How to run an audit - AWS IoT
The AWS services or features described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS Services in China.

How to run an audit

  1. Configure audit settings for your account. Use UpdateAccountAuditConfiguration to enable the checks you want available for audits, set optional notifications, and configure permissions.

    For some checks, AWS IoT starts collecting data as soon as the check is enabled.

  2. Create one or more scheduled audits. Use CreateScheduledAudit to specify which checks to run during an audit and how often those audits should run.

    Alternatively, you can run an on-demand audit whenever necessary. Use StartOnDemandAuditTask to specify the checks to run and start the audit immediately. (If you recently enabled a check that is included in the on-demand audit, you might need to wait a while before results are available.)

  3. You can view audit results in the AWS IoT console.

    Alternatively, you can use ListAuditFindings to view audit results. With this command you can filter results by check type, by a specific resource, or by audit time, and use that information to remediate any issues found.

  4. You can apply mitigation actions defined in your AWS account to any non-compliant findings. For more information, see Apply mitigation actions.

Notifications

When an audit completes, an SNS notification is sent with a summary of the results of each audit check that ran, including the number of non-compliant resources found. To configure this, use the auditNotificationTargetConfigurations field in the input of the UpdateAccountAuditConfiguration command. The SNS notification has the following payload:

```json
{
  "accountId": "123456789012",
  "taskId": "4e2bcd1ccbc2a5dd15292a82ab80c380",
  "taskStatus": "FAILED|CANCELED|COMPLETED",
  "taskType": "ON_DEMAND_AUDIT_TASK|SCHEDULED_AUDIT_TASK",
  "scheduledAuditName": "myWeeklyAudit",
  "failedChecksCount": 0,
  "canceledChecksCount": 0,
  "nonCompliantChecksCount": 1,
  "compliantChecksCount": 0,
  "totalChecksCount": 1,
  "taskStartTime": 1524740766191,
  "auditDetails": [
    {
      "checkName": "DEVICE_CERT_APPROACHING_EXPIRATION_CHECK | REVOKED_DEVICE_CERT_CHECK | CA_CERT_APPROACHING_EXPIRATION_CHECK | REVOKED_CA_CERT_CHECK | DEVICE_CERTIFICATE_SHARED_CHECK | IOT_POLICY_UNRESTRICTED_CHECK | UNAUTHENTICATED_COGNITO_IDENTITY_UNRESTRICTED_ACCESS_CHECK | AUTHENTICATED_COGNITO_IDENTITY_UNRESTRICTED_ACCESS_CHECK | CONFLICTING_CLIENT_IDS_CHECK | LOGGING_DISABLED_CHECK",
      "checkRunStatus": "FAILED | CANCELED | COMPLETED_COMPLIANT | COMPLETED_NON_COMPLIANT",
      "nonCompliantResourcesCount": 1,
      "totalResourcesCount": 1,
      "message": "optional message if an error occurred",
      "errorCode": "INSUFFICIENT_PERMISSIONS|AUDIT_CHECK_DISABLED"
    }
  ]
}
```

The JSON schema for the notification:

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "arn:aws:iot:::schema:auditnotification/1.0",
  "type": "object",
  "properties": {
    "accountId": { "type": "string" },
    "taskId": { "type": "string" },
    "taskStatus": { "type": "string", "enum": [ "FAILED", "CANCELED", "COMPLETED" ] },
    "taskType": { "type": "string", "enum": [ "SCHEDULED_AUDIT_TASK", "ON_DEMAND_AUDIT_TASK" ] },
    "scheduledAuditName": { "type": "string" },
    "failedChecksCount": { "type": "integer" },
    "canceledChecksCount": { "type": "integer" },
    "nonCompliantChecksCount": { "type": "integer" },
    "compliantChecksCount": { "type": "integer" },
    "totalChecksCount": { "type": "integer" },
    "taskStartTime": { "type": "integer" },
    "auditDetails": {
      "type": "array",
      "items": [
        {
          "type": "object",
          "properties": {
            "checkName": {
              "type": "string",
              "enum": [
                "DEVICE_CERT_APPROACHING_EXPIRATION_CHECK",
                "REVOKED_DEVICE_CERT_CHECK",
                "CA_CERT_APPROACHING_EXPIRATION_CHECK",
                "REVOKED_CA_CERT_CHECK",
                "LOGGING_DISABLED_CHECK"
              ]
            },
            "checkRunStatus": {
              "type": "string",
              "enum": [ "FAILED", "CANCELED", "COMPLETED_COMPLIANT", "COMPLETED_NON_COMPLIANT" ]
            },
            "nonCompliantResourcesCount": { "type": "integer" },
            "totalResourcesCount": { "type": "integer" },
            "message": { "type": "string" },
            "errorCode": { "type": "string", "enum": [ "INSUFFICIENT_PERMISSIONS", "AUDIT_CHECK_DISABLED" ] }
          },
          "required": [ "checkName", "checkRunStatus", "nonCompliantResourcesCount", "totalResourcesCount" ]
        }
      ]
    }
  },
  "required": [ "accountId", "taskId", "taskStatus", "taskType", "failedChecksCount", "canceledChecksCount", "nonCompliantChecksCount", "compliantChecksCount", "totalChecksCount", "taskStartTime", "auditDetails" ]
}
```

You can also view the notifications in the AWS IoT console, along with device information, device statistics (for example, last connection time, number of active connections, data transfer rate), and device alert history.
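As an added example (not from the AWS documentation), a Lambda handler that receives the notification above from an SNS event, validates the required fields and enum values the schema defines, and separates checks that need remediation from checks that never ran. The sample message is constructed; the Lambda entry point name and the error message text are assumptions.

```python
import json

# Required fields and enum values come from the notification schema shown above.
REQUIRED_TOP = ("accountId", "taskId", "taskStatus", "taskType", "failedChecksCount",
                "canceledChecksCount", "nonCompliantChecksCount", "compliantChecksCount",
                "totalChecksCount", "taskStartTime", "auditDetails")
REQUIRED_DETAIL = ("checkName", "checkRunStatus",
                   "nonCompliantResourcesCount", "totalResourcesCount")
TASK_STATUSES = {"FAILED", "CANCELED", "COMPLETED"}
CHECK_RUN_STATUSES = {"FAILED", "CANCELED", "COMPLETED_COMPLIANT", "COMPLETED_NON_COMPLIANT"}

# Constructed sample of the JSON string SNS delivers in Records[].Sns.Message:
# one non-compliant check, one compliant check, and one check that could not run.
SAMPLE_MESSAGE = json.dumps({
    "accountId": "123456789012", "taskId": "4e2bcd1ccbc2a5dd15292a82ab80c380",
    "taskStatus": "COMPLETED", "taskType": "SCHEDULED_AUDIT_TASK",
    "scheduledAuditName": "myWeeklyAudit", "failedChecksCount": 1,
    "canceledChecksCount": 0, "nonCompliantChecksCount": 1, "compliantChecksCount": 1,
    "totalChecksCount": 3, "taskStartTime": 1524740766191,
    "auditDetails": [
        {"checkName": "REVOKED_DEVICE_CERT_CHECK", "checkRunStatus": "COMPLETED_NON_COMPLIANT",
         "nonCompliantResourcesCount": 2, "totalResourcesCount": 40},
        {"checkName": "LOGGING_DISABLED_CHECK", "checkRunStatus": "COMPLETED_COMPLIANT",
         "nonCompliantResourcesCount": 0, "totalResourcesCount": 1},
        {"checkName": "IOT_POLICY_UNRESTRICTED_CHECK", "checkRunStatus": "FAILED",
         "nonCompliantResourcesCount": 0, "totalResourcesCount": 0,
         "errorCode": "INSUFFICIENT_PERMISSIONS", "message": "audit role lacks iot:GetPolicy"},
    ],
})

def triage_audit_notification(message: str) -> dict:
    """Validate the payload's required fields and enums, then separate checks that
    need remediation from checks that never ran (a FAILED check is not a pass)."""
    n = json.loads(message)
    missing = [k for k in REQUIRED_TOP if k not in n]
    if missing or n["taskStatus"] not in TASK_STATUSES:
        raise ValueError(f"malformed audit notification, missing fields: {missing}")
    non_compliant, errored = [], []
    for d in n["auditDetails"]:
        if any(k not in d for k in REQUIRED_DETAIL) or d["checkRunStatus"] not in CHECK_RUN_STATUSES:
            raise ValueError(f"malformed auditDetails entry: {d}")
        if d["checkRunStatus"] == "COMPLETED_NON_COMPLIANT":
            non_compliant.append((d["checkName"], d["nonCompliantResourcesCount"]))
        elif d["checkRunStatus"] == "FAILED":
            errored.append((d["checkName"], d.get("errorCode", "UNKNOWN")))
    return {"taskId": n["taskId"], "non_compliant": non_compliant, "errored": errored}

def lambda_handler(event, context=None):
    """Entry point for a Lambda function subscribed to the audit SNS topic."""
    return [triage_audit_notification(r["Sns"]["Message"]) for r in event["Records"]]
```

A check reported as FAILED with INSUFFICIENT_PERMISSIONS means the audit role's permissions policy (see below) is incomplete, so the result is not evidence of compliance.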

Permissions

This section describes how to set up the IAM roles and policies required to create, run, and manage AWS IoT Device Defender audits. For more information, see the AWS Identity and Access Management User Guide.

Grant AWS IoT Device Defender permission to collect data to run an audit

When you call UpdateAccountAuditConfiguration, you must specify an IAM role with two policies: a permissions policy and a trust policy. The permissions policy grants AWS IoT Device Defender permission to access data in your account through AWS IoT when running an audit. The trust policy grants AWS IoT Device Defender permission to assume the required role.

Permissions policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:GetLoggingOptions",
        "iot:GetV2LoggingOptions",
        "iot:ListCACertificates",
        "iot:ListCertificates",
        "iot:DescribeCACertificate",
        "iot:DescribeCertificate",
        "iot:ListPolicies",
        "iot:GetPolicy",
        "iot:GetEffectivePolicies",
        "iot:ListRoleAliases",
        "iot:DescribeRoleAlias",
        "cognito-identity:GetIdentityPoolRoles",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRolePolicy",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:GetServiceLastAccessedDetails"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```

Trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "iot.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Grant AWS IoT Device Defender permission to publish notifications to an SNS topic

If you use the auditNotificationTargetConfigurations parameter in UpdateAccountAuditConfiguration, you must specify an IAM role with two policies: a permissions policy and a trust policy. The permissions policy grants AWS IoT Device Defender permission to publish notifications to your SNS topic. The trust policy grants AWS IoT Device Defender permission to assume the required role.

Permissions policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sns:Publish" ],
      "Resource": [ "arn:aws:sns:region:account-id:your-topic-name" ]
    }
  ]
}
```

Trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "iot.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Grant IAM users or groups permission to run AWS IoT Device Defender audit commands

To allow IAM users or groups to manage, run, or view AWS IoT Device Defender results, you must create and assign roles with attached policies that grant those roles permission to run the appropriate commands. The content of each policy depends on which commands you want the users or groups to run.

  • UpdateAccountAuditConfiguration

The IAM role must be created, and the policy attached, in the same account in which the command is run. Cross-account access is not allowed. The policy should include the iam:PassRole permission (used to pass that role).

In the following policy template, audit-permissions-role-arn is the ARN of the role you pass to AWS IoT Device Defender with the roleArn parameter in the UpdateAccountAuditConfiguration request. audit-notifications-permissions-role-arn is the ARN of the role you pass to AWS IoT Device Defender with the auditNotificationTargetConfigurations parameter in the UpdateAccountAuditConfiguration request.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:UpdateAccountAuditConfiguration" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [
        "arn:aws:iam::account-id:role/audit-permissions-role-arn",
        "arn:aws:iam::account-id:role/audit-notifications-permissions-role-arn"
      ]
    }
  ]
}
```

  • DescribeAccountAuditConfiguration

  • DeleteAccountAuditConfiguration

  • StartOnDemandAuditTask

  • CancelAuditTask

  • DescribeAuditTask

  • ListAuditTasks

  • ListScheduledAudits

  • ListAuditFindings

All of these commands require a * in the Resource field of the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:DescribeAccountAuditConfiguration",
        "iot:DeleteAccountAuditConfiguration",
        "iot:StartOnDemandAuditTask",
        "iot:CancelAuditTask",
        "iot:DescribeAuditTask",
        "iot:ListAuditTasks",
        "iot:ListScheduledAudits",
        "iot:ListAuditFindings"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```

  • CreateScheduledAudit

  • UpdateScheduledAudit

  • DeleteScheduledAudit

  • DescribeScheduledAudit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:CreateScheduledAudit",
        "iot:UpdateScheduledAudit",
        "iot:DeleteScheduledAudit",
        "iot:DescribeScheduledAudit"
      ],
      "Resource": [ "arn:aws:iot:region:account-id:scheduledaudit/scheduled-audit-name" ]
    }
  ]
}
```

The AWS IoT Device Defender scheduled audit role ARN has the following format:

```
arn:aws:iot:region:account-id:scheduledaudit/scheduled-audit-name
```
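Added example, not part of the AWS documentation: a small linter that checks the policies in this section against the rules the page states (only the iot.amazonaws.com service principal may assume the audit roles; iam:PassRole, sns:Publish and the scheduled-audit actions are scoped to specific ARNs; the passed roles live in the account running the command). The sample policies are constructed and the account ID is a placeholder.

```python
# Actions this page shows scoped to a specific ARN; granting them on "*" over-grants.
SCOPED_ACTIONS = {
    "iam:PassRole": "arn:aws:iam::",
    "sns:Publish": "arn:aws:sns:",
    "iot:CreateScheduledAudit": "arn:aws:iot:",
    "iot:UpdateScheduledAudit": "arn:aws:iot:",
    "iot:DeleteScheduledAudit": "arn:aws:iot:",
    "iot:DescribeScheduledAudit": "arn:aws:iot:",
}

def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal.Service."""
    return value if isinstance(value, list) else [value]

def lint_audit_policy(policy: dict, account_id: str) -> list:
    """Return findings for one IAM policy; an empty list means it matches this page's guidance."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        # Trust policy: only the AWS IoT service principal may assume the audit roles.
        if "sts:AssumeRole" in actions:
            principal = st.get("Principal", {})
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
            if services != ["iot.amazonaws.com"]:
                findings.append(f"trust policy principal must be iot.amazonaws.com, got {services}")
        for action in actions:
            prefix = SCOPED_ACTIONS.get(action)
            if prefix is None:
                continue
            for res in _as_list(st.get("Resource", [])):
                if res == "*" or not res.startswith(prefix):
                    findings.append(f"{action} granted on {res!r}; scope it to a specific ARN")
                elif action == "iam:PassRole" and f":{account_id}:" not in res:
                    findings.append(f"{action} passes a role outside account {account_id} (cross-account access is not allowed): {res}")
    return findings

# Constructed samples: the trust policy from this page, and the UpdateAccountAuditConfiguration
# user policy once with its PassRole resource widened to "*" and once scoped as the page shows.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
    "Principal": {"Service": "iot.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
WEAK_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:UpdateAccountAuditConfiguration"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["*"]}]}
GOOD_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:UpdateAccountAuditConfiguration"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [
        "arn:aws:iam::123456789012:role/audit-permissions-role-arn",
        "arn:aws:iam::123456789012:role/audit-notifications-permissions-role-arn"]}]}
```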