Integrating Amazon Inspector with Amazon Security Hub - Amazon Inspector

This page was machine translated. If the translated content differs from the English original, the English original takes precedence.

Integrating Amazon Inspector with Amazon Security Hub

Security Hub gives you a comprehensive view of your security state in Amazon and helps you check your environment against security industry standards and best practices. Security Hub collects security data from Amazon accounts, services, and other supported products. You can use this information to analyze security trends and identify the highest-priority security issues.

The integration between Amazon Inspector and Security Hub lets you send findings from Amazon Inspector to Security Hub. Security Hub can then include those findings in its analysis of your security posture.

In Amazon Security Hub, security issues are tracked as findings. Some findings come from issues detected by other Amazon services or by third-party products. Security Hub also has its own set of rules for detecting security issues and generating findings. Security Hub provides tools to manage findings from all of these sources. You can view and filter lists of findings and view the details of a finding. For more information about findings in Security Hub, see Viewing findings in the Amazon Security Hub User Guide. You can also track the investigation status of a finding; see Taking action on findings in the Amazon Security Hub User Guide.

All findings in Security Hub use a standard JSON format, the Amazon Security Finding Format (ASFF). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. See Amazon Security Finding Format (ASFF) in the Amazon Security Hub User Guide.

After an Amazon Inspector finding is resolved and closed in Amazon Inspector, Security Hub archives that finding.

Viewing Amazon Inspector findings in Amazon Security Hub

Findings from both Amazon Inspector Classic and the new Amazon Inspector appear in the same panel in Security Hub. To see only findings from the new Amazon Inspector, add "aws/inspector/ProductVersion": "2" in the filter bar. Adding this filter excludes Amazon Inspector Classic findings from the Security Hub dashboard.

Example Amazon Inspector finding

{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:inspector2:us-east-1:123456789012:finding/FINDING_ID",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
  "ProductName": "Inspector",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "AWSInspector",
  "AwsAccountId": "123456789012",
  "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
  "FirstObservedAt": "2023-01-31T20:25:38Z",
  "LastObservedAt": "2023-05-04T18:18:43Z",
  "CreatedAt": "2023-01-31T20:25:38Z",
  "UpdatedAt": "2023-05-04T18:18:43Z",
  "Severity": { "Label": "HIGH", "Normalized": 70 },
  "Title": "CVE-2022-34918 - kernel",
  "Description": "An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.",
  "Remediation": {
    "Recommendation": {
      "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above. For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON."
    }
  },
  "ProductFields": {
    "aws/inspector/FindingStatus": "ACTIVE",
    "aws/inspector/inspectorScore": "7.8",
    "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "AMAZON_LINUX_2",
    "aws/inspector/ProductVersion": "2",
    "aws/inspector/instanceId": "i-0f1ed287081bdf0fb",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector2:us-east-1:123456789012:finding/FINDING_ID",
    "aws/securityhub/ProductName": "Inspector",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "arn:aws:ec2:us-east-1:123456789012:i-0f1ed287081bdf0fb",
      "Partition": "aws",
      "Region": "us-east-1",
      "Tags": { "Patch Group": "SSM", "Name": "High-SEv-Test" },
      "Details": {
        "AwsEc2Instance": {
          "Type": "t2.micro",
          "ImageId": "ami-0cff7528ff583bf9a",
          "IpV4Addresses": ["52.87.229.97", "172.31.57.162"],
          "KeyName": "ACloudGuru",
          "IamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
          "VpcId": "vpc-a0c2d7c7",
          "SubnetId": "subnet-9c934cb1",
          "LaunchedAt": "2022-07-26T21:49:46Z"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "Vulnerabilities": [
    {
      "Id": "CVE-2022-34918",
      "VulnerablePackages": [
        {
          "Name": "kernel",
          "Version": "5.10.118",
          "Epoch": "0",
          "Release": "111.515.amzn2",
          "Architecture": "X86_64",
          "PackageManager": "OS",
          "FixedInVersion": "0:5.10.130-118.517.amzn2",
          "Remediation": "yum update kernel"
        }
      ],
      "Cvss": [
        { "Version": "2.0", "BaseScore": 7.2, "BaseVector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "Source": "NVD" },
        { "Version": "3.1", "BaseScore": 7.8, "BaseVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "Source": "NVD" },
        { "Version": "3.1", "BaseScore": 7.8, "BaseVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "Source": "NVD", "Adjustments": [] }
      ],
      "Vendor": {
        "Name": "NVD",
        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34918",
        "VendorSeverity": "HIGH",
        "VendorCreatedAt": "2022-07-04T21:15:00Z",
        "VendorUpdatedAt": "2022-10-26T17:05:00Z"
      },
      "ReferenceUrls": [
        "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6",
        "https://lore.kernel.org/netfilter-devel/cd9428b6-7ffb-dd22-d949-d86f4869f452@randorisec.fr/T/",
        "https://www.debian.org/security/2022/dsa-5191"
      ],
      "FixAvailable": "YES"
    }
  ],
  "FindingProviderFields": {
    "Severity": { "Label": "HIGH" },
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"]
  },
  "ProcessedAt": "2023-05-05T20:28:38.822Z"
}
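The following is an added example, not code from the AWS documentation: it applies the same ProductVersion "2" filter programmatically and flattens the Vulnerabilities section of an ASFF finding into one triage row per vulnerable package, so a responder can see CVE, host, fixed version and remediation command at a glance. It assumes only the ASFF keys visible in the example finding above; inspector_v2_filter returns the filter shape accepted by the Security Hub GetFindings API (boto3 securityhub.get_findings(Filters=...)), and the sample findings are constructed, abbreviated copies.

```python
import json

# Same condition as the console filter bar, in the shape GetFindings accepts
# (boto3: securityhub.get_findings(Filters=inspector_v2_filter())).
def inspector_v2_filter(record_state="ACTIVE"):
    return {
        "ProductName": [{"Value": "Inspector", "Comparison": "EQUALS"}],
        "ProductFields": [{"Key": "aws/inspector/ProductVersion", "Value": "2",
                           "Comparison": "EQUALS"}],
        "RecordState": [{"Value": record_state, "Comparison": "EQUALS"}],
    }

def is_inspector_v2(finding):
    """Offline equivalent of the filter for findings already exported as ASFF JSON."""
    pf = finding.get("ProductFields", {})
    return finding.get("ProductName") == "Inspector" and pf.get("aws/inspector/ProductVersion") == "2"

def triage(finding):
    """One row per (CVE, vulnerable package) with the fields needed to act on it."""
    pf = finding.get("ProductFields", {})
    rows = []
    for vuln in finding.get("Vulnerabilities", []):
        for pkg in vuln.get("VulnerablePackages", []):
            rows.append({
                "cve": vuln["Id"],
                "severity": finding.get("Severity", {}).get("Label"),
                "instance": pf.get("aws/inspector/instanceId"),
                "package": f'{pkg["Name"]}-{pkg["Version"]}-{pkg["Release"]}',
                "fixed_in": pkg.get("FixedInVersion"),
                "fix_available": vuln.get("FixAvailable"),
                "remediation": pkg.get("Remediation"),
            })
    return rows

def select_and_triage(findings):
    return [row for f in findings if is_inspector_v2(f) for row in triage(f)]

# Constructed samples: an abbreviated copy of the example finding above, plus a
# constructed Classic-style finding that carries no ProductVersion key.
SAMPLE = [
    {"ProductName": "Inspector", "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE",
     "ProductFields": {"aws/inspector/ProductVersion": "2",
                       "aws/inspector/instanceId": "i-0f1ed287081bdf0fb"},
     "Vulnerabilities": [{"Id": "CVE-2022-34918", "FixAvailable": "YES",
                          "VulnerablePackages": [{"Name": "kernel", "Version": "5.10.118",
                                                  "Release": "111.515.amzn2",
                                                  "FixedInVersion": "0:5.10.130-118.517.amzn2",
                                                  "Remediation": "yum update kernel"}]}]},
    {"ProductName": "Inspector", "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE",
     "ProductFields": {"aws/inspector/FindingStatus": "ACTIVE"}, "Vulnerabilities": []},
]

if __name__ == "__main__":
    print(json.dumps(select_and_triage(SAMPLE), indent=2))
```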

Activating and configuring the integration

To use the integration between Amazon Inspector and Amazon Security Hub, you must activate Security Hub. For information about how to activate Security Hub, see Setting up Security Hub in the Amazon Security Hub User Guide.

When both Amazon Inspector and Security Hub are activated, the integration is activated automatically and Amazon Inspector begins sending findings to Security Hub. Amazon Inspector sends every finding it generates to Security Hub using the Amazon Security Finding Format (ASFF).

Stopping the publication of findings to Amazon Security Hub

How to stop sending findings

To stop sending findings to Security Hub, you can use either the Security Hub console or the Security Hub API.

See Disabling and enabling the flow of findings from an integration (console) and Disabling the flow of findings from an integration (Security Hub API, Amazon CLI) in the Amazon Security Hub User Guide.