本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用 Amazon 監控 EventBridge
Amazon EventBridge 是一種無伺服器事件匯流排服務,可讓您輕鬆地將應用程式與各種來源的資料連接起來。 EventBridge 從您自己的應用程式、S oftware-as-a 服務 (SaaS) 應用程式以及服務提供即時資料串流,並 AWS 將該資料路由到目標 (例如 Lambda)。這可讓您監控在服務中發生的事件,並建置事件導向的架構。如需詳細資訊,請參閱 Amazon EventBridge 使用者指南。
作為受 S3 惡意軟體保護保護的 S3 儲存貯體的擁有者帳戶,在下列情況下,將 EventBridge 通知 GuardDuty發佈到預設事件匯流排:
-
惡意軟體防護規劃任何受保護值區的資源狀態變更。有關各种狀態的更多內容,敬請參閱惡意程式碼防護計劃資源。
-
發生標籤事件失敗,原因如下:
-
您的IAM角色缺少標記物件的權限。
新增IAM原則權限範本包括標記物件的權限。 GuardDuty
-
IAM角色中指定的值區資源或物件不再存在。
-
關聯的 S3 物件已達到標籤上限。如需有關標籤限制的詳細資訊,請參閱 Amazon S3 使用者指南中的使用標籤對儲存進行分類。
-
-
S3 物件掃描結果會發佈至您的預設 EventBridge 事件匯流排。
設定 EventBridge 規則
您可以在帳戶中設定 EventBridge 規則,將資源狀態、掃描後標籤失敗事件或 S3 物件掃描結果傳送給另一個 AWS 服務。身為委派的 GuardDuty 系統管理員帳戶,當狀態發生變更時,您會收到惡意程式碼防護計劃資源狀態通知。
將採用標準 EventBridge 定價。如需詳細資訊,請參閱 Amazon EventBridge 定價
顯示在中的所有值 red 是範例的預留位置。這些值將根據您帳戶中的值以及是否偵測到惡意程式碼而變更。
惡意程式碼防護計劃資源
您可以根據下列案例建立 EventBridge 事件模式:
潛在detail-type值
-
"GuardDuty Malware Protection Resource Status Active" -
"GuardDuty Malware Protection Resource Status Warning" -
"GuardDuty Malware Protection Resource Status Error"
事件模式
{ "detail-type": ["potential detail-type"], "source": ["aws.guardduty"] }
範例通知結構描述 GuardDuty Malware Protection Resource Status Active:
{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status Active", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ACTIVE" } }
範例通知結構描述 GuardDuty Malware Protection Resource Status Warning:
{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status warning", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "WARNING", "statusReasons": [ { "code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS" } ] } }
範例通知結構描述 GuardDuty Malware Protection Resource Status Error:
{ "version": "0", "id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2", "detail-type": "GuardDuty Malware Protection Resource StatusError", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ERROR", "statusReasons": [ { "code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED" } ] } }
根據背後的原因 resourceStatusERROR,該statusReasons值將被填充。
如需有關下列警告和錯誤之疑難排解步驟的資訊,請參閱疑難排解惡意程式碼防護計劃。
S3 物件掃描結果
{ "detail-type": ["GuardDuty Malware Protection Object Scan Result"], "source": ["aws.guardduty"] }
範例通知結構描述 NO_THREATS_FOUND:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "scanResultDetails": { "scanResultStatus": "NO_THREATS_FOUND", "threats": null } } }
範例通知結構描述 THREATS_FOUND:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "scanResultDetails": { "scanResultStatus": "THREATS_FOUND", "threats": [ { "name": "EICAR-Test-File (not a virus)" } ] } } }
掃瞄結果狀態的通知結構描述範例UNSUPPORTED(已略過):
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "scanResultDetails": { "scanResultStatus": "UNSUPPORTED", "threats": null } } }
掃瞄結果狀態的通知結構描述範例ACCESS_DENIED(已略過):
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "scanResultDetails": { "scanResultStatus": "ACCESS_DENIED", "threats": null } } }
掃瞄結果狀態的通知結構描述範例 FAILED:
{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:], "detail": { "schemaVersion": "1.0", "scanStatus": "FAILED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLEamzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "scanResultDetails": { "scanResultStatus": "FAILED", "threats": null } } }
掃描後標籤失敗事件
事件模式:
{ "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty" }
範例通知結構描述 ACCESS_DENIED:
{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "postScanActions": [{ "actionType": "TAGGING", "status": "FAILED", "failureReason": "ACCESS_DENIED" }] } }
範例通知結構描述 MAX_TAG_LIMIT_EXCEEDED:
{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:"], "detail": { "schemaVersion": "1.0", "eventTime": "us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE" }, "postScanActions": [{ "actionType": "TAGGING", "status": "FAILED", "failureReason": "MAX_TAG_LIMIT_EXCEEDED" }] } }
若要疑難排解這些失敗原因,請參閱疑難排解 S3 物件掃描後標籤失敗。
