Security Hub examples using AWS CLI

The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Security Hub.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions
The following code example shows how to use accept-administrator-invitation.

To accept an invitation from an administrator account

The following accept-administrator-invitation example accepts the specified invitation from the specified administrator account.

    aws securityhub accept-administrator-invitation \
        --administrator-id 123456789012 \
        --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see AcceptAdministratorInvitation in the AWS CLI Command Reference.
The following code example shows how to use accept-invitation.

To accept an invitation from an administrator account

The following accept-invitation example accepts the specified invitation from the specified administrator account.

    aws securityhub accept-invitation \
        --master-id 123456789012 \
        --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see AcceptInvitation in the AWS CLI Command Reference.
The following code example shows how to use batch-delete-automation-rules.

To delete automation rules

The following batch-delete-automation-rules example deletes the specified automation rule. You can delete one or more rules with a single command. Only the Security Hub administrator account can run this command.

    aws securityhub batch-delete-automation-rules \
        --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

    { "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }

For more information, see Deleting automation rules in the AWS Security Hub User Guide.

For API details, see BatchDeleteAutomationRules in the AWS CLI Command Reference.
The following code example shows how to use batch-disable-standards.

To disable a standard

The following batch-disable-standards example disables the standard associated with the specified subscription ARN.

    aws securityhub batch-disable-standards \
        --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"

Output:

    { "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "DELETING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

For API details, see BatchDisableStandards in the AWS CLI Command Reference.
The following code example shows how to use batch-enable-standards.

To enable a standard

The following batch-enable-standards example enables the PCI DSS standard for the requesting account.

    aws securityhub batch-enable-standards \
        --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}'

Output:

    { "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "PENDING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }

For more information, see Disabling or enabling a security standard in the AWS Security Hub User Guide.

For API details, see BatchEnableStandards in the AWS CLI Command Reference.
The following code example shows how to use batch-get-automation-rules.

To get details for automation rules

The following batch-get-automation-rules example gets details for the specified automation rule. You can get details for one or more automation rules with a single command.

    aws securityhub batch-get-automation-rules \
        --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'

Output:

    { "Rules": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "Criteria": { "ProductName": [ { "Value": "GuardDuty", "Comparison": "EQUALS" } ], "SeverityLabel": [ { "Value": "INFORMATIONAL", "Comparison": "EQUALS" } ], "WorkflowStatus": [ { "Value": "NEW", "Comparison": "EQUALS" } ], "RecordState": [ { "Value": "ACTIVE", "Comparison": "EQUALS" } ] }, "Actions": [ { "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Note": { "Text": "Automatically suppress GuardDuty findings with Informational severity", "UpdatedBy": "sechub-automation" }, "Workflow": { "Status": "SUPPRESSED" } } } ], "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ], "UnprocessedAutomationRules": [] }

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

For API details, see BatchGetAutomationRules in the AWS CLI Command Reference.
The following code example shows how to use batch-get-configuration-policy-associations.

To get configuration association details for a batch of targets

The following batch-get-configuration-policy-associations example retrieves association details for the specified target. You can provide an account ID, organizational unit ID, or root ID for the target.

    aws securityhub batch-get-configuration-policy-associations \
        --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

    { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see BatchGetConfigurationPolicyAssociations in the AWS CLI Command Reference.
The following code example shows how to use batch-get-security-controls.

To get security control details

The following batch-get-security-controls example gets details for the security controls ACM.1 and IAM.1 in the current AWS account and AWS Region.

    aws securityhub batch-get-security-controls \
        --security-control-ids '["ACM.1", "IAM.1"]'

Output:

    { "SecurityControls": [ { "SecurityControlId": "ACM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "SecurityControlStatus": "ENABLED", "UpdateStatus": "READY", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } }, "LastUpdateReason": "Updated control parameter" }, { "SecurityControlId": "IAM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1", "Title": "IAM policies should not allow full \"*\" administrative privileges", "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation", "SeverityRating": "HIGH", "SecurityControlStatus": "ENABLED", "UpdateStatus": "READY", "Parameters": {} } ] }

For more information, see Viewing details for a control in the AWS Security Hub User Guide.

For API details, see BatchGetSecurityControls in the AWS CLI Command Reference.
The following code example shows how to use batch-get-standards-control-associations.

To get the enablement status of a control

The following batch-get-standards-control-associations example identifies whether the specified controls are enabled in the specified standards.

    aws securityhub batch-get-standards-control-associations \
        --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:standards/aws-foundational-security-best-practices/v/1.0.0"}]'

Output:

    { "StandardsControlAssociationDetails": [ { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "Config.1", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/Config.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.5" ], "UpdatedAt": "2022-10-27T16:07:12.960000+00:00", "StandardsControlTitle": "Ensure AWS Config is enabled", "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/cis-aws-foundations-benchmark/v/1.2.0/2.5" ] }, { "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "IAM.6", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/IAM.6", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2022-11-22T21:30:35.080000+00:00", "UpdatedReason": "test", "StandardsControlTitle": "Hardware MFA should be enabled for the root user", "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6" ] } ] }

For more information, see Enabling and disabling controls in specific standards in the AWS Security Hub User Guide.

For API details, see BatchGetStandardsControlAssociations in the AWS CLI Command Reference.
The following code example shows how to use batch-import-findings.

To update a finding

The following batch-import-findings example updates a finding.

    aws securityhub batch-import-findings \
        --findings '[{ "AwsAccountId": "123456789012", "CreatedAt": "2020-05-27T17:05:54.832Z", "Description": "Vulnerability in a CloudTrail trail", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "10" }, "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ] }, "GeneratorId": "TestGeneratorId", "Id": "Id1", "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default", "Resources": [ { "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName", "Partition": "aws", "Region": "us-west-1", "Type": "AwsCloudTrailTrail" } ], "SchemaVersion": "2018-10-08", "Title": "CloudTrail trail vulnerability", "UpdatedAt": "2020-06-02T16:05:54.832Z" }]'

Output:

    { "FailedCount": 0, "SuccessCount": 1, "FailedFindings": [] }

For more information, see Using BatchImportFindings to create and update findings in the AWS Security Hub User Guide.

For API details, see BatchImportFindings in the AWS CLI Command Reference.
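Every finding passed to batch-import-findings must carry the ASFF fields shown in the example above, and a single malformed finding in the batch comes back in FailedFindings. The following Python is an added example, not part of the AWS documentation: it builds a finding shaped like the one above and validates the required fields locally before the JSON is handed to --findings. The account ID, Region, trail ARN and generator ID are constructed sample values.

```python
"""Build and locally validate an ASFF finding before batch-import-findings.

Added example; not part of the AWS documentation. Checks the top-level
fields BatchImportFindings requires (ASFF schema version 2018-10-08) so a
malformed finding is rejected before it reaches the CLI. The account ID,
Region, trail ARN and generator ID used below are constructed sample values.
"""
import json
import re
from datetime import datetime, timezone

# Top-level fields that BatchImportFindings requires in every finding.
REQUIRED_FIELDS = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
    "ProductArn", "Resources", "SchemaVersion", "Title", "UpdatedAt",
)
SEVERITY_LABELS = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
# ASFF timestamps are ISO 8601 in UTC, e.g. 2020-05-27T17:05:54.832Z
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def utc_now_iso():
    """Current time in the timestamp format ASFF expects (millisecond precision)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_finding(account_id, region, finding_id, title, description, severity,
                  resource_id, resource_type, timestamp, generator_id="custom-scanner"):
    """Return one ASFF finding addressed to the account's default product ARN,
    shaped like the finding in the batch-import-findings example above."""
    return {
        "AwsAccountId": account_id,
        "CreatedAt": timestamp,
        "UpdatedAt": timestamp,
        "Description": description,
        "GeneratorId": generator_id,   # constructed identifier for the finding source
        "Id": finding_id,
        # The "default" product ARN is the one used when an account imports
        # its own findings, as in the CLI example above.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "Resources": [{
            "Id": resource_id,
            "Partition": "aws",
            "Region": region,
            "Type": resource_type,
        }],
        "SchemaVersion": "2018-10-08",
        "Title": title,
        "FindingProviderFields": {
            "Severity": {"Label": severity},
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        },
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding is importable."""
    problems = [f"missing required field {name}"
                for name in REQUIRED_FIELDS if name not in finding]
    for key in ("CreatedAt", "UpdatedAt"):
        if key in finding and not ISO_8601_UTC.match(str(finding[key])):
            problems.append(f"{key} is not an ISO 8601 UTC timestamp")
    if "Resources" in finding and not finding["Resources"]:
        problems.append("Resources must list at least one resource")
    if not re.fullmatch(r"\d{12}", str(finding.get("AwsAccountId", ""))):
        problems.append("AwsAccountId must be a 12-digit account ID")
    label = finding.get("FindingProviderFields", {}).get("Severity", {}).get("Label")
    if label is not None and label not in SEVERITY_LABELS:
        problems.append(f"unknown severity label {label}")
    return problems


def findings_argument(findings):
    """Serialize a list of findings to the JSON string passed to --findings,
    refusing the whole batch if any finding fails validation."""
    for index, finding in enumerate(findings):
        problems = validate_finding(finding)
        if problems:
            raise ValueError(f"finding {index}: " + "; ".join(problems))
    return json.dumps(findings)


if __name__ == "__main__":
    sample = build_finding(
        account_id="123456789012", region="us-west-1", finding_id="Id1",
        title="CloudTrail trail vulnerability",
        description="Vulnerability in a CloudTrail trail", severity="LOW",
        resource_id="arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName",
        resource_type="AwsCloudTrailTrail", timestamp=utc_now_iso(),
    )
    # Paste the printed JSON after --findings, or save it and pass file://findings.json
    print(findings_argument([sample]))
```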
The following code example shows how to use batch-update-automation-rules.

To update automation rules

The following batch-update-automation-rules example updates the specified automation rule. You can update one or more rules with a single command. Only the Security Hub administrator account can run this command.

    aws securityhub batch-update-automation-rules \
        --update-automation-rules-request-items '[
            {
                "Actions": [{
                    "Type": "FINDING_FIELDS_UPDATE",
                    "FindingFieldsUpdate": {
                        "Note": {
                            "Text": "Known issue that is a risk",
                            "UpdatedBy": "sechub-automation"
                        },
                        "Workflow": {
                            "Status": "NEW"
                        }
                    }
                }],
                "Criteria": {
                    "SeverityLabel": [{
                        "Value": "LOW",
                        "Comparison": "EQUALS"
                    }]
                },
                "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "RuleOrder": 1,
                "RuleStatus": "DISABLED"
            }
        ]'

Output:

    { "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }

For more information, see Editing automation rules in the AWS Security Hub User Guide.

For API details, see BatchUpdateAutomationRules in the AWS CLI Command Reference.
The following code example shows how to use batch-update-findings.

Example 1: To update findings

The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them.

    aws securityhub batch-update-findings \
        --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
        --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
        --severity '{"Label": "LOW"}' \
        --workflow '{"Status": "RESOLVED"}'

Output:

    { "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

Example 2: To update findings using shorthand syntax

The following batch-update-findings example updates two findings to add a note, change the severity label, and resolve them, using shorthand syntax.

    aws securityhub batch-update-findings \
        --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \
        --note Text="Known issue that is not a risk.",UpdatedBy="user1" \
        --severity Label="LOW" \
        --workflow Status="RESOLVED"

Output:

    { "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }

For more information, see Using BatchUpdateFindings to update findings in the AWS Security Hub User Guide.

For API details, see BatchUpdateFindings in the AWS CLI Command Reference.
The following code example shows how to use batch-update-standards-control-associations.

To update the enablement status of a control in enabled standards

The following batch-update-standards-control-associations example disables CloudTrail.1 in the specified standards.

    aws securityhub batch-update-standards-control-associations \
        --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'

This command produces no output when successful.

For more information, see Enabling and disabling controls in specific standards and Enabling and disabling controls in all standards in the AWS Security Hub User Guide.

For API details, see BatchUpdateStandardsControlAssociations in the AWS CLI Command Reference.
The following code example shows how to use create-action-target.

To create a custom action

The following create-action-target example creates a custom action. It provides the name, description, and identifier for the action.

    aws securityhub create-action-target \
        --name "Send to remediation" \
        --description "Action to send the finding for remediation tracking" \
        --id "Remediation"

Output:

    { "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

For API details, see CreateActionTarget in the AWS CLI Command Reference.
The following code example shows how to use create-automation-rule.

To create an automation rule

The following create-automation-rule example creates an automation rule in the current AWS account and AWS Region. Security Hub filters your findings based on the specified criteria and applies the actions to matching findings. Only the Security Hub administrator account can run this command.

    aws securityhub create-automation-rule \
        --actions '[{
            "Type": "FINDING_FIELDS_UPDATE",
            "FindingFieldsUpdate": {
                "Severity": {
                    "Label": "HIGH"
                },
                "Note": {
                    "Text": "Known issue that is a risk. Updated by automation rules",
                    "UpdatedBy": "sechub-automation"
                }
            }
        }]' \
        --criteria '{
            "SeverityLabel": [{
                "Value": "INFORMATIONAL",
                "Comparison": "EQUALS"
            }]
        }' \
        --description "A sample rule" \
        --no-is-terminal \
        --rule-name "sample rule" \
        --rule-order 1 \
        --rule-status "ENABLED"

Output:

    { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }

For more information, see Creating automation rules in the AWS Security Hub User Guide.

For API details, see CreateAutomationRule in the AWS CLI Command Reference.
The following code example shows how to use create-configuration-policy.

To create a configuration policy

The following create-configuration-policy example creates a configuration policy with the specified settings.

    aws securityhub create-configuration-policy \
        --name "SampleConfigurationPolicy" \
        --description "SampleDescription" \
        --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \
        --tags '{"Environment": "Prod"}'

Output:

    { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see CreateConfigurationPolicy in the AWS CLI Command Reference.
The following code example shows how to use create-finding-aggregator.

To enable finding aggregation

The following create-finding-aggregator example configures finding aggregation. It is run from US East (N. Virginia), which it specifies as the aggregation Region. It indicates to link only the specified Regions, and not to automatically link new Regions. It selects US West (N. California) and US West (Oregon) as the linked Regions.

    aws securityhub create-finding-aggregator \
        --region us-east-1 \
        --region-linking-mode SPECIFIED_REGIONS \
        --regions us-west-1,us-west-2

Output:

    { "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": "us-west-1,us-west-2" }

For more information, see Enabling finding aggregation in the AWS Security Hub User Guide.

For API details, see CreateFindingAggregator in the AWS CLI Command Reference.
The following code example shows how to use create-insight.

To create a custom insight

The following create-insight example creates a custom insight named Critical role findings that returns critical findings related to AWS roles.

    aws securityhub create-insight \
        --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
        --group-by-attribute "ResourceId" \
        --name "Critical role findings"

Output:

    { "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }

For more information, see Managing custom insights in the AWS Security Hub User Guide.

For API details, see CreateInsight in the AWS CLI Command Reference.
The following code example shows how to use create-members.

To add accounts as member accounts

The following create-members example adds two accounts as member accounts of the requesting administrator account.

    aws securityhub create-members \
        --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'

Output:

    { "UnprocessedAccounts": [] }

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see CreateMembers in the AWS CLI Command Reference.
The following code example shows how to use decline-invitations.

To decline an invitation to be a member account

The following decline-invitations example declines an invitation to be a member account of the specified administrator account. The member account is the requesting account.

    aws securityhub decline-invitations \
        --account-ids "123456789012"

Output:

    { "UnprocessedAccounts": [] }

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DeclineInvitations in the AWS CLI Command Reference.
The following code example shows how to use delete-action-target.

To delete a custom action

The following delete-action-target example deletes the custom action identified by the specified ARN.

    aws securityhub delete-action-target \
        --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

    { "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

For API details, see DeleteActionTarget in the AWS CLI Command Reference.
The following code example shows how to use delete-configuration-policy.

To delete a configuration policy

The following delete-configuration-policy example deletes the specified configuration policy.

    aws securityhub delete-configuration-policy \
        --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

This command produces no output.

For more information, see Deleting and disassociating Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see DeleteConfigurationPolicy in the AWS CLI Command Reference.
The following code example shows how to use delete-finding-aggregator.

To stop finding aggregation

The following delete-finding-aggregator example stops finding aggregation. It is run from US East (N. Virginia), which is the aggregation Region.

    aws securityhub delete-finding-aggregator \
        --region us-east-1 \
        --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000

This command produces no output.

For more information, see Stopping finding aggregation in the AWS Security Hub User Guide.

For API details, see DeleteFindingAggregator in the AWS CLI Command Reference.
The following code example shows how to use delete-insight.

To delete a custom insight

The following delete-insight example deletes the custom insight with the specified ARN.

    aws securityhub delete-insight \
        --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

    { "InsightArn": "arn:aws:securityhub:eu-central-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }

For more information, see Managing custom insights in the AWS Security Hub User Guide.

For API details, see DeleteInsight in the AWS CLI Command Reference.
The following code example shows how to use delete-invitations.

To delete an invitation to be a member account

The following delete-invitations example deletes an invitation to be a member account of the specified administrator account. The member account is the requesting account.

    aws securityhub delete-invitations \
        --account-ids "123456789012"

Output:

    { "UnprocessedAccounts": [] }

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DeleteInvitations in the AWS CLI Command Reference.
The following code example shows how to use delete-members.

To delete member accounts

The following delete-members example deletes the specified member accounts from the requesting administrator account.

    aws securityhub delete-members \
        --account-ids "123456789111" "123456789222"

Output:

    { "UnprocessedAccounts": [] }

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DeleteMembers in the AWS CLI Command Reference.
The following code example shows how to use describe-action-targets.

To retrieve details about custom actions

The following describe-action-targets example retrieves information about the custom action identified by the specified ARN.

    aws securityhub describe-action-targets \
        --action-target-arns "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"

Output:

    { "ActionTargets": [ { "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", "Description": "Action to send the finding for remediation tracking", "Name": "Send to remediation" } ] }

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

For API details, see DescribeActionTargets in the AWS CLI Command Reference.
The following code example shows how to use describe-hub.

To get information about a hub resource

The following describe-hub example returns the subscription date for the specified hub resource. The hub resource is identified by its ARN.

    aws securityhub describe-hub \
        --hub-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

    { "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default", "SubscribedAt": "2019-11-19T23:15:10.046Z" }

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

For API details, see DescribeHub in the AWS CLI Command Reference.
The following code example shows how to use describe-organization-configuration.

To view how Security Hub is configured for an organization

The following describe-organization-configuration example returns information about how an organization is configured in Security Hub. In this example, the organization uses central configuration. Only the Security Hub administrator account can run this command.

    aws securityhub describe-organization-configuration

Output:

    { "AutoEnable": false, "MemberAccountLimitReached": false, "AutoEnableStandards": "NONE", "OrganizationConfiguration": { "ConfigurationType": "LOCAL", "Status": "ENABLED", "StatusMessage": "Central configuration has been enabled successfully" } }

For more information, see Managing accounts with AWS Organizations in the AWS Security Hub User Guide.

For API details, see DescribeOrganizationConfiguration in the AWS CLI Command Reference.
The following code example shows how to use describe-products.

To return information about available product integrations

The following describe-products example returns the available product integrations one at a time.

    aws securityhub describe-products \
        --max-results 1

Output:

    { "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==", "Products": [ { "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon", "ProductName": "CrowdStrike Falcon", "CompanyName": "CrowdStrike", "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.", "Categories": [ "Endpoint Detection and Response (EDR)", "AV Scanning and Sandboxing", "Threat Intelligence Feeds and Reports", "Endpoint Forensics", "Network Forensics" ], "IntegrationTypes": [ "SEND_FINDINGS_TO_SECURITY_HUB" ], "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation", "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}" } ] }

For more information, see Managing product integrations in the AWS Security Hub User Guide.

For API details, see DescribeProducts in the AWS CLI Command Reference.
The following code example shows how to use describe-standards-controls.

To request the list of controls in an enabled standard

The following describe-standards-controls example requests the list of controls in the requester account's subscription to the PCI DSS standard. The request returns two controls at a time.

    aws securityhub describe-standards-controls \
        --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" \
        --max-results 2

Output:

    { "Controls": [ { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00", "ControlId": "PCI.AutoScaling.1", "Title": "Auto scaling groups associated with a load balancer should use health checks", "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation", "SeverityRating": "LOW", "RelatedRequirements": [ "PCI DSS 2.2" ] }, { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00", "ControlId": "PCI.CW.1", "Title": "A log metric filter and alarm should exist for usage of the \"root\" user", "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation", "SeverityRating": "MEDIUM", "RelatedRequirements": [ "PCI DSS 7.2.1" ] } ], "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW" }

For more information, see Viewing details for a control in the AWS Security Hub User Guide.

For API details, see DescribeStandardsControls in the AWS CLI Command Reference.
The following code example shows how to use describe-standards.

To return a list of available standards

The following describe-standards example returns the list of available standards.

    aws securityhub describe-standards

Output:

    { "Standards": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0", "Name": "AWS Foundational Security Best Practices v1.0.0", "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "Name": "CIS AWS Foundations Benchmark v1.2.0", "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "Name": "PCI DSS v3.2.1", "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.", "EnabledByDefault": false } ] }

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

For API details, see DescribeStandards in the AWS CLI Command Reference.
The following code example shows how to use disable-import-findings-for-product.

To stop receiving findings from a product integration

The following disable-import-findings-for-product example disables the flow of findings for the specified subscription to a product integration.

    aws securityhub disable-import-findings-for-product \
        --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"

This command produces no output.

For more information, see Managing product integrations in the AWS Security Hub User Guide.

For API details, see DisableImportFindingsForProduct in the AWS CLI Command Reference.
The following code example shows how to use disable-organization-admin-account.

To remove the Security Hub administrator account

The following disable-organization-admin-account example revokes the specified account's assignment as the Security Hub administrator account for AWS Organizations.

    aws securityhub disable-organization-admin-account \
        --admin-account-id 777788889999

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

For API details, see DisableOrganizationAdminAccount in the AWS CLI Command Reference.
The following code example shows how to use disable-security-hub.

To disable AWS Security Hub

The following disable-security-hub example disables AWS Security Hub for the requesting account.

    aws securityhub disable-security-hub

This command produces no output.

For more information, see Disabling AWS Security Hub in the AWS Security Hub User Guide.

For API details, see DisableSecurityHub in the AWS CLI Command Reference.
The following code example shows how to use disassociate-from-administrator-account.

To disassociate from the administrator account

The following disassociate-from-administrator-account example disassociates the requesting account from its current administrator account.

    aws securityhub disassociate-from-administrator-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DisassociateFromAdministratorAccount in the AWS CLI Command Reference.
The following code example shows how to use disassociate-from-master-account.

To disassociate from the administrator account

The following disassociate-from-master-account example disassociates the requesting account from its current administrator account.

    aws securityhub disassociate-from-master-account

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DisassociateFromMasterAccount in the AWS CLI Command Reference.
The following code example shows how to use disassociate-members.

To disassociate member accounts

The following disassociate-members example disassociates the specified member accounts from the requesting administrator account.

    aws securityhub disassociate-members \
        --account-ids "123456789111" "123456789222"

This command produces no output.

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see DisassociateMembers in the AWS CLI Command Reference.
The following code example shows how to use enable-import-findings-for-product.

To start receiving findings from a product integration

The following enable-import-findings-for-product example enables the flow of findings from the specified product integration.

```shell
aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"
```

Output:

```json
{
  "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
}
```

For more information, see Managing product integrations in the AWS Security Hub User Guide.

For API details, see EnableImportFindingsForProduct in the AWS CLI Command Reference.

The following code example shows how to use enable-organization-admin-account.

To designate an organization account as the Security Hub administrator account

The following enable-organization-admin-account example designates the specified account as the Security Hub administrator account.

```shell
aws securityhub enable-organization-admin-account \
    --admin-account-id 777788889999
```

This command produces no output.

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

For API details, see EnableOrganizationAdminAccount in the AWS CLI Command Reference.

The following code example shows how to use enable-security-hub.

To enable AWS Security Hub

The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards. For the hub resource, it assigns the value Security to the tag Department.

```shell
aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'
```

This command produces no output.

For more information, see Enabling Security Hub in the AWS Security Hub User Guide.

For API details, see EnableSecurityHub in the AWS CLI Command Reference.

The following code example shows how to use get-administrator-account.

To retrieve information about the administrator account

The following get-administrator-account example retrieves information about the administrator account of the requesting account.

```shell
aws securityhub get-administrator-account
```

Output:

```json
{
  "Master": {
    "AccountId": "123456789012",
    "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
    "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
    "MemberStatus": "ASSOCIATED"
  }
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see GetAdministratorAccount in the AWS CLI Command Reference.

The following code example shows how to use get-configuration-policy-association.

To get configuration association details for a target

The following get-configuration-policy-association example retrieves association details for the specified target. You can provide an account ID, organizational unit ID, or root ID for the target.

```shell
aws securityhub get-configuration-policy-association \
    --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'
```

Output:

```json
{
  "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
  "TargetId": "ou-6hi7-8j91kl2m",
  "TargetType": "ORGANIZATIONAL_UNIT",
  "AssociationType": "APPLIED",
  "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
  "AssociationStatus": "SUCCESS",
  "AssociationStatusMessage": "Association applied successfully on this target."
}
```

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see GetConfigurationPolicyAssociation in the AWS CLI Command Reference.

The following code example shows how to use get-configuration-policy.

To view configuration policy details

The following get-configuration-policy example retrieves details about the specified configuration policy.

```shell
aws securityhub get-configuration-policy \
    --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

Output:

```json
{
  "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b",
  "Name": "SampleConfigurationPolicy",
  "Description": "SampleDescription",
  "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
  "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
  "ConfigurationPolicy": {
    "SecurityHub": {
      "ServiceEnabled": true,
      "EnabledStandardIdentifiers": [
        "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      ],
      "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": [
          "CloudTrail.2"
        ],
        "SecurityControlCustomParameters": [
          {
            "SecurityControlId": "ACM.1",
            "Parameters": {
              "daysToExpiration": {
                "ValueType": "CUSTOM",
                "Value": {
                  "Integer": 15
                }
              }
            }
          }
        ]
      }
    }
  }
}
```

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see GetConfigurationPolicy in the AWS CLI Command Reference.

The following code example shows how to use get-enabled-standards.

To retrieve information about enabled standards

The following get-enabled-standards example retrieves information about the PCI DSS standard.

```shell
aws securityhub get-enabled-standards \
    --standards-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
```

Output:

```json
{
  "StandardsSubscriptions": [
    {
      "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1",
      "StandardsInput": {},
      "StandardsStatus": "READY",
      "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"
    }
  ]
}
```

For more information, see Security standards in AWS Security Hub in the AWS Security Hub User Guide.

For API details, see GetEnabledStandards in the AWS CLI Command Reference.

The following code example shows how to use get-finding-aggregator.

To retrieve the current finding aggregation configuration

The following get-finding-aggregator example retrieves the current finding aggregation configuration.

```shell
aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000
```

Output:

```json
{
  "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000",
  "FindingAggregationRegion": "us-east-1",
  "RegionLinkingMode": "SPECIFIED_REGIONS",
  "Regions": "us-west-1,us-west-2"
}
```

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

For API details, see GetFindingAggregator in the AWS CLI Command Reference.

The following code example shows how to use get-finding-history.

To get finding history

The following get-finding-history example gets up to the last 90 days of history for the specified finding. In this example, the results are limited to two records of finding history.

```shell
aws securityhub get-finding-history \
    --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"
```

Output:

```json
{
  "Records": [
    {
      "FindingIdentifier": {
        "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
      },
      "UpdateTime": "2023-06-02T03:15:25.685000+00:00",
      "FindingCreated": false,
      "UpdateSource": {
        "Type": "BATCH_IMPORT_FINDINGS",
        "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
      },
      "Updates": [
        {
          "UpdatedField": "Compliance.RelatedRequirements",
          "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]",
          "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]"
        },
        {
          "UpdatedField": "LastObservedAt",
          "OldValue": "2023-06-01T09:15:38.587Z",
          "NewValue": "2023-06-02T03:15:22.946Z"
        },
        {
          "UpdatedField": "UpdatedAt",
          "OldValue": "2023-06-01T09:15:31.049Z",
          "NewValue": "2023-06-02T03:15:14.861Z"
        },
        {
          "UpdatedField": "ProcessedAt",
          "OldValue": "2023-06-01T09:15:41.058Z",
          "NewValue": "2023-06-02T03:15:25.685Z"
        }
      ]
    },
    {
      "FindingIdentifier": {
        "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
      },
      "UpdateTime": "2023-05-23T02:06:51.518000+00:00",
      "FindingCreated": "true",
      "UpdateSource": {
        "Type": "BATCH_IMPORT_FINDINGS",
        "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
      },
      "Updates": []
    }
  ]
}
```

For more information, see Finding history in the AWS Security Hub User Guide.

For API details, see GetFindingHistory in the AWS CLI Command Reference.

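The history records above are most useful when flattened into a timeline, and the list-valued fields (such as Compliance.RelatedRequirements) are easier to audit as an added/removed diff than as two long JSON strings. The following Python is an added example, not code from the AWS documentation; SAMPLE_HISTORY is a trimmed copy of the page's get-finding-history output, and the code tolerates FindingCreated appearing either as a boolean or as the string "true", as it does in that output.

```python
"""Flatten a get-finding-history response into a chronological change log and
diff JSON-encoded list fields so the reviewer sees what was added and removed.

Added example, not from the AWS documentation page. SAMPLE_HISTORY is a
trimmed copy of the page's get-finding-history output."""
import json
from datetime import datetime


def _parse_time(value):
    """The CLI prints timestamps like 2023-06-02T03:15:25.685000+00:00."""
    return datetime.fromisoformat(value)


def _is_true(value):
    """FindingCreated appears both as a bool and as the string "true"."""
    return value is True or str(value).lower() == "true"


def list_diff(old_value, new_value):
    """Diff two JSON-encoded lists as (added, removed); None if the values
    are not both JSON lists (timestamps, scalars, missing values)."""
    try:
        old, new = json.loads(old_value), json.loads(new_value)
    except (TypeError, ValueError):
        return None
    if not (isinstance(old, list) and isinstance(new, list)):
        return None
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def change_log(response):
    """Return (time, field, old, new) tuples, oldest first. A record whose
    FindingCreated is set contributes a synthetic '<created>' entry that
    records the update source instead of a field change."""
    events = []
    for record in response.get("Records", []):
        when = _parse_time(record["UpdateTime"])
        source = record.get("UpdateSource", {}).get("Type")
        if _is_true(record.get("FindingCreated")):
            events.append((when, "<created>", None, source))
        for update in record.get("Updates", []):
            events.append((when, update["UpdatedField"],
                           update.get("OldValue"), update.get("NewValue")))
    return sorted(events, key=lambda e: e[0])


SAMPLE_HISTORY = {"Records": [
    {"UpdateTime": "2023-06-02T03:15:25.685000+00:00", "FindingCreated": False,
     "UpdateSource": {"Type": "BATCH_IMPORT_FINDINGS"},
     "Updates": [
         {"UpdatedField": "Compliance.RelatedRequirements",
          "OldValue": json.dumps(["NIST.800-53.r5 SC-12(2)", "NIST.800-53.r5 SC-12(3)",
                                  "NIST.800-53.r5 SC-12(6)", "NIST.800-53.r5 SC-13"]),
          "NewValue": json.dumps(["NIST.800-53.r5 SC-12(2)", "NIST.800-53.r5 SC-13",
                                  "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 AU-9"])},
         {"UpdatedField": "LastObservedAt",
          "OldValue": "2023-06-01T09:15:38.587Z", "NewValue": "2023-06-02T03:15:22.946Z"}]},
    {"UpdateTime": "2023-05-23T02:06:51.518000+00:00", "FindingCreated": "true",
     "UpdateSource": {"Type": "BATCH_IMPORT_FINDINGS"}, "Updates": []},
]}


if __name__ == "__main__":
    for when, field, old, new in change_log(SAMPLE_HISTORY):
        diff = list_diff(old, new)
        if diff:
            added, removed = diff
            print(f"{when:%Y-%m-%d %H:%M} {field}: +{added} -{removed}")
        else:
            print(f"{when:%Y-%m-%d %H:%M} {field}: {old!r} -> {new!r}")
```

To run it against live data, replace SAMPLE_HISTORY with the parsed output of the get-finding-history command shown above (for example via `json.load` on the CLI's stdout).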
The following code example shows how to use get-findings.

Example 1: To return findings generated for a specific standard

The following get-findings example returns findings for the PCI DSS standard.

```shell
aws securityhub get-findings \
    --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \
    --max-items 1
```

Output:

```json
{
  "Findings": [
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub",
      "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2",
      "AwsAccountId": "123456789012",
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
      ],
      "FindingProviderFields": {
        "Severity": {
          "Original": 0,
          "Label": "INFORMATIONAL"
        },
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
        ]
      },
      "FirstObservedAt": "2020-06-02T14:02:49.159Z",
      "LastObservedAt": "2020-06-02T14:02:52.397Z",
      "CreatedAt": "2020-06-02T14:02:49.159Z",
      "UpdatedAt": "2020-06-02T14:02:52.397Z",
      "Severity": {
        "Original": 0,
        "Label": "INFORMATIONAL",
        "Normalized": 0
      },
      "Title": "PCI.Lambda.2 Lambda functions should be in a VPC",
      "Description": "This AWS control checks whether a Lambda function is in a VPC.",
      "Remediation": {
        "Recommendation": {
          "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.",
          "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation"
        }
      },
      "ProductFields": {
        "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
        "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1",
        "ControlId": "PCI.Lambda.2",
        "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation",
        "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b",
        "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2",
        "aws/securityhub/SeverityLabel": "INFORMATIONAL",
        "aws/securityhub/ProductName": "Security Hub",
        "aws/securityhub/CompanyName": "AWS",
        "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
      },
      "Resources": [
        {
          "Type": "AwsAccount",
          "Id": "AWS::::Account:123456789012",
          "Partition": "aws",
          "Region": "us-west-1"
        }
      ],
      "Compliance": {
        "Status": "PASSED",
        "RelatedRequirements": [
          "PCI DSS 1.2.1",
          "PCI DSS 1.3.1",
          "PCI DSS 1.3.2",
          "PCI DSS 1.3.4"
        ]
      },
      "WorkflowState": "NEW",
      "Workflow": {
        "Status": "NEW"
      },
      "RecordState": "ARCHIVED"
    }
  ],
  "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ=="
}
```

Example 2: To return critical-severity findings that have a workflow status of NOTIFIED

The following get-findings example returns findings whose severity label is CRITICAL and whose workflow status is NOTIFIED. The results are sorted in descending order by the confidence value.

```shell
aws securityhub get-findings \
    --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \
    --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \
    --max-items 1
```

Output:

```json
{
  "Findings": [
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
      "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13",
      "AwsAccountId": "123456789012",
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "FindingProviderFields": {
        "Severity": {
          "Original": 90,
          "Label": "CRITICAL"
        },
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
        ]
      },
      "FirstObservedAt": "2020-05-21T20:16:34.752Z",
      "LastObservedAt": "2020-06-09T08:16:37.171Z",
      "CreatedAt": "2020-05-21T20:16:34.752Z",
      "UpdatedAt": "2020-06-09T08:16:36.430Z",
      "Severity": {
        "Original": 90,
        "Label": "CRITICAL",
        "Normalized": 90
      },
      "Title": "1.13 Ensure MFA is enabled for the \"root\" account",
      "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.",
      "Remediation": {
        "Recommendation": {
          "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
          "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation"
        }
      },
      "ProductFields": {
        "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
        "RuleId": "1.13",
        "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation",
        "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha",
        "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13",
        "aws/securityhub/SeverityLabel": "CRITICAL",
        "aws/securityhub/ProductName": "Security Hub",
        "aws/securityhub/CompanyName": "AWS",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
      },
      "Resources": [
        {
          "Type": "AwsAccount",
          "Id": "AWS::::Account:123456789012",
          "Partition": "aws",
          "Region": "us-west-1"
        }
      ],
      "Compliance": {
        "Status": "FAILED"
      },
      "WorkflowState": "NEW",
      "Workflow": {
        "Status": "NOTIFIED"
      },
      "RecordState": "ACTIVE"
    }
  ]
}
```

For more information, see Filtering and sorting findings in the AWS Security Hub User Guide.

For API details, see GetFindings in the AWS CLI Command Reference.

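The two get-findings calls above hand-write the --filters document and cap the result with --max-items, which hides the NextToken in the first output. The following Python is an added example, not code from the AWS documentation: it builds the AwsSecurityFindingFilters document for the filter attributes the page uses (SeverityLabel, WorkflowStatus, GeneratorId), assembles the argv for the CLI call, follows NextToken across pages, and summarizes the findings by severity and compliance status so that failed, still-active findings stand out. SAMPLE_PAGES and fetch_sample_page are constructed stand-ins for the real paged responses, keeping only the fields the code reads.

```python
"""Build AwsSecurityFindingFilters for `aws securityhub get-findings`, page
through the results, and summarize them by severity and compliance status.

Added example, not from the AWS documentation page. The sample findings
below are constructed from the shape of the page's two get-findings outputs
(only the fields this code reads are kept)."""
import json
from collections import Counter


def build_filters(severity_labels=(), workflow_statuses=(), generator_prefix=None):
    """Return a dict in the AwsSecurityFindingFilters shape the CLI expects
    for --filters. Each attribute maps to a list of {Value, Comparison}."""
    filters = {}
    if severity_labels:
        filters["SeverityLabel"] = [
            {"Value": label, "Comparison": "EQUALS"} for label in severity_labels]
    if workflow_statuses:
        filters["WorkflowStatus"] = [
            {"Value": status, "Comparison": "EQUALS"} for status in workflow_statuses]
    if generator_prefix:
        filters["GeneratorId"] = [{"Value": generator_prefix, "Comparison": "PREFIX"}]
    return filters


def get_findings_argv(filters, sort_field=None, sort_order="desc", max_items=None):
    """Assemble the argv for the CLI call (suitable for subprocess.run);
    the filter and sort documents are passed as JSON strings, as on the page."""
    argv = ["aws", "securityhub", "get-findings", "--filters", json.dumps(filters)]
    if sort_field:
        argv += ["--sort-criteria", json.dumps({"Field": sort_field, "SortOrder": sort_order})]
    if max_items is not None:
        argv += ["--max-items", str(max_items)]
    return argv


def iterate_findings(fetch_page):
    """Follow NextToken until the service stops returning one.
    fetch_page(next_token) must return one parsed get-findings response."""
    token = None
    while True:
        page = fetch_page(token)
        for finding in page.get("Findings", []):
            yield finding
        token = page.get("NextToken")
        if not token:
            return


def summarize(findings):
    """Count findings by (severity label, compliance status) and list the
    failed, still-active findings that need attention, with their workflow status."""
    counts = Counter()
    open_failures = []
    for f in findings:
        label = f.get("Severity", {}).get("Label", "UNKNOWN")
        status = f.get("Compliance", {}).get("Status", "NONE")
        counts[(label, status)] += 1
        if status == "FAILED" and f.get("RecordState") == "ACTIVE":
            open_failures.append((f.get("Title"), f.get("Workflow", {}).get("Status")))
    return counts, open_failures


# Constructed sample pages, modelled on the page's outputs; the first page
# carries a NextToken, the second does not.
SAMPLE_PAGES = [
    {"Findings": [{
        "Title": "PCI.Lambda.2 Lambda functions should be in a VPC",
        "Severity": {"Label": "INFORMATIONAL", "Normalized": 0},
        "Compliance": {"Status": "PASSED"},
        "Workflow": {"Status": "NEW"}, "RecordState": "ARCHIVED"}],
     "NextToken": "page-2"},
    {"Findings": [{
        "Title": "1.13 Ensure MFA is enabled for the \"root\" account",
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NOTIFIED"}, "RecordState": "ACTIVE"}]},
]


def fetch_sample_page(token):
    """Stand-in for running the CLI: returns the constructed pages in order."""
    return SAMPLE_PAGES[0] if token is None else SAMPLE_PAGES[1]


if __name__ == "__main__":
    filters = build_filters(["CRITICAL"], ["NOTIFIED"])
    print(" ".join(get_findings_argv(filters, "Confidence", max_items=1)))
    counts, failures = summarize(iterate_findings(fetch_sample_page))
    print(dict(counts), failures)
```

With real data, fetch_page would run the argv from get_findings_argv (adding --next-token when a token is present) and json-parse its stdout; the rest of the code does not change.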
The following code example shows how to use get-insight-results.

To retrieve the results of an insight

The following get-insight-results example returns the list of insight results for the insight with the specified ARN.

```shell
aws securityhub get-insight-results \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

Output:

```json
{
  "InsightResults": {
    "GroupByAttribute": "ResourceId",
    "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "ResultValues": [
      {
        "Count": 10,
        "GroupByAttributeValue": "AWS::::Account:123456789111"
      },
      {
        "Count": 3,
        "GroupByAttributeValue": "AWS::::Account:123456789222"
      }
    ]
  }
}
```

For more information, see Viewing and taking action on insight results and findings in the AWS Security Hub User Guide.

For API details, see GetInsightResults in the AWS CLI Command Reference.

The following code example shows how to use get-insights.

To retrieve details about an insight

The following get-insights example retrieves the configuration details for the insight with the specified ARN.

```shell
aws securityhub get-insights \
    --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

Output:

```json
{
  "Insights": [
    {
      "Filters": {
        "ResourceType": [
          {
            "Comparison": "EQUALS",
            "Value": "AwsIamRole"
          }
        ],
        "SeverityLabel": [
          {
            "Comparison": "EQUALS",
            "Value": "CRITICAL"
          }
        ]
      },
      "GroupByAttribute": "ResourceId",
      "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "Name": "Critical role findings"
    }
  ]
}
```

For more information, see Insights in AWS Security Hub in the AWS Security Hub User Guide.

For API details, see GetInsights in the AWS CLI Command Reference.

The following code example shows how to use get-invitations-count.

To retrieve the count of invitations that were not accepted

The following get-invitations-count example retrieves the number of invitations that the requesting account declined or did not respond to.

```shell
aws securityhub get-invitations-count
```

Output:

```json
{
  "InvitationsCount": 3
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see GetInvitationsCount in the AWS CLI Command Reference.

The following code example shows how to use get-master-account.

To retrieve information about the administrator account

The following get-master-account example retrieves information about the administrator account of the requesting account.

```shell
aws securityhub get-master-account
```

Output:

```json
{
  "Master": {
    "AccountId": "123456789012",
    "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
    "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
    "MemberStatus": "ASSOCIATED"
  }
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see GetMasterAccount in the AWS CLI Command Reference.

The following code example shows how to use get-members.

To retrieve information about selected member accounts

The following get-members example retrieves information about the specified member accounts.

```shell
aws securityhub get-members \
    --account-ids "444455556666" "777788889999"
```

Output:

```json
{
  "Members": [
    {
      "AccountId": "123456789111",
      "AdministratorId": "123456789012",
      "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
      "MasterId": "123456789012",
      "MemberStatus": "ASSOCIATED",
      "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
    },
    {
      "AccountId": "123456789222",
      "AdministratorId": "123456789012",
      "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
      "MasterId": "123456789012",
      "MemberStatus": "ASSOCIATED",
      "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
    }
  ],
  "UnprocessedAccounts": []
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see GetMembers in the AWS CLI Command Reference.

The following code example shows how to use get-security-control-definition.

To get security control definition details

The following get-security-control-definition example retrieves definition details for a Security Hub security control. The details include the control title, description, Region availability, parameters, and other information.

```shell
aws securityhub get-security-control-definition \
    --security-control-id ACM.1
```

Output:

```json
{
  "SecurityControlDefinition": {
    "SecurityControlId": "ACM.1",
    "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
    "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
    "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
    "SeverityRating": "MEDIUM",
    "CurrentRegionAvailability": "AVAILABLE",
    "ParameterDefinitions": {
      "daysToExpiration": {
        "Description": "Number of days within which the ACM certificate must be renewed",
        "ConfigurationOptions": {
          "Integer": {
            "DefaultValue": 30,
            "Min": 14,
            "Max": 365
          }
        }
      }
    }
  }
}
```

For more information, see Custom control parameters in the AWS Security Hub User Guide.

For API details, see GetSecurityControlDefinition in the AWS CLI Command Reference.

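The ParameterDefinitions returned above (a typed ConfigurationOptions block with Min, Max and DefaultValue) are the authoritative bounds for the SecurityControlCustomParameters that appear in a configuration policy, such as the ACM.1 daysToExpiration value in the get-configuration-policy output earlier on this page. The following Python is an added example, not code from the AWS documentation, that checks a policy's CUSTOM parameter values against the control definitions before the policy is created or updated. ACM1_DEFINITION is trimmed from the page's get-security-control-definition output, policy_with_days rebuilds the page's policy fragment, and the value 7 used in the usage is a constructed out-of-range case.

```python
"""Validate the SecurityControlCustomParameters of a Security Hub
configuration policy against the ParameterDefinitions that
get-security-control-definition returns for each control.

Added example, not from the AWS documentation page. ACM1_DEFINITION is
trimmed from the page's get-security-control-definition output; the
out-of-range value 7 used below is constructed."""

# Typed option keys that carry Min/Max bounds in ConfigurationOptions.
NUMERIC_TYPES = ("Integer", "Double")


def validate_custom_parameters(policy, definitions):
    """Return a list of human-readable problems; an empty list means every
    CUSTOM parameter in the policy fits its control definition.
    `definitions` maps SecurityControlId -> SecurityControlDefinition."""
    problems = []
    hub = policy.get("ConfigurationPolicy", {}).get("SecurityHub", {})
    controls = hub.get("SecurityControlsConfiguration", {})
    for entry in controls.get("SecurityControlCustomParameters", []):
        control_id = entry.get("SecurityControlId")
        definition = definitions.get(control_id)
        if definition is None:
            problems.append(f"{control_id}: no definition available")
            continue
        param_defs = definition.get("ParameterDefinitions", {})
        for name, param in entry.get("Parameters", {}).items():
            if name not in param_defs:
                problems.append(f"{control_id}.{name}: unknown parameter")
                continue
            if param.get("ValueType") != "CUSTOM":
                continue  # DEFAULT keeps the service default; nothing to check
            options = param_defs[name].get("ConfigurationOptions", {})
            value = param.get("Value", {})
            # The Value object must use the same type key as ConfigurationOptions.
            if not value or set(value) != set(options):
                problems.append(f"{control_id}.{name}: expected type "
                                f"{sorted(options)}, got {sorted(value)}")
                continue
            kind = next(iter(options))
            if kind in NUMERIC_TYPES:
                lo, hi = options[kind].get("Min"), options[kind].get("Max")
                v = value[kind]
                if (lo is not None and v < lo) or (hi is not None and v > hi):
                    problems.append(f"{control_id}.{name}: {v} outside [{lo}, {hi}]")
    return problems


ACM1_DEFINITION = {
    "SecurityControlId": "ACM.1",
    "ParameterDefinitions": {
        "daysToExpiration": {
            "Description": "Number of days within which the ACM certificate must be renewed",
            "ConfigurationOptions": {"Integer": {"DefaultValue": 30, "Min": 14, "Max": 365}}}}}


def policy_with_days(days):
    """Rebuild the page's configuration-policy fragment with the given
    ACM.1 daysToExpiration value."""
    return {"ConfigurationPolicy": {"SecurityHub": {
        "ServiceEnabled": True,
        "SecurityControlsConfiguration": {
            "DisabledSecurityControlIdentifiers": ["CloudTrail.2"],
            "SecurityControlCustomParameters": [{
                "SecurityControlId": "ACM.1",
                "Parameters": {"daysToExpiration": {
                    "ValueType": "CUSTOM", "Value": {"Integer": days}}}}]}}}}


if __name__ == "__main__":
    defs = {"ACM.1": ACM1_DEFINITION}
    print(validate_custom_parameters(policy_with_days(15), defs))  # the page's value
    print(validate_custom_parameters(policy_with_days(7), defs))   # constructed, too low
```

In practice `definitions` is filled by running get-security-control-definition once per control that the policy customizes, and the policy document is the one that would be passed to create-configuration-policy or update-configuration-policy.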
The following code example shows how to use invite-members.

To send invitations to member accounts

The following invite-members example sends invitations to the specified member accounts.

```shell
aws securityhub invite-members \
    --account-ids "123456789111" "123456789222"
```

Output:

```json
{
  "UnprocessedAccounts": []
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see InviteMembers in the AWS CLI Command Reference.

The following code example shows how to use list-automation-rules.

To view a list of automation rules

The following list-automation-rules example lists the automation rules for an AWS account. Only the Security Hub administrator account can run this command.

```shell
aws securityhub list-automation-rules \
    --max-results 3 \
    --next-token NULL
```

Output:

```json
{
  "AutomationRulesMetadata": [
    {
      "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "RuleStatus": "ENABLED",
      "RuleOrder": 1,
      "RuleName": "Suppress informational findings",
      "Description": "Suppress GuardDuty findings with Informational severity",
      "IsTerminal": false,
      "CreatedAt": "2023-05-31T17:56:14.837000+00:00",
      "UpdatedAt": "2023-05-31T17:59:38.466000+00:00",
      "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
    },
    {
      "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
      "RuleStatus": "ENABLED",
      "RuleOrder": 1,
      "RuleName": "sample rule",
      "Description": "A sample rule",
      "IsTerminal": false,
      "CreatedAt": "2023-07-15T23:37:20.223000+00:00",
      "UpdatedAt": "2023-07-15T23:37:20.223000+00:00",
      "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
    },
    {
      "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
      "RuleStatus": "ENABLED",
      "RuleOrder": 1,
      "RuleName": "sample rule",
      "Description": "A sample rule",
      "IsTerminal": false,
      "CreatedAt": "2023-07-15T23:45:25.126000+00:00",
      "UpdatedAt": "2023-07-15T23:45:25.126000+00:00",
      "CreatedBy": "arn:aws:iam::123456789012:role/Admin"
    }
  ]
}
```

For more information, see Viewing automation rules in the AWS Security Hub User Guide.

For API details, see ListAutomationRules in the AWS CLI Command Reference.

The following code example shows how to use list-configuration-policies.

To list configuration policy summaries

The following list-configuration-policies example lists a summary of configuration policies for the organization.

```shell
aws securityhub list-configuration-policies \
    --max-items 3
```

Output:

```json
{
  "ConfigurationPolicySummaries": [
    {
      "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "Name": "SampleConfigurationPolicy1",
      "Description": "SampleDescription1",
      "UpdatedAt": "2023-09-26T21:08:36.214000+00:00",
      "ServiceEnabled": true
    },
    {
      "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
      "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
      "Name": "SampleConfigurationPolicy2",
      "Description": "SampleDescription2",
      "UpdatedAt": "2023-11-28T19:26:25.207000+00:00",
      "ServiceEnabled": true
    },
    {
      "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
      "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
      "Name": "SampleConfigurationPolicy3",
      "Description": "SampleDescription3",
      "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
      "ServiceEnabled": true
    }
  ]
}
```

For more information, see Viewing Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see ListConfigurationPolicies in the AWS CLI Command Reference.

The following code example shows how to use list-configuration-policy-associations.

To list configuration associations

The following list-configuration-policy-associations example lists a summary of configuration associations for the organization. The response includes associations with configuration policies and with self-managed behavior.

```shell
aws securityhub list-configuration-policy-associations \
    --filters '{"AssociationType": "APPLIED"}' \
    --max-items 4
```

Output:

```json
{
  "ConfigurationPolicyAssociationSummaries": [
    {
      "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "TargetId": "r-1ab2",
      "TargetType": "ROOT",
      "AssociationType": "APPLIED",
      "UpdatedAt": "2023-11-28T19:26:49.417000+00:00",
      "AssociationStatus": "FAILED",
      "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed."
    },
    {
      "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
      "TargetId": "ou-1ab2-c3de4f5g",
      "TargetType": "ORGANIZATIONAL_UNIT",
      "AssociationType": "APPLIED",
      "UpdatedAt": "2023-09-26T21:14:05.283000+00:00",
      "AssociationStatus": "FAILED",
      "AssociationStatusMessage": "One or more children under this target failed association."
    },
    {
      "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
      "TargetId": "ou-6hi7-8j91kl2m",
      "TargetType": "ORGANIZATIONAL_UNIT",
      "AssociationType": "APPLIED",
      "UpdatedAt": "2023-09-26T21:13:01.816000+00:00",
      "AssociationStatus": "SUCCESS",
      "AssociationStatusMessage": "Association applied successfully on this target."
    },
    {
      "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
      "TargetId": "111122223333",
      "TargetType": "ACCOUNT",
      "AssociationType": "APPLIED",
      "UpdatedAt": "2023-11-28T22:01:26.409000+00:00",
      "AssociationStatus": "SUCCESS"
    }
  ]
}
```

For more information, see Viewing configuration policy status and details in the AWS Security Hub User Guide.

For API details, see ListConfigurationPolicyAssociations in the AWS CLI Command Reference.

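The association listing above mixes three things an administrator needs to separate: targets whose policy application FAILED, targets still PENDING, and accounts whose ConfigurationPolicyId is SELF_MANAGED_SECURITY_HUB and therefore sit outside any central policy. The following Python is an added example, not code from the AWS documentation, that triages the listing and builds the --target document needed to drill into one failed target with get-configuration-policy-association (the example earlier on this page shows the OrganizationalUnitId form; the AccountId and RootId keys for the other two target types are stated here as an assumption about the Target shape). SAMPLE_RESPONSE is a trimmed copy of the page's output.

```python
"""Triage list-configuration-policy-associations output and build the
--target document for follow-up get-configuration-policy-association calls.

Added example, not from the AWS documentation page. SAMPLE_RESPONSE is a
trimmed copy of the page's output. TARGET_KEYS assumes the Target object
takes exactly one of AccountId, OrganizationalUnitId or RootId."""
import json

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"

# Assumed mapping from TargetType in the listing to the key used in --target.
TARGET_KEYS = {
    "ACCOUNT": "AccountId",
    "ORGANIZATIONAL_UNIT": "OrganizationalUnitId",
    "ROOT": "RootId",
}


def triage_associations(response):
    """Split the summaries into (failed, pending, self_managed); each entry is
    (TargetType, TargetId, AssociationStatusMessage or '')."""
    failed, pending, self_managed = [], [], []
    for a in response.get("ConfigurationPolicyAssociationSummaries", []):
        key = (a["TargetType"], a["TargetId"], a.get("AssociationStatusMessage", ""))
        if a.get("ConfigurationPolicyId") == SELF_MANAGED:
            self_managed.append(key)
        status = a.get("AssociationStatus")
        if status == "FAILED":
            failed.append(key)
        elif status == "PENDING":
            pending.append(key)
    return failed, pending, self_managed


def target_document(target_type, target_id):
    """JSON for --target, e.g. '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'."""
    return json.dumps({TARGET_KEYS[target_type]: target_id})


def follow_up_argv(failed):
    """One get-configuration-policy-association argv per failed target."""
    return [["aws", "securityhub", "get-configuration-policy-association",
             "--target", target_document(t_type, t_id)]
            for t_type, t_id, _ in failed]


SAMPLE_RESPONSE = {"ConfigurationPolicyAssociationSummaries": [
    {"ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "TargetId": "r-1ab2",
     "TargetType": "ROOT", "AssociationStatus": "FAILED",
     "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed."},
    {"ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "TargetId": "ou-1ab2-c3de4f5g",
     "TargetType": "ORGANIZATIONAL_UNIT", "AssociationStatus": "FAILED",
     "AssociationStatusMessage": "One or more children under this target failed association."},
    {"ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m",
     "TargetType": "ORGANIZATIONAL_UNIT", "AssociationStatus": "SUCCESS",
     "AssociationStatusMessage": "Association applied successfully on this target."},
    {"ConfigurationPolicyId": SELF_MANAGED, "TargetId": "111122223333",
     "TargetType": "ACCOUNT", "AssociationStatus": "SUCCESS"},
]}


if __name__ == "__main__":
    failed, pending, self_managed = triage_associations(SAMPLE_RESPONSE)
    print("failed:", [t[1] for t in failed])
    print("pending:", [t[1] for t in pending])
    print("self-managed:", [t[1] for t in self_managed])
    for argv in follow_up_argv(failed):
        print(" ".join(argv))
```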
The following code example shows how to use list-enabled-products-for-import.

To return the list of enabled product integrations

The following list-enabled-products-for-import example returns the list of subscription ARNs for the product integrations that are currently enabled.

```shell
aws securityhub list-enabled-products-for-import
```

Output:

```json
{
  "ProductSubscriptions": [
    "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",
    "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub"
  ]
}
```

For more information, see Managing product integrations in the AWS Security Hub User Guide.

For API details, see ListEnabledProductsForImport in the AWS CLI Command Reference.

The following code example shows how to use list-finding-aggregators.

To list the finding aggregators

The following list-finding-aggregators example returns the ARN of the finding aggregation configuration.

```shell
aws securityhub list-finding-aggregators
```

Output:

```json
{
  "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000"
}
```

For more information, see Viewing the current finding aggregation configuration in the AWS Security Hub User Guide.

For API details, see ListFindingAggregators in the AWS CLI Command Reference.

The following code example shows how to use list-invitations.

To display a list of invitations

The following list-invitations example retrieves the list of invitations sent to the requesting account.

```shell
aws securityhub list-invitations
```

Output:

```json
{
  "Invitations": [
    {
      "AccountId": "123456789012",
      "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
      "InvitedAt": "2020-06-01T20:21:18.042000+00:00",
      "MemberStatus": "ASSOCIATED"
    }
  ]
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see ListInvitations in the AWS CLI Command Reference.

The following code example shows how to use list-members.

To retrieve a list of member accounts

The following list-members example returns the list of member accounts for the requesting administrator account.

```shell
aws securityhub list-members
```

Output:

```json
{
  "Members": [
    {
      "AccountId": "123456789111",
      "AdministratorId": "123456789012",
      "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
      "MasterId": "123456789012",
      "MemberStatus": "ASSOCIATED",
      "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
    },
    {
      "AccountId": "123456789222",
      "AdministratorId": "123456789012",
      "InvitedAt": "2020-06-01T20:15:15.289000+00:00",
      "MasterId": "123456789012",
      "MemberStatus": "ASSOCIATED",
      "UpdatedAt": "2020-06-01T20:15:15.289000+00:00"
    }
  ]
}
```

For more information, see Managing administrator and member accounts in the AWS Security Hub User Guide.

For API details, see ListMembers in the AWS CLI Command Reference.

The following code example shows how to use list-organization-admin-accounts.

To list the designated Security Hub administrator accounts

The following list-organization-admin-accounts example lists the Security Hub administrator accounts for an organization.

```shell
aws securityhub list-organization-admin-accounts
```

Output:

```json
{
  "AdminAccounts": [
    {
      "AccountId": "777788889999",
      "Status": "ENABLED"
    }
  ]
}
```

For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

For API details, see ListOrganizationAdminAccounts in the AWS CLI Command Reference.

The following code example shows how to use list-security-control-definitions.

Example 1: To list all available security controls

The following list-security-control-definitions example lists the available security controls across all Security Hub standards. This example limits the results to three controls.

```shell
aws securityhub list-security-control-definitions \
    --max-items 3
```

Output:

```json
{
  "SecurityControlDefinitions": [
    {
      "SecurityControlId": "ACM.1",
      "Title": "Imported and ACM-issued certificates should be renewed after a specified time period",
      "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation",
      "SeverityRating": "MEDIUM",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": [
        "Parameters"
      ]
    },
    {
      "SecurityControlId": "ACM.2",
      "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits",
      "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation",
      "SeverityRating": "HIGH",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": []
    },
    {
      "SecurityControlId": "APIGateway.1",
      "Title": "API Gateway REST and WebSocket API execution logging should be enabled",
      "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation",
      "SeverityRating": "MEDIUM",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": [
        "Parameters"
      ]
    }
  ],
  "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg=="
}
```

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

Example 2: To list available security controls for a specific standard

The following list-security-control-definitions example lists the available security controls for CIS AWS Foundations Benchmark v1.4.0. This example limits the results to three controls.

```shell
aws securityhub list-security-control-definitions \
    --standards-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
    --max-items 3
```

Output:

```json
{
  "SecurityControlDefinitions": [
    {
      "SecurityControlId": "CloudTrail.1",
      "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
      "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation",
      "SeverityRating": "HIGH",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": []
    },
    {
      "SecurityControlId": "CloudTrail.2",
      "Title": "CloudTrail should have encryption at-rest enabled",
      "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
      "SeverityRating": "MEDIUM",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": []
    },
    {
      "SecurityControlId": "CloudTrail.4",
      "Title": "CloudTrail log file validation should be enabled",
      "Description": "This AWS control checks whether CloudTrail log file validation is enabled.",
      "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation",
      "SeverityRating": "MEDIUM",
      "CurrentRegionAvailability": "AVAILABLE",
      "CustomizableProperties": []
    }
  ],
  "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ=="
}
```

For more information, see Viewing details for a standard in the AWS Security Hub User Guide.

For API details, see ListSecurityControlDefinitions in the AWS CLI Command Reference.

以下程式碼範例顯示如何使用 list-standards-control-associations。
- AWS CLI
-
取得每個已啟用標準中控制項的啟用狀態
下列
list-standards-control-associations範例會列出每個已啟用標準中 CloudTrail.1 的啟用狀態。aws securityhub list-standards-control-associations \ --security-control-idCloudTrail.1輸出:
    {
        "StandardsControlAssociationSummaries": [
            {
                "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
                "SecurityControlId": "CloudTrail.1",
                "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
                "AssociationStatus": "ENABLED",
                "RelatedRequirements": [
                    "NIST.800-53.r5 AC-2(4)",
                    "NIST.800-53.r5 AC-4(26)",
                    "NIST.800-53.r5 AC-6(9)",
                    "NIST.800-53.r5 AU-10",
                    "NIST.800-53.r5 AU-12",
                    "NIST.800-53.r5 AU-2",
                    "NIST.800-53.r5 AU-3",
                    "NIST.800-53.r5 AU-6(3)",
                    "NIST.800-53.r5 AU-6(4)",
                    "NIST.800-53.r5 AU-14(1)",
                    "NIST.800-53.r5 CA-7",
                    "NIST.800-53.r5 SC-7(9)",
                    "NIST.800-53.r5 SI-3(8)",
                    "NIST.800-53.r5 SI-4(20)",
                    "NIST.800-53.r5 SI-7(8)",
                    "NIST.800-53.r5 SA-8(22)"
                ],
                "UpdatedAt": "2023-05-15T17:52:21.304000+00:00",
                "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
                "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
            },
            {
                "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                "SecurityControlId": "CloudTrail.1",
                "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
                "AssociationStatus": "ENABLED",
                "RelatedRequirements": [
                    "CIS AWS Foundations 2.1"
                ],
                "UpdatedAt": "2020-02-10T21:22:53.998000+00:00",
                "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
                "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service."
            },
            {
                "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
                "SecurityControlId": "CloudTrail.1",
                "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
                "AssociationStatus": "DISABLED",
                "RelatedRequirements": [],
                "UpdatedAt": "2023-05-15T19:31:52.671000+00:00",
                "UpdatedReason": "Alternative compensating controls are in place",
                "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events",
                "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events."
            },
            {
                "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
                "SecurityControlId": "CloudTrail.1",
                "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1",
                "AssociationStatus": "ENABLED",
                "RelatedRequirements": [
                    "CIS AWS Foundations Benchmark v1.4.0/3.1"
                ],
                "UpdatedAt": "2022-11-10T15:40:36.021000+00:00",
                "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions",
                "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
            }
        ]
    }

Note that the same control, CloudTrail.1, is ENABLED under three standards but DISABLED under AWS Foundational Security Best Practices, with the reason recorded in UpdatedReason. Security Hub keeps evaluating a control for as long as it is enabled in at least one enabled standard, so a disable that is meant to silence the control must be applied to every standard, or made at the control level with update-security-control or a configuration policy.

For more information, see Enabling and disabling controls in specific standards in the AWS Security Hub User Guide.

For API details, see ListStandardsControlAssociations in the AWS CLI Command Reference.
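The following script, added here as an illustration and not part of the AWS documentation, audits the JSON that list-standards-control-associations returns for one control. It reports the association status per standard, flags a control that is disabled under some standards while still enabled under others (the situation shown in the output above), and lists disabled associations that have no UpdatedReason recorded. SAMPLE_OUTPUT is constructed to match the shape of the page's output for CloudTrail.1, trimmed to the fields the script reads; in practice you pipe the real CLI output into it.

```python
"""Audit `aws securityhub list-standards-control-associations` output.

Added example, not from the AWS documentation. Usage with real output:
    aws securityhub list-standards-control-associations \
        --security-control-id CloudTrail.1 | python3 audit_control.py
Without stdin input the constructed SAMPLE_OUTPUT below is used.
"""
import json
import sys

# Constructed sample: same shape and values as the page's CloudTrail.1 output,
# with the fields this script does not read omitted.
SAMPLE_OUTPUT = json.dumps({
    "StandardsControlAssociationSummaries": [
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
         "RelatedRequirements": ["NIST.800-53.r5 AU-2", "NIST.800-53.r5 AU-12"],
         "UpdatedAt": "2023-05-15T17:52:21.304000+00:00"},
        {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
         "RelatedRequirements": ["CIS AWS Foundations 2.1"],
         "UpdatedAt": "2020-02-10T21:22:53.998000+00:00"},
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "DISABLED",
         "RelatedRequirements": [],
         "UpdatedAt": "2023-05-15T19:31:52.671000+00:00",
         "UpdatedReason": "Alternative compensating controls are in place"},
        {"StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0",
         "SecurityControlId": "CloudTrail.1", "AssociationStatus": "ENABLED",
         "RelatedRequirements": ["CIS AWS Foundations Benchmark v1.4.0/3.1"],
         "UpdatedAt": "2022-11-10T15:40:36.021000+00:00"},
    ]
})


def standard_name(standards_arn):
    """Shorten a standards ARN to '<name>/v/<version>' for readable reports.

    Standards ARNs end in 'standards/<name>/v/<ver>' or, for the older CIS
    1.2.0 standard, 'ruleset/<name>/v/<ver>'; both forms are handled.
    """
    resource = standards_arn.split(":")[-1]
    return resource.split("/", 1)[1]


def summarize_control_associations(output_json):
    """Return {standard: {"status", "reason", "requirements"}} for one control."""
    data = json.loads(output_json)
    summary = {}
    for assoc in data["StandardsControlAssociationSummaries"]:
        summary[standard_name(assoc["StandardsArn"])] = {
            "status": assoc["AssociationStatus"],
            "reason": assoc.get("UpdatedReason", ""),
            "requirements": list(assoc.get("RelatedRequirements", [])),
        }
    return summary


def find_partial_disables(summary):
    """Standards where the control is DISABLED while ENABLED elsewhere.

    Security Hub still evaluates a control that is enabled in at least one
    standard, so such a disable does not stop findings. Returns a list of
    (standard, reason) pairs, in output order.
    """
    any_enabled = any(v["status"] == "ENABLED" for v in summary.values())
    if not any_enabled:
        return []
    return [(std, v["reason"]) for std, v in summary.items()
            if v["status"] == "DISABLED"]


def undocumented_disables(summary):
    """Disabled associations with no UpdatedReason recorded (an audit gap)."""
    return [std for std, v in summary.items()
            if v["status"] == "DISABLED" and not v["reason"]]


if __name__ == "__main__":
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = summarize_control_associations(raw)
    for std, v in result.items():
        print(f"{v['status']:<8} {std}  {v['reason']}")
    for std, reason in find_partial_disables(result):
        print(f"WARNING: disabled only under {std} "
              f"({reason or 'no reason recorded'}); still enabled elsewhere")
    for std in undocumented_disables(result):
        print(f"WARNING: disabled under {std} without an UpdatedReason")
```

Run against the constructed sample it prints one WARNING for aws-foundational-security-best-practices/v/1.0.0 and nothing for the undocumented-reason check, because the sample records a reason.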
The following code example shows how to use list-tags-for-resource.

To retrieve the tags assigned to a resource

The following list-tags-for-resource example returns the tags assigned to the specified hub resource.

    aws securityhub list-tags-for-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default"

Output:

    {
        "Tags": {
            "Department": "Operations",
            "Area": "USMidwest"
        }
    }

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

For API details, see ListTagsForResource in the AWS CLI Command Reference.
The following code example shows how to use start-configuration-policy-association.

Example 1: To associate a configuration policy

The following start-configuration-policy-association example associates the specified configuration policy with the specified organizational unit. A configuration can be associated with a target account, organizational unit, or the root.

    aws securityhub start-configuration-policy-association \
        --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
        --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

Output:

    {
        "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
        "TargetId": "ou-6hi7-8j91kl2m",
        "TargetType": "ORGANIZATIONAL_UNIT",
        "AssociationType": "APPLIED",
        "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
        "AssociationStatus": "PENDING"
    }

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

Example 2: To associate a self-managed configuration

The following start-configuration-policy-association example associates a self-managed configuration with the specified account. Because the target is an account, the target object uses the AccountId key (the same key the disassociation example for an account uses below); the output confirms this with a TargetType of ACCOUNT.

    aws securityhub start-configuration-policy-association \
        --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
        --target '{"AccountId": "123456789012"}'

Output:

    {
        "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
        "TargetId": "123456789012",
        "TargetType": "ACCOUNT",
        "AssociationType": "APPLIED",
        "UpdatedAt": "2023-11-29T17:40:52.468000+00:00",
        "AssociationStatus": "PENDING"
    }

Note that AssociationStatus is PENDING immediately after the call; the association is applied asynchronously, so check the status again before relying on it.

For more information, see Creating and associating Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see StartConfigurationPolicyAssociation in the AWS CLI Command Reference.
The following code example shows how to use start-configuration-policy-disassociation.

Example 1: To disassociate a configuration policy

The following start-configuration-policy-disassociation example disassociates a configuration policy from the specified organizational unit. A configuration can be disassociated from a target account, organizational unit, or the root.

    aws securityhub start-configuration-policy-disassociation \
        --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" \
        --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.

Example 2: To disassociate a self-managed configuration

The following start-configuration-policy-disassociation example disassociates a self-managed configuration from the specified account.

    aws securityhub start-configuration-policy-disassociation \
        --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
        --target '{"AccountId": "123456789012"}'

This command produces no output.

For more information, see Disassociating a configuration from accounts and OUs in the AWS Security Hub User Guide.

For API details, see StartConfigurationPolicyDisassociation in the AWS CLI Command Reference.
The following code example shows how to use tag-resource.

To assign tags to a resource

The following tag-resource example assigns values for the Department and Area tags to the specified hub resource.

    aws securityhub tag-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
        --tags '{"Department":"Operations", "Area":"USMidwest"}'

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

For API details, see TagResource in the AWS CLI Command Reference.
The following code example shows how to use untag-resource.

To remove a tag from a resource

The following untag-resource example removes the Department tag from the specified hub resource.

    aws securityhub untag-resource \
        --resource-arn "arn:aws:securityhub:us-west-1:123456789012:hub/default" \
        --tag-keys "Department"

This command produces no output.

For more information, see AWS::SecurityHub::Hub in the AWS CloudFormation User Guide.

For API details, see UntagResource in the AWS CLI Command Reference.
The following code example shows how to use update-action-target.

To update a custom action

The following update-action-target example updates the name of the custom action identified by the specified ARN.

    aws securityhub update-action-target \
        --action-target-arn "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" \
        --name "Send to remediation"

This command produces no output.

For more information, see Creating a custom action and associating it with a CloudWatch Events rule in the AWS Security Hub User Guide.

For API details, see UpdateActionTarget in the AWS CLI Command Reference.
The following code example shows how to use update-configuration-policy.

To update a configuration policy

The following update-configuration-policy example updates an existing configuration policy to use the specified settings. The policy enables Security Hub with two standards, disables the CloudWatch.1 control, and sets a custom value for the daysToExpiration parameter of ACM.1; the --updated-reason text is recorded with the change. (The policy ARN in the command uses the same placeholder account and policy ID as the output.)

    aws securityhub update-configuration-policy \
        --identifier "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
        --name "SampleConfigurationPolicyUpdated" \
        --description "SampleDescriptionUpdated" \
        --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \
        --updated-reason "Disabling CloudWatch.1 and changing parameter value"

Output:

    {
        "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Name": "SampleConfigurationPolicyUpdated",
        "Description": "SampleDescriptionUpdated",
        "UpdatedAt": "2023-11-28T20:28:04.494000+00:00",
        "CreatedAt": "2023-11-28T20:28:04.494000+00:00",
        "ConfigurationPolicy": {
            "SecurityHub": {
                "ServiceEnabled": true,
                "EnabledStandardIdentifiers": [
                    "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                ],
                "SecurityControlsConfiguration": {
                    "DisabledSecurityControlIdentifiers": [
                        "CloudWatch.1"
                    ],
                    "SecurityControlCustomParameters": [
                        {
                            "SecurityControlId": "ACM.1",
                            "Parameters": {
                                "daysToExpiration": {
                                    "ValueType": "CUSTOM",
                                    "Value": {
                                        "Integer": 21
                                    }
                                }
                            }
                        }
                    ]
                }
            }
        }
    }

Note that update-configuration-policy replaces the whole ConfigurationPolicy document; the standards, disabled controls and parameters you omit from --configuration-policy are removed from the policy, not left as they were.

For more information, see Updating Security Hub configuration policies in the AWS Security Hub User Guide.

For API details, see UpdateConfigurationPolicy in the AWS CLI Command Reference.
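The --configuration-policy argument is a single JSON document that is easy to get wrong by hand. The following script, added here as an illustration and not part of the AWS documentation, builds the exact policy used in the example above from Python values and applies local sanity checks before anything is sent to the API. Check (1) reflects the documented rule that DisabledSecurityControlIdentifiers and EnabledSecurityControlIdentifiers are mutually exclusive; checks (2) and (3) are this script's own assumptions about what a sensible policy looks like, not API rules. The standards ARNs are the ones from the example; the policy identifier placeholder in the printed command is assumed.

```python
"""Build and sanity-check a Security Hub configuration-policy document.

Added example, not from the AWS documentation. Produces the JSON string to
pass as --configuration-policy to create-configuration-policy or
update-configuration-policy.
"""
import json

# Standards ARNs taken from the update-configuration-policy example above.
FSBP = "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS_120 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def custom_parameter(control_id, **params):
    """One SecurityControlCustomParameters entry, typed from the Python value.

    bool is checked before int because bool is a subclass of int in Python.
    """
    def typed(value):
        if isinstance(value, bool):
            return {"Boolean": value}
        if isinstance(value, int):
            return {"Integer": value}
        if isinstance(value, str):
            return {"String": value}
        raise TypeError(f"unsupported parameter type for {control_id}: {type(value).__name__}")

    return {
        "SecurityControlId": control_id,
        "Parameters": {name: {"ValueType": "CUSTOM", "Value": typed(v)}
                       for name, v in params.items()},
    }


def build_policy(enabled_standards, disabled_controls=(), enabled_controls=(),
                 custom_parameters=()):
    """Return the ConfigurationPolicy dict, or raise ValueError if it is unsound."""
    if disabled_controls and enabled_controls:
        # (1) documented API rule: the two identifier lists are mutually exclusive.
        raise ValueError("use DisabledSecurityControlIdentifiers or "
                         "EnabledSecurityControlIdentifiers, not both")
    if not enabled_standards:
        # (2) assumption: enabling Security Hub with no standards is almost always a mistake.
        raise ValueError("at least one standard must be enabled")
    parameterised = {p["SecurityControlId"] for p in custom_parameters}
    clash = parameterised & set(disabled_controls)
    if clash:
        # (3) assumption: parameters for a control being disabled indicate a copy/paste error.
        raise ValueError(f"custom parameters given for disabled controls: {sorted(clash)}")

    controls = {"SecurityControlCustomParameters": list(custom_parameters)}
    if disabled_controls:
        controls["DisabledSecurityControlIdentifiers"] = list(disabled_controls)
    if enabled_controls:
        controls["EnabledSecurityControlIdentifiers"] = list(enabled_controls)
    return {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": list(enabled_standards),
        "SecurityControlsConfiguration": controls,
    }}


def policy_cli_argument(policy):
    """Compact JSON suitable for quoting as the --configuration-policy value."""
    return json.dumps(policy, separators=(",", ":"))


def policy_is_rejected(**kwargs):
    """True if build_policy refuses these arguments (used by the self-checks)."""
    try:
        build_policy(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    policy = build_policy(
        enabled_standards=[FSBP, CIS_120],
        disabled_controls=["CloudWatch.1"],
        custom_parameters=[custom_parameter("ACM.1", daysToExpiration=21)],
    )
    # <policy-arn> is a placeholder for the real configuration policy ARN.
    print("aws securityhub update-configuration-policy \\")
    print("    --identifier <policy-arn> \\")
    print(f"    --configuration-policy '{policy_cli_argument(policy)}'")
```

The printed command carries the same policy as the example above, so the output of the two can be compared directly. Because the API replaces the whole document, build the complete policy every time rather than the delta you intend to change.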
The following code example shows how to use update-finding-aggregator.

To update the current finding aggregation configuration

The following update-finding-aggregator example changes the finding aggregation configuration to link a selected set of Regions. The example is run from US East (N. Virginia), which is the aggregation Region. It selects US West (N. California) and US West (Oregon) as the linked Regions.

    aws securityhub update-finding-aggregator \
        --region us-east-1 \
        --finding-aggregator-arn arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
        --region-linking-mode SPECIFIED_REGIONS \
        --regions us-west-1,us-west-2

This command produces no output.

For more information, see Updating the finding aggregation configuration in the AWS Security Hub User Guide.

For API details, see UpdateFindingAggregator in the AWS CLI Command Reference.
The following code example shows how to use update-insight.

Example 1: To change the filters for a custom insight

The following update-insight example changes the filters for a custom insight. The updated insight looks for high-severity findings that are related to AWS roles.

    aws securityhub update-insight \
        --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
        --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
        --name "High severity role findings"

Example 2: To change the grouping attribute for a custom insight

The following update-insight example changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.

    aws securityhub update-insight \
        --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
        --group-by-attribute "ResourceId" \
        --name "Critical role findings"

Output:

    {
        "Insights": [
            {
                "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "Name": "Critical role findings",
                "Filters": {
                    "SeverityLabel": [
                        {
                            "Value": "CRITICAL",
                            "Comparison": "EQUALS"
                        }
                    ],
                    "ResourceType": [
                        {
                            "Value": "AwsIamRole",
                            "Comparison": "EQUALS"
                        }
                    ]
                },
                "GroupByAttribute": "ResourceId"
            }
        ]
    }

For more information, see Managing custom insights in the AWS Security Hub User Guide.

For API details, see UpdateInsight in the AWS CLI Command Reference.
The following code example shows how to use update-organization-configuration.

To update how Security Hub is configured for an organization

The following update-organization-configuration example specifies that Security Hub should use central configuration to configure an organization. After running this command, the delegated Security Hub administrator can create and manage configuration policies to configure the organization. The delegated administrator can also use this command to switch from central to local configuration. If local configuration is the configuration type, the delegated administrator can choose whether to automatically enable Security Hub and the default security standards in new organization accounts.

    aws securityhub update-organization-configuration \
        --no-auto-enable \
        --organization-configuration '{"ConfigurationType": "CENTRAL"}'

This command produces no output.

For more information, see Managing accounts with AWS Organizations in the AWS Security Hub User Guide.

For API details, see UpdateOrganizationConfiguration in the AWS CLI Command Reference.
The following code example shows how to use update-security-control.

To update security control properties

The following update-security-control example specifies a custom value for a Security Hub security control parameter. The control-level change applies regardless of which standards the control is enabled in, and the --last-update-reason text is recorded with it.

    aws securityhub update-security-control \
        --security-control-id ACM.1 \
        --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \
        --last-update-reason "Internal compliance requirement"

This command produces no output.

For more information, see Custom control parameters in the AWS Security Hub User Guide.

For API details, see UpdateSecurityControl in the AWS CLI Command Reference.
The following code example shows how to use update-security-hub-configuration.

To update the Security Hub configuration

The following update-security-hub-configuration example configures Security Hub to automatically enable new controls for enabled standards.

    aws securityhub update-security-hub-configuration \
        --auto-enable-controls

This command produces no output.

For more information, see Automatically enabling new controls in the AWS Security Hub User Guide.

For API details, see UpdateSecurityHubConfiguration in the AWS CLI Command Reference.
The following code example shows how to use update-standards-control.

Example 1: To disable a control

The following update-standards-control example disables the PCI.AutoScaling.1 control. The --disabled-reason text is stored with the control and is what a later audit of the standard will show.

    aws securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
        --control-status "DISABLED" \
        --disabled-reason "Not applicable for my service"

This command produces no output.

Example 2: To enable a control

The following update-standards-control example enables the PCI.AutoScaling.1 control.

    aws securityhub update-standards-control \
        --standards-control-arn "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" \
        --control-status "ENABLED"

This command produces no output.

For more information, see Disabling and enabling individual controls in the AWS Security Hub User Guide.

For API details, see UpdateStandardsControl in the AWS CLI Command Reference.