This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Curated SCPs and Config rules
Curated SCPs and Config rules for AMS Advanced.
Service control policies (SCPs): The SCPs provided here supplement the default AMS SCPs.
You can use these library controls together with the default controls to meet specific security requirements.
Config rules: As a baseline, AMS recommends applying a conformance pack (see Conformance packs in the AWS Config guide) together with the default AMS Config rules (see AMS Artifacts for the default rules). Conformance packs cover most compliance requirements and are updated by AWS on a regular basis.
The rules listed here can be used to close gaps for specific use cases that the conformance packs do not cover.
Note
Because the AMS default rules and the conformance packs are updated over time, you may see duplicates of these rules.
In general, AMS recommends cleaning up duplicate Config rules periodically.
For AMS Advanced, Config rules should not use automatic remediation, in order to avoid out-of-band changes (see Remediating Noncompliant AWS Resources by AWS Config Rules).
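The note above recommends periodic cleanup of duplicate Config rules. The following Python script is an added example, not AMS tooling: it groups rules by managed-rule identifier, parsed input parameters and scope, which is what makes two differently named rules evaluate the same thing. The input list mirrors the ConfigRules element returned by the AWS Config describe_config_rules API; the entries here are constructed, with names modelled on rules that appear later on this page. Run it against real API output to get a review list; it deletes nothing.

```python
"""Group AWS Config rules that evaluate the same check under different names.
Added example, not AMS code. Input has the shape of describe_config_rules()["ConfigRules"]."""
import json
from collections import defaultdict

# Constructed sample: an AMS default rule and a conformance-pack copy of the same
# managed rule, two access-key rules with whitespace-only parameter differences,
# one with a genuinely different threshold, and rules with no twin.
SAMPLE_RULES = [
    {"ConfigRuleName": "ams-iam-root-access-key-check",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"}},
    {"ConfigRuleName": "iam-root-access-key-check-conformance-pack-abc123",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"}},
    {"ConfigRuleName": "cp-access-keys-rotated",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge":"90"}'},
    {"ConfigRuleName": "access-keys-rotated",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge": "90"}'},
    {"ConfigRuleName": "access-keys-rotated-strict",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge":"30"}'},
    {"ConfigRuleName": "required-tags",
     "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
     "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
     "InputParameters": '{"tag1Key":"COST_CENTER","tag2Key":"APP_ID"}'},
    {"ConfigRuleName": "custom-lambda-rule",
     "Source": {"Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:example"}},
]


def rule_signature(rule):
    """What a rule actually evaluates: source, normalised parameters and scope.
    InputParameters is a JSON string in the API; parsing it ignores formatting noise."""
    params = json.loads(rule.get("InputParameters") or "{}")
    scope = rule.get("Scope", {})
    return (
        rule["Source"]["Owner"],
        rule["Source"]["SourceIdentifier"],
        tuple(sorted((k, str(v)) for k, v in params.items())),
        tuple(sorted(scope.get("ComplianceResourceTypes", []))),
        scope.get("ComplianceResourceId"),
        scope.get("TagKey"),
        scope.get("TagValue"),
    )


def find_duplicates(rules):
    """Return {signature: [rule names]} for every signature shared by 2+ rules."""
    groups = defaultdict(list)
    for rule in rules:
        groups[rule_signature(rule)].append(rule["ConfigRuleName"])
    return {sig: sorted(names) for sig, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for sig, names in find_duplicates(SAMPLE_RULES).items():
        print(f"{sig[1]} {dict(sig[2])}: {', '.join(names)}")
```

Which copy to keep is a judgement call: prefer the one deployed by the conformance pack or the AMS default set, since those are updated for you, and remove the hand-made copy.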
SCP-AMS-001: Restrict EBS creation
Prevent creation of EBS volumes unless encryption is enabled.
{
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
}
SCP-AMS-002: Restrict EC2 launches
Prevent launching EC2 instances whose EBS volumes are not encrypted. This includes denying launches from unencrypted AMIs, because this SCP also applies to the root volume.
{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
}
SCP-ADV-001: Restrict RFC submission
Restrict the default AMS roles from automatically submitting specific RFCs, for example creating or deleting a VPC. This is useful if you want to apply more granular permissions to federated roles.
For example, you might want users of the default AWSManagedServicesChangeManagementRole to be able to submit most of the available RFCs, but not the RFCs that create or delete a VPC, create additional subnets, offboard an application account, or update or delete a SAML identity provider.
SCP-AMS-003: Restrict EC2 and RDS creation in AMS
Prevent creation of Amazon EC2 and RDS instances that lack a specific tag, while allowing the AMS default backup IAM role to do so. That exemption is required for backup and disaster recovery. Replace <Account_Number> with your account ID.
{
  "Sid": "DenyRunInstanceWithNoOrganizationTag",
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances",
    "rds:CreateDBInstance"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*",
    "arn:aws:ec2:*:*:volume/*",
    "arn:aws:rds:*:*:db:*"
  ],
  "Condition": {
    "Null": {
      "aws:RequestTag/organization": "true"
    },
    "StringNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::<Account_Number>:role/ams-backup-iam-role"
      ]
    }
  }
}
SCP-AMS-004: Restrict S3 uploads
Prevent uploads of unencrypted S3 objects. Read the condition carefully: Null with the value "false" matches only when the s3:x-amz-server-side-encryption header is present, so this statement denies PutObject requests that carry an encryption value other than aws:kms or AES256, and does not deny requests that omit the header (those objects receive the bucket's default encryption). If you also want to deny uploads that omit the header, add a second statement with Null set to "true".
{
  "Sid": "DenyUnencryptedS3Uploads",
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "s3:x-amz-server-side-encryption": [
        "aws:kms",
        "AES256"
      ]
    },
    "Null": {
      "s3:x-amz-server-side-encryption": "false"
    }
  }
}
SCP-AMS-005: Restrict API and console access
Block AWS console and API requests that originate from IP addresses the customer's InfoSec team has identified as known-bad.
SCP-AMS-006: Prevent IAM entities from removing member accounts from the organization
Prevent AWS Identity and Access Management entities from removing a member account from the organization.
{
  "Effect": "Deny",
  "Action": [
    "organizations:LeaveOrganization"
  ],
  "Resource": [
    "*"
  ]
}
SCP-AMS-007: Prevent sharing resources with accounts outside the organization
Prevent sharing resources with accounts outside your AWS organization. The first statement blocks every RAM action on shares that already allow external principals; the second blocks creating or updating a share so that it allows them.
[
  {
    "Effect": "Deny",
    "Action": [
      "ram:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "Bool": {
        "ram:AllowsExternalPrincipals": "true"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ram:CreateResourceShare",
      "ram:UpdateResourceShare"
    ],
    "Resource": "*",
    "Condition": {
      "Bool": {
        "ram:RequestedAllowsExternalPrincipals": "true"
      }
    }
  }
]
SCP-AMS-008: Prevent sharing with the organization or organizational units (OUs)
Prevent sharing resources with accounts and/or OUs in the organization. Replace OrganizationId, AccountId and OrganizationalUnitId in the ARNs with your own values.
{
  "Effect": "Deny",
  "Action": [
    "ram:CreateResourceShare",
    "ram:AssociateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "ram:Principal": [
        "arn:aws:organizations::*:account/o-${OrganizationId}/${AccountId}",
        "arn:aws:organizations::*:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}"
      ]
    }
  }
}
SCP-AMS-009: Prevent users from accepting resource share invitations
Prevent member accounts from accepting invitations to join AWS RAM resource shares. This API supports no condition keys, and because shares within an organization that has RAM sharing enabled are accepted automatically, it effectively only blocks shares from accounts outside the organization.
{
  "Effect": "Deny",
  "Action": [
    "ram:AcceptResourceShareInvitation"
  ],
  "Resource": [
    "*"
  ]
}
SCP-AMS-010: Prevent account Region enable and disable actions
Prevent enabling or disabling any AWS Region for your AWS account.
{
  "Effect": "Deny",
  "Action": [
    "account:EnableRegion",
    "account:DisableRegion"
  ],
  "Resource": "*"
}
SCP-AMS-011: Prevent billing modification actions
Prevent modification of billing and payment configuration.
{
  "Effect": "Deny",
  "Action": [
    "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount",
    "aws-portal:ModifyPaymentMethods"
  ],
  "Resource": "*"
}
SCP-AMS-012: Prevent deletion or modification of specific CloudTrail trails
Prevent modification of specific AWS CloudTrail trails. Replace Partition, Region, Account and TrailName with the values of the trail to protect. The event data store actions in the list only take effect if you also add the corresponding eventdatastore ARN to Resource; with a trail ARN alone they never match.
{
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteEventDataStore",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:UpdateEventDataStore",
    "cloudtrail:UpdateTrail",
    "cloudtrail:StopLogging"
  ],
  "Resource": [
    "arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName}"
  ]
}
SCP-AMS-013: Prevent disabling default EBS encryption
Prevent disabling Amazon EBS encryption by default.
{
  "Effect": "Deny",
  "Action": [
    "ec2:DisableEbsEncryptionByDefault"
  ],
  "Resource": "*"
}
SCP-AMS-014: Prevent creation of default VPCs and subnets
Prevent creation of default Amazon VPCs and subnets.
{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateDefaultSubnet",
    "ec2:CreateDefaultVpc"
  ],
  "Resource": "*"
}
SCP-AMS-015: Prevent disabling and modifying GuardDuty
Prevent Amazon GuardDuty from being modified or disabled.
{
  "Effect": "Deny",
  "Action": [
    "guardduty:AcceptInvitation",
    "guardduty:ArchiveFindings",
    "guardduty:CreateDetector",
    "guardduty:CreateFilter",
    "guardduty:CreateIPSet",
    "guardduty:CreateMembers",
    "guardduty:CreatePublishingDestination",
    "guardduty:CreateSampleFindings",
    "guardduty:CreateThreatIntelSet",
    "guardduty:DeclineInvitations",
    "guardduty:DeleteDetector",
    "guardduty:DeleteFilter",
    "guardduty:DeleteInvitations",
    "guardduty:DeleteIPSet",
    "guardduty:DeleteMembers",
    "guardduty:DeletePublishingDestination",
    "guardduty:DeleteThreatIntelSet",
    "guardduty:DisableOrganizationAdminAccount",
    "guardduty:DisassociateFromMasterAccount",
    "guardduty:DisassociateMembers",
    "guardduty:InviteMembers",
    "guardduty:StartMonitoringMembers",
    "guardduty:StopMonitoringMembers",
    "guardduty:TagResource",
    "guardduty:UnarchiveFindings",
    "guardduty:UntagResource",
    "guardduty:UpdateDetector",
    "guardduty:UpdateFilter",
    "guardduty:UpdateFindingsFeedback",
    "guardduty:UpdateIPSet",
    "guardduty:UpdateMalwareScanSettings",
    "guardduty:UpdateMemberDetectors",
    "guardduty:UpdateOrganizationConfiguration",
    "guardduty:UpdatePublishingDestination",
    "guardduty:UpdateThreatIntelSet"
  ],
  "Resource": "*"
}
SCP-AMS-016: Prevent root user activity
Prevent the root user from performing any action. SCPs apply to the root user of member accounts, but never to the management account.
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:root"
      ]
    }
  }
}
SCP-AMS-017: Prevent creation of access keys for the root user
Prevent creation of access keys for the root user.
{
  "Effect": "Deny",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:root"
}
SCP-AMS-018: Prevent disabling the S3 account public access block
Prevent disabling the Amazon S3 account-level public access block. This keeps any bucket in the account from being made public.
{
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*"
}
SCP-AMS-019: Prevent disabling AWS Config or modifying Config rules
Prevent AWS Config from being disabled and its rules from being deleted.
{
  "Effect": "Deny",
  "Action": [
    "config:DeleteConfigRule",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "config:DeleteEvaluationResults",
    "config:StopConfigurationRecorder"
  ],
  "Resource": "*"
}
SCP-AMS-020: Prevent all IAM actions
Prevent all IAM actions.
{
  "Effect": "Deny",
  "Action": [
    "iam:*"
  ],
  "Resource": "*"
}
SCP-AMS-021: Prevent deletion of CloudWatch log groups and log streams
Prevent deletion of Amazon CloudWatch log groups and log streams.
{
  "Effect": "Deny",
  "Action": [
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream"
  ],
  "Resource": "*"
}
SCP-AMS-022: Prevent Glacier deletion
Prevent deletion of Amazon S3 Glacier archives and vaults.
{
  "Effect": "Deny",
  "Action": [
    "glacier:DeleteArchive",
    "glacier:DeleteVault"
  ],
  "Resource": "*"
}
SCP-AMS-023: Prevent deletion of IAM Access Analyzer
Prevent deletion of IAM Access Analyzer analyzers.
{
  "Effect": "Deny",
  "Action": [
    "access-analyzer:DeleteAnalyzer"
  ],
  "Resource": "*"
}
SCP-AMS-024: Prevent modification of Security Hub
Prevent AWS Security Hub from being disabled or its member associations from being deleted.
{
  "Effect": "Deny",
  "Action": [
    "securityhub:DeleteInvitations",
    "securityhub:DisableSecurityHub",
    "securityhub:DisassociateFromMasterAccount",
    "securityhub:DeleteMembers",
    "securityhub:DisassociateMembers"
  ],
  "Resource": "*"
}
SCP-AMS-025: Prevent deletions under Directory Service
Prevent deletion of resources under AWS Directory Service.
{
  "Effect": "Deny",
  "Action": [
    "ds:DeleteDirectory",
    "ds:DeleteLogSubscription",
    "ds:DeleteSnapshot",
    "ds:DeleteTrust",
    "ds:DeregisterCertificate",
    "ds:DeregisterEventTopic",
    "ds:DisableLDAPS",
    "ds:DisableRadius",
    "ds:DisableSso",
    "ds:UnshareDirectory"
  ],
  "Resource": "*"
}
SCP-AMS-026: Prevent use of deny-listed services
Prevent use of services on a deny list.
Note
Replace service1 and service2 with the service prefixes to block, for example access-analyzer or iam.
{
  "Effect": "Deny",
  "Action": [
    "service1:*",
    "service2:*"
  ],
  "Resource": "*"
}
SCP-AMS-027: Prevent use of deny-listed services in specific Regions
Prevent use of services on a deny list in specific AWS Regions.
Note
Replace service1 and service2 with the service prefixes to block, for example access-analyzer or iam.
Replace region1 and region2 with the Region names, for example us-west-2 or us-east-1.
{
  "Effect": "Deny",
  "Action": [
    "service1:*",
    "service2:*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": [
        "region1",
        "region2"
      ]
    }
  }
}
SCP-AMS-028: Prevent tag modification except by authorized principals
Prevent anyone except authorized principals from modifying tags. Principals are authorized through an authorization tag (access-project in the example), which must be attached to both the resource and the principal; a user or role is treated as authorized only when the tag on the resource and the tag on the principal match. Replace {ACCOUNT_ID}, {RESOURCE_TYPE} and {RESOURCE_NAME} with the ARN components of the one principal that is exempt from the restriction. For more information, see the following resources:
[
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "Null": {
        "ec2:ResourceTag/access-project": false
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "ForAnyValue:StringEquals": {
        "aws:TagKeys": [
          "access-project"
        ]
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "Null": {
        "aws:PrincipalTag/access-project": true
      }
    }
  }
]
SCP-AMS-029: Prevent users from deleting Amazon VPC Flow Logs
Prevent deletion of Amazon VPC Flow Logs and of the log groups, S3 objects and delivery streams they are written to. As written, with Resource set to "*", this denies every s3:DeleteObject, s3:DeleteBucket and logs:DeleteLogGroup call in the account; scope Resource to the flow-log destinations if that is too broad for you.
{
  "Effect": "Deny",
  "Action": [
    "ec2:DeleteFlowLogs",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutLifecycleConfiguration",
    "firehose:DeleteDeliveryStream"
  ],
  "Resource": "*"
}
SCP-AMS-030: Prevent sharing VPC subnets with accounts other than the network account
Prevent sharing Amazon VPC subnets with any account other than the network account.
Note
Replace NETWORK_ACCOUNT_ID with your network account ID.
{
  "Effect": "Deny",
  "Action": [
    "ram:AssociateResourceShare",
    "ram:CreateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "ram:Principal": "NETWORK_ACCOUNT_ID"
    },
    "StringEquals": {
      "ram:RequestedResourceType": "ec2:Subnet"
    }
  }
}
SCP-AMS-031: Prevent launching instances of prohibited instance types
Prevent launching prohibited Amazon EC2 instance types.
Note
Replace instance_type1 and instance_type2 with the instance types to restrict, for example t2.micro, or with a wildcard string such as *.nano.
{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "ec2:InstanceType": [
        "instance_type1",
        "instance_type2"
      ]
    }
  }
}
SCP-AMS-032: Prevent launching instances without IMDSv2
Prevent launching Amazon EC2 instances that do not use IMDSv2. The first two statements reject launches that do not require session tokens or that set a hop limit above 3; the third rejects any API call made with role credentials obtained through IMDSv1 (ec2:RoleDelivery below 2.0); the fourth prevents the metadata options from being changed after launch.
[
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringNotEquals": {
        "ec2:MetadataHttpTokens": "required"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "NumericGreaterThan": {
        "ec2:MetadataHttpPutResponseHopLimit": "3"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": {
        "ec2:RoleDelivery": "2.0"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceMetadataOptions",
    "Resource": "*"
  }
]
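The condition logic of several of these SCPs is easy to misread: SCP-AMS-004 combines Null with StringNotLike, and SCP-AMS-032 relies on the IAM rule that negated string operators match when the key is absent from the request. The following Python script is an added example, not part of this page or of AMS: a small offline evaluator for the subset of SCP grammar used above, run against constructed request contexts for SCP-AMS-004, SCP-AMS-032 and an assumed source-IP deny statement standing in for SCP-AMS-005 (the page gives no policy for that control; the CIDR ranges are placeholders). It models only Deny statements and the operators named in the docstring, so use the IAM policy simulator for anything beyond that.

```python
"""Offline evaluator for the SCP condition grammar used on this page.
Added example, not AMS code. Modelled: Deny statements; '*'/'?' wildcards in
Action and Resource; the operators Bool, Null, StringEquals, StringNotEquals,
StringLike, StringNotLike, NumericGreaterThan, NumericLessThan, IpAddress.
ForAnyValue:/ForAllValues: prefixes are stripped and the key treated as
single-valued; policy variables (${...}) are not substituted."""
import fnmatch
import ipaddress


def _values(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM wildcards are '*' and '?'; escape '[' so fnmatch does not read it as a class
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _op(op, ctx_val, pats):
    """Evaluate one operator; ctx_val is None when the key is absent from the request."""
    if op == "Null":
        return (ctx_val is None) == (str(pats[0]).lower() == "true")
    if ctx_val is None:
        # IAM rule: a missing key fails positive operators and satisfies negated ones
        return op.startswith("StringNot")
    ctx = str(ctx_val)
    if op == "Bool":
        return ctx.lower() == str(pats[0]).lower()
    if op == "StringEquals":
        return any(ctx == str(p) for p in pats)
    if op == "StringNotEquals":
        return all(ctx != str(p) for p in pats)
    if op == "StringLike":
        return any(_match(str(p), ctx) for p in pats)
    if op == "StringNotLike":
        return not any(_match(str(p), ctx) for p in pats)
    if op == "NumericGreaterThan":
        return float(ctx) > float(pats[0])
    if op == "NumericLessThan":
        return float(ctx) < float(pats[0])
    if op == "IpAddress":
        ip = ipaddress.ip_address(ctx)
        return any(ip in ipaddress.ip_network(str(p), strict=False) for p in pats)
    raise ValueError(f"operator not modelled: {op}")


def statement_matches(stmt, action, resource, ctx):
    if not any(_match(a, action) for a in _values(stmt["Action"])):
        return False
    if not any(_match(r, resource) for r in _values(stmt["Resource"])):
        return False
    for op, block in stmt.get("Condition", {}).items():
        op = op.split(":", 1)[-1]  # drop ForAnyValue:/ForAllValues:
        for key, pats in block.items():
            if not _op(op, ctx.get(key), _values(pats)):
                return False
    return True


def scp_denies(policy, action, resource, ctx):
    """True if any Deny statement matches. SCPs only filter, so this is the whole question."""
    return any(s["Effect"] == "Deny" and statement_matches(s, action, resource, ctx)
               for s in _values(policy))


# SCP-AMS-004 and SCP-AMS-032 as printed on this page
SCP_AMS_004 = {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*", "Condition": {
    "StringNotLike": {"s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]},
    "Null": {"s3:x-amz-server-side-encryption": "false"}}}
SCP_AMS_032 = [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"NumericGreaterThan": {"ec2:MetadataHttpPutResponseHopLimit": "3"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}},
    {"Effect": "Deny", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*"},
]
# Assumed shape for SCP-AMS-005 (the page lists no policy); CIDRs are placeholders.
# aws:ViaAWSService=false keeps the deny off calls that AWS services make on the
# principal's behalf, which arrive from AWS-owned source IPs rather than the user's.
SCP_AMS_005_EXAMPLE = {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
    "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "198.51.100.7/32"]},
    "Bool": {"aws:ViaAWSService": "false"}}}


def demo():
    """Constructed request contexts; returns {case: denied?}."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    run = ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*")
    sse, tok, hop = "s3:x-amz-server-side-encryption", "ec2:MetadataHttpTokens", "ec2:MetadataHttpPutResponseHopLimit"
    return {
        # Null:"false" needs the header present, so an upload with no header is NOT denied
        "004_no_header": scp_denies(SCP_AMS_004, "s3:PutObject", obj, {}),
        "004_aes256": scp_denies(SCP_AMS_004, "s3:PutObject", obj, {sse: "AES256"}),
        "004_dsse": scp_denies(SCP_AMS_004, "s3:PutObject", obj, {sse: "aws:kms:dsse"}),
        "032_tokens_required": scp_denies(SCP_AMS_032, *run, {tok: "required", hop: "1"}),
        "032_tokens_optional": scp_denies(SCP_AMS_032, *run, {tok: "optional", hop: "1"}),
        "032_hop_limit_64": scp_denies(SCP_AMS_032, *run, {tok: "required", hop: "64"}),
        # credentials fetched over IMDSv1 are refused for every action, not only RunInstances
        "032_imdsv1_creds": scp_denies(SCP_AMS_032, "s3:GetObject", obj, {"ec2:RoleDelivery": "1.0"}),
        "005_bad_ip_direct": scp_denies(SCP_AMS_005_EXAMPLE, "s3:ListBucket", obj,
                                        {"aws:SourceIp": "192.0.2.45", "aws:ViaAWSService": "false"}),
        "005_bad_ip_via_service": scp_denies(SCP_AMS_005_EXAMPLE, "s3:ListBucket", obj,
                                             {"aws:SourceIp": "192.0.2.45", "aws:ViaAWSService": "true"}),
        "005_good_ip": scp_denies(SCP_AMS_005_EXAMPLE, "s3:ListBucket", obj,
                                  {"aws:SourceIp": "203.0.113.9", "aws:ViaAWSService": "false"}),
    }


if __name__ == "__main__":
    for case, denied in demo().items():
        print(f"{case:24s} {'DENY' if denied else 'allow'}")
```

The two results worth noticing are 004_no_header (not denied, because Null with "false" requires the header to be present) and 004_dsse (denied, because aws:kms:dsse is not equal to the literal aws:kms). Whether that matches your intent decides whether SCP-AMS-004 needs a second statement or a wildcard.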
SCP-AMS-033: Prevent modification of specific IAM roles
Prevent modification of the specified IAM roles. Replace {ACCOUNT_ID} and {RESOURCE_NAME} with the account ID and role name.
{
  "Effect": "Deny",
  "Action": [
    "iam:AttachRolePolicy",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription"
  ],
  "Resource": [
    "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ]
}
SCP-AMS-034: Prevent modification of the AssumeRolePolicy of specific IAM roles
Prevent modification of the trust policy (AssumeRolePolicy) of the specified IAM roles.
{
  "Effect": "Deny",
  "Action": [
    "iam:UpdateAssumeRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ]
}
ConfigRule: Required tags
Checks whether EC2 instances carry the custom tags you require. Beyond InfoSec, this is also useful for cost management.
ConfigRuleName: required-tags
Description: >-
  A Config rule that checks whether EC2 instances have the required tags.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
InputParameters:
  tag1Key: COST_CENTER
  tag2Key: APP_ID
Source:
  Owner: AWS
  SourceIdentifier: REQUIRED_TAGS
ConfigRule: Access keys rotated
Checks whether access keys are rotated within the specified period. Typical compliance requirements set this to 90 days.
ConfigRuleName: access-keys-rotated
Description: >-
  A config rule that checks whether the active access keys are rotated within
  the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if
  the access keys have not been rotated for more than maxAccessKeyAge number of
  days.
InputParameters:
  maxAccessKeyAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: ACCESS_KEYS_ROTATED
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: IAM root access keys in AMS
Checks that no root access keys exist in the account. AMS Advanced accounts should be compliant with this out of the box.
ConfigRuleName: iam-root-access-key-check
Description: >-
  A config rule that checks whether the root user access key is available.
  The rule is COMPLIANT if the user access key does not exist.
Source:
  Owner: AWS
  SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: EC2 managed by SSM
Checks whether your EC2 instances are managed by AWS Systems Manager (SSM).
ConfigRuleName: ec2-instance-managed-by-systems-manager
Description: >-
  A Config rule that checks whether the EC2 instances in the account are
  managed by AWS Systems Manager.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
    - 'AWS::SSM::ManagedInstanceInventory'
Source:
  Owner: AWS
  SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
ConfigRule: Unused IAM users in AMS
Checks for IAM user credentials that have not been used within the specified period. As with the key rotation check, this typically defaults to 90 days in line with common compliance requirements.
ConfigRuleName: iam-user-unused-credentials-check
Description: >-
  A config rule that checks whether IAM users have passwords or active access
  keys that have not been used within the specified number of days provided.
InputParameters:
  maxCredentialUsageAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: S3 bucket logging
Checks whether logging is enabled for the S3 buckets in the account.
ConfigRuleName: s3-bucket-logging-enabled
Description: >-
  A Config rule that checks whether logging is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
ConfigRule: S3 bucket versioning
Checks whether versioning (and, optionally, MFA delete) is enabled on all S3 buckets.
ConfigRuleName: s3-bucket-versioning-enabled
Description: >-
  A Config rule that checks whether versioning is enabled for S3 buckets.
  Optionally, the rule checks if MFA delete is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
ConfigRule: S3 public access
Checks whether the account-level public access settings (public ACLs, public policies, public buckets) are restricted.
ConfigRuleName: s3-account-level-public-access-blocks
Description: >-
  A Config rule that checks whether the required public access block settings
  are configured from account level. The rule is only NON_COMPLIANT when the
  fields set below do not match the corresponding fields in the configuration
  item.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::AccountPublicAccessBlock'
InputParameters:
  IgnorePublicAcls: 'True'
  BlockPublicPolicy: 'True'
  BlockPublicAcls: 'True'
  RestrictPublicBuckets: 'True'
Source:
  Owner: AWS
  SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
ConfigRule: Non-archived GuardDuty findings
Checks for non-archived GuardDuty findings older than the specified duration. The defaults are 30 days for low-severity, 7 days for medium-severity and 1 day for high-severity findings.
ConfigRuleName: guardduty-non-archived-findings
Description: >-
  A Config rule that checks whether the Amazon GuardDuty has findings that are
  non archived. The rule is NON_COMPLIANT if GuardDuty has non archived
  low/medium/high severity findings older than the specified number.
InputParameters:
  daysLowSev: '30'
  daysMediumSev: '7'
  daysHighSev: '1'
Source:
  Owner: AWS
  SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: CMKs scheduled for deletion
Checks whether any AWS Key Management Service customer master keys (CMKs) are scheduled for deletion (pending deletion). This matters because a CMK deletion that goes unnoticed makes every object encrypted under that key unrecoverable once the waiting period ends.
ConfigRuleName: kms-cmk-not-scheduled-for-deletion
Description: >-
  A config rule that checks whether customer master keys (CMKs) are not
  scheduled for deletion in AWS Key Management Service (AWS KMS). The rule is
  NON_COMPLIANT if CMKs are scheduled for deletion.
Source:
  Owner: AWS
  SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: Key rotation
Checks whether automatic rotation is enabled for every CMK in the account. The rule does not apply to CMKs with imported key material, which cannot be rotated automatically.
ConfigRuleName: cmk-backing-key-rotation-enabled
Description: >-
  A config rule that checks that key rotation is enabled for each customer
  master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for
  specific key object. The rule is not applicable to CMKs that have imported
  key material.
Source:
  Owner: AWS
  SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours