Custom notifications for Config rules - AMS Advanced User Guide

This page is a machine translation of the English version; where the two differ, the English version prevails.

Custom notifications for Config rules

Some Config rules flag non-compliance that is serious enough to be raised directly with your InfoSec and leadership teams. For such cases, AMS recommends that you set up custom notifications driven by the rule's NON_COMPLIANT evaluation events: Config emits a "Config Rules Compliance Change" event each time a resource's compliance status changes, an EventBridge rule matches only the events whose complianceType is NON_COMPLIANT and whose configRuleARN is the rule you care about, and an input transformer turns the matched event into a readable message that is published to an SNS topic the right people subscribe to. Because the topic policy must let events.amazonaws.com publish, keep the policy scoped to that single action on that single topic, as in the example below.

For example, as a CloudFormation template (YAML):

Resources:
  # Managed rule REQUIRED_TAGS, evaluating EC2 instances only. The logical ID
  # RequiredEC2Tags is what the event rule below references via Fn::GetAtt.
  RequiredEC2Tags:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: required-tags
      Description: >-
        A Config rule that checks whether EC2 instances have the mandated tags.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      InputParameters:
        # One tagNKey per mandated tag; these match the tags named in the
        # notification message below.
        tag1Key: COST_CENTER
        tag2Key: APP_ID
        tag3Key: Name
        tag4Key: Backup
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
  # EventBridge rule: fire only on NON_COMPLIANT results from this rule.
  NotificationEventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: CWEventForrequired-tags
      Description: >-
        SNS Notification for Non-Compliant Events of Config Rule: required-tags
      State: ENABLED
      EventPattern:
        detail-type:
          - Config Rules Compliance Change
        source:
          - aws.config
        detail:
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
          configRuleARN:
            - 'Fn::GetAtt':
                - RequiredEC2Tags
                - Arn
      Targets:
        - Id: RemediationNotification
          Arn:
            Ref: SnsTopic
          InputTransformer:
            # Placeholder names are case-sensitive and must equal the
            # InputPathsMap keys exactly; the outer double quotes make the
            # rendered template a JSON string, which SNS expects.
            InputTemplate: >-
              "EC2 Instance <instance_id> is non-compliant. Please add required tags: COST_CENTER, APP_ID, Name, and Backup."
            InputPathsMap:
              instance_id: $.detail.resourceId
  SnsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: Cloud_Ops_Leaders@customer.com
          Protocol: email
      TopicName: noncompliant-instance-notification
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          # Default statement: the wildcard principal is constrained by
          # AWS:SourceOwner to principals in this account only.
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          # EventBridge needs only sns:Publish on this topic.
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic
      Topics:
        - Ref: SnsTopic
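To check a rule like this before deploying it, it helps to see what the event actually looks like and which events the pattern lets through. The following is an added example, not code from the AMS guide or from AWS: a small offline dry run that implements the subset of EventBridge pattern matching the rule relies on (exact-value lists and nested keys) and the InputTransformer substitution, then runs both over constructed "Config Rules Compliance Change" events. The account ID, the rule ARN that Fn::GetAtt would resolve to, and the instance IDs are made up; the event field names are those Config emits.

```python
"""Offline dry run of an EventBridge rule for Config compliance changes.

Added example, not code from the AMS guide. Implements the subset of
EventBridge pattern matching the template's rule uses (exact-value lists,
nested keys) plus InputTransformer substitution, and runs both over
constructed 'Config Rules Compliance Change' events. Account ID, rule ARN
and instance IDs are made up.
"""
import json
import re

# Assumed ARN of the deployed required-tags rule (what Fn::GetAtt resolves to).
RULE_ARN = "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcd12"

# Same shape as the EventPattern in the template, with the GetAtt resolved.
EVENT_PATTERN = {
    "detail-type": ["Config Rules Compliance Change"],
    "source": ["aws.config"],
    "detail": {
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        "configRuleARN": [RULE_ARN],
    },
}

INPUT_PATHS_MAP = {"instance_id": "$.detail.resourceId"}
# The outer double quotes make the rendered template a JSON string for SNS.
INPUT_TEMPLATE = (
    '"EC2 Instance <instance_id> is non-compliant. '
    'Please add required tags: COST_CENTER, APP_ID, Name, and Backup."'
)


def matches(pattern, event):
    """Every key in pattern must exist in event; a list means 'one of these
    values', a nested dict recurses. Prefix, anything-but and numeric
    matchers are out of scope for this dry run."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def json_path(event, path):
    """Resolve a plain '$.a.b' path; no wildcards or filters."""
    node = event
    for part in path.removeprefix("$.").split("."):
        node = node[part]
    return node


def unresolved_placeholders(template, paths_map):
    """Placeholders with no InputPathsMap key of exactly that name. The names
    are case-sensitive, so <Instance_ID> against a key instance_id is a silent
    mismatch that ships the literal placeholder in the notification."""
    return sorted(set(re.findall(r"<([^>]+)>", template)) - set(paths_map))


def render(event, template=INPUT_TEMPLATE, paths_map=INPUT_PATHS_MAP):
    """Apply the InputTransformer and return the plain-text SNS message."""
    missing = unresolved_placeholders(template, paths_map)
    if missing:
        raise ValueError(f"placeholders without InputPathsMap entry: {missing}")
    values = {name: str(json_path(event, p)) for name, p in paths_map.items()}
    rendered = re.sub(r"<([^>]+)>", lambda m: values[m.group(1)], template)
    return json.loads(rendered)


def notify(event):
    """Message the rule would publish for this event, or None if filtered out."""
    if not matches(EVENT_PATTERN, event):
        return None
    return render(event)


def make_event(compliance, rule_arn=RULE_ARN, instance_id="i-0123456789abcdef0"):
    """Constructed event in the shape Config emits for a compliance change."""
    return {
        "version": "0",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "resourceId": instance_id,
            "resourceType": "AWS::EC2::Instance",
            "configRuleName": "required-tags",
            "configRuleARN": rule_arn,
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


if __name__ == "__main__":
    cases = [
        ("non-compliant, our rule", make_event("NON_COMPLIANT")),
        ("compliant, our rule", make_event("COMPLIANT")),
        ("non-compliant, other rule", make_event("NON_COMPLIANT", rule_arn=RULE_ARN + "-other")),
    ]
    for label, ev in cases:
        print(f"{label}: {notify(ev)!r}")
    print("unresolved:", unresolved_placeholders('"<Instance_ID> is non-compliant"', INPUT_PATHS_MAP))
```

Only the first case produces a message; a COMPLIANT result and a NON_COMPLIANT result from a different rule are both dropped by the pattern, which is the behaviour you want before wiring the topic to a leadership mailing list. The placeholder check is worth running against any template you edit by hand, since a mismatched name fails silently in EventBridge rather than at deploy time.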