我正在尝试使用 AquaSec 监控 AWS 云环境。AquaSec 通过提供 CloudFormation 模板帮助您连接 AWS 环境,您可以在 AWS 环境中部署该模板。部署后,您可以在 AquaSec 中使用它的 ARN 来连接/集成两者。Aquasec 中的任何警报都将发送到 SNS 主题,该主题将进一步发送到 HTTPS 端点。
这是 CloudFormation 模板文件,
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Aqua CSPM security scanner cross-account role",
"Parameters": {
"ExternalId": {
"Type": "String",
"Description": "The external ID auto-generated from the Aqua Cloud dashboard. Do not change this value.",
"AllowedPattern": "[-a-z0-9]*",
"ConstraintDescription": "Must be lowercase or numbers, no spaces, dashes ok."
}
},
"Resources": {
"AquaCSPMRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-api"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-collector"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-remediator"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-tasks"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
}
]
},
"Policies": [
{
"PolicyName": "aqua-cspm-supplemental-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:DescribeActiveReceiptRuleSet",
"athena:GetWorkGroup",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"elastictranscoder:ListPipelines",
"elasticfilesystem:DescribeFileSystems",
"servicequotas:ListServiceQuotas",
"ssm:ListAssociations",
"dlm:GetLifecyclePolicies",
"airflow:ListEnvironments",
"glue:GetSecurityConfigurations",
"devops-guru:ListNotificationChannels"
],
"Resource": "*"
}
]
}
}
],
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/SecurityAudit"
]
}
}
},
"Outputs": {
"AquaCSPMeArn": {
"Description": "The role ARN of the cross-account user. Copy this into Aqua Cloud.",
"Value": {
"Fn::GetAtt": [
"AquaCSPMRole",
"Arn"
]
}
},
"StackVersion": {
"Description": "The Aqua CSPM stack version.",
"Value": "2.0"
}
}
}
我正在尝试设置一个Amazon SNS 主题,在 Aquasec 使用它的 ARN 来发送警报。一旦我创建了一个 SNS 主题,并在 Aquasec 复制它的 ARN,并尝试测试通知 - 我一直收到错误,
{“消息”:“用户:arn:aws:sts::057012691312:assumed-role/lambda-cloudsploit-api/cloudsploit-api 无权执行:SNS:在资源上发布:arn:aws:sns:us-东1:940386435759:Sample_Aqua_Integration,“代码”:“AuthorizationError”,“时间”:“2021-04-19T22:15:54.463Z”,“requestId”:“bc808944-3430-5683-aed1-d1bc376a70f5”, “状态代码”:403,“可重试”:假,“重试延迟”:50.2772842473471}
我已经尝试了几乎所有可能的方式 - 在 SNS 主题中更改主题策略(“原则”字段的各种组合),尝试授予特定 IAM 角色的权限。似乎没有任何效果,我得到了同样的错误。我觉得它必须对模板文件做些什么(在' assumeRole '配置中)?
关于如何以及如何更改/尝试的任何建议?谢谢