Amazon Inspector policy syntax and examples
Amazon Inspector policies follow a standardized JSON syntax that defines how Amazon Inspector is enabled and configured across your organization. An Amazon Inspector policy is a JSON document built on the AWS Organizations management-policy syntax. It defines which organizational entities get Amazon Inspector enabled automatically, and in which AWS Regions.
Basic policy structure
An Amazon Inspector policy uses this basic structure:
{
  "inspector": {
    "enablement": {
      "ec2_scanning": {
        "enable_in_regions": {
          "@@assign": ["us-east-1", "us-west-2"]
        },
        "disable_in_regions": {
          "@@assign": ["eu-west-1"]
        }
      }
    }
  }
}
Policy components
An Amazon Inspector policy consists of the following key components:
inspector – The top-level key of the Amazon Inspector policy document. Every Amazon Inspector policy must have it.
enablement – Defines how Amazon Inspector is enabled across the organization. It holds one configuration block per scan type: ec2_scanning, ecr_scanning, lambda_standard_scanning, lambda_code_scanning, and code_repository_scanning.
enable_in_regions / disable_in_regions (Array of Strings) – Inside each scan-type block, the AWS Regions in which that scan type should be enabled or disabled automatically. The Region codes are supplied through the @@assign inheritance operator of AWS Organizations management policies, so a value set at a lower level (for example an OU) replaces the value inherited from above. A Region should not appear in both arrays of the same scan type.
Amazon Inspector policy examples
The following examples demonstrate common Amazon Inspector policy configurations.
Example 1 – Enable Amazon Inspector across the organization
The following example enables every Amazon Inspector scan type in us-east-1 and us-west-2, and disables it in eu-west-1, for all accounts in the organization root.
Create the file inspector-policy-enable.json:
{
  "inspector": {
    "enablement": {
      "lambda_standard_scanning": {
        "enable_in_regions": { "@@assign": ["us-east-1", "us-west-2"] },
        "disable_in_regions": { "@@assign": ["eu-west-1"] }
      },
      "lambda_code_scanning": {
        "enable_in_regions": { "@@assign": ["us-east-1", "us-west-2"] },
        "disable_in_regions": { "@@assign": ["eu-west-1"] }
      },
      "ec2_scanning": {
        "enable_in_regions": { "@@assign": ["us-east-1", "us-west-2"] },
        "disable_in_regions": { "@@assign": ["eu-west-1"] }
      },
      "ecr_scanning": {
        "enable_in_regions": { "@@assign": ["us-east-1", "us-west-2"] },
        "disable_in_regions": { "@@assign": ["eu-west-1"] }
      },
      "code_repository_scanning": {
        "enable_in_regions": { "@@assign": ["us-east-1", "us-west-2"] },
        "disable_in_regions": { "@@assign": ["eu-west-1"] }
      }
    }
  }
}
When the policy is attached to the root, every account in the organization has Amazon Inspector enabled automatically, and the Amazon Inspector delegated administrator can see their scan findings.
Create and attach the policy:
POLICY_ID=$(aws organizations create-policy \
  --content file://inspector-policy-enable.json \
  --name InspectorOrgPolicy \
  --type INSPECTOR_POLICY \
  --description "Inspector organization policy to enable all resources in IAD and PDX." \
  --query 'Policy.PolicySummary.Id' \
  --output text)
aws organizations attach-policy --policy-id $POLICY_ID --target-id <root-id>
Any new account that joins the organization inherits the enablement automatically.
If the policy is detached, accounts that are already enabled stay enabled, but accounts that join later are no longer enabled automatically:
aws organizations detach-policy --policy-id $POLICY_ID --target-id <root-id>
Example 2 – Enable Amazon Inspector for a specific OU
Create the file inspector-policy-eu-west-1.json:
{
  "inspector": {
    "enablement": {
      "lambda_standard_scanning": {
        "enable_in_regions": { "@@assign": ["eu-west-1"] },
        "disable_in_regions": { "@@assign": ["eu-west-2"] }
      },
      "lambda_code_scanning": {
        "enable_in_regions": { "@@assign": ["eu-west-1"] },
        "disable_in_regions": { "@@assign": ["eu-west-2"] }
      },
      "ec2_scanning": {
        "enable_in_regions": { "@@assign": ["eu-west-1"] },
        "disable_in_regions": { "@@assign": ["eu-west-2"] }
      },
      "ecr_scanning": {
        "enable_in_regions": { "@@assign": ["eu-west-1"] },
        "disable_in_regions": { "@@assign": ["eu-west-2"] }
      },
      "code_repository_scanning": {
        "enable_in_regions": { "@@assign": ["eu-west-1"] },
        "disable_in_regions": { "@@assign": ["eu-west-2"] }
      }
    }
  }
}
Attach this policy to the OU to ensure that all production accounts in it get Amazon Inspector enabled in eu-west-1 and are associated with the Amazon Inspector delegated administrator:
aws organizations update-policy --policy-id $POLICY_ID \
  --content file://inspector-policy-eu-west-1.json \
  --description "Inspector organization policy - Enable all (eu-west-1)"
aws organizations attach-policy --policy-id $POLICY_ID --target-id ou-aaaa-12345678
Accounts outside the OU are not affected. Note that update-policy rewrites the single policy object that $POLICY_ID refers to, everywhere it is attached: if $POLICY_ID is still the policy attached to the root in Example 1, the root-level enablement changes as well. To keep the two scopes independent, create a separate policy with create-policy and attach that one to the OU.
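As an added example (not part of the AWS documentation and not AWS CLI code), the following Python script lints a policy against the structure described under Policy components and then works out, for an account that inherits both a root policy like Example 1 and an OU policy like Example 2, which Regions each scan type ends up enabled in. It assumes the five scan-type blocks are siblings under enablement and applies the AWS Organizations rule that an @@assign at a lower level replaces the inherited value; the policies it checks are constructed inline and modelled on the two examples, with the OU policy deliberately configuring only EC2 scanning so that per-key inheritance is visible.

```python
"""Lint Amazon Inspector organization policies and work out the effective
per-Region enablement for an account under a root policy plus an OU policy.

Added example, not AWS documentation or AWS CLI code. Assumptions:
  * the five scan-type blocks are siblings under "enablement";
  * "@@assign" in a child policy replaces the inherited value (the AWS
    Organizations management-policy inheritance rule);
  * the sample policies below are constructed, modelled on the page's examples.
"""
import json

TOP_KEY = "inspector"
SCAN_TYPES = {
    "ec2_scanning",
    "ecr_scanning",
    "lambda_standard_scanning",
    "lambda_code_scanning",
    "code_repository_scanning",
}
REGION_KEYS = {"enable_in_regions", "disable_in_regions"}


def _assigned(block, key):
    """Region list under block[key]["@@assign"], or [] when the key is absent."""
    return list(block.get(key, {}).get("@@assign", []))


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well-formed."""
    if TOP_KEY not in policy:
        return [f'missing top-level "{TOP_KEY}" key']
    enablement = policy[TOP_KEY].get("enablement")
    if not isinstance(enablement, dict):
        return [f'"{TOP_KEY}" must contain an "enablement" object']
    problems = []
    for scan_type, block in enablement.items():
        if scan_type not in SCAN_TYPES:
            problems.append(f"unknown scan type {scan_type!r} under enablement")
            continue
        for key in block:
            if key in SCAN_TYPES:  # a scan-type block pasted inside another one
                problems.append(f"{key!r} is nested inside {scan_type!r}; "
                                "scan types must be siblings under enablement")
            elif key not in REGION_KEYS:
                problems.append(f"unexpected key {key!r} under {scan_type!r}")
        clash = set(_assigned(block, "enable_in_regions")) & set(
            _assigned(block, "disable_in_regions"))
        if clash:
            problems.append(f"{scan_type!r} lists {sorted(clash)} in both "
                            "enable_in_regions and disable_in_regions")
    return problems


def effective_regions(policy):
    """Map each configured scan type to the Regions it ends up enabled in
    (enable_in_regions minus disable_in_regions)."""
    return {
        scan_type: set(_assigned(block, "enable_in_regions"))
        - set(_assigned(block, "disable_in_regions"))
        for scan_type, block in policy[TOP_KEY]["enablement"].items()
    }


def merge_assign(parent, child):
    """Combine an inherited policy with a child policy under the @@assign rule:
    where the child assigns a value it replaces the parent's; keys the child
    does not mention are inherited unchanged."""
    if not (isinstance(parent, dict) and isinstance(child, dict)):
        return child
    if "@@assign" in child:
        return {"@@assign": list(child["@@assign"])}
    merged = dict(parent)
    for key, value in child.items():
        merged[key] = merge_assign(parent.get(key, {}), value)
    return merged


def _policy(scan_types, enable, disable):
    """Build a constructed policy with the same Region lists for each scan type."""
    return {TOP_KEY: {"enablement": {
        st: {"enable_in_regions": {"@@assign": list(enable)},
             "disable_in_regions": {"@@assign": list(disable)}}
        for st in scan_types}}}


# Constructed: a root policy shaped like Example 1, and an OU policy shaped
# like Example 2 but configuring only EC2 scanning.
ROOT_POLICY = _policy(sorted(SCAN_TYPES), ["us-east-1", "us-west-2"], ["eu-west-1"])
OU_POLICY = _policy(["ec2_scanning"], ["eu-west-1"], ["eu-west-2"])

# Constructed broken policy: one Region both enabled and disabled, and a
# scan-type block pasted inside another.
BROKEN_POLICY = {TOP_KEY: {"enablement": {"lambda_standard_scanning": {
    "enable_in_regions": {"@@assign": ["us-east-1"]},
    "disable_in_regions": {"@@assign": ["us-east-1"]},
    "lambda_code_scanning": {"enable_in_regions": {"@@assign": ["us-east-1"]}},
}}}}


def effective_for_ou_account():
    """Effective Regions for an account in the OU: ec2_scanning takes the OU's
    @@assign values, the other scan types are inherited from the root policy."""
    return effective_regions(merge_assign(ROOT_POLICY, OU_POLICY))


if __name__ == "__main__":
    for name, pol in (("root", ROOT_POLICY), ("ou", OU_POLICY), ("broken", BROKEN_POLICY)):
        print(f"{name}: {validate_policy(pol) or 'ok'}")
    print(json.dumps({k: sorted(v) for k, v in effective_for_ou_account().items()},
                     indent=2, sort_keys=True))
```

Run validate_policy on a file loaded with json.load before calling create-policy or update-policy; the effective-Region view is the check to make when a lower-level @@assign is expected to narrow, rather than extend, what the root policy enabled.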