使用 Cloud Custodian 仅限制特定安全组中的特定端口
Restrict only Specific Ports in Specific Security Groups using Cloud Custodian
已经为此创建了一个类似的问题。我读了很少的答案,但我无法解决 issue.I 必须为此创建一个单独的 post,因为我没有足够的信誉点来回复 [=17] 中的用户=]. link 是:- here 。除了几个安全组之外,我想限制所有暴露给 public 的端口。例如,对于其中一个安全组,我不希望端口 80 暴露给 public,但是对于安全组来说,我希望端口 80 对 public 开放 "sg-123456789"。如何编写云托管策略?
- name: sg-123456789
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-123456789"
op: in
-or:
- type: ingress
OnlyPorts: [80]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [80]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
- name: sg-987654321
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-987654321"
op: in
-or:
- type: ingress
OnlyPorts: [3000]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [3000]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
我目前也在从事 cloudcustodian 方面的工作。我尝试创建以下策略,但也没有按预期工作。
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
actions:
- type: remove-permissions
ingress: matched
- name: sg-0987654321-ipv6
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/custo_role
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
CidrV6:
value: "::/0"
actions:
- type: remove-permissions
ingress: matched
也尝试过应用 and 过滤器,不幸的是没有成功。
filters:
- and:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
请告诉我哪里错了。
分享您遇到的错误的屏幕截图,您必须对 ipv4 和 ipv6 使用单独的策略进行补救模式
resource: security-group
filters:
- and:
- type: value
key: GroupId
op: in
value:
- sg-0db5e1ab7ccccc
- or:
- type: ingress
OnlyPorts: [80,443]
Cidr:
value: "0.0.0.0/0"
- type: ingress
OnlyPorts: [80,443]
CidrV6:
value: "::/0"
已经为此创建了一个类似的问题。我读了很少的答案,但我无法解决 issue.I 必须为此创建一个单独的 post,因为我没有足够的信誉点来回复 [=17] 中的用户=]. link 是:- here 。除了几个安全组之外,我想限制所有暴露给 public 的端口。例如,对于其中一个安全组,我不希望端口 80 暴露给 public,但是对于安全组来说,我希望端口 80 对 public 开放 "sg-123456789"。如何编写云托管策略?
- name: sg-123456789
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-123456789"
op: in
-or:
- type: ingress
OnlyPorts: [80]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [80]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
- name: sg-987654321
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-987654321"
op: in
-or:
- type: ingress
OnlyPorts: [3000]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [3000]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
我目前也在从事 cloudcustodian 方面的工作。我尝试创建以下策略,但也没有按预期工作。
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
actions:
- type: remove-permissions
ingress: matched
- name: sg-0987654321-ipv6
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/custo_role
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
CidrV6:
value: "::/0"
actions:
- type: remove-permissions
ingress: matched
也尝试过应用 and 过滤器,不幸的是没有成功。
filters:
- and:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
请告诉我哪里错了。
分享您遇到的错误的屏幕截图,您必须对 ipv4 和 ipv6 使用单独的策略进行补救模式
resource: security-group
filters:
- and:
- type: value
key: GroupId
op: in
value:
- sg-0db5e1ab7ccccc
- or:
- type: ingress
OnlyPorts: [80,443]
Cidr:
value: "0.0.0.0/0"
- type: ingress
OnlyPorts: [80,443]
CidrV6:
value: "::/0"