本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用 Amazon 监控 S3 对象扫描 EventBridge
*Amazon EventBridge* 是一项无服务器事件总线服务,可以轻松地将您的应用程序与来自各种来源的数据连接起来。 EventBridge 提供来自您自己的应用程序、 Software-as-a-Service (SaaS) 应用程序和 AWS 服务的实时数据流,并将这些数据路由到 Lambda 等目标。这使您能够监控服务中发生的事件,并构建事件驱动的架构。有关更多信息,请参阅 [Amazon EventBridge 用户指南](https://docs.aws.amazon.com/eventbridge/latest/userguide/)。
作为受 S3 恶意软件防护保护的 S3 存储桶的所有者账户,在以下情况下向默认事件总线 GuardDuty 发布 EventBridge 通知:
+ 任何受保护存储桶的**恶意软件防护计划资源状态**会发生变化。有关不同状态的更多信息,请参阅[查看和了解受保护的存储桶状态](malware-protection-s3-bucket-status-gdu.md)。
要为资源状态设置 Amazon EventBridge (EventBridge) 规则,请参阅[恶意软件防护计划资源状态](#resource-status-malware-protection-s3-ev)。
+ S **3 对象扫描结果**将发布到您的默认 EventBridge 事件总线。
`s3Throttled` 字段指示在 Amazon S3 存储桶中上传或检索存储时是否出现延迟。`true` 值指示存在延迟,`false` 指示没有延迟。
如果扫描结果的 `s3Throttled` 为 `true`,则 Amazon S3 会提供有关前缀设置方式的建议,以帮助您减少每个前缀的每秒事务处理量(TPS)。有关更多信息,请参阅《Amazon S3 用户指南》中的[最佳实践设计模式:优化 Amazon S3 性能](https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html)**。
有关为 S3 对象扫描结果设置 Amazon EventBridge (EventBridge) 规则的信息,请参阅[S3 对象扫描结果](#s3-object-scan-status-malware-protection-s3-ev)。
+ 由于以下原因,出现**扫描后标记失败事件**:
+ IAM 角色缺少标记对象的权限。
该[添加 IAM 策略权限](malware-protection-s3-iam-policy-prerequisite.md#attach-iam-policy-s3-malware-protection)模板包括为对象 GuardDuty 添加标签的权限。
+ IAM 角色中指定的存储桶资源或对象已不再存在。
+ 关联的 S3 对象已达到最大标签限制。有关标签限制的更多信息,请参阅《Amazon S3 用户指南》中的[使用标签对存储进行分类](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html)**。
要为扫描后标签失败事件设置 Amazon EventBridge (EventBridge) 规则,请参阅[扫描后标记失败事件](#post-tag-failure-malware-protection-s3-ev)。
## 设置 EventBridge 规则
您可以在账户中设置 EventBridge 规则,将资源状态、扫描后标签失败事件或 S3 对象扫描结果发送给其他 AWS 服务人。作为委托 GuardDuty 管理员帐户,当恶意软件防护计划资源状态发生变化时,您将收到恶意软件防护计划资源状态通知。
将适用标准 EventBridge 定价。有关更多信息,请参阅 [Amazon EventBridge 定价](https://aws.amazon.com/eventbridge/pricing/)。
在该示例中,显示的所有值*red*均为占位符。这些值将根据您账户中的值以及是否检测到恶意软件而改变。
**Topics**
+ [恶意软件防护计划资源状态](#resource-status-malware-protection-s3-ev)
+ [S3 对象扫描结果](#s3-object-scan-status-malware-protection-s3-ev)
+ [扫描后标记失败事件](#post-tag-failure-malware-protection-s3-ev)
### 恶意软件防护计划资源状态
您可以根据以下场景创建 EventBridge 事件模式:
**可能的 `detail-type` 值**
+ `"GuardDuty Malware Protection Resource Status Active"`
+ `"GuardDuty Malware Protection Resource Status Warning"`
+ `"GuardDuty Malware Protection Resource Status Error"`
**事件模式**
```
{
"detail-type": ["potential detail-type"],
"source": ["aws.guardduty"]
}
```
**`GuardDuty Malware Protection Resource Status Active` 示例通知架构**:
```
{
"version": "0",
"id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
"detail-type": "GuardDuty Malware Protection Resource Status Active",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "ACTIVE"
}
}
```
**`GuardDuty Malware Protection Resource Status Warning` 示例通知架构**:
```
{
"version": "0",
"id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
"detail-type": "GuardDuty Malware Protection Resource Status warning",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "WARNING",
"statusReasons": [
{
"code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS"
}
]
}
}
```
**`GuardDuty Malware Protection Resource Status Error` 示例通知架构**:
```
{
"version": "0",
"id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2",
"detail-type": "GuardDuty Malware Protection Resource Status Error",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "ERROR",
"statusReasons": [
{
"code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED"
}
]
}
}
```
`statusReasons` 值将根据 `resourceStatus` `ERROR` 背后的原因填充。
有关以下警告和错误的故障排除步骤的信息,请参阅[恶意软件防护计划状态故障排除](troubleshoot-s3-malware-protection-status-errors.md)。
### S3 对象扫描结果
```
{
"detail-type": ["GuardDuty Malware Protection Object Scan Result"],
"source": ["aws.guardduty"]
}
```
**`NO_THREATS_FOUND` 示例通知架构**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0171419",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "COMPLETED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "NO_THREATS_FOUND",
"threats": null
}
}
}
```
**`THREATS_FOUND` 示例通知架构**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0171419",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "COMPLETED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "THREATS_FOUND",
"threats": [
{
"name": "EICAR-Test-File (not a virus)"
}
]
}
}
}
```
**注意**
`scanResultDetails.Threats` 字段仅包含一种威胁。默认情况下,S3 恶意软件防护扫描会报告第一个检测到的威胁。此后,`scanStatus` 将设置为 `COMPLETED`。
**`UNSUPPORTED` 扫描结果状态的示例通知架构(已跳过)**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "SKIPPED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "UNSUPPORTED",
"threats": null
}
}
}
```
**`ACCESS_DENIED` 扫描结果状态的示例通知架构(已跳过)**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "SKIPPED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "ACCESS_DENIED",
"threats": null
}
}
}
```
**`FAILED` 扫描结果状态的示例通知架构**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "FAILED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "FAILED",
"threats": null
}
}
}
```
### 扫描后标记失败事件
**事件模式**:
```
{
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty"
}
```
**`ACCESS_DENIED` 示例通知架构**:
```
{
"version": "0",
"id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-06-10T16:16:08Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-06-10T16:16:08Z",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
"eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"postScanActions": [{
"actionType": "TAGGING",
"failureReason": "ACCESS_DENIED"
}]
}
}
```
**`MAX_TAG_LIMIT_EXCEEDED` 示例通知架构**:
```
{
"version": "0",
"id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-06-10T16:16:08Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-06-10T16:16:08Z",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
"eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"postScanActions": [{
"actionType": "TAGGING",
"failureReason": "MAX_TAG_LIMIT_EXCEEDED"
}]
}
}
```
要对这些失败原因进行故障排除,请参阅[对 S3 对象扫描后标记失败问题进行故障排除](troubleshoot-s3-post-scan-tag-failures.md)。