Using Amazon EventBridge - Amazon GuardDuty
Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

Using Amazon EventBridge

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and Amazon services, and routes that data to targets such as Lambda. This lets you monitor events that happen in your services and build event-driven architectures. For more information, see the Amazon EventBridge User Guide.

For an account that owns an S3 bucket protected by Malware Protection for S3, GuardDuty publishes EventBridge notifications to the default event bus when:

  • The Malware Protection plan resource status of any of your protected buckets changes. For information about the various statuses, see Malware Protection plan resource status.

  • A tagging event fails for any of the following reasons:

    • The IAM PassRole lacks the permission to tag objects.

      The Add IAM policy permissions template includes the permission for GuardDuty to add tags to objects.

    • The bucket resource or object specified in the IAM PassRole no longer exists.

    • The associated S3 object has reached the maximum tag limit. For more information about tag limits, see Categorizing your storage using tags in the Amazon S3 User Guide.

  • S3 object scan results are published to your default EventBridge event bus.

Setting up EventBridge rules

You can set up an EventBridge rule in your account to send resource status, post-scan tagging failure events, or S3 object scan results to other Amazon Web Services services. As a delegated GuardDuty administrator account, you receive a Malware Protection plan resource status notification whenever the plan's resource status changes.

Standard EventBridge pricing applies. For more information, see Pricing for Malware Protection for S3.

In the examples, all values shown in red are placeholders. They vary according to the scan result of your S3 object.

You can create EventBridge event patterns based on the following scenarios:

Potential detail-type values
  • "GuardDuty Malware Protection Resource Status Active"

  • "GuardDuty Malware Protection Resource Status Warning"

  • "GuardDuty Malware Protection Resource Status Error"

Event pattern (Malware Protection plan resource status)

{
  "detail-type": ["potential detail-type"],
  "source": ["aws.guardduty"]
}

Example notification schema for GuardDuty Malware Protection Resource Status Active

{
  "version": "0",
  "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
  "detail-type": "GuardDuty Malware Protection Resource Status Active",
  "source": "aws.guardduty",
  "account": "111122223333",
  "time": "2017-12-22T18:43:48Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"
  ],
  "detail": {
    "schemaVersion": "1.0",
    "eventTime": "2024-02-28T01:01:01Z",
    "s3BucketDetails": {
      "bucketName": "DOC-EXAMPLE-BUCKET"
    },
    "resourceStatus": "ACTIVE"
  }
}

Example notification schema for GuardDuty Malware Protection Resource Status Error or GuardDuty Malware Protection Resource Status Warning

{
  "version": "0",
  "id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2",
  "detail-type": "GuardDuty Malware Protection Resource Status Error or Warning",
  "source": "aws.guardduty",
  "account": "111122223333",
  "time": "2017-12-22T18:43:48Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"
  ],
  "detail": {
    "schemaVersion": "1.0",
    "eventTime": "2024-02-28T01:01:01Z",
    "s3BucketDetails": {
      "bucketName": "DOC-EXAMPLE-BUCKET"
    },
    "resourceStatus": "ERROR",
    "statusReasons": [
      { "code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED" },
      { "code": "PROTECTED_RESOURCE_DELETED" }
    ]
  }
}

The resourceStatus value can be Warning or Error.

When the Status column of a protected bucket changes to Warning or Error, the statusReasons value is populated according to the root cause. For troubleshooting steps, see Troubleshooting Malware Protection plan status details.

Event pattern (post-scan tagging failure)

{
  "detail-type": ["GuardDuty Malware Protection Post Scan Action Failed"],
  "source": ["aws.guardduty"]
}

Example notification schema

{
  "version": "0",
  "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
  "detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
  "source": "aws.guardduty",
  "account": "111122223333",
  "time": "2024-06-10T16:16:08Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"
  ],
  "detail": {
    "schemaVersion": "1.0",
    "eventTime": "2024-06-10T16:16:08Z",
    "s3ObjectDetails": {
      "bucketName": "DOC-EXAMPLE-BUCKET",
      "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
      "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6"
    },
    "postScanActions": [
      {
        "actionType": "TAGGING",
        "status": "FAILED",
        "failureReason": "ACCESS_DENIED"
      }
    ]
  }
}

Potential failureReason values include ACCESS_DENIED and MAX_TAG_LIMIT_EXCEEDED.

Event pattern (S3 object scan result)

{
  "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
  "source": ["aws.guardduty"]
}

Example notification schema for NO_THREATS_FOUND

{
  "version": "0",
  "id": "72c7d362-737a-6dce-fc78-9e27a0171419",
  "detail-type": "GuardDuty Malware Protection Object Scan Result",
  "source": "aws.guardduty",
  "account": "111122223333",
  "time": "2024-02-28T01:01:01Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"
  ],
  "detail": {
    "versionId": "1.0",
    "scanStatus": "COMPLETED",
    "resourceType": "S3_OBJECT",
    "s3ObjectDetails": {
      "bucketName": "DOC-EXAMPLE-BUCKET",
      "objectKey": "APKAEIBAERJR2EXAMPLE",
      "eTag": "ASIAI44QH8DHBEXAMPLE"
    },
    "scanResultDetails": {
      "scanResultStatus": "NO_THREATS_FOUND",
      "threats": null
    }
  }
}

Example notification schema for THREATS_FOUND

{
  "version": "0",
  "id": "72c7d362-737a-6dce-fc78-9e27a0171419",
  "detail-type": "GuardDuty Malware Protection Object Scan Result",
  "source": "aws.guardduty",
  "account": "111122223333",
  "time": "2024-02-28T01:01:01Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"
  ],
  "detail": {
    "versionId": "1.0",
    "scanStatus": "COMPLETED",
    "resourceType": "S3_OBJECT",
    "s3ObjectDetails": {
      "bucketName": "DOC-EXAMPLE-BUCKET",
      "objectKey": "APKAEIBAERJR2EXAMPLE",
      "eTag": "ASIAI44QH8DHBEXAMPLE"
    },
    "scanResultDetails": {
      "scanResultStatus": "THREATS_FOUND",
      "threats": [
        { "name": "EICAR-Test-File (not a virus)" }
      ]
    }
  }
}
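As an added example (not AWS's code and not part of this page), the following Python narrows the Object Scan Result pattern above to THREATS_FOUND results only, includes a small matcher for the exact-match subset of EventBridge pattern semantics so the filter can be checked locally, and shows a Lambda-style handler that turns each of the three detail-types on this page into a responder decision. The sample event it builds is constructed to mirror the page's schema; the object key upload/report.pdf and the action names are assumptions.

```python
# Pattern for a rule that fires only when a scan found a threat: the page's
# Object Scan Result pattern plus a content filter (leaf values must be lists).
THREATS_ONLY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
    "detail": {"scanResultDetails": {"scanResultStatus": ["THREATS_FOUND"]}},
}

def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: a list matches if
    the event value is one of its entries; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def sample_scan_result(status, threats=None):
    """Constructed Object Scan Result event shaped like the page's examples."""
    return {
        "source": "aws.guardduty", "account": "111122223333",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {"scanStatus": "COMPLETED", "resourceType": "S3_OBJECT",
                   "s3ObjectDetails": {"bucketName": "DOC-EXAMPLE-BUCKET",
                                       "objectKey": "upload/report.pdf"},
                   "scanResultDetails": {"scanResultStatus": status,
                                         "threats": threats}},
    }

def handler(event, context=None):
    """Lambda-style target: returns the decision a responder would act on
    (the real S3 copy/delete or ticket call is left to the deployment)."""
    kind, detail = event["detail-type"], event["detail"]
    if kind == "GuardDuty Malware Protection Object Scan Result":
        obj, result = detail["s3ObjectDetails"], detail["scanResultDetails"]
        if result["scanResultStatus"] == "THREATS_FOUND":
            names = [t["name"] for t in result.get("threats") or []]
            return {"action": "QUARANTINE", "key": obj["objectKey"], "threats": names}
        return {"action": "ALLOW", "key": obj["objectKey"]}
    if kind == "GuardDuty Malware Protection Post Scan Action Failed":
        failed = [a["failureReason"] for a in detail["postScanActions"] if a["status"] == "FAILED"]
        return {"action": "FIX_TAGGING", "reasons": failed}
    if kind.startswith("GuardDuty Malware Protection Resource Status"):
        codes = [r["code"] for r in detail.get("statusReasons", [])]
        return {"action": "REVIEW_PLAN" if codes else "NONE", "reasons": codes}
    return {"action": "IGNORE"}
```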