AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services, and the features described in the AWS documentation, may vary by Region or location. See Getting Started with Amazon AWS for the specific differences in the China Regions.

AWS::Config::ConfigRule

The AWS::Config::ConfigRule resource uses an AWS Lambda (Lambda) function that evaluates configuration items to assess whether your AWS resources comply with a specified configuration. The function can run when AWS Config detects a configuration change or when it delivers a configuration snapshot. The resources that the function evaluates must be in the recording group. For more information, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Config::ConfigRule",
  "Properties" : {
    "ConfigRuleName" : String,
    "Description" : String,
    "InputParameters" : { ParameterName : Value },
    "MaximumExecutionFrequency" : String,
    "Scope" : Scope,
    "Source" : Source
  }
}

YAML

Type: "AWS::Config::ConfigRule"
Properties:
  ConfigRuleName: String
  Description: String
  InputParameters:
    ParameterName: Value
  MaximumExecutionFrequency: String
  Scope: Scope
  Source: Source

Properties

ConfigRuleName

The name of the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID as the rule name. For more information, see Name Type.

Required: No

Type: String

Update requires: Replacement

Description

A description of the AWS Config rule.

Required: No

Type: String

Update requires: No interruption

InputParameters

Input parameter values that are passed to the AWS Config rule (the Lambda function). The function receives them serialized as a JSON string in the ruleParameters field of its invocation event, so it must parse them before use.

Required: No

Type: JSON object

Update requires: No interruption

MaximumExecutionFrequency

The maximum frequency at which the AWS Config rule runs evaluations. Valid values are One_Hour, Three_Hours, Six_Hours, Twelve_Hours and TwentyFour_Hours; see the ConfigRule data type in the AWS Config API Reference.

If the rule runs evaluations when AWS Config delivers a configuration snapshot, the rule cannot run more often than the snapshot is delivered. Set an execution frequency that is equal to or less frequent than the snapshot delivery frequency, which is a property of the AWS::Config::DeliveryChannel resource.

Required: No

Type: String

Update requires: No interruption

Scope

Defines which AWS resources trigger an evaluation when their configuration changes. The scope can include one or more resource types, a combination of a tag key and tag value, or a combination of one resource type and one resource ID. Specify a scope to limit the resources that are evaluated. If you don't specify a scope, the rule evaluates every resource in the recording group.

Required: No

Type: AWS Config ConfigRule Scope

Update requires: No interruption
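The Scope rules above are only enforced by CloudFormation at deploy time. The following is an added example, not code from the AWS documentation, that models the three documented forms of Scope (resource types; a tag key with optional value; one resource type plus one resource ID) as a small lint, and a matcher that decides which configuration items a given scope would send to the rule. The sample scopes and configuration items are constructed for the example; the tag-versus-type exclusivity check follows the documentation's description of the three forms as alternatives.

```javascript
// Added example (not from the AWS documentation): lint for the Scope property of
// AWS::Config::ConfigRule plus a matcher for configuration items.
// Scopes and configuration items below are constructed sample data.
'use strict';

// Returns a list of problems with a Scope object; an empty list means the scope is well formed.
function validateScope(scope) {
  const problems = [];
  const types = scope.ComplianceResourceTypes || [];
  const hasTag = scope.TagKey !== undefined || scope.TagValue !== undefined;
  if (scope.TagValue !== undefined && scope.TagKey === undefined) {
    problems.push('TagValue requires TagKey');
  }
  if (scope.ComplianceResourceId !== undefined && types.length !== 1) {
    problems.push('ComplianceResourceId requires exactly one entry in ComplianceResourceTypes');
  }
  if (hasTag && (types.length > 0 || scope.ComplianceResourceId !== undefined)) {
    // The documentation lists a tag scope as an alternative to resource types / IDs, not a combination.
    problems.push('a tag scope cannot be combined with resource types or a resource ID');
  }
  return problems;
}

// Decides whether a recorded resource is in scope. An empty scope matches every resource in the recording group.
function inScope(scope, item) {
  const types = scope.ComplianceResourceTypes || [];
  if (types.length > 0 && !types.includes(item.resourceType)) return false;
  if (scope.ComplianceResourceId !== undefined && item.resourceId !== scope.ComplianceResourceId) return false;
  if (scope.TagKey !== undefined) {
    const tags = item.tags || {};
    if (!Object.prototype.hasOwnProperty.call(tags, scope.TagKey)) return false;
    if (scope.TagValue !== undefined && tags[scope.TagKey] !== scope.TagValue) return false;
  }
  return true;
}

// Constructed sample scopes, one per documented form plus one invalid one.
const SCOPES = {
  volumes: { ComplianceResourceTypes: ['AWS::EC2::Volume'] },
  oneVolume: { ComplianceResourceTypes: ['AWS::EC2::Volume'], ComplianceResourceId: 'vol-0123456789abcdef0' },
  prodTagged: { TagKey: 'Environment', TagValue: 'prod' },
  idWithoutType: { ComplianceResourceId: 'vol-0123456789abcdef0' },
  everything: {},
};

// Constructed configuration items (the fields a Scope decision depends on).
const ITEMS = [
  { resourceType: 'AWS::EC2::Volume', resourceId: 'vol-0123456789abcdef0', tags: { Environment: 'prod' } },
  { resourceType: 'AWS::EC2::Volume', resourceId: 'vol-0fedcba9876543210', tags: { Environment: 'dev' } },
  { resourceType: 'AWS::EC2::Instance', resourceId: 'i-0123456789abcdef0', tags: { Environment: 'prod' } },
];

// Returns the IDs of the sample items that the named scope would send to the rule.
function resourcesEvaluatedBy(scopeName) {
  return ITEMS.filter((item) => inScope(SCOPES[scopeName], item)).map((item) => item.resourceId);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of Object.keys(SCOPES)) {
    const problems = validateScope(SCOPES[name]);
    console.log(name, problems.length ? 'INVALID: ' + problems.join('; ') : resourcesEvaluatedBy(name));
  }
}
```

Run the lint over the Scope of each AWS::Config::ConfigRule in a template before deploying; an ID scope without exactly one resource type, or a TagValue without a TagKey, is rejected by CloudFormation only after the stack operation has started.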

Source

Specifies the rule owner, the rule identifier, and the events that cause the function to evaluate your AWS resources.

Required: Yes

Type: AWS Config ConfigRule Source

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of an AWS::Config::ConfigRule resource to the intrinsic Ref function, the function returns the rule name, such as mystack-MyConfigRule-12ABCFPXHV4OV.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

Arn

The Amazon Resource Name (ARN) of the AWS Config rule, such as arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi.

ConfigRuleId

The ID of the AWS Config rule, such as config-rule-a1bzhi.

Compliance.Type

The compliance status of the AWS Config rule, such as COMPLIANT or NON_COMPLIANT.

For more information about using Fn::GetAtt, see Fn::GetAtt.

Examples

The following example uses an AWS managed rule to check whether EC2 volume resources have a CostCenter tag.

JSON

"ConfigRuleForVolumeTags": {
  "Type": "AWS::Config::ConfigRule",
  "Properties": {
    "InputParameters": {"tag1Key": "CostCenter"},
    "Scope": {
      "ComplianceResourceTypes": ["AWS::EC2::Volume"]
    },
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "REQUIRED_TAGS"
    }
  }
}

YAML

ConfigRuleForVolumeTags:
  Type: "AWS::Config::ConfigRule"
  Properties:
    InputParameters:
      tag1Key: CostCenter
    Scope:
      ComplianceResourceTypes:
        - "AWS::EC2::Volume"
    Source:
      Owner: AWS
      SourceIdentifier: "REQUIRED_TAGS"

Rule Using a Lambda Function

The following example creates a custom configuration rule that uses a Lambda function. The function checks whether an EC2 volume has the AutoEnableIO attribute set to true. Note that the rule declares a dependency on the Lambda permission (DependsOn: ConfigPermissionToCallLambda), so the rule is created only after AWS Config has been granted permission to invoke the function. The Ec2Volume and LambdaExecutionRole resources that the example references are declared elsewhere in the template; the execution role must allow config:PutEvaluations and ec2:DescribeVolumeAttribute in addition to the basic Lambda logging permissions, because the function calls both APIs. As written, the permission lets the config.amazonaws.com service principal invoke the function on behalf of any account; in a production template, set SourceAccount on the AWS::Lambda::Permission to your own account ID so that only rules in your account can trigger it. The nodejs4.3 runtime shown has been retired, so deploy the function with a currently supported Node.js runtime, porting the code to the AWS SDK version that runtime bundles.

JSON

"ConfigPermissionToCallLambda": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "FunctionName": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]},
    "Action": "lambda:InvokeFunction",
    "Principal": "config.amazonaws.com"
  }
},
"VolumeAutoEnableIOComplianceCheck": {
  "Type": "AWS::Lambda::Function",
  "Properties": {
    "Code": {
      "ZipFile": {"Fn::Join": ["\n", [
        "var aws = require('aws-sdk');",
        "var config = new aws.ConfigService();",
        "var ec2 = new aws.EC2();",
        "exports.handler = function(event, context) {",
        "  // Evaluate the volume, then report the verdict to AWS Config with the result token from this invocation.",
        "  evaluateCompliance(event, context, function(compliance) {",
        "    var configurationItem = JSON.parse(event.invokingEvent).configurationItem;",
        "    var putEvaluationsRequest = {",
        "      Evaluations: [{",
        "        ComplianceResourceType: configurationItem.resourceType,",
        "        ComplianceResourceId: configurationItem.resourceId,",
        "        ComplianceType: compliance,",
        "        OrderingTimestamp: configurationItem.configurationItemCaptureTime",
        "      }],",
        "      ResultToken: event.resultToken",
        "    };",
        "    config.putEvaluations(putEvaluationsRequest, function(err, data) {",
        "      if (err) context.fail(err);",
        "      else context.succeed(data);",
        "    });",
        "  });",
        "};",
        "// Calls doReturn with COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE; context is passed in so an EC2 API error fails the invocation.",
        "function evaluateCompliance(event, context, doReturn) {",
        "  var configurationItem = JSON.parse(event.invokingEvent).configurationItem;",
        "  var status = configurationItem.configurationItemStatus;",
        "  if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))",
        "    doReturn('NOT_APPLICABLE');",
        "  else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) {",
        "    if (err) context.fail(err);",
        "    else if (data.AutoEnableIO.Value) doReturn('COMPLIANT');",
        "    else doReturn('NON_COMPLIANT');",
        "  });",
        "}"
      ]]}
    },
    "Handler": "index.handler",
    "Runtime": "nodejs4.3",
    "Timeout": "30",
    "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]}
  }
},
"ConfigRuleForVolumeAutoEnableIO": {
  "Type": "AWS::Config::ConfigRule",
  "Properties": {
    "ConfigRuleName": "ConfigRuleForVolumeAutoEnableIO",
    "Scope": {
      "ComplianceResourceId": {"Ref": "Ec2Volume"},
      "ComplianceResourceTypes": ["AWS::EC2::Volume"]
    },
    "Source": {
      "Owner": "CUSTOM_LAMBDA",
      "SourceDetails": [{
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      }],
      "SourceIdentifier": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]}
    }
  },
  "DependsOn": "ConfigPermissionToCallLambda"
}

YAML

ConfigPermissionToCallLambda:
  Type: "AWS::Lambda::Permission"
  Properties:
    FunctionName:
      Fn::GetAtt:
        - VolumeAutoEnableIOComplianceCheck
        - Arn
    Action: "lambda:InvokeFunction"
    Principal: "config.amazonaws.com"
VolumeAutoEnableIOComplianceCheck:
  Type: "AWS::Lambda::Function"
  Properties:
    Code:
      ZipFile: !Sub |
        var aws = require('aws-sdk');
        var config = new aws.ConfigService();
        var ec2 = new aws.EC2();
        exports.handler = function(event, context) {
          // Evaluate the volume, then report the verdict to AWS Config with the result token from this invocation.
          evaluateCompliance(event, context, function(compliance) {
            var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
            var putEvaluationsRequest = {
              Evaluations: [{
                ComplianceResourceType: configurationItem.resourceType,
                ComplianceResourceId: configurationItem.resourceId,
                ComplianceType: compliance,
                OrderingTimestamp: configurationItem.configurationItemCaptureTime
              }],
              ResultToken: event.resultToken
            };
            config.putEvaluations(putEvaluationsRequest, function(err, data) {
              if (err) context.fail(err);
              else context.succeed(data);
            });
          });
        };
        // Calls doReturn with COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE; context is passed in so an EC2 API error fails the invocation.
        function evaluateCompliance(event, context, doReturn) {
          var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
          var status = configurationItem.configurationItemStatus;
          if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))
            doReturn('NOT_APPLICABLE');
          else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) {
            if (err) context.fail(err);
            else if (data.AutoEnableIO.Value) doReturn('COMPLIANT');
            else doReturn('NON_COMPLIANT');
          });
        }
    Handler: "index.handler"
    Runtime: nodejs4.3
    Timeout: 30
    Role:
      Fn::GetAtt:
        - LambdaExecutionRole
        - Arn
ConfigRuleForVolumeAutoEnableIO:
  Type: "AWS::Config::ConfigRule"
  Properties:
    ConfigRuleName: ConfigRuleForVolumeAutoEnableIO
    Scope:
      ComplianceResourceId:
        Ref: Ec2Volume
      ComplianceResourceTypes:
        - "AWS::EC2::Volume"
    Source:
      Owner: "CUSTOM_LAMBDA"
      SourceDetails:
        - EventSource: "aws.config"
          MessageType: "ConfigurationItemChangeNotification"
      SourceIdentifier:
        Fn::GetAtt:
          - VolumeAutoEnableIOComplianceCheck
          - Arn
  DependsOn: ConfigPermissionToCallLambda
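The function in the template above mixes its verdict logic with the AWS API calls, which makes it hard to test without deploying. The following is an added example, not code from the AWS documentation or from the template, that separates the two: a pure function turns one ConfigurationItemChangeNotification into the PutEvaluations request, and the Config client is injected so the file runs offline. It exercises what every custom rule has to handle: invokingEvent and ruleParameters arrive as JSON strings, a resource that left the rule's Scope or was deleted is reported as NOT_APPLICABLE so a stale verdict is cleared, and the result goes back with the resultToken of the invocation. The rule checked here (required tag keys supplied as tag1Key, tag2Key, ... in InputParameters, the same form the REQUIRED_TAGS managed rule uses), the handler signature with an injected putEvaluations function, and all sample events are constructed for this example.

```javascript
// Added example (not from the AWS documentation): testable decision logic for a
// custom AWS Config rule. All events and the fake Config client are constructed.
'use strict';

// Required tag keys come from InputParameters as tag1Key, tag2Key, ... (a JSON string at runtime).
function requiredTagKeys(ruleParameters) {
  const params = ruleParameters ? JSON.parse(ruleParameters) : {};
  return Object.keys(params)
    .filter((k) => /^tag\d+Key$/.test(k))
    .map((k) => params[k]);
}

// Pure function: turns one invocation event into the PutEvaluations request.
function buildEvaluation(event) {
  const invokingEvent = JSON.parse(event.invokingEvent);
  if (invokingEvent.messageType !== 'ConfigurationItemChangeNotification') {
    throw new Error('unsupported messageType: ' + invokingEvent.messageType);
  }
  const item = invokingEvent.configurationItem;
  const status = item.configurationItemStatus;
  const evaluation = {
    ComplianceResourceType: item.resourceType,
    ComplianceResourceId: item.resourceId,
    OrderingTimestamp: item.configurationItemCaptureTime,
  };
  if (event.eventLeftScope || status === 'ResourceDeleted' || status === 'ResourceDeletedNotRecorded') {
    // The resource is gone or no longer matches the rule's Scope: clear any earlier verdict.
    evaluation.ComplianceType = 'NOT_APPLICABLE';
  } else {
    const tags = item.tags || {};
    const missing = requiredTagKeys(event.ruleParameters)
      .filter((k) => !Object.prototype.hasOwnProperty.call(tags, k));
    evaluation.ComplianceType = missing.length === 0 ? 'COMPLIANT' : 'NON_COMPLIANT';
    if (missing.length > 0) evaluation.Annotation = 'Missing tags: ' + missing.join(', ');
  }
  return { Evaluations: [evaluation], ResultToken: event.resultToken };
}

// Entry point. putEvaluations is a function taking the request and returning a promise; in Lambda with
// AWS SDK v2 wrap it as exports.handler = (event) => handler(event, (req) => new aws.ConfigService().putEvaluations(req).promise()).
async function handler(event, putEvaluations) {
  const request = buildEvaluation(event);
  await putEvaluations(request);
  return request;
}

// Constructed invocation event shaped like a change notification from AWS Config.
function sampleEvent(tags, overrides) {
  const configurationItem = Object.assign({
    resourceType: 'AWS::EC2::Volume',
    resourceId: 'vol-0123456789abcdef0',
    configurationItemStatus: 'OK',
    configurationItemCaptureTime: '2024-01-01T00:00:00.000Z',
    tags: tags,
  }, overrides || {});
  return {
    invokingEvent: JSON.stringify({ messageType: 'ConfigurationItemChangeNotification', configurationItem }),
    ruleParameters: JSON.stringify({ tag1Key: 'CostCenter', tag2Key: 'Owner' }),
    resultToken: 'constructed-result-token',
    eventLeftScope: false,
  };
}

// Runs the handler against a recording fake of the Config client and returns the captured requests.
async function demo() {
  const sent = [];
  const fakePutEvaluations = async (req) => { sent.push(req); return {}; };
  await handler(sampleEvent({ CostCenter: '4242', Owner: 'storage-team' }), fakePutEvaluations);
  await handler(sampleEvent({ CostCenter: '4242' }), fakePutEvaluations);
  const gone = sampleEvent({}, { configurationItemStatus: 'ResourceDeleted' });
  gone.eventLeftScope = true;
  await handler(gone, fakePutEvaluations);
  return sent;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((sent) => sent.forEach((r) =>
    console.log(r.Evaluations[0].ComplianceResourceId, r.Evaluations[0].ComplianceType, r.Evaluations[0].Annotation || '')));
}
```

Keeping buildEvaluation free of API calls means the NOT_APPLICABLE branches, which are the ones most often forgotten and which leave stale NON_COMPLIANT results behind, can be covered by unit tests before the function is ever granted config:PutEvaluations.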
