了解 AWS-Config 规则和配置更改
Understanding AWS-Config Rules and Confuguration Changes
我目前正在使用 aws-cdk,我的任务是为 15 个左右的规则创建配置规则,我们希望在这些规则上观察和接收通知。这是我的代码供参考:
const vpcFlowLoggingBucket = new s3.Bucket(this,'vpcFlowLoggingBucket', {
accessControl:s3.BucketAccessControl.LOG_DELIVERY_WRITE
});
const generalConfigRole = new iam.Role(this, 'generalConfigRole',{
assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
});
const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
identifier: 'CLOUD_TRAIL_ENABLED'
});
const iamPasswordPolicyRule = new ManagedRule(this, 'iamPasswordPolicyRule',{
identifier: 'IAM_PASSWORD_POLICY'
});
const userGroupMembershipRule = new ManagedRule(this, 'userGroupMembershipRule',{
identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK'
});
const userPolicyRule = new ManagedRule(this,'userPolicyRule',{
identifier: 'IAM_USER_NO_POLICIES_CHECK'
});
const rootAccountMfaEnabledRule = new ManagedRule(this, 'rootAccountMfaEnabledRule',{
identifier: 'ROOT_ACCOUNT_MFA_ENABLED'
});
const accessKeysRotatedRule = new ManagedRule(this, 'accessKeysRotatedRule',{
identifier:'ACCESS_KEYS_ROTATED',
inputParameters: {
maxAccessKeyAge: 100, //rule triggers off of config change and keys must be rotated within 100 days
configurationChanges: true
}
//TODO reference your custom lambda for this
//Parameters need to be specified here for the amount of days to rotate
});
const cloudTrailEncryptionRule = new ManagedRule(this, 'cloudTrailEncryptionRule' ,{
identifier:'CLOUD_TRAIL_ENCRYPTION_ENABLED'
});
const defaultSecurityGroupEniRule = new ManagedRule(this, 'defaultSecurityGroupEniRule',{
identifier:'EC2_SECURITY_GROUP_ATTACHED_TO_ENI'
});
const ebsVolumeEncryption = new ManagedRule(this, 'ebsVolumeEncryption',{
identifier:'EC2_EBS_ENCRYPTION_BY_DEFAULT'
});
const rdsStorageEncryptionRule = new ManagedRule(this, 'rdsStorageEncryptionRule',{
identifier: 'RDS_STORAGE_ENCRYPTED'
//This may need the arn of the kms key used for encryption
});
const s3BucketLoggingEnabledRule = new ManagedRule(this, 's3BucketLoggingEnabledRule',{
identifier: 'S3_BUCKET_LOGGING_ENABLED'
//@aroesec may be able to use a custom rule here for this one and my lambda
// TODO add custom lambda to this for future purposes
});
const s3BucketServerSideEncryptionRule = new ManagedRule(this, 's3BucketServerSideEncryptionRule',{
identifier:'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
//@aroesec may be able to use a custom rule here for my lambda
// TODO add custom lambda to this for future purposes
});
const vpcFlowLogsEnabledRule = new ManagedRule(this, 'vpcFlowLogsEnabledRule',{
identifier:'VPC_FLOW_LOGS_ENABLED',
inputParameters: {
trafficType:'ALL', //vpcs must track all traffic (ALLOW and DENY) with this rule
configurationChanges: true
}
});
const vpcDefaultSecurityGroupRule = new ManagedRule(this, 'vpcDefaultSecurityGroupRule',{
identifier:'VPC_DEFAULT_SECURITY_GROUP_CLOSED'
});
const mfaEnabledForConsoleAccessRule = new ManagedRule(this, 'mfaEnabledForConsoleAccessRule',{
identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS'
});
const rdsMultiAvailZoneRule = new ManagedRule(this, 'rdsMultiAvailZoneRule',{
identifier:'RDS_MULTI_AZ_SUPPORT'
});
}
}
我的问题是,当我尝试使用 configurationChanges 参数并将其设置为 True 时。我正在寻找那个配置规则来扫描那个资源组,当它注意到那里有变化时。我想这样做而不使用“频率”参数的原因是我们的客户不希望扫描频率高达 24 小时。他们希望他们对每条规则进行大约 2 周的扫描。我的问题是,1. 我可以让配置规则的扫描频率低于 24 小时吗?例如,也许每周一次? 2. 我可以让 lambda 触发配置规则进行扫描吗?例如,让 lambda 检查 vpc 流日志,如果不存在,则触发配置规则 return“不合规”。或 3. 我可以为每个配置规则将 configurationChange 设置为 true 并让 aws 从那里处理它吗?我问这个具体问题是因为我已经阅读了一些有关配置记录器的内容,但不确定如何使用它或者是否有必要使用它。提前谢谢大家!
配置规则扫描的最低频率是24小时,如果检查boto3 API。
你会想要相反的,有配置规则 运行 定期或当配置更改时。
AWS 不知道要处理什么。如果你进行配置更改,你 API 或你的代码(通过 lambda)需要知道要检查什么(即桶对 public 开放),然后当 public 桶检测到,lambda 将捕获它并报告 (PutEvaluationAP
我目前正在使用 aws-cdk,我的任务是为 15 个左右的规则创建配置规则,我们希望在这些规则上观察和接收通知。这是我的代码供参考:
const vpcFlowLoggingBucket = new s3.Bucket(this,'vpcFlowLoggingBucket', {
accessControl:s3.BucketAccessControl.LOG_DELIVERY_WRITE
});
const generalConfigRole = new iam.Role(this, 'generalConfigRole',{
assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
});
const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
identifier: 'CLOUD_TRAIL_ENABLED'
});
const iamPasswordPolicyRule = new ManagedRule(this, 'iamPasswordPolicyRule',{
identifier: 'IAM_PASSWORD_POLICY'
});
const userGroupMembershipRule = new ManagedRule(this, 'userGroupMembershipRule',{
identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK'
});
const userPolicyRule = new ManagedRule(this,'userPolicyRule',{
identifier: 'IAM_USER_NO_POLICIES_CHECK'
});
const rootAccountMfaEnabledRule = new ManagedRule(this, 'rootAccountMfaEnabledRule',{
identifier: 'ROOT_ACCOUNT_MFA_ENABLED'
});
const accessKeysRotatedRule = new ManagedRule(this, 'accessKeysRotatedRule',{
identifier:'ACCESS_KEYS_ROTATED',
inputParameters: {
maxAccessKeyAge: 100, //rule triggers off of config change and keys must be rotated within 100 days
configurationChanges: true
}
//TODO reference your custom lambda for this
//Parameters need to be specified here for the amount of days to rotate
});
const cloudTrailEncryptionRule = new ManagedRule(this, 'cloudTrailEncryptionRule' ,{
identifier:'CLOUD_TRAIL_ENCRYPTION_ENABLED'
});
const defaultSecurityGroupEniRule = new ManagedRule(this, 'defaultSecurityGroupEniRule',{
identifier:'EC2_SECURITY_GROUP_ATTACHED_TO_ENI'
});
const ebsVolumeEncryption = new ManagedRule(this, 'ebsVolumeEncryption',{
identifier:'EC2_EBS_ENCRYPTION_BY_DEFAULT'
});
const rdsStorageEncryptionRule = new ManagedRule(this, 'rdsStorageEncryptionRule',{
identifier: 'RDS_STORAGE_ENCRYPTED'
//This may need the arn of the kms key used for encryption
});
const s3BucketLoggingEnabledRule = new ManagedRule(this, 's3BucketLoggingEnabledRule',{
identifier: 'S3_BUCKET_LOGGING_ENABLED'
//@aroesec may be able to use a custom rule here for this one and my lambda
// TODO add custom lambda to this for future purposes
});
const s3BucketServerSideEncryptionRule = new ManagedRule(this, 's3BucketServerSideEncryptionRule',{
identifier:'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
//@aroesec may be able to use a custom rule here for my lambda
// TODO add custom lambda to this for future purposes
});
const vpcFlowLogsEnabledRule = new ManagedRule(this, 'vpcFlowLogsEnabledRule',{
identifier:'VPC_FLOW_LOGS_ENABLED',
inputParameters: {
trafficType:'ALL', //vpcs must track all traffic (ALLOW and DENY) with this rule
configurationChanges: true
}
});
const vpcDefaultSecurityGroupRule = new ManagedRule(this, 'vpcDefaultSecurityGroupRule',{
identifier:'VPC_DEFAULT_SECURITY_GROUP_CLOSED'
});
const mfaEnabledForConsoleAccessRule = new ManagedRule(this, 'mfaEnabledForConsoleAccessRule',{
identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS'
});
const rdsMultiAvailZoneRule = new ManagedRule(this, 'rdsMultiAvailZoneRule',{
identifier:'RDS_MULTI_AZ_SUPPORT'
});
}
}
我的问题是,当我尝试使用 configurationChanges 参数并将其设置为 True 时。我正在寻找那个配置规则来扫描那个资源组,当它注意到那里有变化时。我想这样做而不使用“频率”参数的原因是我们的客户不希望扫描频率高达 24 小时。他们希望他们对每条规则进行大约 2 周的扫描。我的问题是,1. 我可以让配置规则的扫描频率低于 24 小时吗?例如,也许每周一次? 2. 我可以让 lambda 触发配置规则进行扫描吗?例如,让 lambda 检查 vpc 流日志,如果不存在,则触发配置规则 return“不合规”。或 3. 我可以为每个配置规则将 configurationChange 设置为 true 并让 aws 从那里处理它吗?我问这个具体问题是因为我已经阅读了一些有关配置记录器的内容,但不确定如何使用它或者是否有必要使用它。提前谢谢大家!
配置规则扫描的最低频率是24小时,如果检查boto3 API。
你会想要相反的,有配置规则 运行 定期或当配置更改时。
AWS 不知道要处理什么。如果你进行配置更改,你 API 或你的代码(通过 lambda)需要知道要检查什么(即桶对 public 开放),然后当 public 桶检测到,lambda 将捕获它并报告 (PutEvaluationAP