AWS Config - Resource discovery stuck on "Your resources are being discovered"
Posted: 2021-08-01 14:59:53

Question:
My company has 2 AWS accounts. On the first one (let's call it playground) I have full admin permissions. On the second one (let's call it production) I have limited IAM permissions.
I enabled AWS Config on both accounts (using the terraform file in the appendix).
On playground it runs smoothly and everything is fine. On production, it fails. More specifically, it cannot detect the account's resources and shows the message "Your resources are being discovered", as shown in the screenshot below. I initially suspected it might be an IAM role permission issue.
For example, running

```sh
aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile playground
```

gives me a list of the SecurityGroups discovered by AWS Config on playground (roughly what I see on the console dashboard).
On the other hand:

```sh
aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile production
```

returns an empty list (although there are security groups; same result with other types such as AWS::EC2::Instance):

```json
"resourceIdentifiers": []
```
Since the IAM role does have permission to make the Describe API calls, I dropped my suspicion about IAM permissions. It works. It just returns null.
Could it be the AWS Config role AWSServiceRoleForConfig? It doesn't make any sense. Since this is a service-linked role, it should have all the required permissions by default. (I'll attach the policy at the end of the post anyway.)
Now the weird part:
My rules validate some resources (e.g. EFS) but throw this message: The specified resource is either unknown or has not been discovered.
I still suspect this might be an IAM issue, but I have no idea what is going on. I have been struggling with this for days and I could really use some help here.
According to the official documentation:
    AWS Config tracks all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.
config.tf

```hcl
# Create the configuration recorder
resource "aws_config_configuration_recorder" "default" {
  name     = "default-recorder"
  role_arn = "arn:aws:iam::${var.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Enable the configuration recorder
resource "aws_config_configuration_recorder_status" "default" {
  name       = aws_config_configuration_recorder.default.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.default]
}

# Connect AWS Config to the S3 bucket
resource "aws_config_delivery_channel" "default" {
  name           = "default-channel"
  s3_bucket_name = "central-config-bucket" # Central S3 bucket
  depends_on     = [aws_config_configuration_recorder.default]
}

# Deploy the default HIPAA compliance conformance pack
resource "aws_config_conformance_pack" "hipaa" {
  name          = "operational-best-practices-for-HIPAA-Security"
  template_body = data.http.conformance_pack.body
}

data "http" "conformance_pack" {
  url = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
}

resource "aws_config_aggregate_authorization" "main" {
  account_id = "************"
  region     = "eu-central-1"
}
```
Default AWSServiceRoleForConfig policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "apigateway:GET",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingPolicies",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeTags",
        "backup:DescribeBackupVault",
        "backup:DescribeRecoveryPoint",
        "backup:GetBackupPlan",
        "backup:GetBackupSelection",
        "backup:GetBackupVaultAccessPolicy",
        "backup:GetBackupVaultNotifications",
        "backup:ListBackupPlans",
        "backup:ListBackupSelections",
        "backup:ListBackupVaults",
        "backup:ListRecoveryPointsByBackupVault",
        "backup:ListTags",
        "cloudformation:DescribeType",
        "cloudformation:ListTypes",
        "cloudfront:ListTagsForResource",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudwatch:DescribeAlarms",
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineState",
        "codepipeline:ListPipelines",
        "config:BatchGet*",
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "config:Put*",
        "config:Select*",
        "dax:DescribeClusters",
        "dms:DescribeReplicationInstances",
        "dms:DescribeReplicationSubnetGroups",
        "dms:ListTagsForResource",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetEbsEncryptionByDefault",
        "ecr:DescribeRepositories",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRepositoryPolicy",
        "ecr:ListTagsForResource",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTaskSets",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTagsForResource",
        "ecs:ListTaskDefinitions",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheParameterGroups",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeBackupPolicy",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeSecurityConfiguration",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListInstances",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "guardduty:GetDetector",
        "guardduty:GetFindings",
        "guardduty:GetMasterAccount",
        "guardduty:ListDetectors",
        "guardduty:ListFindings",
        "iam:GenerateCredentialReport",
        "iam:GetAccountAuthorizationDetails",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroupPolicies",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListUserPolicies",
        "iam:ListVirtualMFADevices",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListKeys",
        "kms:ListResourceTags",
        "lambda:GetAlias",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:ListAliases",
        "lambda:ListFunctions",
        "logs:DescribeLogGroups",
        "organizations:DescribeOrganization",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEventSubscriptions",
        "rds:ListTagsForResource",
        "redshift:DescribeClusterParameterGroups",
        "redshift:DescribeClusterParameters",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSecurityGroups",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusterSubnetGroups",
        "redshift:DescribeEventSubscriptions",
        "redshift:DescribeLoggingStatus",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetAccelerateConfiguration",
        "s3:GetAccessPoint",
        "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListTags",
        "secretsmanager:ListSecrets",
        "secretsmanager:ListSecretVersionIds",
        "securityhub:describeHub",
        "shield:DescribeDRTAccess",
        "shield:DescribeProtection",
        "shield:DescribeSubscription",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "ssm:DescribeAutomationExecutions",
        "ssm:DescribeDocument",
        "ssm:GetAutomationExecution",
        "ssm:GetDocument",
        "ssm:ListDocuments",
        "storagegateway:ListGateways",
        "storagegateway:ListVolumes",
        "support:DescribeCases",
        "tag:GetResources",
        "waf-regional:GetLoggingConfiguration",
        "waf-regional:GetWebACL",
        "waf-regional:GetWebACLForResource",
        "waf:GetLoggingConfiguration",
        "waf:GetWebACL",
        "wafv2:GetLoggingConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
```
Comments:

Could this be something that only AWS Support can resolve? Also, is this account under an AWS Organization? Maybe there is some policy at the AWS Organization level that blocks certain permissions?

In the end this was a terraform/aws issue. The service-linked role AWSServiceRoleForConfig does not get activated automatically the first time. You need to add it to AWS Config manually. Then it works fine. @Marcin

Glad it worked. You could answer your own question in detail and accept it for future reference.
Answer 1:

This may be a bug in the AWS terraform provider.
The first time the terraform plan is applied, the service-linked role AWSServiceRoleForConfig does not get activated automatically. You need to add it to AWS Config manually. Then it works fine.

EDIT

The solution may be something other than the above (or a combination of both). I also noticed that AWS Config gets stuck on "Your resources are being discovered" when no rules/conformance packs are deployed. If you deploy a single rule, it discovers the resources (?!)
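A triage script for the symptoms in the question and the finding in the answer above, added here as an example; it is not the asker's code and not an AWS tool. It encodes the checks a practitioner would run before blaming IAM: does the recorder point at the service-linked role, has it ever completed a recording pass, is delivery to the S3 bucket failing, are any rules deployed at all (the answer's observation), and how many resources the API actually returns. Field names follow the responses of the AWS CLI commands listed in the docstring; the account ID and every response below are constructed placeholders, not output captured from the asker's accounts.

```python
"""Triage an AWS Config recorder that sits on "Your resources are being discovered".

Added example; runs offline on constructed JSON shaped like the output of:

    aws configservice describe-configuration-recorders
    aws configservice describe-configuration-recorder-status
    aws configservice describe-delivery-channel-status
    aws configservice describe-config-rules
    aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup

Against a real account, replace the constructed dicts with json.loads() of each command's output.
"""
import json
import re

# ARN shape of the service-linked role the recorder in the question points at.
SLR_ARN_RE = re.compile(
    r"^arn:aws:iam::\d{12}:role/aws-service-role/config\.amazonaws\.com/AWSServiceRoleForConfig$"
)


def triage(recorders, recorder_status, channel_status, rules, discovered):
    """Return a list of finding strings; an empty list means nothing obviously wrong."""
    findings = []

    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder exists in this region"]
    rec = recs[0]
    if not SLR_ARN_RE.match(rec.get("roleARN", "")):
        findings.append("recorder role is not the service-linked role: %s" % rec.get("roleARN"))
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported") and not group.get("resourceTypes"):
        findings.append("recording group selects no resource types")

    healthy = False
    for st in recorder_status.get("ConfigurationRecordersStatus", []):
        if not st.get("recording"):
            findings.append("recorder %s is not recording (recorder status not enabled)" % st.get("name"))
        status = st.get("lastStatus")
        if status == "Failure":
            findings.append("recorder failure %s: %s" % (st.get("lastErrorCode"), st.get("lastErrorMessage")))
        elif status == "Pending":
            findings.append("recorder has never completed a recording pass (lastStatus=Pending)")
        elif status == "Success" and st.get("recording"):
            healthy = True

    for ch in channel_status.get("DeliveryChannelsStatus", []):
        info = ch.get("configHistoryDeliveryInfo", {})
        if info.get("lastStatus") == "Failure":
            findings.append("delivery to S3 failing (%s): %s" % (info.get("lastErrorCode"), info.get("lastErrorMessage")))

    if not rules.get("ConfigRules"):
        findings.append("no Config rules deployed; the answer above reports discovery stayed stuck until one rule existed")

    if not discovered.get("resourceIdentifiers"):
        if healthy:
            findings.append("zero discovered resources although the recorder reports Success; verify the service-linked role was actually activated for AWS Config")
        else:
            findings.append("zero discovered resources")
    return findings


# Constructed sample responses (placeholder account, not real output). PRODUCTION mirrors the
# symptoms described in the question; PLAYGROUND is a healthy account.
ACCOUNT = "123456789012"
SLR = "arn:aws:iam::%s:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" % ACCOUNT
RECORDER = {"ConfigurationRecorders": [{"name": "default-recorder", "roleARN": SLR,
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}}]}

PRODUCTION = {
    "status": {"ConfigurationRecordersStatus": [{"name": "default-recorder", "recording": True, "lastStatus": "Pending"}]},
    "channel": {"DeliveryChannelsStatus": [{"name": "default-channel", "configHistoryDeliveryInfo": {}}]},
    "rules": {"ConfigRules": []},
    "discovered": {"resourceIdentifiers": []},
}
PLAYGROUND = {
    "status": {"ConfigurationRecordersStatus": [{"name": "default-recorder", "recording": True, "lastStatus": "Success"}]},
    "channel": {"DeliveryChannelsStatus": [{"name": "default-channel", "configHistoryDeliveryInfo": {"lastStatus": "Success"}}]},
    "rules": {"ConfigRules": [{"ConfigRuleName": "efs-encrypted-check", "ConfigRuleState": "ACTIVE"}]},
    "discovered": {"resourceIdentifiers": [{"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0"}]},
}


def findings_for(sample):
    return triage(RECORDER, sample["status"], sample["channel"], sample["rules"], sample["discovered"])


def production_findings():
    return findings_for(PRODUCTION)


def playground_findings():
    return findings_for(PLAYGROUND)


if __name__ == "__main__":
    for name, fn in (("playground", playground_findings), ("production", production_findings)):
        print(name, json.dumps(fn(), indent=2))
```

Run it as-is to compare the two reports; against a real account, feed it json.loads() of each command's output for the target --profile. One check relevant to the central bucket in the question's config.tf: when the delivery bucket lives in a different account, its bucket policy must grant config.amazonaws.com s3:GetBucketAcl and s3:PutObject, otherwise configHistoryDeliveryInfo reports a Failure that this script surfaces.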