Amazon EventBridge event schema for Amazon Inspector events - Amazon Inspector


Amazon EventBridge event schema for Amazon Inspector events

Amazon EventBridge delivers a stream of real-time data from your applications and other AWS services to targets such as AWS Lambda functions, Amazon Simple Notification Service topics, and data streams in Amazon Kinesis Data Streams. To support integration with other applications, services, and systems, Amazon Inspector automatically publishes findings to EventBridge as events. You can use Amazon Inspector to publish events about findings, coverage, and scans. This section provides example schemas for those EventBridge events.

Basic schema for Amazon Inspector EventBridge events

The following is an example of the basic schema of an Amazon Inspector EventBridge event. The contents of the event details vary by event type.

{
  "version": "0",
  "id": "Event ID",
  "detail-type": "Inspector2 *event type*",
  "source": "aws.inspector2",
  "account": "AWS account ID (string)",
  "time": "event timestamp (string)",
  "region": "AWS Region (string)",
  "resources": [
    *IDs or ARNs of the resources involved in the event*
  ],
  "detail": {
    *Details of an Amazon Inspector event type*
  }
}

Example event schema for Amazon Inspector findings

The following is an example schema of an Amazon Inspector EventBridge event for a finding. A finding event is created when Amazon Inspector discovers a software vulnerability or a network issue in one of your resources. For guidance on creating notifications in response to such events, see Creating custom responses to Amazon Inspector findings with Amazon EventBridge.

The following fields identify a finding event:

  • The detail-type field is set to Inspector2 Finding.

  • The detail object describes the finding.

Choose from the options to see the event schema for findings on different resource types and of different finding types.

Amazon EC2 package vulnerability finding

{
  "version": "0",
  "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T22:46:15Z",
  "region": "us-east-1",
  "resources": ["i-0c2a343f1948d5205"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).",
    "exploitAvailable": "YES",
    "exploitabilityDetails": { "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM" },
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "fixAvailable": "YES",
    "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 4.7,
          "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": [
        "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/",
        "https://ubuntu.com/security/notices/USN-5792-1",
        "https://ubuntu.com/security/notices/USN-5791-2",
        "https://ubuntu.com/security/notices/USN-5791-1",
        "https://ubuntu.com/security/notices/USN-5793-2",
        "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d",
        "https://ubuntu.com/security/notices/USN-5793-1",
        "https://ubuntu.com/security/notices/USN-5792-2",
        "https://ubuntu.com/security/notices/USN-5791-3",
        "https://ubuntu.com/security/notices/USN-5793-4",
        "https://ubuntu.com/security/notices/USN-5793-3",
        "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"
      ],
      "relatedVulnerabilities": [],
      "source": "UBUNTU_CVE",
      "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
      "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
      "vendorSeverity": "medium",
      "vulnerabilityId": "CVE-2022-3303",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:5.15.0.1027.31~20.04.16",
          "name": "linux-image-aws",
          "packageManager": "OS",
          "remediation": "apt update && apt install --only-upgrade linux-image-aws",
          "version": "5.15.0.1026.30~20.04.16"
        }
      ]
    },
    "remediation": { "recommendation": { "text": "None Provided" } },
    "resources": [
      {
        "details": {
          "awsEc2Instance": {
            "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
            "imageId": "ami-0b7ff1a8d69f1bb35",
            "ipV4Addresses": ["172.31.85.212", "44.203.45.27"],
            "ipV6Addresses": [],
            "launchedAt": "Jan 19, 2023, 7:53:14 PM",
            "platform": "UBUNTU_20_04",
            "subnetId": "subnet-8213f2a3",
            "type": "t2.micro",
            "vpcId": "vpc-ab6650d1"
          }
        },
        "id": "i-0c2a343f1948d5205",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "CVE-2022-3303 - linux-image-aws",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 10:46:15 PM"
  }
}
Amazon EC2 network reachability finding

{
  "version": "0",
  "id": "d0384f63-1621-1b75-d014-a5e45628ef3e",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T09:17:57Z",
  "region": "us-east-1",
  "resources": ["i-0a96278c2206a8e4b"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "On the instance i-0a96278c2206a8e4b, the port range 22-22 is reachable from the InternetGateway igw-72069c09 from an attached ENI eni-0976efe678170408f.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 20, 2023, 9:17:57 AM",
    "lastObservedAt": "Jan 20, 2023, 9:17:57 AM",
    "networkReachabilityDetails": {
      "networkPath": {
        "steps": [
          { "componentId": "igw-72069c09", "componentType": "AWS::EC2::InternetGateway" },
          { "componentId": "acl-91d74eec", "componentType": "AWS::EC2::NetworkAcl" },
          { "componentId": "sg-0aaed0af450bd0165", "componentType": "AWS::EC2::SecurityGroup" },
          { "componentId": "eni-0976efe678170408f", "componentType": "AWS::EC2::NetworkInterface" },
          { "componentId": "i-0a96278c2206a8e4b", "componentType": "AWS::EC2::Instance" }
        ]
      },
      "openPortRange": { "begin": 22, "end": 22 },
      "protocol": "TCP"
    },
    "remediation": {
      "recommendation": {
        "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path."
      }
    },
    "resources": [
      {
        "details": {
          "awsEc2Instance": {
            "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
            "imageId": "ami-0b5eea76982371e91",
            "ipV4Addresses": ["3.89.90.19", "172.31.93.57"],
            "ipV6Addresses": [],
            "keyName": "example-inspector-test",
            "launchedAt": "Jan 19, 2023, 7:25:02 PM",
            "platform": "AMAZON_LINUX_2",
            "subnetId": "subnet-8213f2a3",
            "type": "t2.micro",
            "vpcId": "vpc-ab6650d1"
          }
        },
        "id": "i-0a96278c2206a8e4b",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "Port 22 is reachable from an Internet Gateway",
    "type": "NETWORK_REACHABILITY",
    "updatedAt": "Jan 20, 2023, 9:17:57 AM"
  }
}
Amazon ECR package vulnerability finding

{
  "version": "0",
  "id": "5b52952e-26df-3a51-6d14-4dbe737e58ec",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T21:59:00Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13"
  ],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.",
    "exploitAvailable": "NO",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 9:59:00 PM",
    "fixAvailable": "YES",
    "inspectorScore": 7.5,
    "inspectorScoreDetails": {
      "adjustedCvss": {
        "adjustments": [],
        "cvssSource": "NVD",
        "score": 7.5,
        "scoreSource": "NVD",
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
      }
    },
    "lastObservedAt": "Jan 19, 2023, 9:59:00 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 5,
          "scoringVector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "source": "NVD",
          "version": "2.0"
        },
        {
          "baseScore": 7.5,
          "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": [
        "https://hackerone.com/reports/1555796",
        "https://security.gentoo.org/glsa/202212-01",
        "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html",
        "https://www.debian.org/security/2022/dsa-5197"
      ],
      "relatedVulnerabilities": [],
      "source": "NVD",
      "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782",
      "vendorCreatedAt": "Jun 2, 2022, 2:15:00 PM",
      "vendorSeverity": "HIGH",
      "vendorUpdatedAt": "Jan 5, 2023, 5:51:00 PM",
      "vulnerabilityId": "CVE-2022-27782",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:7.61.1-22.el8_6.3",
          "name": "libcurl",
          "packageManager": "OS",
          "release": "22.el8",
          "remediation": "yum update libcurl",
          "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b",
          "version": "7.61.1"
        },
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:7.61.1-22.el8_6.3",
          "name": "curl",
          "packageManager": "OS",
          "release": "22.el8",
          "remediation": "yum update curl",
          "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b",
          "version": "7.61.1"
        }
      ]
    },
    "remediation": { "recommendation": { "text": "None Provided" } },
    "resources": [
      {
        "details": {
          "awsEcrContainerImage": {
            "architecture": "amd64",
            "imageHash": "sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13",
            "imageTags": ["o3"],
            "platform": "ORACLE_LINUX_8",
            "pushedAt": "Jan 19, 2023, 7:38:39 PM",
            "registry": "111122223333",
            "repositoryName": "inspector2"
          }
        },
        "id": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_ECR_CONTAINER_IMAGE"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "CVE-2022-27782 - libcurl, curl",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 9:59:00 PM"
  }
}
Lambda package vulnerability finding

{
  "version": "0",
  "id": "040bb590-3a12-353f-ecb1-05e54b0fbea7",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T19:20:25Z",
  "region": "us-east-1",
  "resources": ["arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
    "exploitAvailable": "NO",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 7:20:25 PM",
    "fixAvailable": "YES",
    "inspectorScore": 7.5,
    "inspectorScoreDetails": {
      "adjustedCvss": {
        "cvssSource": "NVD",
        "score": 7.5,
        "scoreSource": "NVD",
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
      }
    },
    "lastObservedAt": "Jan 19, 2023, 7:20:25 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 7.5,
          "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434"],
      "relatedVulnerabilities": [],
      "source": "NVD",
      "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
      "vendorCreatedAt": "Sep 16, 2022, 10:15:00 AM",
      "vendorSeverity": "HIGH",
      "vendorUpdatedAt": "Nov 25, 2022, 11:15:00 AM",
      "vulnerabilityId": "CVE-2022-40152",
      "vulnerablePackages": [
        {
          "epoch": 0,
          "filePath": "lib/woodstox-core-6.2.7.jar",
          "fixedInVersion": "6.4.0",
          "name": "com.fasterxml.woodstox:woodstox-core",
          "packageManager": "JAR",
          "remediation": "Update woodstox-core to 6.4.0",
          "version": "6.2.7"
        }
      ]
    },
    "remediation": { "recommendation": { "text": "None Provided" } },
    "resources": [
      {
        "details": {
          "awsLambdaFunction": {
            "architectures": ["X86_64"],
            "codeSha256": "+EwrOrht2um4fdVCD73gj+O7HJIAUvUxi8AD0eKHSkc=",
            "executionRoleArn": "arn:aws:iam::111122223333:role/ExampleFunction-ExecutionRole",
            "functionName": "Example-function",
            "lastModifiedAt": "Nov 7, 2022, 8:29:27 PM",
            "packageType": "ZIP",
            "runtime": "JAVA_11",
            "version": "$LATEST"
          }
        },
        "id": "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST",
        "partition": "aws",
        "region": "us-east-1",
        "tags": { "TargetAlias": "DeploymentStack", "SoftwareType": "Infrastructure" },
        "type": "AWS_LAMBDA_FUNCTION"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "CVE-2022-40152 - com.fasterxml.woodstox:woodstox-core",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 7:20:25 PM"
  }
}
Lambda code vulnerability finding

{
  "version": "0",
  "id": "9df01cb1-df24-bc46-5650-085a4087e7aa",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-12-07T22:14:45Z",
  "region": "us-east-1",
  "resources": ["arn:aws:lambda:us-east-1:111122223333:function:code-finding:$LATEST"],
  "detail": {
    "awsAccountId": "111122223333",
    "codeVulnerabilityDetails": {
      "detectorId": "python/lambda-override-reserved@v1.0",
      "detectorName": "Override of reserved variable names in a Lambda function",
      "detectorTags": [
        "availability",
        "aws-python-sdk",
        "aws-lambda",
        "data-integrity",
        "maintainability",
        "security",
        "security-context",
        "python"
      ],
      "filePath": {
        "endLine": 6,
        "fileName": "lambda_function.py",
        "filePath": "lambda_function.py",
        "startLine": 6
      },
      "ruleId": "Rule-434311"
    },
    "description": "Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior or failure of the Lambda function.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Aug 8, 2023, 7:33:58 PM",
    "lastObservedAt": "Dec 7, 2023, 10:14:45 PM",
    "remediation": {
      "recommendation": {
        "text": "Your code attempts to override an environment variable that is reserved by the Lambda runtime environment. This can lead to unexpected behavior and might break the execution of your Lambda function.\n\n[Learn more](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime)"
      }
    },
    "resources": [
      {
        "details": {
          "awsLambdaFunction": {
            "architectures": ["X86_64"],
            "codeSha256": "2mtfH+CgubesG6NYpb2zEqBja5WN6FfbH4AAYDuF8RE=",
            "executionRoleArn": "arn:aws:iam::193043430472:role/service-role/code-finding-role-7jgg3wan",
            "functionName": "code-finding",
            "lastModifiedAt": "Dec 7, 2023, 10:12:48 PM",
            "packageType": "ZIP",
            "runtime": "PYTHON_3_7",
            "version": "$LATEST"
          }
        },
        "id": "arn:aws:lambda:us-east-1:193043430472:function:code-finding:$LATEST",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_LAMBDA_FUNCTION"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.",
    "type": "CODE_VULNERABILITY",
    "updatedAt": "Dec 7, 2023, 10:14:45 PM"
  }
}
Note

The detail JSON value returns the details of a single finding as an object. It does not return the full finding response syntax, which supports multiple findings in an array.
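An added example, not code from the Amazon Inspector documentation or the AWS SDK, of a consumer for the finding events shown above: it flattens the detail object for any of the three finding types on this page (PACKAGE_VULNERABILITY, NETWORK_REACHABILITY, CODE_VULNERABILITY) into one record and ranks it for a response queue from the severity, status, exploitAvailable and fixAvailable fields. The sample event is constructed from the EC2 network reachability finding, trimmed to the fields the handler reads; the ranking scheme is an assumption, not an Inspector feature.

```python
# Constructed sample, trimmed from the EC2 network reachability finding shown on this page.
SAMPLE_EVENT = {
    "source": "aws.inspector2", "detail-type": "Inspector2 Finding",
    "account": "111122223333", "region": "us-east-1", "resources": ["i-0a96278c2206a8e4b"],
    "detail": {
        "type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "status": "ACTIVE",
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
        "networkReachabilityDetails": {
            "protocol": "TCP", "openPortRange": {"begin": 22, "end": 22},
            "networkPath": {"steps": [
                {"componentId": "igw-72069c09", "componentType": "AWS::EC2::InternetGateway"},
                {"componentId": "sg-0aaed0af450bd0165", "componentType": "AWS::EC2::SecurityGroup"},
                {"componentId": "i-0a96278c2206a8e4b", "componentType": "AWS::EC2::Instance"}]}},
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0a96278c2206a8e4b"}]}}


def summarize_finding(event: dict) -> dict:
    """Flatten an Inspector2 Finding event into one record; handles the three finding
    types shown on this page and returns only the common fields for any other type."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        raise ValueError("not an Inspector2 Finding event")
    d = event["detail"]
    res = d["resources"][0]  # detail carries a single finding on a single resource
    rec = {
        "finding_arn": d["findingArn"], "finding_type": d["type"],
        "severity": d["severity"], "status": d["status"],
        "resource_type": res["type"], "resource_id": res["id"],
        # exploitAvailable / fixAvailable are present only on package vulnerability findings
        "exploit_available": d.get("exploitAvailable") == "YES",
        "fix_available": d.get("fixAvailable") == "YES",
    }
    if d["type"] == "PACKAGE_VULNERABILITY":
        pv = d["packageVulnerabilityDetails"]
        rec["vulnerability_id"] = pv["vulnerabilityId"]
        rec["remediation"] = [p["remediation"] for p in pv["vulnerablePackages"] if "remediation" in p]
    elif d["type"] == "NETWORK_REACHABILITY":
        nr = d["networkReachabilityDetails"]
        ports = nr["openPortRange"]
        rec["exposure"] = f"{nr['protocol']}/{ports['begin']}-{ports['end']}"
        rec["network_path"] = [s["componentId"] for s in nr["networkPath"]["steps"]]
    elif d["type"] == "CODE_VULNERABILITY":
        cv = d["codeVulnerabilityDetails"]
        rec["detector_id"] = cv["detectorId"]
        rec["location"] = f"{cv['filePath']['filePath']}:{cv['filePath']['startLine']}"
    return rec


def priority(rec: dict) -> int:
    """Assumed queue rank: 0 = act now, 3 = backlog. Active findings rank by severity; one
    that is both exploited in the wild and patchable (exploit + fix available) moves up a rank."""
    if rec["status"] != "ACTIVE":
        return 3
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}.get(rec["severity"], 3)
    return max(rank - 1, 0) if rec["exploit_available"] and rec["fix_available"] else rank
```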

Example event schema for Amazon Inspector initial scan complete events

The following is an example event schema of an Amazon Inspector EventBridge event for a completed initial scan. This event is created when Amazon Inspector completes the initial scan of one of your resources.

The following fields identify an initial scan complete event:

  • The detail-type field is set to Inspector2 Scan.

  • The detail object contains a finding-severity-counts object that gives the number of findings in each applicable severity category, such as CRITICAL, HIGH, and MEDIUM.

Choose from the options to see the initial scan event schema for each resource type.

Amazon EC2 instance initial scan

{
  "version": "0",
  "id": "28a46762-6ac8-6cc4-4f55-bc9ab99af928",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T22:52:35Z",
  "region": "us-east-1",
  "resources": ["i-087d63509b8c97098"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "instance-id": "i-087d63509b8c97098",
    "version": "1.0"
  }
}
Amazon ECR image initial scan

{
  "version": "0",
  "id": "fdaa751a-984c-a709-44f9-9a9da9cd3606",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T23:15:18Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ecr:us-east-1:111122223333:repository/inspector2"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "repository-name": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "image-digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea",
    "image-tags": ["ubuntu22"],
    "version": "1.0"
  }
}
Lambda function initial scan

{
  "version": "0",
  "id": "4f290a7c-361b-c442-03c8-a629f6f20d6c",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-02-23T18:06:03Z",
  "region": "us-west-2",
  "resources": ["arn:aws:lambda:us-west-2:111122223333:function:lambda-example:$LATEST"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "version": "1.0"
  }
}

Example event schema for Amazon Inspector coverage events

The following is an example event schema of an Amazon Inspector EventBridge event for coverage. This event is created when the Amazon Inspector scan coverage of a resource changes. The following fields identify a coverage event:

  • The detail-type field is set to Inspector2 Coverage.

  • The detail object contains a scanStatus object that indicates the new scan status of the resource.

{
  "version": "0",
  "id": "000adda5-0fbf-913e-bc0e-10f0376412aa",
  "detail-type": "Inspector2 Coverage",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T22:51:39Z",
  "region": "us-east-1",
  "resources": ["i-087d63509b8c97098"],
  "detail": {
    "scanStatus": {
      "reason": "UNMANAGED_EC2_INSTANCE",
      "statusCodeValue": "INACTIVE"
    },
    "scanType": "PACKAGE",
    "eventTimestamp": "2023-01-20T22:51:35.665501Z",
    "version": "1.0"
  }
}
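An added example, not AWS code, serving both the initial scan and the coverage sections: two EventBridge event patterns written in the service's own pattern syntax, one matching an INITIAL_SCAN_COMPLETE event whose CRITICAL count is above zero (a deployment gate for container images) and one matching a PACKAGE scan whose status becomes INACTIVE (loss of coverage), plus a local matcher that implements just the subset of EventBridge matching semantics these patterns rely on so they can be unit-tested offline. The sample events are constructed from the ECR initial scan and coverage events on this page, with the severity counts raised from the page's zeros so the gate has something to catch.

```python
import operator

# Constructed samples, trimmed from the ECR image initial scan and EC2 coverage events on this
# page; the severity counts are raised from the page's zeros so the gate has something to catch.
SCAN_EVENT = {"source": "aws.inspector2", "detail-type": "Inspector2 Scan",
              "resources": ["arn:aws:ecr:us-east-1:111122223333:repository/inspector2"],
              "detail": {"scan-status": "INITIAL_SCAN_COMPLETE", "image-tags": ["ubuntu22"],
                         "finding-severity-counts": {"CRITICAL": 2, "HIGH": 5, "MEDIUM": 0, "TOTAL": 7}}}
COVERAGE_EVENT = {"source": "aws.inspector2", "detail-type": "Inspector2 Coverage",
                  "resources": ["i-087d63509b8c97098"],
                  "detail": {"scanType": "PACKAGE",
                             "scanStatus": {"reason": "UNMANAGED_EC2_INSTANCE", "statusCodeValue": "INACTIVE"}}}

# EventBridge event patterns (real pattern syntax): gate ECR initial scans that report any
# CRITICAL finding, and alert when a resource's package scan coverage becomes INACTIVE.
CRITICAL_SCAN_PATTERN = {
    "source": ["aws.inspector2"], "detail-type": ["Inspector2 Scan"],
    "detail": {"scan-status": ["INITIAL_SCAN_COMPLETE"],
               "finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}}}
COVERAGE_LOST_PATTERN = {
    "source": ["aws.inspector2"], "detail-type": ["Inspector2 Coverage"],
    "detail": {"scanType": ["PACKAGE"], "scanStatus": {"statusCodeValue": ["INACTIVE"]}}}

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">": operator.gt, ">=": operator.ge}


def _leaf_matches(value, matcher) -> bool:
    """One pattern-array element: a literal, or a {"numeric": [op, n, op, n, ...]} comparison."""
    if isinstance(matcher, dict) and "numeric" in matcher:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False  # numeric matching never matches strings or booleans
        spec = matcher["numeric"]
        return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))
    return value == matcher


def matches(event: dict, pattern: dict) -> bool:
    """Local subset of EventBridge matching: every pattern key must exist in the event, a pattern
    array is an OR over its elements, nested objects recurse, and an event array matches when any
    element matches. Prefix, anything-but, exists and wildcard matchers are not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
            continue
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(_leaf_matches(c, m) for c in candidates for m in expected):
            return False
    return True
```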