I wrote a simple conformance pack to track down a problem I am having with referencing ARNs in remediation configuration resources.
The conformance pack only checks SNS topics to see which ones are encrypted and, if one is not, encrypts it with the supplied KMS key. Very basic, nothing like the AWS OOBE.
If I deploy the following code as-is, the conformance pack deploys correctly:
# *** Resources *** #
Resources:
  ### SNS ###
  # Verify if all the SNS topics are encrypted using the KMS service. If one or more topics are not encrypted, the remediation rule will encrypt the non compliant topics.
  SNSEncryptedKMS:
    Description: Verify if all the SNS topics are encrypted using the KMS service.
    Properties:
      ConfigRuleName: sns-encrypted-kms
      Scope:
        ComplianceResourceTypes:
          - AWS::SNS::Topic
      Source:
        Owner: AWS
        SourceIdentifier: SNS_ENCRYPTED_KMS
    Type: AWS::Config::ConfigRule
  # Remediation action if one or more SNS topics are not encrypted. The remediation action will encrypt non compliant SNS topics using the default AWS SNS KMS key.
  SNSEncryptedKMSRemediation:
    DependsOn: SNSEncryptedKMS
    Description: Remediation action if one or more SNS topics are not encrypted.
    Properties:
      Automatic: True
      ConfigRuleName: sns-encrypted-kms
      ResourceType: AWS::SNS::Topic
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWSConfigRemediation-EncryptSNSTopic
      TargetType: SSM_DOCUMENT
      TargetVersion: 1
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - "arn:aws:iam::xxxxxxxxxxxxx:role/MyAutomationRole"
        KmsKeyArn:
          StaticValue:
            Values:
              - "arn:aws:kms:ca-central-1:xxxxxxxxxxxx:key/xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
        TopicArn:
          ResourceValue:
            Value: "RESOURCE_ID"
    Type: AWS::Config::RemediationConfiguration
I mean, yes, of course, if I put the ARN directly in the code it works.
Now, if I want to reference the ARN as a parameter, even with the same ARN as the default value, the console throws me the error "The role ARN provided for the automatic remediation configuration is invalid".
I kept the Default section in the code, but even if I enter the parameters before trying to deploy the conformance pack, I still get the same error:
# *** Parameters *** #
Parameters:
  # Input the default AWS automation role ARN for remediation purpose.
  ConfigIAMAutomationServiceRoleARN:
    Default: "arn:aws:iam::xxxxxxxxxxxxx:role/MyAutomationRole"
    Description: Default AWS automation role ARN for remediation purpose.
    Type: String
  # Input the default AWS SNS KMS key ARN for remediation purpose.
  SNSKMSCMKEncryptionKeyARN:
    Default: "arn:aws:kms:ca-central-1:xxxxxxxxxxxx:key/xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
    Description: Default AWS SNS KMS key ARN for remediation purpose.
    Type: String
# *** Resources *** #
Resources:
  ### SNS ###
  # Verify if all the SNS topics are encrypted using the KMS service. If one or more topics are not encrypted, the remediation rule will encrypt the non compliant topics.
  SNSEncryptedKMS:
    Description: Verify if all the SNS topics are encrypted using the KMS service.
    Properties:
      ConfigRuleName: sns-encrypted-kms
      Scope:
        ComplianceResourceTypes:
          - AWS::SNS::Topic
      Source:
        Owner: AWS
        SourceIdentifier: SNS_ENCRYPTED_KMS
    Type: AWS::Config::ConfigRule
  # Remediation action if one or more SNS topics are not encrypted. The remediation action will encrypt non compliant SNS topics using the default AWS SNS KMS key.
  SNSEncryptedKMSRemediation:
    DependsOn: SNSEncryptedKMS
    Description: Remediation action if one or more SNS topics are not encrypted.
    Properties:
      Automatic: True
      ConfigRuleName: sns-encrypted-kms
      ResourceType: AWS::SNS::Topic
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWSConfigRemediation-EncryptSNSTopic
      TargetType: SSM_DOCUMENT
      TargetVersion: 1
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Ref: ConfigIAMAutomationServiceRoleARN
        KmsKeyArn:
          StaticValue:
            Values:
              - Ref: SNSKMSCMKEncryptionKeyARN
        TopicArn:
          ResourceValue:
            Value: "RESOURCE_ID"
    Type: AWS::Config::RemediationConfiguration
Why is the string not a string, and why can't the Parameters section interpret it as a string? I feel stupid right now and don't know what I'm doing wrong. Any pointers would be greatly appreciated. Ugh, I really need a coffee...
EDIT
It seems the issue only applies to AutomationAssumeRole. Why does it only do this for the IAM role, or for that specific parameter?
EDIT 2
Removed the part about SSM, as I noticed that SSM:GetParameter is not part of the allowed actions in the service role policy.
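Added here as a local pre-deploy sanity check, not code from the post or from AWS: it mirrors the template above as a Python dict, resolves each Ref the way the Parameters section is meant to (an entered value first, then the Default), and verifies that AutomationAssumeRole and KmsKeyArn end up as plain, well-formed ARNs rather than an unresolved Ref mapping or an empty value. The dict, the placeholder account and key ids, and the ARN regexes are constructed assumptions; it does not reproduce the console's own validation.

```python
import re

# Constructed stand-in for the post's template (a dict instead of YAML so it runs without PyYAML);
# account ids and key id are placeholders, not real values.
TEMPLATE = {
    "Parameters": {
        "ConfigIAMAutomationServiceRoleARN": {"Type": "String",
            "Default": "arn:aws:iam::123456789012:role/MyAutomationRole"},
        "SNSKMSCMKEncryptionKeyARN": {"Type": "String",
            "Default": "arn:aws:kms:ca-central-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
    },
    "Resources": {
        "SNSEncryptedKMSRemediation": {
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {"Parameters": {
                "AutomationAssumeRole": {"StaticValue": {"Values": [{"Ref": "ConfigIAMAutomationServiceRoleARN"}]}},
                "KmsKeyArn": {"StaticValue": {"Values": [{"Ref": "SNSKMSCMKEncryptionKeyARN"}]}},
                "TopicArn": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            }},
        },
    },
}
# Shape checks (assumed patterns) for the two static values the remediation needs; partition-agnostic.
ARN_SHAPES = {
    "AutomationAssumeRole": re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$"),
    "KmsKeyArn": re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"),
}

def resolve(value, params, overrides):
    """Resolve one StaticValue entry: {"Ref": name} -> entered value if given, else the parameter Default."""
    if isinstance(value, dict) and "Ref" in value:
        name = value["Ref"]
        if name not in params:
            raise KeyError(f"Ref to undeclared parameter: {name}")
        return overrides.get(name, params[name].get("Default"))
    return value  # literal ARN written directly into the template

def check_remediations(template, overrides=None):
    """Return {logical_id: {param: bad_value}} for static values that do not resolve to a well-formed ARN."""
    overrides, params, problems = overrides or {}, template.get("Parameters", {}), {}
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::Config::RemediationConfiguration":
            continue
        for pname, spec in res["Properties"]["Parameters"].items():
            if "StaticValue" not in spec:  # ResourceValue entries are filled in by Config at runtime
                continue
            for v in (resolve(x, params, overrides) for x in spec["StaticValue"]["Values"]):
                shape = ARN_SHAPES.get(pname)
                if not isinstance(v, str) or (shape and not shape.match(v)):
                    problems.setdefault(logical_id, {})[pname] = v
    return problems
```

With the defaults the check returns an empty dict, which is the point: the resolved role ARN is a syntactically valid IAM role ARN, so a local shape check cannot explain the console error.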