

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version takes precedence.

# Testing custom hooks in your AWS account
<a name="testing-hooks"></a>

Now that you have coded the handler functions that correspond to the invocation points, it is time to test your custom hook against a CloudFormation stack.

The hook's failure mode is set to `FAIL`, so the hook fails if the CloudFormation template does not provision an S3 bucket with all of the following:
+ Amazon S3 bucket encryption is configured.
+ The Amazon S3 bucket key is enabled for the bucket.
+ The encryption algorithm set on the Amazon S3 bucket is the required one.
+ An AWS Key Management Service key ID is set.

In the following example, a template named `my-failed-bucket-stack.yml` is deployed as a stack named `my-hook-stack`; the template fails the stack configuration and stops before any resource is provisioned.

## Test the hook by provisioning a stack
<a name="testing-hooks-provision-stack"></a>

### Example 1: Provision a stack
<a name="provision-a-stack-example-1"></a>

**Provision a non-compliant stack**

1. Write a template that specifies an S3 bucket. For example, `my-failed-bucket-stack.yml`.

   ```
   AWSTemplateFormatVersion: 2010-09-09
   Resources:
     S3Bucket:
       Type: AWS::S3::Bucket
       Properties: {}
   ```

1. Create the stack, specifying your template in the AWS Command Line Interface (AWS CLI). In the following example, the stack name is `my-hook-stack` and the template name is `my-failed-bucket-stack.yml`.

   ```
   $ aws cloudformation create-stack \
     --stack-name my-hook-stack \
     --template-body file://my-failed-bucket-stack.yml
   ```

1. (Optional) View the stack's progress by specifying the stack name. In the following example, the stack name `my-hook-stack` is specified.

   ```
   $ aws cloudformation describe-stack-events \
     --stack-name my-hook-stack
   ```

   Use the `describe-stack-events` operation to see the hook failure that occurred while the bucket was being created. The following is example output of the command.

   ```
   {
       "StackEvents": [
       ...
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-hook-stack/2c693970-f57e-11eb-a0fb-061a2a83f0b9",
               "EventId": "S3Bucket-CREATE_FAILED-2021-08-04T23:47:03.305Z",
               "StackName": "my-hook-stack",
               "LogicalResourceId": "S3Bucket",
               "PhysicalResourceId": "",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:47:03.305000+00:00",
               "ResourceStatus": "CREATE_FAILED",
               "ResourceStatusReason": "The following hook(s) failed: [MyCompany::Testing::MyTestHook]",
               "ResourceProperties": "{}",
               "ClientRequestToken": "Console-CreateStack-abe71ac2-ade4-a762-0499-8d34d91d6a92"
           },
       ...
       ]
   }
   ```

   *Result*: The hook invocation failed the stack configuration and stopped resource provisioning.

**Pass hook validation with a CloudFormation template**

1. To create the stack and pass hook validation, update the template so that your resource uses an encrypted S3 bucket. This example uses the template `my-encrypted-bucket-stack.yml`.

   ```
   AWSTemplateFormatVersion: 2010-09-09
   Description: |
     This CloudFormation template provisions an encrypted S3 Bucket
   Resources:
     EncryptedS3Bucket:
       Type: AWS::S3::Bucket
       Properties:
         BucketName: !Sub encryptedbucket-${AWS::Region}-${AWS::AccountId}
         BucketEncryption:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
                 SSEAlgorithm: 'aws:kms'
                 KMSMasterKeyID: !Ref EncryptionKey
               BucketKeyEnabled: true
     EncryptionKey:
       Type: AWS::KMS::Key
       DeletionPolicy: Retain
       Properties:
         Description: KMS key used to encrypt the resource type artifacts
         EnableKeyRotation: true
         KeyPolicy:
           Version: 2012-10-17
           Statement:
             - Sid: Enable full access for owning account
               Effect: Allow
               Principal:
                 AWS: !Ref AWS::AccountId
               Action: 'kms:*'
               Resource: '*'
   Outputs:
     EncryptedBucketName:
       Value: !Ref EncryptedS3Bucket
   ```
**Note**  
Hooks are not invoked for skipped resources.

1. Create the stack, specifying your template. In this example, the stack name is `my-encrypted-bucket-stack`.

   ```
   $ aws cloudformation create-stack \
     --stack-name my-encrypted-bucket-stack \
     --template-body file://my-encrypted-bucket-stack.yml
   ```

1. (Optional) View the stack's progress by specifying the stack name.

   ```
   $ aws cloudformation describe-stack-events \
     --stack-name my-encrypted-bucket-stack
   ```

   Use the `describe-stack-events` command to view the response. The following is example output of the `describe-stack-events` command.

   ```
   {
       "StackEvents": [
       ...
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-CREATE_COMPLETE-2021-08-04T23:23:20.973Z",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "encryptedbucket-us-west-2-123456789012",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:23:20.973000+00:00",
               "ResourceStatus": "CREATE_COMPLETE",
               "ResourceProperties": "{\"BucketName\":\"encryptedbucket-us-west-2-123456789012\",\"BucketEncryption\":{\"ServerSideEncryptionConfiguration\":[{\"BucketKeyEnabled\":\"true\",\"ServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"ENCRYPTION_KEY_ARN\"}}]}}",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-CREATE_IN_PROGRESS-2021-08-04T23:22:59.410Z",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "encryptedbucket-us-west-2-123456789012",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:22:59.410000+00:00",
               "ResourceStatus": "CREATE_IN_PROGRESS",
               "ResourceStatusReason": "Resource creation Initiated",
               "ResourceProperties": "{\"BucketName\":\"encryptedbucket-us-west-2-123456789012\",\"BucketEncryption\":{\"ServerSideEncryptionConfiguration\":[{\"BucketKeyEnabled\":\"true\",\"ServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"ENCRYPTION_KEY_ARN\"}}]}}",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-6516081f-c1f2-4bfe-a0f0-cefa28679994",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:22:58.349000+00:00",
               "ResourceStatus": "CREATE_IN_PROGRESS",
               "ResourceStatusReason": "Hook invocations complete.  Resource creation initiated",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
       ...
       ]
   }
   ```

   *Result*: CloudFormation created the stack successfully. The hook's logic verified that the `AWS::S3::Bucket` resource was configured with server-side encryption before the resource was provisioned.

### Example 2: Provision a stack
<a name="provision-a-stack-example-2"></a>

**Provision a non-compliant stack**

1. Write a template that specifies an S3 bucket. For example, `aes256-bucket.yml`.

   ```
   AWSTemplateFormatVersion: 2010-09-09
   Description: |
     This CloudFormation template provisions an encrypted S3 Bucket
   Resources:
     EncryptedS3Bucket:
       Type: AWS::S3::Bucket
       Properties:
         BucketName: !Sub encryptedbucket-${AWS::Region}-${AWS::AccountId}
         BucketEncryption:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
                 SSEAlgorithm: AES256
               BucketKeyEnabled: true
   Outputs:
     EncryptedBucketName:
       Value: !Ref EncryptedS3Bucket
   ```

1. Create the stack, specifying your template in the AWS CLI. In the following example, the stack name is `my-hook-stack` and the template name is `aes256-bucket.yml`.

   ```
   $ aws cloudformation create-stack \
     --stack-name my-hook-stack \
     --template-body file://aes256-bucket.yml
   ```

1. (Optional) View the stack's progress by specifying the stack name. In the following example, the stack name `my-hook-stack` is specified.

   ```
   $ aws cloudformation describe-stack-events \
     --stack-name my-hook-stack
   ```

   Use the `describe-stack-events` operation to see the hook failure that occurred while the bucket was being created. The following is example output of the command.

   ```
   {
       "StackEvents": [
       ...
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-hook-stack/2c693970-f57e-11eb-a0fb-061a2a83f0b9",
               "EventId": "S3Bucket-CREATE_FAILED-2021-08-04T23:47:03.305Z",
               "StackName": "my-hook-stack",
               "LogicalResourceId": "S3Bucket",
               "PhysicalResourceId": "",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:47:03.305000+00:00",
               "ResourceStatus": "CREATE_FAILED",
               "ResourceStatusReason": "The following hook(s) failed: [MyCompany::Testing::MyTestHook]",
               "ResourceProperties": "{}",
               "ClientRequestToken": "Console-CreateStack-abe71ac2-ade4-a762-0499-8d34d91d6a92"
           },
       ...
       ]
   }
   ```

   *Result*: The hook invocation failed the stack configuration and stopped resource provisioning. The stack failed because the S3 bucket's encryption was set incorrectly: the hook's type configuration requires `aws:kms`, while this bucket uses `AES256`.

**Pass hook validation with a CloudFormation template**

1. To create the stack and pass hook validation, update the template so that your resource uses an encrypted S3 bucket. This example uses the template `kms-bucket-and-queue.yml`.

   ```
   AWSTemplateFormatVersion: 2010-09-09
   Description: |
     This CloudFormation template provisions an encrypted S3 Bucket
   Resources:
     EncryptedS3Bucket:
       Type: AWS::S3::Bucket
       Properties:
         BucketName: !Sub encryptedbucket-${AWS::Region}-${AWS::AccountId}
         BucketEncryption:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
                 SSEAlgorithm: 'aws:kms'
                 KMSMasterKeyID: !Ref EncryptionKey
               BucketKeyEnabled: true
     EncryptedQueue:
       Type: AWS::SQS::Queue
       Properties:
         QueueName: !Sub encryptedqueue-${AWS::Region}-${AWS::AccountId}
         KmsMasterKeyId: !Ref EncryptionKey
     EncryptionKey:
       Type: AWS::KMS::Key
       DeletionPolicy: Retain
       Properties:
         Description: KMS key used to encrypt the resource type artifacts
         EnableKeyRotation: true
         KeyPolicy:
           Version: 2012-10-17
           Statement:
             - Sid: Enable full access for owning account
               Effect: Allow
               Principal:
                 AWS: !Ref AWS::AccountId
               Action: 'kms:*'
               Resource: '*'
   Outputs:
     EncryptedBucketName:
       Value: !Ref EncryptedS3Bucket
     EncryptedQueueName:
       Value: !Ref EncryptedQueue
   ```
**Note**  
Hooks are not invoked for skipped resources.

1. Create the stack, specifying your template. In this example, the stack name is `my-encrypted-bucket-stack`.

   ```
   $ aws cloudformation create-stack \
     --stack-name my-encrypted-bucket-stack \
     --template-body file://kms-bucket-and-queue.yml
   ```

1. (Optional) View the stack's progress by specifying the stack name.

   ```
   $ aws cloudformation describe-stack-events \
     --stack-name my-encrypted-bucket-stack
   ```

   Use the `describe-stack-events` command to view the response. The following is example output of the `describe-stack-events` command.

   ```
   {
       "StackEvents": [
       ...
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-CREATE_COMPLETE-2021-08-04T23:23:20.973Z",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "encryptedbucket-us-west-2-123456789012",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:23:20.973000+00:00",
               "ResourceStatus": "CREATE_COMPLETE",
               "ResourceProperties": "{\"BucketName\":\"encryptedbucket-us-west-2-123456789012\",\"BucketEncryption\":{\"ServerSideEncryptionConfiguration\":[{\"BucketKeyEnabled\":\"true\",\"ServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"ENCRYPTION_KEY_ARN\"}}]}}",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-CREATE_IN_PROGRESS-2021-08-04T23:22:59.410Z",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "encryptedbucket-us-west-2-123456789012",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:22:59.410000+00:00",
               "ResourceStatus": "CREATE_IN_PROGRESS",
               "ResourceStatusReason": "Resource creation Initiated",
               "ResourceProperties": "{\"BucketName\":\"encryptedbucket-us-west-2-123456789012\",\"BucketEncryption\":{\"ServerSideEncryptionConfiguration\":[{\"BucketKeyEnabled\":\"true\",\"ServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"ENCRYPTION_KEY_ARN\"}}]}}",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
           {
               "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-encrypted-bucket-stack/82a97150-f57a-11eb-8eb2-06a6bdcc7779",
               "EventId": "EncryptedS3Bucket-6516081f-c1f2-4bfe-a0f0-cefa28679994",
               "StackName": "my-encrypted-bucket-stack",
               "LogicalResourceId": "EncryptedS3Bucket",
               "PhysicalResourceId": "",
               "ResourceType": "AWS::S3::Bucket",
               "Timestamp": "2021-08-04T23:22:58.349000+00:00",
               "ResourceStatus": "CREATE_IN_PROGRESS",
               "ResourceStatusReason": "Hook invocations complete.  Resource creation initiated",
               "ClientRequestToken": "Console-CreateStack-39df35ac-ca00-b7f6-5661-4e917478d075"
           },
       ...
       ]
   }
   ```

   *Result*: CloudFormation created the stack successfully. The hook's logic verified that the `AWS::S3::Bucket` resource was configured with server-side encryption before the resource was provisioned.
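As an added example (not code from the CloudFormation documentation or from the `MyCompany::Testing::MyTestHook` project), the following Python triages `describe-stack-events` output from a hook test run like the two above: it lists which hook failed each `AWS::S3::Bucket` resource and re-checks that resource's `ResourceProperties` against the four rules listed at the top of this page, so a failure can be traced to the specific rule. The `SAMPLE` events are constructed to mirror the outputs shown in both examples, and `_props`, `failed_hooks`, `bucket_violations` and `triage` are names chosen here.

```python
import json
def _props(algorithm, key_id=None):  # constructed ResourceProperties string, shaped like the output above
    sse = {"SSEAlgorithm": algorithm, **({"KMSMasterKeyID": key_id} if key_id else {})}
    return json.dumps({"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"BucketKeyEnabled": "true", "ServerSideEncryptionByDefault": sse}]}})

FAIL_REASON = "The following hook(s) failed: [MyCompany::Testing::MyTestHook]"
SAMPLE = json.dumps({"StackEvents": [  # constructed sample, newest event first as the CLI returns it
    {"LogicalResourceId": "S3Bucket", "ResourceType": "AWS::S3::Bucket",
     "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": FAIL_REASON,
     "ResourceProperties": "{}"},
    {"LogicalResourceId": "AesBucket", "ResourceType": "AWS::S3::Bucket",
     "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": FAIL_REASON,
     "ResourceProperties": _props("AES256")},
    {"LogicalResourceId": "EncryptedS3Bucket", "ResourceType": "AWS::S3::Bucket",
     "ResourceStatus": "CREATE_COMPLETE",
     "ResourceProperties": _props("aws:kms", "ENCRYPTION_KEY_ARN")},
    {"LogicalResourceId": "EncryptedS3Bucket", "ResourceType": "AWS::S3::Bucket",
     "ResourceStatus": "CREATE_IN_PROGRESS",  # this event carries no ResourceProperties
     "ResourceStatusReason": "Hook invocations complete.  Resource creation initiated"},
]})

def failed_hooks(event):
    """Hook type names that a *_FAILED event blames, or [] if the reason is not a hook failure."""
    reason = event.get("ResourceStatusReason", "")
    inner = reason.partition("The following hook(s) failed: [")[2].rstrip("]")
    return [h.strip() for h in inner.split(",")] if inner else []

def bucket_violations(props):
    """Re-apply the hook's four S3 rules; [] means pass. Events carry BucketKeyEnabled as "true"."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not rules:
        return ["bucket encryption is not configured"]
    rule, sse = rules[0], rules[0].get("ServerSideEncryptionByDefault", {})  # S3 keeps one rule
    checks = [(str(rule.get("BucketKeyEnabled")).lower() == "true", "BucketKeyEnabled is not true"),
              (sse.get("SSEAlgorithm") == "aws:kms", "SSEAlgorithm is not aws:kms"),
              (bool(sse.get("KMSMasterKeyID")), "KMSMasterKeyID is not set")]
    return [msg for ok, msg in checks if not ok]

def triage(describe_output):
    """Per AWS::S3::Bucket logical id: hooks that failed it and the rules it breaks."""
    report = {}
    events = json.loads(describe_output)["StackEvents"]
    for ev in (e for e in events if e.get("ResourceType") == "AWS::S3::Bucket"):
        entry = report.setdefault(ev["LogicalResourceId"], {"hooks": [], "violations": None})
        entry["hooks"] += failed_hooks(ev)
        if entry["violations"] is None and "ResourceProperties" in ev:  # newest event wins
            entry["violations"] = bucket_violations(json.loads(ev["ResourceProperties"]))
    return report
```

Pipe real output into it with `aws cloudformation describe-stack-events --stack-name my-hook-stack` and `triage(sys.stdin.read())`; a resource with a non-empty `hooks` list but no listed violations points at a rule the hook enforces beyond the four above.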