Open Source Tools Series 1: Cloud Custodian

In cloud security detection, one of the most important components is validating configuration. Today we introduce an open-source rule-checking engine project, Cloud Custodian.

1. What Cloud Custodian Is

2. Cloud Custodian Project Structure

Custodian features

3. Cloud Custodian Quick Installation

$ python3 -m venv custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n
(custodian) $ pip install -e tools/c7n_aliyun
(custodian) $ pip install -e tools/c7n_huawei
(custodian) $ pip install -e tools/c7n_tencent
(custodian) $ pip install -e tools/c7n_baidu

4. Cloud Custodian Usage

The first step in using Cloud Custodian is to write a YAML file containing the policies you want to run. Each policy specifies the resource type the policy runs against, a set of filters that control which resources are affected by the policy, the actions the policy takes on the matched resources, and a mode that controls how the policy is executed.

The best getting-started guides are the cloud-provider-specific tutorials.

As a quick tour, below are some example policies for AWS resources that:

  1. Enforce that no S3 bucket has cross-account access enabled.
  2. Terminate any newly launched EC2 instance that has unencrypted EBS volumes.
  3. Stop, within four days, any EC2 instance that does not carry the tags "Environment", "AppId", and either "OwnerContact" or "DeptID".

policies:
  - name: s3-cross-account
    description: |
      Checks S3 for buckets with cross-account access and
      removes the cross-account access.
    resource: aws.s3
    region: us-east-1
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched

  - name: ec2-require-non-public-and-encrypted-volumes
    resource: aws.ec2
    description: |
      Provision a lambda and cloud watch event target
      that looks at all new instances and terminates those with
      unencrypted volumes.
    mode:
      type: cloudtrail
      role: CloudCustodian-QuickStart
      events:
      - RunInstances
    filters:
      - type: ebs
        key: Encrypted
        value: false
    actions:
      - terminate

  - name: tag-compliance
    resource: aws.ec2
    description: |
      Schedule a resource that does not meet tag compliance policies to be stopped in four days. Note a separate policy using the `marked-for-op` filter is required to actually stop the instances after four days.
    filters:
      - State.Name: running
      - "tag:Environment": absent
      - "tag:AppId": absent
      - or:
        - "tag:OwnerContact": absent
        - "tag:DeptID": absent
    actions:
      - type: mark-for-op
        op: stop
        days: 4
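
To make the filter semantics concrete, here is a small Python re-implementation, added for this article and not Cloud Custodian's own code, of the filter subset used by the tag-compliance policy above: the `key: value` shorthand with dotted paths, the `tag:` prefix, the `absent` value, and `or`/`and` blocks, evaluated over constructed EC2 instance records. The real engine evaluates the same block with its value filter and then hands the matched set to the actions.

```python
# Constructed sample of what a dry run would fetch for aws.ec2 (shape follows
# EC2 DescribeInstances; instance ids and tag values are made up).
INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Tags": []},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "Tags": [{"Key": "DeptID", "Value": "42"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"},
     "Tags": [{"Key": "OwnerContact", "Value": "sec@example.com"},
              {"Key": "DeptID", "Value": "42"}]},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}, "Tags": []},
    {"InstanceId": "i-0eee", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "prod"},
              {"Key": "AppId", "Value": "web"}]},
]

# The filters block of the page's tag-compliance policy, as YAML would load it.
TAG_COMPLIANCE_FILTERS = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [{"tag:OwnerContact": "absent"}, {"tag:DeptID": "absent"}]},
]

def lookup(resource, key):
    """Resolve `tag:Name` against the Tags list, anything else as a dotted path."""
    if key.startswith("tag:"):
        tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
        return tags.get(key[4:])
    value = resource
    for part in key.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def matches(resource, flt):
    """Evaluate one filter entry: an or/and block or a `key: value` shorthand."""
    if "or" in flt:
        return any(matches(resource, f) for f in flt["or"])
    if "and" in flt:
        return all(matches(resource, f) for f in flt["and"])
    (key, expected), = flt.items()        # shorthand form: exactly one key
    actual = lookup(resource, key)
    if expected == "absent":              # key or tag missing entirely
        return actual is None
    return actual == expected             # plain equality (the default `eq` op)

def select(resources, filters):
    """Top-level filters are ANDed; return ids of resources the actions would hit."""
    return [r["InstanceId"] for r in resources if all(matches(r, f) for f in filters)]
```

Note that the policy requires both `Environment` and `AppId` to be absent, so an instance missing only one of them is not matched; with the sample above only i-0aaa and i-0bbb would be marked for stop.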

You can validate, test, and run Cloud Custodian with the example policies using the following commands:

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml

You can also run Cloud Custodian via Docker:

# Download the image
$ docker pull cloudcustodian/c7n
$ mkdir output

# Run the policy
#
# This will run the policy using only the environment variables for authentication
$ docker run -it \
  -v $(pwd)/output:/home/custodian/output \
  -v $(pwd)/policy.yml:/home/custodian/policy.yml \
  --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE") \
  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml

# Run the policy (using AWS's generated credentials from STS)
#
# NOTE: We mount the ``.aws/credentials`` and ``.aws/config`` files into
# the docker container so that it can authenticate to AWS with the same
# credentials that are available to the local user when authenticating with STS.

$ docker run -it \
  -v $(pwd)/output:/home/custodian/output \
  -v $(pwd)/policy.yml:/home/custodian/policy.yml \
  -v $(cd ~ && pwd)/.aws/credentials:/home/custodian/.aws/credentials \
  -v $(cd ~ && pwd)/.aws/config:/home/custodian/.aws/config \
  --env-file <(env | grep "^AWS") \
  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml

5. Project Address


HummerRisk visualizes Cloud Custodian's operations, making them more convenient and simpler, and extends its capabilities in several areas; if you want to try these capabilities, we recommend starting directly with HummerRisk.

About HummerRisk

HummerRisk is an open-source cloud-native security platform that addresses cloud-native security and governance problems in a non-intrusive way; its core capabilities include hybrid-cloud security governance and K8s container cloud security detection.


Page updated: 2024-05-01
