


# Amazon Inspector policy syntax and examples
<a name="orgs_manage_policies_inspector_syntax"></a>

Amazon Inspector policies follow a standardized JSON syntax that defines how Amazon Inspector is enabled and configured across your organization. An Amazon Inspector policy is a JSON document structured according to the AWS Organizations management policy syntax. It defines which organizational entities have Amazon Inspector enabled automatically.

## Basic policy structure
<a name="inspector-basic-structure"></a>

An Amazon Inspector policy uses the following basic structure:

```
{
    "inspector": {
        "enablement": {
            "ec2_scanning": {
                "enable_in_regions": {
                    "@@assign": ["us-east-1", "us-west-2"]
                },
                "disable_in_regions": {
                    "@@assign": ["eu-west-1"]
                }
            }
        }
    }
}
```

## Policy components
<a name="inspector-policy-components"></a>

An Amazon Inspector policy contains the following key components:

`inspector`  
The top-level key of an Amazon Inspector policy document. It is required in every Amazon Inspector policy.

`enablement`  
Defines how Amazon Inspector is enabled across the organization and contains the scan-type configuration. Each scan type shown in the examples on this page (`ec2_scanning`, `ecr_scanning`, `lambda_standard_scanning`, `lambda_code_scanning`, `code_repository_scanning`) is a key under `enablement` that holds an `enable_in_regions` block and a `disable_in_regions` block.

`Regions (Array of Strings)`  
The value of the `@@assign` operator inside `enable_in_regions` and `disable_in_regions`: an array of Region names in which Amazon Inspector is automatically enabled or disabled, respectively.
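As an added illustration (not code from the AWS documentation), the following Python script checks a policy document against the structure described above and flattens each scan type into the Regions it enables and disables. The scan-type names come from this page's examples; the sample policy, including its two deliberate mistakes, is constructed here.

```python
"""Structural checks for an Amazon Inspector organization policy document.

Added illustration, not AWS code. It checks the shape described in the
"Policy components" section and flattens each scan type into the Regions
the policy enables and disables. Only the @@assign operator is handled,
because that is the only operator this page uses.
"""
import json

# Scan-type keys that appear in this page's examples.
KNOWN_SCAN_TYPES = {
    "ec2_scanning",
    "ecr_scanning",
    "lambda_standard_scanning",
    "lambda_code_scanning",
    "code_repository_scanning",
}
REGION_KEYS = ("enable_in_regions", "disable_in_regions")


def _assigned_regions(block, path, problems):
    """Return the list behind {"@@assign": [...]} or record why it is invalid."""
    if not isinstance(block, dict) or "@@assign" not in block:
        problems.append(f"{path}: expected an object with an '@@assign' key")
        return []
    regions = block["@@assign"]
    if not isinstance(regions, list) or not all(isinstance(r, str) for r in regions):
        problems.append(f"{path}/@@assign: expected an array of Region strings")
        return []
    return regions


def check_inspector_policy(doc):
    """Validate a policy dict and return (problems, summary).

    summary maps scan type -> {"enable": [...], "disable": [...]}.
    """
    problems, summary = [], {}
    inspector = doc.get("inspector")
    if not isinstance(inspector, dict):
        return ["missing top-level 'inspector' object"], summary
    enablement = inspector.get("enablement")
    if not isinstance(enablement, dict):
        return ["inspector: missing 'enablement' object"], summary

    for scan_type, cfg in enablement.items():
        path = f"inspector/enablement/{scan_type}"
        if scan_type not in KNOWN_SCAN_TYPES:
            problems.append(f"{path}: unknown scan type")
            continue
        if not isinstance(cfg, dict):
            problems.append(f"{path}: expected an object")
            continue
        entry = {"enable": [], "disable": []}
        for key, label in zip(REGION_KEYS, ("enable", "disable")):
            if key in cfg:
                entry[label] = _assigned_regions(cfg[key], f"{path}/{key}", problems)
        # A Region listed in both arrays is ambiguous; flag it rather than guess.
        clash = sorted(set(entry["enable"]) & set(entry["disable"]))
        if clash:
            problems.append(f"{path}: Regions in both enable and disable lists: {clash}")
        # Keys other than the two Region lists are not part of the structure
        # shown on this page, so they are reported for review.
        for extra in sorted(set(cfg) - set(REGION_KEYS)):
            problems.append(f"{path}/{extra}: unexpected key inside a scan-type block")
        summary[scan_type] = entry
    return problems, summary


def check_inspector_policy_file(path):
    """Convenience wrapper: load a JSON file such as inspector-policy-enable.json."""
    with open(path, encoding="utf-8") as fh:
        return check_inspector_policy(json.load(fh))


# Constructed sample: the basic structure from this page plus two deliberate
# mistakes (a typo in the scan-type key and a Region in both lists).
SAMPLE_POLICY = json.loads("""
{
  "inspector": {
    "enablement": {
      "ec2_scanning": {
        "enable_in_regions": {"@@assign": ["us-east-1", "us-west-2"]},
        "disable_in_regions": {"@@assign": ["eu-west-1", "us-west-2"]}
      },
      "ecr_scaning": {
        "enable_in_regions": {"@@assign": ["us-east-1"]}
      }
    }
  }
}
""")

if __name__ == "__main__":
    found, flat = check_inspector_policy(SAMPLE_POLICY)
    for p in found:
        print("PROBLEM:", p)
    print(json.dumps(flat, indent=2))
```

Run it against a file before calling `create-policy`: a misspelled scan-type key or a Region that appears in both lists is far cheaper to catch locally than after the policy has been attached to the root.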

## Amazon Inspector policy examples
<a name="inspector-policy-examples"></a>

The following examples demonstrate common Amazon Inspector policy configurations.

### Example 1 — Enable Amazon Inspector organization-wide
<a name="inspector-example-org-wide"></a>

The following example enables Amazon Inspector in `us-east-1` and `us-west-2` for all accounts under the organization root.

Create the `inspector-policy-enable.json` file:

```
{
  "inspector": {
    "enablement": {
      "lambda_standard_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        },
        "lambda_code_scanning": {
          "enable_in_regions": {
            "@@assign": [
              "us-east-1",
              "us-west-2"
            ]
          },
          "disable_in_regions": {
            "@@assign": [
              "eu-west-1"
            ]
          }
        }
      },
      "ec2_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        }
      },
      "ecr_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        }
      },
      "code_repository_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        }
      }
    }
  }
}
```

Once the policy is attached to the root, Amazon Inspector is enabled automatically in every account in the organization, and the findings are available to the Amazon Inspector delegated administrator.

Create and attach the policy:

```
POLICY_ID=$(aws organizations create-policy \
  --content file://inspector-policy-enable.json \
  --name InspectorOrgPolicy \
  --type INSPECTOR_POLICY \
  --description "Inspector organization policy to enable all resources in IAD and PDX." \
  --query 'Policy.PolicySummary.Id' \
  --output text)
aws organizations attach-policy --policy-id $POLICY_ID --target-id <root-id>
```

Any new account that joins the organization inherits the enablement automatically.

If the policy is detached, existing accounts remain enabled, but future accounts are not enabled automatically:

```
aws organizations detach-policy --policy-id $POLICY_ID --target-id <root-id>
```

### Example 2 — Enable Amazon Inspector for a specific OU
<a name="inspector-example-specific-ou"></a>

Create the `inspector-policy-eu-west-1.json` file:

```
{
  "inspector": {
    "enablement": {
      "lambda_standard_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-2"
          ]
        },
        "lambda_code_scanning": {
          "enable_in_regions": {
            "@@assign": [
              "eu-west-1"
            ]
          },
          "disable_in_regions": {
            "@@assign": [
              "eu-west-2"
            ]
          }
        }
      },
      "ec2_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-2"
          ]
        }
      },
      "ecr_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-2"
          ]
        }
      },
      "code_repository_scanning": {
        "enable_in_regions": {
          "@@assign": [
            "eu-west-1"
          ]
        },
        "disable_in_regions": {
          "@@assign": [
            "eu-west-2"
          ]
        }
      }
    }
  }
}
```

Attach it to the OU so that all production accounts in the OU have Amazon Inspector enabled in `eu-west-1` and are associated with the Amazon Inspector delegated administrator:

```
aws organizations update-policy --policy-id $POLICY_ID --content file://inspector-policy-eu-west-1.json --description "Inspector organization policy - Enable all (eu-west-1)"
aws organizations attach-policy --policy-id $POLICY_ID --target-id ou-aaaa-12345678
```

Accounts outside the OU are not affected.
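To see what Examples 1 and 2 produce together for a given account, here is an added Python example (not AWS code) that folds a root-to-account chain of Inspector policies into one effective document using the `@@assign` semantics of AWS Organizations inheritance operators, under which a value assigned at a lower level replaces the inherited one, and then lists the Regions each scan type ends up enabled in. The two policy documents are abbreviated from the page's examples (three scan types are kept, and the OU policy leaves `code_repository_scanning` to be inherited); the inheritance behaviour is modelled locally here, not read back from the service.

```python
"""Effective Amazon Inspector enablement along an inheritance chain.

Added example, not AWS code. Organizations evaluates management policies
from the root down to the account; the policies on this page use only
"@@assign", which replaces the value inherited from the level above. The
merge below implements that operator and nothing else (assumption: no
other inheritance operators are in play).
"""
import json
from copy import deepcopy

# Abbreviated from Example 1 (attached to the root): three scan types kept.
ROOT_POLICY = json.loads("""
{
  "inspector": {
    "enablement": {
      "ec2_scanning": {
        "enable_in_regions": {"@@assign": ["us-east-1", "us-west-2"]},
        "disable_in_regions": {"@@assign": ["eu-west-1"]}
      },
      "ecr_scanning": {
        "enable_in_regions": {"@@assign": ["us-east-1", "us-west-2"]},
        "disable_in_regions": {"@@assign": ["eu-west-1"]}
      },
      "code_repository_scanning": {
        "enable_in_regions": {"@@assign": ["us-east-1", "us-west-2"]},
        "disable_in_regions": {"@@assign": ["eu-west-1"]}
      }
    }
  }
}
""")

# Abbreviated from Example 2 (attached to the OU): it says nothing about
# code_repository_scanning, so that scan type is inherited from the root.
OU_POLICY = json.loads("""
{
  "inspector": {
    "enablement": {
      "ec2_scanning": {
        "enable_in_regions": {"@@assign": ["eu-west-1"]},
        "disable_in_regions": {"@@assign": ["eu-west-2"]}
      },
      "ecr_scanning": {
        "enable_in_regions": {"@@assign": ["eu-west-1"]},
        "disable_in_regions": {"@@assign": ["eu-west-2"]}
      }
    }
  }
}
""")


def merge_assign(parent, child):
    """Overlay child on parent; a node carrying "@@assign" replaces the parent's node."""
    if isinstance(child, dict) and "@@assign" in child:
        return deepcopy(child)
    if isinstance(parent, dict) and isinstance(child, dict):
        merged = deepcopy(parent)
        for key, value in child.items():
            merged[key] = merge_assign(parent[key], value) if key in parent else deepcopy(value)
        return merged
    return deepcopy(child)


def effective_policy(chain):
    """Fold a root-to-account list of policy documents into one effective document."""
    result = {}
    for doc in chain:
        result = merge_assign(result, doc)
    return result


def enabled_regions(doc):
    """Map each scan type to the sorted Regions the effective document enables it in."""
    out = {}
    for scan_type, cfg in doc.get("inspector", {}).get("enablement", {}).items():
        enable = set(cfg.get("enable_in_regions", {}).get("@@assign", []))
        disable = set(cfg.get("disable_in_regions", {}).get("@@assign", []))
        out[scan_type] = sorted(enable - disable)
    return out


if __name__ == "__main__":
    print("account under the root only:", enabled_regions(effective_policy([ROOT_POLICY])))
    print("account inside the OU:      ", enabled_regions(effective_policy([ROOT_POLICY, OU_POLICY])))
```

The point to notice is that `@@assign` replaces rather than adds: an account in the OU ends up with EC2 scanning enabled in `eu-west-1` only, not in `eu-west-1` plus the root's `us-east-1` and `us-west-2`, while a scan type the OU policy does not mention keeps the root's Regions. Comparing this output with the effective policy Organizations reports for an account is a quick way to confirm that the attached policies do what was intended.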