我正在尝试创建 AWS Config 自定义规则来检查我的 EKS 集群的合规性。例如,我想检查它们是否启用了控制平面日志记录。我查阅了 AWS::EKS::Cluster 的资源类型文档,原本期望这些属性会出现在我的 Lambda 收到的事件中;但当 AWS Config 调用我的 Lambda 并打印事件时,事件里的 configuration 对象和文档描述的属性列表差别很大(下面的输出已将账号 ID 等信息打码):
// Dump the incoming AWS Config event (pretty-printed) so the shape of the recorded
// configuration item can be inspected from the function's logs.
// NOTE(review): this writes the whole configuration item - account ID, ARNs, API endpoint,
// subnet/security-group IDs and the cluster CA data - to CloudWatch Logs. Limit who can read
// that log group, and remove or narrow this dump once the event shape is understood.
console.info(`EVENT\n${JSON.stringify(event, null, 2)}`);
打印:
{
"configurationItemDiff":null,
"configurationItem":{
"relatedEvents":[
],
"relationships":[
],
"configuration":{
"Arn":"arn:aws:eks:eu-west-2:XXXXXXX:cluster/eks-cluster",
"CertificateAuthorityData":"LS0tLS1....",
"Endpoint":"https://xxxxx.gr7.eu-west-2.eks.amazonaws.com",
"Name":"eks-cluster",
"ResourcesVpcConfig":{
"SecurityGroupIds":[
"sg-0999999352ef8963b"
],
"SubnetIds":[
"subnet-08e9879878977832c",
"subnet-022c665678587c77d",
"subnet-0143345543345af8c"
]
},
"RoleArn":"arn:aws:iam::xxxxxx:role/eks-cluster-role",
"Version":"1.21",
"Tags":[
]
},
"supplementaryConfiguration":{
},
"tags":{
},
"configurationItemVersion":"1.3",
"configurationItemCaptureTime":"2022-02-15T03:04:01.223Z",
"configurationStateId":1644894241223,
"awsAccountId":"xxxxxxx",
"configurationItemStatus":"OK",
"resourceType":"AWS::EKS::Cluster",
"resourceId":"eks-cluster",
"resourceName":"eks-cluster",
"ARN":"arn:aws:eks:eu-west-2:xxxxxxxx:cluster/eks-cluster",
"awsRegion":"eu-west-2",
"availabilityZone":"Regional",
"configurationStateMd5Hash":"",
"resourceCreationTime":null
},
"notificationCreationTime":"2022-02-15T10:36:01.432Z",
"messageType":"ConfigurationItemChangeNotification",
"recordVersion":"1.3"
}
可以看到,事件中的 configuration 对象只包含 Arn、CertificateAuthorityData、Endpoint、Name、ResourcesVpcConfig、RoleArn、Version 和 Tags,并没有 KubernetesNetworkConfig、Logging 等字段。有没有办法在 AWS Config 的自定义 Lambda 规则中检查这些 AWS::EKS::Cluster 属性(KubernetesNetworkConfig、Logging……)?