기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
Config 규칙에 대한 사용자 지정 알림
InfoSec 및 리더십 팀에 직접 에스컬레이션된 인식을 높여야 하는 규정을 준수하지 않는 중요한 Config 규칙이 발생할 수 있습니다. 이러한 시나리오의 경우 AMS는 규정 미준수 이벤트 기반 사용자 지정 알림을 구성할 것을 권장합니다.
예:
ConfigRuleName: required-tags Description: >- A Config rule that checks whether EC2 instances have the mandated tags. Scope: ComplianceResourceTypes: - 'AWS::EC2::Instance' InputParameters: tag1Key: COST_CENTER tag2Key: APP_ID Source: Owner: AWS SourceIdentifier: REQUIRED_TAGS NotificationEventRule: Type: 'AWS::Events::Rule' Properties: Name: CWEventForrequired-tags Description: >- SNS Notification for Non-Compliant Events of Config Rule: required-tags State: ENABLED EventPattern: detail-type: - Config Rules Compliance Change source: - aws.config detail: newEvaluationResult: complianceType: - NON_COMPLIANT configRuleARN: - 'Fn::GetAtt': - RequiredEC2Tags - Arn Targets: - Id: RemediationNotification Arn: Ref: SnsTopic InputTransformer: InputTemplate: >- "EC2 Instance <Instance_ID> is non-compliant. Please add required tags: COST_CENTER, APP_ID, Name, and Backup." InputPathsMap: instance_id: $.detail.resourceId SnsTopic: Type: 'AWS::SNS::Topic' Properties: Subscription: - Endpoint: Cloud_Ops_Leaders@customer.com Protocol: email TopicName: noncompliant-instance-notification SnsTopicPolicy: Type: 'AWS::SNS::TopicPolicy' Properties: PolicyDocument: Statement: - Sid: __default_statement_ID Effect: Allow Principal: AWS: '*' Action: - 'SNS:GetTopicAttributes' - 'SNS:SetTopicAttributes' - 'SNS:AddPermission' - 'SNS:RemovePermission' - 'SNS:DeleteTopic' - 'SNS:Subscribe' - 'SNS:ListSubscriptionsByTopic' - 'SNS:Publish' - 'SNS:Receive' Resource: Ref: SnsTopic Condition: StringEquals: 'AWS:SourceOwner': Ref: 'AWS::AccountId' - Sid: TrustCWEToPublishEventsToMyTopic Effect: Allow Principal: Service: events.amazonaws.com Action: 'sns:Publish' Resource: Ref: SnsTopic Topics: - Ref: SnsTopic
