Integration with AWS Security Hub CSPM - AWS IoT Device Defender

Integration with AWS Security Hub CSPM

AWS Security Hub CSPM gives you a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party products. You can use Security Hub CSPM to analyze security trends and identify the highest-priority security issues.

The integration of AWS IoT Device Defender with Security Hub CSPM lets you receive findings from AWS IoT Device Defender in Security Hub CSPM. Security Hub CSPM includes those findings in its analysis of your security posture.

Enabling and configuring the integration

Before you integrate AWS IoT Device Defender with Security Hub CSPM, you must first enable Security Hub CSPM. For information about how to enable Security Hub CSPM, see Setting up Security Hub in the AWS Security Hub User Guide.

After you have enabled both AWS IoT Device Defender and Security Hub CSPM, open the Integrations page in the Security Hub CSPM console and choose Accept findings for Audit, Detect, or both. AWS IoT Device Defender then begins sending findings to Security Hub CSPM.
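The console step above has an API equivalent, EnableImportFindingsForProduct, which is what you would call from automation (for example, an account-provisioning pipeline). The following is an added example, not AWS's own code: it uses the boto3 Security Hub client, builds the two ProductArn values that appear in the sample findings later on this page, and treats a repeat call as a no-op. The region "us-west-2" and the account ID in the usage note are assumptions.

```python
"""Turn on the Device Defender -> Security Hub CSPM integration through the Security Hub API.

Added example, not AWS's own code. The boto3 method names map to the Security Hub
EnableImportFindingsForProduct API. The ProductArn values are the ones shown in this
page's sample findings; the region passed in is an assumption.
"""
PRODUCT_PATHS = {
    "audit": "product/aws/iot-device-defender-audit",
    "detect": "product/aws/iot-device-defender-detect",
}


def product_arn(region, product):
    """Product ARNs carry no account ID: arn:aws:securityhub:<region>::product/aws/<name>."""
    return f"arn:aws:securityhub:{region}::{PRODUCT_PATHS[product]}"


def enable_device_defender(securityhub, region, products=("audit", "detect")):
    """Accept Audit and/or Detect findings in Security Hub for one region.

    Returns {product: subscription ARN} for products enabled by this call, or
    {product: "already-enabled"} when the subscription existed. The API is not
    idempotent: enabling a product twice raises ResourceConflictException, which
    is treated as success so the function can run repeatedly from automation.
    """
    result = {}
    for product in products:
        arn = product_arn(region, product)
        try:
            resp = securityhub.enable_import_findings_for_product(ProductArn=arn)
            result[product] = resp["ProductSubscriptionArn"]
        except securityhub.exceptions.ResourceConflictException:
            result[product] = "already-enabled"
    return result


if __name__ == "__main__":
    import boto3  # imported here so the functions above stay usable without boto3 installed

    region = "us-west-2"  # assumption: the region where Security Hub CSPM is enabled
    client = boto3.client("securityhub", region_name=region)
    for product, status in enable_device_defender(client, region).items():
        print(f"{product}: {status}")
```

Security Hub CSPM is regional, so the call has to be repeated in every region where Device Defender runs; the subscription ARN it returns (arn:aws:securityhub:region:account-id:product-subscription/aws/iot-device-defender-audit, for example) is the identifier you later need to turn the integration off again.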

How AWS IoT Device Defender sends findings to Security Hub CSPM

In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues detected by other AWS services or by third-party products.

Security Hub CSPM provides tools to manage findings from all of these sources. You can view and filter the list of findings and view the details of a finding. For more information, see Viewing findings in the AWS Security Hub User Guide. You can also track the investigation status of a finding. For more information, see Taking action on findings in the AWS Security Hub User Guide.

All findings in Security Hub CSPM use a standard JSON format called the AWS Security Finding Format (ASFF). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. For more information, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.

AWS IoT Device Defender is one of the AWS services that sends findings to Security Hub CSPM.

Types of findings that AWS IoT Device Defender sends

After the Security Hub CSPM integration is enabled, AWS IoT Device Defender Audit sends the findings it generates, called check summaries, to Security Hub CSPM. A check summary is general information about a specific audit check type in a specific audit task. For more information, see Audit checks.

For each Audit task, AWS IoT Device Defender Audit sends finding updates to Security Hub CSPM for both the audit check summaries and the individual audit findings. If all resources examined by an audit check are compliant, or the audit task is canceled, Audit updates the check summary in Security Hub CSPM to the ARCHIVED record state. If a resource was reported as non-compliant by an audit check but is reported as compliant in the latest audit task, Audit changes it to compliant and also updates the corresponding finding in Security Hub CSPM to the ARCHIVED record state.

AWS IoT Device Defender Detect sends violation findings to Security Hub CSPM. These violation findings cover machine learning (ML), statistical, and static behaviors.

To send findings to Security Hub CSPM, AWS IoT Device Defender uses the AWS Security Finding Format (ASFF). In ASFF, the Types field gives the finding type. Findings from AWS IoT Device Defender can have the following values for Types.

Unusual Behaviors

The finding type for the Conflicting MQTT client IDs and Device certificate shared audit checks, and for Detect findings.

Software and Configuration Check/Vulnerabilities

The finding type for all other audit checks. Note that in the check summary example later on this page the value carries an extra segment, Software and Configuration Check/Vulnerabilities/CVE, so a filter on the exact Types string would match audit findings but not check summaries.

Latency for sending findings

When a new finding is created, AWS IoT Device Defender Audit sends it to Security Hub CSPM as soon as the audit task completes. The latency depends on the volume of findings generated in the audit task. Security Hub CSPM usually receives the findings within an hour.

AWS IoT Device Defender Detect sends violation findings in near real time. After a violation goes into or out of alarm (meaning an alarm is created or cleared), the corresponding Security Hub CSPM finding is created or archived immediately.

Retrying when Security Hub CSPM is not available

If Security Hub CSPM is not available, AWS IoT Device Defender Audit and AWS IoT Device Defender Detect retry sending the findings until they are received.

Updating existing findings in Security Hub CSPM

After AWS IoT Device Defender Audit findings are sent to Security Hub CSPM, you can identify them by the identifier of the checked resource and the audit check type. If a new audit finding is generated for the same resource and audit check in a subsequent audit task, AWS IoT Device Defender Audit sends an update to Security Hub CSPM to reflect the additional observation of the finding activity. If no further audit finding is generated for the same resource and audit check in a subsequent audit task, the resource is considered compliant with the audit check, and AWS IoT Device Defender Audit archives the finding in Security Hub CSPM.

AWS IoT Device Defender Audit also updates check summaries in Security Hub CSPM. If an audit check finds non-compliant resources, or the check fails, the Security Hub CSPM finding's record state becomes ACTIVE. Otherwise, AWS IoT Device Defender Audit archives the finding in Security Hub CSPM.

AWS IoT Device Defender Detect creates a Security Hub CSPM finding when a violation occurs (for example, a behavior goes into alarm). The finding is updated only when one of the following conditions is met:

  • The finding is about to expire in Security Hub CSPM, so AWS IoT Device Defender sends an update to keep it current. A finding is deleted 90 days after its most recent update, or 90 days after its creation date if it has never been updated. For more information, see Security Hub CSPM quotas in the AWS Security Hub User Guide.

  • The corresponding violation goes out of alarm, so AWS IoT Device Defender updates the finding's record state to ARCHIVED.

Typical findings from AWS IoT Device Defender

AWS IoT Device Defender uses the AWS Security Finding Format (ASFF) to send findings to Security Hub CSPM.

The following example shows a typical Security Hub CSPM finding for an audit finding. ReportType in ProductFields is AuditFinding.

{
  "SchemaVersion": "2018-10-08",
  "Id": "336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-west-2",
  "GeneratorId": "1928b87ab338ee2f541f6fab8c41c4f5",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Check/Vulnerabilities"
  ],
  "CreatedAt": "2022-11-06T22:11:40.941Z",
  "UpdatedAt": "2022-11-06T22:11:40.941Z",
  "Severity": {
    "Label": "CRITICAL",
    "Normalized": 90
  },
  "Title": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK: ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "Description": "IOT_POLICY policyexample:1 is reported as non-compliant for IOT_POLICY_OVERLY_PERMISSIVE_CHECK by Audit task 9f71b6e90cfb57d4ac671be3a4898e6a. The non-compliant reason is Policy allows broad access to IoT data plane actions: [iot:Connect].",
  "SourceUrl": "https://us-west-2.console.aws.amazon.com/iot/home?region=us-west-2#/policy/policyexample",
  "ProductFields": {
    "CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
    "TaskId": "9f71b6e90cfb57d4ac671be3a4898e6a",
    "TaskType": "ON_DEMAND_AUDIT_TASK",
    "PolicyName": "policyexample",
    "IsSuppressed": "false",
    "ReasonForNonComplianceCode": "ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "ResourceType": "IOT_POLICY",
    "FindingId": "1928b87ab338ee2f541f6fab8c41c4f5",
    "PolicyVersionId": "1",
    "ReportType": "AuditFinding",
    "TaskStartTime": "1667772700554",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit/336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotPolicy",
      "Id": "policyexample",
      "Partition": "aws",
      "Region": "us-west-2",
      "Details": {
        "Other": {
          "PolicyVersionId": "1"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL"
    },
    "Types": [
      "Software and Configuration Check/Vulnerabilities"
    ]
  }
}

The following example shows a typical Security Hub CSPM finding for an audit check summary. ReportType in ProductFields is CheckSummary.

{
  "SchemaVersion": "2018-10-08",
  "Id": "615243839755/SCHEDULED_AUDIT_TASK/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "f3021945485adf92487c273558fcaa51",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Check/Vulnerabilities/CVE"
  ],
  "CreatedAt": "2022-10-18T14:20:13.933Z",
  "UpdatedAt": "2022-10-18T14:20:13.933Z",
  "Severity": {
    "Label": "CRITICAL",
    "Normalized": 90
  },
  "Title": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK Summary: Completed with 2 non-compliant resources",
  "Description": "Task f3021945485adf92487c273558fcaa51 of weekly scheduled Audit daily_audit_schedule_checks completes. 2 non-compliant resources are found for DEVICE_CERTIFICATE_KEY_QUALITY_CHECK out of 1000 resources in the account. The percentage of non-compliant resources is 0.2%.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/audit/results/f3021945485adf92487c273558fcaa51/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductFields": {
    "TaskId": "f3021945485adf92487c273558fcaa51",
    "TaskType": "SCHEDULED_AUDIT_TASK",
    "ScheduledAuditName": "daily_audit_schedule_checks",
    "CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "ReportType": "CheckSummary",
    "CheckRunStatus": "COMPLETED_NON_COMPLIANT",
    "NonComopliantResourcesCount": "2",
    "SuppressedNonCompliantResourcesCount": "1",
    "TotalResourcesCount": "1000",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit/615243839755/SCHEDULED/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotAuditTask",
      "Id": "f3021945485adf92487c273558fcaa51",
      "Region": "us-east-1"
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL"
    },
    "Types": [
      "Software and Configuration Check/Vulnerabilities/CVE"
    ]
  }
}

The following example shows a typical Security Hub CSPM finding for an AWS IoT Device Defender Detect violation.

{
  "SchemaVersion": "2018-10-08",
  "Id": "e92a782593c6f5b1fc7cb6a443dc1a12",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
  "ProductName": "IoT Device Defender - Detect",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "arn:aws:iot:us-east-1:123456789012:securityprofile/MySecurityProfile",
  "AwsAccountId": "123456789012",
  "Types": [
    "Unusual Behaviors"
  ],
  "CreatedAt": "2022-11-09T22:45:00Z",
  "UpdatedAt": "2022-11-09T22:45:00Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40
  },
  "Title": "Registered thing MyThing is in alarm for STATIC behavior MyBehavior.",
  "Description": "Registered thing MyThing violates STATIC behavior MyBehavior of security profile MySecurityProfile. Violation was triggered because the device did not conform to aws:num-disconnects less-than 1.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/securityProfile/MySecurityProfile?tab=violations",
  "ProductFields": {
    "ComparisonOperator": "less-than",
    "BehaviorName": "MyBehavior",
    "ViolationId": "e92a782593c6f5b1fc7cb6a443dc1a12",
    "ViolationStartTime": "1668033900000",
    "SuppressAlerts": "false",
    "ConsecutiveDatapointsToAlarm": "1",
    "ConsecutiveDatapointsToClear": "1",
    "DurationSeconds": "300",
    "Count": "1",
    "MetricName": "aws:num-disconnects",
    "BehaviorCriteriaType": "STATIC",
    "ThingName": "MyThing",
    "SecurityProfileName": "MySecurityProfile",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect/e92a782593c6f5b1fc7cb6a443dc1a12",
    "aws/securityhub/ProductName": "IoT Device Defender - Detect",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotRegisteredThing",
      "Id": "MyThing",
      "Region": "us-east-1",
      "Details": {
        "Other": {
          "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/thing/MyThing?tab=violations",
          "IsRegisteredThing": "true",
          "ThingArn": "arn:aws:iot:us-east-1:123456789012:thing/MyThing"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM"
    },
    "Types": [
      "Unusual Behaviors"
    ]
  }
}
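The three findings above differ in the fields that matter for triage: the product is only visible in ProductArn, ProductFields.ReportType separates per-resource audit findings from check summaries, suppression lives in ProductFields.IsSuppressed (Audit) or ProductFields.SuppressAlerts (Detect), an archived record means the resource became compliant or the alarm cleared, and UpdatedAt drives the 90-day deletion described earlier. The following is an added example, not AWS's own code, that turns a GetFindings result set into a ranked work list using those rules. SAMPLE_FINDINGS is a constructed, trimmed copy of the page's examples plus one ARCHIVED Detect record, and SAMPLE_NOW is a constructed reference time.

```python
"""Triage IoT Device Defender findings retrieved from Security Hub CSPM with GetFindings.

Added example, not AWS's own code. Field names follow the three sample findings on this
page. SAMPLE_FINDINGS is a constructed, trimmed copy of those findings plus one ARCHIVED
Detect record; SAMPLE_NOW is a constructed reference time for the expiry arithmetic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # Security Hub deletes a finding 90 days after its last update
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
SAMPLE_NOW = datetime(2022, 11, 10, tzinfo=timezone.utc)
AUDIT_ARN = "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit"
DETECT_ARN = "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect"
SAMPLE_FINDINGS = [  # constructed: the page's examples reduced to the fields used here
    {"Id": "336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
     "ProductArn": AUDIT_ARN, "UpdatedAt": "2022-11-06T22:11:40.941Z", "RecordState": "ACTIVE",
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Type": "AwsIotPolicy", "Id": "policyexample"}],
     "ProductFields": {"ReportType": "AuditFinding", "CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
                       "IsSuppressed": "false"}},
    {"Id": "615243839755/SCHEDULED_AUDIT_TASK/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
     "ProductArn": AUDIT_ARN, "UpdatedAt": "2022-10-18T14:20:13.933Z", "RecordState": "ACTIVE",
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Type": "AwsIotAuditTask", "Id": "f3021945485adf92487c273558fcaa51"}],
     "ProductFields": {"ReportType": "CheckSummary", "CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK"}},
    {"Id": "e92a782593c6f5b1fc7cb6a443dc1a12",
     "ProductArn": DETECT_ARN, "UpdatedAt": "2022-11-09T22:45:00Z", "RecordState": "ACTIVE",
     "Severity": {"Label": "MEDIUM"}, "Resources": [{"Type": "AwsIotRegisteredThing", "Id": "MyThing"}],
     "ProductFields": {"SecurityProfileName": "MySecurityProfile", "BehaviorName": "MyBehavior",
                       "SuppressAlerts": "false"}},
    {"Id": "constructed-cleared-violation",  # same behavior, but the alarm has cleared
     "ProductArn": DETECT_ARN, "UpdatedAt": "2022-11-01T00:00:00Z", "RecordState": "ARCHIVED",
     "Severity": {"Label": "MEDIUM"}, "Resources": [{"Type": "AwsIotRegisteredThing", "Id": "MyThing"}],
     "ProductFields": {"SecurityProfileName": "MySecurityProfile", "BehaviorName": "MyBehavior",
                       "SuppressAlerts": "false"}},
]


def device_defender_filters(record_state="ACTIVE"):
    """AwsSecurityFindingFilters for GetFindings: both Device Defender products, one record state."""
    return {
        "ProductName": [{"Value": "IoT Device Defender - Audit", "Comparison": "EQUALS"},
                        {"Value": "IoT Device Defender - Detect", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": record_state, "Comparison": "EQUALS"}],
    }


@dataclass
class Triaged:
    finding_id: str
    source: str         # "audit" or "detect"
    kind: str           # "AuditFinding", "CheckSummary" or "Violation"
    check: str          # audit check name, or "<security profile>/<behavior>" for Detect
    resource: str       # "<Type>:<Id>" of the first resource in the finding
    severity: str
    suppressed: bool
    active: bool
    days_until_expiry: int


def parse_asff_time(value):
    """ASFF timestamps are ISO 8601 in UTC, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(finding, now=None):
    """Normalise one ASFF finding; returns None for findings from other products."""
    now = now or datetime.now(timezone.utc)
    pf = finding.get("ProductFields", {})
    arn = finding.get("ProductArn", "")
    if arn.endswith("/iot-device-defender-audit"):
        source, kind = "audit", pf.get("ReportType", "AuditFinding")
        check = pf.get("CheckName", "?")
        suppressed = pf.get("IsSuppressed", "false") == "true"  # audit finding suppression
    elif arn.endswith("/iot-device-defender-detect"):
        source, kind = "detect", "Violation"
        check = f"{pf.get('SecurityProfileName', '?')}/{pf.get('BehaviorName', '?')}"
        suppressed = pf.get("SuppressAlerts", "false") == "true"  # behavior has alerts suppressed
    else:
        return None
    res = (finding.get("Resources") or [{}])[0]
    expiry = parse_asff_time(finding["UpdatedAt"]) + timedelta(days=RETENTION_DAYS)
    return Triaged(
        finding_id=finding["Id"], source=source, kind=kind, check=check,
        resource=f"{res.get('Type', '?')}:{res.get('Id', '?')}",
        severity=finding.get("Severity", {}).get("Label", "INFORMATIONAL"),
        suppressed=suppressed, active=finding.get("RecordState") == "ACTIVE",
        days_until_expiry=(expiry - now).days,
    )


def actionable(findings, now=None):
    """Active, unsuppressed per-resource findings, most severe first. Check summaries roll up
    a whole audit task, so they are excluded from the work list."""
    rows = [t for t in (triage(f, now) for f in findings) if t is not None]
    work = [t for t in rows if t.active and not t.suppressed and t.kind != "CheckSummary"]
    return sorted(work, key=lambda t: -SEVERITY_RANK.get(t.severity, 0))
```

Against the sample data this yields two work items, the CRITICAL policy finding first and the MEDIUM violation second; the check summary is reported separately and the archived violation is dropped. To run it against a real account, feed the pages from boto3's get_findings paginator (`client.get_paginator("get_findings").paginate(Filters=device_defender_filters())`) into actionable(); filtering on ProductName rather than on the exact Types string is deliberate, since audit findings and check summaries carry different Types values.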

Stopping AWS IoT Device Defender from sending findings to Security Hub CSPM

To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or API.

For more information, see Disabling and enabling the flow of findings from an integration (console) and Disabling the flow of findings from an integration (Security Hub CSPM API, AWS CLI) in the AWS Security Hub User Guide.
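The API route has one trap: DisableImportFindingsForProduct takes the product subscription ARN (which includes the account ID), not the ProductArn that appears in the findings above, so the subscription has to be looked up first with ListEnabledProductsForImport. The following is an added example, not AWS's own code, using the boto3 Security Hub client; the product paths "aws/iot-device-defender-audit" and "aws/iot-device-defender-detect" are taken from this page's sample findings, and the subscription ARN layout is the one the API returns.

```python
"""Stop Device Defender findings flowing into Security Hub CSPM through the API.

Added example, not AWS's own code. DisableImportFindingsForProduct needs the product
*subscription* ARN (arn:aws:securityhub:<region>:<account>:product-subscription/aws/<name>),
so the enabled subscriptions are listed first. The product paths below come from this
page's sample findings.
"""
DEVICE_DEFENDER = ("aws/iot-device-defender-audit", "aws/iot-device-defender-detect")


def enabled_subscriptions(securityhub):
    """All enabled product-subscription ARNs in this account and region.

    ListEnabledProductsForImport is paginated, so follow NextToken rather than
    reading a single page and concluding a product is not enabled.
    """
    arns, kwargs = [], {}
    while True:
        resp = securityhub.list_enabled_products_for_import(**kwargs)
        arns.extend(resp.get("ProductSubscriptions", []))
        if not resp.get("NextToken"):
            return arns
        kwargs = {"NextToken": resp["NextToken"]}


def disable_device_defender(securityhub, products=DEVICE_DEFENDER):
    """Disable each listed product; returns {product path: "disabled" | "not-enabled"}."""
    subscriptions = enabled_subscriptions(securityhub)
    result = {}
    for path in products:
        # Match on the trailing product path so the account ID and region do not matter.
        matches = [arn for arn in subscriptions if arn.endswith("product-subscription/" + path)]
        if not matches:
            result[path] = "not-enabled"
            continue
        securityhub.disable_import_findings_for_product(ProductSubscriptionArn=matches[0])
        result[path] = "disabled"
    return result


if __name__ == "__main__":
    import boto3  # imported here so the functions above stay usable without boto3 installed

    client = boto3.client("securityhub", region_name="us-west-2")  # assumption: target region
    for path, status in disable_device_defender(client).items():
        print(f"{path}: {status}")
```

Disabling the subscription only stops new findings; records already in Security Hub CSPM stay visible until they age out under the 90-day retention described earlier, so an audit finding that is still ACTIVE after you disable the flow is not evidence that the check is still failing.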