如何在 AWS 上做到：当有人创建了未加密的 S3 桶时触发告警（CloudWatch/EventBridge 告警）？可以手动配置，也可以通过 CloudFormation 模板完成。
1 - 创建一个 AWS Config 规则（托管规则 S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED），它检查每个 Amazon S3 桶是否启用了 S3 默认加密，或者桶策略是否明确拒绝不带服务器端加密头的 PutObject 请求。前提是该账户/区域已经启用了 AWS Config（配置记录器和交付通道），否则创建规则会失败。另请注意：自 2023 年 1 月起 S3 会对所有新桶自动应用 SSE-S3 默认加密，因此这条规则主要对存量桶和显式的桶策略有意义。下面是创建它的 CloudFormation 模板：
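AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS Config managed rule: flags S3 buckets that have neither default encryption nor a bucket policy denying unencrypted PutObject"
Resources:
  # Managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, scoped to S3 buckets only.
  # Prerequisite: AWS Config (configuration recorder + delivery channel) must already be
  # enabled in this account/region, otherwise the rule cannot be created.
  # NOTE(review): since January 2023 S3 applies SSE-S3 default encryption to every new
  # bucket, so NON_COMPLIANT findings from this rule are expected mainly for pre-existing
  # buckets; it still documents the control and feeds the EventBridge -> SNS alert.
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
# Empty sections kept from the generated original; they are accepted by CloudFormation.
Parameters: {}
Metadata: {}
Conditions: {}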
2 - 创建一条 EventBridge 规则，用自定义事件模式匹配 AWS Config 的合规性变化事件：source 为 "aws.config"，detail-type 为 "Config Rules Compliance Change"，detail.configRuleName 为上面的规则名，且 detail.newEvaluationResult.complianceType 为 "NON_COMPLIANT"。然后把该规则的目标设为一个 SNS 主题（主题的访问策略需允许 events.amazonaws.com 执行 sns:Publish），由 SNS 把通知发到邮件、ChatOps 或工单系统。
最后，如果要强制 S3 加密而不仅仅是告警，可以创建一条 SCP（服务控制策略），拒绝所有未显式请求 AES256 服务器端加密的 s3:PutObject。注意几点：SCP 必须附加到组织根或 OU（organizations:AttachPolicy）才会生效，下面的模板只创建策略而不附加；SCP 对组织的管理账户本身不起作用；条件是针对请求头评估的，因此依赖桶默认加密而不带 x-amz-server-side-encryption 头的客户端，以及使用 SSE-KMS（aws:kms）的上传，都会被拒绝：
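AWSTemplateFormatVersion: "2010-09-09"
Description: "Service control policy denying s3:PutObject requests that do not ask for AES256 server-side encryption, managed by a Lambda-backed custom resource"
Resources:
  # The SCP, driven by a custom resource that calls Organizations CreatePolicy /
  # UpdatePolicy / DeletePolicy. This template only CREATES the policy: nothing here
  # attaches it to a root or OU (no organizations:AttachPolicy), so it enforces nothing
  # until it is attached. SCPs also never restrict the management account itself.
  # NOTE(review): CloudFormation now has a native AWS::Organizations::Policy resource
  # that could replace this custom resource entirely.
  ScpPolicy:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_s3_encryption"
      PolicyDescription: "This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account. "
      # Passed to Organizations verbatim as a JSON string (block scalar avoids the
      # unescaped quotes of the original). Caveats:
      #  - the condition is evaluated on the request header, not on the bucket's default
      #    encryption, so clients that omit x-amz-server-side-encryption are denied even
      #    though S3 would encrypt the object anyway;
      #  - only SSE-S3 ("AES256") passes; SSE-KMS uploads ("aws:kms") are denied too.
      # The second statement uses the "Null" operator: the original used "Bool" on a
      # string condition key, which never matches. StringNotEquals already fails a missing
      # key, so the Null statement is belt-and-braces, as in the AWS sample SCP.
      PolicyContents: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyPutObjectNotAES256",
              "Effect": "Deny",
              "Action": ["s3:PutObject"],
              "Resource": "*",
              "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
              }
            },
            {
              "Sid": "DenyPutObjectWithoutEncryptionHeader",
              "Effect": "Deny",
              "Action": ["s3:PutObject"],
              "Resource": "*",
              "Condition": {
                "Null": {"s3:x-amz-server-side-encryption": "true"}
              }
            }
          ]
        }
      ServiceToken: !GetAtt ScpResourceLambda.Arn

  # Execution role for the custom-resource Lambda. ListPolicies and CreatePolicy need
  # Resource "*"; UpdatePolicy/DeletePolicy could be narrowed to the SCP ARN pattern
  # (check the Organizations service authorization reference before tightening).
  ScpResourceLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "scp-access"
          PolicyDocument:
            # Explicit Version: without it the policy language defaults to 2008-10-17.
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "organizations:ListPolicies"
                  - "organizations:CreatePolicy"
                  - "organizations:UpdatePolicy"
                  - "organizations:DeletePolicy"
                Resource: "*"

  # Custom-resource handler. Must run in the organization's management account (or a
  # delegated administrator) because SCP APIs are only available there.
  # Fixes over the original inline code: nodejs12.x is end-of-life and can no longer be
  # deployed, and aws-sdk v2 is not bundled in current runtimes, so this uses nodejs20.x
  # with SDK v3; ListPolicies is paginated and every page is scanned; an unsupported
  # RequestType now sends FAILED to CloudFormation instead of leaving the stack waiting
  # for the custom-resource timeout; "policy not found" no longer triggers two responses.
  ScpResourceLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        ZipFile: |
          'use strict';
          const response = require('cfn-response');
          const {
            OrganizationsClient,
            CreatePolicyCommand,
            UpdatePolicyCommand,
            DeletePolicyCommand,
            paginateListPolicies,
          } = require('@aws-sdk/client-organizations');

          // Organizations is a global service; in the standard partition its endpoint is us-east-1.
          const organizations = new OrganizationsClient({ region: 'us-east-1' });
          // Stable physical ID so CloudFormation never treats an Update as a replacement.
          const PHYSICAL_ID = 'CustomResourcePhysicalID';

          // Resolve an SCP id by name, scanning every page of ListPolicies.
          const findPolicyId = async (policyName) => {
            const pages = paginateListPolicies({ client: organizations }, { Filter: 'SERVICE_CONTROL_POLICY' });
            for await (const page of pages) {
              const hit = (page.Policies || []).find((p) => p.Name === policyName);
              if (hit) return hit.Id;
            }
            return null;
          };

          // Perform the Create/Update/Delete the custom resource asks for; throws on failure.
          const applyRequest = async (event) => {
            const props = event.ResourceProperties;
            switch (event.RequestType) {
              case 'Create':
                await organizations.send(new CreatePolicyCommand({
                  Content: props.PolicyContents,
                  Description: props.PolicyDescription,
                  Name: props.PolicyName,
                  Type: 'SERVICE_CONTROL_POLICY',
                }));
                return;
              case 'Update': {
                const policyId = await findPolicyId(props.PolicyName);
                if (!policyId) throw new Error(`policy not found: ${props.PolicyName}`);
                await organizations.send(new UpdatePolicyCommand({ PolicyId: policyId, Content: props.PolicyContents }));
                return;
              }
              case 'Delete': {
                const policyId = await findPolicyId(props.PolicyName);
                // Already gone counts as deleted, so a rollback after a failed Create can finish.
                if (policyId) await organizations.send(new DeletePolicyCommand({ PolicyId: policyId }));
                return;
              }
              default:
                throw new Error(`unsupported RequestType: ${event.RequestType}`);
            }
          };

          // Callback-style handler on purpose: cfn-response calls context.done() only after
          // its PUT to the pre-signed URL completes, and CloudFormation waits for that PUT.
          exports.handler = (event, context) => {
            console.log('Invoke:', JSON.stringify(event));
            applyRequest(event)
              .then(() => response.send(event, context, response.SUCCESS, {}, PHYSICAL_ID))
              .catch((err) => {
                console.log('Error: ', err);
                response.send(event, context, response.FAILED, {}, PHYSICAL_ID);
              });
          };
      Handler: "index.handler"
      MemorySize: 128
      Role: !GetAtt ScpResourceLambdaRole.Arn
      Runtime: "nodejs20.x"
      Timeout: 120
# Empty sections kept from the generated original; they are accepted by CloudFormation.
Parameters: {}
Metadata: {}
Conditions: {}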