This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Curated SCPs and Config rules
Curated SCPs and Config rules for AMS Advanced.
Service control policies (SCPs): The SCPs provided here supplement the default AMS policies.
You can use these library controls together with the default library controls to meet specific security requirements.
Config rules: In addition to the default AMS Config rules, AMS recommends applying conformance packs (see Conformance Packs in the AWS Config guide; for the default rules, see AMS artifacts). Conformance packs cover most compliance requirements, and AWS updates them regularly.
The rules listed here can be used to cover use-case-specific gaps that the conformance packs do not cover.
Note
As the AMS default rules and the conformance packs are updated over time, you may see duplicates of these rules.
AMS recommends periodically cleaning up duplicate Config rules.
For AMS Advanced, Config rules should not use automatic remediation (see Remediating noncompliant AWS resources by AWS Config rules) in order to avoid out-of-band changes.
SCP-AMS-001: Restrict EBS creation
Prevents the creation of EBS volumes if encryption is not enabled.
{
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Effect": "Deny"
}
SCP-AMS-002: Restrict EC2 launches
Prevents EC2 instances from launching if their EBS volumes are not encrypted. This includes denying EC2 launches from unencrypted AMIs, because this SCP also applies to the root volume.
{
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Effect": "Deny"
}
SCP-ADV-001: Restrict RFC submission
Restricts the default AMS roles from submitting specific automated RFCs, such as Create VPC or Delete VPC. This is helpful if you want to apply more granular permissions to federated roles.
For example, you might want the default AWSManagedServicesChangeManagementRole to be able to submit most of the available RFCs, except those that create and delete VPCs, create additional subnets, stop application accounts, or update or delete SAML identity providers:
SCP-AMS-003: Restrict EC2 or RDS creation in AMS
Prevents the creation of Amazon EC2 and RDS instances that lack a specific tag, while still allowing the AMS default AMS Backup IAM role to create them. This exception is required for disaster recovery (DR).
{
  "Sid": "DenyRunInstanceWithNoOrganizationTag",
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances",
    "rds:CreateDBInstance"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*",
    "arn:aws:ec2:*:*:volume/*",
    "arn:aws:rds:*:*:db:*"
  ],
  "Condition": {
    "Null": {
      "aws:RequestTag/organization": "true"
    },
    "StringNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::<Account_Number>:role/ams-backup-iam-role"
      ]
    }
  }
}
SCP-AMS-004: Restrict S3 uploads
Prevents uploading unencrypted S3 objects.
{
  "Sid": "DenyUnencryptedS3Uploads",
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
    },
    "Null": {
      "s3:x-amz-server-side-encryption": "false"
    }
  }
}
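Both SCP-AMS-003 and SCP-AMS-004 rely on how IAM combines a Null clause with a negated String operator, and on what happens when the condition key is absent from the request. The following added example (not AWS code, and not the AMS policy engine) is a small offline evaluator that models just the operators these two statements use, so you can test a request context against them before deploying. The account id 111122223333, the role names, and the resource ARNs in the sample requests are constructed placeholders.

```python
import fnmatch


def _glob(value, pattern):
    # IAM String(Not)Like semantics: '*' and '?' wildcards, case-sensitive match
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _op_holds(op, actual, expected):
    """Apply a single-valued operator to one context value."""
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    if op == "StringLike":
        return any(_glob(actual, p) for p in expected)
    if op == "StringNotLike":
        return not any(_glob(actual, p) for p in expected)
    if op == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator not modelled in this example: {op}")


def _clause_holds(op, key, expected, ctx):
    """One condition clause, including IAM's rules for a key absent from the request."""
    set_op, _, base = op.rpartition(":")  # "ForAnyValue:StringLike" -> ("ForAnyValue", "StringLike")
    expected = [str(e) for e in _as_list(expected)]
    actual = ctx.get(key)
    if base == "Null":
        # Null "true" requires the key to be absent; Null "false" requires it to be present
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:
        # absent key: ForAllValues and negated single-valued operators match, all others fail
        return set_op == "ForAllValues" or (set_op == "" and base.startswith("StringNot"))
    values = [str(a) for a in _as_list(actual)]
    if set_op == "ForAnyValue":
        return any(_op_holds(base, v, expected) for v in values)
    if set_op == "ForAllValues":
        return all(_op_holds(base, v, expected) for v in values)
    return _op_holds(base, values[0], expected)


def statement_denies(stmt, action, resource, ctx):
    """True when a Deny statement matches the action, the resource and every condition clause."""
    if stmt.get("Effect") != "Deny":
        return False
    if not any(_glob(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    cond = stmt.get("Condition", {})
    return all(_clause_holds(op, key, exp, ctx)
               for op, clauses in cond.items() for key, exp in clauses.items())


def matching_denies(statements, action, resource, ctx):
    """Sids of the Deny statements that block this request; an empty list means no SCP here blocks it."""
    return [s.get("Sid", "<no Sid>") for s in statements if statement_denies(s, action, resource, ctx)]


# SCP-AMS-003 as listed above; 111122223333 stands in for the <Account_Number> placeholder
SCP_AMS_003 = {
    "Sid": "DenyRunInstanceWithNoOrganizationTag",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
    "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*"],
    "Condition": {
        "Null": {"aws:RequestTag/organization": "true"},
        "StringNotLike": {"aws:PrincipalArn": ["arn:aws:iam::111122223333:role/ams-backup-iam-role"]},
    },
}

# SCP-AMS-004 as listed above
SCP_AMS_004 = {
    "Sid": "DenyUnencryptedS3Uploads",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {
        "StringNotLike": {"s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]},
        "Null": {"s3:x-amz-server-side-encryption": "false"},
    },
}

if __name__ == "__main__":
    # Constructed sample requests: a developer role and the backup role launching an instance,
    # and PutObject calls with different values of the server-side-encryption header.
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/*"
    obj = "arn:aws:s3:::example-bucket/report.csv"
    dev = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Developer"}
    backup = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/ams-backup-iam-role"}
    print(matching_denies([SCP_AMS_003], "ec2:RunInstances", inst, dev))
    print(matching_denies([SCP_AMS_003], "ec2:RunInstances", inst, backup))
    for header in ("aws:kms", "AES256", "AES128", None):
        ctx = {} if header is None else {"s3:x-amz-server-side-encryption": header}
        print(header, matching_denies([SCP_AMS_004], "s3:PutObject", obj, ctx))
```

The last PutObject case is the one to notice: a request that omits the encryption header altogether does not match the statement, because the Null "false" clause requires the key to be present. Such an upload is therefore governed by the bucket's default encryption setting rather than by this SCP, so pair the SCP with the S3 bucket-level default encryption you expect.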
SCP-AMS-005: Restrict API and console access
Prevents AWS console and API access for requests that originate from known bad IP addresses, at the discretion of the customer's InfoSec team.
SCP-AMS-006: Prevent IAM entities from removing member accounts from the organization
Prevents AWS Identity and Access Management entities from removing member accounts from the organization.
{
  "Effect": "Deny",
  "Action": ["organizations:LeaveOrganization"],
  "Resource": ["*"]
}
SCP-AMS-007: Prevent sharing resources with accounts outside the organization
Prevents sharing resources with accounts outside the AWS organization.
[
  {
    "Effect": "Deny",
    "Action": [
      "ram:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "Bool": {
        "ram:AllowsExternalPrincipals": "true"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ram:CreateResourceShare",
      "ram:UpdateResourceShare"
    ],
    "Resource": "*",
    "Condition": {
      "Bool": {
        "ram:RequestedAllowsExternalPrincipals": "true"
      }
    }
  }
]
SCP-AMS-008: Prevent sharing with organizations or organizational units (OUs)
Prevents sharing resources with accounts and/or OUs in the organization.
{
  "Effect": "Deny",
  "Action": [
    "ram:CreateResourceShare",
    "ram:AssociateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "ram:Principal": [
        "arn:aws:organizations::*:account/o-${OrganizationId}/${AccountId}",
        "arn:aws:organizations::*:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}"
      ]
    }
  }
}
SCP-AMS-009: Prevent users from accepting resource share invitations
Prevents member accounts from accepting invitations from AWS RAM to join a resource share. This API does not support any conditions, so the deny cannot be scoped to shares from external accounts only.
{
  "Effect": "Deny",
  "Action": ["ram:AcceptResourceShareInvitation"],
  "Resource": ["*"]
}
SCP-AMS-010: Prevent account Region enable and disable actions
Prevents enabling or disabling any new AWS Regions for your AWS account.
{
  "Effect": "Deny",
  "Action": [
    "account:EnableRegion",
    "account:DisableRegion"
  ],
  "Resource": "*"
}
SCP-AMS-011: Prevent billing modification actions
Prevents modifications to billing and payment configuration.
{
  "Effect": "Deny",
  "Action": [
    "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount",
    "aws-portal:ModifyPaymentMethods"
  ],
  "Resource": "*"
}
SCP-AMS-012: Prevent deletion or modification of specific CloudTrail trails
Prevents modification of specific AWS CloudTrail trails.
{
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteEventDataStore",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:UpdateEventDataStore",
    "cloudtrail:UpdateTrail",
    "cloudtrail:StopLogging"
  ],
  "Resource": [
    "arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName}"
  ]
}
SCP-AMS-013: Prevent disabling default EBS encryption
Prevents disabling default Amazon EBS encryption.
{
  "Effect": "Deny",
  "Action": [
    "ec2:DisableEbsEncryptionByDefault"
  ],
  "Resource": "*"
}
SCP-AMS-014: Prevent creation of default VPCs and subnets
Prevents the creation of default Amazon VPCs and subnets.
{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateDefaultSubnet",
    "ec2:CreateDefaultVpc"
  ],
  "Resource": "*"
}
SCP-AMS-015: Prevent disabling and modifying GuardDuty
Prevents modifying or disabling Amazon GuardDuty.
{
  "Effect": "Deny",
  "Action": [
    "guardduty:AcceptInvitation",
    "guardduty:ArchiveFindings",
    "guardduty:CreateDetector",
    "guardduty:CreateFilter",
    "guardduty:CreateIPSet",
    "guardduty:CreateMembers",
    "guardduty:CreatePublishingDestination",
    "guardduty:CreateSampleFindings",
    "guardduty:CreateThreatIntelSet",
    "guardduty:DeclineInvitations",
    "guardduty:DeleteDetector",
    "guardduty:DeleteFilter",
    "guardduty:DeleteInvitations",
    "guardduty:DeleteIPSet",
    "guardduty:DeleteMembers",
    "guardduty:DeletePublishingDestination",
    "guardduty:DeleteThreatIntelSet",
    "guardduty:DisableOrganizationAdminAccount",
    "guardduty:DisassociateFromMasterAccount",
    "guardduty:DisassociateMembers",
    "guardduty:InviteMembers",
    "guardduty:StartMonitoringMembers",
    "guardduty:StopMonitoringMembers",
    "guardduty:TagResource",
    "guardduty:UnarchiveFindings",
    "guardduty:UntagResource",
    "guardduty:UpdateDetector",
    "guardduty:UpdateFilter",
    "guardduty:UpdateFindingsFeedback",
    "guardduty:UpdateIPSet",
    "guardduty:UpdateMalwareScanSettings",
    "guardduty:UpdateMemberDetectors",
    "guardduty:UpdateOrganizationConfiguration",
    "guardduty:UpdatePublishingDestination",
    "guardduty:UpdateThreatIntelSet"
  ],
  "Resource": "*"
}
SCP-AMS-016: Prevent root user activity
Prevents the root user from performing any action.
{
  "Action": "*",
  "Resource": "*",
  "Effect": "Deny",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:root"
      ]
    }
  }
}
SCP-AMS-017: Prevent creation of access keys for the root user
Prevents the creation of access keys for the root user.
{
  "Effect": "Deny",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:root"
}
SCP-AMS-018: Prevent disabling the S3 account public access block
Prevents disabling the Amazon S3 account-level public access block. This prevents any bucket in the account from becoming public.
{
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*"
}
SCP-AMS-019: Prevent disabling AWS Config or modifying Config rules
Prevents disabling or modifying AWS Config rules.
{
  "Effect": "Deny",
  "Action": [
    "config:DeleteConfigRule",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "config:DeleteEvaluationResults",
    "config:StopConfigurationRecorder"
  ],
  "Resource": "*"
}
SCP-AMS-020: Prevent all IAM actions
Prevents all IAM actions.
{
  "Effect": "Deny",
  "Action": [
    "iam:*"
  ],
  "Resource": "*"
}
SCP-AMS-021: Prevent deletion of CloudWatch Logs groups and streams
Prevents the deletion of Amazon CloudWatch Logs groups and streams.
{
  "Effect": "Deny",
  "Action": [
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream"
  ],
  "Resource": "*"
}
SCP-AMS-022: Prevent Glacier deletion
Prevents the deletion of Amazon Glacier archives and vaults.
{
  "Effect": "Deny",
  "Action": [
    "glacier:DeleteArchive",
    "glacier:DeleteVault"
  ],
  "Resource": "*"
}
SCP-AMS-023: Prevent deletion of IAM Access Analyzer
Prevents the deletion of IAM Access Analyzer analyzers.
{
  "Action": [
    "access-analyzer:DeleteAnalyzer"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
SCP-AMS-024: Prevent modifying Security Hub
Prevents deleting AWS Security Hub.
{
  "Action": [
    "securityhub:DeleteInvitations",
    "securityhub:DisableSecurityHub",
    "securityhub:DisassociateFromMasterAccount",
    "securityhub:DeleteMembers",
    "securityhub:DisassociateMembers"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
SCP-AMS-025: Prevent deletions under Directory Service
Prevents the deletion of resources under Directory Service.
{
  "Action": [
    "ds:DeleteDirectory",
    "ds:DeleteLogSubscription",
    "ds:DeleteSnapshot",
    "ds:DeleteTrust",
    "ds:DeregisterCertificate",
    "ds:DeregisterEventTopic",
    "ds:DisableLDAPS",
    "ds:DisableRadius",
    "ds:DisableSso",
    "ds:UnshareDirectory"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
SCP-AMS-026: Prevent use of deny-listed services
Prevents the use of deny-listed services.
Note
Replace service1 and service2 with your service names, for example access-analyzer or iam.
{
  "Effect": "Deny",
  "Resource": "*",
  "Action": ["service1:*", "service2:*"]
}
SCP-AMS-027: Prevent use of deny-listed services in specific Regions
Prevents the use of deny-listed services in specific AWS Regions.
Note
Replace service1 and service2 with your service names, for example access-analyzer or iam.
Replace region1 and region2 with your Region names, for example us-west-2 or us-east-1.
{
  "Effect": "Deny",
  "Resource": "*",
  "Action": ["service1:*", "service2:*"],
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": [
        "region1",
        "region2"
      ]
    }
  }
}
SCP-AMS-028: Prevent tag modification except by authorized principals
Prevents any user other than authorized principals from modifying tags. Principals are authorized by means of an authorization tag. The authorization tag must be attached to both the resource and the principal; a user or role is considered authorized only when the tag on the resource and the tag on the principal match. For more information, see the following resources:
[
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "Null": {
        "ec2:ResourceTag/access-project": false
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "ForAnyValue:StringEquals": {
        "aws:TagKeys": [
          "access-project"
        ]
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteTags"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
      },
      "Null": {
        "aws:PrincipalTag/access-project": true
      }
    }
  }
]
SCP-AMS-029: Prevent users from deleting Amazon VPC Flow Logs
Prevents the deletion of Amazon VPC Flow Logs.
{
  "Action": [
    "ec2:DeleteFlowLogs",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutLifecycleConfiguration",
    "firehose:DeleteDeliveryStream"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
SCP-AMS-030: Prevent sharing VPC subnets with accounts other than the network account
Prevents sharing Amazon VPC subnets with accounts other than the network account.
Note
Replace NETWORK_ACCOUNT_ID with your network account ID.
{
  "Effect": "Deny",
  "Action": [
    "ram:AssociateResourceShare",
    "ram:CreateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "ram:Principal": "NETWORK_ACCOUNT_ID"
    },
    "StringEquals": {
      "ram:RequestedResourceType": "ec2:Subnet"
    }
  }
}
SCP-AMS-031: Prevent launching instances with prohibited instance types
Prevents launching prohibited Amazon EC2 instance types.
Note
Replace instance_type1 and instance_type2 with the instance types you want to restrict, for example t2.micro, or a wildcard string such as *.nano.
{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "ec2:InstanceType": [
        "instance_type1",
        "instance_type2"
      ]
    }
  }
}
SCP-AMS-032: Prevent launching instances without IMDSv2
Prevents launching Amazon EC2 instances without IMDSv2.
[
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringNotEquals": {
        "ec2:MetadataHttpTokens": "required"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "NumericGreaterThan": {
        "ec2:MetadataHttpPutResponseHopLimit": "3"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": {
        "ec2:RoleDelivery": "2.0"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceMetadataOptions",
    "Resource": "*"
  }
]
SCP-AMS-033: Prevent modification of specific IAM roles
Prevents modification of the specified IAM roles.
{
  "Action": [
    "iam:AttachRolePolicy",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription"
  ],
  "Resource": [
    "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ],
  "Effect": "Deny"
}
SCP-AMS-034: Prevent modification of the AssumeRolePolicy on specific IAM roles
Prevents modification of the AssumeRolePolicy of the specified IAM roles.
{
  "Action": [
    "iam:UpdateAssumeRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ],
  "Effect": "Deny"
}
ConfigRule: Required tags
Checks whether EC2 instances carry the custom tags you require. Beyond InfoSec, this is also useful for cost management.
ConfigRuleName: required-tags
Description: >-
  A Config rule that checks whether EC2 instances have the required tags.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
InputParameters:
  tag1Key: COST_CENTER
  tag2Key: APP_ID
Source:
  Owner: AWS
  SourceIdentifier: REQUIRED_TAGS
ConfigRule: Access keys rotated
Checks whether access keys are rotated within the specified period. Based on typical compliance requirements, this is usually set to 90 days.
ConfigRuleName: access-keys-rotated
Description: >-
  A config rule that checks whether the active access keys are rotated within
  the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if
  the access keys have not been rotated for more than maxAccessKeyAge number of
  days.
InputParameters:
  maxAccessKeyAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: ACCESS_KEYS_ROTATED
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: IAM root access key in AMS
Checks that the account has no root access keys. For AMS Advanced accounts, this is expected to be compliant out of the box.
ConfigRuleName: iam-root-access-key-check
Description: >-
  A config rule that checks whether the root user access key is available.
  The rule is COMPLIANT if the user access key does not exist.
Source:
  Owner: AWS
  SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: SSM-managed EC2
Checks whether your EC2 instances are managed by AWS Systems Manager (SSM).
ConfigRuleName: ec2-instance-managed-by-systems-manager
Description: >-
  A Config rule that checks whether the EC2 instances in the account are
  managed by AWS Systems Manager.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
    - 'AWS::SSM::ManagedInstanceInventory'
Source:
  Owner: AWS
  SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
ConfigRule: Unused IAM users in AMS
Checks for IAM user credentials that have not been used within the specified period. As with the key rotation check, this usually defaults to 90 days based on common compliance requirements.
ConfigRuleName: iam-user-unused-credentials-check
Description: >-
  A config rule that checks whether IAM users have passwords or active access
  keys that have not been used within the specified number of days provided.
InputParameters:
  maxCredentialUsageAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
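The access-keys-rotated rule above and this unused-credentials rule both evaluate per-user credential ages against a 90-day parameter. The following added example (not the managed rules' implementation, and not AMS code) approximates both checks offline over a constructed IAM credential report, which is the same data source an engineer would pull with the IAM credential report API to pre-check an account before the rules run. The report below is constructed and uses a subset of the real report's columns; the account id 111122223333 and the user names are placeholders, and the clock is pinned to 2024-07-01 so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report (subset of columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T09:00:00+00:00,true,2024-06-28T12:00:00+00:00,2024-04-01T09:00:00+00:00,true,2024-05-15T09:00:00+00:00,2024-06-29T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-01T09:00:00+00:00,true,2024-06-20T12:00:00+00:00,2024-01-05T09:00:00+00:00,true,2023-11-01T09:00:00+00:00,2024-06-25T10:00:00+00:00,false,N/A,N/A
svc-legacy,arn:aws:iam::111122223333:user/svc-legacy,2022-06-01T09:00:00+00:00,false,no_information,N/A,true,2024-06-01T09:00:00+00:00,2024-02-01T10:00:00+00:00,true,2024-06-01T09:00:00+00:00,N/A
"""

# Fixed evaluation time so the ages below are stable (constructed, not the real clock).
NOW = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)


def _parse(ts):
    """Credential report timestamps are ISO 8601; N/A, no_information and not_supported carry no date."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _days_since(ts, now):
    dt = _parse(ts)
    return None if dt is None else (now - dt).days


def access_keys_rotated(report_csv, max_access_key_age=90, now=NOW):
    """Approximates ACCESS_KEYS_ROTATED: active keys last rotated more than max_access_key_age days ago.
    Returns (user, credential, age_in_days) tuples; an empty list means COMPLIANT."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_access_key_age:
                findings.append((row["user"], f"access_key_{n}", age))
    return findings


def unused_credentials(report_csv, max_credential_usage_age=90, now=NOW):
    """Approximates IAM_USER_UNUSED_CREDENTIALS_CHECK: enabled passwords and active keys not used for
    more than max_credential_usage_age days. A credential that has never been used is measured from
    the date it was created or rotated, so a fresh key is not flagged on day one."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the rule evaluates IAM users; the root user is covered by the root-key check
        if row["password_enabled"] == "true":
            age = _days_since(row["password_last_used"], now)
            if age is None:
                age = _days_since(row["password_last_changed"], now)
            if age is not None and age > max_credential_usage_age:
                findings.append((row["user"], "password", age))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{n}_last_used_date"], now)
            if age is None:
                age = _days_since(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_credential_usage_age:
                findings.append((row["user"], f"access_key_{n}", age))
    return findings


if __name__ == "__main__":
    for user, cred, age in access_keys_rotated(SAMPLE_REPORT):
        print(f"NON_COMPLIANT (rotation): {user} {cred} last rotated {age} days ago")
    for user, cred, age in unused_credentials(SAMPLE_REPORT):
        print(f"NON_COMPLIANT (unused): {user} {cred} unused for {age} days")
```

On the sample, bob fails the rotation check (key rotated 243 days ago) while svc-legacy passes rotation but fails the unused check: its first key was rotated recently yet last used 151 days ago, which is the situation the second rule exists to catch. Rotating a key does not make it in use, so run both rules rather than relying on either alone.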
ConfigRule: S3 bucket logging
Checks whether logging is enabled on the S3 buckets in the account.
ConfigRuleName: s3-bucket-logging-enabled
Description: >-
  A Config rule that checks whether logging is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
ConfigRule: S3 bucket versioning
Checks whether versioning, and optionally MFA delete, is enabled on all S3 buckets.
ConfigRuleName: s3-bucket-versioning-enabled
Description: >-
  A Config rule that checks whether versioning is enabled for S3 buckets.
  Optionally, the rule checks if MFA delete is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
ConfigRule: S3 public access
Checks whether the public access settings (public ACLs, public policies, public buckets) are restricted at the account level.
ConfigRuleName: s3-account-level-public-access-blocks
Description: >-
  A Config rule that checks whether the required public access block settings
  are configured from account level. The rule is only NON_COMPLIANT when the
  fields set below do not match the corresponding fields in the configuration
  item.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::AccountPublicAccessBlock'
InputParameters:
  IgnorePublicAcls: 'True'
  BlockPublicPolicy: 'True'
  BlockPublicAcls: 'True'
  RestrictPublicBuckets: 'True'
Source:
  Owner: AWS
  SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
ConfigRule: Non-archived GuardDuty findings
Checks whether any non-archived GuardDuty findings are older than the specified duration. The default durations are 30 days for low-severity, 7 days for medium-severity, and 1 day for high-severity findings.
ConfigRuleName: guardduty-non-archived-findings
Description: >-
  A Config rule that checks whether the Amazon GuardDuty has findings that are
  non archived. The rule is NON_COMPLIANT if GuardDuty has non archived
  low/medium/high severity findings older than the specified number.
InputParameters:
  daysLowSev: '30'
  daysMediumSev: '7'
  daysHighSev: '1'
Source:
  Owner: AWS
  SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: CMK deletion
Checks whether any AWS Key Management Service customer master keys (CMKs) are scheduled (also called pending) for deletion. This is critical because an unnoticed CMK deletion can make the data it protects unrecoverable.
ConfigRuleName: kms-cmk-not-scheduled-for-deletion
Description: >-
  A config rule that checks whether customer master keys (CMKs) are not
  scheduled for deletion in AWS Key Management Service (AWS KMS). The rule is
  NON_COMPLIANT if CMKs are scheduled for deletion.
Source:
  Owner: AWS
  SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule: CMK rotation
Checks whether automatic rotation is enabled for every CMK in the account.
ConfigRuleName: cmk-backing-key-rotation-enabled
Description: >-
  A config rule that checks that key rotation is enabled for each customer
  master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for
  specific key object. The rule is not applicable to CMKs that have imported
  key material.
Source:
  Owner: AWS
  SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours