配置:CIS 扫描评估系统配置是否符合特定的 CIS 基准建议,每个检查都链接到一个 CIS 检查 ID 和标题。
执行:扫描根据实例标签和定义的计划执行或安排。
结果:扫描后的结果指示哪些检查通过、跳过或失败,提供每个实例安全态势的洞察。
枚举
# Administrator and member accounts ### Retrieve information about the AWS Inpsector delegated administrator for your organization (ReadOnlyAccess policy is enough for this)awsinspector2get-delegated-admin-account## List the members who are associated with the AWS Inspector administrator account (ReadOnlyAccess policy is enough for this)awsinspector2list-members [--only-associated |--no-only-associated]## Retrieve information about a member account (ReadOnlyAccess policy is enough for this)awsinspector2get-member--account-id<value>## Retrieve the status of AWS accounts within your environment (ReadOnlyAccess policy is enough for this)awsinspector2batch-get-account-status [--account-ids <value>]## Retrieve the free trial status for the specified accounts (ReadOnlyAccess policy is enough for this)awsinspector2batch-get-free-trial-info--account-ids<value>## Retrieve the EC2 Deep Inspection status for the member accounts (Requires to be the delegated administrator)awsinspector2batch-get-member-ec2-deep-inspection-status [--account-ids <value>]## List an account's permissions associated with AWS Inspectorawsinspector2list-account-permissions# Findings ### List a subset of information of the findings for your envionment (ReadOnlyAccess policy is enough for this)awsinspector2list-findings## Retrieve vulnerability intelligence details for the specified findingsawsinspector2batch-get-finding-details--finding-arns<value>## List statistical and aggregated finding data (ReadOnlyAccess policy is enough for this)awsinspector2list-finding-aggregations--aggregation-type<FINDING_TYPE|PACKAGE|TITLE|REPOSITORY|AMI|AWS_EC2_INSTANCE|AWS_ECR_CONTAINER|IMAGE_LAYER\|ACCOUNTAWS_LAMBDA_FUNCTION|LAMBDA_LAYER> [--account-ids <value>]## Retrieve code snippet information about one or more specified code vulnerability findingsawsinspector2batch-get-code-snippet--finding-arns<value>## Retrieve the status for the specified findings report (ReadOnlyAccess policy is enough for this)awsinspector2get-findings-report-status--report-id<value># CIS ### List CIS scan configurations (ReadOnlyAccess policy is enough for this)awsinspector2list-cis-scan-configurations## List the completed CIS scans (ReadOnlyAccess policy is enough for this)awsinspector2list-cis-scans## Retrieve a report from a completed CIS scanawsinspector2get-cis-scan-report--scan-arn<value> [--target-accounts <value>]## Retrieve details about the specific CIS scan over the specified resourceawsinspector2get-cis-scan-result-details--account-id<value>--scan-arn<value>--target-resource-id<value>## List CIS scan results broken down by checkawsinspector2list-cis-scan-results-aggregated-by-checks--scan-arn<value>## List CIS scan results broken down by target resourceawsinspector2list-cis-scan-results-aggregated-by-target-resource--scan-arn<value># Configuration ### Describe AWS Inspector settings for AWS Organization (ReadOnlyAccess policy is enough for this)awsinspector2describe-organization-configuration## Retrieve the configuration settings about EC2 scan and ECR re-scanawsinspector2get-configuration## Retrieve EC2 Deep Inspection configuration associated with your accountawsinspector2get-ec2-deep-inspection-configuration# Miscellaneous ### Retrieve the details of a Software Bill of Materials (SBOM) reportawsinspector2get-sbom-export--report-id<value>## Retrieve the coverage details for the specified vulnerabilitiesawsinspector2search-vulnerabilities--filter-criteria<vulnerabilityIds=id1,id2..>## Retrieve the tags attached to the specified resourceawsinspector2list-tags-for-resource--resource-arn<value>## Retrieve the AWS KMS key used to encrypt the specified code snippetsawsinspector2get-encryption-key--resource-type<AWS_EC2_INSTANCE|AWS_ECR_CONTAINER_IMAGE|AWS_ECR_REPOSITORY|AWS_LAMBDA_FUNCTION> --scan-type<NETWORK|PACKAGE|CODE>## List the filters associated to your AWS accountawsinspector2list-filters## List the types of statistics AWS Inspector can generate (ReadOnlyAccess policy is enough for this)awsinspector2list-coverage## Retrieve statistical data and about the resources AWS Inspector monitors (ReadOnlyAccess policy is enough for this)awsinspector2list-coverage-statistics## List the aggregated usage total over the last 30 daysawsinspector2list-usage-totals [--account-ids <value>]### INSPECTOR CLASSIC ##### Assessments info, there is a "describe" action for each one to get more infoawsinspectorlist-assessment-runsawsinspectorlist-assessment-targetsawsinspectorlist-assessment-templatesawsinspectorlist-event-subscriptions## Get findingsawsinspectorlist-findings## Get exclusionsawsinspectorlist-exclusions--assessment-run-arn<arn>## Rule packagesawsinspectorlist-rules-packages
{"Version":"2012-10-17","Id":"key-policy","Statement": [{...},{"Sid":"Allow victim Amazon Inspector to use the key","Effect":"Allow","Principal": {"Service":"inspector2.amazonaws.com"},"Action": ["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"],"Resource":"*","Condition": {"StringEquals": {"aws:SourceAccount":"<victim-account-id>"}}}]}