Compliance as Code Using AWS Config

If you’re looking for someone to help you with auditing and compliance of your AWS resources, someone to help you record configurations and changes over time, someone to let you know every time a resource is non-compliant with your security rules, you would think you need several different people for the job, but you don’t. You just need AWS Config.

AWS Config WHO?

AWS Config is a tool used for auditing and compliance of your AWS resources. It helps with defining security requirements for your Infrastructure Posture and with developing Config Rules.

When we talk about AWS Config, we talk about Continuous Compliance. Continuous compliance is the capability of a Security Operations Team to transform compliance into code, deliver security controls consistently across AWS accounts at scale, and make auditing resources part of the day-to-day activities.

Assessing, auditing and evaluating AWS resources with Config can be done in all regions. This tool allows you to automate the evaluation of recorded configurations against desired configurations.

With Config you can:

1. review changes in configurations
2. review relationships between AWS resources
3. dive into detailed resource configuration histories
4. determine your overall compliance against the configuration specified in your internal guidelines

AWS Config Concepts

AWS Config has a service called Configuration Recorder. This service detects changes in your resource configurations and captures these changes as configuration items.

If you set up AWS Config using the console or the AWS CLI, AWS Config automatically creates and then starts the Configuration Recorder for you. By default the Configuration Recorder records all supported resources in the region where AWS Config is running.

You can also create a customized Configuration Recorder that only records the types that you specify.

AWS Config also creates Configuration Items whenever it detects a change to a resource type that it is recording. So, by definition, a Configuration Item represents a point-in-time view of the various attributes of a supported AWS resource. For example, if AWS Config is recording S3 buckets, Config creates a configuration item whenever a bucket is created, updated or deleted.

As AWS Config records the changes that occurred to an AWS resource, it sends notifications and updated configuration states through the AWS Config delivery channel to the Amazon S3 bucket that you specified when you configured your Delivery Channel.

Now, what AWS Config delivers to the S3 bucket is known as a Configuration Snapshot. A Configuration Snapshot is a collection of Configuration Items for the supported resources that exist in your account. These Configuration Snapshots are the full picture of the resources that are being recorded and their configurations.

AWS Config Rules

Config rules give you the ability to define your compliance requirements in AWS as code. With these rules, you can ensure that your resources comply with your organization’s security guidelines and best practices.

There are two types of rules in Config that can be applied to your resources:

1. Managed Rules - predefined rules in Config that you can use and apply on your resources
2. Custom Rules - rules that you define that represent your ideal configuration settings for a resource based on your specific requirements

Configuration Item Dissected

There are 5 important elements of a configuration item:

1. Metadata — which is information about the configuration item such as the time when the resource was captured and its status
2. Attributes — such as resource IDs and tags
3. Relationships — which can describe how the resource is related to other resources
4. Related events
5. The current configuration — which is a description of the current configuration of the resource and is returned with a call such as describe-resourceID

Something to keep in mind is that the configuration item is JSON, so if you’re interested in a specific part of the configuration you can extract just that part.
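As an added example (not code from the original article), the following Python splits a configuration item into the five elements listed above and pulls one nested setting out of the JSON by a dotted path. The configuration item itself is constructed for illustration (made-up account ID, bucket name and timestamps); its field names follow the configuration item schema AWS Config delivers, and the `extract_path` helper is an assumption of this example, not an AWS API.

```python
"""Dissect an AWS Config configuration item into its five elements."""
import json
from typing import Any, Optional

# Constructed sample: a configuration item for an S3 bucket, shaped like the
# JSON Config delivers in a snapshot or a change-triggered invoking event.
SAMPLE_CONFIGURATION_ITEM = json.dumps({
    "version": "1.3",
    "accountId": "123456789012",
    "configurationItemCaptureTime": "2020-08-01T12:34:56.000Z",
    "configurationItemStatus": "ResourceDiscovered",
    "configurationStateId": "1596285296000",
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-bucket",
    "resourceName": "example-bucket",
    "awsRegion": "us-east-1",
    "tags": {"Owner": "security-team", "Environment": "dev"},
    "relationships": [
        {"resourceType": "AWS::S3::AccountPublicAccessBlock",
         "resourceId": "123456789012",
         "relationshipName": "Is associated with "}
    ],
    "relatedEvents": [],
    "configuration": {
        "name": "example-bucket",
        "creationDate": "2020-07-30T08:00:00.000Z",
        "owner": {"displayName": "example-owner", "id": "0" * 64}
    },
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": False, "restrictPublicBuckets": False
        },
        "ServerSideEncryptionConfiguration": None
    }
})


def dissect_configuration_item(ci_json: str) -> dict:
    """Split a configuration item into the five elements named in the article."""
    ci = json.loads(ci_json)
    return {
        "metadata": {
            "captureTime": ci["configurationItemCaptureTime"],
            "status": ci["configurationItemStatus"],
            "stateId": ci["configurationStateId"],
            "accountId": ci["accountId"],
            "region": ci["awsRegion"],
        },
        "attributes": {
            "resourceType": ci["resourceType"],
            "resourceId": ci["resourceId"],
            "resourceName": ci.get("resourceName"),
            "tags": ci.get("tags", {}),
        },
        "relationships": ci.get("relationships", []),
        "relatedEvents": ci.get("relatedEvents", []),
        # 'configuration' is what a describe-* call would return;
        # 'supplementaryConfiguration' carries settings Config adds on top.
        "configuration": {
            "current": ci.get("configuration", {}),
            "supplementary": ci.get("supplementaryConfiguration", {}),
        },
    }


def extract_path(ci_json: str, dotted_path: str) -> Optional[Any]:
    """Pull one nested value out of the raw JSON by a dotted path, returning
    None when any segment is missing (so a rule can test for an absent setting)."""
    node: Any = json.loads(ci_json)
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


if __name__ == "__main__":
    parts = dissect_configuration_item(SAMPLE_CONFIGURATION_ITEM)
    print(json.dumps(parts["metadata"], indent=2))
    print("blockPublicPolicy =", extract_path(
        SAMPLE_CONFIGURATION_ITEM,
        "supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy"))
```

Returning `None` for a missing path (rather than raising) matters in rule code: a setting that was never configured, such as the encryption block above, is usually exactly the non-compliant case you want to catch.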

Custom Rules

Each Custom Rule is associated with a Lambda function. AWS Lambda lets you run code without provisioning or managing servers. The code you run on AWS Lambda is called a lambda function. For this case, our Config Rule Lambda function will contain the logic that evaluates whether your AWS resources comply with the rule.

Each rule, when triggered, calls a Lambda function. There can only be one Lambda function per Custom Rule. When the trigger for a Rule occurs, Config invokes the rule’s function by publishing an event. This invoking event contains information such as the configuration item and any rule parameters.

Then, AWS Lambda executes the function by passing the event to the function’s handler. The lambda function contains logic to verify that a configuration complies with the expectation.

In this logic you can also read any additional metadata of the configuration item that you need, for example through a describe call. Then, once the Lambda processes this logic and derives the compliance result, it returns this result back to the AWS Config servers via the PutEvaluations API call. The result is then displayed in the AWS Config Console and states whether the evaluated resource is compliant or non-compliant.

Config Rule Triggers

The trigger for a custom Config Rule can be of two kinds:

1. Configuration Change - AWS Config runs an evaluation for the rule when certain types of resources are created, changed or deleted
2. Periodic Trigger - AWS Config runs evaluations for the rule at a frequency that you choose, for example every 24 hours

You can also choose for a rule to trigger both on change and periodically. If you choose both, Config invokes the Lambda function when it detects a configuration change and also at the frequency that you specify.

So, when a trigger for a rule occurs, AWS Config Rules invokes the AWS Lambda Function by publishing an event. The invoking event is a file which contains information such as Configuration Item information and any rule parameters.

The main difference between the Configuration Change trigger and the Periodic trigger is that in the Change Trigger Invoking Event the Configuration Item information is present, which is not the case for the Periodic Trigger Invoking Event.
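The handler below is an added example (not the article's code) that ties the Custom Rules and Config Rule Triggers sections together: one Lambda function that evaluates S3 buckets for a required tag, reads the configuration item straight from a change-triggered invoking event, and, for a periodic invoking event that carries no item, enumerates the buckets through Config's own inventory before reporting verdicts with the PutEvaluations API (`put_evaluations` in boto3). Assumptions: the optional `requiredTag` rule parameter, the bucket names, tokens and timestamps are all constructed, and `FakeConfigClient` is a made-up stand-in for the boto3 ConfigService client so the example runs offline; in Lambda the real client is created when none is injected.

```python
# Added example: a custom Config rule Lambda that serves both trigger kinds.
import json
APPLICABLE_TYPES = ("AWS::S3::Bucket",)

def evaluate_compliance(ci, rule_parameters):
    """Rule logic: (ComplianceType, annotation) for one configuration item."""
    required_tag = rule_parameters.get("requiredTag", "Owner")
    if ci["resourceType"] not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    if required_tag in (ci.get("tags") or {}):
        return "COMPLIANT", f"tag '{required_tag}' present"
    return "NON_COMPLIANT", f"missing required tag '{required_tag}'"

def make_evaluation(ci, compliance_type, annotation):
    """One entry of the Evaluations list handed to PutEvaluations."""
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance_type, "Annotation": annotation,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

def latest_item(client, resource_type, resource_id):
    """Newest configuration item from Config's history; needed when the event
    carries no item (periodic triggers, oversized change notifications)."""
    history = client.get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id, limit=1)
    return history["configurationItems"][0]

def lambda_handler(event, context, client=None):
    if client is None:
        import boto3  # only resolved inside the real Lambda environment
        client = boto3.client("config")
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    message_type = invoking_event["messageType"]
    if message_type == "ConfigurationItemChangeNotification":
        items = [invoking_event["configurationItem"]]  # item rides in the event
    elif message_type == "OversizedConfigurationItemChangeNotification":
        s = invoking_event["configurationItemSummary"]
        items = [latest_item(client, s["resourceType"], s["resourceId"])]
    elif message_type == "ScheduledNotification":
        items = []  # periodic trigger: no item, so enumerate resources ourselves
        for rtype in APPLICABLE_TYPES:
            page = client.list_discovered_resources(resourceType=rtype)
            for ident in page["resourceIdentifiers"]:
                items.append(latest_item(client, rtype, ident["resourceId"]))
    else:
        raise ValueError(f"unexpected messageType {message_type!r}")
    evaluations = [make_evaluation(ci, *evaluate_compliance(ci, rule_parameters))
                   for ci in items]
    # Report back to Config; ResultToken ties the verdicts to this invocation.
    client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations

class FakeConfigClient:
    """Constructed in-memory stand-in for boto3's ConfigService client."""
    def __init__(self, items):
        self.items = {(ci["resourceType"], ci["resourceId"]): ci for ci in items}
        self.sent = []

    def list_discovered_resources(self, resourceType):
        ids = [{"resourceType": t, "resourceId": i} for (t, i) in self.items if t == resourceType]
        return {"resourceIdentifiers": ids}

    def get_resource_config_history(self, resourceType, resourceId, limit=1):
        return {"configurationItems": [self.items[(resourceType, resourceId)]]}

    def put_evaluations(self, Evaluations, ResultToken):
        self.sent.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}

def sample_bucket(name, tags):
    """Constructed minimal configuration item for an S3 bucket."""
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name,
            "configurationItemStatus": "OK", "tags": tags,
            "configurationItemCaptureTime": "2020-08-01T12:00:00.000Z"}

SAMPLE_BUCKETS = [sample_bucket("tagged-bucket", {"Owner": "security-team"}),
                  sample_bucket("untagged-bucket", {})]

def change_event(ci):
    """Constructed change-triggered invoking event (carries the item)."""
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": ci}),
            "ruleParameters": json.dumps({"requiredTag": "Owner"}),
            "resultToken": "constructed-token"}

def periodic_event():
    """Constructed periodic invoking event (no configuration item inside)."""
    return {"invokingEvent": json.dumps({"messageType": "ScheduledNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}

if __name__ == "__main__":
    fake = FakeConfigClient(SAMPLE_BUCKETS)
    for event in (change_event(SAMPLE_BUCKETS[1]), periodic_event()):
        for ev in lambda_handler(event, None, client=fake):
            print(ev["ComplianceResourceId"], ev["ComplianceType"], ev["Annotation"])
```

Two points worth keeping from this shape: the periodic branch must do its own discovery because the event carries no item, and deleted resources are reported as NOT_APPLICABLE so stale NON_COMPLIANT verdicts do not linger in the console. In a real account `list_discovered_resources` is paginated, so the loop would follow `nextToken`; the fake client returns a single page.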

Okay, enough

These are quite a few concepts to grasp, so in summary: we have this Robot that watches all our Configurations, tells every Resource how it should look, and SCREAMS when a Resource doesn’t look the way the Robot said it should.

I know this was a lot, but if it did catch your attention, feel free to check out the official documentation.

Translated from: https://medium.com/@eva.georgieva/compliance-as-code-using-aws-config-28f693fa79fa
