本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Macie 调查结果的亚马逊 EventBridge 事件架构
为了支持与其他应用程序、服务和系统(例如监控或事件管理系统)的集成,Amazon Macie 会自动将调查结果 EventBridge 作为事件发布给亚马逊。 EventBridge,前身为 Amazon CloudWatch Events,是一种无服务器事件总线服务,可将来自应用程序和其他应用程序的实时数据流传输 AWS 服务 到目标,例如 AWS Lambda 函数、亚马逊简单通知服务主题和 Amazon Kinesis 流。要了解更多信息 EventBridge,请参阅 Amazon EventBridge 用户指南。
注意
如果您当前使用 CloudWatch 事件,请注意 EventBridge 和 CloudWatch 事件是相同的底层服务和 API。但是, EventBridge 包括其他功能,使您能够接收来自软件即服务 (SaaS) 应用程序和您自己的应用程序的事件。由于基础服务和 API 相同,因此 Macie 发现的事件架构也相同。
Macie 会自动发布所有新调查发现和现有策略的后续调查发现的事件,但使用抑制规则自动存档的调查发现除外。这些事件是符合 AWS 事件 EventBridge 架构的 JSON 对象。每个事件都包含特定调查发现的 JSON 表示。由于数据结构化为 EventBridge 事件,因此您可以使用其他应用程序、服务和工具更轻松地监控、处理发现并根据发现采取行动。要详细了解 Macie 如何以及何时发布有关调查发现的事件,请参阅 为调查发现配置发布设置。
Macie 调查发现的事件架构
以下示例显示了亚马逊 Macie EventBridge 搜索结果的亚马逊事件架构。有关调查发现事件中包含字段的详细描述,请参阅 Amazon Macie API 引用中的调查发现。调查发现事件的结构和字段与 Amazon Macie API 的 Finding 对象非常接近。
{ "version": "0", "id": "event ID", "detail-type": "Macie Finding", "source": "aws.macie", "account": "AWS 账户 ID (string)", "time": "event timestamp (string)", "region": "AWS 区域 (string)", "resources": [ <-- ARNs of the resources involved in the event --> ], "detail": { <-- Details of a policy or sensitive data finding --> }, "policyDetails": null, <-- Additional details of a policy finding or null for a sensitive data finding --> "sample": Boolean, "archived": Boolean }
策略调查发现事件示例
以下示例使用示例数据演示策略调查结果的 Amazon EventBridge 事件中对象和字段的结构和性质。在此示例中,该事件报告了后续出现的现有策略调查发现:Amazon Macie 检测到禁用阻止 S3 存储桶公开访问设置。以下字段和值可帮助您确定情况是否如此:
-
该
type字段设置为Policy:IAMUser/S3BlockPublicAccessDisabled。 -
createdAt和updatedAt字段的值不同。此指标表明,该事件报告了现有策略调查发现的后续发生。如果事件报告了新调查发现,则这些字段的值将相同。 -
count字段设置为2,表示这是调查发现的第二次出现。 -
该
category字段设置为POLICY。 -
classificationDetails字段值为null,这有助于将此策略调查发现事件与敏感数据调查发现事件区分开来。对于敏感数据调查发现,此值将是一组对象和字段,这些对象和字段提供有关敏感数据的查找方式及数据内容。
请注意,sample 字段值设置为 true。此值强调这是文档中所使用的示例事件。
{
"version": "0",
"id": "0948ba87-d3b8-c6d4-f2da-732a1example",
"detail-type": "Macie Finding",
"source": "aws.macie",
"account": "123456789012",
"time": "2024-04-30T23:12:15Z",
"region":"us-east-1",
"resources": [],
"detail": {
"schemaVersion": "1.0",
"id": "64b917aa-3843-014c-91d8-937ffexample",
"accountId": "123456789012",
"partition": "aws",
"region": "us-east-1",
"type": "Policy:IAMUser/S3BlockPublicAccessDisabled",
"title": "Block public access settings are disabled for the S3 bucket",
"description": "All bucket-level block public access settings were disabled for the S3 bucket. Access to the bucket is controlled by account-level block public access settings, access control lists (ACLs), and the bucket’s bucket policy.",
"severity": {
"score": 3,
"description": "High"
},
"createdAt": "2024-04-29T15:46:02Z",
"updatedAt": "2024-04-30T23:12:15Z",
"count": 2,
"resourcesAffected": {
"s3Bucket": {
"arn": "arn:aws:s3:::amzn-s3-demo-bucket1",
"name": "amzn-s3-demo-bucket1",
"createdAt": "2020-04-03T20:46:56.000Z",
"owner":{
"displayName": "johndoe",
"id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
},
"tags": [
{
"key": "Division",
"value": "HR"
},
{
"key": "Team",
"value": "Recruiting"
}
],
"defaultServerSideEncryption": {
"encryptionType": "aws:kms",
"kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
"publicAccess": {
"permissionConfiguration": {
"bucketLevelPermissions": {
"accessControlList": {
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"bucketPolicy": {
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"blockPublicAccess": {
"ignorePublicAcls": false,
"restrictPublicBuckets": false,
"blockPublicAcls": false,
"blockPublicPolicy": false
}
},
"accountLevelPermissions": {
"blockPublicAccess": {
"ignorePublicAcls": true,
"restrictPublicBuckets": true,
"blockPublicAcls": true,
"blockPublicPolicy": true
}
}
},
"effectivePermission": "NOT_PUBLIC"
},
"allowsUnencryptedObjectUploads": "FALSE"
},
"s3Object": null
},
"category": "POLICY",
"classificationDetails": null,
"policyDetails": {
"action": {
"actionType": "AWS_API_CALL",
"apiCallDetails": {
"api": "PutBucketPublicAccessBlock",
"apiServiceName": "s3.amazonaws.com",
"firstSeen": "2024-04-29T15:46:02.401Z",
"lastSeen": "2024-04-30T23:12:15.401Z"
}
},
"actor": {
"userIdentity": {
"type": "AssumedRole",
"assumedRole": {
"principalId": "AROA1234567890EXAMPLE:AssumedRoleSessionName",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": false,
"creationDate": "2024-04-29T10:25:43.511Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROA1234567890EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
}
}
},
"root": null,
"iamUser": null,
"federatedUser": null,
"awsAccount": null,
"awsService": null
},
"ipAddressDetails":{
"ipAddressV4": "192.0.2.0",
"ipOwner": {
"asn": "-1",
"asnOrg": "ExampleFindingASNOrg",
"isp": "ExampleFindingISP",
"org": "ExampleFindingORG"
},
"ipCountry": {
"code": "US",
"name": "United States"
},
"ipCity": {
"name": "Ashburn"
},
"ipGeoLocation": {
"lat": 39.0481,
"lon": -77.4728
}
},
"domainDetails": null
}
},
"sample": true,
"archived": false
}
}敏感数据调查发现事件示例
以下示例使用示例数据来演示敏感数据发现的 Amazon EventBridge 事件中对象和字段的结构和性质。在此示例中,该事件报告了一项新调查发现的敏感数据:Amazon Macie 在 S3 对象中发现了多个类别和类型的敏感数据。以下字段和值可帮助您确定情况是否如此:
-
该
type字段设置为SensitiveData:S3Object/Multiple。 -
createdAt和updatedAt字段值相同。与策略调查发现不同的是,敏感数据调查发现总是如此。所有敏感数据调查发现均被视为新调查发现。 -
count字段设置为1,表示这是一项新调查发现。与策略调查发现不同的是,敏感数据调查发现总是如此。所有敏感数据调查发现都被认为具有唯一性(新)。 -
该
category字段设置为CLASSIFICATION。 -
policyDetails字段值为null,这有助于将敏感数据调查发现事件与策略调查发现事件区分开来。对于策略调查发现,此值将是一组对象和字段,这些对象和字段提供有关 S3 存储桶可能违反策略、安全性或隐私问题的信息。
请注意,sample 字段值设置为 true。此值强调这是文档中所使用的示例事件。
{
"version": "0",
"id": "14ddd0b1-7c90-b9e3-8a68-6a408example",
"detail-type": "Macie Finding",
"source": "aws.macie",
"account": "123456789012",
"time": "2024-04-20T08:19:10Z",
"region": "us-east-1",
"resources": [],
"detail": {
"schemaVersion": "1.0",
"id": "4ed45d06-c9b9-4506-ab7f-18a57example",
"accountId": "123456789012",
"partition": "aws",
"region": "us-east-1",
"type": "SensitiveData:S3Object/Multiple",
"title": "The S3 object contains multiple categories of sensitive data",
"description": "The S3 object contains more than one category of sensitive data.",
"severity": {
"score": 3,
"description": "High"
},
"createdAt": "2024-04-20T18:19:10Z",
"updatedAt": "2024-04-20T18:19:10Z",
"count": 1,
"resourcesAffected": {
"s3Bucket": {
"arn": "arn:aws:s3:::amzn-s3-demo-bucket2",
"name": "amzn-s3-demo-bucket2",
"createdAt": "2020-05-15T20:46:56.000Z",
"owner": {
"displayName": "johndoe",
"id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
},
"tags":[
{
"key":"Division",
"value":"HR"
},
{
"key":"Team",
"value":"Recruiting"
}
],
"defaultServerSideEncryption": {
"encryptionType": "aws:kms",
"kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
"publicAccess": {
"permissionConfiguration": {
"bucketLevelPermissions": {
"accessControlList": {
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"bucketPolicy":{
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"blockPublicAccess": {
"ignorePublicAcls": true,
"restrictPublicBuckets": true,
"blockPublicAcls": true,
"blockPublicPolicy": true
}
},
"accountLevelPermissions": {
"blockPublicAccess": {
"ignorePublicAcls": false,
"restrictPublicBuckets": false,
"blockPublicAcls": false,
"blockPublicPolicy": false
}
}
},
"effectivePermission": "NOT_PUBLIC"
},
"allowsUnencryptedObjectUploads": "TRUE"
},
"s3Object":{
"bucketArn": "arn:aws:s3:::amzn-s3-demo-bucket2",
"key": "2024 Sourcing.csv",
"path": "amzn-s3-demo-bucket2/2024 Sourcing.csv",
"extension": "csv",
"lastModified": "2024-04-19T22:08:25.000Z",
"versionId": "",
"serverSideEncryption": {
"encryptionType": "aws:kms",
"kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
"size": 4750,
"storageClass": "STANDARD",
"tags":[
{
"key":"Division",
"value":"HR"
},
{
"key":"Team",
"value":"Recruiting"
}
],
"publicAccess": false,
"etag": "6bb7fd4fa9d36d6b8fb8882caexample"
}
},
"category": "CLASSIFICATION",
"classificationDetails": {
"jobArn": "arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample",
"jobId": "3ce05dbb7ec5505def334104bexample",
"result": {
"status": {
"code": "COMPLETE",
"reason": null
},
"sizeClassified": 4750,
"mimeType": "text/csv",
"additionalOccurrences": true,
"sensitiveData": [
{
"category": "PERSONAL_INFORMATION",
"totalCount": 65,
"detections": [
{
"type": "USA_SOCIAL_SECURITY_NUMBER",
"count": 30,
"occurrences": {
"lineRanges": null,
"offsetRanges": null,
"pages": null,
"records": null,
"cells": [
{
"row": 2,
"column": 1,
"columnName": "SSN",
"cellReference": null
},
{
"row": 3,
"column": 1,
"columnName": "SSN",
"cellReference": null
},
{
"row": 4,
"column": 1,
"columnName": "SSN",
"cellReference": null
}
]
}
},
{
"type": "NAME",
"count": 35,
"occurrences": {
"lineRanges": null,
"offsetRanges": null,
"pages": null,
"records": null,
"cells": [
{
"row": 2,
"column": 3,
"columnName": "Name",
"cellReference": null
},
{
"row": 3,
"column": 3,
"columnName": "Name",
"cellReference": null
}
]
}
}
]
},
{
"category": "FINANCIAL_INFORMATION",
"totalCount": 30,
"detections": [
{
"type": "CREDIT_CARD_NUMBER",
"count": 30,
"occurrences": {
"lineRanges": null,
"offsetRanges": null,
"pages": null,
"records": null,
"cells": [
{
"row": 2,
"column": 14,
"columnName": "CCN",
"cellReference": null
},
{
"row": 3,
"column": 14,
"columnName": "CCN",
"cellReference": null
}
]
}
}
]
}
],
"customDataIdentifiers": {
"totalCount": 0,
"detections": []
}
},
"detailedResultsLocation": "s3://macie-data-discovery-results/AWSLogs/123456789012/Macie/us-east-1/3ce05dbb7ec5505def334104bexample/d48bf16d-0deb-3e49-9d8c-d407cexample.jsonl.gz",
"originType": "SENSITIVE_DATA_DISCOVERY_JOB"
},
"policyDetails": null,
"sample": true,
"archived": false
}
}