@104corp/cfn-basic-module 中文文档教程

发布于 4年前 浏览 28 项目主页 更新于 3年前

CloudFormation Basic module

构建状态NPM version

  • CloudTrail
  • IAM Role for administrator
    • Role-Administrator (AdministratorAccess)
  • AWS Health Event notify owner (slack)
  • AWS Config
  • AWS Config Rule
    • For Monitor
      • AWS ACMCERTIFICATEEXPIRATION_CHECK
    • For Security
      • AWS CLOUDTRAILENABLED
      • IAMROOTACCESSKEYCHECK
      • ROOTACCOUNTMFA_ENABLED
      • RDSINSTANCEPUBLICACCESSCHECK
      • ELBLOGGINGENABLED
      • VPCFLOWLOGS_ENABLED
      • DYNAMODBTABLEENCRYPTION_ENABLED
    • For Cost
      • AWS EIP_ATTACHED
      • AWS EC2VOLUMEINUSE_CHECK

Install

首先安装 Node.js 和 npm

npm i @104corp/cfn-basic-module

Usage

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-basic-module example'
Resources:
  Basic:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        SlackWebhookURL: '' # optional
        CloudTrailS3BucketName: '' # optional
        EnableConfigService: '' # optional
        ConfigS3BucketName: '' # optional  
        AdminAccountId: '' # optional
      TemplateURL: './node_modules/@104corp/cfn-basic-module/module.yml'

Package

$ aws cloudformation package --template-file example.yml --s3-bucket <your cfn template bucket> --output-template-file packaged.yml

Deploy

$ aws cloudformation deploy --template-file packaged.yml --stack-name <your stack name>

Parameters

templates/module

Description

一个基本模板

Parameters

此模板的参数列表:

MainRegion

类型:String 默认值:无 描述:(可选)在主区域创建

SlackWebhookURL

类型:字符串 默认值:无 描述:(可选)发送通知到 slack webhook url

AdminPrincipal

类型:字符串 默认值:无 描述:(可选)担任角色的管理员账户的 AWS 账户主体

EnableCloudTrail

类型:String
说明:(可选)是否启用 CloudTrail

CloudTrailS3BucketName

类型:String 默认值:无 描述:(可选)如果您已经有一个 cloudtrail s3 存储桶

EnableConfigService

类型:String
描述:(可选)是否启用配置服务

ConfigS3BucketName

类型:字符串 默认值:无 说明:(可选)如果您已有 aws config s3 存储桶

ConfigSNSTopicArn

类型:字符串 默认值:无 说明:(可选)配置 sns 主题 arn。

CofingRulePrefix

类型:字符串 默认值:无 描述:(可选)配置规则名称前缀

ACMCertificatesDaysToExpiration

类型:数字
说明:(可选)检查您账户中的 ACM 证书是否在指定天数内标记为过期。

EnableEIPAttachedConfigRule

类型:字符串
说明:(可选)启用检查分配给 VPC 的所有 EIP 地址是否附加到 EC2 实例或正在使用的 ENI。

EnableEC2VolumeInuseCheckConfigRule

类型:字符串
说明:(可选)启用检查 EBS 卷是否附加到 EC2 实例。

EnableIAMRootKeyCheckConfigRule

类型:字符串
说明:(可选)启用检查根用户访问密钥是否可用。

EnableRootMFAEnabledConfigRule

类型:字符串
说明:(可选)启用检查您的 AWS 账户的根用户是否需要多重身份验证才能登录控制台。

EnableRDSPublicAccessCheckConfigRule

类型:字符串
说明:(可选)启用检查 Amazon 关系数据库服务 (RDS) 实例是否不可公开访问。 如果实例配置项中的 publiclyAccessible 字段为 true,则该规则不合规。

EnableSGOpenOnlyToAuthorizedPortsConfigRule

类型:字符串
说明:(可选)启用检查入站 0.0.0.0/0 的任何安全组是否具有可访问的 TCP 或 UDP 端口。 当具有入站 0.0.0.0/0 的安全组具有未在规则参数中指定的可访问端口时,规则为 NON_COMPLIANT。

SGOpenAuthorizedTcpPorts

类型:字符串 默认值:80,443 说明:(可选)授权向 0.0.0.0/0 打开的 TCP 端口的逗号分隔列表。 范围由破折号定义; 例如,“443,1020-1025”。

SGOpenAuthorizedUdpPorts

类型:字符串 默认值:0 说明:(可选)授权向 0.0.0.0/0 打开的 UDP 端口的逗号分隔列表。 范围由破折号定义; 例如,“500,1020-1025”。

EnableVPCFlowLogsEnabledConfigRule

类型:字符串
说明:(可选)启用检查是否找到 Amazon Virtual Private Cloud 流日志并为 Amazon VPC 启用。

VPCFlowLogTrafficType

类型:字符串 默认值:无 说明:(可选)vpc 流日志流量类型

EnableELBLoggingEnabledConfigRule

类型:String
说明:(可选)启用检查 Application Load Balancer 和 Classic Load Balancer 是否启用了日志记录。

ELBLoggingS3BucketNames

类型:字符串 默认值:无 描述:(可选)elb logging s3 bucket name

EnableDynamodbEncryptionConfigRule

类型:String
说明:(可选)启用检查 Amazon DynamoDB 表是否已加密并检查其状态。 如果状态为启用或启用,则规则是合规的。

Resources

此模板创建的资源列表:

EventRule

类型:AWS::Events::Rule

PermissionForEventsToInvokeLambda

类型:AWS::Lambda::Permission

LambdaExecutionRole

类型:AWS::IAM::Role

LambdaFunction

类型:AWS::Lambda::Function

CloudTrailS3Bucket

类型:AWS::S3 ::存储桶

CloudTrailS3BucketPolicy

类型:AWS::S3::BucketPolicy

CloudTrail

类型:AWS::CloudTrail::Trail

CloudTrailWithS3

类型:AWS::CloudTrail::Trail

AdministratorRole

类型:AWS::IAM::角色

ConfigS3Bucket

类型:AWS::S3::Bucket

ConfigS3BucketPolicy

类型: AWS::S3::BucketPolicy

RoleForConfig

类型:AWS::IAM::Role

ConfigRecorder

类型:AWS::Config::ConfigurationRecorder

ConfigDeliveryChannel

类型:AWS::Config::DeliveryChannel

ConfigDeliveryChannelWithS3

类型:AWS::Config::DeliveryChannel

CloudTrailEnabledConfigRule

类型:AWS::Config: :ConfigRule

EIPAttachedConfigRule

类型:AWS::Config::ConfigRule

EC2VolumeInuseCheckConfigRule

类型:AWS::Config::ConfigRule

ACMExpirationCheckConfigRule

类型:AWS::Config::ConfigRule

IAMRootKeyCheckConfigRule

类型:AWS::Config::ConfigRule

RootMFAEnabledConfigRule

类型:AWS::Config::ConfigRule

RDSPublicAccessCheckConfigRule

类型:AWS ::Config::ConfigRule

SGOpenOnlyToAuthorizedPortsConfigRule

类型:AWS::Config::ConfigRule

VPCFlowLogsEnabledConfigRule

类型:AWS::Config::ConfigRule

ELBLoggingEnabledConfigRule

类型:AWS::Config::ConfigRule

DynamodbEncryptionConfigRule

类型:AWS::Config::ConfigRule

Outputs

此模板公开的输出列表:

Maintenance

维护者:

  • 104corp

CloudFormation Basic module

Build StatusNPM version

  • CloudTrail
  • IAM Role for administrator
    • Role-Administrator (AdministratorAccess)
  • AWS Health Event notify owner (slack)
  • AWS Config
  • AWS Config Rule
    • For Monitor
      • AWS ACMCERTIFICATEEXPIRATION_CHECK
    • For Security
      • AWS CLOUDTRAILENABLED
      • IAMROOTACCESSKEYCHECK
      • ROOTACCOUNTMFA_ENABLED
      • RDSINSTANCEPUBLICACCESSCHECK
      • ELBLOGGINGENABLED
      • VPCFLOWLOGS_ENABLED
      • DYNAMODBTABLEENCRYPTION_ENABLED
    • For Cost
      • AWS EIP_ATTACHED
      • AWS EC2VOLUMEINUSE_CHECK

Install

Install Node.js and npm first!

npm i @104corp/cfn-basic-module

Usage

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-basic-module example'
Resources:
  Basic:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        SlackWebhookURL: '' # optional
        CloudTrailS3BucketName: '' # optional
        EnableConfigService: '' # optional
        ConfigS3BucketName: '' # optional  
        AdminAccountId: '' # optional
      TemplateURL: './node_modules/@104corp/cfn-basic-module/module.yml'

Package

$ aws cloudformation package --template-file example.yml --s3-bucket <your cfn template bucket> --output-template-file packaged.yml

Deploy

$ aws cloudformation deploy --template-file packaged.yml --stack-name <your stack name>

Parameters

templates/module

Description

A basic template

Parameters

The list of parameters for this template:

MainRegion

Type: String Default: None Description: (Optional) create in main region

SlackWebhookURL

Type: String Default: None Description: (Optional) send notify to slack webhook url

AdminPrincipal

Type: String Default: None Description: (Optional) AWS Account Principal of the administrator account for assume role

EnableCloudTrail

Type: String
Description: (Optional) enable CloudTrail or not

CloudTrailS3BucketName

Type: String Default: None Description: (Optional) If you already have a cloudtrail s3 bucket

EnableConfigService

Type: String
Description: (Optional) enable config service or not

ConfigS3BucketName

Type: String Default: None Description: (Optional) If you already have a aws config s3 bucket

ConfigSNSTopicArn

Type: String Default: None Description: (Optional) config sns topic arn.

CofingRulePrefix

Type: String Default: None Description: (Optional) config rule name prefix

ACMCertificatesDaysToExpiration

Type: Number
Description: (Optional) Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.

EnableEIPAttachedConfigRule

Type: String
Description: (Optional) enable Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs.

EnableEC2VolumeInuseCheckConfigRule

Type: String
Description: (Optional) enable Checks whether EBS volumes are attached to EC2 instances.

EnableIAMRootKeyCheckConfigRule

Type: String
Description: (Optional) enable Checks whether the root user access key is available.

EnableRootMFAEnabledConfigRule

Type: String
Description: (Optional) enable Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.

EnableRDSPublicAccessCheckConfigRule

Type: String
Description: (Optional) enable Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.

EnableSGOpenOnlyToAuthorizedPortsConfigRule

Type: String
Description: (Optional) enable Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.

SGOpenAuthorizedTcpPorts

Type: String Default: 80,443 Description: (Optional) Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, "443,1020-1025".

SGOpenAuthorizedUdpPorts

Type: String Default: 0 Description: (Optional) Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, "500,1020-1025".

EnableVPCFlowLogsEnabledConfigRule

Type: String
Description: (Optional) enable Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

VPCFlowLogTrafficType

Type: String Default: None Description: (Optional) vpc flow log traffic type

EnableELBLoggingEnabledConfigRule

Type: String
Description: (Optional) enable Checks whether the Application Load Balancers and the Classic Load Balancers have logging enabled.

ELBLoggingS3BucketNames

Type: String Default: None Description: (Optional) elb logging s3 bucket name

EnableDynamodbEncryptionConfigRule

Type: String
Description: (Optional) enable Checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is compliant if the status is enabled or enabling.

Resources

The list of resources this template creates:

EventRule

Type: AWS::Events::Rule

PermissionForEventsToInvokeLambda

Type: AWS::Lambda::Permission

LambdaExecutionRole

Type: AWS::IAM::Role

LambdaFunction

Type: AWS::Lambda::Function

CloudTrailS3Bucket

Type: AWS::S3::Bucket

CloudTrailS3BucketPolicy

Type: AWS::S3::BucketPolicy

CloudTrail

Type: AWS::CloudTrail::Trail

CloudTrailWithS3

Type: AWS::CloudTrail::Trail

AdministratorRole

Type: AWS::IAM::Role

ConfigS3Bucket

Type: AWS::S3::Bucket

ConfigS3BucketPolicy

Type: AWS::S3::BucketPolicy

RoleForConfig

Type: AWS::IAM::Role

ConfigRecorder

Type: AWS::Config::ConfigurationRecorder

ConfigDeliveryChannel

Type: AWS::Config::DeliveryChannel

ConfigDeliveryChannelWithS3

Type: AWS::Config::DeliveryChannel

CloudTrailEnabledConfigRule

Type: AWS::Config::ConfigRule

EIPAttachedConfigRule

Type: AWS::Config::ConfigRule

EC2VolumeInuseCheckConfigRule

Type: AWS::Config::ConfigRule

ACMExpirationCheckConfigRule

Type: AWS::Config::ConfigRule

IAMRootKeyCheckConfigRule

Type: AWS::Config::ConfigRule

RootMFAEnabledConfigRule

Type: AWS::Config::ConfigRule

RDSPublicAccessCheckConfigRule

Type: AWS::Config::ConfigRule

SGOpenOnlyToAuthorizedPortsConfigRule

Type: AWS::Config::ConfigRule

VPCFlowLogsEnabledConfigRule

Type: AWS::Config::ConfigRule

ELBLoggingEnabledConfigRule

Type: AWS::Config::ConfigRule

DynamodbEncryptionConfigRule

Type: AWS::Config::ConfigRule

Outputs

The list of outputs this template exposes:

Maintenance

Maintainers:

  • 104corp
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文