기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
Amazon Inspector EventBridge 이벤트에 대한 Amazon 이벤트 스키마 Amazon Inspector
Amazon EventBridge은 애플리케이션 및 기타 의 실시간 데이터 스트림 AWS 서비스 을 Amazon Kinesis Data Streams의 AWS Lambda 함수, Amazon Simple Notification Service 주제 및 데이터 스트림과 같은 대상으로 제공합니다. 다른 애플리케이션, 서비스 및 시스템과의 통합을 지원하기 위해 Amazon Inspector는 결과를 이벤트 EventBridge 로 https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html에 자동으로 게시합니다. Amazon Inspector를 사용하여 조사 결과, 적용 범위 및 스캔에 대한 이벤트를 게시할 수 있습니다. 이 섹션에서는 EventBridge 이벤트에 대한 예제 스키마를 제공합니다.
주제
Amazon Inspector용 Amazon EventBridge 기본 스키마
다음은 Amazon Inspector 에 대한 EventBridge 이벤트의 기본 스키마의 예입니다. 이벤트 세부 정보는 이벤트 유형에 따라 다릅니다.
{ "version": "0", "id": "Event ID", "detail-type": "Inspector2 *event type*", "source": "aws.inspector2", "account": "AWS 계정 ID (string)", "time": "event timestamp (string)", "region": "AWS 리전 (string)", "resources": [ *IDs or ARNs of the resources involved in the event* ], "detail": { *Details of an Amazon Inspector event type* } }
Amazon Inspector 결과 이벤트 스키마 예제
다음은 Amazon Inspector 조사 결과에 대한 EventBridge 이벤트 스키마의 예입니다. 결과 이벤트는 Amazon Inspector가 리소스 중 하나에서 소프트웨어 취약성 또는 네트워크 문제를 식별할 경우에 생성됩니다. 이 유형의 이벤트에 대한 대응으로 알림을 생성하는 방법에 대한 지침은 Amazon을 사용하여 Amazon Inspector의 조사 결과에 대한 사용자 지정 응답 생성 EventBridge을 참조하세요.
다음은 결과 이벤트를 식별하는 필드입니다.
-
detail-type를Inspector2 Finding(으)로 설정합니다. -
detail는 결과를 설명합니다. -
detail.resources.tags는 키-값 데이터가 저장되는 곳입니다.
탭을 필터링하여 다양한 리소스 및 조사 결과 유형에 대한 조사 결과 이벤트 스키마를 볼 수 있습니다.
- Amazon EC2 package vulnerability finding
{ "version": "0", "id": "4d621919-f1f4-4201-a0e2-37e4e330ff51", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T17:00:36Z", "region": "eu-central-1", "resources": [ "i-12345678901234567" ], "detail": { "awsAccountId": "123456789012", "description": "In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.", "epss": { "score": 0.00043 }, "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:59:44.356 UTC 2024", "fixAvailable": "YES", "inspectorScore": 4.8, "inspectorScoreDetails": { "adjustedCvss": { "adjustments": [], "cvssSource": "UBUNTU_CVE", "score": 4.8, "scoreSource": "UBUNTU_CVE", "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } }, "lastObservedAt": "Wed Sep 04 16:59:44.476 UTC 2024", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 4.8, "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "source": "UBUNTU_CVE", "version": "3.1" }, { "baseScore": 7.3, "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://www.cve.org/CVERecord?id=CVE-2024-29069", "https://ubuntu.com/security/notices/USN-6940-1" ], "relatedVulnerabilities": [ "USN-6940-1" ], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-29069.html", "vendorCreatedAt": "Thu Jul 25 20:15:00.000 UTC 2024", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2024-29069", "vulnerablePackages": [ { "arch": "ALL", "epoch": 0, "fixedInVersion": "0:2.63+22.04ubuntu0.1", "name": "snapd", "packageManager": "OS", "remediation": "apt-get update && apt-get upgrade", "version": "2.63" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-02ff980600c693b38", "ipV4Addresses": [ "1.23.456.789", "123.45.67.890" ], "ipV6Addresses": [], "launchedAt": "Wed Sep 04 16:57:40.000 UTC 2024", "platform": "UBUNTU_22_04", "subnetId": "subnet-12345678", "type": "t2.small", "vpcId": "vpc-12345678" } }, "id": "i-12345678901234567", "partition": "aws", "region": "eu-central-1", "type": "AWS_EC2_INSTANCE" } ], "severity": "MEDIUM", "status": "CLOSED", "title": "CVE-2024-29069 - snapd", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 17:00:36.951 UTC 2024" } }- Amazon EC2 network reachability finding
-
{ "version": "0", "id": "9eb1603b-4263-19ec-8be2-33184694cb92", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-05T13:06:56Z", "region": "eu-central-1", "resources": ["i-12345678901234567"], "detail": { "awsAccountId": "123456789012", "description": "On the instance i-12345678901234567, the port range 22-22 is reachable from the InternetGateway igw-261bab4d from an attached ENI eni-094ad651219472857.", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Thu Sep 05 13:06:56.334 UTC 2024", "lastObservedAt": "Thu Sep 05 13:06:56.334 UTC 2024", "networkReachabilityDetails": { "networkPath": { "steps": [{ "componentId": "igw-261bab4d", "componentType": "AWS::EC2::InternetGateway" }, { "componentId": "acl-171b527d", "componentType": "AWS::EC2::NetworkAcl" }, { "componentId": "sg-0d34debf87410f2d9", "componentType": "AWS::EC2::SecurityGroup" }, { "componentId": "eni-094ad651219472857", "componentType": "AWS::EC2::NetworkInterface" }, { "componentId": "i-12345678901234567", "componentType": "AWS::EC2::Instance" }] }, "openPortRange": { "begin": 22, "end": 22 }, "protocol": "TCP" }, "remediation": { "recommendation": { "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path." } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-02ff980600c693b38", "ipV4Addresses": ["1.23.456.789", "123.45.67.890"], "ipV6Addresses": [], "launchedAt": "Wed Sep 04 17:41:24.000 UTC 2024", "platform": "UBUNTU_22_04", "subnetId": "subnet-12345678", "type": "t2.small", "vpcId": "vpc-12345678" } }, "id": "i-12345678901234567", "partition": "aws", "region": "eu-central-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "Port 22 is reachable from an Internet Gateway - TCP", "type": "NETWORK_REACHABILITY", "updatedAt": "Thu Sep 05 13:06:56.334 UTC 2024" } } - Amazon ECR package vulnerability finding
{ "version": "0", "id": "5325facf-a1aa-7d97-6bce-25fde6f6d2fc", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:55:38Z", "region": "eu-central-1", "resources": [ "arn:aws:ecr:eu-central-1:123456789012:repository/inspector2/sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d" ], "detail.resources.tags.testkey": "allow", "detail": { "awsAccountId": "123456789012", "description": "Possible denial of service in X.509 name checks", "epss": { "score": 0.00045 }, "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:55:38.411 UTC 2024", "fixAvailable": "YES", "lastObservedAt": "Wed Sep 04 16:55:38.411 UTC 2024", "packageVulnerabilityDetails": { "cvss": [], "referenceUrls": [ "https://www.cve.org/CVERecord?id=CVE-2024-6119", "https://ubuntu.com/security/notices/USN-6986-1" ], "relatedVulnerabilities": [ "USN-6986-1" ], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-6119.html", "vendorCreatedAt": "Tue Sep 03 00:00:00.000 UTC 2024", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2024-6119", "vulnerablePackages": [ { "arch": "ARM64", "epoch": 0, "fixedInVersion": "0:3.0.13-0ubuntu3.4", "name": "libssl3t64", "packageManager": "OS", "release": "0ubuntu3.2", "remediation": "apt-get update && apt-get upgrade", "sourceLayerHash": "sha256:1567e7ea90b67fc95ccdeeec39bdc3045098dee7e0c604975b957a9f8c0e9616", "version": "3.0.13" }, { "arch": "ARM64", "epoch": 0, "fixedInVersion": "0:3.0.13-0ubuntu3.4", "name": "openssl", "packageManager": "OS", "release": "0ubuntu3.2", "remediation": "apt-get update && apt-get upgrade", "sourceLayerHash": "sha256:1567e7ea90b67fc95ccdeeec39bdc3045098dee7e0c604975b957a9f8c0e9616", "version": "3.0.13" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsEcrContainerImage": { "architecture": "arm64", "imageHash": "sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d", "imageTags": [ "ubuntu_latest" ], "platform": "UBUNTU_24_04", "pushedAt": "Wed Sep 04 16:55:28.000 UTC 2024", "registry": "123456789012", "repositoryName": "inspector2" } }, "id": "arn:aws:ecr:eu-central-1:123456789012:repository/inspector2/sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d", "partition": "aws", "region": "eu-central-1", "type": "AWS_ECR_CONTAINER_IMAGE" } ], "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2024-6119 - libssl3t64, openssl", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:55:38.411 UTC 2024" } }- Lambda package vulnerability finding
-
{ "version": "0", "id": "9eadd71a-e49c-9864-6ba9-2a5d3f83c88f", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:50:37Z", "region": "eu-central-1", "resources": [ "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST" ], "detail": { "awsAccountId": "123456789012", "description": "Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is ac", "epss": { "score": 0.00208 }, "exploitAvailable": "YES", "exploitabilityDetails": { "lastKnownExploitAt": "Sat Aug 31 00:04:50.000 UTC 2024" }, "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:50:37.627 UTC 2024", "fixAvailable": "YES", "inspectorScore": 7.5, "inspectorScoreDetails": { "adjustedCvss": { "cvssSource": "NVD", "score": 7.5, "scoreSource": "NVD", "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "lastObservedAt": "Wed Sep 04 16:50:37.627 UTC 2024", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://www.debian.org/security/2023/dsa-5442", "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html" ], "relatedVulnerabilities": [], "source": "NVD", "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861", "vendorCreatedAt": "Tue May 02 18:15:52.000 UTC 2023", "vendorSeverity": "HIGH", "vendorUpdatedAt": "Sun Aug 20 21:15:09.000 UTC 2023", "vulnerabilityId": "CVE-2023-30861", "vulnerablePackages": [ { "epoch": 0, "filePath": "requirements.txt", "fixedInVersion": "2.3.2", "name": "flask", "packageManager": "PIP", "version": "2.0.0" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsLambdaFunction": { "architectures": [ "X86_64" ], "codeSha256": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", "executionRoleArn": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", "functionName": "VulnerableFunction", "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", "packageType": "ZIP", "runtime": "PYTHON_3_11", "version": "$LATEST" } }, "id": "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST", "partition": "aws", "region": "eu-central-1", "type": "AWS_LAMBDA_FUNCTION" } ], "severity": "HIGH", "status": "ACTIVE", "title": "CVE-2023-30861 - flask", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:50:37.627 UTC 2024" } } - Lambda code vulnerability finding
{ "version": "0", "id": "e764f7be-f931-ff1b-204b-8cab2d91724b", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:51:01Z", "region": "eu-central-1", "resources": [ "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST" ], "detail": { "awsAccountId": "123456789012", "codeVulnerabilityDetails": { "cwes": [ "CWE-798" ], "detectorId": "python/hardcoded-credentials@v1.0", "detectorName": "Hardcoded credentials", "detectorTags": [ "secrets", "security", "owasp-top10", "top25-cwes", "cwe-798", "Python" ], "filePath": { "endLine": 6, "fileName": "lambda_function.py", "filePath": "lambda_function.py", "startLine": 6 }, "ruleId": "python-detect-hardcoded-aws-credentials" }, "description": "Access credentials, such as passwords and access keys, should not be hardcoded in source code. Hardcoding credentials may cause leaks even after removing them. This is because version control systems might retain older versions of the code. Credentials should be stored securely and obtained from the runtime environment.", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:51:01.869 UTC 2024", "lastObservedAt": "Wed Sep 04 16:51:01.869 UTC 2024", "remediation": { "recommendation": { "text": "Your code uses hardcoded AWS credentials which might allow unauthorized users access to your AWS account. These attacks can occur a long time after the credentials are removed from the code. We recommend that you set AWS credentials with environment variables or an AWS profile instead. You should consider deleting the affected account or rotating the secret key and then monitoring Amazon CloudWatch for unexpected activity.\n[https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html)" } }, "resources": [ { "details": { "awsLambdaFunction": { "architectures": [ "X86_64" ], "codeSha256": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", "executionRoleArn": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", "functionName": "VulnerableFunction", "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", "packageType": "ZIP", "runtime": "PYTHON_3_11", "version": "$LATEST" } }, "id": "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST", "partition": "aws", "region": "eu-central-1", "type": "AWS_LAMBDA_FUNCTION" } ], "severity": "CRITICAL", "status": "ACTIVE", "title": "CWE-798 - Hardcoded credentials", "type": "CODE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:51:01.869 UTC 2024" } }
참고
세부 정보 값은 단일 결과의 JSON 세부 정보를 객체로 반환합니다. 배열 내의 여러 결과를 지원하는 전체 결과 응답 구문은 반환하지 않습니다.
Amazon Inspector 최초 스캔 완료 이벤트 스키마 예제
다음은 초기 스캔을 완료하기 위한 Amazon Inspector 이벤트의 이벤트 EventBridge 스키마의 예입니다. 이 이벤트는 Amazon Inspector에서 리소스 중 하나에 대한 최초 스캔을 완료할 경우에 생성됩니다.
다음은 최초 스캔 완료 이벤트를 식별하는 필드입니다.
detail-type필드가Inspector2 Scan으로 설정되어 있습니다.detail객체에는 해당 심각도 범주(예:CRITICAL,HIGH,MEDIUM)에 있는 결과 수를 자세히 설명하는finding-severity-counts객체가 포함되어 있습니다.
아래 옵션 중 하나를 선택하면 여러 최초 스캔 이벤트 스키마를 리소스 유형별로 확인할 수 있습니다.
- Amazon EC2 instance initial scan
-
{ "version": "0", "id": "28a46762-6ac8-6cc4-4f55-bc9ab99af928", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:52:35Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "instance-id": "i-087d63509b8c97098", "version": "1.0" } } - Amazon ECR image initial scan
-
{ "version": "0", "id": "fdaa751a-984c-a709-44f9-9a9da9cd3606", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T23:15:18Z", "region": "us-east-1", "resources": [ "arn:aws:ecr:us-east-1:111122223333:repository/inspector2" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "repository-name": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "image-digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea", "image-tags": [ "ubuntu22" ], "version": "1.0" } } - Lambda function initial scan
-
{ "version": "0", "id": "4f290a7c-361b-c442-03c8-a629f6f20d6c", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-02-23T18:06:03Z", "region": "us-west-2", "resources": [ "arn:aws:lambda:us-west-2:111122223333:function:lambda-example:$LATEST" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "version": "1.0" } }
Amazon Inspector 적용 범위 이벤트 스키마 예제
다음은 적용 범위에 대한 Amazon Inspector EventBridge 이벤트의 이벤트 스키마의 예입니다. 이 이벤트는 리소스에 대한 Amazon Inspector 스캔 적용 범위가 변경될 때 생성됩니다. 다음은 적용 범위 이벤트를 식별하는 필드입니다.
detail-type필드가Inspector2 Coverage으로 설정되어 있습니다.detail객체에는 리소스의 새 스캔 상태를 나타내는scanStatus객체가 포함되어 있습니다.
{ "version": "0", "id": "000adda5-0fbf-913e-bc0e-10f0376412aa", "detail-type": "Inspector2 Coverage", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:51:39Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scanStatus": { "reason": "UNMANAGED_EC2_INSTANCE", "statusCodeValue": "INACTIVE" }, "scanType": "PACKAGE", "eventTimestamp": "2023-01-20T22:51:35.665501Z", "version": "1.0" } }
익스포트 SBOMs
CI/CD 통합