AWS Config - Resource discovery stuck on "Your resources are being discovered"
My company has 2 AWS accounts. On the first one (let's call it playground) I have full admin rights. On the second one (let's call it production) I have limited IAM permissions.
I enabled AWS Config on both accounts (using the terraform file in the appendix).
- On playground it runs smoothly, everything is fine.
- On production it fails. More specifically, it is unable to detect the account's resources and shows the message "Your resources are being discovered", as in the screenshot below.
I initially suspected it could be an IAM role permission issue.
For example, running
aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile playground
gives me the list of SecurityGroups discovered by AWS Config on playground (roughly what I see on the console dashboard).
On the other hand:
aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile production
returns an empty list (although there are security groups; same result with other types, e.g. AWS::EC2::Instance):
{
    "resourceIdentifiers": []
}
Since the IAM role does have permission to call the describe APIs, I dropped the IAM permissions suspicion. It works. It just returns null.
Could it be the AWS Config role AWSServiceRoleForConfig? It doesn't make sense. Since it is a service-linked role, it should have all required permissions by default. (Still, I'll attach the policy at the end of the post.)
Now the weird part:
My rules validate some resources (e.g. EFS) but throw this message: The specified resource is either unknown or has not been discovered.
I still suspect this could be an IAM issue, but I don't know what's going on. I've been struggling with this for days and I really need some help.
According to the official documentation:
AWS Config keeps track of all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.
config.tf
# Create the configuration recorder, using the service-linked role for AWS Config
resource "aws_config_configuration_recorder" "default" {
  name     = "default-recorder"
  role_arn = "arn:aws:iam::${var.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Enable the configuration recorder (a recorder can only be started once a delivery channel exists)
resource "aws_config_configuration_recorder_status" "default" {
  name       = aws_config_configuration_recorder.default.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.default]
}

# Connect AWS Config to the S3 bucket
resource "aws_config_delivery_channel" "default" {
  name           = "default-channel"
  s3_bucket_name = "central-config-bucket" # Central S3 bucket
  depends_on     = [aws_config_configuration_recorder.default]
}

# Deploy the default HIPAA compliance conformance pack.
# A conformance pack needs a running recorder, so wait for the recorder status.
resource "aws_config_conformance_pack" "hipaa" {
  name          = "operational-best-practices-for-HIPAA-Security"
  template_body = data.http.conformance_pack.body # "response_body" on hashicorp/http provider >= 3.x
  depends_on    = [aws_config_configuration_recorder_status.default]
}

data "http" "conformance_pack" {
  url = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
}

# Authorize the aggregator account to collect this account's Config data
resource "aws_config_aggregate_authorization" "main" {
  account_id = "************"
  region     = "eu-central-1"
}
Default AWSServiceRoleForConfig policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"apigateway:GET",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingPolicies",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeTags",
"backup:DescribeBackupVault",
"backup:DescribeRecoveryPoint",
"backup:GetBackupPlan",
"backup:GetBackupSelection",
"backup:GetBackupVaultAccessPolicy",
"backup:GetBackupVaultNotifications",
"backup:ListBackupPlans",
"backup:ListBackupSelections",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags",
"cloudformation:DescribeType",
"cloudformation:ListTypes",
"cloudfront:ListTagsForResource",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudwatch:DescribeAlarms",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineState",
"codepipeline:ListPipelines",
"config:BatchGet*",
"config:Describe*",
"config:Get*",
"config:List*",
"config:Put*",
"config:Select*",
"dax:DescribeClusters",
"dms:DescribeReplicationInstances",
"dms:DescribeReplicationSubnetGroups",
"dms:ListTagsForResource",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:ListTagsForResource",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTaskSets",
"ecs:ListClusters",
"ecs:ListServices",
"ecs:ListTagsForResource",
"ecs:ListTaskDefinitions",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:GetBlockPublicAccessConfiguration",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"es:ListTags",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"iam:GenerateCredentialReport",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListUserPolicies",
"iam:ListVirtualMFADevices",
"kinesis:DescribeStreamSummary",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListKeys",
"kms:ListResourceTags",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetPolicy",
"lambda:ListAliases",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"organizations:DescribeOrganization",
"rds:DescribeDBClusters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBInstances",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusters",
"redshift:DescribeClusterSecurityGroups",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeEventSubscriptions",
"redshift:DescribeLoggingStatus",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListCodeRepositories",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListTags",
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"securityhub:describeHub",
"shield:DescribeDRTAccess",
"shield:DescribeProtection",
"shield:DescribeSubscription",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ListQueueTags",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeDocument",
"ssm:GetAutomationExecution",
"ssm:GetDocument",
"ssm:ListDocuments",
"storagegateway:ListGateways",
"storagegateway:ListVolumes",
"support:DescribeCases",
"tag:GetResources",
"waf-regional:GetLoggingConfiguration",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf:GetLoggingConfiguration",
"waf:GetWebACL",
"wafv2:GetLoggingConfiguration"
],
"Resource": "*"
}
]
}
This could be an AWS terraform provider bug.
The first time the Terraform plan is applied, the service-linked role AWSServiceRoleForConfig is not automatically activated. You need to add it to AWS Config manually. Then it works normally.
EDIT
The solution may be different from the above (or a combination of both). I also noticed that AWS Config gets stuck on "discovering resources" when no rules/conformance packs are deployed. If you deploy a single rule, it discovers the resources (?!)
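The question only looked at list-discovered-resources, and the answer guesses at the recorder. The checks a practitioner would actually run first are describe-configuration-recorder-status (is the recorder recording, has it ever completed a run) and describe-delivery-channel-status (is delivery to the central bucket failing, which for a bucket in another account means its bucket policy does not admit this account). The script below is an added example, not the asker's or answerer's code: it turns those three API responses into findings. The sample responses are constructed to resemble the situation in the question, the field names follow the real AWS Config API, and the error code and message strings in the delivery sample are made up for illustration.

```python
"""Triage for an AWS Config recorder stuck on "Your resources are being discovered".

Added example for this thread; not code from the original post. With no arguments it
runs on constructed sample responses; with <profile> <region> it pulls live data via boto3.
"""
from __future__ import annotations

# Constructed sample: shape of `describe-configuration-recorder-status` for an account
# whose recorder is on but has never finished a run (lastStatus is PENDING|SUCCESS|FAILURE).
SAMPLE_RECORDER_STATUS = {
    "ConfigurationRecordersStatus": [
        {"name": "default-recorder", "recording": True, "lastStatus": "PENDING"}
    ]
}

# Constructed sample: shape of `describe-delivery-channel-status` when snapshot and history
# delivery to the S3 bucket fail. Error code/message values here are made up.
SAMPLE_CHANNEL_STATUS = {
    "DeliveryChannelsStatus": [
        {
            "name": "default-channel",
            "configSnapshotDeliveryInfo": {
                "lastStatus": "FAILURE",
                "lastErrorCode": "AccessDenied",
                "lastErrorMessage": "constructed: bucket policy denies PutObject",
            },
            "configHistoryDeliveryInfo": {
                "lastStatus": "FAILURE",
                "lastErrorCode": "AccessDenied",
                "lastErrorMessage": "constructed: bucket policy denies PutObject",
            },
            "configStreamDeliveryInfo": {"lastStatus": "NOT_APPLICABLE"},
        }
    ]
}

# Constructed sample: the empty `list-discovered-resources` answer seen in the question.
SAMPLE_DISCOVERED = {"resourceIdentifiers": []}


def triage(recorder_status: dict, channel_status: dict, discovered: dict,
           resource_type: str = "AWS::EC2::SecurityGroup") -> list[str]:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings: list[str] = []

    recorders = recorder_status.get("ConfigurationRecordersStatus", [])
    if not recorders:
        findings.append("no configuration recorder exists in this account/region")
    for rec in recorders:
        name = rec.get("name")
        if not rec.get("recording"):
            findings.append(f"recorder {name} is not recording (start it)")
        status = rec.get("lastStatus")
        if status == "FAILURE":
            findings.append(f"recorder {name} last run failed: "
                            f"{rec.get('lastErrorCode')} {rec.get('lastErrorMessage')}")
        elif status != "SUCCESS":
            findings.append(f"recorder {name} has never completed a run (lastStatus={status})")

    channels = channel_status.get("DeliveryChannelsStatus", [])
    if not channels:
        findings.append("no delivery channel exists; a recorder cannot be started without one")
    for ch in channels:
        for key in ("configSnapshotDeliveryInfo", "configHistoryDeliveryInfo"):
            info = ch.get(key, {})
            if info.get("lastStatus") == "FAILURE":
                findings.append(f"delivery channel {ch.get('name')} {key} failed: "
                                f"{info.get('lastErrorCode')} {info.get('lastErrorMessage')}")

    if not discovered.get("resourceIdentifiers"):
        findings.append(f"no {resource_type} resources discovered yet")
    return findings


def fetch_live(profile: str, region: str, resource_type: str = "AWS::EC2::SecurityGroup"):
    """Pull the three responses with boto3 (assumes boto3 is installed and the profile
    is allowed config:Describe* and config:ListDiscoveredResources)."""
    import boto3
    cfg = boto3.Session(profile_name=profile, region_name=region).client("config")
    return (cfg.describe_configuration_recorder_status(),
            cfg.describe_delivery_channel_status(),
            cfg.list_discovered_resources(resourceType=resource_type))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python config_triage.py <profile> <region>
        data = fetch_live(sys.argv[1], sys.argv[2])
    else:                   # no arguments: run against the constructed samples
        data = (SAMPLE_RECORDER_STATUS, SAMPLE_CHANNEL_STATUS, SAMPLE_DISCOVERED)
    for line in triage(*data) or ["no obvious problem in recorder or delivery channel"]:
        print(line)
```

Run it against the production profile before touching IAM: a recorder that reports recording but never reaches lastStatus SUCCESS, or a delivery channel whose snapshot/history delivery fails, points at the recorder or the central bucket's policy rather than at the service-linked role's permissions.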