Integrating with AWS Security Hub - AWS IoT Device Defender

Integrating with AWS Security Hub

AWS Security Hub gives you a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party products. You can use Security Hub to analyze security trends and identify the highest-priority security issues.

The integration between AWS IoT Device Defender and Security Hub lets you send findings from AWS IoT Device Defender to Security Hub. Security Hub includes those findings in its analysis of your security posture.

Enabling and configuring the integration

Before you integrate AWS IoT Device Defender with Security Hub, you must enable Security Hub. For information about how to enable Security Hub, see Setting up Security Hub in the AWS Security Hub User Guide.

After you have enabled both AWS IoT Device Defender and Security Hub, open the Integrations page in the Security Hub console and choose Accept findings for Audit, for Detect, or for both. AWS IoT Device Defender then begins sending findings to Security Hub.

How AWS IoT Device Defender sends findings to Security Hub

In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party products.

Security Hub provides tools to manage findings from all of these sources. You can view and filter lists of findings and view the details of a finding. For more information, see Viewing findings in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. For more information, see Taking action on findings in the AWS Security Hub User Guide.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. For more information about ASFF, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.

AWS IoT Device Defender is one of the AWS services that send findings to Security Hub.

Types of findings that AWS IoT Device Defender sends

After the Security Hub integration is enabled, AWS IoT Device Defender Audit sends the findings it generates (called check summaries) to Security Hub. A check summary is general information about a specific audit check type in a specific audit task. For more information, see Audit checks.

AWS IoT Device Defender Audit sends finding updates for the audit check summary and the audit findings of each audit task to Security Hub. If all resources found in an audit check are compliant, or if the audit task is canceled, Audit updates the check summary in Security Hub to the ARCHIVED record state. If a resource was reported as non-compliant for an audit check but is reported as compliant in the latest audit task, Audit changes it to compliant and updates the finding in Security Hub to the ARCHIVED record state.

AWS IoT Device Defender Detect sends violation findings to Security Hub. These violation findings cover machine learning (ML), statistical, and static behaviors.

To send findings to Security Hub, AWS IoT Device Defender uses the AWS Security Finding Format (ASFF). In ASFF, the Types field provides the finding type. Findings from AWS IoT Device Defender can have the following values for Types.

Unusual Behaviors

The finding type for the conflicting MQTT client ID check and the device certificate shared check, and for all Detect findings.

Software and Configuration Check/Vulnerabilities

The finding type for all other audit checks.

Latency for sending findings

When AWS IoT Device Defender Audit creates a new finding, it sends the finding to Security Hub immediately after the audit task completes. The latency depends on the number of findings generated in the audit task. Security Hub usually receives the findings within an hour.

AWS IoT Device Defender Detect sends violation findings in near real time. After a violation goes into or out of alarm (meaning the alarm is created or deleted), the corresponding Security Hub finding is created or archived immediately.

Retrying when Security Hub is not available

If Security Hub is not available, AWS IoT Device Defender Audit and AWS IoT Device Defender Detect retry sending the findings until they are received.

Updating existing findings in Security Hub

After an AWS IoT Device Defender Audit finding has been sent to Security Hub, you can identify it by the identifier of the checked resource and the audit check type. If a new audit finding is generated for the same resource and audit check in a subsequent audit task, AWS IoT Device Defender Audit sends an update to Security Hub to reflect the additional observation of the finding activity. If no further audit finding is generated for the same resource and audit check in a subsequent audit task, the resource is changed to compliant with the audit check, and AWS IoT Device Defender Audit then archives the finding in Security Hub.

AWS IoT Device Defender Audit also updates the check summaries in Security Hub. If non-compliant resources are found in an audit check, or the check fails, the status of the Security Hub finding becomes active. Otherwise, AWS IoT Device Defender Audit archives the finding in Security Hub.

AWS IoT Device Defender Detect creates a Security Hub finding when a violation occurs (for example, when a device is in alarm). The finding is updated only when one of the following conditions is met:

  • The finding is about to expire in Security Hub, so AWS IoT Device Defender sends an update to keep it current. Findings are deleted 90 days after the most recent update, or 90 days after the creation date if no update has occurred. For more information, see Security Hub quotas in the AWS Security Hub User Guide.

  • The corresponding violation goes out of alarm, so AWS IoT Device Defender updates the status of the finding to ARCHIVED.
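The lifecycle rules in this section, as an added illustration that is not AWS code: audit findings are keyed by (resource identifier, audit check) and each new audit task either updates, creates or archives them; the per-check summary is ACTIVE only when non-compliant resources were found or the check failed; and a Detect finding that receives no further update is deleted by Security Hub after 90 days, so a helper computes how many days remain. The function names, action labels and all sample inputs are constructed for this example.

```python
"""Model of the Security Hub finding lifecycle described above.
Added illustration, not AWS code; function names, action labels and
sample data are constructed."""
from datetime import datetime, timezone

SECURITY_HUB_RETENTION_DAYS = 90  # from the Security Hub quotas cited above


def reconcile_audit_task(prior_active, task_non_compliant, task_canceled=False):
    """Return {(resource_id, check_name): action} for one audit task.

    prior_active       - keys that currently have an ACTIVE finding in Security Hub
    task_non_compliant - keys the new task reports as non-compliant
    A repeat observation updates the finding, a first observation creates it,
    and a key that is no longer reported means the resource became compliant,
    so its finding is archived. A canceled task reports nothing, so no
    individual finding changes state.
    """
    if task_canceled:
        return {}
    actions = {}
    for key in task_non_compliant:
        actions[key] = "UPDATE_ACTIVE" if key in prior_active else "CREATE_ACTIVE"
    for key in prior_active:
        if key not in task_non_compliant:
            actions[key] = "ARCHIVE"
    return actions


def check_summary_record_state(non_compliant_count, check_failed=False, task_canceled=False):
    """Record state of the per-check summary finding for one audit task.

    ACTIVE only when the check found non-compliant resources or the check
    itself failed; if every resource is compliant or the task was canceled,
    the summary is set to ARCHIVED.
    """
    if task_canceled:
        return "ARCHIVED"
    if check_failed or non_compliant_count > 0:
        return "ACTIVE"
    return "ARCHIVED"


def days_until_expiry(updated_at, now):
    """Days before Security Hub deletes a finding that gets no further update.

    Both arguments are ASFF-style ISO-8601 timestamps ending in 'Z', with or
    without fractional seconds (both forms appear in the examples below).
    """
    updated = datetime.fromisoformat(updated_at.replace("Z", "+00:00")).astimezone(timezone.utc)
    current = datetime.fromisoformat(now.replace("Z", "+00:00")).astimezone(timezone.utc)
    elapsed_days = (current - updated).days
    return max(SECURITY_HUB_RETENTION_DAYS - elapsed_days, 0)


if __name__ == "__main__":
    # Constructed scenario: one policy stays non-compliant, one certificate
    # was fixed since the last task, and a new certificate shows up.
    prior = {
        ("policyexample", "IOT_POLICY_OVERLY_PERMISSIVE_CHECK"),
        ("cert-0001", "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK"),
    }
    current = {
        ("policyexample", "IOT_POLICY_OVERLY_PERMISSIVE_CHECK"),
        ("cert-0002", "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK"),
    }
    for (resource, check), action in sorted(reconcile_audit_task(prior, current).items()):
        print(f"{check:40} {resource:15} -> {action}")
    print("summary state, all compliant:", check_summary_record_state(0))
    print("days left:", days_until_expiry("2022-11-09T22:45:00Z", "2023-01-08T22:45:00Z"))
```

The reconciliation is what a downstream consumer should expect to see in Security Hub: a (resource, check) pair that disappears from the next task's results is not silently dropped but moves to ARCHIVED, so filtering on RecordState is the right way to keep a queue of open audit problems.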

Typical findings from AWS IoT Device Defender

AWS IoT Device Defender uses the AWS Security Finding Format (ASFF) to send findings to Security Hub.

The following example shows a typical Security Hub finding for an audit finding. The ReportType in ProductFields is AuditFinding.

{
  "SchemaVersion": "2018-10-08",
  "Id": "336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-west-2",
  "GeneratorId": "1928b87ab338ee2f541f6fab8c41c4f5",
  "AwsAccountId": "123456789012",
  "Types": ["Software and Configuration Check/Vulnerabilities"],
  "CreatedAt": "2022-11-06T22:11:40.941Z",
  "UpdatedAt": "2022-11-06T22:11:40.941Z",
  "Severity": { "Label": "CRITICAL", "Normalized": 90 },
  "Title": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK: ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "Description": "IOT_POLICY policyexample:1 is reported as non-compliant for IOT_POLICY_OVERLY_PERMISSIVE_CHECK by Audit task 9f71b6e90cfb57d4ac671be3a4898e6a. The non-compliant reason is Policy allows broad access to IoT data plane actions: [iot:Connect].",
  "SourceUrl": "https://us-west-2.console.aws.amazon.com/iot/home?region=us-west-2#/policy/policyexample",
  "ProductFields": {
    "CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
    "TaskId": "9f71b6e90cfb57d4ac671be3a4898e6a",
    "TaskType": "ON_DEMAND_AUDIT_TASK",
    "PolicyName": "policyexample",
    "IsSuppressed": "false",
    "ReasonForNonComplianceCode": "ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "ResourceType": "IOT_POLICY",
    "FindingId": "1928b87ab338ee2f541f6fab8c41c4f5",
    "PolicyVersionId": "1",
    "ReportType": "AuditFinding",
    "TaskStartTime": "1667772700554",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit/336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotPolicy",
      "Id": "policyexample",
      "Partition": "aws",
      "Region": "us-west-2",
      "Details": { "Other": { "PolicyVersionId": "1" } }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": { "Label": "CRITICAL" },
    "Types": ["Software and Configuration Check/Vulnerabilities"]
  }
}

The following example shows a typical Security Hub finding for an audit check summary. The ReportType in ProductFields is CheckSummary.

{
  "SchemaVersion": "2018-10-08",
  "Id": "615243839755/SCHEDULED_AUDIT_TASK/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "f3021945485adf92487c273558fcaa51",
  "AwsAccountId": "123456789012",
  "Types": ["Software and Configuration Check/Vulnerabilities/CVE"],
  "CreatedAt": "2022-10-18T14:20:13.933Z",
  "UpdatedAt": "2022-10-18T14:20:13.933Z",
  "Severity": { "Label": "CRITICAL", "Normalized": 90 },
  "Title": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK Summary: Completed with 2 non-compliant resources",
  "Description": "Task f3021945485adf92487c273558fcaa51 of weekly scheduled Audit daily_audit_schedule_checks completes. 2 non-compliant resources are found for DEVICE_CERTIFICATE_KEY_QUALITY_CHECK out of 1000 resources in the account. The percentage of non-compliant resources is 0.2%.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/audit/results/f3021945485adf92487c273558fcaa51/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductFields": {
    "TaskId": "f3021945485adf92487c273558fcaa51",
    "TaskType": "SCHEDULED_AUDIT_TASK",
    "ScheduledAuditName": "daily_audit_schedule_checks",
    "CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "ReportType": "CheckSummary",
    "CheckRunStatus": "COMPLETED_NON_COMPLIANT",
    "NonComopliantResourcesCount": "2",
    "SuppressedNonCompliantResourcesCount": "1",
    "TotalResourcesCount": "1000",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit/615243839755/SCHEDULED/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    { "Type": "AwsIotAuditTask", "Id": "f3021945485adf92487c273558fcaa51", "Region": "us-east-1" }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": { "Label": "CRITICAL" },
    "Types": ["Software and Configuration Check/Vulnerabilities/CVE"]
  }
}

The following example shows a typical Security Hub finding for an AWS IoT Device Defender Detect violation.

{
  "SchemaVersion": "2018-10-08",
  "Id": "e92a782593c6f5b1fc7cb6a443dc1a12",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
  "ProductName": "IoT Device Defender - Detect",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "arn:aws:iot:us-east-1:123456789012:securityprofile/MySecurityProfile",
  "AwsAccountId": "123456789012",
  "Types": ["Unusual Behaviors"],
  "CreatedAt": "2022-11-09T22:45:00Z",
  "UpdatedAt": "2022-11-09T22:45:00Z",
  "Severity": { "Label": "MEDIUM", "Normalized": 40 },
  "Title": "Registered thing MyThing is in alarm for STATIC behavior MyBehavior.",
  "Description": "Registered thing MyThing violates STATIC behavior MyBehavior of security profile MySecurityProfile. Violation was triggered because the device did not conform to aws:num-disconnects less-than 1.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/securityProfile/MySecurityProfile?tab=violations",
  "ProductFields": {
    "ComparisonOperator": "less-than",
    "BehaviorName": "MyBehavior",
    "ViolationId": "e92a782593c6f5b1fc7cb6a443dc1a12",
    "ViolationStartTime": "1668033900000",
    "SuppressAlerts": "false",
    "ConsecutiveDatapointsToAlarm": "1",
    "ConsecutiveDatapointsToClear": "1",
    "DurationSeconds": "300",
    "Count": "1",
    "MetricName": "aws:num-disconnects",
    "BehaviorCriteriaType": "STATIC",
    "ThingName": "MyThing",
    "SecurityProfileName": "MySecurityProfile",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect/e92a782593c6f5b1fc7cb6a443dc1a12",
    "aws/securityhub/ProductName": "IoT Device Defender - Detect",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotRegisteredThing",
      "Id": "MyThing",
      "Region": "us-east-1",
      "Details": {
        "Other": {
          "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/thing/MyThing?tab=violations",
          "IsRegisteredThing": "true",
          "ThingArn": "arn:aws:iot:us-east-1:123456789012:thing/MyThing"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": { "Label": "MEDIUM" },
    "Types": ["Unusual Behaviors"]
  }
}
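A triage helper over the three finding shapes shown above, as an added example that is not AWS code. It tells Audit and Detect findings apart by the ProductArn suffix, reads ProductFields.ReportType to separate audit findings from check summaries, reads the suppression flag each product uses (IsSuppressed for Audit, SuppressAlerts for Detect), and flattens each finding into one record for a queue or dashboard. The sample findings are constructed, cut down from the examples above to the fields the helper reads; the CheckSummary count key is spelled as it is printed there.

```python
"""Triage of ASFF findings from AWS IoT Device Defender.
Added example, not AWS code; SAMPLE_FINDINGS is constructed."""
import json

PRODUCT_BY_ARN_SUFFIX = {
    "iot-device-defender-audit": "audit",
    "iot-device-defender-detect": "detect",
}


def product_of(finding):
    """'audit', 'detect' or 'other', from the last path segment of ProductArn."""
    suffix = finding.get("ProductArn", "").rsplit("/", 1)[-1]
    return PRODUCT_BY_ARN_SUFFIX.get(suffix, "other")


def triage(finding):
    """Flatten one ASFF finding into a small dict for triage."""
    pf = finding.get("ProductFields", {})
    resources = finding.get("Resources", [])
    product = product_of(finding)
    record = {
        "product": product,
        "severity": finding.get("Severity", {}).get("Label"),
        "record_state": finding.get("RecordState"),
        "resource": (resources[0]["Type"], resources[0]["Id"]) if resources else None,
        # Audit flags suppressed findings with IsSuppressed, Detect with SuppressAlerts
        "suppressed": "true" in (pf.get("IsSuppressed"), pf.get("SuppressAlerts")),
    }
    if product == "audit" and pf.get("ReportType") == "CheckSummary":
        bad = int(pf.get("NonComopliantResourcesCount", "0"))  # key as in the example above
        total = int(pf.get("TotalResourcesCount", "0"))
        record.update(kind="CheckSummary", non_compliant=bad, total=total,
                      non_compliant_pct=round(100.0 * bad / total, 2) if total else 0.0,
                      detail=f"{pf.get('CheckName')} {pf.get('CheckRunStatus')}")
    elif product == "audit":
        record.update(kind=pf.get("ReportType", "AuditFinding"),
                      detail=f"{pf.get('CheckName')}: {pf.get('ReasonForNonComplianceCode')}")
    elif product == "detect":
        record.update(kind="Violation",
                      detail=(f"{pf.get('ThingName')} violates {pf.get('BehaviorCriteriaType')} "
                              f"behavior {pf.get('BehaviorName')} ({pf.get('MetricName')} "
                              f"{pf.get('ComparisonOperator')} {pf.get('Count')})"))
    else:
        record.update(kind="Unknown", detail=finding.get("Title", ""))
    return record


def active_findings(findings):
    """Findings still ACTIVE in Security Hub and not suppressed at the source."""
    return [r for r in map(triage, findings)
            if r["record_state"] == "ACTIVE" and not r["suppressed"]]


def count_by_kind(findings):
    """Histogram of (product, kind) over a batch of findings."""
    counts = {}
    for r in map(triage, findings):
        key = (r["product"], r["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed batch: the three shapes shown above plus one archived Detect
# finding, to show that archived findings drop out of the active queue.
SAMPLE_FINDINGS = [
    {"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit",
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE",
     "ProductFields": {"ReportType": "AuditFinding",
                       "CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
                       "ReasonForNonComplianceCode": "ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
                       "IsSuppressed": "false"},
     "Resources": [{"Type": "AwsIotPolicy", "Id": "policyexample"}]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit",
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE",
     "ProductFields": {"ReportType": "CheckSummary",
                       "CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
                       "CheckRunStatus": "COMPLETED_NON_COMPLIANT",
                       "NonComopliantResourcesCount": "2", "TotalResourcesCount": "1000"},
     "Resources": [{"Type": "AwsIotAuditTask", "Id": "f3021945485adf92487c273558fcaa51"}]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE",
     "ProductFields": {"ThingName": "MyThing", "BehaviorName": "MyBehavior",
                       "BehaviorCriteriaType": "STATIC", "MetricName": "aws:num-disconnects",
                       "ComparisonOperator": "less-than", "Count": "1", "SuppressAlerts": "false"},
     "Resources": [{"Type": "AwsIotRegisteredThing", "Id": "MyThing"}]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
     "Severity": {"Label": "LOW"}, "RecordState": "ARCHIVED",
     "ProductFields": {"ThingName": "OtherThing", "BehaviorName": "MsgRate",
                       "BehaviorCriteriaType": "STATIC", "MetricName": "aws:num-messages-sent",
                       "ComparisonOperator": "greater-than", "Count": "100", "SuppressAlerts": "false"},
     "Resources": [{"Type": "AwsIotRegisteredThing", "Id": "OtherThing"}]},
]

if __name__ == "__main__":
    for record in active_findings(SAMPLE_FINDINGS):
        print(json.dumps(record, sort_keys=True))
    print(count_by_kind(SAMPLE_FINDINGS))
```

Keying on ProductArn rather than ProductName is deliberate: the ARN is the stable identifier Security Hub uses for the integration, while display names can change. Check summaries are worth routing separately from individual audit findings, since one summary per check and task is enough to build a compliance ratio, whereas the per-resource findings are what an operator actually remediates.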

Stopping AWS IoT Device Defender from sending findings to Security Hub

To stop sending findings to Security Hub, you can use the Security Hub console or the Security Hub API.

For more information, see Disabling and enabling the flow of findings from an integration (console) and Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.
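The API route to both the enabling step described under "Enabling and configuring the integration" and the stop described here, as an added example that is not AWS code. It uses three real Security Hub operations (EnableImportFindingsForProduct, ListEnabledProductsForImport and DisableImportFindingsForProduct) through any object that exposes boto3-style methods, and builds the ProductArn in the form shown in the findings above. The function names are constructed, and a small fake client is included so the logic runs offline; its account ID and subscription ARNs are constructed sample values.

```python
"""Start or stop the Device Defender finding flow through the Security Hub API.
Added example, not AWS code; FakeSecurityHub and all ARNs are constructed."""


def product_arn(region, integration):
    """ProductArn of the Audit or Detect integration, as seen in the findings above."""
    if integration not in ("audit", "detect"):
        raise ValueError(f"unknown integration: {integration}")
    return f"arn:aws:securityhub:{region}::product/aws/iot-device-defender-{integration}"


def start_device_defender_findings(client, region, which=("audit", "detect")):
    """Enable the chosen integrations; returns the product-subscription ARNs created."""
    subscriptions = []
    for integration in which:
        resp = client.enable_import_findings_for_product(ProductArn=product_arn(region, integration))
        subscriptions.append(resp["ProductSubscriptionArn"])
    return subscriptions


def device_defender_subscriptions(client, which=("audit", "detect")):
    """Enabled product-subscription ARNs that belong to the chosen integrations."""
    wanted = tuple(f"/aws/iot-device-defender-{w}" for w in which)
    found, token = [], None
    while True:  # ListEnabledProductsForImport is paginated with NextToken
        page = client.list_enabled_products_for_import(**({"NextToken": token} if token else {}))
        found.extend(arn for arn in page.get("ProductSubscriptions", []) if arn.endswith(wanted))
        token = page.get("NextToken")
        if not token:
            return found


def stop_device_defender_findings(client, which=("audit", "detect")):
    """Disable the chosen integrations; returns the ARNs that were disabled."""
    disabled = []
    for arn in device_defender_subscriptions(client, which):
        client.disable_import_findings_for_product(ProductSubscriptionArn=arn)
        disabled.append(arn)
    return disabled


class FakeSecurityHub:
    """Offline stand-in for boto3's Security Hub client (constructed for this example)."""

    def __init__(self, account="123456789012", region="us-east-1", subscriptions=()):
        self.account, self.region = account, region
        self.subscriptions = list(subscriptions)

    def _subscription_arn(self, product_path):
        return f"arn:aws:securityhub:{self.region}:{self.account}:product-subscription/{product_path}"

    def enable_import_findings_for_product(self, ProductArn):
        arn = self._subscription_arn(ProductArn.split("product/", 1)[1])
        if arn not in self.subscriptions:
            self.subscriptions.append(arn)
        return {"ProductSubscriptionArn": arn}

    def list_enabled_products_for_import(self, **kwargs):
        return {"ProductSubscriptions": list(self.subscriptions)}  # single page

    def disable_import_findings_for_product(self, ProductSubscriptionArn):
        self.subscriptions.remove(ProductSubscriptionArn)
        return {}


if __name__ == "__main__":
    # With real credentials this would be boto3.client("securityhub", region_name="us-east-1").
    hub = FakeSecurityHub(subscriptions=[
        "arn:aws:securityhub:us-east-1:123456789012:product-subscription/example-vendor/example-product",
    ])
    print("enabled:", start_device_defender_findings(hub, "us-east-1"))
    print("disabled:", stop_device_defender_findings(hub, which=("detect",)))
    print("still enabled:", device_defender_subscriptions(hub))
```

Disabling by subscription ARN, looked up from ListEnabledProductsForImport, keeps the script scoped to the Device Defender subscriptions only, so the same helper cannot accidentally switch off another product's findings; the `which` argument mirrors the console's choice of Audit, Detect, or both.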