使用 Amazon EventBridge 监控 S3 对象扫描
Amazon EventBridge 是一种无服务器事件总线服务,可以轻松地将应用程序与来自各种来源的数据相连接。EventBridge 可以从您自己的应用程序、软件即服务 (SaaS) 应用程序和Amazon服务传输实时数据流,然后将该数据路由到诸如 Lambda 之类的目标。这使您能够监控服务中发生的事件,并构建事件驱动的架构。有关更多信息,请参阅 Amazon EventBridge 用户指南。
作为受 S3 恶意软件防护功能保护的 S3 存储桶所有者账户,GuardDuty 会在下列场景中将 EventBridge 通知发布到默认事件总线:
-
任何受保护存储桶的恶意软件防护计划资源状态会发生变化。有关不同状态的更多信息,请参阅查看和了解受保护的存储桶状态。
要为资源状态设置 Amazon EventBridge(EventBridge)规则,请参阅恶意软件防护计划资源状态。
-
系统会将 S3 对象扫描结果发布到您的默认 EventBridge 事件总线。
s3Throttled字段指示在 Amazon S3 存储桶中上传或检索存储时是否出现延迟。true值指示存在延迟,false指示没有延迟。如果扫描结果的
s3Throttled为true,则 Amazon S3 会提供有关前缀设置方式的建议,以帮助您减少每个前缀的每秒事务处理量(TPS)。有关更多信息,请参阅《Amazon S3 用户指南》中的最佳实践设计模式:优化 Amazon S3 性能。要为 S3 对象扫描结果设置 Amazon EventBridge(EventBridge)规则,请参阅 S3 对象扫描结果。
-
由于以下原因,出现扫描后标记失败事件:
-
IAM 角色缺少标记对象的权限。
添加 IAM 策略权限 模板包含允许 GuardDuty 标记对象的权限。
-
IAM 角色中指定的存储桶资源或对象已不再存在。
-
关联的 S3 对象已达到最大标签限制。有关标签限制的更多信息,请参阅《Amazon S3 用户指南》中的使用标签对存储进行分类。
要为扫描后标记失败事件设置 Amazon EventBridge(EventBridge)规则,请参阅扫描后标记失败事件。
-
设置 EventBridge 规则
您可以在账户中设置 EventBridge 规则,以将资源状态、扫描后标记失败事件或 S3 对象扫描结果发送给其他 Amazon Web Services 服务。作为委派 GuardDuty 管理员账户,您将在状态发生变化时收到恶意软件防护计划资源状态通知。
将按标准 EventBridge 定价收费。有关更多信息,请参阅 Amazon EventBridge 定价
示例中所有以红色显示的值均为占位符。这些值将根据您账户中的值以及是否检测到恶意软件而改变。
恶意软件防护计划资源状态
您可以根据以下场景创建 EventBridge 事件模式:
可能的 detail-type 值
-
"GuardDuty Malware Protection Resource Status Active" -
"GuardDuty Malware Protection Resource Status Warning" -
"GuardDuty Malware Protection Resource Status Error"
事件模式
{ "detail-type": ["potential detail-type"], "source": ["aws.guardduty"] }
GuardDuty Malware
Protection Resource Status Active 示例通知架构:
{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status Active", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ACTIVE" } }
GuardDuty Malware
Protection Resource Status Warning 示例通知架构:
{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status warning", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "WARNING", "statusReasons": [ { "code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS" } ] } }
GuardDuty Malware
Protection Resource Status Error 示例通知架构:
{ "version": "0", "id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2", "detail-type": "GuardDuty Malware Protection Resource StatusError", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ERROR", "statusReasons": [ { "code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED" } ] } }
statusReasons 值将根据 resourceStatus ERROR 背后的原因填充。
有关以下警告和错误的故障排除步骤的信息,请参阅恶意软件防护计划状态故障排除。
S3 对象扫描结果
{ "detail-type": ["GuardDuty Malware Protection Object Scan Result"], "source": ["aws.guardduty"] }
NO_THREATS_FOUND 示例通知架构:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "scanResultDetails": { "scanResultStatus": "NO_THREATS_FOUND", "threats": null } } }
THREATS_FOUND 示例通知架构:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "scanResultDetails": { "scanResultStatus": "THREATS_FOUND", "threats": [ { "name": "EICAR-Test-File (not a virus)" } ] } } }
注意
scanResultDetails.Threats 字段仅包含一种威胁。默认情况下,S3 恶意软件防护扫描会报告第一个检测到的威胁。此后,scanStatus 将设置为 COMPLETED。
UNSUPPORTED 扫描结果状态的示例通知架构(已跳过):
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "scanResultDetails": { "scanResultStatus": "UNSUPPORTED", "threats": null } } }
ACCESS_DENIED 扫描结果状态的示例通知架构(已跳过):
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "scanResultDetails": { "scanResultStatus": "ACCESS_DENIED", "threats": null } } }
FAILED 扫描结果状态的示例通知架构:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "scanStatus": "FAILED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "scanResultDetails": { "scanResultStatus": "FAILED", "threats": null } } }
扫描后标记失败事件
事件模式:
{ "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty" }
ACCESS_DENIED 示例通知架构:
{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "postScanActions": [{ "actionType": "TAGGING", "failureReason": "ACCESS_DENIED" }] } }
MAX_TAG_LIMIT_EXCEEDED 示例通知架构:
{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled":false}, "postScanActions": [{ "actionType": "TAGGING", "failureReason": "MAX_TAG_LIMIT_EXCEEDED" }] } }
要对这些失败原因进行故障排除,请参阅对 S3 对象扫描后标记失败问题进行故障排除。