How to create a CloudWatch alarm when an S3 bucket is created without encryption, manually or via a CloudFormation template.
Posted on 2021-09-23 10:10:03
1 - A Config rule that checks whether your Amazon S3 bucket either has Amazon S3 default encryption enabled, or whether the S3 bucket policy explicitly denies put-object requests without server-side encryption. Below is a CloudFormation template that creates it:
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Requires an AWS Config configuration recorder that records AWS::S3::Bucket;
  # without a recorder the rule never evaluates anything.
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"

2 - Use an EventBridge rule with a custom event pattern that matches AWS Config rule evaluations whose result is NON_COMPLIANT. Then route the response to an SNS topic.
Finally, to enforce S3 encryption, you can create an SCP policy that requires all Amazon S3 buckets to use AES256 encryption:
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ScpPolicy:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_s3_encryption"
      PolicyDescription: "This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account. "
      # PolicyContents must be a string; a block scalar keeps the JSON readable.
      # Statement 1 denies PutObject whose encryption header is anything but AES256.
      # Statement 2 denies PutObject that omits the header entirely: the Null operator
      # is how IAM tests for an absent condition key (Bool:false does not match a
      # missing key, so it would never deny).
      PolicyContents: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": ["s3:PutObject"],
              "Resource": "*",
              "Effect": "Deny",
              "Condition": {
                "StringNotEquals": {
                  "s3:x-amz-server-side-encryption": "AES256"
                }
              }
            },
            {
              "Action": ["s3:PutObject"],
              "Resource": "*",
              "Effect": "Deny",
              "Condition": {
                "Null": {
                  "s3:x-amz-server-side-encryption": "true"
                }
              }
            }
          ]
        }
      ServiceToken:
        Fn::GetAtt:
          - "ScpResourceLambda"
          - "Arn"
  # The custom-resource Lambda must run in the Organizations management account.
  # It is only granted create/update/delete/list on policies; attaching the SCP to
  # a root or OU (organizations:AttachPolicy) is left to be done separately.
  ScpResourceLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "scp-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "organizations:UpdatePolicy"
                  - "organizations:DeletePolicy"
                  - "organizations:CreatePolicy"
                  - "organizations:ListPolicies"
                Resource: "*"
  ScpResourceLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        # Inline Node.js; 'aws-sdk' (v2) and 'cfn-response' are provided by the
        # runtime for ZipFile-packaged functions.
        ZipFile: |
          'use strict';
          const AWS = require('aws-sdk');
          const response = require('cfn-response');
          // Organizations is a global service served from us-east-1.
          const organizations = new AWS.Organizations({region: 'us-east-1'});

          exports.handler = (event, context, cb) => {
            console.log('Invoke:', JSON.stringify(event));
            // Report the outcome back to CloudFormation; a missing response
            // leaves the stack waiting until the custom resource times out.
            const done = (err, data) => {
              if (err) {
                console.log('Error: ', err);
                response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');
              } else {
                response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');
              }
            };

            // Find the SCP by name, then update or delete it.
            // Only the first page of ListPolicies results is inspected.
            const updatePolicies = (policyName, policyAction) => {
              organizations.listPolicies({
                Filter: 'SERVICE_CONTROL_POLICY'
              }, function (err, data) {
                if (err) return done(err);
                const policy = data.Policies.filter((p) => (p.Name === policyName));
                if (policy.length === 0) return done('policy not found');
                const policyId = policy[0].Id;
                if (policyAction === 'Update') {
                  organizations.updatePolicy({
                    Content: event.ResourceProperties.PolicyContents,
                    PolicyId: policyId
                  }, done);
                } else {
                  // DeletePolicy fails with PolicyInUseException while the SCP is
                  // still attached to a root, OU or account; detach it first.
                  organizations.deletePolicy({
                    PolicyId: policyId
                  }, done);
                }
              });
            };

            if (event.RequestType === 'Update' || event.RequestType === 'Delete') {
              updatePolicies(event.ResourceProperties.PolicyName, event.RequestType);
            } else if (event.RequestType === 'Create') {
              // Creates the SCP only; it has no effect until attached to a target.
              organizations.createPolicy({
                Content: event.ResourceProperties.PolicyContents,
                Description: event.ResourceProperties.PolicyDescription,
                Name: event.ResourceProperties.PolicyName,
                Type: 'SERVICE_CONTROL_POLICY'
              }, done);
            } else {
              cb(new Error('unsupported RequestType: ' + event.RequestType));
            }
          };
      Handler: "index.handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "ScpResourceLambdaRole"
          - "Arn"
      # nodejs12.x is deprecated; newer Node.js runtimes ship only AWS SDK v3,
      # so the require('aws-sdk') calls above would need porting before moving.
      Runtime: "nodejs12.x"
      Timeout: 120
https://stackoverflow.com/questions/69297530
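Step 2 of the answer (an EventBridge rule that matches NON_COMPLIANT evaluations of the Config rule and forwards them to an SNS topic) is described but not given as a template. The following is an added example, not code from the answer or from AWS; it assumes the Config rule from step 1 is already deployed under the name `s3-bucket-server-side-encryption-enabled` with a configuration recorder running, and the topic, rule and parameter names are hypothetical. It also includes the SNS topic policy that EventBridge needs in order to publish, which is the piece most often forgotten.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Notify an SNS topic when the S3 encryption Config rule reports a bucket NON_COMPLIANT"
Parameters:
  ConfigRuleName:
    Type: String
    Default: "s3-bucket-server-side-encryption-enabled"
    Description: "Name of the already-deployed Config rule to watch (from step 1)"
  NotificationEmail:
    Type: String
    Description: "Address subscribed to the alert topic (hypothetical example value)"
Resources:
  UnencryptedBucketTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: "unencrypted-s3-bucket-alerts"
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail
  # EventBridge can only publish to the topic if the topic's resource policy
  # allows events.amazonaws.com; without it the rule silently fails to deliver.
  # aws:SourceArn pins the grant to this one rule (confused-deputy protection).
  UnencryptedBucketTopicPolicy:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      Topics:
        - !Ref UnencryptedBucketTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: "sns:Publish"
            Resource: !Ref UnencryptedBucketTopic
            Condition:
              ArnEquals:
                "aws:SourceArn": !GetAtt UnencryptedBucketRule.Arn
  UnencryptedBucketRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "s3-bucket-unencrypted-noncompliant"
      Description: "Config compliance change to NON_COMPLIANT for the S3 encryption rule"
      State: ENABLED
      # Matches Config's "Config Rules Compliance Change" events, narrowed to this
      # rule, S3 buckets, and a new result of NON_COMPLIANT only, so the later
      # transition back to COMPLIANT does not page anyone.
      EventPattern:
        source:
          - "aws.config"
        detail-type:
          - "Config Rules Compliance Change"
        detail:
          messageType:
            - "ComplianceChangeNotification"
          configRuleName:
            - !Ref ConfigRuleName
          resourceType:
            - "AWS::S3::Bucket"
          newEvaluationResult:
            complianceType:
              - "NON_COMPLIANT"
      Targets:
        - Id: "sns-alert"
          Arn: !Ref UnencryptedBucketTopic
          # Turn the raw event into a one-line message for the subscriber.
          InputTransformer:
            InputPathsMap:
              account: "$.account"
              region: "$.region"
              bucket: "$.detail.resourceId"
              rule: "$.detail.configRuleName"
            InputTemplate: '"S3 bucket <bucket> in <account>/<region> is NON_COMPLIANT with Config rule <rule>"'
```

Two caveats when using this. Config emits a compliance-change event only when the evaluation result changes, so a bucket that was already NON_COMPLIANT before the rule was deployed will not generate an alert until it is re-evaluated to a different state; trigger a one-off `StartConfigRulesEvaluation` after deployment to get the current backlog. Also, the SCP in the answer is stricter than the Config rule: it denies any `PutObject` that does not carry the `x-amz-server-side-encryption: AES256` header, including uploads to buckets whose default encryption would have encrypted the object anyway and uploads that request SSE-KMS, so clients and tooling must set the header explicitly.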