Integration with AWS Security Hub - AWS IoT Device Defender

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. You can use Security Hub to analyze your security trends and identify the highest priority security issues.

The integration of AWS IoT Device Defender with Security Hub lets you send findings from AWS IoT Device Defender to Security Hub. Security Hub can then include those findings in its analysis of your security posture.

Enabling and configuring the integration

Before you integrate AWS IoT Device Defender with Security Hub, you must first enable Security Hub. For information about how to enable Security Hub, see Setting up Security Hub in the AWS Security Hub User Guide.

After you enable both AWS IoT Device Defender and Security Hub, open the Integrations page in the Security Hub console and choose Accept findings for Audit, Detect, or both. AWS IoT Device Defender then begins sending findings to Security Hub.

How AWS IoT Device Defender sends findings to Security Hub

In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party products.

Security Hub provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. For more information, see Viewing findings in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. For more information, see Taking action on findings in the AWS Security Hub User Guide.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. For more information about the ASFF, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.

AWS IoT Device Defender is one of the AWS services that sends findings to Security Hub.

Types of findings that AWS IoT Device Defender sends

After you enable the Security Hub integration, AWS IoT Device Defender Audit sends the findings it generates (called check summaries) to Security Hub. A check summary is general information for a specific audit check type and a specific audit task. For more information about audits, see Audit checks.

AWS IoT Device Defender Audit sends finding updates to Security Hub for both the audit check summary and the audit findings of each audit task. If all resources found in an audit check are compliant, or if the audit task is canceled, Audit updates the check summary in Security Hub to the ARCHIVED record state. If a resource was reported as non-compliant in an audit check but is reported as compliant in the most recent audit task, Audit changes it to compliant and updates the finding in Security Hub to the ARCHIVED record state.

AWS IoT Device Defender Detect sends violation findings to Security Hub. These violation findings cover machine learning (ML), statistical, and static behaviors.

AWS IoT Device Defender sends findings to Security Hub using the AWS Security Finding Format (ASFF). In ASFF, the Types field provides the finding type. Findings from AWS IoT Device Defender can have the following values for Types.

Unusual Behaviors

Finding type for the conflicting MQTT client ID and device certificate shared checks, and for Detect findings.

Software and Configuration Check/Vulnerabilities

Finding type for all other audit checks.

Latency for sending findings

When AWS IoT Device Defender Audit creates a new finding, it is sent to Security Hub immediately after the audit task completes. The latency depends on the number of findings generated in the audit task. Security Hub usually receives the findings within an hour.

AWS IoT Device Defender Detect sends violation findings in near real time. After a violation enters or exits the alarm state (meaning an alarm is created or deleted), the corresponding Security Hub finding is created or archived immediately.

Retrying when Security Hub is not available

If Security Hub is not available, AWS IoT Device Defender retries sending the findings until they are received.

Updating existing findings in Security Hub

After an AWS IoT Device Defender Audit finding is sent to Security Hub, you can identify it by the identifier of the checked resource and the audit check type. If a subsequent audit task for the same resource and audit check generates a new audit finding, AWS IoT Device Defender Audit sends an update to Security Hub to reflect the additional observation of finding activity. If a subsequent audit task for the same resource and audit check does not generate an additional audit finding, the resource's state changes to compliant with the audit check. AWS IoT Device Defender Audit then archives the finding in Security Hub.

AWS IoT Device Defender Audit also updates the check summary in Security Hub. If an audit check finds a non-compliant resource or the check fails, the status of the Security Hub finding becomes active. Otherwise, AWS IoT Device Defender Audit archives the finding in Security Hub.

AWS IoT Device Defender Detect creates a Security Hub finding when a violation occurs (for example, in alarm). That finding is updated only when one of the following conditions is met:

  • The finding is about to expire in Security Hub, so AWS IoT Device Defender sends an update to keep the finding current. Findings are deleted 90 days after their most recent update or, if there is no update, 90 days after the creation date. For more information, see Security Hub quotas in the AWS Security Hub User Guide.

  • The corresponding violation exits the alarm state, so AWS IoT Device Defender updates its finding status to ARCHIVED.

Typical findings from AWS IoT Device Defender

AWS IoT Device Defender sends findings to Security Hub using the AWS Security Finding Format (ASFF).

The following example shows a typical finding from Security Hub for an audit finding. The ReportType in ProductFields is AuditFinding.

{
  "SchemaVersion": "2018-10-08",
  "Id": "336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-west-2",
  "GeneratorId": "1928b87ab338ee2f541f6fab8c41c4f5",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Check/Vulnerabilities"
  ],
  "CreatedAt": "2022-11-06T22:11:40.941Z",
  "UpdatedAt": "2022-11-06T22:11:40.941Z",
  "Severity": {
    "Label": "CRITICAL",
    "Normalized": 90
  },
  "Title": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK: ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
  "Description": "IOT_POLICY policyexample:1 is reported as non-compliant for IOT_POLICY_OVERLY_PERMISSIVE_CHECK by Audit task 9f71b6e90cfb57d4ac671be3a4898e6a. The non-compliant reason is Policy allows broad access to IoT data plane actions: [iot:Connect].",
  "SourceUrl": "https://us-west-2.console.aws.amazon.com/iot/home?region=us-west-2#/policy/policyexample",
  "ProductFields": {
    "CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
    "TaskId": "9f71b6e90cfb57d4ac671be3a4898e6a",
    "TaskType": "ON_DEMAND_AUDIT_TASK",
    "PolicyName": "policyexample",
    "IsSuppressed": "false",
    "ReasonForNonComplianceCode": "ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "ResourceType": "IOT_POLICY",
    "FindingId": "1928b87ab338ee2f541f6fab8c41c4f5",
    "PolicyVersionId": "1",
    "ReportType": "AuditFinding",
    "TaskStartTime": "1667772700554",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit/336757784525/IOT_POLICY/policyexample/1/IOT_POLICY_OVERLY_PERMISSIVE_CHECK/ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotPolicy",
      "Id": "policyexample",
      "Partition": "aws",
      "Region": "us-west-2",
      "Details": {
        "Other": {
          "PolicyVersionId": "1"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL"
    },
    "Types": [
      "Software and Configuration Check/Vulnerabilities"
    ]
  }
}

The following example shows a finding from Security Hub for an audit check summary. The ReportType in ProductFields is CheckSummary.

{
  "SchemaVersion": "2018-10-08",
  "Id": "615243839755/SCHEDULED_AUDIT_TASK/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit",
  "ProductName": "IoT Device Defender - Audit",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "f3021945485adf92487c273558fcaa51",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Check/Vulnerabilities/CVE"
  ],
  "CreatedAt": "2022-10-18T14:20:13.933Z",
  "UpdatedAt": "2022-10-18T14:20:13.933Z",
  "Severity": {
    "Label": "CRITICAL",
    "Normalized": 90
  },
  "Title": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK Summary: Completed with 2 non-compliant resources",
  "Description": "Task f3021945485adf92487c273558fcaa51 of weekly scheduled Audit daily_audit_schedule_checks completes. 2 non-cimpliant resources are found for DEVICE_CERTIFICATE_KEY_QUALITY_CHECK out of 1000 resources in the account. The percentage of non-compliant resources is 0.2%.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/audit/results/f3021945485adf92487c273558fcaa51/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
  "ProductFields": {
    "TaskId": "f3021945485adf92487c273558fcaa51",
    "TaskType": "SCHEDULED_AUDIT_TASK",
    "ScheduledAuditName": "daily_audit_schedule_checks",
    "CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "ReportType": "CheckSummary",
    "CheckRunStatus": "COMPLETED_NON_COMPLIANT",
    "NonComopliantResourcesCount": "2",
    "SuppressedNonCompliantResourcesCount": "1",
    "TotalResourcesCount": "1000",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit/615243839755/SCHEDULED/daily_audit_schedule_checks/DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
    "aws/securityhub/ProductName": "IoT Device Defender - Audit",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotAuditTask",
      "Id": "f3021945485adf92487c273558fcaa51",
      "Region": "us-east-1"
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "CRITICAL"
    },
    "Types": [
      "Software and Configuration Check/Vulnerabilities/CVE"
    ]
  }
}

The following example shows a typical finding from Security Hub for an AWS IoT Device Defender Detect violation.

{
  "SchemaVersion": "2018-10-08",
  "Id": "e92a782593c6f5b1fc7cb6a443dc1a12",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
  "ProductName": "IoT Device Defender - Detect",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "arn:aws:iot:us-east-1:123456789012:securityprofile/MySecurityProfile",
  "AwsAccountId": "123456789012",
  "Types": [
    "Unusual Behaviors"
  ],
  "CreatedAt": "2022-11-09T22:45:00Z",
  "UpdatedAt": "2022-11-09T22:45:00Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40
  },
  "Title": "Registered thing MyThing is in alarm for STATIC behavior MyBehavior.",
  "Description": "Registered thing MyThing violates STATIC behavior MyBehavior of security profile MySecurityProfile. Violation was triggered because the device did not conform to aws:num-disconnects less-than 1.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/dd/securityProfile/MySecurityProfile?tab=violations",
  "ProductFields": {
    "ComparisonOperator": "less-than",
    "BehaviorName": "MyBehavior",
    "ViolationId": "e92a782593c6f5b1fc7cb6a443dc1a12",
    "ViolationStartTime": "1668033900000",
    "SuppressAlerts": "false",
    "ConsecutiveDatapointsToAlarm": "1",
    "ConsecutiveDatapointsToClear": "1",
    "DurationSeconds": "300",
    "Count": "1",
    "MetricName": "aws:num-disconnects",
    "BehaviorCriteriaType": "STATIC",
    "ThingName": "MyThing",
    "SecurityProfileName": "MySecurityProfile",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect/e92a782593c6f5b1fc7cb6a443dc1a12",
    "aws/securityhub/ProductName": "IoT Device Defender - Detect",
    "aws/securityhub/CompanyName": "AWS"
  },
  "Resources": [
    {
      "Type": "AwsIotRegisteredThing",
      "Id": "MyThing",
      "Region": "us-east-1",
      "Details": {
        "Other": {
          "SourceUrl": "https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/thing/MyThing?tab=violations",
          "IsRegisteredThing": "true",
          "ThingArn": "arn:aws:iot:us-east-1:123456789012:thing/MyThing"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM"
    },
    "Types": [
      "Unusual Behaviors"
    ]
  }
}
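The three report kinds above (audit finding, audit check summary, Detect violation) share the ASFF envelope but differ in ProductArn and in the ProductFields they carry, and the sections on finding types and on updating existing findings describe how their RecordState and 90-day expiry behave. The following Python is an added example, not AWS code or part of this guide: it tells the three kinds apart, flattens the fields an operator needs, computes how many days remain before Security Hub's 90-day retention would delete a finding that receives no further update, and sorts open findings for triage. The sample findings are constructed, trimmed copies of the page's three examples (the key spelling NonComopliantResourcesCount is kept as it appears in the page's check-summary sample); the reference time EXAMPLE_NOW, the function names and the severity ordering are this example's own assumptions.

```python
"""Triage helpers for AWS IoT Device Defender findings delivered to Security Hub.

Added example, not AWS code. The sample findings below are trimmed, constructed
copies of the three ASFF examples on this page.
"""
from datetime import datetime, timezone

# Security Hub deletes a finding 90 days after its last update (Security Hub quotas).
FINDING_RETENTION_DAYS = 90
AUDIT_SUFFIX = "product/aws/iot-device-defender-audit"
DETECT_SUFFIX = "product/aws/iot-device-defender-detect"
# Assumed ordering of ASFF severity labels for triage sorting.
SEVERITY_ORDER = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample input: trimmed copies of the page's three example findings.
AUDIT_FINDING = {
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/iot-device-defender-audit",
    "Types": ["Software and Configuration Check/Vulnerabilities"],
    "UpdatedAt": "2022-11-06T22:11:40.941Z",
    "Severity": {"Label": "CRITICAL", "Normalized": 90},
    "ProductFields": {"CheckName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK", "ReportType": "AuditFinding",
                      "ResourceType": "IOT_POLICY", "IsSuppressed": "false",
                      "ReasonForNonComplianceCode": "ALLOWS_BROAD_ACCESS_TO_IOT_DATA_PLANE_ACTIONS"},
    "Resources": [{"Type": "AwsIotPolicy", "Id": "policyexample"}],
    "RecordState": "ACTIVE",
}
CHECK_SUMMARY = {
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-audit",
    "Types": ["Software and Configuration Check/Vulnerabilities/CVE"],
    "UpdatedAt": "2022-10-18T14:20:13.933Z",
    "Severity": {"Label": "CRITICAL", "Normalized": 90},
    # The key spelling NonComopliantResourcesCount is copied as it appears in the page's example.
    "ProductFields": {"CheckName": "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK", "ReportType": "CheckSummary",
                      "CheckRunStatus": "COMPLETED_NON_COMPLIANT", "NonComopliantResourcesCount": "2",
                      "SuppressedNonCompliantResourcesCount": "1", "TotalResourcesCount": "1000"},
    "Resources": [{"Type": "AwsIotAuditTask", "Id": "f3021945485adf92487c273558fcaa51"}],
    "RecordState": "ACTIVE",
}
DETECT_VIOLATION = {
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/iot-device-defender-detect",
    "Types": ["Unusual Behaviors"],
    "UpdatedAt": "2022-11-09T22:45:00Z",
    "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "ProductFields": {"BehaviorName": "MyBehavior", "MetricName": "aws:num-disconnects",
                      "BehaviorCriteriaType": "STATIC", "SecurityProfileName": "MySecurityProfile",
                      "ThingName": "MyThing"},
    "Resources": [{"Type": "AwsIotRegisteredThing", "Id": "MyThing"}],
    "RecordState": "ACTIVE",
}
# Constructed: the same violation after it exited the alarm state and Detect archived it.
ARCHIVED_VIOLATION = {**DETECT_VIOLATION, "RecordState": "ARCHIVED"}
# Assumed reference "now" for the expiry arithmetic, just after the sample timestamps.
EXAMPLE_NOW = datetime(2022, 11, 10, tzinfo=timezone.utc)


def classify(finding):
    """Tell the three Device Defender report kinds apart by ProductArn and ReportType."""
    arn = finding["ProductArn"]
    if arn.endswith(DETECT_SUFFIX):
        return "detect-violation"
    if arn.endswith(AUDIT_SUFFIX):
        report = finding.get("ProductFields", {}).get("ReportType")
        if report in ("AuditFinding", "CheckSummary"):
            return "audit-finding" if report == "AuditFinding" else "check-summary"
    raise ValueError(f"not an AWS IoT Device Defender finding: {arn}")


def days_until_expiry(finding, now):
    """Days left before Security Hub deletes the finding if no further update arrives."""
    # ASFF timestamps end in 'Z'; fromisoformat() needs the explicit '+00:00' on older Pythons.
    updated = datetime.fromisoformat(finding["UpdatedAt"].replace("Z", "+00:00"))
    return FINDING_RETENTION_DAYS - (now - updated).days


def summarize(finding, now):
    """Flatten the fields an operator needs into one dict, per report kind."""
    kind, pf = classify(finding), finding.get("ProductFields", {})
    out = {"kind": kind, "active": finding.get("RecordState") == "ACTIVE",
           "severity": finding["Severity"]["Label"], "resource": finding["Resources"][0]["Id"],
           "days_until_expiry": days_until_expiry(finding, now)}
    if kind == "audit-finding":
        out.update(check=pf["CheckName"], reason=pf.get("ReasonForNonComplianceCode"),
                   suppressed=pf.get("IsSuppressed") == "true")
    elif kind == "check-summary":
        # Accept the conventional spelling first, then the spelling used in the page's sample.
        count = pf.get("NonCompliantResourcesCount", pf.get("NonComopliantResourcesCount", "0"))
        out.update(check=pf["CheckName"], run_status=pf.get("CheckRunStatus"), non_compliant=int(count))
    else:
        out.update(behavior=pf["BehaviorName"], metric=pf["MetricName"],
                   criteria=pf["BehaviorCriteriaType"], security_profile=pf["SecurityProfileName"])
    return out


def triage(findings, now):
    """Split findings into open (ACTIVE) and archived; order open ones by severity, then staleness."""
    open_, archived = [], []
    for f in findings:
        (open_ if f.get("RecordState") == "ACTIVE" else archived).append(summarize(f, now))
    open_.sort(key=lambda s: (-SEVERITY_ORDER[s["severity"]], s["days_until_expiry"]))
    return open_, archived


if __name__ == "__main__":
    for row in triage([AUDIT_FINDING, CHECK_SUMMARY, DETECT_VIOLATION, ARCHIVED_VIOLATION], EXAMPLE_NOW)[0]:
        print(row)
```

In practice the input list would come from the Security Hub GetFindings API (boto3 `get_findings`) filtered on the two ProductArn values, with pagination; the expiry figure is only meaningful for Detect findings, since Audit findings are re-sent with every audit task while a Detect finding is refreshed by Device Defender only when it is about to expire or when the violation exits the alarm state.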

Stopping AWS IoT Device Defender from sending findings to Security Hub

To stop sending findings to Security Hub, you can use the Security Hub console or the API.

For more information, see Disabling and enabling the flow of findings from an integration (console) and Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.