AWS Security Hub BatchImportFindings API: AccessDeniedException even though the user has the proper policy and role

Date: 2020-05-13 13:21:09

Tags: python python-3.x amazon-web-services boto3

I want to ingest security findings into AWS Security Hub from an external Python script. For that I am using the following API: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html

I wrote a simple Python script to perform a batch import of findings into AWS Security Hub, as follows:

import boto3

# finding_obj is the list of ASFF finding dicts built earlier in the script (not shown here)
client = boto3.client('securityhub',
                      region_name='us-east-2',
                      aws_access_key_id='API_KEY',
                      aws_secret_access_key='API_SECRET')
# boto3 client methods take keyword arguments only; the findings go under Findings=
response = client.batch_import_findings(Findings=finding_obj)

But this raises the following error:

Traceback (most recent call last):
  File "aws_hub.py", line 504, in <module>
    'Status': 'NEW',
  File "C:\Users\Aspire5\AppData\Local\Programs\Python\Python36-32\lib\site-packages\botocore\client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\Aspire5\AppData\Local\Programs\Python\Python36-32\lib\site-packages\botocore\client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:iam::355025806062:user/Kaushal is not authorized to perform: securityhub:BatchImportFindings

I have created a user on AWS that has the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "securityhub:BatchImportFindings"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

I also tried simulating the same policy with the simulator AWS provides, and according to it my user does have access to this action, but the call through the API fails. Here is a screenshot of the simulator:

[screenshot of the IAM policy simulator result]

1 answer:

Answer 0 (score: 1)

Kaushal28,

Your finding_obj probably has the wrong ProductARN.

ProductARN should be set to:

productArn = "arn:aws:securityhub:"+ AWS_REGION +":" + ACCOUNT_ID +":product/" + ACCOUNT_ID +"/default"
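One way to catch this mismatch before the call, as an added example that is not code from the question or the answer: derive the calling account from STS and compare each finding's ProductArn against the formula above, reporting which component (region or account) is wrong. It assumes ambient AWS credentials (environment or profile) instead of keys in the script, and the account numbers in the sample are constructed.

```python
import re

# Matches the "default" product ARN shape used by findings a customer's own script imports.
PRODUCT_ARN_RE = re.compile(
    r"^arn:aws:securityhub:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":product/(?P<owner>\d{12})/default$"
)

def default_product_arn(region, account_id):
    """ProductArn for findings imported by the account's own tooling (the answer's formula)."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"

def check_product_arns(findings, region, account_id):
    """Return (index, reason) pairs for findings whose ProductArn does not match the
    calling account and region, so the mismatch is explained before the API call."""
    problems = []
    for i, finding in enumerate(findings):
        arn = finding.get("ProductArn", "")
        m = PRODUCT_ARN_RE.match(arn)
        if m is None:
            problems.append((i, f"ProductArn {arn!r} is not a */default product ARN"))
            continue
        if m["region"] != region:
            problems.append((i, f"ProductArn region {m['region']} != client region {region}"))
        if m["account"] != account_id or m["owner"] != account_id:
            problems.append((i, f"ProductArn account {m['account']}/{m['owner']} != caller {account_id}"))
    return problems

def import_findings(findings, region):
    """Resolve the caller's account with STS, validate every ProductArn, then import.
    boto3 is imported here so the checks above run without AWS access."""
    import boto3
    account_id = boto3.client("sts", region_name=region).get_caller_identity()["Account"]
    problems = check_product_arns(findings, region, account_id)
    if problems:
        raise ValueError(f"refusing to call BatchImportFindings: {problems}")
    return boto3.client("securityhub", region_name=region).batch_import_findings(Findings=findings)

# Constructed sample: account 111111111111 in us-east-2 imports two findings, the second
# of which carries a ProductArn built for a different (constructed) account.
SAMPLE_FINDINGS = [
    {"Id": "demo-1", "ProductArn": default_product_arn("us-east-2", "111111111111")},
    {"Id": "demo-2", "ProductArn": default_product_arn("us-east-2", "222222222222")},
]

if __name__ == "__main__":
    for index, reason in check_product_arns(SAMPLE_FINDINGS, "us-east-2", "111111111111"):
        print(f"finding {index}: {reason}")
```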