Amazon web services 使用云托管仅限制特定安全组中的特定端口
已经有一个类似的问题。我读了一些答案,但我无法解决这个问题。我不得不为此创建一个单独的帖子,因为我没有足够的信誉点来回复该帖子中的用户。链接是:-。我想限制所有暴露于公众的端口,除了几个安全组。例如,对于其中一个安全组,我不希望端口80向公众公开,但对于一个安全组,如“sg-123456789”,我希望端口80向公众开放。如何编写云托管策略Amazon web services 使用云托管仅限制特定安全组中的特定端口,amazon-web-services,amazon-ec2,cloudcustodian,Amazon Web Services,Amazon Ec2,Cloudcustodian,已经有一个类似的问题。我读了一些答案,但我无法解决这个问题。我不得不为此创建一个单独的帖子,因为我没有足够的信誉点来回复该帖子中的用户。链接是:-。我想限制所有暴露于公众的端口,除了几个安全组。例如,对于其中一个安全组,我不希望端口80向公众公开,但对于一个安全组,如“sg-123456789”,我希望端口80向公众开放。如何编写云托管策略 - name: sg-123456789 resource: security-group description: | R
- name: sg-123456789
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-123456789"
op: in
-or:
- type: ingress
OnlyPorts: [80]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [80]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
- name: sg-987654321
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::9797979797:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
-and:
- type: value
key: GroudId
value: "sg-987654321"
op: in
-or:
- type: ingress
OnlyPorts: [3000]
Cidr:
value: "0.0.0.0/0"
op: in
- type: ingress
OnlyPorts: [3000]
CidrV6:
value: "::/0"
op: in
actions:
- type: remove-permissions
ingress: matched
我目前也在从事云托管的工作。我尝试创建一个低于预期的策略,但也没有按预期工作
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/cloudcustodianrole
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
actions:
- type: remove-permissions
ingress: matched
- name: sg-0987654321-ipv6
resource: security-group
description: |
Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
mode:
type: cloudtrail
role: arn:aws:iam::1234567890:role/custo_role
events:
- source: ec2.amazonaws.com
event: AuthorizeSecurityGroupIngress
ids: "requestParameters.groupId"
- source: ec2.amazonaws.com
event: RevokeSecurityGroupIngress
ids: "requestParameters.groupId"
filters:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
CidrV6:
value: "::/0"
actions:
- type: remove-permissions
ingress: matched
也尝试过应用下面的和
过滤器,但不幸的是没有成功
filters:
- and:
- type: value
key: GroudId
value: "sg-0987654321"
op: in
- type: ingress
OnlyPorts: [80, 443, 3000]
Cidr:
value: "0.0.0.0/0"
请告诉我哪里出了问题。共享您遇到的错误的屏幕截图,您必须使用ipv4和ipv6的单独策略进行补救模式
resource: security-group
filters:
- and:
- type: value
key: GroupId
op: in
value:
- sg-0db5e1ab7ccccc
- or:
- type: ingress
OnlyPorts: [80,443]
Cidr:
value: "0.0.0.0/0"
- type: ingress
OnlyPorts: [80,443]
CidrV6:
value: "::/0"
我认为@Chenna建议的答案也应该解决你的问题。