Amazon Inspector 的服務連結角色許可 - Amazon Inspector

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Amazon Inspector 的服務連結角色許可

Amazon Inspector 使用名為 的受管政策AWSServiceRoleForAmazonInspector2。此服務連結角色信任inspector2.amazonaws.com服務擔任該角色。

名為 的角色的許可政策AmazonInspector2ServiceRolePolicy允許 Amazon Inspector 執行下列任務:

  • 使用 Amazon Elastic Compute Cloud (Amazon EC2) 動作來擷取執行個體和網路路徑的相關資訊。

  • 使用 AWS Systems Manager 動作從 Amazon EC2 執行個體擷取庫存,以及從自訂路徑擷取第三方套件的相關資訊。

  • 使用 AWS Systems Manager SendCommand動作來叫用目標執行個體的 CIS 掃描。

  • 使用 Amazon Elastic Container Registry 動作來擷取容器映像的相關資訊。

  • 使用 AWS Lambda 動作來擷取 Lambda 函數的相關資訊。

  • 使用 AWS Organizations 動作來描述相關聯的帳戶。

  • 使用 CloudWatch 動作擷取有關上次叫用 Lambda 函數的資訊。

  • 使用選取 IAM 動作擷取 IAM 政策的相關資訊,這些政策可能會在 Lambda 程式碼中建立安全漏洞。

  • 使用 Amazon Q 動作對 Lambda 函數中的程式碼執行掃描。Amazon Inspector 使用以下 Amazon Q 動作:

    • codeguru-security:CreateScan – 准許建立 Amazon Q; 掃描。

    • codeguru-security:GetScan – 准許擷取 Amazon Q 掃描中繼資料。

    • codeguru-security:ListFindings – 准許擷取 Amazon Q 產生的問題清單。

    • codeguru-security:DeleteScansByCategory – 准許 Amazon Q 刪除由 Amazon Inspector 啟動的掃描。

    • codeguru-security:BatchGetFindings – 准許擷取 Amazon Q 產生的一批特定問題清單。

  • 使用選取 Elastic Load Balancing 動作,對屬於 Elastic Load Balancing 目標群組的 EC2 執行個體執行網路掃描。

  • 使用 Amazon ECS 和 Amazon EKS 動作允許唯讀存取以檢視叢集和任務並描述任務。

注意

Amazon Inspector 不再使用 CodeGuru 執行 Lambda 掃描。 AWS 將於 2025 年 11 月 20 日停止對 CodeGuru 的支援。如需詳細資訊,請參閱 CodeGuru Security 的終止支援。Amazon Inspector 現在使用 Amazon Q 執行 Lambda 掃描,不需要本節所述的許可。

角色是使用下列許可政策來設定。

JSON

     {
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "TirosPolicy",
			"Effect": "Allow",
			"Action": [
				"directconnect:DescribeConnections",
				"directconnect:DescribeDirectConnectGatewayAssociations",
				"directconnect:DescribeDirectConnectGatewayAttachments",
				"directconnect:DescribeDirectConnectGateways",
				"directconnect:DescribeVirtualGateways",
				"directconnect:DescribeVirtualInterfaces",
				"ec2:DescribeAddresses",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeInstances",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeManagedPrefixLists",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribePrefixLists",
				"ec2:DescribeRegions",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeTransitGatewayAttachments",
				"ec2:DescribeTransitGatewayConnects",
				"ec2:DescribeTransitGatewayPeeringAttachments",
				"ec2:DescribeTransitGatewayRouteTables",
				"ec2:DescribeTransitGatewayVpcAttachments",
				"ec2:DescribeTransitGateways",
				"ec2:DescribeVpcEndpointServiceConfigurations",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeVpnGateways",
				"ec2:GetManagedPrefixListEntries",
				"ec2:GetTransitGatewayRouteTablePropagations",
				"ec2:SearchTransitGatewayRoutes",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeTags",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTargetGroupAttributes",
				"elasticloadbalancing:DescribeTargetHealth",
				"network-firewall:DescribeFirewall",
				"network-firewall:DescribeFirewallPolicy",
				"network-firewall:DescribeResourcePolicy",
				"network-firewall:DescribeRuleGroup",
				"network-firewall:ListFirewallPolicies",
				"network-firewall:ListFirewalls",
				"network-firewall:ListRuleGroups",
				"tiros:CreateQuery",
				"tiros:GetQueryAnswer"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "PackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"ecr:BatchGetImage",
				"ecr:BatchGetRepositoryScanningConfiguration",
				"ecr:DescribeImages",
				"ecr:DescribeRegistry",
				"ecr:DescribeRepositories",
				"ecr:GetAuthorizationToken",
				"ecr:GetDownloadUrlForLayer",
				"ecr:GetRegistryScanningConfiguration",
				"ecr:ListImages",
				"ecr:PutRegistryScanningConfiguration",
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAccounts",
				"ssm:DescribeAssociation",
				"ssm:DescribeAssociationExecutions",
				"ssm:DescribeInstanceInformation",
				"ssm:ListAssociations",
				"ssm:ListResourceDataSync"
			],
			"Resource": "*"
		},
		{
			"Sid": "LambdaPackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"lambda:ListFunctions",
				"lambda:GetFunction",
				"lambda:GetLayerVersion",
				"lambda:ListTags",
				"cloudwatch:GetMetricData"
			],
			"Resource": "*"
		},
		{
			"Sid": "GatherInventory",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateAssociation",
				"ssm:StartAssociationsOnce",
				"ssm:UpdateAssociation"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*",
				"arn:aws:ssm:*:*:document/AmazonInspector2-*",
				"arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
				"arn:aws:ssm:*:*:managed-instance/*",
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "GatherInventoryDeleteAssociation",
			"Effect": "Allow",
			"Action": [
				"ssm:DeleteAssociation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "DataSyncCleanup",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateResourceDataSync",
				"ssm:DeleteResourceDataSync"
			],
			"Resource": [
				"arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete"
			]
		},
		{
			"Sid": "ManagedRules",
			"Effect": "Allow",
			"Action": [
				"events:PutRule",
				"events:DeleteRule",
				"events:DescribeRule",
				"events:ListTargetsByRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
				"arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule"
			]
		},
		{
			"Sid": "LambdaCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"codeguru-security:CreateScan",
				"codeguru-security:GetAccountConfiguration",
				"codeguru-security:GetFindings",
				"codeguru-security:GetScan",
				"codeguru-security:ListFindings",
				"codeguru-security:BatchGetFindings",
				"codeguru-security:DeleteScansByCategory"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "CodeGuruCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:ListAttachedRolePolicies",
				"iam:ListPolicies",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"lambda:ListVersionsByFunction"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"codeguru-security.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "Ec2DeepInspection",
			"Effect": "Allow",
			"Action": [
				"ssm:PutParameter",
				"ssm:GetParameters",
				"ssm:DeleteParameter"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowManagementOfServiceLinkedChannel",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:CreateServiceLinkedChannel",
				"cloudtrail:DeleteServiceLinkedChannel"
			],
			"Resource": [
				"arn:aws:cloudtrail:*:*:channel/aws-service-channel/inspector2/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowListServiceLinkedChannels",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:ListServiceLinkedChannels"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToRunInvokeCisSpecificDocuments",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand",
				"ssm:GetCommandInvocation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AmazonInspector2-InvokeInspectorSsmPluginCIS"
			]
		},
		{
			"Sid": "AllowToRunCisCommandsToSpecificResources",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToPutCloudwatchMetricData",
			"Effect": "Allow",
			"Action": [
				"cloudwatch:PutMetricData"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"cloudwatch:namespace": "AWS/Inspector2"
				}
			}
		},
		{
			"Sid": "AllowListAccessToECSAndEKS",
			"Effect": "Allow",
			"Action": [
			    "ecs:ListClusters",
			    "ecs:ListTasks",
			    "eks:ListClusters"
			],
			"Resource": [
			    "*"
			],
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
			    }
			}
			},
			{
			"Sid": "AllowAccessToECSTasks",
			"Effect": "Allow",
			"Action": [
			    "ecs:DescribeTasks"
			],
			"Resource": "arn:aws:ecs:*:*:task/*",
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		}
	]
}