-west-2

This command produces no output.

For more information, see Updating the finding aggregation configuration in the AWS Security Hub User Guide.

- For API details, see UpdateFindingAggregator in the AWS CLI Command Reference.
The following code example shows how to use update-insight.

- AWS CLI

Example 1: Change the filters for a custom insight

The following update-insight example changes the filters for a custom insight. The updated insight looks for high severity findings that are related to AWS roles.

    aws securityhub update-insight \
        --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
        --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
        --name "High severity role findings"

Example 2: Change the grouping attribute for a custom insight

The following update-insight example changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.

    aws securityhub update-insight \
        --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
        --group-by-attribute "ResourceId" \
        --name "Critical role findings"

Output:

    {
        "Insights": [
            {
                "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "Name": "Critical role findings",
                "Filters": {
                    "SeverityLabel": [
                        {
                            "Value": "CRITICAL",
                            "Comparison": "EQUALS"
                        }
                    ],
                    "ResourceType": [
                        {
                            "Value": "AwsIamRole",
                            "Comparison": "EQUALS"
                        }
                    ]
                },
                "GroupByAttribute": "ResourceId"
            }
        ]
    }

For more information, see Managing custom insights in the AWS Security Hub User Guide.

- For API details, see UpdateInsight in the AWS CLI Command Reference.
The following code example shows how to use update-organization-configuration.

- AWS CLI

Update how Security Hub is configured for an organization

The following update-organization-configuration example specifies that Security Hub should use central configuration to configure an organization. After running this command, the delegated Security Hub administrator can configure the organization by creating and managing configuration policies. The delegated administrator can also use this command to switch from central configuration to local configuration. If the configuration type is local configuration, the delegated administrator can choose whether to automatically enable Security Hub and the default security standards in new organization accounts.

    aws securityhub update-organization-configuration \
        --no-auto-enable \
        --organization-configuration '{"ConfigurationType": "CENTRAL"}'

This command produces no output.

For more information, see Managing accounts with AWS Organizations in the AWS Security Hub User Guide.

- For API details, see UpdateOrganizationConfiguration in the AWS CLI Command Reference.
The following code example shows how to use update-security-control.

- AWS CLI

Update security control properties

The following update-security-control example specifies a custom value for a Security Hub security control parameter.

    aws securityhub update-security-control \
        --security-control-id ACM.1 \
        --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \
        --last-update-reason "Internal compliance requirement"

This command produces no output.

For more information, see Custom control parameters in the AWS Security Hub User Guide.

- For API details, see UpdateSecurityControl in the AWS CLI Command Reference.
The following code example shows how to use update-security-hub-configuration.

- AWS CLI

Update the Security Hub configuration

The following update-security-hub-configuration example configures Security Hub to automatically enable new controls for enabled standards.

    aws securityhub update-security-hub-configuration \
        --auto-enable-controls

This command produces no output.

For more information, see Automatically enabling new controls in the AWS Security Hub User Guide.

- For API details, see UpdateSecurityHubConfiguration in the AWS CLI Command Reference.
The following code example shows how to use update-standards-control.

- AWS CLI

Example 1: Disable a control

The following update-standards-control example disables the PCI.AutoScaling.1 control.

    aws securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
        --control-status "DISABLED" \
        --disabled-reason "Not applicable for my service"

This command produces no output.

Example 2: Enable a control

The following update-standards-control example enables the PCI.AutoScaling.1 control.

    aws securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
        --control-status "ENABLED"

This command produces no output.

For more information, see Disabling or enabling individual controls in the AWS Security Hub User Guide.

- For API details, see UpdateStandardsControl in the AWS CLI Command Reference.