本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Amazon Inspector 事件的 Amazon EventBridge 事件結構描述
Amazon EventBridge 會將即時資料從應用程式和其他 AWS 服務 串流傳送至目標,例如 Amazon Kinesis Data Streams 中的 AWS Lambda 函數、Amazon Simple Notification Service 主題和資料串流。為了支援與其他應用程式、服務和系統的整合,Amazon Inspector 會自動將調查結果發佈至 EventBridge 做為事件。您可以使用 Amazon Inspector 發佈問題清單、涵蓋範圍和掃描的事件。本節提供 EventBridge 事件的範例結構描述。
主題
Amazon Inspector 的 Amazon EventBridge 基礎結構描述
以下是 Amazon Inspector EventBridge 事件的基本結構描述範例。事件詳細資訊會根據事件類型而有所不同。
{ "version": "0", "id": "Event ID", "detail-type": "Inspector2 *event type*", "source": "aws.inspector2", "account": "AWS 帳戶 ID (string)", "time": "event timestamp (string)", "region": "AWS 區域 (string)", "resources": [ *IDs or ARNs of the resources involved in the event* ], "detail": { *Details of an Amazon Inspector event type* } }
Amazon Inspector 調查結果事件結構描述範例
下列範例包含 Amazon Inspector 調查結果的 EventBridge 事件結構描述。當 Amazon Inspector 識別其中一個資源中的軟體漏洞或網路問題時,就會建立問題清單事件。如需建立通知以回應此類事件的指南,請參閱 使用 Amazon 創建對 Amazon Inspector 發現的自定義 EventBridge。
下列欄位可識別問題清單事件:
-
detail-type設定為Inspector2 Finding。 -
detail說明問題清單。 -
detail.resources.tags是儲存索引鍵值資料的位置。
您可以篩選標籤,以查看不同資源和問題清單類型的問題清單。
- Amazon EC2 package vulnerability finding
{ "version": "0", "id": "4d621919-f1f4-4201-a0e2-37e4e330ff51", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T17:00:36Z", "region": "eu-central-1", "resources": [ "i-12345678901234567" ], "detail": { "awsAccountId": "123456789012", "description": "In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.", "epss": { "score": 0.00043 }, "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:59:44.356 UTC 2024", "fixAvailable": "YES", "inspectorScore": 4.8, "inspectorScoreDetails": { "adjustedCvss": { "adjustments": [], "cvssSource": "UBUNTU_CVE", "score": 4.8, "scoreSource": "UBUNTU_CVE", "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } }, "lastObservedAt": "Wed Sep 04 16:59:44.476 UTC 2024", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 4.8, "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "source": "UBUNTU_CVE", "version": "3.1" }, { "baseScore": 7.3, "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://www.cve.org/CVERecord?id=CVE-2024-29069", "https://ubuntu.com/security/notices/USN-6940-1" ], "relatedVulnerabilities": [ "USN-6940-1" ], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-29069.html", "vendorCreatedAt": "Thu Jul 25 20:15:00.000 UTC 2024", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2024-29069", "vulnerablePackages": [ { "arch": "ALL", "epoch": 0, "fixedInVersion": "0:2.63+22.04ubuntu0.1", "name": "snapd", "packageManager": "OS", "remediation": "apt-get update && apt-get upgrade", "version": "2.63" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-02ff980600c693b38", "ipV4Addresses": [ "1.23.456.789", "123.45.67.890" ], "ipV6Addresses": [], "launchedAt": "Wed Sep 04 16:57:40.000 UTC 2024", "platform": "UBUNTU_22_04", "subnetId": "subnet-12345678", "type": "t2.small", "vpcId": "vpc-12345678" } }, "id": "i-12345678901234567", "partition": "aws", "region": "eu-central-1", "type": "AWS_EC2_INSTANCE" } ], "severity": "MEDIUM", "status": "CLOSED", "title": "CVE-2024-29069 - snapd", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 17:00:36.951 UTC 2024" } }- Amazon EC2 network reachability finding
-
{ "version": "0", "id": "9eb1603b-4263-19ec-8be2-33184694cb92", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-05T13:06:56Z", "region": "eu-central-1", "resources": ["i-12345678901234567"], "detail": { "awsAccountId": "123456789012", "description": "On the instance i-12345678901234567, the port range 22-22 is reachable from the InternetGateway igw-261bab4d from an attached ENI eni-094ad651219472857.", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Thu Sep 05 13:06:56.334 UTC 2024", "lastObservedAt": "Thu Sep 05 13:06:56.334 UTC 2024", "networkReachabilityDetails": { "networkPath": { "steps": [{ "componentId": "igw-261bab4d", "componentType": "AWS::EC2::InternetGateway" }, { "componentId": "acl-171b527d", "componentType": "AWS::EC2::NetworkAcl" }, { "componentId": "sg-0d34debf87410f2d9", "componentType": "AWS::EC2::SecurityGroup" }, { "componentId": "eni-094ad651219472857", "componentType": "AWS::EC2::NetworkInterface" }, { "componentId": "i-12345678901234567", "componentType": "AWS::EC2::Instance" }] }, "openPortRange": { "begin": 22, "end": 22 }, "protocol": "TCP" }, "remediation": { "recommendation": { "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path." } }, "resources": [{ "details": { "awsEc2Instance": { "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup", "imageId": "ami-02ff980600c693b38", "ipV4Addresses": ["1.23.456.789", "123.45.67.890"], "ipV6Addresses": [], "launchedAt": "Wed Sep 04 17:41:24.000 UTC 2024", "platform": "UBUNTU_22_04", "subnetId": "subnet-12345678", "type": "t2.small", "vpcId": "vpc-12345678" } }, "id": "i-12345678901234567", "partition": "aws", "region": "eu-central-1", "type": "AWS_EC2_INSTANCE" }], "severity": "MEDIUM", "status": "ACTIVE", "title": "Port 22 is reachable from an Internet Gateway - TCP", "type": "NETWORK_REACHABILITY", "updatedAt": "Thu Sep 05 13:06:56.334 UTC 2024" } } - Amazon ECR package vulnerability finding
{ "version": "0", "id": "5325facf-a1aa-7d97-6bce-25fde6f6d2fc", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:55:38Z", "region": "eu-central-1", "resources": [ "arn:aws:ecr:eu-central-1:123456789012:repository/inspector2/sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d" ], "detail.resources.tags.testkey": "allow", "detail": { "awsAccountId": "123456789012", "description": "Possible denial of service in X.509 name checks", "epss": { "score": 0.00045 }, "exploitAvailable": "NO", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:55:38.411 UTC 2024", "fixAvailable": "YES", "lastObservedAt": "Wed Sep 04 16:55:38.411 UTC 2024", "packageVulnerabilityDetails": { "cvss": [], "referenceUrls": [ "https://www.cve.org/CVERecord?id=CVE-2024-6119", "https://ubuntu.com/security/notices/USN-6986-1" ], "relatedVulnerabilities": [ "USN-6986-1" ], "source": "UBUNTU_CVE", "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-6119.html", "vendorCreatedAt": "Tue Sep 03 00:00:00.000 UTC 2024", "vendorSeverity": "medium", "vulnerabilityId": "CVE-2024-6119", "vulnerablePackages": [ { "arch": "ARM64", "epoch": 0, "fixedInVersion": "0:3.0.13-0ubuntu3.4", "name": "libssl3t64", "packageManager": "OS", "release": "0ubuntu3.2", "remediation": "apt-get update && apt-get upgrade", "sourceLayerHash": "sha256:1567e7ea90b67fc95ccdeeec39bdc3045098dee7e0c604975b957a9f8c0e9616", "version": "3.0.13" }, { "arch": "ARM64", "epoch": 0, "fixedInVersion": "0:3.0.13-0ubuntu3.4", "name": "openssl", "packageManager": "OS", "release": "0ubuntu3.2", "remediation": "apt-get update && apt-get upgrade", "sourceLayerHash": "sha256:1567e7ea90b67fc95ccdeeec39bdc3045098dee7e0c604975b957a9f8c0e9616", "version": "3.0.13" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsEcrContainerImage": { "architecture": "arm64", "imageHash": "sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d", "imageTags": [ "ubuntu_latest" ], "platform": "UBUNTU_24_04", "pushedAt": "Wed Sep 04 16:55:28.000 UTC 2024", "registry": "123456789012", "repositoryName": "inspector2" } }, "id": "arn:aws:ecr:eu-central-1:123456789012:repository/inspector2/sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d", "partition": "aws", "region": "eu-central-1", "type": "AWS_ECR_CONTAINER_IMAGE" } ], "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2024-6119 - libssl3t64, openssl", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:55:38.411 UTC 2024" } }- Lambda package vulnerability finding
-
{ "version": "0", "id": "9eadd71a-e49c-9864-6ba9-2a5d3f83c88f", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:50:37Z", "region": "eu-central-1", "resources": [ "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST" ], "detail": { "awsAccountId": "123456789012", "description": "Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is ac", "epss": { "score": 0.00208 }, "exploitAvailable": "YES", "exploitabilityDetails": { "lastKnownExploitAt": "Sat Aug 31 00:04:50.000 UTC 2024" }, "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:50:37.627 UTC 2024", "fixAvailable": "YES", "inspectorScore": 7.5, "inspectorScoreDetails": { "adjustedCvss": { "cvssSource": "NVD", "score": 7.5, "scoreSource": "NVD", "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "lastObservedAt": "Wed Sep 04 16:50:37.627 UTC 2024", "packageVulnerabilityDetails": { "cvss": [ { "baseScore": 7.5, "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "source": "NVD", "version": "3.1" } ], "referenceUrls": [ "https://www.debian.org/security/2023/dsa-5442", "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html" ], "relatedVulnerabilities": [], "source": "NVD", "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861", "vendorCreatedAt": "Tue May 02 18:15:52.000 UTC 2023", "vendorSeverity": "HIGH", "vendorUpdatedAt": "Sun Aug 20 21:15:09.000 UTC 2023", "vulnerabilityId": "CVE-2023-30861", "vulnerablePackages": [ { "epoch": 0, "filePath": "requirements.txt", "fixedInVersion": "2.3.2", "name": "flask", "packageManager": "PIP", "version": "2.0.0" } ] }, "remediation": { "recommendation": { "text": "None Provided" } }, "resources": [ { "details": { "awsLambdaFunction": { "architectures": [ "X86_64" ], "codeSha256": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", "executionRoleArn": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", "functionName": "VulnerableFunction", "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", "packageType": "ZIP", "runtime": "PYTHON_3_11", "version": "$LATEST" } }, "id": "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST", "partition": "aws", "region": "eu-central-1", "type": "AWS_LAMBDA_FUNCTION" } ], "severity": "HIGH", "status": "ACTIVE", "title": "CVE-2023-30861 - flask", "type": "PACKAGE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:50:37.627 UTC 2024" } } - Lambda code vulnerability finding
{ "version": "0", "id": "e764f7be-f931-ff1b-204b-8cab2d91724b", "detail-type": "Inspector2 Finding", "source": "aws.inspector2", "account": "123456789012", "time": "2024-09-04T16:51:01Z", "region": "eu-central-1", "resources": [ "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST" ], "detail": { "awsAccountId": "123456789012", "codeVulnerabilityDetails": { "cwes": [ "CWE-798" ], "detectorId": "python/hardcoded-credentials@v1.0", "detectorName": "Hardcoded credentials", "detectorTags": [ "secrets", "security", "owasp-top10", "top25-cwes", "cwe-798", "Python" ], "filePath": { "endLine": 6, "fileName": "lambda_function.py", "filePath": "lambda_function.py", "startLine": 6 }, "ruleId": "python-detect-hardcoded-aws-credentials" }, "description": "Access credentials, such as passwords and access keys, should not be hardcoded in source code. Hardcoding credentials may cause leaks even after removing them. This is because version control systems might retain older versions of the code. Credentials should be stored securely and obtained from the runtime environment.", "findingArn": "arn:aws:inspector2:eu-central-1:123456789012:finding/FINDING_ID", "firstObservedAt": "Wed Sep 04 16:51:01.869 UTC 2024", "lastObservedAt": "Wed Sep 04 16:51:01.869 UTC 2024", "remediation": { "recommendation": { "text": "Your code uses hardcoded AWS credentials which might allow unauthorized users access to your AWS account. These attacks can occur a long time after the credentials are removed from the code. We recommend that you set AWS credentials with environment variables or an AWS profile instead. You should consider deleting the affected account or rotating the secret key and then monitoring Amazon CloudWatch for unexpected activity.\n[https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html)" } }, "resources": [ { "details": { "awsLambdaFunction": { "architectures": [ "X86_64" ], "codeSha256": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", "executionRoleArn": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", "functionName": "VulnerableFunction", "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", "packageType": "ZIP", "runtime": "PYTHON_3_11", "version": "$LATEST" } }, "id": "arn:aws:lambda:eu-central-1:123456789012:function:VulnerableFunction:$LATEST", "partition": "aws", "region": "eu-central-1", "type": "AWS_LAMBDA_FUNCTION" } ], "severity": "CRITICAL", "status": "ACTIVE", "title": "CWE-798 - Hardcoded credentials", "type": "CODE_VULNERABILITY", "updatedAt": "Wed Sep 04 16:51:01.869 UTC 2024" } }
注意
詳細資訊值會將單一調查結果的 JSON 詳細資訊傳回為 物件。它不會傳回整個調查結果回應語法,這支援陣列中的多個調查結果。
Amazon Inspector 初始掃描完成事件結構描述範例
以下是完成初始掃描的 Amazon Inspector 事件 EventBridge 事件結構描述範例。當 Amazon Inspector 完成其中一個資源的初始掃描時,就會建立此事件。
下列欄位會識別初始掃描完成事件:
detail-type欄位設定為Inspector2 Scan。detail物件包含一個finding-severity-counts物件,詳細說明適用嚴重性類別中的調查結果數量,例如CRITICAL、HIGH和MEDIUM。
從選項中選取 ,依資源類型查看不同的初始掃描事件結構描述。
- Amazon EC2 instance initial scan
-
{ "version": "0", "id": "28a46762-6ac8-6cc4-4f55-bc9ab99af928", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:52:35Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "instance-id": "i-087d63509b8c97098", "version": "1.0" } } - Amazon ECR image initial scan
-
{ "version": "0", "id": "fdaa751a-984c-a709-44f9-9a9da9cd3606", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T23:15:18Z", "region": "us-east-1", "resources": [ "arn:aws:ecr:us-east-1:111122223333:repository/inspector2" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "repository-name": "arn:aws:ecr:us-east-1:111122223333:repository/inspector2", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "image-digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea", "image-tags": [ "ubuntu22" ], "version": "1.0" } } - Lambda function initial scan
-
{ "version": "0", "id": "4f290a7c-361b-c442-03c8-a629f6f20d6c", "detail-type": "Inspector2 Scan", "source": "aws.inspector2", "account": "111122223333", "time": "2023-02-23T18:06:03Z", "region": "us-west-2", "resources": [ "arn:aws:lambda:us-west-2:111122223333:function:lambda-example:$LATEST" ], "detail": { "scan-status": "INITIAL_SCAN_COMPLETE", "finding-severity-counts": { "CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "TOTAL": 0 }, "version": "1.0" } }
Amazon Inspector 涵蓋範圍事件結構描述範例
以下是 Amazon Inspector 事件涵蓋範圍的 EventBridge 事件結構描述範例。當資源的 Amazon Inspector 掃描涵蓋範圍變更時,就會建立此事件。下列欄位會識別涵蓋範圍事件:
detail-type欄位設定為Inspector2 Coverage。detail物件包含scanStatus物件,指出資源的新掃描狀態。
{ "version": "0", "id": "000adda5-0fbf-913e-bc0e-10f0376412aa", "detail-type": "Inspector2 Coverage", "source": "aws.inspector2", "account": "111122223333", "time": "2023-01-20T22:51:39Z", "region": "us-east-1", "resources": [ "i-087d63509b8c97098" ], "detail": { "scanStatus": { "reason": "UNMANAGED_EC2_INSTANCE", "statusCodeValue": "INACTIVE" }, "scanType": "PACKAGE", "eventTimestamp": "2023-01-20T22:51:35.665501Z", "version": "1.0" } }
Amazon Inspector 自動啟用結構描述範例
當 Amazon Inspector 無法支援組織中的成員數量時,自動啟用事件會傳送至委派的管理員。下列欄位識別自動啟用事件:
-
detail-type欄位設定為Inspector2 AutoEnable。 -
detail物件說明自動啟用事件失敗的原因。
{ "version": "0", "id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae", "detail-type": "Inspector2 AutoEnable", "source": "aws.inspector2", "account": "123456789012", "time": "2024-08-21T02:36:48Z", "region": "us-east-1", "detail": { “version”: “1.0.0”, “AutoEnableStatus”: “Failed”, “Reason”: "The number of member accounts enabled with AWS Inspector has reached the maximum limit of 10,000" } }
匯出 SBOMs
Amazon Inspector SBOM 產生器