使用 Amazon Simple Notification Service 订阅 Security Hub 公告 - Amazon Security Hub
Amazon SNS 消息格式
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 Amazon Simple Notification Service 订阅 Security Hub 公告

本节提供有关通过 Amazon Simple Notification Service (Amazon SNS)订阅Amazon Security Hub 公告以接收 Security Hub 通知的信息。

订阅后,您将收到有关以下事件的通知(请注意每个事件相应的 AnnouncementType):

  • GENERAL:有关 Security Hub 服务的常规通知。

  • UPCOMING_STANDARDS_CONTROLS:特定的 Security Hub 控件或标准将很快发布。此类公告可帮助您在发布之前准备响应和补救工作流程。

  • NEW_REGIONS:新 Amazon Web Services 区域 中提供了对 Security Hub 的支持。

  • NEW_STANDARDS_CONTROLS:添加了新的 Security Hub 控件或标准。

  • UPDATED_STANDARDS_CONTROLS:现有的 Security Hub 控件或标准已更新。

  • RETIRED_STANDARDS_CONTROLS:现有的 Security Hub 控件或标准已停用。

  • UPDATED_ASFF:Amazon 安全调查发现格式 (ASFF) 语法、字段或值已更新。

  • NEW_INTEGRATION:提供了与其他Amazon服务或第三方产品的新集成。

  • NEW_FEATURE:新的 Security Hub 功能可用。

  • UPDATED_FEATURE:现有的 Security Hub 功能已更新。

通知以 Amazon SNS 支持的所有格式提供。您可以在 Security Hub 可用的所有 Amazon Web Services 区域 中订阅 Security Hub 公告。

用户必须拥有 Subscribe 权限才能订阅 Amazon SNS 主题。您可以通过 Amazon SNS 策略、IAM policy 或两者来实现这一目标。有关更多信息,请参阅 Amazon Simple Notification Service 开发者指南中的 IAM 和 Amazon SNS 策略

注意

Security Hub 会向任何 Amazon Web Services 账户 订阅者发送有关 Security Hub 服务更新的 Amazon SNS 公告。要接收有关 Security Hub 调查发现的通知,请参阅 管理和查看查找结果的详细信息和历史记录

您可以为 Amazon SNS 主题订阅 Amazon Simple Queue Service (Amazon SQS) 队列,但必须使用同一区域内的 Amazon SNS 主题 Amazon 资源名称(ARN)。有关更多信息,请参阅 Amazon Simple Queue Service 开发人员指南中的教程:为 Amazon SQS 队列订阅 Amazon SNS 主题

您也可以使用 Amazon Lambda 函数在收到通知时调用事件。有关更多信息,包括示例函数代码,请参阅《Amazon Lambda 开发者指南》中的教程:一起使用 Amazon Lambda 与 Amazon Simple Notification Service。

每个区域的 Amazon SNS 主题 ARN 如下所示。

Amazon Web Services 区域 Amazon SNS 主题 ARN
美国东部(俄亥俄) arn:aws:sns:us-east-2:291342846459:SecurityHubAnnouncements
美国东部(弗吉尼亚州北部) arn:aws:sns:us-east-1:088139225913:SecurityHubAnnouncements
美国西部(北加利福尼亚) arn:aws:sns:us-west-1:137690824926:SecurityHubAnnouncements
美国西部(俄勒冈州) arn:aws:sns:us-west-2:393883065485:SecurityHubAnnouncements
非洲(开普敦) arn:aws:sns:af-south-1:463142546776:SecurityHubAnnouncements
亚太地区(香港) arn:aws:sns:ap-east-1:464812404305:SecurityHubAnnouncements
亚太地区(海得拉巴) arn:aws:sns:ap-south-2:849907286123:SecurityHubAnnouncements
亚太地区(雅加达) arn:aws:sns:ap-southeast-3:627843640627:SecurityHubAnnouncements
Asia Pacific (Mumbai) arn:aws:sns:ap-south-1:707356269775:SecurityHubAnnouncements
亚太地区(大阪) arn:aws:sns:ap-northeast-3:633550238216:SecurityHubAnnouncements
亚太地区(首尔) arn:aws:sns:ap-northeast-2:374299265323:SecurityHubAnnouncements
亚太地区(新加坡) arn:aws:sns:ap-southeast-1:512267288502:SecurityHubAnnouncements
亚太地区(悉尼) arn:aws:sns:ap-southeast-2:475730049140:SecurityHubAnnouncements
亚太地区(东京) arn:aws:sns:ap-northeast-1:592469075483:SecurityHubAnnouncements
加拿大(中部) arn:aws:sns:ca-central-1:137749997395:SecurityHubAnnouncements
中国(北京) arn:aws-cn:sns:cn-north-1:672341567257:SecurityHubAnnouncements
中国(宁夏) arn:aws-cn:sns:cn-northwest-1:672534482217:SecurityHubAnnouncements
欧洲地区(法兰克福) arn:aws:sns:eu-central-1:871975303681:SecurityHubAnnouncements
欧洲地区(爱尔兰) arn:aws:sns:eu-west-1:705756202095:SecurityHubAnnouncements
欧洲地区(伦敦) arn:aws:sns:eu-west-2:883600840440:SecurityHubAnnouncements
欧洲地区(米兰) arn:aws:sns:eu-south-1:151363035580:SecurityHubAnnouncements
欧洲地区(巴黎) arn:aws:sns:eu-west-3:313420042571:SecurityHubAnnouncements
欧洲(西班牙) arn:aws:sns:eu-south-2:777487947751:SecurityHubAnnouncements
欧洲地区(斯德哥尔摩) arn:aws:sns:eu-north-1:191971010772:SecurityHubAnnouncements
欧洲(苏黎世) arn:aws:sns:eu-central-2:704347005078:SecurityHubAnnouncements
以色列(特拉维夫) arn:aws:sns:il-central-1:726652212146:SecurityHubAnnouncements
中东(巴林) arn:aws:sns:me-south-1:585146626860:SecurityHubAnnouncements
中东(阿联酋) arn:aws:sns:me-central-1:431548502100:SecurityHubAnnouncements
南美洲(圣保罗) arn:aws:sns:sa-east-1:359811883282:SecurityHubAnnouncements
Amazon GovCloud(美国东部) arn:aws-us-gov:sns:us-gov-east-1:239368469855:SecurityHubAnnouncements
Amazon GovCloud(美国西部) arn:aws-us-gov:sns:us-gov-west-1:239334163374:SecurityHubAnnouncements

分区内各区域的消息通常相同,因此您可以订阅每个分区中的一个区域,以接收影响该分区中所有区域的公告。与成员账户关联的公告不会复制到管理员账户中。因此,每个账户(包括管理员账户)将只有一份每份公告的副本。您可以决定要使用哪个账户来订阅 Security Hub 公告。

有关订阅 Security Hub 公告的费用信息,请参阅 Amazon SNS 定价。

订阅 Security Hub 公告(控制台)

  1. 通过 https://console.aws.amazon.com/sns/v3/home 打开 Amazon SNS 控制台。

  2. 在“区域”列表中,选择要在其中订阅 Security Hub 公告的区域。此示例使用us-west-2区域。

  3. 在导航窗格中,选择订阅,然后选择创建订阅

  4. 主题 ARN 框中,输入主题 ARN。例如,arn:aws:sns:us-west-2:393883065485:SecurityHubAnnouncements

  5. 协议中,选择您希望如何接收 Security Hub 公告。如果您选择电子邮件,请在端点中输入要用于接收公告的电子邮件地址。

  6. 选择创建订阅

  7. 确认订阅。例如,如果您选择电子邮件协议,Amazon SNS 会向您提供的电子邮件发送一条订阅确认消息。

订阅 Security Hub 公告(Amazon CLI)

  1. 运行以下命令:

     aws  sns --region us-west-2 subscribe --topic-arn arn:aws:sns:us-west-2:393883065485:SecurityHubAnnouncements --protocol email --notification-endpoint your_email@your_domain.com

  2. 确认订阅。例如,如果您选择电子邮件协议,Amazon SNS 会向您提供的电子邮件发送一条订阅确认消息。

Amazon SNS 消息格式

以下示例显示了 Amazon SNS 发布的关于引入新安全控制措施的 Security Hub 公告。消息内容因公告类型而异,但所有公告类型的格式都相同。可选择包含一个 Link 字段,提供有关公告的详细信息。

示例:Security Hub 关于新控件的公告(电子邮件协议)

{
"AnnouncementType":"NEW_STANDARDS_CONTROLS",
"Title":"[New Controls] 36 new Security Hub controls added to the Amazon Foundational Security Best Practices standard",
"Description":"We have added 36 new controls to the Amazon Foundational Security Best Practices standard. These include controls for Amazon Auto Scaling (AutoScaling.3, AutoScaling.4, AutoScaling.6), Amazon CloudFormation (CloudFormation.1), Amazon CloudFront (CloudFront.10), Amazon Elastic Compute Cloud (Amazon EC2) (EC2.23, EC2.24, EC2.27), Amazon Elastic Container Registry (Amazon ECR) (ECR.1, ECR.2), Amazon Elastic Container Service (Amazon ECS) (ECS.3, ECS.4, ECS.5, ECS.8, ECS.10, ECS.12), Amazon Elastic File System (Amazon EFS) (EFS.3, EFS.4), Amazon Elastic Kubernetes Service (Amazon EKS) (EKS.2), Elastic Load Balancing (ELB.12, ELB.13, ELB.14), Amazon Kinesis (Kinesis.1), Amazon Network Firewall (NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5), Amazon OpenSearch Service (OpenSearch.7), Amazon Redshift (Redshift.9), 
Amazon Simple Storage Service (Amazon S3) (S3.13), Amazon Simple Notification Service (SNS.2), Amazon WAF (WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8). If you enabled the Amazon Foundational Security Best Practices standard in an account and configured Security Hub to automatically enable new controls, these controls are enabled by default. Availability of controls can vary by Region. "
}

示例:Security Hub 新控件的公告(电子邮件-JSON 协议)

{
  "Type" : "Notification",
  "MessageId" : "d124c9cf-326a-5931-9263-92a92e7af49f",
  "TopicArn" : "arn:aws:sns:us-west-2:393883065485:SecurityHubAnnouncements",
  "Message" : "{\"AnnouncementType\":\"NEW_STANDARDS_CONTROLS\",\"Title\":\"[New Controls] 36 new Security Hub controls added to the Amazon Foundational Security Best Practices standard\",\"Description\":\"We have added 36 new controls to the Amazon Foundational Security Best Practices standard. These include controls for Amazon Auto Scaling (AutoScaling.3, AutoScaling.4, AutoScaling.6), Amazon CloudFormation (CloudFormation.1), Amazon CloudFront (CloudFront.10), Amazon Elastic Compute Cloud (Amazon EC2) (EC2.23, EC2.24, EC2.27), Amazon Elastic Container Registry (Amazon ECR) (ECR.1, ECR.2), Amazon Elastic Container Service (Amazon ECS) (ECS.3, ECS.4, ECS.5, ECS.8, ECS.10, ECS.12), Amazon Elastic File System (Amazon EFS) (EFS.3, EFS.4), Amazon Elastic Kubernetes Service (Amazon EKS) (EKS.2), Elastic Load Balancing (ELB.12, ELB.13, ELB.14), Amazon Kinesis (Kinesis.1), Amazon Network Firewall (NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5), Amazon OpenSearch Service (OpenSearch.7), Amazon Redshift (Redshift.9), 
Amazon Simple Storage Service (Amazon S3) (S3.13), Amazon Simple Notification Service (SNS.2), Amazon WAF (WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8). If you enabled the Amazon Foundational Security Best Practices standard in an account and configured SSecurity Hub to automatically enable new controls, these controls are enabled by default. Availability of controls can vary by Region. \"}",
  "Timestamp" : "2022-08-04T19:11:12.652Z",
  "SignatureVersion" : "1",
  "Signature" : "HTHgNFRYMetCvisulgLM4CVySvK9qCXFPHQDxYl9tuCFQuIrd7YO4m4YFR28XKMgzqrF20YP+EilipUm2SOTpEEtOTekU5bn74+YmNZfwr4aPFx0vUuQCVOshmHl37hjkiLjhCg/t53QQiLfP7MH+MTXIUPR37k5SuFCXvjpRQ8ynV532AH3Wpv0HmojDLMg+eg51V1fUsOG8yiJVCBEJhJ1yS+gkwJdhRk2UQab9RcAmE6COK3hRWcjDwqTXz5nR6Ywv1ZqZfLIl7gYKslt+jsyd/k+7kOqGmOJRDr7qhE7H+7vaGRLOptsQnbW8VmeYnDbahEO8FV+Mp1rpV+7Qg==",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-56e67fcb41f6fec09b0196692625d385.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:393883065485:SecurityHubAnnouncements:9d0230d7-d582-451d-9f15-0c32818bf61f"
}