This is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original takes precedence.
Writing named-rule blocks in AWS CloudFormation Guard
When writing named-rule blocks in AWS CloudFormation Guard, you can use either of the following two composition styles:
- Conditional dependency
- Correlational dependency
Using either of these two dependency composition styles helps improve reusability and reduces verbosity and repetition in named-rule blocks.
Prerequisites
Understand named-rule blocks in Writing rules.
Conditional dependency composition
In this composition style, the evaluation of a when block or a named-rule block has a conditional dependency on the evaluation result of one or more other named-rule blocks or clauses. The following example Guard rules file contains named-rule blocks that demonstrate conditional dependency.
# Named-rule block, rule_name_A
rule rule_name_A {
    Guard_rule_1
    Guard_rule_2
    ...
}

# Example-1, Named-rule block, rule_name_B, takes a conditional dependency on rule_name_A
rule rule_name_B when rule_name_A {
    Guard_rule_3
    Guard_rule_4
    ...
}

# Example-2, when block takes a conditional dependency on rule_name_A
when rule_name_A {
    Guard_rule_3
    Guard_rule_4
    ...
}

# Example-3, Named-rule block, rule_name_C, takes a conditional dependency on rule_name_A ^ rule_name_B
rule rule_name_C when rule_name_A
                      rule_name_B {
    Guard_rule_3
    Guard_rule_4
    ...
}

# Example-4, Named-rule block, rule_name_D, takes a conditional dependency on (rule_name_A v clause_A) ^ clause_B ^ rule_name_B
rule rule_name_D when rule_name_A OR clause_A
                      clause_B
                      rule_name_B {
    Guard_rule_3
    Guard_rule_4
    ...
}
In the preceding example rules file, Example-1 can have the following outcomes:
- If rule_name_A evaluates to PASS, the Guard rules encapsulated by rule_name_B are evaluated.
- If rule_name_A evaluates to FAIL, the Guard rules encapsulated by rule_name_B are not evaluated. rule_name_B evaluates to SKIP.
- If rule_name_A evaluates to SKIP, the Guard rules encapsulated by rule_name_B are not evaluated. rule_name_B evaluates to SKIP.
Note
This is the case when rule_name_A is itself conditionally dependent on a rule that evaluates to FAIL, which results in rule_name_A evaluating to SKIP.
The following is an example of a configuration management database (CMDB) configuration item from AWS Config containing ingress and egress security group information. This example demonstrates conditional dependency composition.
rule check_resource_type_and_parameter {
    resourceType == /AWS::EC2::SecurityGroup/
    InputParameters.TcpBlockedPorts NOT EMPTY
}

rule check_parameter_validity when check_resource_type_and_parameter {
    InputParameters.TcpBlockedPorts[*] {
        this in r[0,65535]
    }
}

rule check_ip_procotol_and_port_range_validity when check_parameter_validity {
    let ports = InputParameters.TcpBlockedPorts[*]
    #
    # select all ipPermission instances that can be reached by ANY IP address
    # IPv4 or IPv6 and not UDP
    #
    let configuration = configuration.ipPermissions[
        some ipv4Ranges[*].cidrIp == "0.0.0.0/0" or
        some ipv6Ranges[*].cidrIpv6 == "::/0"
        ipProtocol != 'udp' ]
    when %configuration !empty {
        %configuration {
            ipProtocol != '-1'
            when fromPort exists
                 toPort exists {
                let ip_perm_block = this
                %ports {
                    this < %ip_perm_block.fromPort or
                    this > %ip_perm_block.toPort
                }
            }
        }
    }
}
In the preceding example, check_parameter_validity conditionally depends on check_resource_type_and_parameter, and check_ip_procotol_and_port_range_validity conditionally depends on check_parameter_validity.
The following is a configuration management database (CMDB) configuration item that conforms to the preceding rules.
---
version: '1.3'
resourceType: 'AWS::EC2::SecurityGroup'
resourceId: sg-12345678abcdefghi
configuration:
  description: Delete-me-after-testing
  groupName: good-sg-test-delete-me
  ipPermissions:
    - fromPort: 172
      ipProtocol: tcp
      ipv6Ranges: []
      prefixListIds: []
      toPort: 172
      userIdGroupPairs: []
      ipv4Ranges:
        - cidrIp: 0.0.0.0/0
      ipRanges:
        - 0.0.0.0/0
    - fromPort: 89
      ipProtocol: tcp
      ipv6Ranges:
        - cidrIpv6: '::/0'
      prefixListIds: []
      toPort: 89
      userIdGroupPairs: []
      ipv4Ranges:
        - cidrIp: 0.0.0.0/0
      ipRanges:
        - 0.0.0.0/0
  ipPermissionsEgress:
    - ipProtocol: '-1'
      ipv6Ranges: []
      prefixListIds: []
      userIdGroupPairs: []
      ipv4Ranges:
        - cidrIp: 0.0.0.0/0
      ipRanges:
        - 0.0.0.0/0
  tags:
    - key: Name
      value: good-sg-delete-me
  vpcId: vpc-0123abcd
InputParameters:
  TcpBlockedPorts:
    - 3389
    - 20
    - 110
    - 142
    - 1434
    - 5500
supplementaryConfiguration: {}
resourceTransitionStatus: None
Correlational dependency composition
In this composition style, the evaluation of a when block or a named-rule block has a correlational dependency on the evaluation result of one or more other Guard rules. Correlational dependency can be achieved as follows.
# Named-rule block, rule_name_A, takes a correlational dependency on all of the Guard rules encapsulated by the named-rule block
rule rule_name_A {
    Guard_rule_1
    Guard_rule_2
    ...
}

# when block takes a correlational dependency on all of the Guard rules encapsulated by the when block
when condition {
    Guard_rule_1
    Guard_rule_2
    ...
}
To help you understand correlational dependency composition, review the following example Guard rules file.
#
# Allowed valid protocols for AWS::ElasticLoadBalancingV2::Listener resources
#
let allowed_protocols = [ "HTTPS", "TLS" ]

let elbs = Resources.*[ Type == 'AWS::ElasticLoadBalancingV2::Listener' ]

#
# If there are AWS::ElasticLoadBalancingV2::Listener resources present, ensure that they have protocols specified from the
# list of allowed protocols and that the Certificates property is not empty
#
rule ensure_all_elbs_are_secure when %elbs !empty {
    %elbs.Properties {
        Protocol in %allowed_protocols
        Certificates !empty
    }
}

#
# In addition to secure settings, ensure that AWS::ElasticLoadBalancingV2::Listener resources are private
#
rule ensure_elbs_are_internal_and_secure when %elbs !empty {
    ensure_all_elbs_are_secure
    %elbs.Properties.Scheme == 'internal'
}
In the preceding rules file, ensure_elbs_are_internal_and_secure has a correlational dependency on ensure_all_elbs_are_secure.
The following is an example CloudFormation template that conforms to the preceding rules.
Resources:
  ServiceLBPublicListener46709EAA:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      Scheme: internal
      Protocol: HTTPS
      Certificates:
        - CertificateArn: 'arn:aws:acm...'
  ServiceLBPublicListener4670GGG:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      Scheme: internal
      Protocol: HTTPS
      Certificates:
        - CertificateArn: 'arn:aws:acm...'
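As an added example that is not part of the AWS documentation, the following rules file puts the two composition styles side by side on the same Scheme check, so that the SKIP behaviour described in the note above and the FAIL behaviour of the correlational style can be compared directly. The rule names internal_and_secure_correlational and internal_only_conditional and the constructed input described in the comments are assumptions, not names from the page.

```guard
#
# Constructed input (assumed, not on the original page): a template with two
# AWS::ElasticLoadBalancingV2::Listener resources.
#   ListenerA: Scheme internal,        Protocol HTTPS, Certificates present
#   ListenerB: Scheme internet-facing, Protocol HTTPS, Certificates present
#
let allowed_protocols = [ "HTTPS", "TLS" ]
let elbs = Resources.*[ Type == 'AWS::ElasticLoadBalancingV2::Listener' ]

# Same secure-settings rule as on the page; PASSes for the input above.
rule ensure_all_elbs_are_secure when %elbs !empty {
    %elbs.Properties {
        Protocol in %allowed_protocols
        Certificates !empty
    }
}

#
# Correlational: ensure_all_elbs_are_secure is a clause of this rule, so the
# rule FAILs whenever either the secure check or the Scheme check fails.
# For the input above it FAILs on ListenerB (internet-facing), and the
# failure is reported against this rule.
#
rule internal_and_secure_correlational when %elbs !empty {
    ensure_all_elbs_are_secure
    %elbs.Properties.Scheme == 'internal'
}

#
# Conditional: the Scheme clause is only evaluated when
# ensure_all_elbs_are_secure PASSes. For the input above that rule PASSes,
# so this rule is evaluated and also FAILs on ListenerB.
# If ListenerB instead had an empty Certificates property,
# ensure_all_elbs_are_secure would FAIL, this rule would evaluate to SKIP,
# and the internet-facing Scheme would not be reported by this rule at all.
# Use the conditional style to gate checks on applicability, and the
# correlational style when every violated clause must surface as a FAIL.
#
rule internal_only_conditional when ensure_all_elbs_are_secure {
    %elbs.Properties.Scheme == 'internal'
}
```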