Amazon EventBridge event schema for Amazon Inspector events - Amazon Inspector
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

Amazon EventBridge event schema for Amazon Inspector events

To support integration with other applications, services, and systems, such as monitoring or event management systems, Amazon Inspector automatically publishes findings to Amazon EventBridge as events. EventBridge is a serverless event bus service that delivers a stream of real-time data from your applications and other Amazon Web Services services to targets such as Amazon Lambda functions, Amazon Simple Notification Service topics, and Amazon Kinesis Data Streams streams. To learn more about EventBridge and EventBridge events, see the Amazon EventBridge User Guide.

Amazon Inspector publishes events for findings, for changes in resource coverage, and for the initial scan of an individual resource. Each event is a JSON object that conforms to the Amazon EventBridge event schema. Because the data is structured as an EventBridge event, you can use other applications, services, and tools to monitor, process, and act on findings and the other supported Amazon Inspector events more easily.

Basic Amazon EventBridge schema for Amazon Inspector

The following is an example of the basic schema for Amazon Inspector EventBridge events. The event details vary by event type.

{
  "version": "0",
  "id": "Event ID",
  "detail-type": "Inspector2 *event type*",
  "source": "aws.inspector2",
  "account": "Amazon Web Services account ID (string)",
  "time": "event timestamp (string)",
  "region": "Amazon Web Services Region (string)",
  "resources": [
    *IDs or ARNs of the resources involved in the event*
  ],
  "detail": {
    *Details of an Amazon Inspector event type*
  }
}

Amazon Inspector finding event schema example

The following is an example of the EventBridge event schema for an Amazon Inspector finding. Amazon Inspector creates a finding event when it detects a software vulnerability or a network issue in one of your resources. For guidance on creating notifications for this type of event, see Creating custom responses to Amazon Inspector findings with Amazon EventBridge.

The following fields identify a finding event:

  • The detail-type field is set to Inspector2 Finding.

  • The detail object describes the finding.

Choose from the options to view finding event schemas for different resource types and finding types.

Amazon EC2 package vulnerability finding
{
  "version": "0",
  "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T22:46:15Z",
  "region": "us-east-1",
  "resources": ["i-0c2a343f1948d5205"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).",
    "exploitAvailable": "YES",
    "exploitabilityDetails": {
      "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM"
    },
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "fixAvailable": "YES",
    "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 4.7,
          "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": [
        "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/",
        "https://ubuntu.com/security/notices/USN-5792-1",
        "https://ubuntu.com/security/notices/USN-5791-2",
        "https://ubuntu.com/security/notices/USN-5791-1",
        "https://ubuntu.com/security/notices/USN-5793-2",
        "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d",
        "https://ubuntu.com/security/notices/USN-5793-1",
        "https://ubuntu.com/security/notices/USN-5792-2",
        "https://ubuntu.com/security/notices/USN-5791-3",
        "https://ubuntu.com/security/notices/USN-5793-4",
        "https://ubuntu.com/security/notices/USN-5793-3",
        "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"
      ],
      "relatedVulnerabilities": [],
      "source": "UBUNTU_CVE",
      "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
      "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
      "vendorSeverity": "medium",
      "vulnerabilityId": "CVE-2022-3303",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:5.15.0.1027.31~20.04.16",
          "name": "linux-image-aws",
          "packageManager": "OS",
          "remediation": "apt update && apt install --only-upgrade linux-image-aws",
          "version": "5.15.0.1026.30~20.04.16"
        }
      ]
    },
    "remediation": {
      "recommendation": {
        "text": "None Provided"
      }
    },
    "resources": [
      {
        "details": {
          "awsEc2Instance": {
            "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
            "imageId": "ami-0b7ff1a8d69f1bb35",
            "ipV4Addresses": ["172.31.85.212", "44.203.45.27"],
            "ipV6Addresses": [],
            "launchedAt": "Jan 19, 2023, 7:53:14 PM",
            "platform": "UBUNTU_20_04",
            "subnetId": "subnet-8213f2a3",
            "type": "t2.micro",
            "vpcId": "vpc-ab6650d1"
          }
        },
        "id": "i-0c2a343f1948d5205",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "CVE-2022-3303 - linux-image-aws",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 10:46:15 PM"
  }
}
Amazon EC2 network reachability finding
{
  "version": "0",
  "id": "d0384f63-1621-1b75-d014-a5e45628ef3e",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T09:17:57Z",
  "region": "us-east-1",
  "resources": ["i-0a96278c2206a8e4b"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "On the instance i-0a96278c2206a8e4b, the port range 22-22 is reachable from the InternetGateway igw-72069c09 from an attached ENI eni-0976efe678170408f.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 20, 2023, 9:17:57 AM",
    "lastObservedAt": "Jan 20, 2023, 9:17:57 AM",
    "networkReachabilityDetails": {
      "networkPath": {
        "steps": [
          { "componentId": "igw-72069c09", "componentType": "AWS::EC2::InternetGateway" },
          { "componentId": "acl-91d74eec", "componentType": "AWS::EC2::NetworkAcl" },
          { "componentId": "sg-0aaed0af450bd0165", "componentType": "AWS::EC2::SecurityGroup" },
          { "componentId": "eni-0976efe678170408f", "componentType": "AWS::EC2::NetworkInterface" },
          { "componentId": "i-0a96278c2206a8e4b", "componentType": "AWS::EC2::Instance" }
        ]
      },
      "openPortRange": { "begin": 22, "end": 22 },
      "protocol": "TCP"
    },
    "remediation": {
      "recommendation": {
        "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path."
      }
    },
    "resources": [
      {
        "details": {
          "awsEc2Instance": {
            "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
            "imageId": "ami-0b5eea76982371e91",
            "ipV4Addresses": ["3.89.90.19", "172.31.93.57"],
            "ipV6Addresses": [],
            "keyName": "example-inspector-test",
            "launchedAt": "Jan 19, 2023, 7:25:02 PM",
            "platform": "AMAZON_LINUX_2",
            "subnetId": "subnet-8213f2a3",
            "type": "t2.micro",
            "vpcId": "vpc-ab6650d1"
          }
        },
        "id": "i-0a96278c2206a8e4b",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "Port 22 is reachable from an Internet Gateway",
    "type": "NETWORK_REACHABILITY",
    "updatedAt": "Jan 20, 2023, 9:17:57 AM"
  }
}
Amazon ECR package vulnerability finding
{
  "version": "0",
  "id": "5b52952e-26df-3a51-6d14-4dbe737e58ec",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T21:59:00Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13"
  ],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.",
    "exploitAvailable": "NO",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 9:59:00 PM",
    "fixAvailable": "YES",
    "inspectorScore": 7.5,
    "inspectorScoreDetails": {
      "adjustedCvss": {
        "adjustments": [],
        "cvssSource": "NVD",
        "score": 7.5,
        "scoreSource": "NVD",
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
      }
    },
    "lastObservedAt": "Jan 19, 2023, 9:59:00 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        { "baseScore": 5, "scoringVector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "source": "NVD", "version": "2.0" },
        { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "source": "NVD", "version": "3.1" }
      ],
      "referenceUrls": [
        "https://hackerone.com/reports/1555796",
        "https://security.gentoo.org/glsa/202212-01",
        "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html",
        "https://www.debian.org/security/2022/dsa-5197"
      ],
      "relatedVulnerabilities": [],
      "source": "NVD",
      "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782",
      "vendorCreatedAt": "Jun 2, 2022, 2:15:00 PM",
      "vendorSeverity": "HIGH",
      "vendorUpdatedAt": "Jan 5, 2023, 5:51:00 PM",
      "vulnerabilityId": "CVE-2022-27782",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:7.61.1-22.el8_6.3",
          "name": "libcurl",
          "packageManager": "OS",
          "release": "22.el8",
          "remediation": "yum update libcurl",
          "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b",
          "version": "7.61.1"
        },
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:7.61.1-22.el8_6.3",
          "name": "curl",
          "packageManager": "OS",
          "release": "22.el8",
          "remediation": "yum update curl",
          "sourceLayerHash": "sha256:38a980f2cc8accf69c23deae6743d42a87eb34a54f02396f3fcfd7c2d06e2c5b",
          "version": "7.61.1"
        }
      ]
    },
    "remediation": {
      "recommendation": {
        "text": "None Provided"
      }
    },
    "resources": [
      {
        "details": {
          "awsEcrContainerImage": {
            "architecture": "amd64",
            "imageHash": "sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13",
            "imageTags": ["o3"],
            "platform": "ORACLE_LINUX_8",
            "pushedAt": "Jan 19, 2023, 7:38:39 PM",
            "registry": "111122223333",
            "repositoryName": "inspector2"
          }
        },
        "id": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2/sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_ECR_CONTAINER_IMAGE"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "CVE-2022-27782 - libcurl, curl",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 9:59:00 PM"
  }
}
Lambda package vulnerability finding
{
  "version": "0",
  "id": "040bb590-3a12-353f-ecb1-05e54b0fbea7",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T19:20:25Z",
  "region": "us-east-1",
  "resources": ["arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
    "exploitAvailable": "NO",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 7:20:25 PM",
    "fixAvailable": "YES",
    "inspectorScore": 7.5,
    "inspectorScoreDetails": {
      "adjustedCvss": {
        "cvssSource": "NVD",
        "score": 7.5,
        "scoreSource": "NVD",
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
      }
    },
    "lastObservedAt": "Jan 19, 2023, 7:20:25 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "source": "NVD", "version": "3.1" }
      ],
      "referenceUrls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434"],
      "relatedVulnerabilities": [],
      "source": "NVD",
      "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
      "vendorCreatedAt": "Sep 16, 2022, 10:15:00 AM",
      "vendorSeverity": "HIGH",
      "vendorUpdatedAt": "Nov 25, 2022, 11:15:00 AM",
      "vulnerabilityId": "CVE-2022-40152",
      "vulnerablePackages": [
        {
          "epoch": 0,
          "filePath": "lib/woodstox-core-6.2.7.jar",
          "fixedInVersion": "6.4.0",
          "name": "com.fasterxml.woodstox:woodstox-core",
          "packageManager": "JAR",
          "remediation": "Update woodstox-core to 6.4.0",
          "version": "6.2.7"
        }
      ]
    },
    "remediation": {
      "recommendation": {
        "text": "None Provided"
      }
    },
    "resources": [
      {
        "details": {
          "awsLambdaFunction": {
            "architectures": ["X86_64"],
            "codeSha256": "+EwrOrht2um4fdVCD73gj+O7HJIAUvUxi8AD0eKHSkc=",
            "executionRoleArn": "arn:aws:iam::111122223333:role/ExampleFunction-ExecutionRole",
            "functionName": "Example-function",
            "lastModifiedAt": "Nov 7, 2022, 8:29:27 PM",
            "packageType": "ZIP",
            "runtime": "JAVA_11",
            "version": "$LATEST"
          }
        },
        "id": "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction:$LATEST",
        "partition": "aws",
        "region": "us-east-1",
        "tags": { "TargetAlias": "DeploymentStack", "SoftwareType": "Infrastructure" },
        "type": "AWS_LAMBDA_FUNCTION"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "CVE-2022-40152 - com.fasterxml.woodstox:woodstox-core",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 7:20:25 PM"
  }
}
Lambda code vulnerability finding
{
  "version": "0",
  "id": "9df01cb1-df24-bc46-5650-085a4087e7aa",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-12-07T22:14:45Z",
  "region": "us-east-1",
  "resources": ["arn:aws:lambda:us-east-1:111122223333:function:code-finding:$LATEST"],
  "detail": {
    "awsAccountId": "111122223333",
    "codeVulnerabilityDetails": {
      "detectorId": "python/lambda-override-reserved@v1.0",
      "detectorName": "Override of reserved variable names in a Lambda function",
      "detectorTags": ["availability", "aws-python-sdk", "aws-lambda", "data-integrity", "maintainability", "security", "security-context", "python"],
      "filePath": { "endLine": 6, "fileName": "lambda_function.py", "filePath": "lambda_function.py", "startLine": 6 },
      "ruleId": "Rule-434311"
    },
    "description": "Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior or failure of the Lambda function.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Aug 8, 2023, 7:33:58 PM",
    "lastObservedAt": "Dec 7, 2023, 10:14:45 PM",
    "remediation": {
      "recommendation": {
        "text": "Your code attempts to override an environment variable that is reserved by the Lambda runtime environment. This can lead to unexpected behavior and might break the execution of your Lambda function.\n\n[Learn more](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime)"
      }
    },
    "resources": [
      {
        "details": {
          "awsLambdaFunction": {
            "architectures": ["X86_64"],
            "codeSha256": "2mtfH+CgubesG6NYpb2zEqBja5WN6FfbH4AAYDuF8RE=",
            "executionRoleArn": "arn:aws:iam::193043430472:role/service-role/code-finding-role-7jgg3wan",
            "functionName": "code-finding",
            "lastModifiedAt": "Dec 7, 2023, 10:12:48 PM",
            "packageType": "ZIP",
            "runtime": "PYTHON_3_7",
            "version": "$LATEST"
          }
        },
        "id": "arn:aws:lambda:us-east-1:193043430472:function:code-finding:$LATEST",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_LAMBDA_FUNCTION"
      }
    ],
    "severity": "HIGH",
    "status": "ACTIVE",
    "title": "Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.",
    "type": "CODE_VULNERABILITY",
    "updatedAt": "Dec 7, 2023, 10:14:45 PM"
  }
}
Note

The detail value returns the JSON details of a single finding as an object. It does not return the full finding response syntax, which supports multiple findings in an array.
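Because every finding arrives as the single object described above, an EventBridge rule pattern can filter on fields such as detail.severity, detail.status, detail.fixAvailable and detail.exploitAvailable directly. The following Python is an added example, not code from the AWS documentation or the Amazon Inspector service: it implements a simplified version of EventBridge's exact-match pattern semantics so a candidate rule pattern can be dry-run against sample events before it is deployed. The rule names, the patterns themselves and the trimmed sample events (modelled on the EC2 and ECR finding examples on this page) are constructed for the example; content filters such as prefix or numeric matching are deliberately not implemented.

```python
"""Dry-run EventBridge-style patterns against Amazon Inspector finding events.

Added example; the matcher implements only the exact-match subset of the
EventBridge pattern language (lists of allowed values, nested objects,
and "any element of an event array may match").
"""
from __future__ import annotations

from typing import Any

ECR_IMAGE_ARN = ("arn:aws:ecr:us-east-1:111122223333:repository/inspector2/"
                 "sha256:98f0304b3a3b7c12ce641177a99d1f3be56f532473a528fda38d53d519cafb13")

# Constructed sample, trimmed from the page's EC2 package-vulnerability finding.
EC2_FINDING = {
    "version": "0", "detail-type": "Inspector2 Finding", "source": "aws.inspector2",
    "account": "111122223333", "region": "us-east-1",
    "resources": ["i-0c2a343f1948d5205"],
    "detail": {
        "severity": "MEDIUM", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
        "fixAvailable": "YES", "exploitAvailable": "YES",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2022-3303"},
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0c2a343f1948d5205"}],
    },
}

# Constructed sample, trimmed from the page's ECR package-vulnerability finding.
ECR_FINDING = {
    "version": "0", "detail-type": "Inspector2 Finding", "source": "aws.inspector2",
    "account": "111122223333", "region": "us-east-1",
    "resources": [ECR_IMAGE_ARN],
    "detail": {
        "severity": "HIGH", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
        "fixAvailable": "YES", "exploitAvailable": "NO",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2022-27782"},
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": ECR_IMAGE_ARN}],
    },
}

# Hypothetical rule patterns written in EventBridge pattern syntax (names are ours).
FIXABLE_HIGH_PATTERN = {                      # active HIGH/CRITICAL findings with a fix
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["HIGH", "CRITICAL"], "status": ["ACTIVE"], "fixAvailable": ["YES"]},
}
EXPLOITABLE_PATTERN = {                       # any active finding with a known exploit
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"status": ["ACTIVE"], "exploitAvailable": ["YES"]},
}
ECR_ONLY_PATTERN = {                          # matches inside the detail.resources array
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]}},
}

RULES = {
    "fixable-high": FIXABLE_HIGH_PATTERN,
    "exploitable": EXPLOITABLE_PATTERN,
    "ecr-only": ECR_ONLY_PATTERN,
}


def matches(pattern: dict, event: Any) -> bool:
    """Every pattern key must exist in the event; a leaf list matches when the
    event value (or any element of an event array) equals a listed value;
    a nested dict recurses into the event object (or any object in an array)."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(matches(expected, c) for c in candidates):
                return False
        elif not any(c in expected for c in candidates):
            return False
    return True


def route(event: dict, rules: dict[str, dict]) -> list[str]:
    """Names of every rule whose pattern matches the event, in rule order."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]


if __name__ == "__main__":
    for ev in (EC2_FINDING, ECR_FINDING):
        cve = ev["detail"]["packageVulnerabilityDetails"]["vulnerabilityId"]
        print(cve, "->", route(ev, RULES))
```

Run stand-alone, the EC2 finding matches only the exploitable rule (it is MEDIUM, so the fixable-high rule stays silent even though exploitAvailable is YES), while the ECR finding matches fixable-high and ecr-only. That asymmetry is the point of filtering on exploitAvailable separately from severity: CVSS base severity alone would have dropped the kernel finding that has a known exploit.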

Amazon Inspector initial scan complete event schema example

The following is an example of the EventBridge event schema for an Amazon Inspector initial scan complete event. Amazon Inspector creates this event when it finishes the initial scan of one of your resources.

The following fields identify an initial scan complete event:

  • The detail-type field is set to Inspector2 Scan.

  • The detail object contains a finding-severity-counts object, which gives the number of findings in each applicable severity category, such as CRITICAL, HIGH, and MEDIUM.

Choose from the options to view the initial scan event schemas for the different resource types.

Amazon EC2 instance initial scan
{
  "version": "0",
  "id": "28a46762-6ac8-6cc4-4f55-bc9ab99af928",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T22:52:35Z",
  "region": "us-east-1",
  "resources": ["i-087d63509b8c97098"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "instance-id": "i-087d63509b8c97098",
    "version": "1.0"
  }
}
Amazon ECR image initial scan
{
  "version": "0",
  "id": "fdaa751a-984c-a709-44f9-9a9da9cd3606",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T23:15:18Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ecr:us-east-1:111122223333:repository/inspector2"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "repository-name": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "image-digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea",
    "image-tags": ["ubuntu22"],
    "version": "1.0"
  }
}
Lambda function initial scan
{
  "version": "0",
  "id": "4f290a7c-361b-c442-03c8-a629f6f20d6c",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-02-23T18:06:03Z",
  "region": "us-west-2",
  "resources": ["arn:aws:lambda:us-west-2:111122223333:function:lambda-example:$LATEST"],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 },
    "version": "1.0"
  }
}

Amazon Inspector coverage event schema example

The following is an example of the EventBridge event schema for an Amazon Inspector coverage event. Amazon Inspector creates this event when the scan coverage of a resource changes. The following fields identify a coverage event:

  • The detail-type field is set to Inspector2 Coverage.

  • The detail object contains a scanStatus object that indicates the new scan status of the resource.

{
  "version": "0",
  "id": "000adda5-0fbf-913e-bc0e-10f0376412aa",
  "detail-type": "Inspector2 Coverage",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-20T22:51:39Z",
  "region": "us-east-1",
  "resources": ["i-087d63509b8c97098"],
  "detail": {
    "scanStatus": {
      "reason": "UNMANAGED_EC2_INSTANCE",
      "statusCodeValue": "INACTIVE"
    },
    "scanType": "PACKAGE",
    "eventTimestamp": "2023-01-20T22:51:35.665501Z",
    "version": "1.0"
  }
}
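The three event types on this page share the envelope shown in the basic schema and differ only in detail-type and in the shape of detail. A single consumer (for example the Lambda function behind an EventBridge rule) can therefore validate the envelope once and then dispatch on detail-type. The following Python is an added example, not code from the AWS documentation or the Amazon Inspector service: it checks the envelope, rejects events that are not from aws.inspector2, and reduces each of the three event types to a flat alert record. The sample events are constructed (trimmed from the scan, coverage and network reachability examples on this page, with the scan counts changed to non-zero values), and the alert record layout and the "actionable" rule are ours.

```python
"""Validate the common envelope and dispatch on detail-type for Inspector events.

Added example. The envelope check uses the fields of the basic schema on this
page; the alert record and the "actionable" rule are example policy, not AWS's.
"""
from __future__ import annotations

INSPECTOR_SOURCE = "aws.inspector2"
KNOWN_TYPES = {"Inspector2 Finding", "Inspector2 Scan", "Inspector2 Coverage"}
ENVELOPE_FIELDS = ("version", "detail-type", "source", "account", "time", "region",
                   "resources", "detail")

# Constructed samples (trimmed; scan counts altered so the example has something to act on).
SCAN_EVENT = {
    "version": "0", "detail-type": "Inspector2 Scan", "source": "aws.inspector2",
    "account": "111122223333", "time": "2023-01-20T22:52:35Z", "region": "us-east-1",
    "resources": ["i-087d63509b8c97098"],
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 0, "TOTAL": 3},
        "instance-id": "i-087d63509b8c97098", "version": "1.0",
    },
}
COVERAGE_EVENT = {
    "version": "0", "detail-type": "Inspector2 Coverage", "source": "aws.inspector2",
    "account": "111122223333", "time": "2023-01-20T22:51:39Z", "region": "us-east-1",
    "resources": ["i-087d63509b8c97098"],
    "detail": {
        "scanStatus": {"reason": "UNMANAGED_EC2_INSTANCE", "statusCodeValue": "INACTIVE"},
        "scanType": "PACKAGE", "eventTimestamp": "2023-01-20T22:51:35.665501Z", "version": "1.0",
    },
}
FINDING_EVENT = {
    "version": "0", "detail-type": "Inspector2 Finding", "source": "aws.inspector2",
    "account": "111122223333", "time": "2023-01-20T09:17:57Z", "region": "us-east-1",
    "resources": ["i-0a96278c2206a8e4b"],
    "detail": {
        "severity": "MEDIUM", "status": "ACTIVE", "type": "NETWORK_REACHABILITY",
        "title": "Port 22 is reachable from an Internet Gateway",
        "networkReachabilityDetails": {"openPortRange": {"begin": 22, "end": 22}, "protocol": "TCP"},
    },
}


def validate_envelope(event: dict) -> None:
    """Raise ValueError for anything that is not a well-formed Inspector event."""
    for key in ENVELOPE_FIELDS:
        if key not in event:
            raise ValueError(f"missing envelope field: {key}")
    if event["source"] != INSPECTOR_SOURCE:
        raise ValueError(f"unexpected source: {event['source']}")
    if event["detail-type"] not in KNOWN_TYPES:
        raise ValueError(f"unexpected detail-type: {event['detail-type']}")


def is_inspector_event(event: dict) -> bool:
    """Boolean form of validate_envelope, for callers that filter rather than fail."""
    try:
        validate_envelope(event)
        return True
    except ValueError:
        return False


def handle(event: dict) -> dict:
    """Reduce one event to a flat alert record; 'actionable' marks what deserves a human."""
    validate_envelope(event)
    detail = event["detail"]
    base = {"account": event["account"], "region": event["region"],
            "resources": list(event["resources"]), "kind": event["detail-type"]}
    if event["detail-type"] == "Inspector2 Scan":
        counts = detail.get("finding-severity-counts", {})
        urgent = counts.get("CRITICAL", 0) + counts.get("HIGH", 0)
        return {**base, "status": detail.get("scan-status"),
                "total": counts.get("TOTAL", 0), "urgent": urgent, "actionable": urgent > 0}
    if event["detail-type"] == "Inspector2 Coverage":
        status = detail.get("scanStatus", {})
        # A resource dropping to INACTIVE is a visibility gap, not a clean bill of health.
        return {**base, "scanType": detail.get("scanType"),
                "status": status.get("statusCodeValue"), "reason": status.get("reason"),
                "actionable": status.get("statusCodeValue") == "INACTIVE"}
    # Inspector2 Finding: detail is one finding object, so its fields are read directly.
    return {**base, "type": detail.get("type"), "severity": detail.get("severity"),
            "title": detail.get("title"),
            "actionable": detail.get("status") == "ACTIVE"
            and detail.get("severity") in ("HIGH", "CRITICAL")}


if __name__ == "__main__":
    for ev in (SCAN_EVENT, COVERAGE_EVENT, FINDING_EVENT):
        print(handle(ev))
```

The coverage branch is the one most often forgotten: an INACTIVE status with reason UNMANAGED_EC2_INSTANCE means the instance is no longer being scanned at all, so it should raise an operations ticket rather than be ignored as "no findings".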