Suscripción a los anuncios de Amazon SNS para GuardDuty
En esta sección se proporciona información sobre cómo suscribirse a Amazon SNS (Simple Notification Service) para anuncios de GuardDuty a fin de recibir notificaciones sobre nuevos tipos de resultados publicados, actualizaciones para los tipos de resultados existentes u otros cambios en funcionalidades. Las notificaciones están disponibles en todos los formatos que admite Amazon SNS.
El tema de SNS para GuardDuty envía anuncios sobre las actualizaciones del servicio GuardDuty en AWS a cualquier cuenta suscrita. Para recibir notificaciones sobre los resultados de su cuenta, consulte Procesamiento de resultados de GuardDuty con Amazon EventBridge.
nota
Su usuario de IAM debe disponer de los permisos sns::subscribe para suscribirse a un tema de SNS.
Puede suscribir una cola de Amazon SQS a este tema de notificación, pero debe utilizar un ARN de tema que esté en la misma región. Para obtener más información, consulte Tutorial: Subscribing an Amazon SQS queue to an Amazon SNS topic en la Guía para desarrolladores de Amazon Simple Queue Service.
También puede utilizar una función de AWS Lambda para desencadenar eventos cuando se reciban notificaciones. Para obtener más información, consulte Invocación de funciones de Lambda mediante notificaciones de Amazon SNS en la Guía para desarrolladores de Amazon Simple Queue Service.
Los ARN de tema de Amazon SNS para cada región se muestran a continuación.
| Región de AWS | ARN del tema de Amazon SNS |
|---|---|
Este de EE. UU. (Norte de Virginia) - us-east-1 |
arn:aws:sns:us-east-1:242987662583:GuardDutyAnnouncements |
Este de EE. UU. (Ohio) - us-east-2 |
arn:aws:sns:us-east-2:118283430703:GuardDutyAnnouncements |
Oeste de EE. UU. (Norte de California) - us-west-1 |
arn:aws:sns:us-west-1:144182107116:GuardDutyAnnouncements |
Oeste de EE. UU. (Oregón) - us-west-2 |
arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements |
Canadá (centro) - ca-central-1 |
arn:aws:sns:ca-central-1:107430051933:GuardDutyAnnouncements |
Oeste de Canadá (Calgary) - ca-west-1 |
arn:aws:sns:ca-west-1:440427180217:GuardDutyAnnouncements |
Europa (Estocolmo) - eu-north-1 |
arn:aws:sns:eu-north-1:973841112453:GuardDutyAnnouncements |
Europa (Irlanda) - eu-west-1 |
arn:aws:sns:eu-west-1:965013871422:GuardDutyAnnouncements |
Europa (Londres) - eu-west-2 |
arn:aws:sns:eu-west-2:506403581195:GuardDutyAnnouncements |
Europa (París) - eu-west-3 |
arn:aws:sns:eu-west-3:436163563069:GuardDutyAnnouncements |
Europa (Fráncfort) - eu-central-1 |
arn:aws:sns:eu-central-1:378365507264:GuardDutyAnnouncements |
Europa (Zúrich): | | ) - eu-central-2 |
arn:aws:sns:eu-central-2:383009515534:GuardDutyAnnouncements |
Asia-Pacífico (Hong Kong) - ap-east-1 |
arn:aws:sns:ap-east-1:646602203151:GuardDutyAnnouncements |
Asia-Pacífico (Tokio) - ap-northeast-1 |
arn:aws:sns:ap-northeast-1:741172661024:GuardDutyAnnouncements |
Asia-Pacífico (Seúl) - ap-northeast-2 |
arn:aws:sns:ap-northeast-2:464168911255:GuardDutyAnnouncements |
Asia-Pacífico (Singapur) - ap-southeast-1 |
arn:aws:sns:ap-southeast-1:476419727788:GuardDutyAnnouncements |
Asia-Pacífico (Sídney) - ap-southeast-2 |
arn:aws:sns:ap-southeast-2:457615622431:GuardDutyAnnouncements |
Asia-Pacífico (Mumbai) - ap-south-1 |
arn:aws:sns:ap-south-1:926826061926:GuardDutyAnnouncements |
América del Sur (São Paulo): | | ) - sa-east-1 |
arn:aws:sns:sa-east-1:955633302743:GuardDutyAnnouncements |
AWS GovCloud (Oeste de EE. UU) - us-gov-west-1 |
arn:aws-us-gov:sns:us-gov-west-1:430639793359:GuardDutyAnnouncements |
China (Pekín) - cn-north-1 |
arn:aws-cn:sns:cn-north-1:002991280229:GuardDutyAnnouncements |
China (Ningxia) - cn-northwest-1 |
arn:aws-cn:sns:cn-northwest-1:003033775354:GuardDutyAnnouncements |
Medio Oriente (Baréin): | | ) - me-south-1 |
arn:aws:sns:me-south-1:552740612889:GuardDutyAnnouncements |
Medio Oriente (EAU): | | ) - me-central-1 |
arn:aws:sns:me-central-1:030935290150:GuardDutyAnnouncements |
Europa (Milán) - eu-south-1 |
arn:aws:sns:eu-south-1:188461706213:GuardDutyAnnouncements |
Europa (España): | | ) - eu-south-2 |
arn:aws:sns:eu-south-2:445632894446:GuardDutyAnnouncements |
AWS GovCloud (Este de EE. UU) - us-gov-east-1 |
arn:aws:sns:us-gov-east-1:143972945659:GuardDutyAnnouncements |
Asia-Pacífico (Osaka): ap-northeast-3 |
arn:aws:sns:ap-northeast-3:129086577509:GuardDutyAnnouncements |
Asia-Pacífico (Yakarta): | | ) - ap-southeast-3 |
arn:aws:sns:ap-southeast-3:225965583551:GuardDutyAnnouncements |
Asia-Pacífico (Hyderabad): | | ) - ap-south-2 |
arn:aws:sns:ap-south-2:595653072700:GuardDutyAnnouncements |
Asia-Pacífico (Melbourne): | | ) - ap-southeast-4 |
arn:aws:sns:ap-southeast-4:529900636122:GuardDutyAnnouncements |
Asia-Pacífico (Malasia) - ap-southeast-5 |
arn:aws:sns:ap-southeast-5:343218181797:GuardDutyAnnouncements |
Israel (Tel Aviv) - il-central-1 |
arn:aws:sns:il-central-1:847886274986:GuardDutyAnnouncements |
Asia-Pacífico (Tailandia): | | ) - ap-southeast-7 |
arn:aws:sns:ap-southeast-7:863518448376:GuardDutyAnnouncements |
México (centro): | | ) - mx-central-1 |
arn:aws:sns:mx-central-1:060795916546:GuardDutyAnnouncements |
Asia-Pacífico (Taipéi) - ap-east-2 |
arn:aws:sns:ap-east-2:604225987917:GuardDutyAnnouncements |
Suscripción al correo electrónico de notificación de actualizaciones de GuardDuty en la Consola de administración de AWS
Abra la consola de Amazon SNS en https://console.aws.amazon.com/sns/v3/home
. -
En la lista de regiones, elija la misma región que la del ARN del tema al que desea suscribirse. En este ejemplo se utiliza la región
us-west-2. -
En el panel de navegación izquierdo, elija Subscriptions (Suscripciones), Create subscription (Crear suscripción).
-
En el cuadro de diálogo Create Subscription (Crear suscripción), en Topic ARN (ARN del tema), pegue el ARN del tema:
arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements. -
En Protocolo, elige Correo electrónico. En Endpoint (Punto de enlace), escriba una dirección de correo electrónico que pueda utilizar para recibir la notificación.
-
Elija Crear suscripción.
-
En su aplicación de correo electrónico, abra el mensaje de Notificaciones de AWS y abra el enlace para confirmar la suscripción.
El navegador web muestra una respuesta de confirmación de Amazon SNS.
Suscripción al correo electrónico de notificación de actualizaciones de GuardDuty con la AWS CLI
-
Ejecute el siguiente comando con la AWS CLI:
aws sns --regionus-west-2subscribe --topic-arn arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements --protocolemail--notification-endpointyour_email@your_domain.com -
En su aplicación de correo electrónico, abra el mensaje de Notificaciones de AWS y abra el enlace para confirmar la suscripción.
El navegador web muestra una respuesta de confirmación de Amazon SNS.
Formato de los mensajes de Amazon SNS
Un ejemplo de mensaje de notificación general de GuardDuty:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"GENERAL\",\"message\":[{\"title\":\"Updated AmazonGuardDutyFullAccess_v2 policy\",\"body\":\"Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for S3.\",\"links\":[\"https://docs.aws.amazon.com//guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2\"]}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
El valor Mensaje analizado (sin las comillas de escape) se muestra a continuación:
{ "version": "1", "type": "GENERAL", "message": [ { "title": "Updated AmazonGuardDutyFullAccess policy", "body": "Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for S3.", "links": [ "https://docs.aws.amazon.com//guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2" ] } ] }
A continuación se muestra un mensaje de ejemplo de notificación de actualizaciones de GuardDuty sobre nuevos resultados:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"NEW_FINDINGS\",\"findingDetails\":[{\"link\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html\",\"findingType\":\"UnauthorizedAccess:EC2/TorClient\",\"findingDescription\":\"This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance is acting as a client on a Tor network. A common use for a Tor client is to circumvent network monitoring and filter for access to unauthorized or illicit content. Tor clients can also generate nefarious Internet traffic, including attacking SSH servers. This activity can indicate that your EC2 instance is compromised.\"}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
El valor Mensaje analizado (sin las comillas de escape) se muestra a continuación:
{ "version": "1", "type": "NEW_FINDINGS", "findingDetails": [{ "link": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html", "findingType": "UnauthorizedAccess:EC2/TorClient", "findingDescription": "This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance is acting as a client on a Tor network. A common use for a Tor client is to circumvent network monitoring and filter for access to unauthorized or illicit content. Tor clients can also generate nefarious Internet traffic, including attacking SSH servers. This activity can indicate that your EC2 instance is compromised." }] }
A continuación se muestra un mensaje de ejemplo de notificación de actualizaciones de GuardDuty sobre actualizaciones de funcionalidades de GuardDuty:
{ "Type" : "Notification", "MessageId" : "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn" : "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message" : "{\"version\":\"1\",\"type\":\"NEW_FEATURES\",\"featureDetails\":[{\"featureDescription\":\"Customers with high-volumes of global CloudTrail events should see a net positive impact on their GuardDuty costs.\",\"featureLink\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_data-sources.html#guardduty_controlplane\"}]}", "Timestamp" : "2018-03-09T00:25:43.483Z", "SignatureVersion" : "1", "Signature" : "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
El valor Mensaje analizado (sin las comillas de escape) se muestra a continuación:
{ "version": "1", "type": "NEW_FEATURES", "featureDetails": [{ "featureDescription": "Customers with high-volumes of global CloudTrail events should see a net positive impact on their GuardDuty costs.", "featureLink": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_data-sources.html#guardduty_controlplane" }] }
A continuación se muestra un mensaje de ejemplo de notificación de actualizaciones de GuardDuty sobre resultados actualizados:
{ "Type": "Notification", "MessageId": "9101dc6b-726f-4df0-8646-ec2f94e674bc", "TopicArn": "arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements", "Message": "{\"version\":\"1\",\"type\":\"UPDATED_FINDINGS\",\"findingDetails\":[{\"link\":\"https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html\",\"findingType\":\"UnauthorizedAccess:EC2/TorClient\",\"description\":\"Increased severity value from 5 to 8.\"}]}", "Timestamp": "2018-03-09T00:25:43.483Z", "SignatureVersion": "1", "Signature": "XWox8GDGLRiCgDOXlo/fG9Lu/88P8S0FL6M6oQYOmUFzkucuhoblsdea3BjqdCHcWR7qdhMPQnLpN7y9iBrWVUqdAGJrukAI8athvAS+4AQD/V/QjrhsEnlj+GaiW+ozAu006X6GopOzFGnCtPMROjCMrMonjz7Hpv/8KRuMZR3pyQYm5d4wWB7xBPYhUMuLoZ1V8YFs55FMtgQV/YLhSYuEu0BP1GMtLQauxDkscOtPP/vjhGQLFx1Q9LTadcQiRHtNIBxWL87PSI+BVvkin6AL7PhksvdQ7FAgHfXsit+6p8GyOvKCqaeBG7HZhR1AbpyVka7JSNRO/6ssyrlj1g==", "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-433026a4050d206028891664da859041.pem", "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:934957504740:GuardDutyAnnouncements:9225ed2b-7228-4665-8a01-c8a5db6859f4" }
El valor Mensaje analizado (sin las comillas de escape) se muestra a continuación:
{ "version": "1", "type": "UPDATED_FINDINGS", "findingDetails": [{ "link": "https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_unauthorized.html", "findingType": "UnauthorizedAccess:EC2/TorClient", "description": "Increased severity value from 5 to 8." }] }
