AWS CLI examples using Security Hub - AWS Command Line Interface

AWS CLI examples using Security Hub

The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Security Hub.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use accept-administrator-invitation.

AWS CLI

To accept an invitation from an administrator account

The following accept-administrator-invitation example accepts the specified invitation from the specified administrator account.

aws securityhub accept-administrator-invitation \
    --administrator-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use accept-invitation.

AWS CLI

To accept an invitation from an administrator account

The following accept-invitation example accepts the specified invitation from the specified administrator account. accept-invitation and its --master-id parameter are the deprecated predecessors of accept-administrator-invitation and --administrator-id; prefer the newer command in new scripts.

aws securityhub accept-invitation \
    --master-id 123456789012 \
    --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see AcceptInvitation in the AWS CLI Command Reference.

The following code example shows how to use batch-delete-automation-rules.

AWS CLI

To delete automation rules

The following batch-delete-automation-rules example deletes the specified automation rule. You can delete one or more rules with a single command. Only the Security Hub administrator account can run this command.

aws securityhub batch-delete-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Deleting automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-disable-standards.

AWS CLI

To disable a standard

The following batch-disable-standards example disables the standard associated with the specified subscription ARN. The returned StandardsStatus is DELETING until the controls and their findings have been removed.

aws securityhub batch-disable-standards \
    --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "DELETING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

The following code example shows how to use batch-enable-standards.

AWS CLI

To enable a standard

The following batch-enable-standards example enables the PCI DSS standard for the requesting account. The --standards-subscription-requests parameter takes a list, so one or more standards can be enabled in a single call.

aws securityhub batch-enable-standards \
    --standards-subscription-requests '[{"StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}]'

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "PENDING",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-automation-rules.

AWS CLI

To get details for automation rules

The following batch-get-automation-rules example gets details for the specified automation rule. You can get details for one or more automation rules with a single command.

aws securityhub batch-get-automation-rules \
    --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

{
    "Rules": [
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "Suppress informational findings",
            "Description": "Suppress GuardDuty findings with Informational severity",
            "IsTerminal": false,
            "Criteria": {
                "ProductName": [
                    {
                        "Value": "GuardDuty",
                        "Comparison": "EQUALS"
                    }
                ],
                "SeverityLabel": [
                    {
                        "Value": "INFORMATIONAL",
                        "Comparison": "EQUALS"
                    }
                ],
                "WorkflowStatus": [
                    {
                        "Value": "NEW",
                        "Comparison": "EQUALS"
                    }
                ],
                "RecordState": [
                    {
                        "Value": "ACTIVE",
                        "Comparison": "EQUALS"
                    }
                ]
            },
            "Actions": [
                {
                    "Type": "FINDING_FIELDS_UPDATE",
                    "FindingFieldsUpdate": {
                        "Note": {
                            "Text": "Automatically suppress GuardDuty findings with Informational severity",
                            "UpdatedBy": "sechub-automation"
                        },
                        "Workflow": {
                            "Status": "SUPPRESSED"
                        }
                    }
                }
            ],
            "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
            "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        }
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-configuration-policy-associations.

AWS CLI

To get configuration association details for a batch of targets

The following batch-get-configuration-policy-associations example retrieves association details for the specified targets. Each target is identified by an account ID, an organizational unit ID, or the root ID.

aws securityhub batch-get-configuration-policy-associations \
    --configuration-policy-association-identifiers '[{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}]'

Output:

{
    "ConfigurationPolicyAssociations": [
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "TargetId": "ou-6hi7-8j91kl2m",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
            "AssociationStatus": "SUCCESS",
            "AssociationStatusMessage": "Association applied successfully on this target."
        }
    ]
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-security-controls.

AWS CLI

To get security control details

The following batch-get-security-controls example gets details for the security controls ACM.1 and IAM.1 in the current AWS account and AWS Region.

aws securityhub batch-get-security-controls \
    --security-control-ids '["ACM.1", "IAM.1"]'

Output:

{
    "SecurityControls": [
        {
            "SecurityControlId": "ACM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1",
            "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
            "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
            "SeverityRating": "MEDIUM",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {
                "daysToExpiration": {
                    "ValueType": "CUSTOM",
                    "Value": {
                        "Integer": 15
                    }
                }
            },
            "LastUpdateReason": "Updated control parameter"
        },
        {
            "SecurityControlId": "IAM.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1",
            "Title": "IAM policies should not allow full \"*\" administrative privileges",
            "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation",
            "SeverityRating": "HIGH",
            "SecurityControlStatus": "ENABLED",
            "UpdateStatus": "READY",
            "Parameters": {}
        }
    ]
}

For more information, see Viewing details for controls in the AWS Security Hub User Guide.

The following code example shows how to use batch-get-standards-control-associations.

AWS CLI

To get the enablement status of a control

The following batch-get-standards-control-associations example identifies whether the specified controls are enabled in the specified standards. Standards ARNs carry no account ID; the CIS v1.2.0 ruleset ARN has no Region either.

aws securityhub batch-get-standards-control-associations \
    --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}]'

Output:

{
    "StandardsControlAssociationDetails": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "SecurityControlId": "Config.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations 2.5"
            ],
            "UpdatedAt": "2022-10-27T16:07:12.960000+00:00",
            "StandardsControlTitle": "Ensure AWS Config is enabled",
            "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.5"
            ]
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "SecurityControlId": "IAM.6",
            "SecurityControlArn": "arn:aws:securityhub:us-east-1:123456789012:security-control/IAM.6",
            "AssociationStatus": "DISABLED",
            "RelatedRequirements": [],
            "UpdatedAt": "2022-11-22T21:30:35.080000+00:00",
            "UpdatedReason": "test",
            "StandardsControlTitle": "Hardware MFA should be enabled for the root user",
            "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.",
            "StandardsControlArns": [
                "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6"
            ]
        }
    ]
}

For more information, see Enabling and disabling controls in specific standards in the AWS Security Hub User Guide.

The following code example shows how to use batch-import-findings.

AWS CLI

To update a finding

The following batch-import-findings example updates a finding. A finding is identified by its Id and ProductArn; importing a finding with the same identifiers again updates the existing one rather than creating a second copy.

aws securityhub batch-import-findings \
    --findings '[{
        "AwsAccountId": "123456789012",
        "CreatedAt": "2020-05-27T17:05:54.832Z",
        "Description": "Vulnerability in a CloudTrail trail",
        "FindingProviderFields": {
            "Severity": {
                "Label": "LOW",
                "Original": "10"
            },
            "Types": [
                "Software and Configuration Checks/Vulnerabilities/CVE"
            ]
        },
        "GeneratorId": "TestGeneratorId",
        "Id": "Id1",
        "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default",
        "Resources": [
            {
                "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
                "Partition": "aws",
                "Region": "us-west-1",
                "Type": "AwsCloudTrailTrail"
            }
        ],
        "SchemaVersion": "2018-10-08",
        "Title": "CloudTrail trail vulnerability",
        "UpdatedAt": "2020-06-02T16:05:54.832Z"
    }]'

Output:

{
    "FailedCount": 0,
    "SuccessCount": 1,
    "FailedFindings": []
}

For more information, see Using BatchImportFindings to create and update findings in the AWS Security Hub User Guide.
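The finding in this example is passed as a hand-written JSON literal. When a custom integration produces many findings, they are usually generated programmatically and must fit the BatchImportFindings request limits (AWS documents at most 100 findings and 240 KB per call). The following Python module is an added example, not code from the AWS CLI documentation: it builds ASFF findings of the same shape as the one above for the account's default product ARN, checks the fields ASFF requires, and splits a list of findings into request-sized batches whose JSON you would pass to --findings (or to boto3's batch_import_findings). The GeneratorId value and the sample inputs are assumed; no AWS call is made.

```python
"""Build ASFF findings for batch-import-findings and split them into request-sized batches.

Added example (not AWS documentation code). The limits below are the documented
BatchImportFindings request limits; the GeneratorId and sample data are assumed.
"""
import json
from datetime import datetime, timezone

MAX_FINDINGS_PER_BATCH = 100
MAX_BATCH_BYTES = 240 * 1024

# Fields that every ASFF finding must carry.
REQUIRED_FIELDS = ("AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
                   "ProductArn", "Resources", "SchemaVersion", "Title", "UpdatedAt")


def iso_now():
    """ASFF timestamps are ISO 8601 with millisecond precision in UTC."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_finding(account_id, region, finding_id, title, description, resource_arn,
                  resource_type, severity_label, original_severity, types,
                  created_at=None, updated_at=None):
    """Return a finding shaped like the batch-import-findings example on this page."""
    now = iso_now()
    return {
        "AwsAccountId": account_id,
        "CreatedAt": created_at or now,
        "Description": description,
        "FindingProviderFields": {
            "Severity": {"Label": severity_label, "Original": str(original_severity)},
            "Types": list(types),
        },
        "GeneratorId": "TestGeneratorId",  # assumed; identify your own generator here
        "Id": finding_id,
        # The default product ARN lets an account import its own custom findings.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "Resources": [{"Id": resource_arn, "Partition": "aws", "Region": region, "Type": resource_type}],
        "SchemaVersion": "2018-10-08",
        "Title": title,
        "UpdatedAt": updated_at or now,
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding passes these checks."""
    problems = [f"missing {k}" for k in REQUIRED_FIELDS if k not in finding]
    if not finding.get("Resources"):
        problems.append("Resources must not be empty")
    parts = finding.get("ProductArn", "").split(":")
    if len(parts) != 6 or parts[2] != "securityhub" or not parts[5].startswith("product/"):
        problems.append("ProductArn is not a Security Hub product ARN")
    elif parts[5].endswith("/default") and parts[4] != finding.get("AwsAccountId"):
        # Custom findings can only be imported into the account that owns the default product.
        problems.append("default ProductArn must belong to AwsAccountId")
    if "Severity" not in finding and "Severity" not in finding.get("FindingProviderFields", {}):
        problems.append("need Severity or FindingProviderFields.Severity")
    return problems


def batch_findings(findings):
    """Split findings into lists that respect the per-request count and size limits."""
    batches, current, current_size = [], [], 2  # 2 bytes for the enclosing "[]"
    for f in findings:
        size = len(json.dumps(f).encode()) + 1  # +1 for the separating comma
        if size > MAX_BATCH_BYTES:
            raise ValueError(f"finding {f.get('Id')} alone exceeds the request size limit")
        if current and (len(current) == MAX_FINDINGS_PER_BATCH or current_size + size > MAX_BATCH_BYTES):
            batches.append(current)
            current, current_size = [], 2
        current.append(f)
        current_size += size
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    finding = build_finding("123456789012", "us-west-1", "Id1", "CloudTrail trail vulnerability",
                            "Vulnerability in a CloudTrail trail",
                            "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
                            "AwsCloudTrailTrail", "LOW", 10,
                            ["Software and Configuration Checks/Vulnerabilities/CVE"])
    print(validate_finding(finding))
    for batch in batch_findings([dict(finding, Id=f"Id{i}") for i in range(250)]):
        print(len(batch), "findings; pass this JSON to --findings:", json.dumps(batch)[:60], "...")
```

Each list returned by batch_findings is one --findings argument (or one batch_import_findings call); check FailedFindings in every response, since a batch is not rejected as a whole when one finding fails.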

The following code example shows how to use batch-update-automation-rules.

AWS CLI

To update automation rules

The following batch-update-automation-rules example updates the specified automation rule. You can update one or more rules with a single command. Only the Security Hub administrator account can run this command. Line breaks inside the single-quoted JSON need no backslash continuation; a backslash there would become part of the JSON and make it invalid.

aws securityhub batch-update-automation-rules \
    --update-automation-rules-request-items '[
        {
            "Actions": [{
                "Type": "FINDING_FIELDS_UPDATE",
                "FindingFieldsUpdate": {
                    "Note": {
                        "Text": "Known issue that is a risk",
                        "UpdatedBy": "sechub-automation"
                    },
                    "Workflow": {
                        "Status": "NEW"
                    }
                }
            }],
            "Criteria": {
                "SeverityLabel": [{
                    "Value": "LOW",
                    "Comparison": "EQUALS"
                }]
            },
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleOrder": 1,
            "RuleStatus": "DISABLED"
        }
    ]'

Output:

{
    "ProcessedAutomationRules": [
        "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    ],
    "UnprocessedAutomationRules": []
}

For more information, see Editing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use batch-update-findings.

AWS CLI

Example 1: To update findings

The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them.

aws securityhub batch-update-findings \
    --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
    --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
    --severity '{"Label": "LOW"}' \
    --workflow '{"Status": "RESOLVED"}'

Output:

{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

Example 2: To update findings using shorthand syntax

The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them, using the CLI shorthand syntax instead of JSON.

aws securityhub batch-update-findings \
    --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \
    --note Text="Known issue that is not a risk.",UpdatedBy="user1" \
    --severity Label="LOW" \
    --workflow Status="RESOLVED"

Output:

{
    "ProcessedFindings": [
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        },
        {
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"
        }
    ],
    "UnprocessedFindings": []
}

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

The following code example shows how to use batch-update-standards-control-associations.

AWS CLI

To update the enablement status of a control in enabled standards

The following batch-update-standards-control-associations example disables CloudTrail.1 in the specified standards. A reason is recorded with each change.

aws securityhub batch-update-standards-control-associations \
    --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'

This command produces no output when successful.

For more information, see Enabling and disabling controls in specific standards and Enabling and disabling controls in all standards in the AWS Security Hub User Guide.

The following code example shows how to use create-action-target.

AWS CLI

To create a custom action

The following create-action-target example creates a custom action. It provides the name, description, and identifier for the action.

aws securityhub create-action-target \
    --name "Send to remediation" \
    --description "Action to send the finding for remediation tracking" \
    --id "Remediation"

Output:

{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use create-automation-rule.

AWS CLI

To create an automation rule

The following create-automation-rule example creates an automation rule in the current AWS account and AWS Region. Security Hub filters your findings based on the specified criteria and applies the actions to matching findings. Only the Security Hub administrator account can run this command. Line breaks inside the single-quoted JSON arguments need no backslash continuation; a backslash there would become part of the JSON and make it invalid.

aws securityhub create-automation-rule \
    --actions '[{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "HIGH"
            },
            "Note": {
                "Text": "Known issue that is a risk. Updated by automation rules",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]' \
    --criteria '{
        "SeverityLabel": [{
            "Value": "INFORMATIONAL",
            "Comparison": "EQUALS"
        }]
    }' \
    --description "A sample rule" \
    --no-is-terminal \
    --rule-name "sample rule" \
    --rule-order 1 \
    --rule-status "ENABLED"

Output:

{
    "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Creating automation rules in the AWS Security Hub User Guide.
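The CLI examples on this page show how automation rules are created and read, but not what Security Hub does with them at evaluation time. The following Python script is an added example, not code from the AWS CLI documentation or from the Security Hub service: it loads the GuardDuty suppression rule from the batch-get-automation-rules output above and the escalation rule from the create-automation-rule example, and applies them to constructed sample findings using the semantics the Security Hub User Guide documents (only ENABLED rules apply, in ascending RuleOrder; every criteria field must match; within one field EQUALS and PREFIX values are OR'ed while NOT_EQUALS values are AND'ed; a rule with IsTerminal set stops further processing). The second rule's ARN and the sample findings are assumed. Running it exposes an interaction worth knowing: because the suppression rule is not terminal, an informational GuardDuty finding is suppressed by rule 1 and then re-rated HIGH by rule 2.

```python
"""Local model of how Security Hub automation rules select and modify findings (added example)."""
import copy

# Rules taken from this page: the GuardDuty suppression rule returned by
# batch-get-automation-rules and the escalation rule from create-automation-rule.
# Field values are copied from those examples; the second RuleArn is assumed.
RULES = [
    {
        "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "RuleStatus": "ENABLED", "RuleOrder": 1, "IsTerminal": False,
        "Criteria": {
            "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
            "SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}],
            "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        },
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Note": {"Text": "Automatically suppress GuardDuty findings with Informational severity",
                     "UpdatedBy": "sechub-automation"},
            "Workflow": {"Status": "SUPPRESSED"}}}],
    },
    {
        "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "RuleStatus": "ENABLED", "RuleOrder": 2, "IsTerminal": False,
        "Criteria": {"SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}]},
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Severity": {"Label": "HIGH"},
            "Note": {"Text": "Known issue that is a risk. Updated by automation rules",
                     "UpdatedBy": "sechub-automation"}}}],
    },
]

# Criteria field name -> path of that value inside an ASFF finding
# (only the fields used on this page are mapped).
FIELD_PATHS = {
    "ProductName": ("ProductName",),
    "SeverityLabel": ("Severity", "Label"),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
}

def _lookup(finding, path):
    value = finding
    for key in path:
        value = value.get(key) if isinstance(value, dict) else None
    return value

def _compare(actual, expected, comparison):
    if comparison == "EQUALS":
        return actual == expected
    if comparison == "NOT_EQUALS":
        return actual != expected
    if comparison == "PREFIX":
        return isinstance(actual, str) and actual.startswith(expected)
    raise ValueError(f"unsupported comparison {comparison}")

def field_matches(finding, field, filters):
    """Positive filters on one field are OR'ed; NOT_EQUALS filters are AND'ed."""
    actual = _lookup(finding, FIELD_PATHS[field])
    positive = [f for f in filters if f["Comparison"] != "NOT_EQUALS"]
    negative = [f for f in filters if f["Comparison"] == "NOT_EQUALS"]
    if positive and not any(_compare(actual, f["Value"], f["Comparison"]) for f in positive):
        return False
    return all(_compare(actual, f["Value"], "NOT_EQUALS") for f in negative)

def rule_matches(finding, rule):
    # Every criteria field must match (AND across fields).
    return all(field_matches(finding, f, flt) for f, flt in rule["Criteria"].items())

def apply_update(finding, update):
    # FINDING_FIELDS_UPDATE merges one level deep, e.g. Severity.Label or Workflow.Status.
    for key, value in update.items():
        if isinstance(value, dict) and isinstance(finding.get(key), dict):
            finding[key].update(value)
        else:
            finding[key] = value

def apply_rules(finding, rules):
    """Return (updated copy of the finding, RuleArns that fired) evaluated in RuleOrder."""
    result, fired = copy.deepcopy(finding), []
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if rule["RuleStatus"] != "ENABLED" or not rule_matches(result, rule):
            continue
        fired.append(rule["RuleArn"])
        for action in rule["Actions"]:
            if action["Type"] == "FINDING_FIELDS_UPDATE":
                apply_update(result, action["FindingFieldsUpdate"])
        if rule.get("IsTerminal"):
            break  # a terminal rule stops evaluation of later rules
    return result, fired

# Constructed sample findings, reduced to the fields the criteria inspect.
SAMPLE_FINDINGS = [
    {"Id": "gd-1", "ProductName": "GuardDuty", "Severity": {"Label": "INFORMATIONAL"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "inspector-1", "ProductName": "Inspector", "Severity": {"Label": "INFORMATIONAL"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "gd-2", "ProductName": "GuardDuty", "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
]
```

apply_rules(SAMPLE_FINDINGS[0], RULES) returns a finding that is both SUPPRESSED and HIGH, with both rule ARNs in the fired list. Setting IsTerminal to true on the suppression rule (the --is-terminal flag of create-automation-rule, or IsTerminal in batch-update-automation-rules), or ordering it after the escalation rule, removes that interaction.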

The following code example shows how to use create-configuration-policy.

AWS CLI

To create a configuration policy

The following create-configuration-policy example creates a configuration policy with the specified settings: Security Hub enabled, two standards enabled, the control CloudTrail.2 disabled, and a custom daysToExpiration value for ACM.1.

aws securityhub create-configuration-policy \
    --name "SampleConfigurationPolicy" \
    --description "SampleDescription" \
    --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \
    --tags '{"Environment": "Prod"}'

Output:

{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "SampleConfigurationPolicy",
    "Description": "SampleDescription",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use create-finding-aggregator.

AWS CLI

To enable finding aggregation

The following create-finding-aggregator example configures finding aggregation. It is run from US East (N. Virginia), which makes US East (N. Virginia) the aggregation Region. It indicates to link only the specified Regions and not to automatically link new Regions, and selects US West (N. California) and US West (Oregon) as the linked Regions. --regions is a list parameter, so the Region codes are separated by spaces.

aws securityhub create-finding-aggregator \
    --region us-east-1 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1 us-west-2

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": [
        "us-west-1",
        "us-west-2"
    ]
}

For more information, see Enabling finding aggregation in the AWS Security Hub User Guide.

The following code example shows how to use create-insight.

AWS CLI

To create a custom insight

The following create-insight example creates a custom insight named Critical role findings that returns critical findings related to IAM roles, grouped by resource ID.

aws securityhub create-insight \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
    --group-by-attribute "ResourceId" \
    --name "Critical role findings"

Output:

{
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see CreateInsight in the AWS CLI Command Reference.

The following code example shows how to use create-members.

AWS CLI

To add accounts as member accounts

The following create-members example adds two accounts as member accounts to the requesting administrator account.

aws securityhub create-members \
    --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see CreateMembers in the AWS CLI Command Reference.

The following code example shows how to use decline-invitations.

AWS CLI

To decline an invitation to become a member account

The following decline-invitations example declines an invitation to become a member account of the specified administrator account. The member account is the requesting account.

aws securityhub decline-invitations \
    --account-ids "123456789012"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use delete-action-target.

AWS CLI

To delete a custom action

The following delete-action-target example deletes the custom action identified by the specified ARN.

aws securityhub delete-action-target \
    --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

{
    "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use delete-configuration-policy.

AWS CLI

To delete a configuration policy

The following delete-configuration-policy example deletes the specified configuration policy.

aws securityhub delete-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

This command produces no output.

For more information, see Deleting and disassociating Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use delete-finding-aggregator.

AWS CLI

To stop finding aggregation

The following delete-finding-aggregator example stops finding aggregation. It is run from US East (N. Virginia), which is the aggregation Region.

aws securityhub delete-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000

This command produces no output.

For more information, see Stopping finding aggregation in the AWS Security Hub User Guide.

The following code example shows how to use delete-insight.

AWS CLI

To delete a custom insight

The following delete-insight example deletes the custom insight with the specified ARN.

aws securityhub delete-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see DeleteInsight in the AWS CLI Command Reference.

The following code example shows how to use delete-invitations.

AWS CLI

To delete an invitation to become a member account

The following delete-invitations example deletes an invitation to become a member account of the specified administrator account. The member account is the requesting account.

aws securityhub delete-invitations \
    --account-ids "123456789012"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use delete-members.

AWS CLI

To delete member accounts

The following delete-members example deletes the specified member accounts from the requesting administrator account.

aws securityhub delete-members \
    --account-ids "123456789111" "123456789222"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see DeleteMembers in the AWS CLI Command Reference.

The following code example shows how to use describe-action-targets.

AWS CLI

To retrieve details about custom actions

The following describe-action-targets example retrieves information about the custom action identified by the specified ARN.

aws securityhub describe-action-targets \
    --action-target-arns "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

{
    "ActionTargets": [
        {
            "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation",
            "Description": "Action to send the finding for remediation tracking",
            "Name": "Send to remediation"
        }
    ]
}

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use describe-hub.

AWS CLI

To get information about a hub resource

The following describe-hub example returns the subscription date for the specified hub resource. The hub resource is identified by its ARN.

aws securityhub describe-hub \
    --hub-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

{
    "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default",
    "SubscribedAt": "2019-11-19T23:15:10.046Z"
}

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see DescribeHub in the AWS CLI Command Reference.

The following code example shows how to use describe-organization-configuration.

AWS CLI

To view how Security Hub is configured for an organization

The following describe-organization-configuration example returns information about the way an organization is configured in Security Hub. In this example, the organization uses central configuration, so ConfigurationType is CENTRAL. Only the Security Hub administrator account can run this command.

aws securityhub describe-organization-configuration

Output:

{
    "AutoEnable": false,
    "MemberAccountLimitReached": false,
    "AutoEnableStandards": "NONE",
    "OrganizationConfiguration": {
        "ConfigurationType": "CENTRAL",
        "Status": "ENABLED",
        "StatusMessage": "Central configuration has been enabled successfully"
    }
}

For more information, see Managing accounts with AWS Organizations in the AWS Security Hub User Guide.

The following code example shows how to use describe-products.

AWS CLI

To return information about available product integrations

The following describe-products example returns the available product integrations one at a time. Pass the returned NextToken to the next call to page through the rest.

aws securityhub describe-products \
    --max-results 1

Output:

{
    "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==",
    "Products": [
        {
            "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",
            "ProductName": "CrowdStrike Falcon",
            "CompanyName": "CrowdStrike",
            "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.",
            "Categories": [
                "Endpoint Detection and Response (EDR)",
                "AV Scanning and Sandboxing",
                "Threat Intelligence Feeds and Reports",
                "Endpoint Forensics",
                "Network Forensics"
            ],
            "IntegrationTypes": [
                "SEND_FINDINGS_TO_SECURITY_HUB"
            ],
            "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation",
            "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}"
        }
    ]
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

  • For API details, see DescribeProducts in the AWS CLI Command Reference.
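The ProductSubscriptionResourcePolicy field in this output is what stops a third-party product account from writing findings into accounts that have not subscribed to it: both statements are conditioned on securityhub:TargetAccount being the subscribing account's ID. The following Python script is an added example, not code from the AWS CLI documentation: it parses the policy string shown above and evaluates requests against it with a small model of the IAM logic involved (Allow and Deny statements, the AWS principal, Action and Resource matching, and a StringEquals condition). It is not a general IAM evaluator; wildcards in actions or resources and other condition operators are not modeled. The request parameters in the usage are constructed.

```python
"""Evaluate the subscription resource policy that describe-products returns (added example)."""
import json

# The ProductSubscriptionResourcePolicy string from the describe-products output above.
POLICY_JSON = (
    '{"Version":"2012-10-17","Statement":['
    '{"Effect":"Allow","Principal":{"AWS":"123456789333"},'
    '"Action":["securityhub:BatchImportFindings"],'
    '"Resource":"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",'
    '"Condition":{"StringEquals":{"securityhub:TargetAccount":"123456789012"}}},'
    '{"Effect":"Allow","Principal":{"AWS":"123456789012"},'
    '"Action":["securityhub:BatchImportFindings"],'
    '"Resource":"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon",'
    '"Condition":{"StringEquals":{"securityhub:TargetAccount":"123456789012"}}}]}'
)

SUBSCRIPTION_ARN = "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
IMPORT_ACTION = "securityhub:BatchImportFindings"


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, principal, action, resource, context):
    """True when the statement's Principal, Action, Resource and Condition all cover the request."""
    principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
    if "*" not in principals and principal not in principals:
        return False
    if action not in _as_list(stmt.get("Action", [])):
        return False
    if resource not in _as_list(stmt.get("Resource", [])):
        return False
    # StringEquals: every condition key must be present in the request context with a listed value.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, principal, action, resource, context):
    """Deny-by-default: an explicit Deny wins, otherwise at least one Allow must match."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    matching = [s for s in _as_list(policy["Statement"])
                if statement_matches(s, principal, action, resource, context)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def product_can_import(policy, product_account, target_account, subscription_arn=SUBSCRIPTION_ARN):
    """Can the product's AWS account import findings into target_account through this subscription?"""
    return is_allowed(policy, product_account, IMPORT_ACTION, subscription_arn,
                      {"securityhub:TargetAccount": target_account})


if __name__ == "__main__":
    # Constructed requests: the subscribed account is allowed, any other target account is not.
    print(product_can_import(POLICY_JSON, "123456789333", "123456789012"))  # True
    print(product_can_import(POLICY_JSON, "123456789333", "999999999999"))  # False
```

The second Allow statement grants the subscribing account itself the same action on the product ARN, again only for its own account as target; a finding sent with any other TargetAccount is rejected by either statement.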

The following code example shows how to use describe-standards-controls.

AWS CLI

To request the list of controls in an enabled standard

The following describe-standards-controls example requests the list of controls in the requester account's subscription to the PCI DSS standard. The request returns two controls at a time; pass the returned NextToken to the next call for the remaining controls.

aws securityhub describe-standards-controls \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" \
    --max-results 2

Output:

{
    "Controls": [
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00",
            "ControlId": "PCI.AutoScaling.1",
            "Title": "Auto scaling groups associated with a load balancer should use health checks",
            "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation",
            "SeverityRating": "LOW",
            "RelatedRequirements": [
                "PCI DSS 2.2"
            ]
        },
        {
            "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1",
            "ControlStatus": "ENABLED",
            "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00",
            "ControlId": "PCI.CW.1",
            "Title": "A log metric filter and alarm should exist for usage of the \"root\" user",
            "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation",
            "SeverityRating": "MEDIUM",
            "RelatedRequirements": [
                "PCI DSS 7.2.1"
            ]
        }
    ],
    "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW"
}

For more information, see Viewing details for controls in the AWS Security Hub User Guide.

The following code example shows how to use describe-standards.

AWS CLI

To return a list of available standards

The following describe-standards example returns the list of available standards.

aws securityhub describe-standards

Output:

{
    "Standards": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "Name": "AWS Foundational Security Best Practices v1.0.0",
            "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "Name": "CIS AWS Foundations Benchmark v1.2.0",
            "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.",
            "EnabledByDefault": true
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "Name": "PCI DSS v3.2.1",
            "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.",
            "EnabledByDefault": false
        }
    ]
}

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use disable-import-findings-for-product.

AWS CLI

To stop receiving findings from a product integration

The following disable-import-findings-for-product example disables the flow of findings for the specified subscription to a product integration.

aws securityhub disable-import-findings-for-product \
    --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"

This command produces no output.

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use disable-organization-admin-account.

AWS CLI

To remove the Security Hub administrator account

The following disable-organization-admin-account example revokes the specified account's assignment as the Security Hub administrator account for AWS Organizations.

aws securityhub disable-organization-admin-account \
    --admin-account-id 777788889999

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use disable-security-hub.

AWS CLI

To disable AWS Security Hub

The following disable-security-hub example disables AWS Security Hub for the requesting account.

aws securityhub disable-security-hub

This command produces no output.

For more information, see Disabling AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-from-administrator-account.

AWS CLI

To disassociate from the administrator account

The following disassociate-from-administrator-account example disassociates the requesting account from its current administrator account.

aws securityhub disassociate-from-administrator-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-from-master-account.

AWS CLI

To disassociate from the administrator account

The following disassociate-from-master-account example disassociates the requesting account from its current administrator account. disassociate-from-master-account is the deprecated predecessor of disassociate-from-administrator-account; prefer the newer command in new scripts.

aws securityhub disassociate-from-master-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use disassociate-members.

AWS CLI

To disassociate member accounts

The following disassociate-members example disassociates the specified member accounts from the requesting administrator account.

aws securityhub disassociate-members \
    --account-ids "123456789111" "123456789222"

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use enable-import-findings-for-product.

AWS CLI

To start receiving findings from a product integration

The following enable-import-findings-for-product example enables the flow of findings from the specified product integration. The product ARN belongs to the vendor's account; the returned subscription ARN belongs to yours.

aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"

Output:

{
    "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use enable-organization-admin-account.

AWS CLI

To designate an organization account as the Security Hub administrator account

The following enable-organization-admin-account example designates the specified account as the Security Hub administrator account.

aws securityhub enable-organization-admin-account \
    --admin-account-id 777788889999

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use enable-security-hub.

AWS CLI

To enable AWS Security Hub

The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards. For the hub resource, it assigns the value Security to the tag Department.

aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'

This command produces no output.

For more information, see Enabling AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use get-administrator-account.

AWS CLI

To retrieve information about the administrator account

The following get-administrator-account example retrieves information about the administrator account for the requesting account.

aws securityhub get-administrator-account

Output:

{
    "Administrator": {
        "AccountId": "123456789012",
        "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
        "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
        "MemberStatus": "ASSOCIATED"
    }
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use get-configuration-policy-association.

AWS CLI

To get configuration association details for a target

The following get-configuration-policy-association example retrieves association details for the specified target. You can provide an account ID, organizational unit ID, or the root ID for the target.

aws securityhub get-configuration-policy-association \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

{
    "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "TargetId": "ou-6hi7-8j91kl2m",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
    "AssociationStatus": "SUCCESS",
    "AssociationStatusMessage": "Association applied successfully on this target."
}

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use get-configuration-policy.

AWS CLI

To view configuration policy details

The following get-configuration-policy example retrieves details about the specified configuration policy.

aws securityhub get-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b",
    "Name": "SampleConfigurationPolicy",
    "Description": "SampleDescription",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

For more information, see Viewing AWS Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use get-enabled-standards.

AWS CLI

To retrieve information about enabled standards

The following get-enabled-standards example retrieves information about the PCI DSS standard.

aws securityhub get-enabled-standards \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"

Output:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
            "StandardsInput": {},
            "StandardsStatus": "READY",
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
        }
    ]
}

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

The following code example shows how to use get-finding-aggregator.

AWS CLI

To retrieve the current finding aggregation configuration

The following get-finding-aggregator example retrieves the current finding aggregation configuration.

aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": "us-west-1,us-west-2"
}

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

The following code example shows how to use get-finding-history.

AWS CLI

To get finding history

The following get-finding-history example gets up to the last 90 days of history for the specified finding. In this example, the results are limited to two records of finding history.

aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"

Output:

{
    "Records": [
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-06-02T03:15:25.685000+00:00",
            "FindingCreated": false,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": [
                {
                    "UpdatedField": "Compliance.RelatedRequirements",
                    "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]",
                    "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]"
                },
                {
                    "UpdatedField": "LastObservedAt",
                    "OldValue": "2023-06-01T09:15:38.587Z",
                    "NewValue": "2023-06-02T03:15:22.946Z"
                },
                {
                    "UpdatedField": "UpdatedAt",
                    "OldValue": "2023-06-01T09:15:31.049Z",
                    "NewValue": "2023-06-02T03:15:14.861Z"
                },
                {
                    "UpdatedField": "ProcessedAt",
                    "OldValue": "2023-06-01T09:15:41.058Z",
                    "NewValue": "2023-06-02T03:15:25.685Z"
                }
            ]
        },
        {
            "FindingIdentifier": {
                "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "UpdateTime": "2023-05-23T02:06:51.518000+00:00",
            "FindingCreated": true,
            "UpdateSource": {
                "Type": "BATCH_IMPORT_FINDINGS",
                "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
            },
            "Updates": []
        }
    ]
}

For more information, see Finding history in the AWS Security Hub User Guide.

The following code example shows how to use get-findings.

AWS CLI

Example 1: To return findings generated for a specific standard

The following get-findings example returns findings for the PCI DSS standard.

aws securityhub get-findings \
    --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \
    --max-items 1

Output:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub",
            "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2",
            "AwsAccountId": "123456789012",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
            ],
            "FindingProviderFields": {
                "Severity": {
                    "Original": 0,
                    "Label": "INFORMATIONAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
                ]
            },
            "FirstObservedAt": "2020-06-02T14:02:49.159Z",
            "LastObservedAt": "2020-06-02T14:02:52.397Z",
            "CreatedAt": "2020-06-02T14:02:49.159Z",
            "UpdatedAt": "2020-06-02T14:02:52.397Z",
            "Severity": {
                "Original": 0,
                "Label": "INFORMATIONAL",
                "Normalized": 0
            },
            "Title": "PCI.Lambda.2 Lambda functions should be in a VPC",
            "Description": "This AWS control checks whether a Lambda function is in a VPC.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation"
                }
            },
            "ProductFields": {
                "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
                "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1",
                "ControlId": "PCI.Lambda.2",
                "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation",
                "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2",
                "aws/securityhub/SeverityLabel": "INFORMATIONAL",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Resources": [
                {
                    "Type": "AwsAccount",
                    "Id": "AWS::::Account:123456789012",
                    "Partition": "aws",
                    "Region": "us-west-1"
                }
            ],
            "Compliance": {
                "Status": "PASSED",
                "RelatedRequirements": [
                    "PCI DSS 1.2.1",
                    "PCI DSS 1.3.1",
                    "PCI DSS 1.3.2",
                    "PCI DSS 1.3.4"
                ]
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ARCHIVED"
        }
    ],
    "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ=="
}

Example 2: To return critical severity findings that have a workflow status of NOTIFIED

The following get-findings example returns findings whose severity label value is CRITICAL and whose workflow status is NOTIFIED. The results are sorted in descending order by the value of Confidence.

aws securityhub get-findings \
    --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \
    --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \
    --max-items 1

Output:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
            "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13",
            "AwsAccountId": "123456789012",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
            ],
            "FindingProviderFields": {
                "Severity": {
                    "Original": 90,
                    "Label": "CRITICAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
                ]
            },
            "FirstObservedAt": "2020-05-21T20:16:34.752Z",
            "LastObservedAt": "2020-06-09T08:16:37.171Z",
            "CreatedAt": "2020-05-21T20:16:34.752Z",
            "UpdatedAt": "2020-06-09T08:16:36.430Z",
            "Severity": {
                "Original": 90,
                "Label": "CRITICAL",
                "Normalized": 90
            },
            "Title": "1.13 Ensure MFA is enabled for the \"root\" account",
            "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation"
                }
            },
            "ProductFields": {
                "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
                "RuleId": "1.13",
                "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation",
                "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13",
                "aws/securityhub/SeverityLabel": "CRITICAL",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Resources": [
                {
                    "Type": "AwsAccount",
                    "Id": "AWS::::Account:123456789012",
                    "Partition": "aws",
                    "Region": "us-west-1"
                }
            ],
            "Compliance": {
                "Status": "FAILED"
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NOTIFIED"
            },
            "RecordState": "ACTIVE"
        }
    ]
}

For more information, see Filtering and grouping findings in the AWS Security Hub User Guide.

  • For API details, see GetFindings in the AWS CLI Command Reference.

The following code example shows how to use get-insight-results.

AWS CLI

To retrieve the results for an insight

The following get-insight-results example returns the list of insight results for the insight with the specified ARN.

aws securityhub get-insight-results \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "InsightResults": {
        "GroupByAttribute": "ResourceId",
        "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ResultValues": [
            {
                "Count": 10,
                "GroupByAttributeValue": "AWS::::Account:123456789111"
            },
            {
                "Count": 3,
                "GroupByAttributeValue": "AWS::::Account:123456789222"
            }
        ]
    }
}

For more information, see Viewing and taking action on insight results and findings in the AWS Security Hub User Guide.

The following code example shows how to use get-insights.

AWS CLI

To retrieve the details of an insight

The following get-insights example retrieves the configuration details for the insight with the specified ARN.

aws securityhub get-insights \
    --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "Insights": [
        {
            "Filters": {
                "ResourceType": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "AwsIamRole"
                    }
                ],
                "SeverityLabel": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "CRITICAL"
                    }
                ]
            },
            "GroupByAttribute": "ResourceId",
            "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "Critical role findings"
        }
    ]
}

For more information, see Insights in AWS Security Hub in the AWS Security Hub User Guide.

  • For API details, see GetInsights in the AWS CLI Command Reference.

The following code example shows how to use get-invitations-count.

AWS CLI

To retrieve the count of invitations that were not accepted

The following get-invitations-count example retrieves the number of invitations that the requesting account rejected or did not respond to.

aws securityhub get-invitations-count

Output:

{
    "InvitationsCount": 3
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

The following code example shows how to use get-master-account.

AWS CLI

To retrieve information about the administrator account

The following get-master-account example retrieves information about the administrator account for the requesting account.

aws securityhub get-master-account

Output:

{
    "Master": {
        "AccountId": "123456789012",
        "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
        "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
        "MemberStatus": "ASSOCIATED"
    }
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see GetMasterAccount in the AWS CLI Command Reference.

The following code example shows how to use get-members.

AWS CLI

To retrieve information about selected member accounts

The following get-members example retrieves information about the specified member accounts.

aws securityhub get-members \
    --account-ids "444455556666" "777788889999"

Output:

{
    "Members": [
        {
            "AccountId": "123456789111",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        },
        {
            "AccountId": "123456789222",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        }
    ],
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see GetMembers in the AWS CLI Command Reference.

The following code example shows how to use get-security-control-definition.

AWS CLI

To get security control definition details

The following get-security-control-definition example retrieves definition details for a Security Hub control. Details include the control title, description, Region availability, parameters, and other information.

aws securityhub get-security-control-definition \
    --security-control-id ACM.1

Output:

{
    "SecurityControlDefinition": {
        "SecurityControlId": "ACM.1",
        "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
        "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
        "SeverityRating": "MEDIUM",
        "CurrentRegionAvailability": "AVAILABLE",
        "ParameterDefinitions": {
            "daysToExpiration": {
                "Description": "Number of days within which the ACM certificate must be renewed",
                "ConfigurationOptions": {
                    "Integer": {
                        "DefaultValue": 30,
                        "Min": 14,
                        "Max": 365
                    }
                }
            }
        }
    }
}

For more information, see Custom control parameters in the AWS Security Hub User Guide.

The following code example shows how to use invite-members.

AWS CLI

To send invitations to member accounts

The following invite-members example sends invitations to the specified member accounts.

aws securityhub invite-members \
    --account-ids "123456789111" "123456789222"

Output:

{
    "UnprocessedAccounts": []
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see InviteMembers in the AWS CLI Command Reference.

The following code example shows how to use list-automation-rules.

AWS CLI

To view a list of automation rules

The following list-automation-rules example lists the automation rules for an AWS account. Only the Security Hub administrator account can run this command.

aws securityhub list-automation-rules \
    --max-results 3 \
    --next-token NULL

Output:

{
    "AutomationRulesMetadata": [
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "Suppress informational findings",
            "Description": "Suppress GuardDuty findings with Informational severity",
            "IsTerminal": false,
            "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
            "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        },
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "sample rule",
            "Description": "A sample rule",
            "IsTerminal": false,
            "CreatedAt": "2023-07-15T23:37:20.223000+00:00",
            "UpdatedAt": "2023-07-15T23:37:20.223000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        },
        {
            "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "RuleStatus": "ENABLED",
            "RuleOrder": 1,
            "RuleName": "sample rule",
            "Description": "A sample rule",
            "IsTerminal": false,
            "CreatedAt": "2023-07-15T23:45:25.126000+00:00",
            "UpdatedAt": "2023-07-15T23:45:25.126000+00:00",
            "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
        }
    ]
}

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

The following code example shows how to use list-configuration-policies.

AWS CLI

To list configuration policy summaries

The following list-configuration-policies example lists a summary of the configuration policies for the organization.

aws securityhub list-configuration-policies \
    --max-items 3

Output:

{
    "ConfigurationPolicySummaries": [
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "SampleConfigurationPolicy1",
            "Description": "SampleDescription1",
            "UpdatedAt": "2023-09-26T21:08:36.214000+00:00",
            "ServiceEnabled": true
        },
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "Name": "SampleConfigurationPolicy2",
            "Description": "SampleDescription2",
            "UpdatedAt": "2023-11-28T19:26:25.207000+00:00",
            "ServiceEnabled": true
        },
        {
            "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "Name": "SampleConfigurationPolicy3",
            "Description": "SampleDescription3",
            "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
            "ServiceEnabled": true
        }
    ]
}

For more information, see Viewing AWS Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use list-configuration-policy-associations.

AWS CLI

To list configuration associations

The following list-configuration-policy-associations example lists a summary of the configuration associations for the organization. The response includes associations with configuration policies and with self-managed behavior.

aws securityhub list-configuration-policy-associations \
    --association-type "APPLIED" \
    --max-items 4

Output:

{
    "ConfigurationPolicyAssociationSummaries": [
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "TargetId": "r-1ab2",
            "TargetType": "ROOT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-11-28T19:26:49.417000+00:00",
            "AssociationStatus": "FAILED",
            "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed."
        },
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "TargetId": "ou-1ab2-c3de4f5g",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:14:05.283000+00:00",
            "AssociationStatus": "FAILED",
            "AssociationStatusMessage": "One or more children under this target failed association."
        },
        {
            "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
            "TargetId": "ou-6hi7-8j91kl2m",
            "TargetType": "ORGANIZATIONAL_UNIT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
            "AssociationStatus": "SUCCESS",
            "AssociationStatusMessage": "Association applied successfully on this target."
        },
        {
            "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
            "TargetId": "111122223333",
            "TargetType": "ACCOUNT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2023-11-28T22:01:26.409000+00:00",
            "AssociationStatus": "SUCCESS"
        }
    ]
}

For more information, see Viewing AWS Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use list-enabled-products-for-import.

AWS CLI

To return the list of enabled product integrations

The following list-enabled-products-for-import example returns the list of subscription ARNs for the product integrations that are currently enabled.

aws securityhub list-enabled-products-for-import

Output:

{
    "ProductSubscriptions": [
        "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",
        "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub"
    ]
}

For more information, see Managing product integrations in the AWS Security Hub User Guide.

The following code example shows how to use list-finding-aggregators.

AWS CLI

To list the available finding aggregators

The following list-finding-aggregators example returns the ARN of the finding aggregation configuration.

aws securityhub list-finding-aggregators

Output:

{
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000"
}

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

The following code example shows how to use list-invitations.

AWS CLI

To display the list of invitations

The following list-invitations example retrieves the list of invitations sent to the requesting account.

aws securityhub list-invitations

Output:

{
    "Invitations": [
        {
            "AccountId": "123456789012",
            "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
            "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
            "MemberStatus": "ASSOCIATED"
        }
    ]
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see ListInvitations in the AWS CLI Command Reference.

The following code example shows how to use list-members.

AWS CLI

To retrieve the list of member accounts

The following list-members example returns the list of member accounts for the requesting administrator account.

aws securityhub list-members

Output:

{
    "Members": [
        {
            "AccountId": "123456789111",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        },
        {
            "AccountId": "123456789222",
            "AdministratorId": "123456789012",
            "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
            "MasterId": "123456789012",
            "MemberStatus": "ASSOCIATED",
            "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
        }
    ]
}

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

  • For API details, see ListMembers in the AWS CLI Command Reference.

The following code example shows how to use list-organization-admin-accounts.

AWS CLI

To list the designated Security Hub administrator accounts

The following list-organization-admin-accounts example lists the Security Hub administrator accounts for an organization.

aws securityhub list-organization-admin-accounts

Output:

{
    "AdminAccounts": [
        {
            "AccountId": "777788889999",
            "Status": "ENABLED"
        }
    ]
}

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

The following code example shows how to use list-security-control-definitions.

AWS CLI

Example 1: To list all available security controls

The following list-security-control-definitions example lists the available security controls across all Security Hub standards. This example limits the results to three controls.

aws securityhub list-security-control-definitions \
    --max-items 3

Output:

{
    "SecurityControlDefinitions": [
        {
            "SecurityControlId": "ACM.1",
            "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
            "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": [
                "Parameters"
            ]
        },
        {
            "SecurityControlId": "ACM.2",
            "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits",
            "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation",
            "SeverityRating": "HIGH",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "APIGateway.1",
            "Title": "API Gateway REST and WebSocket API execution logging should be enabled",
            "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": [
                "Parameters"
            ]
        }
    ],
    "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg=="
}

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

Example 2: To list the available security controls for a specific standard

The following list-security-control-definitions example lists the available security controls for CIS AWS Foundations Benchmark v1.4.0. This example limits the results to three controls.

aws securityhub list-security-control-definitions \
    --standards-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
    --max-items 3

Output:

{
    "SecurityControlDefinitions": [
        {
            "SecurityControlId": "CloudTrail.1",
            "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation",
            "SeverityRating": "HIGH",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "CloudTrail.2",
            "Title": "CloudTrail should have encryption at-rest enabled",
            "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        },
        {
            "SecurityControlId": "CloudTrail.4",
            "Title": "CloudTrail log file validation should be enabled",
            "Description": "This AWS control checks whether CloudTrail log file validation is enabled.",
            "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation",
            "SeverityRating": "MEDIUM",
            "CurrentRegionAvailability": "AVAILABLE",
            "CustomizableProperties": []
        }
    ],
    "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ=="
}

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

The following code example shows how to use list-standards-control-associations.

AWS CLI

To get the enablement status of a control in each enabled standard

The following list-standards-control-associations example lists the enablement status of CloudTrail.1 in each enabled standard.

aws securityhub list-standards-control-associations \
    --security-control-id CloudTrail.1

Output:

{
    "StandardsControlAssociationSummaries": [
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "NIST.800-53.r5 AC-2(4)",
                "NIST.800-53.r5 AC-4(26)",
                "NIST.800-53.r5 AC-6(9)",
                "NIST.800-53.r5 AU-10",
                "NIST.800-53.r5 AU-12",
                "NIST.800-53.r5 AU-2",
                "NIST.800-53.r5 AU-3",
                "NIST.800-53.r5 AU-6(3)",
                "NIST.800-53.r5 AU-6(4)",
                "NIST.800-53.r5 AU-14(1)",
                "NIST.800-53.r5 CA-7",
                "NIST.800-53.r5 SC-7(9)",
                "NIST.800-53.r5 SI-3(8)",
                "NIST.800-53.r5 SI-4(20)",
                "NIST.800-53.r5 SI-7(8)",
                "NIST.800-53.r5 SA-8(22)"
            ],
            "UpdatedAt": "2023-05-15T17:52:21.304000+00:00",
            "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations 2.1"
            ],
            "UpdatedAt": "2020-02-10T21:22:53.998000+00:00",
            "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
            "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service."
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "DISABLED",
            "RelatedRequirements": [],
            "UpdatedAt": "2023-05-15T19:31:52.671000+00:00",
            "UpdatedReason": "Alternative compensating controls are in place",
            "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
            "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
            "SecurityControlId": "CloudTrail.1",
            "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
            "AssociationStatus": "ENABLED",
            "RelatedRequirements": [
                "CIS AWS Foundations Benchmark v1.4.0/3.1"
            ],
            "UpdatedAt": "2022-11-10T15:40:36.021000+00:00",
            "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
            "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
        }
    ]
}

For more information, see Enabling and disabling controls in specific standards in the AWS Security Hub User Guide.

The following code example shows how to use list-tags-for-resource.

AWS CLI

To retrieve the tags assigned to a resource

The following list-tags-for-resource example returns the tags assigned to the specified hub resource.

aws securityhub list-tags-for-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

{
    "Tags": {
        "Department": "Operations",
        "Area": "USMidwest"
    }
}

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

The following code example shows how to use start-configuration-policy-association.

AWS CLI

Example 1: To associate a configuration policy

The following start-configuration-policy-association example associates the specified configuration policy with the specified organizational unit. A configuration may be associated with a target account, organizational unit, or the root.

aws securityhub start-configuration-policy-association \
    --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

{
    "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "TargetId": "ou-6hi7-8j91kl2m",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
    "AssociationStatus": "PENDING"
}

For more information, see Creating and associating AWS Security Hub configuration policies in the AWS Security Hub User Guide.

Example 2: To associate a self-managed configuration

The following start-configuration-policy-association example associates a self-managed configuration with the specified account. Because the target is an account, the target is given as an AccountId (an OrganizationalUnitId key would not match the ACCOUNT target type in the output).

aws securityhub start-configuration-policy-association \
    --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
    --target '{"AccountId": "123456789012"}'

Output:

{
    "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
    "TargetId": "123456789012",
    "TargetType": "ACCOUNT",
    "AssociationType": "APPLIED",
    "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
    "AssociationStatus": "PENDING"
}

For more information, see Creating and associating AWS Security Hub configuration policies in the AWS Security Hub User Guide.

The following code example shows how to use start-configuration-policy-disassociation.

AWS CLI

Example 1: To disassociate a configuration policy

The following start-configuration-policy-disassociation example disassociates a configuration policy from the specified organizational unit. A configuration can be disassociated from a target account, organizational unit, or the organization root.

aws securityhub start-configuration-policy-disassociation \
    --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.

Example 2: To disassociate a self-managed configuration

The following start-configuration-policy-disassociation example disassociates a self-managed configuration from the specified account.

aws securityhub start-configuration-policy-disassociation \
    --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
    --target '{"AccountId": "123456789012"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.
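The association and disassociation examples above take the same --target document, and the only thing that distinguishes an account target from an OU or root target is the JSON key. The following shell helper is an added example, not code from the AWS documentation: it builds that document from a target kind and an ID, rejects IDs whose shape does not match the kind (a 12-digit account number offered as an OU ID, for instance), and prints the resulting start-configuration-policy-association or start-configuration-policy-disassociation command. The ID patterns are the example's own assumptions (12 digits for an account, the usual ou-xxxx-xxxxxxxx and r-xxxx shapes for OUs and roots), and DRY_RUN=1 (the default) prints the command instead of calling the AWS CLI.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): build and sanity-check the
# --target argument for start-configuration-policy-association and
# start-configuration-policy-disassociation before calling the API.
# Assumptions: ID shapes below; DRY_RUN=1 (default) prints the command,
# DRY_RUN=0 runs it with the delegated administrator's credentials.
set -eu

matches() { printf '%s' "$1" | grep -Eq "$2"; }

# JSON for --target. $1 = account | ou | root, $2 = the ID.
# The JSON key must match the target kind: AccountId, OrganizationalUnitId
# or RootId. A mismatched ID shape is refused here rather than by the API.
sh_target_json() {
  kind=$1; id=$2
  case "$kind" in
    account)
      matches "$id" '^[0-9]{12}$' || { echo "bad account id: $id" >&2; return 1; }
      printf '{"AccountId": "%s"}' "$id" ;;
    ou)
      matches "$id" '^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$' || { echo "bad OU id: $id" >&2; return 1; }
      printf '{"OrganizationalUnitId": "%s"}' "$id" ;;
    root)
      matches "$id" '^r-[0-9a-z]{4,32}$' || { echo "bad root id: $id" >&2; return 1; }
      printf '{"RootId": "%s"}' "$id" ;;
    *) echo "unknown target kind: $kind (use account, ou or root)" >&2; return 1 ;;
  esac
}

# Print or run the call. $1 = association | disassociation,
# $2 = configuration policy ARN or SELF_MANAGED_SECURITY_HUB,
# $3 = target kind, $4 = target ID.
sh_policy_call() {
  action=$1; policy=$2; kind=$3; id=$4
  case "$action" in
    association|disassociation) ;;
    *) echo "bad action: $action" >&2; return 1 ;;
  esac
  target=$(sh_target_json "$kind" "$id") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf "aws securityhub start-configuration-policy-%s --configuration-policy-identifier %s --target '%s'\n" \
      "$action" "$policy" "$target"
  else
    aws securityhub "start-configuration-policy-$action" \
      --configuration-policy-identifier "$policy" --target "$target"
  fi
}

# The page's two examples, reproduced through the helper.
sh_policy_call association \
  "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
  ou ou-6hi7-8j91kl2m
sh_policy_call disassociation SELF_MANAGED_SECURITY_HUB account 123456789012
```

Run it with DRY_RUN=0 to execute the calls; because the check runs before anything is sent, a wrong key or a malformed ID fails locally instead of producing a PENDING association against the wrong target.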

The following code example shows how to use tag-resource.

AWS CLI

To assign tags to a resource

The following tag-resource example assigns values for the Department and Area tags to the specified hub resource.

aws securityhub tag-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
    --tags '{"Department":"Operations", "Area":"USMidwest"}'

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see TagResource in the AWS CLI Command Reference.

The following code example shows how to use untag-resource.

AWS CLI

To remove a tag from a resource

The following untag-resource example removes the Department tag from the specified hub resource.

aws securityhub untag-resource \
    --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
    --tag-keys "Department"

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

  • For API details, see UntagResource in the AWS CLI Command Reference.

The following code example shows how to use update-action-target.

AWS CLI

To update a custom action

The following update-action-target example updates the name of the custom action identified by the specified ARN.

aws securityhub update-action-target \
    --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" \
    --name "Send to remediation"

This command produces no output.

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

The following code example shows how to use update-configuration-policy.

AWS CLI

To update a configuration policy

The following update-configuration-policy example updates an existing configuration policy to use the specified settings: it enables two standards, disables the CloudWatch.1 control, and sets a custom value for the daysToExpiration parameter of ACM.1. Note that --configuration-policy is one complete JSON document that replaces the policy's previous configuration, so it must list every standard, disabled control and custom parameter that should remain in effect, not only the ones being changed.

aws securityhub update-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:508236694226:configuration-policy/09f37766-57d8-4ede-9d33-5d8b0fecf70e" \
    --name "SampleConfigurationPolicyUpdated" \
    --description "SampleDescriptionUpdated" \
    --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \
    --updated-reason "Disabling CloudWatch.1 and changing parameter value"

Output:

{
    "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "SampleConfigurationPolicyUpdated",
    "Description": "SampleDescriptionUpdated",
    "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
    "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudWatch.1"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 21
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

For more information, see Updating Security Hub configuration policies in the AWS Security Hub User Guide.
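The --configuration-policy document above is the part of this call that is easiest to get wrong: a misplaced quote or a typo in a control ID produces either a CLI parse error or a policy that silently fails to disable the control you meant. The following shell helper is an added example, not code from the AWS documentation. It assembles the same document from validated pieces (standards ARNs, control IDs to disable, integer control parameters) and prints the update-configuration-policy command. The identifier patterns are the example's own assumptions: a control ID looks like ACM.1, and a standards identifier is a Security Hub standards/ or ruleset/ ARN as shown on this page. DRY_RUN=1 (the default) prints the command; DRY_RUN=0 runs it.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): assemble the
# --configuration-policy JSON for update-configuration-policy from
# validated pieces instead of hand-editing one long quoted string.
# The regexes are this example's assumptions about identifier shapes.
set -eu

matches() { printf '%s' "$1" | grep -Eq "$2"; }
CONTROL_ID_RE='^[A-Za-z0-9]+\.[0-9]+$'
STANDARD_ARN_RE='^arn:aws:securityhub:[a-z0-9-]*::(standards|ruleset)/[a-z0-9.-]+/v/[0-9.]+$'

# JSON array of strings from the remaining arguments; every element must
# match the regex in $1 or the whole list is rejected.
sh_json_list() {
  pattern=$1; shift
  out=""
  for item in "$@"; do
    matches "$item" "$pattern" || { echo "rejected identifier: $item" >&2; return 1; }
    out="${out:+$out, }\"$item\""
  done
  printf '[%s]' "$out"
}

# One SecurityControlCustomParameters element with an integer parameter.
# $1 = control ID, $2 = parameter name, $3 = integer value
sh_int_param() {
  matches "$1" "$CONTROL_ID_RE" || { echo "bad control id: $1" >&2; return 1; }
  matches "$3" '^[0-9]+$' || { echo "integer expected for $2: $3" >&2; return 1; }
  printf '{"SecurityControlId": "%s", "Parameters": {"%s": {"ValueType": "CUSTOM", "Value": {"Integer": %s}}}}' \
    "$1" "$2" "$3"
}

# Whole policy document. $1 = space-separated standards ARNs,
# $2 = space-separated control IDs to disable (may be empty),
# $3 = comma-joined sh_int_param output (may be empty).
sh_config_policy() {
  standards=$(sh_json_list "$STANDARD_ARN_RE" $1) || return 1   # unquoted on purpose: split on spaces
  disabled=$(sh_json_list "$CONTROL_ID_RE" $2) || return 1
  printf '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": %s, "SecurityControlsConfiguration": {"DisabledSecurityControlIdentifiers": %s, "SecurityControlCustomParameters": [%s]}}}' \
    "$standards" "$disabled" "${3:-}"
}

# Print or run the update. $1 = policy ARN, $2 = name, $3 = reason, $4 = policy JSON
sh_update_policy() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf "aws securityhub update-configuration-policy --identifier %s --name %s --updated-reason '%s' --configuration-policy '%s'\n" \
      "$1" "$2" "$3" "$4"
  else
    aws securityhub update-configuration-policy --identifier "$1" --name "$2" \
      --updated-reason "$3" --configuration-policy "$4"
  fi
}

# The page's example: FSBP v1.0.0 and CIS v1.2.0 enabled, CloudWatch.1
# disabled, ACM.1 daysToExpiration set to 21.
POLICY=$(sh_config_policy \
  "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0 arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" \
  "CloudWatch.1" \
  "$(sh_int_param ACM.1 daysToExpiration 21)")
sh_update_policy \
  "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
  SampleConfigurationPolicyUpdated "Disabling CloudWatch.1 and changing parameter value" "$POLICY"
```

Because the whole document is regenerated on every run, keeping the input lists in version control gives you a reviewable record of which controls are disabled and why, alongside the --updated-reason you pass to the API.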

The following code example shows how to use update-finding-aggregator.

AWS CLI

To update the current finding aggregation configuration

The following update-finding-aggregator example changes the finding aggregation configuration so that findings are linked from selected Regions. It is run from US East (N. Virginia), which is the aggregation Region, and selects US West (N. California) and US West (Oregon) as the linked Regions. With --region-linking-mode SPECIFIED_REGIONS the --regions list is required; it names the Regions whose findings are replicated to the aggregation Region.

aws securityhub update-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1,us-west-2

This command produces no output.

For more information, see Updating the finding aggregation configuration in the AWS Security Hub User Guide.
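The coupling between --region-linking-mode and --regions is the practical pitfall in this call: SPECIFIED_REGIONS and ALL_REGIONS_EXCEPT_SPECIFIED need a region list, ALL_REGIONS must not have one, and the aggregation Region itself has no business appearing in the list of linked Regions. The following shell helper is an added example, not code from the AWS documentation; it checks those constraints and the shape of each Region name locally and prints the update-finding-aggregator command. Its assumptions: Region names follow the usual xx-name-N pattern (with an optional -gov segment), only the three linking modes just named are accepted (anything else is rejected conservatively), and DRY_RUN=1 (the default) prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): validate the
# --region-linking-mode / --regions combination for update-finding-aggregator
# before calling the API. Only ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED and
# SPECIFIED_REGIONS are handled; other modes are rejected by this helper.
set -eu

matches() { printf '%s' "$1" | grep -Eq "$2"; }
REGION_RE='^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'   # assumption: usual Region name shape

# Print the argument tail for the call, or fail with a reason on stderr.
# $1 = aggregation (home) Region, $2 = linking mode,
# $3 = comma-separated linked Regions (may be empty or omitted).
sh_aggregator_args() {
  home=$1; mode=$2; regions=${3:-}
  case "$mode" in
    SPECIFIED_REGIONS|ALL_REGIONS_EXCEPT_SPECIFIED)
      [ -n "$regions" ] || { echo "$mode requires --regions" >&2; return 1; } ;;
    ALL_REGIONS)
      [ -z "$regions" ] || { echo "ALL_REGIONS takes no --regions" >&2; return 1; } ;;
    *) echo "unsupported linking mode: $mode" >&2; return 1 ;;
  esac
  if [ -n "$regions" ]; then
    old_ifs=$IFS; IFS=,
    for r in $regions; do
      matches "$r" "$REGION_RE" || { IFS=$old_ifs; echo "bad Region name: $r" >&2; return 1; }
      [ "$r" != "$home" ] || { IFS=$old_ifs; echo "home Region $home cannot be a linked Region" >&2; return 1; }
    done
    IFS=$old_ifs
    printf '%s' "--region-linking-mode $mode --regions $regions"
  else
    printf '%s' "--region-linking-mode $mode"
  fi
}

# Print or run the update. $1 = home Region, $2 = aggregator ARN,
# $3 = linking mode, $4 = comma-separated Regions (optional).
sh_update_aggregator() {
  tail=$(sh_aggregator_args "$1" "$3" "${4:-}") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'aws securityhub update-finding-aggregator --region %s --finding-aggregator-arn %s %s\n' \
      "$1" "$2" "$tail"
  else
    # $tail is intentionally word-split into separate CLI arguments.
    aws securityhub update-finding-aggregator --region "$1" --finding-aggregator-arn "$2" $tail
  fi
}

# The page's example: aggregate from us-west-1 and us-west-2 into us-east-1.
sh_update_aggregator us-east-1 \
  arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
  SPECIFIED_REGIONS us-west-1,us-west-2
```

Switching to ALL_REGIONS is the same call with the mode changed and the region list dropped; the helper refuses the combination of ALL_REGIONS with a list, which the API would otherwise reject only after the round trip.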

The following code example shows how to use update-insight.

AWS CLI

Example 1: To change the filters for a custom insight

The following update-insight example changes the filters for a custom insight. The updated insight looks for high-severity findings that are related to AWS roles.

aws securityhub update-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
    --name "High severity role findings"

This command produces no output.

Example 2: To change the grouping attribute for a custom insight

The following update-insight example changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.

aws securityhub update-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --group-by-attribute "ResourceId" \
    --name "Critical role findings"

The update-insight command itself produces no output. Retrieving the updated insight with get-insights returns the following, which shows the new grouping attribute alongside the insight's existing filters:

{
    "Insights": [
        {
            "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "Critical role findings",
            "Filters": {
                "SeverityLabel": [
                    {
                        "Value": "CRITICAL",
                        "Comparison": "EQUALS"
                    }
                ],
                "ResourceType": [
                    {
                        "Value": "AwsIamRole",
                        "Comparison": "EQUALS"
                    }
                ]
            },
            "GroupByAttribute": "ResourceId"
        }
    ]
}

For more information, see Managing custom insights in the AWS Security Hub User Guide.

  • For API details, see UpdateInsight in the AWS CLI Command Reference.

The following code example shows how to use update-organization-configuration.

AWS CLI

To update how Security Hub is configured for an organization

The following update-organization-configuration example specifies that Security Hub should use central configuration to configure the organization. After running this command, the delegated Security Hub administrator can create and manage configuration policies to configure the organization. The delegated administrator can also use this command to switch from central configuration to local configuration. If local configuration is the configuration type, the delegated administrator can choose whether to automatically enable Security Hub and the default security standards in new organization accounts. With central configuration, auto-enable is turned off (--no-auto-enable), because enablement is governed by the configuration policies instead.

aws securityhub update-organization-configuration \
    --no-auto-enable \
    --organization-configuration '{"ConfigurationType": "CENTRAL"}'

This command produces no output.

For more information, see Managing accounts with AWS Organizations in the AWS Security Hub User Guide.

The following code example shows how to use update-security-control.

AWS CLI

To update security control properties

The following update-security-control example specifies a custom value for a Security Hub control parameter: the ACM.1 control will flag certificates that expire within 15 days instead of the default threshold.

aws securityhub update-security-control \
    --security-control-id ACM.1 \
    --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \
    --last-update-reason "Internal compliance requirement"

This command produces no output.

For more information, see Custom control parameters in the AWS Security Hub User Guide.

The following code example shows how to use update-security-hub-configuration.

AWS CLI

To update the Security Hub configuration

The following update-security-hub-configuration example configures Security Hub to automatically enable new controls for enabled standards.

aws securityhub update-security-hub-configuration \
    --auto-enable-controls

This command produces no output.

For more information, see Automatically enabling new controls in the AWS Security Hub User Guide.

The following code example shows how to use update-standards-control.

AWS CLI

Example 1: To disable a control

The following update-standards-control example disables the PCI.AutoScaling.1 control. A reason is recorded with --disabled-reason so that the exception can be audited later.

aws securityhub update-standards-control \
    --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
    --control-status "DISABLED" \
    --disabled-reason "Not applicable for my service"

This command produces no output.

Example 2: To enable a control

The following update-standards-control example enables the PCI.AutoScaling.1 control.

aws securityhub update-standards-control \
    --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
    --control-status "ENABLED"

This command produces no output.

For more information, see Disabling and enabling individual controls in the AWS Security Hub User Guide.