Amazon EventBridge event schema for Macie findings - Amazon Macie

Amazon EventBridge event schema for Macie findings

To support integration with other applications, services, and systems, such as monitoring or event management systems, Amazon Macie automatically publishes findings to Amazon EventBridge as events. EventBridge, formerly Amazon CloudWatch Events, is a serverless event bus service that streams real-time data from applications and other AWS services to targets such as AWS Lambda functions, Amazon Simple Notification Service topics, and Amazon Kinesis streams. To learn more about EventBridge, see the Amazon EventBridge User Guide.

Note

If you currently use CloudWatch Events, note that EventBridge and CloudWatch Events are the same underlying service and API. However, EventBridge includes additional features that let you receive events from software as a service (SaaS) applications and your own applications. Because the underlying service and API are the same, the event schema for Macie findings is also the same.

Macie automatically publishes events for all new findings and for subsequent occurrences of existing policy findings, except findings that are automatically archived by suppression rules. An event is a JSON object that conforms to the EventBridge schema for AWS events. Each event contains a JSON representation of a specific finding. Because the data is structured as an EventBridge event, you can more easily monitor, process, and act on findings by using other applications, services, and tools. To learn more about how and when Macie publishes events for findings, see Configuring publication settings for findings.

Event schema for Macie findings

The following example shows the structure of an Amazon EventBridge event for an Amazon Macie finding. For a detailed description of the fields that are included in a finding event, see Findings in the Amazon Macie API Reference. The structure and fields of a finding event map closely to the Finding object of the Amazon Macie API.

{
  "version": "0",
  "id": "event ID",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "AWS account ID (string)",
  "time": "event timestamp (string)",
  "region": "AWS Region (string)",
  "resources": [
    <-- ARNs of the resources involved in the event -->
  ],
  "detail": {
    <-- Details of a policy or sensitive data finding -->
  },
  "policyDetails": null, <-- Additional details of a policy finding or null for a sensitive data finding -->
  "sample": Boolean,
  "archived": Boolean
}

Example of an event for a policy finding

The following example uses sample data to demonstrate the structure and nature of the objects and fields in an Amazon EventBridge event for a policy finding. In this example, the event reports a subsequent occurrence of an existing policy finding: Amazon Macie detected that the block public access settings for an S3 bucket were disabled. The following fields and values help you determine that this is the case:

  • The type field is set to Policy:IAMUser/S3BlockPublicAccessDisabled.

  • The values of the createdAt and updatedAt fields differ. This indicates that the event reports a subsequent occurrence of an existing policy finding. If the event reported a new finding, the values of these fields would be the same.

  • The count field is set to 2, which indicates that this is the second occurrence of the finding.

  • The category field is set to POLICY.

  • The value of the classificationDetails field is null, which helps distinguish this policy finding event from a sensitive data finding event. For a sensitive data finding, this value would be a set of objects and fields that provide information about how the sensitive data was found and what the data contains.

Note that the value of the sample field is set to true. This value emphasizes that this is a sample event used in the documentation.

{
  "version": "0",
  "id": "0948ba87-d3b8-c6d4-f2da-732a1example",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "123456789012",
  "time": "2024-04-30T23:12:15Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "1.0",
    "id": "64b917aa-3843-014c-91d8-937ffexample",
    "accountId": "123456789012",
    "partition": "aws",
    "region": "us-east-1",
    "type": "Policy:IAMUser/S3BlockPublicAccessDisabled",
    "title": "Block public access settings are disabled for the S3 bucket",
    "description": "All bucket-level block public access settings were disabled for the S3 bucket. Access to the bucket is controlled by account-level block public access settings, access control lists (ACLs), and the bucket’s bucket policy.",
    "severity": {
      "score": 3,
      "description": "High"
    },
    "createdAt": "2024-04-29T15:46:02Z",
    "updatedAt": "2024-04-30T23:12:15Z",
    "count": 2,
    "resourcesAffected": {
      "s3Bucket": {
        "arn": "arn:aws:s3:::amzn-s3-demo-bucket1",
        "name": "amzn-s3-demo-bucket1",
        "createdAt": "2020-04-03T20:46:56.000Z",
        "owner": {
          "displayName": "johndoe",
          "id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
        },
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "defaultServerSideEncryption": {
          "encryptionType": "aws:kms",
          "kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        "publicAccess": {
          "permissionConfiguration": {
            "bucketLevelPermissions": {
              "accessControlList": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "bucketPolicy": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "blockPublicAccess": {
                "ignorePublicAcls": false,
                "restrictPublicBuckets": false,
                "blockPublicAcls": false,
                "blockPublicPolicy": false
              }
            },
            "accountLevelPermissions": {
              "blockPublicAccess": {
                "ignorePublicAcls": true,
                "restrictPublicBuckets": true,
                "blockPublicAcls": true,
                "blockPublicPolicy": true
              }
            }
          },
          "effectivePermission": "NOT_PUBLIC"
        },
        "allowsUnencryptedObjectUploads": "FALSE"
      },
      "s3Object": null
    },
    "category": "POLICY",
    "classificationDetails": null,
    "policyDetails": {
      "action": {
        "actionType": "AWS_API_CALL",
        "apiCallDetails": {
          "api": "PutBucketPublicAccessBlock",
          "apiServiceName": "s3.amazonaws.com",
          "firstSeen": "2024-04-29T15:46:02.401Z",
          "lastSeen": "2024-04-30T23:12:15.401Z"
        }
      },
      "actor": {
        "userIdentity": {
          "type": "AssumedRole",
          "assumedRole": {
            "principalId": "AROA1234567890EXAMPLE:AssumedRoleSessionName",
            "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
              "attributes": {
                "mfaAuthenticated": false,
                "creationDate": "2024-04-29T10:25:43.511Z"
              },
              "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA1234567890EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                "accountId": "123456789012",
                "userName": "RoleToBeAssumed"
              }
            }
          },
          "root": null,
          "iamUser": null,
          "federatedUser": null,
          "awsAccount": null,
          "awsService": null
        },
        "ipAddressDetails": {
          "ipAddressV4": "192.0.2.0",
          "ipOwner": {
            "asn": "-1",
            "asnOrg": "ExampleFindingASNOrg",
            "isp": "ExampleFindingISP",
            "org": "ExampleFindingORG"
          },
          "ipCountry": {
            "code": "US",
            "name": "United States"
          },
          "ipCity": {
            "name": "Ashburn"
          },
          "ipGeoLocation": {
            "lat": 39.0481,
            "lon": -77.4728
          }
        },
        "domainDetails": null
      }
    },
    "sample": true,
    "archived": false
  }
}

Example of an event for a sensitive data finding

The following example uses sample data to demonstrate the structure and nature of the objects and fields in an Amazon EventBridge event for a sensitive data finding. In this example, the event reports a new sensitive data finding: Amazon Macie found multiple categories and types of sensitive data in an S3 object. The following fields and values help you determine that this is the case:

  • The type field is set to SensitiveData:S3Object/Multiple.

  • The values of the createdAt and updatedAt fields are the same. Unlike policy findings, this is always the case for sensitive data findings. All sensitive data findings are treated as new findings.

  • The count field is set to 1, which indicates that this is a new finding. Unlike policy findings, this is always the case for sensitive data findings. All sensitive data findings are treated as unique (new).

  • The category field is set to CLASSIFICATION.

  • The value of the policyDetails field is null, which helps distinguish a sensitive data finding event from a policy finding event. For a policy finding, this value would be a set of objects and fields that provide information about the potential policy violation or security or privacy issue for an S3 bucket.

Note that the value of the sample field is set to true. This value emphasizes that this is a sample event used in the documentation.

{
  "version": "0",
  "id": "14ddd0b1-7c90-b9e3-8a68-6a408example",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "123456789012",
  "time": "2024-04-20T08:19:10Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "1.0",
    "id": "4ed45d06-c9b9-4506-ab7f-18a57example",
    "accountId": "123456789012",
    "partition": "aws",
    "region": "us-east-1",
    "type": "SensitiveData:S3Object/Multiple",
    "title": "The S3 object contains multiple categories of sensitive data",
    "description": "The S3 object contains more than one category of sensitive data.",
    "severity": {
      "score": 3,
      "description": "High"
    },
    "createdAt": "2024-04-20T18:19:10Z",
    "updatedAt": "2024-04-20T18:19:10Z",
    "count": 1,
    "resourcesAffected": {
      "s3Bucket": {
        "arn": "arn:aws:s3:::amzn-s3-demo-bucket2",
        "name": "amzn-s3-demo-bucket2",
        "createdAt": "2020-05-15T20:46:56.000Z",
        "owner": {
          "displayName": "johndoe",
          "id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
        },
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "defaultServerSideEncryption": {
          "encryptionType": "aws:kms",
          "kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        "publicAccess": {
          "permissionConfiguration": {
            "bucketLevelPermissions": {
              "accessControlList": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "bucketPolicy": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "blockPublicAccess": {
                "ignorePublicAcls": true,
                "restrictPublicBuckets": true,
                "blockPublicAcls": true,
                "blockPublicPolicy": true
              }
            },
            "accountLevelPermissions": {
              "blockPublicAccess": {
                "ignorePublicAcls": false,
                "restrictPublicBuckets": false,
                "blockPublicAcls": false,
                "blockPublicPolicy": false
              }
            }
          },
          "effectivePermission": "NOT_PUBLIC"
        },
        "allowsUnencryptedObjectUploads": "TRUE"
      },
      "s3Object": {
        "bucketArn": "arn:aws:s3:::amzn-s3-demo-bucket2",
        "key": "2024 Sourcing.csv",
        "path": "amzn-s3-demo-bucket2/2024 Sourcing.csv",
        "extension": "csv",
        "lastModified": "2024-04-19T22:08:25.000Z",
        "versionId": "",
        "serverSideEncryption": {
          "encryptionType": "aws:kms",
          "kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        "size": 4750,
        "storageClass": "STANDARD",
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "publicAccess": false,
        "etag": "6bb7fd4fa9d36d6b8fb8882caexample"
      }
    },
    "category": "CLASSIFICATION",
    "classificationDetails": {
      "jobArn": "arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample",
      "jobId": "3ce05dbb7ec5505def334104bexample",
      "result": {
        "status": {
          "code": "COMPLETE",
          "reason": null
        },
        "sizeClassified": 4750,
        "mimeType": "text/csv",
        "additionalOccurrences": true,
        "sensitiveData": [
          {
            "category": "PERSONAL_INFORMATION",
            "totalCount": 65,
            "detections": [
              {
                "type": "USA_SOCIAL_SECURITY_NUMBER",
                "count": 30,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 1, "columnName": "SSN", "cellReference": null },
                    { "row": 3, "column": 1, "columnName": "SSN", "cellReference": null },
                    { "row": 4, "column": 1, "columnName": "SSN", "cellReference": null }
                  ]
                }
              },
              {
                "type": "NAME",
                "count": 35,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 3, "columnName": "Name", "cellReference": null },
                    { "row": 3, "column": 3, "columnName": "Name", "cellReference": null }
                  ]
                }
              }
            ]
          },
          {
            "category": "FINANCIAL_INFORMATION",
            "totalCount": 30,
            "detections": [
              {
                "type": "CREDIT_CARD_NUMBER",
                "count": 30,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 14, "columnName": "CCN", "cellReference": null },
                    { "row": 3, "column": 14, "columnName": "CCN", "cellReference": null }
                  ]
                }
              }
            ]
          }
        ],
        "customDataIdentifiers": {
          "totalCount": 0,
          "detections": []
        }
      },
      "detailedResultsLocation": "s3://macie-data-discovery-results/AWSLogs/123456789012/Macie/us-east-1/3ce05dbb7ec5505def334104bexample/d48bf16d-0deb-3e49-9d8c-d407cexample.jsonl.gz",
      "originType": "SENSITIVE_DATA_DISCOVERY_JOB"
    },
    "policyDetails": null,
    "sample": true,
    "archived": false
  }
}
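As an added example (not code from this page or from AWS), the following Python function applies the field checks the two sections above describe to an incoming event: the source and detail-type of a Macie finding, category, whether classificationDetails or policyDetails is null, count together with createdAt versus updatedAt, and the sample and archived flags that mark events a responder should not act on. The two embedded events are constructed, trimmed versions of the page's samples; the function name and the keys of the summary it returns are this example's own.

```python
def triage_macie_event(event: dict) -> dict:
    """Summarize a Macie finding event using the fields the page describes."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise ValueError("not a Macie finding event")
    d = event["detail"]
    s = {"finding_id": d["id"], "type": d["type"], "severity": d["severity"]["description"],
         "bucket": d["resourcesAffected"]["s3Bucket"]["name"],
         # sample (documentation) and auto-archived findings should not page anyone
         "actionable": not d.get("sample", False) and not d.get("archived", False)}
    if d["category"] == "POLICY":
        # Policy finding: classificationDetails is null; count > 1 (equivalently
        # updatedAt != createdAt) marks a recurrence of an existing finding.
        s["kind"], pd = "policy", d["policyDetails"]
        s["recurrence"] = d["count"] > 1 or d["createdAt"] != d["updatedAt"]
        s["api"] = pd["action"]["apiCallDetails"]["api"]
        # Exactly one of assumedRole/root/iamUser/... in userIdentity is non-null.
        actor = next(v for k, v in pd["actor"]["userIdentity"].items()
                     if k != "type" and v is not None)
        s["actor_arn"] = actor.get("arn")
    elif d["category"] == "CLASSIFICATION":
        # Sensitive data finding: policyDetails is null and count is always 1.
        s["kind"] = "sensitive_data"
        s["object_key"] = d["resourcesAffected"]["s3Object"]["key"]
        s["detections"] = {det["type"]: det["count"]
                           for cat in d["classificationDetails"]["result"]["sensitiveData"]
                           for det in cat["detections"]}
    else:
        raise ValueError(f"unknown finding category {d['category']!r}")
    return s


# Constructed, trimmed events mirroring the page's two samples (not the page's own JSON).
POLICY_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "id": "finding-1-example", "type": "Policy:IAMUser/S3BlockPublicAccessDisabled",
    "severity": {"score": 3, "description": "High"}, "category": "POLICY", "count": 2,
    "createdAt": "2024-04-29T15:46:02Z", "updatedAt": "2024-04-30T23:12:15Z",
    "resourcesAffected": {"s3Bucket": {"name": "amzn-s3-demo-bucket1"}, "s3Object": None},
    "classificationDetails": None, "sample": True, "archived": False,
    "policyDetails": {"action": {"apiCallDetails": {"api": "PutBucketPublicAccessBlock"}},
                      "actor": {"userIdentity": {"type": "AssumedRole", "root": None, "iamUser": None,
                                "assumedRole": {"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName"}}}}}}
SENSITIVE_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "id": "finding-2-example", "type": "SensitiveData:S3Object/Multiple", "count": 1,
    "severity": {"score": 3, "description": "High"}, "category": "CLASSIFICATION",
    "createdAt": "2024-04-20T18:19:10Z", "updatedAt": "2024-04-20T18:19:10Z",
    "resourcesAffected": {"s3Bucket": {"name": "amzn-s3-demo-bucket2"}, "s3Object": {"key": "2024 Sourcing.csv"}},
    "policyDetails": None, "sample": False, "archived": False,
    "classificationDetails": {"result": {"sensitiveData": [
        {"category": "PERSONAL_INFORMATION", "detections": [{"type": "USA_SOCIAL_SECURITY_NUMBER", "count": 30}, {"type": "NAME", "count": 35}]},
        {"category": "FINANCIAL_INFORMATION", "detections": [{"type": "CREDIT_CARD_NUMBER", "count": 30}]}]}}}}
```

In a Lambda target the handler would call triage_macie_event on the event it receives and route on kind, recurrence and actionable; an EventBridge rule with source aws.macie and detail-type Macie Finding is what delivers these events to it.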