Amazon Inspector 的服务相关角色权限 - Amazon Inspector

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon Inspector 的服务相关角色权限

Amazon Inspector 使用名为的托管策略AWSServiceRoleForAmazonInspector2。该服务相关角色信任 inspector2.amazonaws.com 服务担任该角色。

该角色的权限策略名为 AmazonInspector2ServiceRolePolicy,允许 Amazon Inspector 执行以下任务:

  • 使用亚马逊弹性计算云 (Amazon EC2) 操作来检索有关您的实例和网络路径的信息。

  • 使用 AWS Systems Manager 操作从您的 Amazon EC2 实例中检索库存,并从自定义路径中检索有关第三方包裹的信息。

  • 使用 AWS Systems Manager SendCommand操作调用目标实例的 CIS 扫描。

  • 使用 Amazon Elastic Container Registry 操作检索有关您的容器映像的信息。

  • 使用 AWS Lambda 操作来检索有关您的 Lambda 函数的信息。

  • 使用 AWS Organizations 操作来描述关联的账户。

  • 使用 CloudWatch 操作来检索有关上次调用 Lambda 函数的时间的信息。

  • 使用“选择 IAM”操作检索可能在您的 Lambda 代码中造成安全脆弱性的 IAM policy 的相关信息。

  • 使用 Amazon Q 操作对您的 Lambda 函数中的代码执行扫描。Amazon Inspector 使用以下亚马逊 Q 操作:

    • codeguru-security: CreateScan — 授予创建 Amazon Q; 扫描的权限。

    • codeguru-security:GetScan — 授予检索 Amazon Q 扫描元数据的权限。

    • codeguru-security:ListFindings — 授予检索 Amazon Q 生成的调查结果的权限

    • codeguru-security:DeleteScansByCategory — 授予 Amazon Q 删除由 Amazon Inspector 启动的扫描的权限。

    • codeguru-security:BatchGetFindings — 授予检索 Amazon Q 生成的一批特定调查结果的权限

  • 使用选择 Elastic Load Balancing 操作对属于 Elastic Load Balancing 目标组的 EC2 实例执行网络扫描。

  • 使用 Amazon ECS 和 Amazon EKS 操作允许只读访问权限来查看集群和任务以及描述任务。

注意

Amazon Inspector 不再使用它 CodeGuru 来执行 Lambda 扫描。 AWS 将于 2025 年 11 月 20 CodeGuru 日停止提供支持。有关更多信息,请参阅终止对 CodeGuru 安全的支持。Amazon Inspector 现在使用 Amazon Q 执行 Lambda 扫描,不需要本节中描述的权限。

该角色使用以下权限策略进行配置:

JSON

     {
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "TirosPolicy",
			"Effect": "Allow",
			"Action": [
				"directconnect:DescribeConnections",
				"directconnect:DescribeDirectConnectGatewayAssociations",
				"directconnect:DescribeDirectConnectGatewayAttachments",
				"directconnect:DescribeDirectConnectGateways",
				"directconnect:DescribeVirtualGateways",
				"directconnect:DescribeVirtualInterfaces",
				"ec2:DescribeAddresses",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeInstances",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeManagedPrefixLists",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribePrefixLists",
				"ec2:DescribeRegions",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeTransitGatewayAttachments",
				"ec2:DescribeTransitGatewayConnects",
				"ec2:DescribeTransitGatewayPeeringAttachments",
				"ec2:DescribeTransitGatewayRouteTables",
				"ec2:DescribeTransitGatewayVpcAttachments",
				"ec2:DescribeTransitGateways",
				"ec2:DescribeVpcEndpointServiceConfigurations",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeVpnGateways",
				"ec2:GetManagedPrefixListEntries",
				"ec2:GetTransitGatewayRouteTablePropagations",
				"ec2:SearchTransitGatewayRoutes",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeTags",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTargetGroupAttributes",
				"elasticloadbalancing:DescribeTargetHealth",
				"network-firewall:DescribeFirewall",
				"network-firewall:DescribeFirewallPolicy",
				"network-firewall:DescribeResourcePolicy",
				"network-firewall:DescribeRuleGroup",
				"network-firewall:ListFirewallPolicies",
				"network-firewall:ListFirewalls",
				"network-firewall:ListRuleGroups",
				"tiros:CreateQuery",
				"tiros:GetQueryAnswer"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "PackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"ecr:BatchGetImage",
				"ecr:BatchGetRepositoryScanningConfiguration",
				"ecr:DescribeImages",
				"ecr:DescribeRegistry",
				"ecr:DescribeRepositories",
				"ecr:GetAuthorizationToken",
				"ecr:GetDownloadUrlForLayer",
				"ecr:GetRegistryScanningConfiguration",
				"ecr:ListImages",
				"ecr:PutRegistryScanningConfiguration",
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAccounts",
				"ssm:DescribeAssociation",
				"ssm:DescribeAssociationExecutions",
				"ssm:DescribeInstanceInformation",
				"ssm:ListAssociations",
				"ssm:ListResourceDataSync"
			],
			"Resource": "*"
		},
		{
			"Sid": "LambdaPackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"lambda:ListFunctions",
				"lambda:GetFunction",
				"lambda:GetLayerVersion",
				"lambda:ListTags",
				"cloudwatch:GetMetricData"
			],
			"Resource": "*"
		},
		{
			"Sid": "GatherInventory",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateAssociation",
				"ssm:StartAssociationsOnce",
				"ssm:UpdateAssociation"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*",
				"arn:aws:ssm:*:*:document/AmazonInspector2-*",
				"arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
				"arn:aws:ssm:*:*:managed-instance/*",
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "GatherInventoryDeleteAssociation",
			"Effect": "Allow",
			"Action": [
				"ssm:DeleteAssociation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "DataSyncCleanup",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateResourceDataSync",
				"ssm:DeleteResourceDataSync"
			],
			"Resource": [
				"arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete"
			]
		},
		{
			"Sid": "ManagedRules",
			"Effect": "Allow",
			"Action": [
				"events:PutRule",
				"events:DeleteRule",
				"events:DescribeRule",
				"events:ListTargetsByRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
				"arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule"
			]
		},
		{
			"Sid": "LambdaCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"codeguru-security:CreateScan",
				"codeguru-security:GetAccountConfiguration",
				"codeguru-security:GetFindings",
				"codeguru-security:GetScan",
				"codeguru-security:ListFindings",
				"codeguru-security:BatchGetFindings",
				"codeguru-security:DeleteScansByCategory"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "CodeGuruCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:ListAttachedRolePolicies",
				"iam:ListPolicies",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"lambda:ListVersionsByFunction"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"codeguru-security.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "Ec2DeepInspection",
			"Effect": "Allow",
			"Action": [
				"ssm:PutParameter",
				"ssm:GetParameters",
				"ssm:DeleteParameter"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowManagementOfServiceLinkedChannel",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:CreateServiceLinkedChannel",
				"cloudtrail:DeleteServiceLinkedChannel"
			],
			"Resource": [
				"arn:aws:cloudtrail:*:*:channel/aws-service-channel/inspector2/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowListServiceLinkedChannels",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:ListServiceLinkedChannels"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToRunInvokeCisSpecificDocuments",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand",
				"ssm:GetCommandInvocation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AmazonInspector2-InvokeInspectorSsmPluginCIS"
			]
		},
		{
			"Sid": "AllowToRunCisCommandsToSpecificResources",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToPutCloudwatchMetricData",
			"Effect": "Allow",
			"Action": [
				"cloudwatch:PutMetricData"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"cloudwatch:namespace": "AWS/Inspector2"
				}
			}
		},
		{
			"Sid": "AllowListAccessToECSAndEKS",
			"Effect": "Allow",
			"Action": [
			    "ecs:ListClusters",
			    "ecs:ListTasks",
			    "eks:ListClusters"
			],
			"Resource": [
			    "*"
			],
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
			    }
			}
			},
			{
			"Sid": "AllowAccessToECSTasks",
			"Effect": "Allow",
			"Action": [
			    "ecs:DescribeTasks"
			],
			"Resource": "arn:aws:ecs:*:*:task/*",
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		}
	]
}