本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用的 Security Hub 示例 Amazon CLI
以下代码示例向您展示了如何使用 with Security Hub 来执行操作和实现常见场景。 Amazon Command Line Interface
操作是大型程序的代码摘录,必须在上下文中运行。您可以通过操作了解如何调用单个服务函数,还可以通过函数相关场景和跨服务示例的上下文查看操作。
场景是展示如何通过在同一服务中调用多个函数来完成特定任务任务的代码示例。
每个示例都包含一个指向的链接 GitHub,您可以在其中找到有关如何在上下文中设置和运行代码的说明。
主题
操作
以下代码示例演示如何使用 accept-administrator-invitation。
- Amazon CLI
-
接受管理员账户的邀请
以下
accept-administrator-invitation示例接受来自指定管理员账户的指定邀请。aws securityhub accept-invitation \ --administrator-id 123456789012 \ --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考AcceptAdministratorInvitation
中的。
-
以下代码示例演示如何使用 accept-invitation。
- Amazon CLI
-
接受管理员账户的邀请
以下
accept-invitation示例接受来自指定管理员账户的指定邀请。aws securityhub accept-invitation \ --master-id 123456789012 \ --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考AcceptInvitation
中的。
-
以下代码示例演示如何使用 batch-delete-automation-rules。
- Amazon CLI
-
删除自动化规则
以下
batch-delete-automation-rules示例删除了指定的自动化规则。您可以使用单个命令删除一条或多条规则。只有 Security Hub 管理员帐户可以运行此命令。aws securityhub batch-delete-automation-rules \ --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'输出:
{ "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的删除自动化规则。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchDeleteAutomationRules
中的。
-
以下代码示例演示如何使用 batch-disable-standards。
- Amazon CLI
-
禁用标准
以下
batch-disable-standards示例禁用与指定订阅 ARN 关联的标准。aws securityhub batch-disable-standards \ --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"输出:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "DELETING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }有关更多信息,请参阅《Security Hub 用户指南》中的禁用或启用Amazon 安全标准。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchDisableStandards
中的。
-
以下代码示例演示如何使用 batch-enable-standards。
- Amazon CLI
-
启用标准
以下
batch-enable-standards示例为请求的账户启用 PCI DSS 标准。aws securityhub batch-enable-standards \ --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}'输出:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "PENDING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }有关更多信息,请参阅《Security Hub 用户指南》中的禁用或启用Amazon 安全标准。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchEnableStandards
中的。
-
以下代码示例演示如何使用 batch-get-automation-rules。
- Amazon CLI
-
获取自动化规则的详细信息
以下
batch-get-automation-rules示例获取指定自动化规则的详细信息。您只需一个命令即可获取一条或多条自动化规则的详细信息。aws securityhub batch-get-automation-rules \ --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'输出:
{ "Rules": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "Criteria": { "ProductName": [ { "Value": "GuardDuty", "Comparison": "EQUALS" } ], "SeverityLabel": [ { "Value": "INFORMATIONAL", "Comparison": "EQUALS" } ], "WorkflowStatus": [ { "Value": "NEW", "Comparison": "EQUALS" } ], "RecordState": [ { "Value": "ACTIVE", "Comparison": "EQUALS" } ] }, "Actions": [ { "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Note": { "Text": "Automatically suppress GuardDuty findings with Informational severity", "UpdatedBy": "sechub-automation" }, "Workflow": { "Status": "SUPPRESSED" } } } ], "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ], "UnprocessedAutomationRules": [] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看自动化规则。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchGetAutomationRules
中的。
-
以下代码示例演示如何使用 batch-get-configuration-policy-associations。
- Amazon CLI
-
获取一批目标的配置关联详细信息
以下
batch-get-configuration-policy-associations示例检索指定目标的关联详细信息。您可以为目标提供账户 ID、组织单位 ID 或根 ID。aws securityhub batch-get-configuration-policy-associations \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'输出:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }有关更多信息,请参阅《Sec urity Hub 用户指南》中的查看 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchGetConfigurationPolicyAssociations
中的。
-
以下代码示例演示如何使用 batch-get-security-controls。
- Amazon CLI
-
获取安全控制详情
以下
batch-get-security-controls示例获取当前 Amazon 账户和区域中安全控制 ACM.1 和 IAM.1 的详细信息。 Amazonaws securityhub batch-get-security-controls \ --security-control-ids '["ACM.1", "IAM.1"]'输出:
{ "SecurityControls": [ { "SecurityControlId": "ACM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "SecurityControlStatus": "ENABLED" "UpdateStatus": "READY", "Parameters": { "daysToExpiration": { "ValueType": CUSTOM, "Value": { "Integer": 15 } } }, "LastUpdateReason": "Updated control parameter" }, { "SecurityControlId": "IAM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1", "Title": "IAM policies should not allow full \"*\" administrative privileges", "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation", "SeverityRating": "HIGH", "SecurityControlStatus": "ENABLED" "UpdateStatus": "READY", "Parameters": {} } ] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看控件的详细信息。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchGetSecurityControls
中的。
-
以下代码示例演示如何使用 batch-get-standards-control-associations。
- Amazon CLI
-
获取控件的启用状态
以下
batch-get-standards-control-associations示例标识了在指定标准中是否启用了指定的控件。aws securityhub batch-get-standards-control-associations \ --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:standards/aws-foundational-security-best-practices/v/1.0.0"}]'输出:
{ "StandardsControlAssociationDetails": [ { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "Config.1", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/Config.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.5" ], "UpdatedAt": "2022-10-27T16:07:12.960000+00:00", "StandardsControlTitle": "Ensure AWS Config is enabled", "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/cis-aws-foundations-benchmark/v/1.2.0/2.5" ] }, { "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "IAM.6", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/IAM.6", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2022-11-22T21:30:35.080000+00:00", "UpdatedReason": "test", "StandardsControlTitle": "Hardware MFA should be enabled for the root user", "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6" ] } ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的启用和禁用特定标准中的控件。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchGetStandardsControlAssociations
中的。
-
以下代码示例演示如何使用 batch-import-findings。
- Amazon CLI
-
更新调查结果
以下
batch-import-findings示例更新了调查结果。aws securityhub batch-import-findings \ --findings ' [{ "AwsAccountId": "123456789012", "CreatedAt": "2020-05-27T17:05:54.832Z", "Description": "Vulnerability in a CloudTrail trail", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "10" }, "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ] }, "GeneratorId": "TestGeneratorId", "Id": "Id1", "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default", "Resources": [ { "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName", "Partition": "aws", "Region": "us-west-1", "Type": "AwsCloudTrailTrail" } ], "SchemaVersion": "2018-10-08", "Title": "CloudTrail trail vulnerability", "UpdatedAt": "2020-06-02T16:05:54.832Z" }]'输出:
{ "FailedCount": 0, "SuccessCount": 1, "FailedFindings": [] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的使用 BatchImportFindings 来创建和更新调查结果。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchImportFindings
中的。
-
以下代码示例演示如何使用 batch-update-automation-rules。
- Amazon CLI
-
更新自动化规则
以下
batch-update-automation-rules示例更新了指定的自动化规则。您可以使用单个命令更新一条或多条规则。只有 Security Hub 管理员帐户可以运行此命令。aws securityhub batch-update-automation-rules \ --update-automation-rules-request-items '[ \ { \ "Actions": [{ \ "Type": "FINDING_FIELDS_UPDATE", \ "FindingFieldsUpdate": { \ "Note": { \ "Text": "Known issue that is a risk", \ "UpdatedBy": "sechub-automation" \ }, \ "Workflow": { \ "Status": "NEW" \ } \ } \ }], \ "Criteria": { \ "SeverityLabel": [{ \ "Value": "LOW", \ "Comparison": "EQUALS" \ }] \ }, \ "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", \ "RuleOrder": 1, \ "RuleStatus": "DISABLED" \ } \ ]'输出:
{ "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的编辑自动化规则。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchUpdateAutomationRules
中的。
-
以下代码示例演示如何使用 batch-update-findings。
- Amazon CLI
-
示例 1:更新调查结果
以下
batch-update-findings示例更新了两个发现结果以添加注释、更改严重性标签并解决该问题。aws securityhub batch-update-findings \ --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \ --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \ --severity '{"Label": "LOW"}' \ --workflow '{"Status": "RESOLVED"}'输出:
{ "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }有关更多信息,请参阅《Sec Amazon ur BatchUpdateFindings ity Hub 用户指南》中的使用更新调查结果。
示例 2:使用速记语法更新调查结果
以下
batch-update-findings示例更新了两个发现结果,以添加注释、更改严重性标签并使用速记语法解决该问题。aws securityhub batch-update-findings \ --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \ --note Text="Known issue that is not a risk.",UpdatedBy="user1" \ --severity Label="LOW" \ --workflow Status="RESOLVED"输出:
{ "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }有关更多信息,请参阅《Sec Amazon ur BatchUpdateFindings ity Hub 用户指南》中的使用更新调查结果。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchUpdateFindings
中的。
-
以下代码示例演示如何使用 batch-update-standards-control-associations。
- Amazon CLI
-
更新已启用标准中控件的启用状态
以下
batch-update-standards-control-associations示例禁用了指定标准中的 CloudTrail .1。aws securityhub batch-update-standards-control-associations \ --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'如果成功,此命令不会产生任何输出。
有关更多信息,请参阅《S ec Amazon urity Hub 用户指南》中的启用和禁用特定标准中的控件以及启用和禁用所有标准中的控件。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考BatchUpdateStandardsControlAssociations
中的。
-
以下代码示例演示如何使用 create-action-target。
- Amazon CLI
-
创建自定义操作
以下
create-action-target示例创建了一个自定义操作。它提供操作的名称、描述和标识符。aws securityhub create-action-target \ --name "Send to remediation" \ --description "Action to send the finding for remediation tracking" \ --id "Remediation"输出:
{ "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }有关更多信息,请参阅《S ec Amazon urity Hub 用户指南》中的创建自定义操作并将其与 CloudWatch 事件规则关联。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateActionTarget
中的。
-
以下代码示例演示如何使用 create-automation-rule。
- Amazon CLI
-
创建自动化规则
以下
create-automation-rule示例在当前 Amazon 账户和 Amazon 区域中创建自动化规则。Security Hub 根据指定的条件筛选您的发现,并将操作应用于匹配的结果。只有 Security Hub 管理员帐户可以运行此命令。aws securityhub create-automation-rule \ --actions '[{ \ "Type": "FINDING_FIELDS_UPDATE", \ "FindingFieldsUpdate": { \ "Severity": { \ "Label": "HIGH" \ }, \ "Note": { \ "Text": "Known issue that is a risk. Updated by automation rules", \ "UpdatedBy": "sechub-automation" \ } \ } \ }]' \ --criteria '{ \ "SeverityLabel": [{ \ "Value": "INFORMATIONAL", \ "Comparison": "EQUALS" \ }] \ }' \ --description "A sample rule" \ --no-is-terminal \ --rule-name "sample rule" \ --rule-order 1 \ --rule-status "ENABLED"输出:
{ "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的创建自动化规则。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateAutomationRule
中的。
-
以下代码示例演示如何使用 create-configuration-policy。
- Amazon CLI
-
创建配置策略
以下
create-configuration-policy示例使用指定设置创建配置策略。aws securityhub create-configuration-policy \ --name "SampleConfigurationPolicy" \ --description "SampleDescription" \ --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \ --tags '{"Environment": "Prod"}'输出:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }有关更多信息,请参阅《Sec urity Hub 用户指南》中的创建和关联 S Amazon ecurity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateConfigurationPolicy
中的。
-
以下代码示例演示如何使用 create-finding-aggregator。
- Amazon CLI
-
启用查找结果聚合
以下
create-finding-aggregator示例配置了查找聚合。它从美国东部(弗吉尼亚州)运营,后者将美国东部(弗吉尼亚州)指定为聚合区域。它表示仅链接指定区域,不自动关联新区域。它选择美国西部(加利福尼亚北部)和美国西部(俄勒冈)作为关联区域。aws securityhub create-finding-aggregator \ --region us-east-1 \ --region-linking-mode SPECIFIED_REGIONS \ --regions us-west-1,us-west-2输出:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": "us-west-1,us-west-2" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的启用查找结果聚合。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateFindingAggregator
中的。
-
以下代码示例演示如何使用 create-insight。
- Amazon CLI
-
创建自定义见解
以下
create-insight示例创建了一个名为 “关键角色调查结果” 的自定义见解,该洞察返回与 Amazon 角色相关的关键发现。aws securityhub create-insight \ --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \ --group-by-attribute "ResourceId" \ --name "Critical role findings"输出:
{ "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理自定义见解。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateInsight
中的。
-
以下代码示例演示如何使用 create-members。
- Amazon CLI
-
将账户添加为成员账户
以下
create-members示例将两个账户作为成员账户添加到请求的管理员账户。aws securityhub create-members \ --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'输出:
{ "UnprocessedAccounts": [] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考CreateMembers
中的。
-
以下代码示例演示如何使用 decline-invitations。
- Amazon CLI
-
拒绝成为成员账户的邀请
以下
decline-invitations示例拒绝了成为指定管理员账户成员账户的邀请。成员账户是请求的账户。aws securityhub decline-invitations \ --account-ids "123456789012"输出:
{ "UnprocessedAccounts": [] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeclineInvitations
中的。
-
以下代码示例演示如何使用 delete-action-target。
- Amazon CLI
-
删除自定义操作
以下
delete-action-target示例删除由指定 ARN 标识的自定义操作。aws securityhub delete-action-target \ --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"输出:
{ "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }有关更多信息,请参阅《S ec Amazon urity Hub 用户指南》中的创建自定义操作并将其与 CloudWatch 事件规则关联。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteActionTarget
中的。
-
以下代码示例演示如何使用 delete-configuration-policy。
- Amazon CLI
-
要删除配置策略
以下
delete-configuration-policy示例删除了指定的配置策略。aws securityhub delete-configuration-policy \ --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"此命令不生成任何输出。
有关更多信息,请参阅《Sec urity Hub 用户指南》中的删除和取消关联 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteConfigurationPolicy
中的。
-
以下代码示例演示如何使用 delete-finding-aggregator。
- Amazon CLI
-
停止查找聚合
以下
delete-finding-aggregator示例停止查找聚合。它从美国东部(弗吉尼亚州)运营,这是聚合区域。aws securityhub delete-finding-aggregator \ --region us-east-1 \ --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000此命令不生成任何输出。
有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的停止查找聚合。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteFindingAggregator
中的。
-
以下代码示例演示如何使用 delete-insight。
- Amazon CLI
-
删除自定义见解
以下
delete-insight示例删除具有指定 ARN 的自定义分析。aws securityhub delete-insight \ --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"输出:
{ "InsightArn": "arn:aws:securityhub:eu-central-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理自定义见解。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteInsight
中的。
-
以下代码示例演示如何使用 delete-invitations。
- Amazon CLI
-
删除成为成员账户的邀请
以下
delete-invitations示例删除了指定管理员账户的成员账户邀请。成员账户是请求的账户。aws securityhub delete-invitations \ --account-ids "123456789012"输出:
{ "UnprocessedAccounts": [] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteInvitations
中的。
-
以下代码示例演示如何使用 delete-members。
- Amazon CLI
-
删除成员账户
以下
delete-members示例从请求的管理员帐户中删除指定的成员帐户。aws securityhub delete-members \ --account-ids "123456789111" "123456789222"输出:
{ "UnprocessedAccounts": [] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DeleteMembers
中的。
-
以下代码示例演示如何使用 describe-action-targets。
- Amazon CLI
-
检索有关自定义操作的详细信息
以下
describe-action-targets示例检索有关由指定 ARN 标识的自定义操作的信息。aws securityhub describe-action-targets \ --action-target-arns "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"输出:
{ "ActionTargets": [ { "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", "Description": "Action to send the finding for remediation tracking", "Name": "Send to remediation" } ] }有关更多信息,请参阅《S ec Amazon urity Hub 用户指南》中的创建自定义操作并将其与 CloudWatch 事件规则关联。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeActionTargets
中的。
-
以下代码示例演示如何使用 describe-hub。
- Amazon CLI
-
获取有关中心资源的信息
以下
describe-hub示例返回指定中心资源的订阅日期。中心资源由其 ARN 标识。aws securityhub describe-hub \ --hub-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"输出:
{ "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default", "SubscribedAt": "2019-11-19T23:15:10.046Z" }有关更多信息,请参阅《Amazon CloudFormation 用户指南》中的Amazon SecurityHub::: Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeHub
中的。
-
以下代码示例演示如何使用 describe-organization-configuration。
- Amazon CLI
-
查看如何为组织配置 Security Hub
以下
describe-organization-configuration示例返回有关在 Security Hub 中配置组织的方式的信息。在此示例中,组织使用中央配置。只有 Security Hub 管理员帐户可以运行此命令。aws securityhub describe-organization-configuration输出:
{ "AutoEnable": false, "MemberAccountLimitReached": false, "AutoEnableStandards": "NONE", "OrganizationConfiguration": { "ConfigurationType": "LOCAL", "Status": "ENABLED", "StatusMessage": "Central configuration has been enabled successfully" } }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南 Amazon 》中的 Organizations 账户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeOrganizationConfiguration
中的。
-
以下代码示例演示如何使用 describe-products。
- Amazon CLI
-
返回有关可用产品集成的信息
以下
describe-products示例逐一返回可用的产品集成。aws securityhub describe-products \ --max-results 1输出:
{ "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==", "Products": [ { "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon", "ProductName": "CrowdStrike Falcon", "CompanyName": "CrowdStrike", "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.", "Categories": [ "Endpoint Detection and Response (EDR)", "AV Scanning and Sandboxing", "Threat Intelligence Feeds and Reports", "Endpoint Forensics", "Network Forensics" ], "IntegrationTypes": [ "SEND_FINDINGS_TO_SECURITY_HUB" ], "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation", "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}" } ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理产品集成。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeProducts
中的。
-
以下代码示例演示如何使用 describe-standards-controls。
- Amazon CLI
-
请求已启用的标准中的控件列表
以下
describe-standards-controls示例请求请求者账户订阅 PCI DSS 标准时的控制列表。该请求一次返回两个控件。aws securityhub describe-standards-controls \ --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" \ --max-results 2输出:
{ "Controls": [ { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00", "ControlId": "PCI.AutoScaling.1", "Title": "Auto scaling groups associated with a load balancer should use health checks", "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation", "SeverityRating": "LOW", "RelatedRequirements": [ "PCI DSS 2.2" ] }, { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00", "ControlId": "PCI.CW.1", "Title": "A log metric filter and alarm should exist for usage of the \"root\" user", "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation", "SeverityRating": "MEDIUM", "RelatedRequirements": [ "PCI DSS 7.2.1" ] } ], "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看控件详情。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeStandardsControls
中的。
-
以下代码示例演示如何使用 describe-standards。
- Amazon CLI
-
返回可用标准列表
以下
describe-standards示例返回可用标准的列表。aws securityhub describe-standards输出:
{ "Standards": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0", "Name": "AWS Foundational Security Best Practices v1.0.0", "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "Name": "CIS AWS Foundations Benchmark v1.2.0", "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "Name": "PCI DSS v3.2.1", "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.", "EnabledByDefault": false } ] }有关更多信息,请参阅 Security Hub 用户指南中的 Sec Amazon urity Hub 中的安全标准。 Amazon
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DescribeStandards
中的。
-
以下代码示例演示如何使用 disable-import-findings-for-product。
- Amazon CLI
-
停止接收来自产品集成的调查结果
以下
disable-import-findings-for-product示例禁用产品集成的指定订阅的结果流。aws securityhub disable-import-findings-for-product \ --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理产品集成。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisableImportFindingsForProduct
中的。
-
以下代码示例演示如何使用 disable-organization-admin-account。
- Amazon CLI
-
移除 Security Hub 管理员帐户
以下
disable-organization-admin-account示例撤消了指定账户作为 Organizations 的 Security Hub 管理员账户的分配 Amazon 。aws securityhub disable-organization-admin-account \ --admin-account-id 777788889999此命令不生成任何输出。
有关更多信息,请参阅《Sec urity Hub 用户指南》中的 “指定 Sec Amazon urity Hub 管理员帐户”。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisableOrganizationAdminAccount
中的。
-
以下代码示例演示如何使用 disable-security-hub。
- Amazon CLI
-
禁用 S Amazon ecurity Hub
以下
disable-security-hub示例为请求的账户禁用 S Amazon ecurity Hub。aws securityhub disable-security-hub此命令不生成任何输出。
有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的禁用 S Amazon ecurity Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisableSecurityHub
中的。
-
以下代码示例演示如何使用 disassociate-from-administrator-account。
- Amazon CLI
-
取消与管理员帐户的关联
以下
disassociate-from-administrator-account示例取消请求账户与其当前管理员账户的关联。aws securityhub disassociate-from-administrator-account此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisassociateFromAdministratorAccount
中的。
-
以下代码示例演示如何使用 disassociate-from-master-account。
- Amazon CLI
-
取消与管理员帐户的关联
以下
disassociate-from-master-account示例取消请求账户与其当前管理员账户的关联。aws securityhub disassociate-from-master-account此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisassociateFromMasterAccount
中的。
-
以下代码示例演示如何使用 disassociate-members。
- Amazon CLI
-
取消成员账户的关联
以下
disassociate-members示例取消指定成员账户与请求管理员账户的关联。aws securityhub disassociate-members \ --account-ids "123456789111" "123456789222"此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考DisassociateMembers
中的。
-
以下代码示例演示如何使用 enable-import-findings-for-product。
- Amazon CLI
-
开始接收产品集成的调查结果
以下
enable-import-findings-for-product示例启用了来自指定产品集成的结果流。aws securityhub enable-import-findings-for-product \ --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"输出:
{ "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon" }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理产品集成。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考EnableImportFindingsForProduct
中的。
-
以下代码示例演示如何使用 enable-organization-admin-account。
- Amazon CLI
-
将组织帐户指定为 Security Hub 管理员帐户
以下
enable-organization-admin-account示例将指定帐户指定为 Security Hub 管理员帐户。aws securityhub enable-organization-admin-account \ --admin-account-id 777788889999此命令不生成任何输出。
有关更多信息,请参阅《Sec urity Hub 用户指南》中的 “指定 Sec Amazon urity Hub 管理员帐户”。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考EnableOrganizationAdminAccount
中的。
-
以下代码示例演示如何使用 enable-security-hub。
- Amazon CLI
-
启用 S Amazon ecurity Hub
以下
enable-security-hub示例为请求的账户启用 S Amazon ecurity Hub。它将 Security Hub 配置为启用默认标准。对于中心资源,它为标签SecurityDepartment分配值。aws securityhub enable-security-hub \ --enable-default-standards \ --tags '{"Department": "Security"}'此命令不生成任何输出。
有关更多信息,请参阅 Sec urity Hub 用户指南中的启用 S Amazon ecurity Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考EnableSecurityHub
中的。
-
以下代码示例演示如何使用 get-administrator-account。
- Amazon CLI
-
检索有关管理员帐户的信息
以下
get-administrator-account示例检索有关请求账户的管理员帐户的信息。aws securityhub get-administrator-account输出:
{ "Master": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetAdministratorAccount
中的。
-
以下代码示例演示如何使用 get-configuration-policy-association。
- Amazon CLI
-
获取目标的配置关联详细信息
以下
get-configuration-policy-association示例检索指定目标的关联详细信息。您可以为目标提供账户 ID、组织单位 ID 或根 ID。aws securityhub get-configuration-policy-association \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'输出:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }有关更多信息,请参阅《Sec urity Hub 用户指南》中的查看 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetConfigurationPolicyAssociation
中的。
-
以下代码示例演示如何使用 get-configuration-policy。
- Amazon CLI
-
查看配置策略详细信息
以下
get-configuration-policy示例检索有关指定配置策略的详细信息。aws securityhub get-configuration-policy \ --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"输出:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }有关更多信息,请参阅《Sec urity Hub 用户指南》中的查看 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetConfigurationPolicy
中的。
-
以下代码示例演示如何使用 get-enabled-standards。
- Amazon CLI
-
检索有关已启用标准的信息
以下
get-enabled-standards示例检索有关 PCI DSS 标准的信息。aws securityhub get-enabled-standards \ --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"输出:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "READY", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }有关更多信息,请参阅 Security Hub 用户指南中的 Sec Amazon urity Hub 中的安全标准。 Amazon
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetEnabledStandards
中的。
-
以下代码示例演示如何使用 get-finding-aggregator。
- Amazon CLI
-
检索当前的查找结果聚合配置
以下
get-finding-aggregator示例检索当前的查找结果聚合配置。aws securityhub get-finding-aggregator \ --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000输出:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": "us-west-1,us-west-2" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看当前查找结果聚合配置。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetFindingAggregator
中的。
-
以下代码示例演示如何使用 get-finding-history。
- Amazon CLI
-
要获取查找历史记录
以下
get-finding-history示例获取指定查找结果的最近 90 天的历史记录。在此示例中,结果仅限于两条查找历史记录。aws securityhub get-finding-history \ --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"输出:
{ "Records": [ { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-06-02T03:15:25.685000+00:00", "FindingCreated": false, "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [ { "UpdatedField": "Compliance.RelatedRequirements", "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]", "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]" }, { "UpdatedField": "LastObservedAt", "OldValue": "2023-06-01T09:15:38.587Z", "NewValue": "2023-06-02T03:15:22.946Z" }, { "UpdatedField": "UpdatedAt", "OldValue": "2023-06-01T09:15:31.049Z", "NewValue": "2023-06-02T03:15:14.861Z" }, { "UpdatedField": "ProcessedAt", "OldValue": "2023-06-01T09:15:41.058Z", "NewValue": "2023-06-02T03:15:25.685Z" } ] }, { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-05-23T02:06:51.518000+00:00", "FindingCreated": "true", "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [] } ] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查找历史记录。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetFindingHistory
中的。
-
以下代码示例演示如何使用 get-findings。
- Amazon CLI
-
示例 1:返回针对特定标准生成的调查结果
以下
get-findings示例返回 PCI DSS 标准的结果。aws securityhub get-findings \ --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \ --max-items 1输出:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub", "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FindingProviderFields": { "Severity": { "Original": 0, "Label": "INFORMATIONAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] }, "FirstObservedAt": "2020-06-02T14:02:49.159Z", "LastObservedAt": "2020-06-02T14:02:52.397Z", "CreatedAt": "2020-06-02T14:02:49.159Z", "UpdatedAt": "2020-06-02T14:02:52.397Z", "Severity": { "Original": 0, "Label": "INFORMATIONAL", "Normalized": 0 }, "Title": "PCI.Lambda.2 Lambda functions should be in a VPC", "Description": "This AWS control checks whether a Lambda function is in a VPC.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.Lambda.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation", "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2", "aws/securityhub/SeverityLabel": "INFORMATIONAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "PASSED", "RelatedRequirements": [ "PCI DSS 1.2.1", "PCI DSS 1.3.1", "PCI DSS 1.3.2", "PCI DSS 1.3.4" ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ARCHIVED" } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ==" }示例 2:返回工作流程状态为 “已通知” 的严重性调查结果
以下
get-findings示例返回的发现结果的严重性标签值为 “关键”,工作流程状态为 “已通知”。结果按置信度值降序排序。aws securityhub get-findings \ --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \ --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \ --max-items 1输出:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-west-1: 123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub", "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FindingProviderFields" { "Severity": { "Original": 90, "Label": "CRITICAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] }, "FirstObservedAt": "2020-05-21T20:16:34.752Z", "LastObservedAt": "2020-06-09T08:16:37.171Z", "CreatedAt": "2020-05-21T20:16:34.752Z", "UpdatedAt": "2020-06-09T08:16:36.430Z", "Severity": { "Original": 90, "Label": "CRITICAL", "Normalized": 90 }, "Title": "1.13 Ensure MFA is enabled for the \"root\" account", "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "1.13", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation", "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13", "aws/securityhub/SeverityLabel": "CRITICAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "FAILED" }, "WorkflowState": "NEW", "Workflow": { "Status": "NOTIFIED" }, "RecordState": "ACTIVE" } ] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的筛选和分组搜索结果。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetFindings
中的。
-
以下代码示例演示如何使用 get-insight-results。
- Amazon CLI
-
检索结果以获取见解
以下
get-insight-results示例返回具有指定 ARN 的洞察的洞察结果列表。aws securityhub get-insight-results \ --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"输出:
{ "InsightResults": { "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ResultValues": [ { "Count": 10, "GroupByAttributeValue": "AWS::::Account:123456789111" }, { "Count": 3, "GroupByAttributeValue": "AWS::::Account:123456789222" } ] } }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看洞察结果和发现并对其采取行动。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetInsightResults
中的。
-
以下代码示例演示如何使用 get-insights。
- Amazon CLI
-
检索有关洞察的详细信息
以下
get-insights示例检索具有指定 ARN 的洞察的配置详细信息。aws securityhub get-insights \ --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"输出:
{ "Insights": [ { "Filters": { "ResourceType": [ { "Comparison": "EQUALS", "Value": "AwsIamRole" } ], "SeverityLabel": [ { "Comparison": "EQUALS", "Value": "CRITICAL" } ], }, "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Critical role findings" } ] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的 Sec Amazon urity Hub 见解。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetInsights
中的。
-
以下代码示例演示如何使用 get-invitations-count。
- Amazon CLI
-
检索未被接受的邀请数量
以下
get-invitations-count示例检索请求账户拒绝或未回复的邀请数量。aws securityhub get-invitations-count输出:
{ "InvitationsCount": 3 }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetInvitationsCount
中的。
-
以下代码示例演示如何使用 get-master-account。
- Amazon CLI
-
检索有关管理员帐户的信息
以下
get-master-account示例检索有关请求账户的管理员帐户的信息。aws securityhub get-master-account输出:
{ "Master": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetMasterAccount
中的。
-
以下代码示例演示如何使用 get-members。
- Amazon CLI
-
检索有关所选成员账户的信息
以下
get-members示例检索有关指定成员账户的信息。aws securityhub get-members \ --account-ids "444455556666" "777788889999"输出:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 } ], "UnprocessedAccounts": [ ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetMembers
中的。
-
以下代码示例演示如何使用 get-security-control-definition。
- Amazon CLI
-
获取安全控制定义的详细信息
以下
get-security-control-definition示例检索 Security Hub 安全控件的定义详细信息。详细信息包括控件标题、描述、区域可用性、参数和其他信息。aws securityhub get-security-control-definition \ --security-control-id ACM.1输出:
{ "SecurityControlDefinition": { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "ParameterDefinitions": { "daysToExpiration": { "Description": "Number of days within which the ACM certificate must be renewed", "ConfigurationOptions": { "Integer": { "DefaultValue": 30, "Min": 14, "Max": 365 } } } } } }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的自定义控件参数。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考GetSecurityControlDefinition
中的。
-
以下代码示例演示如何使用 invite-members。
- Amazon CLI
-
向成员账户发送邀请
以下
invite-members示例向指定的成员账户发送邀请。aws securityhub invite-members \ --account-ids "123456789111" "123456789222"输出:
{ "UnprocessedAccounts": [] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考InviteMembers
中的。
-
以下代码示例演示如何使用 list-automation-rules。
- Amazon CLI
-
查看自动化规则列表
以下
list-automation-rules示例列出了 Amazon 账户的自动化规则。只有 Security Hub 管理员帐户可以运行此命令。aws securityhub list-automation-rules \ --max-results 3 \ --next-token NULL输出:
{ "AutomationRulesMetadata": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:37:20.223000+00:00", "UpdatedAt": "2023-07-15T23:37:20.223000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:45:25.126000+00:00", "UpdatedAt": "2023-07-15T23:45:25.126000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ] }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看自动化规则。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListAutomationRules
中的。
-
以下代码示例演示如何使用 list-configuration-policies。
- Amazon CLI
-
列出配置策略摘要
以下
list-configuration-policies示例列出了该组织的配置策略摘要。aws securityhub list-configuration-policies \ --max-items 3输出:
{ "ConfigurationPolicySummaries": [ { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy1", "Description": "SampleDescription1", "UpdatedAt": "2023-09-26T21:08:36.214000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Name": "SampleConfigurationPolicy2", "Description": "SampleDescription2" "UpdatedAt": "2023-11-28T19:26:25.207000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Name": "SampleConfigurationPolicy3", "Description": "SampleDescription3", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "ServiceEnabled": true } }有关更多信息,请参阅《Sec urity Hub 用户指南》中的查看 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListConfigurationPolicies
中的。
-
以下代码示例演示如何使用 list-configuration-policy-associations。
- Amazon CLI
-
列出配置关联
以下
list-configuration-policy-associations示例列出了该组织的配置关联摘要。响应包括与配置策略和自我管理行为的关联。aws securityhub list-configuration-policy-associations \ --association-type "APPLIED" \ --max-items 4输出:
{ "ConfigurationPolicyAssociationSummaries": [ { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "TargetId": "r-1ab2", "TargetType": "ROOT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T19:26:49.417000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "TargetId": "ou-1ab2-c3de4f5g", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:14:05.283000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "One or more children under this target failed association." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }, { "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "111122223333", "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T22:01:26.409000+00:00", "AssociationStatus": "SUCCESS" } }有关更多信息,请参阅《Sec urity Hub 用户指南》中的查看 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListConfigurationPolicyAssociations
中的。
-
以下代码示例演示如何使用 list-enabled-products-for-import。
- Amazon CLI
-
返回已启用的产品集成列表
以下
list-enabled-products-for-import示例返回当前启用的产品集成的订阅 ARN 列表。aws securityhub list-enabled-products-for-import输出:
{ "ProductSubscriptions": [ "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon", "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub" ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理产品集成。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListEnabledProductsForImport
中的。
-
以下代码示例演示如何使用 list-finding-aggregators。
- Amazon CLI
-
列出可用的小部件
以下
list-finding-aggregators示例返回查找结果聚合配置的 ARN。aws securityhub list-finding-aggregators输出:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看当前查找结果聚合配置。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListFindingAggregators
中的。
-
以下代码示例演示如何使用 list-invitations。
- Amazon CLI
-
显示邀请列表
以下
list-invitations示例检索发送到请求账户的邀请列表。aws securityhub list-invitations输出:
{ "Invitations": [ { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } ], }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListInvitations
中的。
-
以下代码示例演示如何使用 list-members。
- Amazon CLI
-
检索成员账户列表
以下
list-members示例返回请求的管理员账户的成员账户列表。aws securityhub list-members输出:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 } ], }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理管理员和成员帐户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListMembers
中的。
-
以下代码示例演示如何使用 list-organization-admin-accounts。
- Amazon CLI
-
列出指定的 Security Hub 管理员帐户
以下
list-organization-admin-accounts示例列出了组织的 Security Hub 管理员帐户。aws securityhub list-organization-admin-accounts输出:
{ AdminAccounts": [ { "AccountId": "777788889999" }, { "Status": "ENABLED" } ] }有关更多信息,请参阅《Sec urity Hub 用户指南》中的 “指定 Sec Amazon urity Hub 管理员帐户”。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListOrganizationAdminAccounts
中的。
-
以下代码示例演示如何使用 list-security-control-definitions。
- Amazon CLI
-
示例 1:列出所有可用的安全控件
以下
list-security-control-definitions示例列出了所有 Security Hub 标准中可用的安全控制措施。此示例将结果限制为三个控件。aws securityhub list-security-control-definitions \ --max-items 3输出:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] }, { "SecurityControlId": "ACM.2", "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits", "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "APIGateway.1", "Title": "API Gateway REST and WebSocket API execution logging should be enabled", "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] } ], "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg==" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看标准详情。
示例 2:列出特定标准的可用安全控制措施
以下
list-security-control-definitions示例列出了 CIS Amazon 基金会基准测试 v1.4.0 的可用安全控制措施。此示例将结果限制为三个控件。aws securityhub list-security-control-definitions \ --standards-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \ --max-items 3输出:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "CloudTrail.1", "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.2", "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.4", "Title": "CloudTrail log file validation should be enabled", "Description": "This AWS control checks whether CloudTrail log file validation is enabled.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ==" }有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的查看标准详情。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListSecurityControlDefinitions
中的。
-
以下代码示例演示如何使用 list-standards-control-associations。
- Amazon CLI
-
获取每个已启用的标准中控件的启用状态
以下
list-standards-control-associations示例列出了每个已启用的标准中的启用状态为 CloudTrail .1。aws securityhub list-standards-control-associations \ --security-control-id CloudTrail.1输出:
{ "StandardsControlAssociationSummaries": [ { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "NIST.800-53.r5 AC-2(4)", "NIST.800-53.r5 AC-4(26)", "NIST.800-53.r5 AC-6(9)", "NIST.800-53.r5 AU-10", "NIST.800-53.r5 AU-12", "NIST.800-53.r5 AU-2", "NIST.800-53.r5 AU-3", "NIST.800-53.r5 AU-6(3)", "NIST.800-53.r5 AU-6(4)", "NIST.800-53.r5 AU-14(1)", "NIST.800-53.r5 CA-7", "NIST.800-53.r5 SC-7(9)", "NIST.800-53.r5 SI-3(8)", "NIST.800-53.r5 SI-4(20)", "NIST.800-53.r5 SI-7(8)", "NIST.800-53.r5 SA-8(22)" ], "UpdatedAt": "2023-05-15T17:52:21.304000+00:00", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.1" ], "UpdatedAt": "2020-02-10T21:22:53.998000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2023-05-15T19:31:52.671000+00:00", "UpdatedReason": "Alternative compensating controls are in place", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.4.0/3.1" ], "UpdatedAt": "2022-11-10T15:40:36.021000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." } ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的启用和禁用特定标准中的控件。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListStandardsControlAssociations
中的。
-
以下代码示例演示如何使用 list-tags-for-resource。
- Amazon CLI
-
检索分配给资源的标签
以下
list-tags-for-resource示例返回分配给指定中心资源的标签。aws securityhub list-tags-for-resource \ --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"输出:
{ "Tags": { "Department" : "Operations", "Area" : "USMidwest" } }有关更多信息,请参阅《Amazon CloudFormation 用户指南》中的Amazon SecurityHub::: Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考ListTagsForResource
中的。
-
以下代码示例演示如何使用 start-configuration-policy-association。
- Amazon CLI
-
示例 1:关联配置策略
以下
start-configuration-policy-association示例将指定的配置策略与指定的组织单位相关联。配置可以与目标账户、组织单位或根用户相关联。aws securityhub start-configuration-policy-association \ --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'输出:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-29T17:40:52.468000+00:00", "AssociationStatus": "PENDING" }有关更多信息,请参阅《Sec urity Hub 用户指南》中的创建和关联 S Amazon ecurity Hub 配置策略。
示例 2:关联自管理配置
以下
start-configuration-policy-association示例将自管理配置与指定账户相关联。aws securityhub start-configuration-policy-association \ --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \ --target '{"OrganizationalUnitId": "123456789012"}'输出:
{ "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "123456789012", "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-29T17:40:52.468000+00:00", "AssociationStatus": "PENDING" }有关更多信息,请参阅《Sec urity Hub 用户指南》中的创建和关联 S Amazon ecurity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考StartConfigurationPolicyAssociation
中的。
-
以下代码示例演示如何使用 start-configuration-policy-disassociation。
- Amazon CLI
-
示例 1:取消关联配置策略
以下
start-configuration-policy-disassociation示例取消配置策略与指定组织单位的关联。可以取消配置与目标账户、组织单位或根账号的关联。aws securityhub start-configuration-policy-disassociation \ --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的取消配置与账户和 OU 的关联。
示例 2:取消关联自管理配置
以下
start-configuration-policy-disassociation示例取消自管理配置与指定账户的关联。aws securityhub start-configuration-policy-disassociation \ --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \ --target '{"AccountId": "123456789012"}'此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的取消配置与账户和 OU 的关联。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考StartConfigurationPolicyDisassociation
中的。
-
以下代码示例演示如何使用 tag-resource。
- Amazon CLI
-
为资源分配标签
以下
tag-resource示例将 “部门” 和 “区域” 标签的值分配给指定的中心资源。aws securityhub tag-resource \ --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \ --tags '{"Department":"Operations", "Area":"USMidwest"}'此命令不生成任何输出。
有关更多信息,请参阅《Amazon CloudFormation 用户指南》中的Amazon SecurityHub::: Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考TagResource
中的。
-
以下代码示例演示如何使用 untag-resource。
- Amazon CLI
-
从资源中移除标签值
以下
untag-resource示例从指定的中心资源中删除 Department 标签。aws securityhub untag-resource \ --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \ --tag-keys "Department"此命令不生成任何输出。
有关更多信息,请参阅《Amazon CloudFormation 用户指南》中的Amazon SecurityHub::: Hub。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UntagResource
中的。
-
以下代码示例演示如何使用 update-action-target。
- Amazon CLI
-
更新自定义操作
以下
update-action-target示例更新了由指定 ARN 标识的自定义操作的名称。aws securityhub update-action-target \ --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" \ --name "Send to remediation"此命令不生成任何输出。
有关更多信息,请参阅《S ec Amazon urity Hub 用户指南》中的创建自定义操作并将其与 CloudWatch 事件规则关联。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateActionTarget
中的。
-
以下代码示例演示如何使用 update-configuration-policy。
- Amazon CLI
-
更新配置策略
以下
update-configuration-policy示例更新现有配置策略以使用指定的设置。aws securityhub update-configuration-policy \ --identifier "arn:aws:securityhub:eu-central-1:508236694226:configuration-policy/09f37766-57d8-4ede-9d33-5d8b0fecf70e" \ --name "SampleConfigurationPolicyUpdated" \ --description "SampleDescriptionUpdated" \ --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \ --updated-reason "Disabling CloudWatch.1 and changing parameter value"输出:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicyUpdated", "Description": "SampleDescriptionUpdated", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudWatch.1" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 21 } } } } ] } } } }有关更多信息,请参阅《Sec urity Hub 用户指南》中的更新 Sec Amazon urity Hub 配置策略。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateConfigurationPolicy
中的。
-
以下代码示例演示如何使用 update-finding-aggregator。
- Amazon CLI
-
更新当前的查找结果聚合配置
以下
update-finding-aggregator示例将查找结果聚合配置更改为从选定区域进行链接。它从美国东部(弗吉尼亚州)运营,这是聚合区域。它选择美国西部(加利福尼亚北部)和美国西部(俄勒冈)作为关联区域。aws securityhub update-finding-aggregator \ --region us-east-1 \ --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \ --region-linking-mode SPECIFIED_REGIONS \ --regions us-west-1,us-west-2此命令不生成任何输出。
有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的更新查找聚合配置。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateFindingAggregator
中的。
-
以下代码示例演示如何使用 update-insight。
- Amazon CLI
-
示例 1:更改自定义数据分析的筛选条件
以下
update-insight示例更改了自定义数据分析的筛选条件。更新的见解会查找与 Amazon 角色相关的严重性较高的调查结果。aws securityhub update-insight \ --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \ --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \ --name "High severity role findings"示例 2:更改自定义数据分析的分组属性
以下
update-insight示例使用指定 ARN 更改自定义数据分析的分组属性。新的分组属性是资源 ID。aws securityhub update-insight \ --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \ --group-by-attribute "ResourceId" \ --name "Critical role findings"输出:
{ "Insights": [ { "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Critical role findings", "Filters": { "SeverityLabel": [ { "Value": "CRITICAL", "Comparison": "EQUALS" } ], "ResourceType": [ { "Value": "AwsIamRole", "Comparison": "EQUALS" } ] }, "GroupByAttribute": "ResourceId" } ] }有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的管理自定义见解。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateInsight
中的。
-
以下代码示例演示如何使用 update-organization-configuration。
- Amazon CLI
-
更新为组织配置 Security Hub 的方式
以下
update-organization-configuration示例指定 Security Hub 应使用集中配置来配置组织。运行此命令后,委派的 Security Hub 管理员可以创建和管理配置策略来配置组织。委派的管理员也可以使用此命令从中央配置切换到本地配置。如果配置类型为本地配置,则授权管理员可以选择是否在新组织帐户中自动启用 Security Hub 和默认安全标准。aws securityhub update-organization-configuration \ --no-auto-enable \ --organization-configuration '{"ConfigurationType": "CENTRAL"}'此命令不生成任何输出。
有关更多信息,请参阅《Sec Amazon urity Hub 用户指南 Amazon 》中的 Organizations 账户。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateOrganizationConfiguration
中的。
-
以下代码示例演示如何使用 update-security-control。
- Amazon CLI
-
更新安全控制属性
以下
update-security-control示例为 Security Hub 安全控制参数指定了自定义值。aws securityhub update-security-control \ --security-control-id ACM.1 \ --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \ --last-update-reason "Internal compliance requirement"此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的自定义控件参数。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateSecurityControl
中的。
-
以下代码示例演示如何使用 update-security-hub-configuration。
- Amazon CLI
-
更新 Security Hub 配置
以下
update-security-hub-configuration示例将 Security Hub 配置为自动为启用的标准启用新控件。aws securityhub update-security-hub-configuration \ --auto-enable-controls此命令不生成任何输出。
有关更多信息,请参阅 Sec Amazon urity Hub 用户指南中的自动启用新控件。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateSecurityHubConfiguration
中的。
-
以下代码示例演示如何使用 update-standards-control。
- Amazon CLI
-
示例 1:禁用控件
以下
update-standards-control示例禁用 PCI。 AutoScaling.1 控制。aws securityhub update-standards-control \ --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \ --control-status "DISABLED" \ --disabled-reason "Not applicable for my service"此命令不生成任何输出。
示例 2:启用控件
以下
update-standards-control示例启用 PCI。 AutoScaling.1 控制。aws securityhub update-standards-control \ --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \ --control-status "ENABLED"此命令不生成任何输出。
有关更多信息,请参阅《Sec Amazon urity Hub 用户指南》中的禁用和启用单个控件。
-
有关 API 的详细信息,请参阅Amazon CLI 命令参考UpdateStandardsControl
中的。
-