本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
订阅 Amazon SNS GuardDuty 公告
本节提供了有关订阅 Amazon SNS(Simple Notification Service)for GuardDuty 公告的信息,以接收有关新发布的调查发现类型、现有调查发现类型的更新以及其他功能更改的通知。通知以 Amazon SNS 支持的所有格式提供。
GuardDuty SNS 会向任何订阅账户发送有关 Amazon 的 GuardDuty 服务更新的公告。要接收有关您账户中调查发现的通知,请参阅 使用 Amazon CloudWatch Events 创建对 GuardDuty 调查结果的自定义响应。
注意
IAM 用户必须拥有 sns::subscribe
权限才能订阅 SNS。
您可以为 Amazon SQS 队列订阅此通知主题,但您必须使用位于同一区域的主题 ARN。有关更多信息,请参阅《Amazon Simple Queue Service 开发人员指南》中的教程:为 Amazon SQS 队列订阅 Amazon SNS 主题。
您也可以使用 Amazon Lambda 函数在收到通知时触发事件。有关更多信息,请参阅《Amazon Simple Queue Service 开发人员指南》中的使用 Amazon SNS 通知调用 Lambda 函数。
每个区域的 Amazon SNS 主题 ARN 如下所示。
Amazon 区域 | Amazon SNS 主题 ARN |
---|---|
us-east-1 |
arn:aws:sns:us-east-1:242987662583:GuardDutyAnnouncements |
us-east-2 |
arn:aws:sns:us-east-2:118283430703:GuardDutyAnnouncements |
us-west-1 |
arn:aws:sns:us-west-1:144182107116:GuardDutyAnnouncements |
us-west-2 |
arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements |
ca-central-1 |
arn:aws:sns:ca-central-1:107430051933:GuardDutyAnnouncements |
ca-west-1 |
arn:aws:sns:ca-west-1:440427180217:GuardDutyAnnouncements |
eu-north-1 |
arn:aws:sns:eu-north-1:973841112453:GuardDutyAnnouncements |
eu-west-1 |
arn:aws:sns:eu-west-1:965013871422:GuardDutyAnnouncements |
eu-west-2 |
arn:aws:sns:eu-west-2:506403581195:GuardDutyAnnouncements |
eu-west-3 |
arn:aws:sns:eu-west-3:436163563069:GuardDutyAnnouncements |
eu-central-1 |
arn:aws:sns:eu-central-1:378365507264:GuardDutyAnnouncements |
eu-central-2 |
arn:aws:sns:eu-central-2:383009515534:GuardDutyAnnouncements |
ap-east-1 |
arn:aws:sns:ap-east-1:646602203151:GuardDutyAnnouncements |
ap-northeast-1 |
arn:aws:sns:ap-northeast-1:741172661024:GuardDutyAnnouncements |
ap-northeast-2 |
arn:aws:sns:ap-northeast-2:464168911255:GuardDutyAnnouncements |
ap-southeast-1 |
arn:aws:sns:ap-southeast-1:476419727788:GuardDutyAnnouncements |
ap-southeast-2 |
arn:aws:sns:ap-southeast-2:457615622431:GuardDutyAnnouncements |
ap-south-1 |
arn:aws:sns:ap-south-1:926826061926:GuardDutyAnnouncements |
sa-east-1 |
arn:aws:sns:sa-east-1:955633302743:GuardDutyAnnouncements |
us-gov-west-1 |
arn:aws-us-gov:sns:us-gov-west-1:430639793359:GuardDutyAnnouncements |
cn-north-1 |
arn:aws-cn:sns:cn-north-1:002991280229:GuardDutyAnnouncements |
cn-northwest-1 |
arn:aws-cn:sns:cn-northwest-1:003033775354:GuardDutyAnnouncements |
me-south-1 |
arn:aws:sns:me-south-1:552740612889:GuardDutyAnnouncements |
me-central-1 |
arn:aws:sns:me-central-1:030935290150:GuardDutyAnnouncements |
eu-south-1 |
arn:aws:sns:eu-south-1:188461706213:GuardDutyAnnouncements |
eu-south-2 |
arn:aws:sns:eu-south-2:445632894446:GuardDutyAnnouncements |
us-gov-east-1 |
arn:aws:sns:us-gov-east-1:143972945659:GuardDutyAnnouncements |
ap-northeast-3 |
arn:aws:sns:ap-northeast-3:129086577509:GuardDutyAnnouncements |
ap-southeast-3 |
arn:aws:sns:ap-southeast-3:225965583551:GuardDutyAnnouncements |
ap-south-2 |
arn:aws:sns:ap-south-2:595653072700:GuardDutyAnnouncements |
ap-southeast-4 |
arn:aws:sns:ap-southeast-4:529900636122:GuardDutyAnnouncements |
il-central-1 |
arn:aws:sns:il-central-1:847886274986:GuardDutyAnnouncements |
要在 Amazon Web Services Management Console 中订阅 GuardDuty 更新通知电子邮件
通过 https://console.aws.amazon.com/sns/v3/home
打开 Amazon SNS 控制台。 -
在区域列表中,选择与要订阅的主题 ARN 相同的区域。此示例使用
us-west-2
区域。 -
在左侧导航窗格中,依次选择订阅和创建订阅。
-
在 Create Subscription (创建订阅) 对话框中,对于 Topic ARN (主题 ARN),粘贴主题 ARN:
arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements
。 -
对于协议,选择电子邮件。对于终端节点,请键入您可用于接收通知的电子邮件地址。
-
选择创建订阅。
-
在您的电子邮件应用程序中,打开来自 Amazon 通知的消息,然后打开链接以确认订阅。
您的 Web 浏览器将显示来自 Amazon SNS 的确认响应。
要使用 Amazon CLI 订阅 GuardDuty 更新通知电子邮件
-
使用 Amazon CLI 运行以下命令:
aws sns --region
us-west-2
subscribe --topic-arn arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements --protocolemail
--notification-endpointyour_email@your_domain.com
-
在您的电子邮件应用程序中,打开来自 Amazon 通知的消息,然后打开链接以确认订阅。
您的 Web 浏览器将显示来自 Amazon SNS 的确认响应。
Amazon SNS 消息格式
GuardDuty 一般通知消息示例:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"GENERAL\",\"message\":[{\"title\":\"Updated AmazonGuardDutyFullAccess policy\",\"body\":\"Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for S3.\",\"links\":[\"https://docs.aws.amazon.com//guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess\"]}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
解析的 Message 值(去掉转义引号)如下所示:
{ "version": "1", "type": "GENERAL", "message": [ { "title": "Updated AmazonGuardDutyFullAccess policy", "body": "Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for S3.", "links": [ "https://docs.aws.amazon.com//guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess" ] } ] }
有关新调查发现的 GuardDuty 更新通知消息示例如下所示:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"NEW_FINDINGS\",\"findingDetails\":[{\"link\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html\",\"findingType\":\"UnauthorizedAccess:EC2/TorClient\",\"findingDescription\":\"This finding informs you that an EC2 instance in your Amazon environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance is acting as a client on a Tor network. A common use for a Tor client is to circumvent network monitoring and filter for access to unauthorized or illicit content. Tor clients can also generate nefarious Internet traffic, including attacking SSH servers. This activity can indicate that your EC2 instance is compromised.\"}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
解析的 Message 值(去掉转义引号)如下所示:
{ "version": "1", "type": "NEW_FINDINGS", "findingDetails": [{ "link": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html", "findingType": "UnauthorizedAccess:EC2/TorClient", "findingDescription": "This finding informs you that an EC2 instance in your Amazon environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance is acting as a client on a Tor network. A common use for a Tor client is to circumvent network monitoring and filter for access to unauthorized or illicit content. Tor clients can also generate nefarious Internet traffic, including attacking SSH servers. This activity can indicate that your EC2 instance is compromised." }] }
有关 GuardDuty 功能更新的 GuardDuty 更新通知消息示例如下所示:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"NEW_FEATURES\",\"featureDetails\":[{\"featureDescription\":\"Customers with high-volumes of global CloudTrail events should see a net positive impact on their GuardDuty costs.\",\"featureLink\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_data-sources.html#guardduty_controlplane\"}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
解析的 Message 值(去掉转义引号)如下所示:
{ "version": "1", "type": "NEW_FEATURES", "featureDetails": [{ "featureDescription": "Customers with high-volumes of global CloudTrail events should see a net positive impact on their GuardDuty costs.", "featureLink": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_data-sources.html#guardduty_controlplane" }] }
有关更新调查发现的 GuardDuty 更新通知消息示例如下所示:
{ "Type": "Notification", "MessageId": "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn": "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message": "{\"version\":\"1\",\"type\":\"UPDATED_FINDINGS\",\"findingDetails\":[{\"link\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html\",\"findingType\":\"UnauthorizedAccess:EC2/TorClient\",\"description\":\"Increased severity value from 5 to 8.\"}]}", "Timestamp": "2018-03-09T00:25:43.483Z", "SignatureVersion": "1", "Signature": "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
解析的 Message 值(去掉转义引号)如下所示:
{ "version": "1", "type": "UPDATED_FINDINGS", "findingDetails": [{ "link": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html", "findingType": "UnauthorizedAccess:EC2/TorClient", "description": "Increased severity value from 5 to 8." }] }