AWS Config Process Checks Within a Conformance Pack - AWS Config
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS Services in China.

This is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

AWS Config Process Checks Within a Conformance Pack

A process check is a type of AWS Config rule that lets you track external and internal tasks that require manual verification as part of a conformance pack. These checks can be added to an existing conformance pack or to a new one. As a result, you can track all of your compliance, both AWS configuration rules and manual checks, in a single location.

With process checks, you can list the compliance status of requirements and actions in a single location. Process checks increase the coverage of conformance packs that are based on compliance regimes. You can extend a conformance pack further by adding new process checks that track processes and actions needing manual verification. The conformance pack then becomes the template that describes both the AWS configurations and the manual processes required by a compliance regime.

You can track and manage the compliance of processes that are not associated with resource configuration changes as process checks within a conformance pack. For example, you can add a process check to track the PCI-DSS requirement that media backups be stored at an offsite location. You evaluate the compliance of this check manually, according to the PCI-DSS guidelines or your organization's own guidance.

Region availability: Process checks within conformance packs are available in all AWS Regions where AWS Config conformance packs are available. For more information, see Region Support.

Sample Conformance Pack Template for Creating Process Checks

    ################################################################################
    #
    #   Conformance Pack template for process check
    #
    ################################################################################
    Resources:
      AWSConfigProcessCheck:
        Properties:
          ConfigRuleName: RuleName
          Description: Description of Rule
          Source:
            Owner: AWS
            SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
        Type: AWS::Config::ConfigRule

See two sample templates: the Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 1 template and the Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 2 template.

Include Process Checks Within a Conformance Pack

  1. Add a process check in the conformance pack template. Refer to the previous sample template.

    Resources:
      ConfigEnabledAllRegions:
        Properties:
          ConfigRuleName: Config-Enabled-All-Regions
          Description: Ensure AWS Config is enabled in all Regions.
          Source:
            Owner: AWS
            SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
        Type: AWS::Config::ConfigRule
  2. Enter the name for the process check.

  3. Enter the description for the process check.

  4. Deploy the conformance pack from the AWS Management Console. For more information, see Deploying a Conformance Pack Using the AWS Config Console.

    Note

    You can also deploy conformance packs using the AWS Command Line Interface (AWS CLI). For more information, see Deploying a Conformance Pack Using the AWS Command Line Interface.
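The procedure above adds each process check by hand to the template. The following added example (not AWS sample code) builds the same `AWS::Config::ConfigRule` structure for a list of manual checks, rejects duplicate or malformed rule names, and emits YAML text that can be saved to a file and deployed with `put-conformance-pack`. The character-set rule for `ConfigRuleName`, the `logical_id` derivation and the `SAMPLE_CHECKS` list (the PCI-DSS offsite backup example from the page plus a constructed second check) are this example's own assumptions.

```python
"""Generate a conformance pack template containing process checks.

Added example, not from the AWS documentation. Builds the template shape
shown on the page for several manual checks, validates the names, and
emits YAML that can be deployed with:
  aws configservice put-conformance-pack --conformance-pack-name <name> \
      --template-body file://process-checks.yaml
"""
import re

PROCESS_CHECK_SOURCE_IDENTIFIER = "AWS_CONFIG_PROCESS_CHECK"
# Assumed constraint for ConfigRuleName: letters, digits, '-' and '_', up to 128 chars.
_RULE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def process_check_resource(rule_name: str, description: str) -> dict:
    """Return one AWS::Config::ConfigRule resource that describes a process check."""
    if not _RULE_NAME_RE.match(rule_name):
        raise ValueError(f"invalid ConfigRuleName: {rule_name!r}")
    return {
        "Type": "AWS::Config::ConfigRule",
        "Properties": {
            "ConfigRuleName": rule_name,
            "Description": description,
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": PROCESS_CHECK_SOURCE_IDENTIFIER,
            },
        },
    }


def logical_id(rule_name: str) -> str:
    """CloudFormation logical IDs must be alphanumeric; derive one from the rule name."""
    parts = re.split(r"[^A-Za-z0-9]+", rule_name)
    return "".join(part.capitalize() for part in parts if part)


def build_conformance_pack(checks) -> dict:
    """checks: iterable of (rule_name, description) pairs. Raises on duplicates."""
    resources = {}
    seen_names = set()
    for rule_name, description in checks:
        if rule_name in seen_names:
            raise ValueError(f"duplicate process check name: {rule_name}")
        seen_names.add(rule_name)
        lid = logical_id(rule_name)
        if lid in resources:
            raise ValueError(f"logical ID collision: {lid}")
        resources[lid] = process_check_resource(rule_name, description)
    return {"Resources": resources}


def _quote(text: str) -> str:
    # Double-quote descriptions so a ':' or '#' inside them cannot break the YAML.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(template: dict) -> str:
    """Emit the template as YAML text (minimal emitter for this fixed structure)."""
    lines = ["Resources:"]
    for lid, res in template["Resources"].items():
        props = res["Properties"]
        lines += [
            f"  {lid}:",
            f"    Type: {res['Type']}",
            "    Properties:",
            f"      ConfigRuleName: {props['ConfigRuleName']}",
            f"      Description: {_quote(props['Description'])}",
            "      Source:",
            f"        Owner: {props['Source']['Owner']}",
            f"        SourceIdentifier: {props['Source']['SourceIdentifier']}",
        ]
    return "\n".join(lines) + "\n"


# Constructed sample checks: the page's PCI-DSS example plus a second manual control.
SAMPLE_CHECKS = [
    ("Offsite-Media-Backup", "PCI DSS: media backups are stored at an offsite location."),
    ("Quarterly-Access-Review", "Privileged IAM access is reviewed every quarter."),
]

if __name__ == "__main__":
    print(to_yaml(build_conformance_pack(SAMPLE_CHECKS)))
```

Every generated resource carries `Owner: AWS` and `SourceIdentifier: AWS_CONFIG_PROCESS_CHECK`, which is what makes AWS Config treat the rule as a process check rather than a managed or custom rule; the duplicate-name check matters because all process checks in one pack share the same suffix when deployed, so two checks with the same base name would be indistinguishable on the Rules page.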

Change Compliance Status of a Process Check

Change Compliance Status of a Process Check (Console)

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.amazonaws.cn/config/

  2. Navigate to the AWS Config Rules page.

  3. Choose the name of the process check that you specified in the template along with the identifier in the conformance pack.

    Note

    All the process checks from the same conformance pack have the same suffix.

  4. On the Rule details page, you cannot edit the rule but you can edit the compliance of the rule. In the Manual compliance section, choose Edit compliance.

  5. Choose the appropriate compliance from the dropdown list.

  6. (Optional) Enter a description for the compliance status.

  7. Choose Save.

After changing the compliance status, return to your conformance pack to view the process check and its description.

Change Compliance Status of a Process Check (CLI)

You can update the compliance of process checks within a conformance pack using the AWS Command Line Interface (AWS CLI).

To install the AWS CLI on your local machine, see Installing the AWS CLI in the AWS CLI User Guide at http://docs.amazonaws.cn/cli/latest/userguide/installing.html.

If necessary, type aws configure to configure the AWS CLI to use an AWS Region where AWS Config conformance packs are available.

  1. Open a command prompt or a terminal window.

  2. Type the following command to update the compliance of a process check, where ComplianceResourceId is your account ID and the value of --config-rule-name is the name of your rule.

    aws configservice put-external-evaluation --config-rule-name process-check-rule-name --external-evaluation ComplianceResourceType=AWS::::Account,ComplianceResourceId=Account ID,ComplianceType=NON_COMPLIANT,OrderingTimestamp=2020-12-17T00:10:00.000Z
  3. Press Enter to run the command.

Change Compliance Status of a Process Check (API)

After the deployment is complete, to update the evaluations and compliance of the process checks, use the PutExternalEvaluation API. For more information, see PutExternalEvaluation.
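The CLI command and the PutExternalEvaluation API above take the same parameters. The following added example (not AWS sample code) validates those parameters before the call: the account ID must be 12 digits, the compliance type must be one of the three values a process check accepts on the Rule details page, and the annotation is kept within the 256-character limit assumed here for the API's Annotation field. The client is injected so the request can be built and inspected offline; `RecordingClient` is a constructed stand-in, and in production you pass `boto3.client("config")`, whose `put_external_evaluation` method accepts the same keyword arguments.

```python
"""Update the compliance state of a process check via PutExternalEvaluation.

Added example, not AWS sample code. The AWS Config client is injected so the
request can be built and checked without network access; pass
boto3.client("config") for a real update.
"""
import re
from datetime import datetime, timezone

# The states a process check can be set to from the console (see the Note above).
ALLOWED_COMPLIANCE = {"COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
MAX_ANNOTATION = 256  # assumed limit of the ExternalEvaluation Annotation field


def build_external_evaluation(account_id, compliance_type, annotation="",
                              ordering_timestamp=None):
    """Return the ExternalEvaluation structure for an account-scoped process check."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("ComplianceResourceId must be a 12-digit AWS account ID")
    # Accept the console spellings (Non-Compliant, Not-Applicable) as well as API ones.
    normalized = compliance_type.strip().upper().replace("-", "_")
    if normalized not in ALLOWED_COMPLIANCE:
        raise ValueError(f"ComplianceType must be one of {sorted(ALLOWED_COMPLIANCE)}")
    if len(annotation) > MAX_ANNOTATION:
        raise ValueError(f"Annotation is limited to {MAX_ANNOTATION} characters")
    evaluation = {
        "ComplianceResourceType": "AWS::::Account",
        "ComplianceResourceId": account_id,
        "ComplianceType": normalized,
        # OrderingTimestamp orders successive evaluations; default to "now" in UTC.
        "OrderingTimestamp": ordering_timestamp or datetime.now(timezone.utc),
    }
    if annotation:
        evaluation["Annotation"] = annotation
    return evaluation


def update_process_check(client, rule_name, account_id, compliance_type, annotation=""):
    """Send PutExternalEvaluation for one process check and return the request sent."""
    request = {
        "ConfigRuleName": rule_name,
        "ExternalEvaluation": build_external_evaluation(account_id, compliance_type,
                                                        annotation),
    }
    client.put_external_evaluation(**request)
    return request


class RecordingClient:
    """Constructed offline stand-in for boto3.client('config'); records each call."""

    def __init__(self):
        self.calls = []

    def put_external_evaluation(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    client = RecordingClient()  # replace with boto3.client("config") for a real update
    update_process_check(client, "Offsite-Media-Backup", "111122223333",
                         "Non-Compliant", "Q4 offsite rotation not evidenced")
    print(client.calls[0])
```

Validating before the call matters because an evaluation written against the wrong account ID or with a misspelled compliance type is silently wrong from a compliance-reporting standpoint: the rule would appear to have a state that nobody actually attested to.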

View and Edit the Process Check (Console)

You can view process checks only after a compliance state has been added to process checks. Choose the specific conformance pack to view all the process checks within that conformance pack. Here you can see a list of process checks that are in compliant and non-compliant status.

Because this is a service-linked rule, you cannot edit the process check through the Rule details page.

Note

However, you can update the compliance of the process check by choosing Edit Compliance and selecting the appropriate value from Compliant, Non-Compliant or Not-Applicable.

You can edit or delete a process check from the conformance pack where you added the process checks.