與 AWS Security Hub 的整合 - Amazon Inspector Classic
Amazon Inspector Security Security Hub 如何將問題清單傳送來自亞馬遜的典型問題清單啟用與設定整合如何停止傳送問題清單

這是 Amazon Inspector 經典的用戶指南。如需有關新 Amazon Inspector 查器的資訊,請參閱 Amazon Inspector 使用者指南。若要存取 Amazon Inspector 經典主控台,請在 https://console.aws.amazon.com/inspector/ 開啟 Amazon Inspector 主控台,然後在導覽窗格中選擇 Amazon Inspector 經典版

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

與 AWS Security Hub 的整合

AWS Security Hub 可讓您全方位地檢視 AWS 中的安全狀態,並可協助您檢查環境是否符合安全業界標準和最佳實務。Security Hub 會從各個 AWS 帳戶、服務和支援的第三方合作夥伴產品收集安全資料,並協助您分析安全趨勢及識別最高優先順序的安全問題。

Amazon Inspector Security Hub 的整合可讓您將問題清單從 Amazon Inspector Security Hub 傳送至 Security Hub。Security Hub 接著可將這些問題清單納入其安全狀態的分析中。

Amazon Inspector Security Security Hub 如何將問題清單傳送

在 Security Hub 中,將安全問題作為問題清單進行追蹤。有些問題清單是由其他 AWS 服務或第三方合作夥伴偵測所得。Security Hub 也有一組規則,用來偵測安全問題並產生問題清單。

Security Hub 提供用來跨所有這些來源管理問題清單的工具。您可以檢視並篩選問題清單列表,並檢視問題清單的詳細資訊。請參閱 AWS Security Hub 使用者指南中的檢視問題清單。您也可以追蹤問題清單的調查狀態。請參閱 AWS Security Hub 使用者指南中的對問題清單採取動作

所有 Security Hub 中的問題清單都使用稱為 AWS 安全問題清單格式 (ASFF) 的標準 JSON 格式。ASFF 包含問題來源、受影響的資源以及問題清單目前狀態的詳細資訊。請參閱AWS Security 問題清單格式 (ASFF)中的AWS Security Hub使用者指南

Amazon Inspector 是AWS服務,將問題清單傳送到 Security Hub。

Amazon Inspector 傳送的問題清單類型

Amazon Inspector 將其生成的所有調查結果發送到 Security Hub。

Amazon Inspector ecurity Security Hub 會使用AWS安全問題清單格式 (ASFF)。在 ASFF 中,Types 欄位提供問題清單類型。來自 Amazon Inspector 的問題清單可能具有以下值Types

  • 軟體和組態檢查/漏障/CVE

  • 軟體和組態檢查/AWS 安全最佳實務/網絡可到達

  • 軟件和配置檢查/行業和監管標準/CIS 主機強化基準

傳送問題清單延遲

Amazon Security Security 建立新的問題清單時,通常會在五分鐘內傳送至 Security Hub。

無法使用 Security Hub 時重試

如果 Security Hub 無法使用,Amazon Inspector Hub 會重試傳送問題清單,直到收到問題清單。

更新 Security Hub 中的現有問題清單

將問題清單傳送至 Security Hub 後,Amazon Security Hub 會更新問題清單以反映對問題清單活動的其他觀察結果。這將導致與 Amazon Inspector 相比,Security Hub 中的 Amazon Inspector 找結果要少。

來自亞馬遜的典型問題清單

Amazon Inspector Security Security Hub 會使用AWS安全問題清單格式 (ASFF)

這是來自 Amazon Inspector 的典型問題清單範例。


{
  "SchemaVersion": "2018-10-08",
  "Id": "inspector/us-east-1/111122223333/629ff13fbbb44c872f7bba3e7f79f60cb6d443d8",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
  "GeneratorId": "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd",
  "AwsAccountId": "111122223333",
  "Types": [
    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability - Recognized port reachable from internet"
  ],
  "CreatedAt": "2020-08-19T17:36:22.169Z",
  "UpdatedAt": "2020-11-04T16:36:06.064Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "6.0"
  },
  "Confidence": 10,
  "Title": "On instance i-0c10c2c7863d1a356, TCP port 22 which is associated with 'SSH' is reachable from the internet",
  "Description": "On this instance, TCP port 22, which is associated with SSH, is reachable from the internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-0c10c2c7863d1a356 is located in VPC vpc-a0c2d7c7 and has an attached ENI eni-078eac9d6ad9b20d1 which uses network ACL acl-154b8273. The port is reachable from the internet through Security Group sg-0af64c8a5eb30ca75 and IGW igw-e209d785",
  "Remediation": {
    "Recommendation": {
      "Text": "You can edit the Security Group sg-0af64c8a5eb30ca75 to remove access from the internet on port 22"
    }
  },
  "ProductFields": {
    "attributes/VPC": "vpc-a0c2d7c7",
    "aws/inspector/id": "Recognized port reachable from internet",
    "serviceAttributes/schemaVersion": "1",
    "aws/inspector/arn": "arn:aws:inspector:us-east-1:111122223333:target/0-8zh1cWkg/template/0-rqtRV0u0/run/0-Ck2F6tY9/finding/0-B458MQWe",
    "attributes/ACL": "acl-154b8273",
    "serviceAttributes/assessmentRunArn": "arn:aws:inspector:us-east-1:111122223333:target/0-8zh1cWkg/template/0-rqtRV0u0/run/0-Ck2F6tY9",
    "attributes/PROTOCOL": "TCP",
    "attributes/RULE_TYPE": "RecognizedPortNoAgent",
    "aws/inspector/RulesPackageName": "Network Reachability",
    "attributes/INSTANCE_ID": "i-0c10c2c7863d1a356",
    "attributes/PORT_GROUP_NAME": "SSH",
    "attributes/IGW": "igw-e209d785",
    "serviceAttributes/rulesPackageArn": "arn:aws:inspector:us-east-1:111122223333:rulespackage/0-PmNV0Tcd",
    "attributes/SECURITY_GROUP": "sg-0af64c8a5eb30ca75",
    "attributes/ENI": "eni-078eac9d6ad9b20d1",
    "attributes/REACHABILITY_TYPE": "Internet",
    "attributes/PORT": "22",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/inspector/us-east-1/111122223333/629ff13fbbb44c872f7bba3e7f79f60cb6d443d8",
    "aws/securityhub/ProductName": "Inspector",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356",
      "Partition": "aws",
      "Region": "us-east-1",
      "Tags": {
        "Name": "kubectl"
      },
      "Details": {
        "AwsEc2Instance": {
          "ImageId": "ami-02354e95b39ca8dec",
          "IpV4Addresses": [
            "172.31.43.6"
          ],
          "VpcId": "vpc-a0c2d7c7",
          "SubnetId": "subnet-4975b475"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE"
}

啟用與設定整合

若要使用與 Security Hub 的整合,您必須啟用 Security Hub。如需有關如何啟用 Security Hub 的資訊,請參閱 AWS Security Hub 使用者指南中的設定 Security Hub

同時啟用 Amazon Inspector 和 Security Hub 時,會自動啟用整合。Amazon Inspector 開始將問題清單傳送至 Security Hub。

如何停止傳送問題清單

若要停止將問題清單傳送至 Security Hub,您可以使用 Security Hub 主控台或 API。

請參閱停用和啟用從整合接收問題清單的流程 (主控台)或者停用從整合接收問題清單的流程 (Security Hub API、AWS CLI)中的AWS Security Hub使用者指南