AWS inspector documentation change
Summary
Added support for Azure resources in EventBridge events, including provider-agnostic resource details (vm, image, serverlessFunction) alongside AWS-specific fields. Updated example IP addresses to RFC 5737 standards and added new Azure vulnerability finding examples.
Security assessment
The changes extend multi-cloud support and standardize event schemas but contain no evidence of addressing specific vulnerabilities or security incidents. Updates to example IPs are documentation improvements without security implications.
Diff
diff --git a/inspector/latest/user/eventbridge-integration.md b/inspector/latest/user/eventbridge-integration.md index 4b5cf74b6..ba4e93a1d 100644 --- a//inspector/latest/user/eventbridge-integration.md +++ b//inspector/latest/user/eventbridge-integration.md @@ -63,0 +64,15 @@ The following fields identify a finding event: +Each object in `detail.resources` can also include the following fields. These fields are present for all resources, including AWS resources. + +For AWS resources, these fields appear alongside the AWS-specific fields. You can rely on a single, provider-agnostic representation regardless of where the resource is hosted. + + * `provider` is the cloud provider of the resource, for example `AWS` or `AZURE`. + + * `providerAccountId` is the cloud provider account identifier for the resource, such as an Azure subscription ID. For AWS resources, this matches the `account` field. + + * `providerOrgId` is the cloud provider organization or tenant identifier for the resource, such as an Azure tenant ID. Amazon Inspector populates this field for `AZURE` resources. + + * `detail.resources.details` contains a provider-agnostic resource detail object that corresponds to the resource `type`: `vm` for a virtual machine, `image` for a container image, or `serverlessFunction` for a serverless function. These are the multi-cloud equivalents of the `awsEc2Instance`, `awsEcrContainerImage`, and `awsLambdaFunction` objects. For AWS resources, Amazon Inspector also includes the provider-agnostic object alongside the corresponding AWS-specific object. For example, an Amazon EC2 instance finding includes both `awsEc2Instance` and `vm`. + + + + @@ -154,2 +169,2 @@ Amazon EC2 package vulnerability finding - "1.23.456.789", - "123.45.67.890" + "192.0.2.10", + "203.0.113.20" @@ -162,0 +178,16 @@ Amazon EC2 package vulnerability finding + }, + "vm": { + "type": "t2.small", + "vmImageReference": "ami-02ff980600c693b38", + "ipV4Addresses": [ + "192.0.2.10", + "203.0.113.20" + ], + "ipV6Addresses": [], + "networkId": "vpc-12345678", + "subnetIds": [ + "subnet-12345678" + ], + "launchedAt": "Wed Sep 04 16:57:40.000 UTC 2024", + "platform": "UBUNTU_22_04", + "executionRole": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup" @@ -166,0 +198,2 @@ Amazon EC2 package vulnerability finding + "provider": "AWS", + "providerAccountId": "123456789012", @@ -234 +267 @@ Amazon EC2 network reachability finding - "ipV4Addresses": ["1.23.456.789", "123.45.67.890"], + "ipV4Addresses": ["192.0.2.10", "203.0.113.20"], @@ -240,0 +274,11 @@ Amazon EC2 network reachability finding + }, + "vm": { + "type": "t2.small", + "vmImageReference": "ami-02ff980600c693b38", + "ipV4Addresses": ["192.0.2.10", "203.0.113.20"], + "ipV6Addresses": [], + "networkId": "vpc-12345678", + "subnetIds": ["subnet-12345678"], + "launchedAt": "Wed Sep 04 17:41:24.000 UTC 2024", + "platform": "UBUNTU_22_04", + "executionRole": "arn:aws:iam::123456789012:instance-profile/AmazonSSMRoleForInstancesQuickSetup" @@ -244,0 +289,2 @@ Amazon EC2 network reachability finding + "provider": "AWS", + "providerAccountId": "123456789012", @@ -340,0 +387,11 @@ Amazon ECR package vulnerability finding + }, + "image": { + "repositoryName": "inspector2", + "registry": "123456789012", + "imageTags": [ + "ubuntu_latest" + ], + "imageDigest": "sha256:84f507df33c6864d49c296fb734192696e4cb6f78166ac51ac8b9b118181085d", + "pushedAt": "Wed Sep 04 16:55:28.000 UTC 2024", + "architecture": "arm64", + "platform": "UBUNTU_24_04" @@ -344,0 +402,2 @@ Amazon ECR package vulnerability finding + "provider": "AWS", + "providerAccountId": "123456789012", @@ -446,0 +506,12 @@ Lambda package vulnerability finding + }, + "serverlessFunction": { + "serverlessFunctionName": "VulnerableFunction", + "runtime": "PYTHON_3_11", + "version": "$LATEST", + "codeDigest": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", + "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", + "executionRole": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", + "packageType": "ZIP", + "architectures": [ + "X86_64" + ] @@ -450,0 +522,2 @@ Lambda package vulnerability finding + "provider": "AWS", + "providerAccountId": "123456789012", @@ -525,0 +599,12 @@ Lambda code vulnerability finding + }, + "serverlessFunction": { + "serverlessFunctionName": "VulnerableFunction", + "runtime": "PYTHON_3_11", + "version": "$LATEST", + "codeDigest": "O7jkFEmfPB+CK3Y6Pby5zW9gjG+zusAaqRRMGS8B27c=", + "lastModifiedAt": "Wed Sep 04 16:50:20.000 UTC 2024", + "executionRole": "arn:aws:iam::123456789012:role/service-role/VulnerableFunction-role-f9vs5mq8", + "packageType": "ZIP", + "architectures": [ + "X86_64" + ] @@ -529,0 +615,2 @@ Lambda code vulnerability finding + "provider": "AWS", + "providerAccountId": "123456789012", @@ -542,0 +630,268 @@ Lambda code vulnerability finding +Azure virtual machine package vulnerability finding + + + + { + "version": "0", + "id": "a1b2c3d4-1111-2222-3333-444455556666", + "detail-type": "Inspector2 Finding", + "source": "aws.inspector2", + "account": "123456789012", + "time": "2024-09-04T17:00:36Z", + "region": "us-east-1", + "resources": [ + "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.compute/virtualmachines/example-vm" + ], + "detail": { + "awsAccountId": "123456789012", + "description": "A package vulnerability was detected on an Azure virtual machine monitored by Amazon Inspector.", + "exploitAvailable": "NO", + "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/FINDING_ID", + "firstObservedAt": "Wed Sep 04 16:59:44.356 UTC 2024", + "fixAvailable": "YES", + "lastObservedAt": "Wed Sep 04 16:59:44.476 UTC 2024", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 4.8, + "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "source": "UBUNTU_CVE", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-29069" + ], + "relatedVulnerabilities": [], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-29069.html", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-29069", + "vulnerablePackages": [ + { + "arch": "ALL", + "epoch": 0, + "fixedInVersion": "0:2.63+22.04ubuntu0.1", + "name": "snapd", + "packageManager": "OS", + "remediation": "apt-get update && apt-get upgrade", + "version": "2.63" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "vm": { + "type": "Standard_D2s_v3", + "vmName": "example-vm", + "vmImageReference": "Canonical:0001-com-ubuntu-server-jammy:22_04-lts:latest", + "ipV4Addresses": [ + "10.0.0.4" + ], + "ipV6Addresses": [], + "networkId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.network/virtualnetworks/example-vnet", + "subnetIds": [ + "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.network/virtualnetworks/example-vnet/subnets/default" + ], + "securityGroupIds": [ + "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.network/networksecuritygroups/example-nsg" + ], + "launchedAt": "Wed Sep 04 16:57:40.000 UTC 2024", + "platform": "UBUNTU_22_04", + "executionRole": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.managedidentity/userassignedidentities/example-identity", + "keyName": "example-key" + } + }, + "id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourcegroups/example-rg/providers/microsoft.compute/virtualmachines/example-vm", + "provider": "AZURE", + "providerAccountId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "providerOrgId": "11111111-2222-3333-4444-555555555555", + "region": "eastus", + "type": "Microsoft.Compute/virtualMachines" + } + ],