Amazon Inspector examples using AWS CLI - AWS Command Line Interface

This documentation is for Version 1 of the AWS CLI only. For documentation related to Version 2 of the AWS CLI, see the Version 2 User Guide.

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Amazon Inspector examples using AWS CLI

The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Amazon Inspector.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use add-attributes-to-findings.

AWS CLI

To add attributes to findings

The following add-attributes-to-findings command assigns an attribute with the key of Example and value of example to the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU:

aws inspector add-attributes-to-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU --attributes key=Example,value=example

Output:

{ "failedItems": {} }

For more information, see Amazon Inspector Findings in the Amazon Inspector User Guide.

The following code example shows how to use create-assessment-target.

AWS CLI

To create an assessment target

The following create-assessment-target command creates an assessment target named ExampleAssessmentTarget using the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv:

aws inspector create-assessment-target --assessment-target-name ExampleAssessmentTarget --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv

Output:

{ "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX" }

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use create-assessment-template.

AWS CLI

To create an assessment template

The following create-assessment-template command creates an assessment template named ExampleAssessmentTemplate for the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX:

aws inspector create-assessment-template \
    --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX \
    --assessment-template-name ExampleAssessmentTemplate \
    --duration-in-seconds 180 \
    --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p \
    --user-attributes-for-findings key=ExampleTag,value=examplevalue

Output:

{ "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T" }

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use create-filter.

AWS CLI

To create a filter

The following create-filter example creates a suppression rule that omits ECR instance type findings.

aws inspector2 create-filter \
    --name "ExampleSuppressionRuleECR" \
    --description "This suppression rule omits ECR instance type findings" \
    --action SUPPRESS \
    --filter-criteria 'resourceType=[{comparison="EQUALS", value="AWS_ECR_INSTANCE"}]'

Output:

{ "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" }

For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.

The following code example shows how to use create-findings-report.

AWS CLI

To create a findings report

The following create-findings-report example creates a findings report.

aws inspector2 create-findings-report \
    --report-format CSV \
    --s3-destination bucketName=inspector-sbom-123456789012,keyPrefix=sbom-key,kmsKeyArn=arn:aws:kms:us-west-2:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333 \
    --filter-criteria '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"debian"}]}'

Output:

{ "reportId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }

For more information, see Managing findings in Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use create-resource-group.

AWS CLI

To create a resource group

The following create-resource-group command creates a resource group using the tag key Name and value example:

aws inspector create-resource-group --resource-group-tags key=Name,value=example

Output:

{ "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv" }

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use create-sbom-export.

AWS CLI

To create a software bill of materials (SBOM) report

The following create-sbom-export example creates a software bill of materials (SBOM) report.

aws inspector2 create-sbom-export \
    --report-format SPDX_2_3 \
    --resource-filter-criteria 'ecrRepositoryName=[{comparison="EQUALS",value="debian"}]' \
    --s3-destination bucketName=inspector-sbom-123456789012,keyPrefix=sbom-key,kmsKeyArn=arn:aws:kms:us-west-2:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333

Output:

{ "reportId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }

For more information, see Exporting SBOMs with Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use delete-assessment-run.

AWS CLI

To delete an assessment run

The following delete-assessment-run command deletes the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe:

aws inspector delete-assessment-run --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use delete-assessment-target.

AWS CLI

To delete an assessment target

The following delete-assessment-target command deletes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector delete-assessment-target --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use delete-assessment-template.

AWS CLI

To delete an assessment template

The following delete-assessment-template command deletes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:

aws inspector delete-assessment-template --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use delete-filter.

AWS CLI

To delete a filter

The following delete-filter example deletes a filter.

aws inspector2 delete-filter \
    --arn "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444"

Output:

{ "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" }

For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.

The following code example shows how to use describe-assessment-runs.

AWS CLI

To describe assessment runs

The following describe-assessment-runs command describes the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:

aws inspector describe-assessment-runs --assessment-run-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{ "assessmentRuns": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw", "completedAt": 1458680301.4, "createdAt": 1458680170.035, "dataCollected": true, "durationInSeconds": 3600, "name": "Run 1 for ExampleAssessmentTemplate", "notifications": [], "rulesPackageArns": [ "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP" ], "startedAt": 1458680170.161, "state": "COMPLETED", "stateChangedAt": 1458680301.4, "stateChanges": [ { "state": "CREATED", "stateChangedAt": 1458680170.035 }, { "state": "START_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680170.065 }, { "state": "START_DATA_COLLECTION_IN_PROGRESS", "stateChangedAt": 1458680170.096 }, { "state": "COLLECTING_DATA", "stateChangedAt": 1458680170.161 }, { "state": "STOP_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680239.883 }, { "state": "DATA_COLLECTED", "stateChangedAt": 1458680299.847 }, { "state": "EVALUATING_RULES", "stateChangedAt": 1458680300.099 }, { "state": "COMPLETED", "stateChangedAt": 1458680301.4 } ], "userAttributesForFindings": [] } ], "failedItems": {} }

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use describe-assessment-targets.

AWS CLI

To describe assessment targets

The following describe-assessment-targets command describes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector describe-assessment-targets --assessment-target-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

Output:

{
    "assessmentTargets": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.459,
            "name": "ExampleAssessmentTarget",
            "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
            "updatedAt": 1458074191.459
        }
    ],
    "failedItems": {}
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use describe-assessment-templates.

AWS CLI

To describe assessment templates

The following describe-assessment-templates command describes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw:

aws inspector describe-assessment-templates --assessment-template-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw

Output:

{
    "assessmentTemplates": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
            "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.844,
            "durationInSeconds": 3600,
            "name": "ExampleAssessmentTemplate",
            "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
            ],
            "userAttributesForFindings": []
        }
    ],
    "failedItems": {}
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use describe-cross-account-access-role.

AWS CLI

To describe the cross-account access role

The following describe-cross-account-access-role command describes the IAM role that enables Amazon Inspector to access your AWS account:

aws inspector describe-cross-account-access-role

Output:

{
    "registeredAt": 1458069182.826,
    "roleArn": "arn:aws:iam::123456789012:role/inspector",
    "valid": true
}

For more information, see Setting up Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use describe-findings.

AWS CLI

To describe findings

The following describe-findings command describes the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4:

aws inspector describe-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4

Output:

{ "failedItems": {}, "findings": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4", "assetAttributes": { "ipv4Addresses": [], "schemaVersion": 1 }, "assetType": "ec2-instance", "attributes": [], "confidence": 10, "createdAt": 1458680301.37, "description": "Amazon Inspector did not find any potential security issues during this assessment.", "indicatorOfCompromise": false, "numericSeverity": 0, "recommendation": "No remediation needed.", "schemaVersion": 1, "service": "Inspector", "serviceAttributes": { "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP", "schemaVersion": 1 }, "severity": "Informational", "title": "No potential security issues found", "updatedAt": 1458680301.37, "userAttributes": [] } ] }

For more information, see Amazon Inspector Findings in the Amazon Inspector User Guide.
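The describe-findings output above is a batch response: the findings you asked for come back in "findings", and any ARN the service could not describe is reported in "failedItems" while the CLI still exits 0. The following Python script is an added example (not code from the AWS CLI documentation) that triages such output with only the standard library. The sample document is constructed: the first finding is abridged from the page's output, while the second finding, its CVE id and the failedItems entry are placeholders invented to give the triage something to escalate. Severity strings and their order (Informational, Low, Medium, High) are Inspector Classic's.

```python
import json
from collections import Counter

# Inspector Classic severity strings, ordered so a threshold can be applied.
SEVERITY_RANK = {"Undefined": -1, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample. The first finding is abridged from the page's describe-findings
# output; the second finding and the failedItems entry are invented (placeholder
# ARNs and CVE id) so that the triage has something to escalate.
SAMPLE_OUTPUT = json.dumps({
    "failedItems": {
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-PLACEHOLDER": {
            "failureCode": "ITEM_DOES_NOT_EXIST",
            "retryable": False,
        }
    },
    "findings": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
            "assetType": "ec2-instance",
            "confidence": 10,
            "indicatorOfCompromise": False,
            "numericSeverity": 0,
            "severity": "Informational",
            "title": "No potential security issues found",
            "recommendation": "No remediation needed.",
        },
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-CONSTRUCTED",
            "assetType": "ec2-instance",
            "confidence": 10,
            "indicatorOfCompromise": True,
            "numericSeverity": 9,
            "severity": "High",
            "title": "Instance i-49113b93 is vulnerable to CVE-XXXX-XXXX (placeholder)",
            "recommendation": "Install the vendor patch and restart the affected service.",
        },
    ],
})


def parse_describe_findings(raw):
    """Split the CLI's JSON document into (findings, failedItems)."""
    doc = json.loads(raw)
    return doc.get("findings", []), doc.get("failedItems", {})


def failed_items(failed):
    """ARNs that were requested but not described. The CLI exits 0 even when this
    map is non-empty, so a script that only checks the exit status would miss them."""
    return sorted((arn, info.get("failureCode"), bool(info.get("retryable")))
                  for arn, info in failed.items())


def triage(findings, min_severity="Medium"):
    """Count findings per severity and pick the ones to escalate: anything at or
    above min_severity, plus anything flagged as an indicator of compromise."""
    threshold = SEVERITY_RANK[min_severity]
    counts = Counter(f.get("severity", "Undefined") for f in findings)
    escalate = [f["arn"] for f in findings
                if SEVERITY_RANK.get(f.get("severity"), -1) >= threshold
                or f.get("indicatorOfCompromise", False)]
    ioc = [f["arn"] for f in findings if f.get("indicatorOfCompromise", False)]
    return {"counts": dict(counts), "escalate": escalate, "ioc": ioc}


if __name__ == "__main__":
    # Against a real account, raw would come from:
    #   aws inspector describe-findings --finding-arns <arns> --output json
    findings, failed = parse_describe_findings(SAMPLE_OUTPUT)
    print("triage:", triage(findings))
    print("not described:", failed_items(failed))
```

Feed the script the output of `aws inspector describe-findings --output json` (for example via `subprocess.run(..., capture_output=True)`); the failedItems check is the part most scripts forget, because a mistyped or deleted finding ARN does not make the command fail.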

The following code example shows how to use describe-resource-groups.

AWS CLI

To describe resource groups

The following describe-resource-groups command describes the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI:

aws inspector describe-resource-groups --resource-group-arns arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI

Output:

{
    "failedItems": {},
    "resourceGroups": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
            "createdAt": 1458074191.098,
            "tags": [
                {
                    "key": "Name",
                    "value": "example"
                }
            ]
        }
    ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use describe-rules-packages.

AWS CLI

To describe rules packages

The following describe-rules-packages command describes the rules package with the ARN of arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p:

aws inspector describe-rules-packages --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p

Output:

{ "failedItems": {}, "rulesPackages": [ { "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p", "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see [https://cve.mitre.org/](https://cve.mitre.org/). If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search [https://cve.mitre.org/](https://cve.mitre.org/) using the CVE's ID (for example, \"CVE-2009-0021\") to find detailed information about this CVE, its severity, and how to mitigate it. ", "name": "Common Vulnerabilities and Exposures", "provider": "Amazon Web Services, Inc.", "version": "1.1" } ] }

For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector User Guide.

The following code example shows how to use get-configuration.

AWS CLI

To get the setting configuration for Inspector scans

The following get-configuration example gets the setting configuration for Inspector scans.

aws inspector2 get-configuration

Output:

{
    "ec2Configuration": {
        "scanModeState": {
            "scanMode": "EC2_HYBRID",
            "scanModeStatus": "SUCCESS"
        }
    },
    "ecrConfiguration": {
        "rescanDurationState": {
            "pullDateRescanDuration": "DAYS_90",
            "rescanDuration": "DAYS_30",
            "status": "SUCCESS",
            "updatedAt": "2024-05-14T21:16:20.237000+00:00"
        }
    }
}

For more information, see Automated resource scanning with Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use get-telemetry-metadata.

AWS CLI

To get telemetry metadata

The following get-telemetry-metadata command generates information about the data that is collected for the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:

aws inspector get-telemetry-metadata --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{ "telemetryMetadata": [ { "count": 2, "dataSize": 345, "messageType": "InspectorDuplicateProcess" }, { "count": 3, "dataSize": 255, "messageType": "InspectorTimeEventMsg" }, { "count": 4, "dataSize": 1082, "messageType": "InspectorNetworkInterface" }, { "count": 2, "dataSize": 349, "messageType": "InspectorDnsEntry" }, { "count": 11, "dataSize": 2514, "messageType": "InspectorDirectoryInfoMsg" }, { "count": 1, "dataSize": 179, "messageType": "InspectorTcpV6ListeningPort" }, { "count": 101, "dataSize": 10949, "messageType": "InspectorTerminal" }, { "count": 26, "dataSize": 5916, "messageType": "InspectorUser" }, { "count": 282, "dataSize": 32148, "messageType": "InspectorDynamicallyLoadedCodeModule" }, { "count": 18, "dataSize": 10172, "messageType": "InspectorCreateProcess" }, { "count": 3, "dataSize": 8001, "messageType": "InspectorProcessPerformance" }, { "count": 1, "dataSize": 360, "messageType": "InspectorOperatingSystem" }, { "count": 6, "dataSize": 546, "messageType": "InspectorStopProcess" }, { "count": 1, "dataSize": 1553, "messageType": "InspectorInstanceMetaData" }, { "count": 2, "dataSize": 434, "messageType": "InspectorTcpV4Connection" }, { "count": 474, "dataSize": 2960322, "messageType": "InspectorPackageInfo" }, { "count": 3, "dataSize": 2235, "messageType": "InspectorSystemPerformance" }, { "count": 105, "dataSize": 46048, "messageType": "InspectorCodeModule" }, { "count": 1, "dataSize": 182, "messageType": "InspectorUdpV6ListeningPort" }, { "count": 2, "dataSize": 371, "messageType": "InspectorUdpV4ListeningPort" }, { "count": 18, "dataSize": 8362, "messageType": "InspectorKernelModule" }, { "count": 29, "dataSize": 48788, "messageType": "InspectorConfigurationInfo" }, { "count": 1, "dataSize": 79, "messageType": "InspectorMonitoringStart" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgBegin" }, { "count": 51, "dataSize": 4593, "messageType": "InspectorGroup" }, { "count": 1, "dataSize": 184, "messageType": "InspectorTcpV4ListeningPort" }, { "count": 1159, "dataSize": 3146579, "messageType": "Total" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgEnd" }, { "count": 1, "dataSize": 612, "messageType": "InspectorLoadImageInProcess" } ] }

The following code example shows how to use list-account-permissions.

AWS CLI

To list account permissions

The following list-account-permissions example lists your account permissions.

aws inspector2 list-account-permissions

Output:

{
    "permissions": [
        { "operation": "ENABLE_SCANNING", "service": "ECR" },
        { "operation": "DISABLE_SCANNING", "service": "ECR" },
        { "operation": "ENABLE_REPOSITORY", "service": "ECR" },
        { "operation": "DISABLE_REPOSITORY", "service": "ECR" },
        { "operation": "ENABLE_SCANNING", "service": "EC2" },
        { "operation": "DISABLE_SCANNING", "service": "EC2" },
        { "operation": "ENABLE_SCANNING", "service": "LAMBDA" },
        { "operation": "DISABLE_SCANNING", "service": "LAMBDA" }
    ]
}

For more information, see Identity and Access Management for Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-run-agents.

AWS CLI

To list assessment run agents

The following list-assessment-run-agents command lists the agents of the assessment run with the specified ARN.

aws inspector list-assessment-run-agents \
    --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{ "assessmentRunAgents": [ { "agentHealth": "HEALTHY", "agentHealthCode": "HEALTHY", "agentId": "i-49113b93", "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "telemetryMetadata": [ { "count": 2, "dataSize": 345, "messageType": "InspectorDuplicateProcess" }, { "count": 3, "dataSize": 255, "messageType": "InspectorTimeEventMsg" }, { "count": 4, "dataSize": 1082, "messageType": "InspectorNetworkInterface" }, { "count": 2, "dataSize": 349, "messageType": "InspectorDnsEntry" }, { "count": 11, "dataSize": 2514, "messageType": "InspectorDirectoryInfoMsg" }, { "count": 1, "dataSize": 179, "messageType": "InspectorTcpV6ListeningPort" }, { "count": 101, "dataSize": 10949, "messageType": "InspectorTerminal" }, { "count": 26, "dataSize": 5916, "messageType": "InspectorUser" }, { "count": 282, "dataSize": 32148, "messageType": "InspectorDynamicallyLoadedCodeModule" }, { "count": 18, "dataSize": 10172, "messageType": "InspectorCreateProcess" }, { "count": 3, "dataSize": 8001, "messageType": "InspectorProcessPerformance" }, { "count": 1, "dataSize": 360, "messageType": "InspectorOperatingSystem" }, { "count": 6, "dataSize": 546, "messageType": "InspectorStopProcess" }, { "count": 1, "dataSize": 1553, "messageType": "InspectorInstanceMetaData" }, { "count": 2, "dataSize": 434, "messageType": "InspectorTcpV4Connection" }, { "count": 474, "dataSize": 2960322, "messageType": "InspectorPackageInfo" }, { "count": 3, "dataSize": 2235, "messageType": "InspectorSystemPerformance" }, { "count": 105, "dataSize": 46048, "messageType": "InspectorCodeModule" }, { "count": 1, "dataSize": 182, "messageType": "InspectorUdpV6ListeningPort" }, { "count": 2, "dataSize": 371, "messageType": "InspectorUdpV4ListeningPort" }, { "count": 18, "dataSize": 8362, "messageType": "InspectorKernelModule" }, { "count": 29, "dataSize": 48788, "messageType": "InspectorConfigurationInfo" }, { "count": 1, "dataSize": 79, "messageType": "InspectorMonitoringStart" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgBegin" }, { "count": 51, "dataSize": 4593, "messageType": "InspectorGroup" }, { "count": 1, "dataSize": 184, "messageType": "InspectorTcpV4ListeningPort" }, { "count": 1159, "dataSize": 3146579, "messageType": "Total" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgEnd" }, { "count": 1, "dataSize": 612, "messageType": "InspectorLoadImageInProcess" } ] } ] }

For more information, see AWS agents in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-runs.

AWS CLI

To list assessment runs

The following list-assessment-runs command lists all existing assessment runs.

aws inspector list-assessment-runs

Output:

{
    "assessmentRunArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v"
    ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-targets.

AWS CLI

To list assessment targets

The following list-assessment-targets command lists all existing assessment targets:

aws inspector list-assessment-targets

Output:

{
    "assessmentTargetArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq"
    ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-templates.

AWS CLI

To list assessment templates

The following list-assessment-templates command lists all existing assessment templates:

aws inspector list-assessment-templates

Output:

{
    "assessmentTemplateArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh"
    ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use list-coverage-statistics.

AWS CLI

Example 1: To list coverage statistics by groups

The following list-coverage-statistics example lists the coverage statistics of your AWS environment by groups.

aws inspector2 list-coverage-statistics \
    --group-by RESOURCE_TYPE

Output:

{
    "countsByGroup": [
        { "count": 56, "groupKey": "AWS_LAMBDA_FUNCTION" },
        { "count": 27, "groupKey": "AWS_ECR_REPOSITORY" },
        { "count": 18, "groupKey": "AWS_EC2_INSTANCE" },
        { "count": 3, "groupKey": "AWS_ECR_CONTAINER_IMAGE" },
        { "count": 1, "groupKey": "AWS_ACCOUNT" }
    ],
    "totalCounts": 105
}

For more information, see Assessing Amazon Inspector coverage of your AWS environment in the Amazon Inspector User Guide.

Example 2: To list coverage statistics by resource type

The following list-coverage-statistics example lists the coverage statistics of your AWS environment by resource type.

aws inspector2 list-coverage-statistics --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_REPOSITORY"}]}' --group-by SCAN_STATUS_REASON

Output:

{
    "countsByGroup": [
        { "count": 27, "groupKey": "SUCCESSFUL" }
    ],
    "totalCounts": 27
}

For more information, see Assessing Amazon Inspector coverage of your AWS environment in the Amazon Inspector User Guide.

Example 3: To list coverage statistics by ECR repository name

The following list-coverage-statistics example lists the coverage statistics of your AWS environment by ECR repository name.

aws inspector2 list-coverage-statistics --filter-criteria '{"ecrRepositoryName":[{"comparison":"EQUALS","value":"debian"}]}' --group-by SCAN_STATUS_REASON

Output:

{
    "countsByGroup": [
        { "count": 3, "groupKey": "SUCCESSFUL" }
    ],
    "totalCounts": 3
}

For more information, see Assessing Amazon Inspector coverage of your AWS environment in the Amazon Inspector User Guide.

The following code example shows how to use list-coverage.

AWS CLI

Example 1: To list coverage details about your environment

The following list-coverage example lists the coverage details of your environment.

aws inspector2 list-coverage

Output:

{
    "coveredResources": [
        {
            "accountId": "123456789012",
            "lastScannedAt": "2024-05-20T16:23:20-07:00",
            "resourceId": "i-EXAMPLE55555555555",
            "resourceMetadata": {
                "ec2": {
                    "amiId": "ami-EXAMPLE6666666666",
                    "platform": "LINUX"
                }
            },
            "resourceType": "AWS_EC2_INSTANCE",
            "scanStatus": {
                "reason": "SUCCESSFUL",
                "statusCode": "ACTIVE"
            },
            "scanType": "PACKAGE"
        }
    ]
}

Example 2: To list coverage details about the Lambda function resource type

The following list-coverage example lists the coverage details of your Lambda function resource type.

aws inspector2 list-coverage --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_LAMBDA_FUNCTION"}]}'

Output:

{
    "coveredResources": [
        {
            "accountId": "123456789012",
            "resourceId": "arn:aws:lambda:us-west-2:123456789012:function:Eval-container-scan-results:$LATEST",
            "resourceMetadata": {
                "lambdaFunction": {
                    "functionName": "Eval-container-scan-results",
                    "functionTags": {},
                    "layers": [],
                    "runtime": "PYTHON_3_7"
                }
            },
            "resourceType": "AWS_LAMBDA_FUNCTION",
            "scanStatus": {
                "reason": "SUCCESSFUL",
                "statusCode": "ACTIVE"
            },
            "scanType": "CODE"
        }
    ]
}
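Both list-coverage outputs above show resources with a scanStatus of ACTIVE / SUCCESSFUL; the coverage gaps are the resources Inspector knows about but is not scanning, and those are what a coverage review is looking for. The following Python script is an added example (not AWS documentation code) that extracts them from list-coverage output. The sample is constructed: the two ACTIVE resources are abridged from the page's outputs, and the two INACTIVE EC2 instances, with placeholder instance ids, are invented; their reason codes (UNMANAGED_EC2_INSTANCE, EC2_INSTANCE_STOPPED) are values of the inspector2 ScanStatusReason enum that do not appear on this page.

```python
import json
from collections import Counter

# Constructed sample: two resources abridged from the page's list-coverage
# outputs plus two invented uncovered EC2 instances with placeholder ids.
SAMPLE_LIST_COVERAGE = json.dumps({"coveredResources": [
    {"accountId": "123456789012", "resourceId": "i-EXAMPLE55555555555",
     "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"reason": "SUCCESSFUL", "statusCode": "ACTIVE"}, "scanType": "PACKAGE"},
    {"accountId": "123456789012",
     "resourceId": "arn:aws:lambda:us-west-2:123456789012:function:Eval-container-scan-results:$LATEST",
     "resourceType": "AWS_LAMBDA_FUNCTION",
     "scanStatus": {"reason": "SUCCESSFUL", "statusCode": "ACTIVE"}, "scanType": "CODE"},
    {"accountId": "123456789012", "resourceId": "i-PLACEHOLDER0000001",
     "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"reason": "UNMANAGED_EC2_INSTANCE", "statusCode": "INACTIVE"}, "scanType": "PACKAGE"},
    {"accountId": "123456789012", "resourceId": "i-PLACEHOLDER0000002",
     "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"reason": "EC2_INSTANCE_STOPPED", "statusCode": "INACTIVE"}, "scanType": "PACKAGE"},
]})


def coverage_gaps(raw):
    """Resources that Inspector is not actively scanning, as (type, id, reason) tuples."""
    gaps = []
    for res in json.loads(raw).get("coveredResources", []):
        status = res.get("scanStatus", {})
        if status.get("statusCode") != "ACTIVE":
            gaps.append((res.get("resourceType"), res.get("resourceId"), status.get("reason")))
    return gaps


def gap_summary(raw):
    """Count the gaps by (resourceType, reason), the same shape that
    list-coverage-statistics --group-by SCAN_STATUS_REASON reports per resource type."""
    return dict(Counter((rtype, reason) for rtype, _rid, reason in coverage_gaps(raw)))


if __name__ == "__main__":
    # Against a real account, raw would come from: aws inspector2 list-coverage --output json
    for rtype, rid, reason in coverage_gaps(SAMPLE_LIST_COVERAGE):
        print(f"{rtype} {rid}: {reason}")
    print(gap_summary(SAMPLE_LIST_COVERAGE))
```

An UNMANAGED_EC2_INSTANCE entry points at an instance that is not managed by Systems Manager, which is the usual root cause when an instance shows up in the inventory but never receives a package scan.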

The following code example shows how to use list-delegated-admin-accounts.

AWS CLI

To list information about the delegated administrator account of your organization

The following list-delegated-admin-accounts example lists information about the delegated administrator account of your organization.

aws inspector2 list-delegated-admin-accounts

Output:

{
    "delegatedAdminAccounts": [
        {
            "accountId": "123456789012",
            "status": "ENABLED"
        }
    ]
}

For more information, see Designating a delegated administrator for Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use list-event-subscriptions.

AWS CLI

To list event subscriptions

The following list-event-subscriptions command lists all the event subscriptions for the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:

aws inspector list-event-subscriptions --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0

Output:

{
    "subscriptions": [
        {
            "eventSubscriptions": [
                {
                    "event": "ASSESSMENT_RUN_COMPLETED",
                    "subscribedAt": 1459455440.867
                }
            ],
            "resourceArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0",
            "topicArn": "arn:aws:sns:us-west-2:123456789012:exampletopic"
        }
    ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use list-filters.

AWS CLI

To list the filters associated with the account you used to activate Amazon Inspector

The following list-filters example lists the filters associated with the account you used to activate Amazon Inspector.

aws inspector2 list-filters

Output:

{
    "filters": [
        {
            "action": "SUPPRESS",
            "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
            "createdAt": "2024-05-15T21:11:08.602000+00:00",
            "criteria": {
                "resourceType": [
                    {
                        "comparison": "EQUALS",
                        "value": "AWS_EC2_INSTANCE"
                    }
                ]
            },
            "description": "This suppression rule omits EC2 instance type findings",
            "name": "ExampleSuppressionRuleEC2",
            "ownerId": "o-EXAMPLE222",
            "tags": {},
            "updatedAt": "2024-05-15T21:11:08.602000+00:00"
        },
        {
            "action": "SUPPRESS",
            "arn": "arn:aws:inspector2:us-east-1:813737243517:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
            "createdAt": "2024-05-15T21:28:27.054000+00:00",
            "criteria": {
                "resourceType": [
                    {
                        "comparison": "EQUALS",
                        "value": "AWS_ECR_INSTANCE"
                    }
                ]
            },
            "description": "This suppression rule omits ECR instance type findings",
            "name": "ExampleSuppressionRuleECR",
            "ownerId": "o-EXAMPLE222",
            "tags": {},
            "updatedAt": "2024-05-15T21:28:27.054000+00:00"
        }
    ]
}

For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.

The following code example shows how to use list-findings.

AWS CLI

To list findings

The following list-findings command lists all generated findings:

aws inspector list-findings

Output:

{
    "findingArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy"
    ]
}

For more information, see Amazon Inspector Findings in the Amazon Inspector User Guide.

The following code example shows how to use list-rules-packages.

AWS CLI

To list rules packages

The following list-rules-packages command lists all available Inspector rules packages:

aws inspector list-rules-packages

Output:

{
    "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
    ]
}

For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector User Guide.

The following code example shows how to use list-tags-for-resource.

AWS CLI

To list tags for a resource

The following list-tags-for-resource command lists all tags associated with the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu:

aws inspector list-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu

Output:

{
    "tags": [
        {
            "key": "Name",
            "value": "Example"
        }
    ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use list-usage-totals.

AWS CLI

To list usage totals over the last 30 days

The following list-usage-totals example lists usage totals over the last 30 days.

aws inspector2 list-usage-totals

Output:

{ "totals": [ { "accountId": "123456789012", "usage": [ { "currency": "USD", "estimatedMonthlyCost": 4.6022044647, "total": 1893.4784083333334, "type": "EC2_AGENTLESS_INSTANCE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 18.892449279, "total": 10882.050784722222, "type": "EC2_INSTANCE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 5.4525363736, "total": 6543.043648333333, "type": "LAMBDA_FUNCTION_CODE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 3.9064080309, "total": 9375.379274166668, "type": "LAMBDA_FUNCTION_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 0.06, "total": 6.0, "type": "ECR_RESCAN" }, { "currency": "USD", "estimatedMonthlyCost": 0.09, "total": 1.0, "type": "ECR_INITIAL_SCAN" } ] } ] }

For more information, see Monitoring usage and cost in Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use preview-agents.

AWS CLI

To preview agents

The following preview-agents command previews the agents installed on the EC2 instances that are part of the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector preview-agents --preview-agents-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

Output:

{
    "agentPreviews": [
        {
            "agentId": "i-49113b93"
        }
    ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use register-cross-account-access-role.

AWS CLI

To register the cross-account access role

The following register-cross-account-access-role command registers the IAM role with the ARN of arn:aws:iam::123456789012:role/inspector that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the preview-agents command:

aws inspector register-cross-account-access-role --role-arn arn:aws:iam::123456789012:role/inspector

For more information, see Setting up Amazon Inspector in the Amazon Inspector User Guide.

The following code example shows how to use remove-attributes-from-findings.

AWS CLI

To remove attributes from findings

The following remove-attributes-from-findings command removes the attribute with the key of Example from the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU (the --attribute-keys option takes attribute keys only, not key/value pairs):

aws inspector remove-attributes-from-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU --attribute-keys Example

Output:

{ "failedItems": {} }

For more information, see Amazon Inspector Findings in the Amazon Inspector User Guide.

The following code example shows how to use set-tags-for-resource.

AWS CLI

To set tags for a resource

The following set-tags-for-resource command sets the tag with the key of Example and value of example on the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:

aws inspector set-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --tags key=Example,value=example

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use start-assessment-run.

AWS CLI

To start an assessment run

The following start-assessment-run command starts the assessment run named examplerun using the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:

aws inspector start-assessment-run --assessment-run-name examplerun --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T

Output:

{ "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY" }

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.
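The create-resource-group, create-assessment-target, create-assessment-template, start-assessment-run and describe-assessment-runs commands on this page are the steps of one procedure, and each step consumes the ARN the previous one printed. The following Python script is an added example (not code from the AWS CLI documentation) that chains them by shelling out to the `aws inspector` CLI (the Inspector Classic namespace, as distinct from `aws inspector2`) with `--output json`, and then polls describe-assessment-runs until the run reaches a terminal state. The runner is injectable: `FakeRunner` replays the outputs printed on this page so the flow can be exercised offline, and its COLLECTING_DATA-then-COMPLETED sequence is constructed. Of the states in TERMINAL_STATES only COMPLETED appears on this page; the others are taken from the AssessmentRunState API enum. In production code boto3 would be the usual choice; the subprocess approach is used here because the page is about the CLI.

```python
import json
import subprocess
import time

# Terminal values of the Inspector Classic AssessmentRunState enum. Only COMPLETED
# appears on this page; the others come from the API model.
TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}


def cli_runner(args):
    """Run `aws inspector <args>` and return its parsed JSON ({} if the command prints nothing)."""
    proc = subprocess.run(["aws", "inspector", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


class InspectorClassic:
    """Thin wrapper over the page's commands; `runner` is injectable for offline tests."""

    def __init__(self, runner=cli_runner, sleep=time.sleep):
        self.run = runner
        self.sleep = sleep

    def create_resource_group(self, tag_key, tag_value):
        doc = self.run(["create-resource-group", "--resource-group-tags", f"key={tag_key},value={tag_value}"])
        return doc["resourceGroupArn"]

    def create_assessment_target(self, name, resource_group_arn):
        doc = self.run(["create-assessment-target", "--assessment-target-name", name,
                        "--resource-group-arn", resource_group_arn])
        return doc["assessmentTargetArn"]

    def create_assessment_template(self, name, target_arn, rules_package_arns,
                                   duration_seconds=180, user_attributes=None):
        args = ["create-assessment-template", "--assessment-target-arn", target_arn,
                "--assessment-template-name", name, "--duration-in-seconds", str(duration_seconds),
                "--rules-package-arns", *rules_package_arns]
        if user_attributes:  # list parameter: one key=...,value=... token per attribute
            args += ["--user-attributes-for-findings",
                     *[f"key={k},value={v}" for k, v in user_attributes.items()]]
        return self.run(args)["assessmentTemplateArn"]

    def start_assessment_run(self, name, template_arn):
        doc = self.run(["start-assessment-run", "--assessment-run-name", name,
                        "--assessment-template-arn", template_arn])
        return doc["assessmentRunArn"]

    def wait_for_run(self, run_arn, interval_seconds=30, max_polls=240):
        """Poll describe-assessment-runs until the run reaches a terminal state."""
        for _ in range(max_polls):
            doc = self.run(["describe-assessment-runs", "--assessment-run-arns", run_arn])
            if doc.get("failedItems"):  # batch API: a bad ARN shows up here, not as a non-zero exit
                raise RuntimeError(f"describe-assessment-runs could not describe {run_arn}: {doc['failedItems']}")
            state = doc["assessmentRuns"][0]["state"]
            if state in TERMINAL_STATES:
                return state
            self.sleep(interval_seconds)
        raise TimeoutError(f"assessment run {run_arn} not finished after {max_polls} polls")


def run_assessment(api, rules_package_arns, duration_seconds=180):
    """The page's create -> start -> wait sequence as one call; returns the ARNs and final state."""
    group_arn = api.create_resource_group("Name", "example")
    target_arn = api.create_assessment_target("ExampleAssessmentTarget", group_arn)
    template_arn = api.create_assessment_template("ExampleAssessmentTemplate", target_arn, rules_package_arns,
                                                  duration_seconds, {"ExampleTag": "examplevalue"})
    run_arn = api.start_assessment_run("examplerun", template_arn)
    return {"resourceGroupArn": group_arn, "assessmentTargetArn": target_arn,
            "assessmentTemplateArn": template_arn, "assessmentRunArn": run_arn,
            "state": api.wait_for_run(run_arn)}


class FakeRunner:
    """Offline stand-in for cli_runner that replays the outputs printed on this page."""

    def __init__(self):
        self.calls = []
        self.polls = 0

    def __call__(self, args):
        self.calls.append(args)
        cmd = args[0]
        if cmd == "create-resource-group":
            return {"resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"}
        if cmd == "create-assessment-target":
            return {"assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX"}
        if cmd == "create-assessment-template":
            return {"assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T"}
        if cmd == "start-assessment-run":
            return {"assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY"}
        if cmd == "describe-assessment-runs":
            self.polls += 1  # constructed sequence: still collecting on the first poll, done on the second
            state = "COLLECTING_DATA" if self.polls == 1 else "COMPLETED"
            return {"assessmentRuns": [{"arn": args[2], "state": state}], "failedItems": {}}
        raise ValueError(f"unexpected command {cmd}")


if __name__ == "__main__":
    api = InspectorClassic(runner=FakeRunner(), sleep=lambda _s: None)  # swap in cli_runner for a real account
    print(run_assessment(api, ["arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p"]))
```

Replace `FakeRunner()` with the default `cli_runner` to drive a real account; the wait loop's failedItems check matters there because describe-assessment-runs returns exit status 0 even when the ARN it was given does not exist.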

The following code example shows how to use stop-assessment-run.

AWS CLI

To stop an assessment run

The following stop-assessment-run command stops the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY:

aws inspector stop-assessment-run --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use subscribe-to-event.

AWS CLI

To subscribe to an event

The following subscribe-to-event command enables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic:

aws inspector subscribe-to-event \
    --event ASSESSMENT_RUN_COMPLETED \
    --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 \
    --topic-arn arn:aws:sns:us-west-2:123456789012:exampletopic

This command produces no output.

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use unsubscribe-from-event.

AWS CLI

To unsubscribe from an event

The following unsubscribe-from-event command disables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic (the option name is --topic-arn):

aws inspector unsubscribe-from-event --event ASSESSMENT_RUN_COMPLETED --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --topic-arn arn:aws:sns:us-west-2:123456789012:exampletopic

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use update-assessment-target.

AWS CLI

To update an assessment target

The following update-assessment-target command updates the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX, giving it the name Example and the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt:

aws inspector update-assessment-target --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX --assessment-target-name Example --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector User Guide.

The following code example shows how to use update-filter.

AWS CLI

To update a filter

The following update-filter example updates a filter to omit Lambda findings instead of ECR instance findings. Note that only the name, description and reason are changed here; because no --filter-criteria is passed, the criteria in the output are unchanged.

aws inspector2 update-filter \
    --filter-arn "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" \
    --name "ExampleSuppressionRuleLambda" \
    --description "This suppression rule omits Lambda instance findings" \
    --reason "Updating filter to omit Lambda instance findings instead of ECR instance findings"

Output:

{
    "filters": [
        {
            "action": "SUPPRESS",
            "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
            "createdAt": "2024-05-15T21:28:27.054000+00:00",
            "criteria": {
                "resourceType": [
                    {
                        "comparison": "EQUALS",
                        "value": "AWS_ECR_INSTANCE"
                    }
                ]
            },
            "description": "This suppression rule omits Lambda instance findings",
            "name": "ExampleSuppressionRuleLambda",
            "ownerId": "o-EXAMPLE222",
            "reason": "Updating filter to omit Lambda instance findings instead of ECR instance findings",
            "tags": {},
            "updatedAt": "2024-05-15T22:23:13.665000+00:00"
        }
    ]
}

For more information, see Managing findings in Amazon Inspector in the Amazon Inspector User Guide.
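Suppression rules (the SUPPRESS action shown in the create-filter, list-filters and update-filter examples) hide findings, so they deserve a periodic review: a rule whose criteria are only a resourceType suppresses every finding for that resource type, and, as the update-filter output above shows, renaming a rule does not change what it matches. The following Python script is an added example (not AWS documentation code) that audits list-filters output for three problems: rules with no criteria, rules with no finding- or resource-specific criterion, and rules whose name or description names a different resource family (EC2, ECR, Lambda) than their criteria. The sample is constructed from the page's list-filters and update-filter outputs plus one invented narrow rule with placeholder vulnerability and resource ids; the set of narrowing FilterCriteria keys is this script's own judgement, not an AWS definition.

```python
import json
import re

# Resource families named in inspector2 resourceType values and in rule wording.
FAMILIES = ("EC2", "ECR", "LAMBDA")

# inspector2 FilterCriteria keys that pin a rule to specific findings or resources.
# Which keys count as "narrowing" is this script's judgement, not an AWS definition.
NARROWING_KEYS = {"findingArn", "vulnerabilityId", "resourceId", "ecrImageHash",
                  "ecrImageRepositoryName", "lambdaFunctionName", "title"}

# Constructed sample: the two rules from the page's list-filters output, the rule as the
# page's update-filter output leaves it, and one invented narrow rule (placeholder ids).
SAMPLE_LIST_FILTERS = json.dumps({"filters": [
    {"action": "SUPPRESS", "name": "ExampleSuppressionRuleEC2",
     "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
     "criteria": {"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]},
     "description": "This suppression rule omits EC2 instance type findings"},
    {"action": "SUPPRESS", "name": "ExampleSuppressionRuleECR",
     "arn": "arn:aws:inspector2:us-east-1:813737243517:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
     "criteria": {"resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_INSTANCE"}]},
     "description": "This suppression rule omits ECR instance type findings"},
    {"action": "SUPPRESS", "name": "ExampleSuppressionRuleLambda",
     "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
     "criteria": {"resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_INSTANCE"}]},
     "description": "This suppression rule omits Lambda instance findings"},
    {"action": "SUPPRESS", "name": "AcceptedRiskBastionPlaceholder",
     "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/PLACEHOLDER",
     "criteria": {"vulnerabilityId": [{"comparison": "EQUALS", "value": "CVE-XXXX-XXXX"}],
                  "resourceId": [{"comparison": "EQUALS", "value": "i-PLACEHOLDER0000001"}]},
     "description": "Accepted risk, tracked in ticket PLACEHOLDER"},
]})


def _families_in_criteria(criteria):
    values = " ".join(item.get("value", "") for item in criteria.get("resourceType", []))
    return {fam for fam in FAMILIES if fam in values.upper()}


def _families_in_text(text):
    return {fam for fam in FAMILIES if re.search(r"\b" + fam + r"\b", text, re.IGNORECASE)}


def audit_suppression_filters(raw):
    """Return (filter name, issue code, detail) for every SUPPRESS rule that is empty,
    broad, or whose wording no longer matches its criteria."""
    issues = []
    for f in json.loads(raw).get("filters", []):
        if f.get("action") != "SUPPRESS":
            continue
        name = f.get("name") or f.get("arn")
        criteria = f.get("criteria") or {}
        if not criteria:
            issues.append((name, "empty", "no criteria: suppresses every finding"))
        elif not (NARROWING_KEYS & set(criteria)):
            issues.append((name, "broad", "no finding- or resource-specific key; keys="
                           + ",".join(sorted(criteria))))
        crit_fam = _families_in_criteria(criteria)
        text_fam = _families_in_text(f.get("name", "") + " " + f.get("description", ""))
        if crit_fam and text_fam and crit_fam.isdisjoint(text_fam):
            issues.append((name, "mismatch",
                           f"wording says {sorted(text_fam)} but criteria target {sorted(crit_fam)}"))
    return issues


if __name__ == "__main__":
    # Against a real account, raw would come from: aws inspector2 list-filters --output json
    for name, code, detail in audit_suppression_filters(SAMPLE_LIST_FILTERS):
        print(f"{code:8} {name}: {detail}")
```

On the sample, the three page rules are reported as broad and the renamed rule is additionally reported as a mismatch, which is the condition the update-filter example leaves behind; the invented narrow rule passes because it is pinned to one vulnerability on one resource.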