# @104corp/cfn-basic-module

CloudFormation Basic module

- CloudTrail
- IAM Role for administrator
  - Role-Administrator (AdministratorAccess)
- AWS Health Event notify owner (slack)
- AWS Config
- AWS Config Rule
  - For Monitor
    - AWS ACM_CERTIFICATE_EXPIRATION_CHECK
  - For Security
    - AWS CLOUD_TRAIL_ENABLED
    - IAM_ROOT_ACCESS_KEY_CHECK
    - ROOT_ACCOUNT_MFA_ENABLED
    - RDS_INSTANCE_PUBLIC_ACCESS_CHECK
    - ELB_LOGGING_ENABLED
    - VPC_FLOW_LOGS_ENABLED
    - DYNAMODB_TABLE_ENCRYPTION_ENABLED
  - For Cost
    - AWS EIP_ATTACHED
    - AWS EC2_VOLUME_INUSE_CHECK

## Install

Install Node.js and npm first!

```shell
npm i @104corp/cfn-basic-module
```

## Usage

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-basic-module example'
Resources:
  Basic:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        SlackWebhookURL: '' # optional
        CloudTrailS3BucketName: '' # optional
        EnableConfigService: '' # optional
        ConfigS3BucketName: '' # optional
        AdminAccountId: '' # optional
      TemplateURL: './node_modules/@104corp/cfn-basic-module/module.yml'
```

### Package

```shell
$ aws cloudformation package --template-file example.yml --s3-bucket <your cfn template bucket> --output-template-file packaged.yml
```

### Deploy

```shell
$ aws cloudformation deploy --template-file packaged.yml --stack-name <your stack name>
```
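Before packaging, it is worth checking that every key passed under `Parameters` in the parent stack is a parameter the child template actually declares: CloudFormation fails the deployment of a nested stack that is handed a parameter the child template does not define. The Usage example passes `AdminAccountId` while the parameter list for `templates/module` documents `AdminPrincipal`, so a check like the following catches that kind of mismatch against whichever names the installed `module.yml` really declares. This is an added example, not code from @104corp/cfn-basic-module; `MODULE_PARAMETERS` is transcribed from the parameter list in this README (an assumption about what `module.yml` declares, not read from the file), and the parent template is the Usage example transcribed to JSON, which CloudFormation accepts, so that only the standard library is needed.

```python
"""Pre-package check for a parent template that nests cfn-basic-module.

Added example, not part of @104corp/cfn-basic-module. MODULE_PARAMETERS is
transcribed from the parameter list in this README (an assumption about what
module.yml declares), and PARENT_TEMPLATE is the README's Usage example
written as JSON, which CloudFormation accepts, so only the standard library
is needed.
"""
import json

MODULE_TEMPLATE_PATH = "./node_modules/@104corp/cfn-basic-module/module.yml"

# Parameter names of templates/module as listed in this README (assumed to
# match module.yml; on a real checkout read them from the file instead).
MODULE_PARAMETERS = frozenset({
    "MainRegion", "SlackWebhookURL", "AdminPrincipal", "EnableCloudTrail",
    "CloudTrailS3BucketName", "EnableConfigService", "ConfigS3BucketName",
    "ConfigSNSTopicArn", "CofingRulePrefix", "ACMCertificatesDaysToExpiration",
    "EnableEIPAttachedConfigRule", "EnableEC2VolumeInuseCheckConfigRule",
    "EnableIAMRootKeyCheckConfigRule", "EnableRootMFAEnabledConfigRule",
    "EnableRDSPublicAccessCheckConfigRule",
    "EnableSGOpenOnlyToAuthorizedPortsConfigRule", "SGOpenAuthorizedTcpPorts",
    "SGOpenAuthorizedUdpPorts", "EnableVPCFlowLogsEnabledConfigRule",
    "VPCFlowLogTrafficType", "EnableELBLoggingEnabledConfigRule",
    "ELBLoggingS3BucketNames", "EnableDynamodbEncryptionConfigRule",
})

# The README's Usage example, transcribed to JSON (constructed input).
PARENT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "cfn-basic-module example",
    "Resources": {
        "Basic": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {
                "Parameters": {
                    "SlackWebhookURL": "",
                    "CloudTrailS3BucketName": "",
                    "EnableConfigService": "",
                    "ConfigS3BucketName": "",
                    "AdminAccountId": "",
                },
                "TemplateURL": MODULE_TEMPLATE_PATH,
            },
        }
    },
})


def nested_stack_findings(template_json, module_params=MODULE_PARAMETERS,
                          module_url=MODULE_TEMPLATE_PATH):
    """Return one finding per parameter that a nested stack pointing at
    module_url passes but the module does not declare. CloudFormation rejects
    such a stack at deploy time, so run this before `aws cloudformation package`
    (packaging rewrites TemplateURL to an S3 URL)."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFormation::Stack":
            continue
        props = resource.get("Properties", {})
        if props.get("TemplateURL") != module_url:
            continue  # some other nested stack; not this module
        for key in sorted(props.get("Parameters", {})):
            if key not in module_params:
                findings.append(f"{name}: parameter '{key}' is not declared by the module")
    return findings


if __name__ == "__main__":
    for finding in nested_stack_findings(PARENT_TEMPLATE) or ["no findings"]:
        print(finding)
```

On a real checkout, replace `MODULE_PARAMETERS` with the keys of the `Parameters` section read from `./node_modules/@104corp/cfn-basic-module/module.yml` (PyYAML can load it) and run the check against `example.yml` before the package step.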
## Parameters

### templates/module

#### Description

A basic template

#### Parameters

The list of parameters for this template:

- `MainRegion` (Type: String, Default: None): (Optional) create in the main region
- `SlackWebhookURL` (Type: String, Default: None): (Optional) send notifications to this Slack webhook URL
- `AdminPrincipal` (Type: String, Default: None): (Optional) AWS account principal of the administrator account allowed to assume the role
- `EnableCloudTrail` (Type: String): (Optional) whether to enable CloudTrail
- `CloudTrailS3BucketName` (Type: String, Default: None): (Optional) if you already have a CloudTrail S3 bucket
- `EnableConfigService` (Type: String): (Optional) whether to enable AWS Config
- `ConfigS3BucketName` (Type: String, Default: None): (Optional) if you already have an AWS Config S3 bucket
- `ConfigSNSTopicArn` (Type: String, Default: None): (Optional) AWS Config SNS topic ARN
- `CofingRulePrefix` (Type: String, Default: None): (Optional) Config rule name prefix
- `ACMCertificatesDaysToExpiration` (Type: Number): (Optional) checks whether ACM certificates in your account are marked for expiration within the specified number of days
- `EnableEIPAttachedConfigRule` (Type: String): (Optional) enable the rule that checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs
- `EnableEC2VolumeInuseCheckConfigRule` (Type: String): (Optional) enable the rule that checks whether EBS volumes are attached to EC2 instances
- `EnableIAMRootKeyCheckConfigRule` (Type: String): (Optional) enable the rule that checks whether the root user access key is available
- `EnableRootMFAEnabledConfigRule` (Type: String): (Optional) enable the rule that checks whether the root user of your AWS account requires multi-factor authentication for console sign-in
- `EnableRDSPublicAccessCheckConfigRule` (Type: String): (Optional) enable the rule that checks whether Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item
- `EnableSGOpenOnlyToAuthorizedPortsConfigRule` (Type: String): (Optional) enable the rule that checks whether any security group with inbound 0.0.0.0/0 has TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible that is not specified in the rule parameters
- `SGOpenAuthorizedTcpPorts` (Type: String, Default: `80,443`): (Optional) comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, `443,1020-1025`
- `SGOpenAuthorizedUdpPorts` (Type: String, Default: `0`): (Optional) comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, `500,1020-1025`
- `EnableVPCFlowLogsEnabledConfigRule` (Type: String): (Optional) enable the rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for the Amazon VPC
- `VPCFlowLogTrafficType` (Type: String, Default: None): (Optional) VPC flow log traffic type
- `EnableELBLoggingEnabledConfigRule` (Type: String): (Optional) enable the rule that checks whether the Application Load Balancers and the Classic Load Balancers have logging enabled
- `ELBLoggingS3BucketNames` (Type: String, Default: None): (Optional) ELB logging S3 bucket name
- `EnableDynamodbEncryptionConfigRule` (Type: String): (Optional) enable the rule that checks whether Amazon DynamoDB tables are encrypted and checks their status. The rule is compliant if the status is enabled or enabling
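The two `SGOpenAuthorized*Ports` parameters are the only ones in the list whose format is easy to get wrong, and the consequence of a malformed or overly broad list is that the rule silently authorizes ports it should flag. The following added example (not code from @104corp/cfn-basic-module or from the AWS managed rule) reimplements the documented logic so the port-list format and the NON_COMPLIANT condition can be exercised offline: an inbound rule from 0.0.0.0/0 is a violation for every TCP or UDP port it exposes that is not in the authorized list for that protocol, and the defaults are the README's `80,443` and `0`. The security group is constructed sample data shaped like the `IpPermissions` list that `ec2:DescribeSecurityGroups` returns.

```python
"""Evaluate security-group ingress against the authorized-port lists that
EnableSGOpenOnlyToAuthorizedPortsConfigRule is configured with.

Added example: not code from @104corp/cfn-basic-module or from the AWS
managed rule; it reimplements the documented logic. SAMPLE_PERMISSIONS is
constructed data shaped like ec2:DescribeSecurityGroups IpPermissions.
"""


def parse_ports(spec):
    """Parse a comma-separated port list with dash ranges ("443,1020-1025")
    into a set of port numbers. Whitespace is ignored; an empty spec
    authorizes nothing; anything outside 0-65535 or reversed is rejected."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def to_ranges(ports):
    """Compress a set of ports into sorted (lo, hi) tuples for reporting."""
    ranges = []
    for port in sorted(ports):
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [tuple(r) for r in ranges]


def evaluate_security_group(ip_permissions, authorized_tcp="80,443",
                            authorized_udp="0"):
    """Return ("COMPLIANT", {}) or ("NON_COMPLIANT", {proto: [(lo, hi), ...]})
    listing the ports that world-open (0.0.0.0/0) rules expose beyond the
    authorized lists. Defaults match the README's parameter defaults. Rules
    whose sources are not 0.0.0.0/0 are out of scope, as are protocols other
    than TCP and UDP; IpProtocol "-1" (all traffic) counts as every port."""
    allowed = {"tcp": parse_ports(authorized_tcp), "udp": parse_ports(authorized_udp)}
    exposed = {"tcp": set(), "udp": set()}
    for perm in ip_permissions:
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue
        proto = perm["IpProtocol"]
        if proto == "-1":
            protos, lo, hi = ["tcp", "udp"], 0, 65535
        elif proto in allowed:
            protos, lo, hi = [proto], perm["FromPort"], perm["ToPort"]
        else:
            continue
        for p in protos:
            exposed[p].update(set(range(lo, hi + 1)) - allowed[p])
    violations = {p: to_ranges(s) for p, s in exposed.items() if s}
    return ("NON_COMPLIANT" if violations else "COMPLIANT"), violations


# Constructed sample: HTTPS open to the world (authorized by default), SSH
# open to the world (not authorized), PostgreSQL open only to a private
# range (out of scope), and a UDP range open to the world (not authorized).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 510, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(evaluate_security_group(SAMPLE_PERMISSIONS))
    print(evaluate_security_group(SAMPLE_PERMISSIONS, authorized_udp="500,1020-1025"))
```

Running `parse_ports` on the values you intend to pass as `SGOpenAuthorizedTcpPorts` and `SGOpenAuthorizedUdpPorts` before deploying is a cheap way to confirm the lists say what you mean; note that `0` for UDP, the README's default, authorizes only port 0, which effectively means no UDP may be world-open.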
#### Resources

The list of resources this template creates:

- `EventRule`: AWS::Events::Rule
- `PermissionForEventsToInvokeLambda`: AWS::Lambda::Permission
- `LambdaExecutionRole`: AWS::IAM::Role
- `LambdaFunction`: AWS::Lambda::Function
- `CloudTrailS3Bucket`: AWS::S3::Bucket
- `CloudTrailS3BucketPolicy`: AWS::S3::BucketPolicy
- `CloudTrail`: AWS::CloudTrail::Trail
- `CloudTrailWithS3`: AWS::CloudTrail::Trail
- `AdministratorRole`: AWS::IAM::Role
- `ConfigS3Bucket`: AWS::S3::Bucket
- `ConfigS3BucketPolicy`: AWS::S3::BucketPolicy
- `RoleForConfig`: AWS::IAM::Role
- `ConfigRecorder`: AWS::Config::ConfigurationRecorder
- `ConfigDeliveryChannel`: AWS::Config::DeliveryChannel
- `ConfigDeliveryChannelWithS3`: AWS::Config::DeliveryChannel
- `CloudTrailEnabledConfigRule`: AWS::Config::ConfigRule
- `EIPAttachedConfigRule`: AWS::Config::ConfigRule
- `EC2VolumeInuseCheckConfigRule`: AWS::Config::ConfigRule
- `ACMExpirationCheckConfigRule`: AWS::Config::ConfigRule
- `IAMRootKeyCheckConfigRule`: AWS::Config::ConfigRule
- `RootMFAEnabledConfigRule`: AWS::Config::ConfigRule
- `RDSPublicAccessCheckConfigRule`: AWS::Config::ConfigRule
- `SGOpenOnlyToAuthorizedPortsConfigRule`: AWS::Config::ConfigRule
- `VPCFlowLogsEnabledConfigRule`: AWS::Config::ConfigRule
- `ELBLoggingEnabledConfigRule`: AWS::Config::ConfigRule
- `DynamodbEncryptionConfigRule`: AWS::Config::ConfigRule

#### Outputs

The list of outputs this template exposes:

## Maintenance

Maintainers:

- 104corp