如何解决了解AWS-Config规则和配置更改
我当前正在使用aws-cdk,我的任务是为15个左右的规则创建配置规则,以供我们观察和接收通知。这是我的代码供参考:
const vpcFlowLoggingBucket = new s3.Bucket(this,'vpcFlowLoggingBucket',{
accessControl:s3.BucketAccessControl.LOG_DELIVERY_WRITE
});
const generalConfigRole = new iam.Role(this,'generalConfigRole',{
assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
});
const cloudTrailEnabledRule = new ManagedRule(this,'cloudTrailEnabledRule',{
identifier: 'CLOUD_TRAIL_ENABLED'
});
const iamPasswordPolicyRule = new ManagedRule(this,'iamPasswordPolicyRule',{
identifier: 'IAM_PASSWORD_POLICY'
});
const userGroupMembershipRule = new ManagedRule(this,'userGroupMembershipRule',{
identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK'
});
const userPolicyRule = new ManagedRule(this,'userPolicyRule',{
identifier: 'IAM_USER_NO_POLICIES_CHECK'
});
const rootAccountMfaEnabledRule = new ManagedRule(this,'rootAccountMfaEnabledRule',{
identifier: 'ROOT_ACCOUNT_MFA_ENABLED'
});
const accessKeysRotatedRule = new ManagedRule(this,'accessKeysRotatedRule',{
identifier:'ACCESS_KEYS_ROTATED',inputParameters: {
maxAccessKeyAge: 100,//rule triggers off of config change and keys must be rotated within 100 days
configurationChanges: true
}
//TODO reference your custom lambda for this
//Parameters need to be specified here for the amount of days to rotate
});
const cloudTrailEncryptionRule = new ManagedRule(this,'cloudTrailEncryptionRule',{
identifier:'CLOUD_TRAIL_ENCRYPTION_ENABLED'
});
const defaultSecurityGroupEniRule = new ManagedRule(this,'defaultSecurityGroupEniRule',{
identifier:'EC2_SECURITY_GROUP_ATTACHED_TO_ENI'
});
const ebsVolumeEncryption = new ManagedRule(this,'ebsVolumeEncryption',{
identifier:'EC2_EBS_ENCRYPTION_BY_DEFAULT'
});
const rdsStorageEncryptionRule = new ManagedRule(this,'rdsStorageEncryptionRule',{
identifier: 'RDS_STORAGE_ENCRYPTED'
//This may need the arn of the kms key used for encryption
});
const s3BucketLoggingEnabledRule = new ManagedRule(this,'s3BucketLoggingEnabledRule',{
identifier: 'S3_BUCKET_LOGGING_ENABLED'
//@aroesec may be able to use a custom rule here for this one and my lambda
// TODO add custom lambda to this for future purposes
});
const s3BucketServerSideEncryptionRule = new ManagedRule(this,'s3BucketServerSideEncryptionRule',{
identifier:'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
//@aroesec may be able to use a custom rule here for my lambda
// TODO add custom lambda to this for future purposes
});
const vpcFlowLogsEnabledRule = new ManagedRule(this,'vpcFlowLogsEnabledRule',{
identifier:'VPC_FLOW_LOGS_ENABLED',inputParameters: {
trafficType:'ALL',//vpcs must track all traffic (ALLOW and DENY) with this rule
configurationChanges: true
}
});
const vpcDefaultSecurityGroupRule = new ManagedRule(this,'vpcDefaultSecurityGroupRule',{
identifier:'VPC_DEFAULT_SECURITY_GROUP_CLOSED'
});
const mfaEnabledForConsoleAccessRule = new ManagedRule(this,'mfaEnabledForConsoleAccessRule',{
identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS'
});
const rdsMultiAvailZoneRule = new ManagedRule(this,'rdsMultiAvailZoneRule',{
identifier:'RDS_MULTI_AZ_SUPPORT'
});
}
}
我的问题是,当我尝试使用configurationChanges参数并将其设置为True时。我正在寻找该配置规则,以在该资源组注意到那里的更改时扫描该资源组。我要执行此操作而不使用“ frequency”参数的原因是我们的客户不希望扫描频率高达24小时。他们希望每条规则扫描2周左右。我的问题是:1.我可以使配置规则扫描的频率降低到24小时以下吗?例如,也许每周一次? 2.我可以让lambda触发配置规则进行扫描吗?例如,让lambda检查vpc流日志,如果不存在,则触发配置规则以返回“不兼容”。或3.是否可以仅将每个配置规则的configurationChange设置为true,然后让aws从那里处理?我问这个特定的问题,因为我已经阅读了一些有关Config Recorder的内容,但不确定如何使用它,甚至不确定是否需要它。预先谢谢大家!
解决方法
-
配置规则扫描的最低频率是 24 小时,不比检查 boto3 API 慢。
-
您可能希望相反,定期或在配置更改时运行配置规则。
AWS 不知道要处理什么。如果您进行配置更改,您的 API 或您的代码(通过 lambda)需要知道要检查什么(即存储桶对公共开放),然后当检测到公共存储桶时,lambda 将捕获它并报告 (PutEvaluationAP
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。