
AWS Config - resource discovery stuck on "Your resources are being discovered"

How to fix AWS Config - resource discovery stuck on "Your resources are being discovered"

My company has 2 AWS accounts. On the first one (let's call it playground) I have full admin rights. On the second one (let's call it production) I have limited IAM permissions.

I enabled AWS Config on both accounts (using the terraform file in the appendix).

  • On playground it runs smoothly and everything works.
  • On production it fails. More specifically, it cannot detect the account's resources and shows the message "Your resources are being discovered", as in the screenshot below.

I initially suspected this might be an IAM role permission problem.

For example, running

aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile playground

gives me the list of security groups that AWS Config discovered on playground (pretty much what I see on the console dashboard).

On the other hand:

aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile production

returns an empty list (although there are security groups; same result for other types, e.g. AWS::EC2::Instance):

{
    "resourceIdentifiers": []
}

Since the IAM role does have permission to make the Describe API calls, I dropped the IAM permission suspicion. It works. It just returns null.

Could it be the AWS Config role AWSServiceRoleForConfig? That doesn't make sense. Since it is a service-linked role, it should have all the required permissions by default. (I'll attach the policy at the end anyway.)

Now the weird part:

My rules validate some resources (e.g. EFS) but throw this message: The specified resource is either unknown or has not been discovered.

I still suspect this might be an IAM problem, but I can't figure out what is going on. I've been struggling with this for days and could really use some help here.

According to the official documentation:

AWS Config tracks all changes to your resources by invoking the Describe or List API call for each resource in your account. The service uses the same API calls to capture configuration details for all related resources.

[Screenshot: AWS Config Dashboard]

config.tf

# Create the configuration recorder
resource "aws_config_configuration_recorder" "default" {
  name     = "default-recorder"
  role_arn = "arn:aws:iam::${var.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Enable the configuration recorder
resource "aws_config_configuration_recorder_status" "default" {
  name       = aws_config_configuration_recorder.default.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.default]
}

# Connect AWS Config to the S3 bucket
resource "aws_config_delivery_channel" "default" {
  name           = "default-channel"
  s3_bucket_name = "central-config-bucket" # Central S3 bucket
  depends_on     = [aws_config_configuration_recorder.default]
}

# Deploy the default HIPAA compliance conformance pack
resource "aws_config_conformance_pack" "hipaa" {
  name          = "operational-best-practices-for-HIPAA-Security"
  template_body = data.http.conformance_pack.body
}

data "http" "conformance_pack" {
  url = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
}

resource "aws_config_aggregate_authorization" "main" {
  account_id = "************"
  region     = "eu-central-1"
}

Default AWSServiceRoleForConfig policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate","acm:ListCertificates","acm:ListTagsForCertificate","apigateway:GET",
                "application-autoscaling:DescribeScalableTargets","application-autoscaling:DescribeScalingPolicies",
                "autoscaling:DescribeAutoScalingGroups","autoscaling:DescribeLaunchConfigurations","autoscaling:DescribeLifecycleHooks","autoscaling:DescribePolicies","autoscaling:DescribeScheduledActions","autoscaling:DescribeTags",
                "backup:DescribeBackupVault","backup:DescribeRecoveryPoint","backup:GetBackupPlan","backup:GetBackupSelection","backup:GetBackupVaultAccessPolicy","backup:GetBackupVaultNotifications","backup:ListBackupPlans","backup:ListBackupSelections","backup:ListBackupVaults","backup:ListRecoveryPointsByBackupVault","backup:ListTags",
                "cloudformation:DescribeType","cloudformation:ListTypes","cloudfront:ListTagsForResource",
                "cloudtrail:DescribeTrails","cloudtrail:GetEventSelectors","cloudtrail:GetTrailStatus","cloudtrail:ListTags","cloudwatch:DescribeAlarms",
                "codepipeline:GetPipeline","codepipeline:GetPipelineState","codepipeline:ListPipelines",
                "config:BatchGet*","config:Describe*","config:Get*","config:List*","config:Put*","config:Select*",
                "dax:DescribeClusters","dms:DescribeReplicationInstances","dms:DescribeReplicationSubnetGroups","dms:ListTagsForResource",
                "dynamodb:DescribeContinuousBackups","dynamodb:DescribeLimits","dynamodb:DescribeTable","dynamodb:ListTables","dynamodb:ListTagsOfResource",
                "ec2:Describe*","ec2:GetEbsEncryptionByDefault",
                "ecr:DescribeRepositories","ecr:GetLifecyclePolicy","ecr:GetRepositoryPolicy","ecr:ListTagsForResource",
                "ecs:DescribeClusters","ecs:DescribeServices","ecs:DescribeTaskDefinition","ecs:DescribeTaskSets","ecs:ListClusters","ecs:ListServices","ecs:ListTagsForResource","ecs:ListTaskDefinitions",
                "eks:DescribeCluster","eks:DescribeNodegroup","eks:ListClusters","eks:ListNodegroups",
                "elasticache:DescribeCacheClusters","elasticache:DescribeCacheParameterGroups","elasticache:DescribeCacheSubnetGroups","elasticache:DescribeReplicationGroups",
                "elasticfilesystem:DescribeAccessPoints","elasticfilesystem:DescribeBackupPolicy","elasticfilesystem:DescribeFileSystemPolicy","elasticfilesystem:DescribeFileSystems","elasticfilesystem:DescribeLifecycleConfiguration","elasticfilesystem:DescribeMountTargets","elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeLoadBalancerAttributes","elasticloadbalancing:DescribeLoadBalancerPolicies","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeRules","elasticloadbalancing:DescribeTags",
                "elasticmapreduce:DescribeCluster","elasticmapreduce:DescribeSecurityConfiguration","elasticmapreduce:GetBlockPublicAccessConfiguration","elasticmapreduce:ListClusters","elasticmapreduce:ListInstances",
                "es:DescribeElasticsearchDomain","es:DescribeElasticsearchDomains","es:ListDomainNames","es:ListTags",
                "guardduty:GetDetector","guardduty:GetFindings","guardduty:GetMasterAccount","guardduty:ListDetectors","guardduty:ListFindings",
                "iam:GenerateCredentialReport","iam:GetAccountAuthorizationDetails","iam:GetAccountPasswordPolicy","iam:GetAccountSummary","iam:GetCredentialReport","iam:GetGroup","iam:GetGroupPolicy","iam:GetPolicy","iam:GetPolicyVersion","iam:GetRole","iam:GetRolePolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedGroupPolicies","iam:ListAttachedRolePolicies","iam:ListAttachedUserPolicies","iam:ListEntitiesForPolicy","iam:ListGroupPolicies","iam:ListGroupsForUser","iam:ListInstanceProfilesForRole","iam:ListPolicyVersions","iam:ListRolePolicies","iam:ListUserPolicies","iam:ListVirtualMFADevices",
                "kinesis:DescribeStreamSummary","kinesis:ListStreams","kinesis:ListTagsForStream",
                "kms:DescribeKey","kms:GetKeyPolicy","kms:GetKeyRotationStatus","kms:ListKeys","kms:ListResourceTags",
                "lambda:GetAlias","lambda:GetFunction","lambda:GetPolicy","lambda:ListAliases","lambda:ListFunctions",
                "logs:DescribeLogGroups","organizations:DescribeOrganization",
                "rds:DescribeDBClusters","rds:DescribeDBClusterSnapshotAttributes","rds:DescribeDBClusterSnapshots","rds:DescribeDBInstances","rds:DescribeDBSecurityGroups","rds:DescribeDBSnapshotAttributes","rds:DescribeDBSnapshots","rds:DescribeDBSubnetGroups","rds:DescribeEventSubscriptions","rds:ListTagsForResource",
                "redshift:DescribeClusterParameterGroups","redshift:DescribeClusterParameters","redshift:DescribeClusters","redshift:DescribeClusterSecurityGroups","redshift:DescribeClusterSnapshots","redshift:DescribeClusterSubnetGroups","redshift:DescribeEventSubscriptions","redshift:DescribeLoggingStatus",
                "route53:GetHostedZone","route53:ListHostedZones","route53:ListHostedZonesByName","route53:ListResourceRecordSets","route53:ListTagsForResource",
                "s3:GetAccelerateConfiguration","s3:GetAccessPoint","s3:GetAccessPointPolicy","s3:GetAccessPointPolicyStatus","s3:GetAccountPublicAccessBlock","s3:GetBucketAcl","s3:GetBucketCORS","s3:GetBucketLocation","s3:GetBucketLogging","s3:GetBucketNotification","s3:GetBucketObjectLockConfiguration","s3:GetBucketPolicy","s3:GetBucketPublicAccessBlock","s3:GetBucketRequestPayment","s3:GetBucketTagging","s3:GetBucketVersioning","s3:GetBucketWebsite","s3:GetEncryptionConfiguration","s3:GetLifecycleConfiguration","s3:GetReplicationConfiguration","s3:ListAccessPoints","s3:ListAllMyBuckets","s3:ListBucket",
                "sagemaker:DescribeCodeRepository","sagemaker:DescribeEndpointConfig","sagemaker:DescribeNotebookInstance","sagemaker:ListCodeRepositories","sagemaker:ListEndpointConfigs","sagemaker:ListNotebookInstances","sagemaker:ListTags",
                "secretsmanager:ListSecrets","secretsmanager:ListSecretVersionIds","securityhub:DescribeHub",
                "shield:DescribeDRTAccess","shield:DescribeProtection","shield:DescribeSubscription",
                "sns:GetTopicAttributes","sns:ListSubscriptions","sns:ListTagsForResource","sns:ListTopics",
                "sqs:GetQueueAttributes","sqs:ListQueues","sqs:ListQueueTags",
                "ssm:DescribeAutomationExecutions","ssm:DescribeDocument","ssm:GetAutomationExecution","ssm:GetDocument","ssm:ListDocuments",
                "storagegateway:ListGateways","storagegateway:ListVolumes","support:DescribeCases","tag:GetResources",
                "waf-regional:GetLoggingConfiguration","waf-regional:GetWebACL","waf-regional:GetWebACLForResource","waf:GetLoggingConfiguration","waf:GetWebACL","wafv2:GetLoggingConfiguration"
            ],
            "Resource": "*"
        }
    ]
}

Solution

This might be a bug in the AWS terraform provider.

The service-linked role AWSServiceRoleForConfig is not activated automatically the first time you apply the terraform plan. You need to add it manually in AWS Config. After that it works fine.


Edit

The solution may be different from the one above (or a combination of both). I also noticed that AWS Config gets stuck on "discovering resources" when no rules/conformance packs are deployed. If you deploy a single rule, it discovers the resources (?!)
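Added example, not code from the question or the answer: a small Python triage function over the parsed JSON of the `aws configservice describe-configuration-recorders`, `describe-configuration-recorder-status`, `describe-delivery-channel-status` and `describe-config-rules` calls, plus whether `aws iam get-role --role-name AWSServiceRoleForConfig` succeeds. It encodes the two causes raised on this page (missing service-linked role, no rules deployed, the latter as a heuristic) and the two generic failure signals those calls expose; the response field names are AWS's, and the sample input is constructed to mirror the production account described above.

```python
# Added example (not from the question or the answer): offline triage of the
# AWS Config state behind a "Your resources are being discovered" hang.
# Inputs are the parsed JSON of the `aws configservice describe-*` calls named
# in the docstring; `slr_exists` is whether `aws iam get-role
# --role-name AWSServiceRoleForConfig` succeeds (False on NoSuchEntity).
SERVICE_LINKED_ROLE = "role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"


def triage_config(recorders, recorder_status, delivery_status, rules, slr_exists):
    """Return findings (list of str) explaining why discovery may be stuck.

    recorders: ["ConfigurationRecorders"], recorder_status: ["ConfigurationRecordersStatus"],
    delivery_status: ["DeliveryChannelsStatus"], rules: ["ConfigRules"].
    """
    findings = []
    if not recorders:
        return ["no configuration recorder defined in this region"]
    for rec in recorders:
        arn = rec.get("roleARN", "")
        # The answer above: the service-linked role is not created by the first apply.
        if arn.endswith(SERVICE_LINKED_ROLE) and not slr_exists:
            findings.append(f"recorder {rec['name']} uses {arn} but that "
                            "service-linked role does not exist yet")
    for st in recorder_status:
        if not st.get("recording"):
            findings.append(f"recorder {st['name']} is not recording")
        elif st.get("lastStatus") == "FAILURE":
            findings.append(f"recorder {st['name']} failed: "
                            f"{st.get('lastErrorCode')}: {st.get('lastErrorMessage')}")
    for ch in delivery_status:
        hist = ch.get("configHistoryDeliveryInfo", {})
        if hist.get("lastStatus") == "FAILURE":
            findings.append(f"delivery channel {ch['name']} cannot write to S3: "
                            f"{hist.get('lastErrorCode')}: {hist.get('lastErrorMessage')}")
    if not rules:  # heuristic from the edit above: no rule, no evaluation trigger
        findings.append("no Config rules deployed; deploy at least one rule or "
                        "conformance pack and re-check discovery")
    return findings


# Constructed sample mirroring the production account in the question.
SAMPLE = dict(
    recorders=[{"name": "default-recorder",
                "roleARN": "arn:aws:iam::111111111111:" + SERVICE_LINKED_ROLE}],
    recorder_status=[{"name": "default-recorder", "recording": True, "lastStatus": "PENDING"}],
    delivery_status=[{"name": "default-channel",
                      "configHistoryDeliveryInfo": {"lastStatus": "NOT_APPLICABLE"}}],
    rules=[],
    slr_exists=False,
)
```

Feed it the real responses with `json.load` on the CLI output and it reports both the missing role and the empty rule set in one pass, which is the order the answer and the edit suggest fixing them in.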
