
A similar question has already been created for this. I read some of the answers, but I could not solve the problem. I had to create a separate post for this because I do not have enough reputation points to reply to the user in that post. The link is: here. I want to restrict all publicly exposed ports except for a few security groups. For example, for one of the security groups I do not want port 80 exposed to the public, but for the security group, say, "sg-123456789", I want port 80 open to the public. How do I write the Cloud Custodian policy?

  - name: sg-123456789
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        -and:
            - type: value
              key: GroudId
              value: "sg-123456789"
              op: in
        -or:
            - type: ingress
              OnlyPorts: [80]
              Cidr:
                 value: "0.0.0.0/0"
                 op: in
            - type: ingress
              OnlyPorts: [80]
              CidrV6:
                 value:  "::/0"
                 op: in
    actions:
        - type: remove-permissions
          ingress: matched

  - name: sg-987654321
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        -and:
            - type: value
              key: GroudId
              value: "sg-987654321"
              op: in
        -or:
            - type: ingress
              OnlyPorts: [3000]
              Cidr:
                 value: "0.0.0.0/0"
                 op: in
            - type: ingress
              OnlyPorts: [3000]
              CidrV6:
                 value:  "::/0"
                 op: in
    actions:
        - type: remove-permissions
          ingress: matched


2 Answers


Share a screenshot of the error you are getting; you have to use separate policies for IPv4 and IPv6 in remediation mode.

    resource: security-group
    filters:
      - and:
        - type: value
          key: GroupId
          op: in
          value:
            - sg-0db5e1ab7ccccc
        - or:
          - type: ingress
            OnlyPorts: [80,443]
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            OnlyPorts: [80,443]
            CidrV6:
              value: "::/0"
answered 2019-12-18T19:15:54.870
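As an added example (not code from the question or from either answer), this is the matching logic the policies above are trying to express, written in plain Python over the boto3-style `describe_security_groups` structure so it can be checked offline: every watched port open to `0.0.0.0/0` or `::/0` is reported, except the ports a given group is explicitly allowed to expose. The per-group exception map, the watched-port set and the sample groups are constructed assumptions.

```python
from typing import Dict, List

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Assumed exception map: ports that may stay open to the world, per security group
# (the "sg-123456789 may expose 80" case from the question).
ALLOW_PUBLIC = {"sg-123456789": {80}}
# Assumed set of ports the policy watches on every other group.
WATCHED_PORTS = {80, 443, 3000}


def _ports(perm: Dict) -> set:
    """Watched ports covered by one IpPermission (IpProtocol -1 means all ports)."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return set(WATCHED_PORTS)
    return {p for p in WATCHED_PORTS if perm["FromPort"] <= p <= perm["ToPort"]}


def offending_ports(group: Dict) -> List[int]:
    """Watched ports this group exposes to the world beyond its allowed exceptions."""
    allowed = ALLOW_PUBLIC.get(group["GroupId"], set())
    found = set()
    for perm in group.get("IpPermissions", []):
        world_v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
        world_v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
        if world_v4 or world_v6:
            found |= _ports(perm) - allowed
    return sorted(found)


def audit(groups: List[Dict]) -> Dict[str, List[int]]:
    """Map each GroupId to the ports that a remediation policy should revoke."""
    return {g["GroupId"]: offending_ports(g) for g in groups}


# Constructed sample groups in the shape returned by describe_security_groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-123456789", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},        # allowed
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},           # offending
    ]},
    {"GroupId": "sg-987654321", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},        # offending
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},       # not world
    ]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_GROUPS))
```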

I am also currently looking into cloudcustodian. I tried creating the following policy, but it did not work as expected either.

    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::1234567890:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
            - type: value
              key: GroudId
              value: "sg-0987654321"
              op: in
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              Cidr:
                value: "0.0.0.0/0"
    actions:
        - type: remove-permissions
          ingress: matched

  - name: sg-0987654321-ipv6
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::1234567890:role/custo_role
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
            - type: value
              key: GroudId
              value: "sg-0987654321"
              op: in
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              CidrV6:
                value:  "::/0"
    actions:
        - type: remove-permissions
          ingress: matched

Also tried applying the filters with `and` as below, unfortunately with no luck.

    filters:
        - and:
            - type: value
              key: GroudId
              value: "sg-0987654321"
              op: in
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              Cidr:
                value: "0.0.0.0/0"

Please let me know where I went wrong.

answered 2019-12-18T11:07:06.870