Scenario
This guide walks you through creating a custom rule in the Config (配置审计) console, backed by a cloud function that you write, so that the service can audit and evaluate your resources against your own compliance logic.
Steps
1. Log in to the Config console and go to Rules.
2. On the Rules page, click Create custom rule. (You can create the rule for the current account or for a global account group, depending on the account you are logged in with.)
![](https://qcloudimg.tencent-cloud.cn/image/document/24f0a688acc3c0135471349679de0780.png)
3. On the Basic attributes page of the custom rule wizard, enter the rule name, risk level, rule description, and rule function, then click Next.
![](https://qcloudimg.tencent-cloud.cn/image/document/5a804251734e2ae8646bc15d87be9d07.png)
Caution:
The rule function is an SCF function that must already exist: create the service and the function in the SCF (Serverless Cloud Function) console first. For details, see Creating an Event Function in the Console.
When creating the function, set the function type to SCF event function and choose the runtime that matches the language of your handler. The sample below is written in Go, so select a Go runtime (a Python 3.7 runtime would not run it). The other parameters can be set as needed. Sample function code:
```go
package main

import (
	"context"
	"encoding/json"
	"fmt"

	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors"
	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
	config "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/config/v20220802"
	"github.com/tencentyun/scf-go-lib/cloudfunction"
)

// main hands the handler to the SCF Go runtime
func main() {
	cloudfunction.Start(ReceiveMessage)
}

type Tag struct {
	TagKey   string
	TagValue string
}

type ClientContext struct {
	InvokingEvent     *InvokingEvent
	RuleParameters    map[string]string // rule parameters set in the console
	ResultToken       string            // encrypted token, echoed back in PutEvaluations
	OrderingTimestamp int64             // evaluation timestamp
}

type InvokingEvent struct {
	TriggerType       string
	ConfigurationItem *ConfigurationItem
}

type ConfigurationItem struct {
	AccountId            int64  // ID of the account that owns the resource
	Region               string // resource region
	Zone                 string // resource availability zone
	Configuration        string // detailed resource configuration; the fields differ per resource type
	ResourceCreationTime int64  // resource creation timestamp
	ResourceType         string // resource type
	ResourceId           string // resource ID
	ResourceStatus       string // resource status
	ResourceName         string // resource name
	Tags                 []Tag  // resource tags
	CaptureTime          int64  // resource snapshot timestamp
}

// ReceiveMessage consumes the evaluation event. Sample event:
// {
//   "InvokingEvent": {
//     "TriggerType": "MANUAL",
//     "ConfigurationItem": {
//       "AccountId": 100004293724,
//       "Region": "ap-guangzhou",
//       "Zone": "",
//       "Configuration": { // the Configuration fields differ per resource type
//         "CidrBlock": "172.16.0.0/16",
//         "IsDefault": true,
//         "Ipv6CidrBlock": "",
//         "DnsServerSet": null,
//         "DomainName": "",
//         "DhcpOptionsId": ""
//       },
//       "ResourceCreationTime": 1520431078,
//       "ResourceType": "QCS::VPC::Vpc",
//       "ResourceId": "vpc-q252nx9j",
//       "ResourceStatus": "",
//       "ResourceName": "Default-VPC",
//       "Tags": null,
//       "CaptureTime": 1686500243
//     }
//   },
//   "RuleParameters": {
//     "234": "324"
//   },
//   "ResultToken": "Wm9yZlY3WmlKa3cxaW1oQpgtklO2shRhG1gtxnC4qyszJtkSz5ZpZDshF6YyaaIAagGsEAcidC-VFNJHtRfXfam_FHMR_RhhelEAT4ApsKFQIBEZNaWN284dZS02f7uRT6w_zwHz5E1dXmNYvancDRgiCQHip_uUrif0Toypdbh1tuLODHgVN1csbaPKu3hb2-O-PBh824HACVUkDXJAp2KMQnqhNagmlUULjY-GMyM=",
//   "OrderingTimestamp": 1686537830
// }
func ReceiveMessage(ctx context.Context, event ClientContext) error {
	// This logs the whole event, ResultToken included; keep it for debugging only.
	eventStr, _ := json.Marshal(event)
	fmt.Println("SCF:ReceiveMessage:Event:", string(eventStr))
	return putRuleResult(event)
}

// getComplianceType evaluates the resource. Implement your own logic here and
// return COMPLIANT or NON_COMPLIANT. This placeholder marks every resource
// COMPLIANT, so it must not be deployed unchanged.
func getComplianceType(configurationStr string) string {
	return "COMPLIANT"
}

func putRuleResult(event ClientContext) error {
	evaluations := make([]*config.Evaluation, 0)
	// 1: build the evaluation result; the format must follow this example
	complianceType := getComplianceType(event.InvokingEvent.ConfigurationItem.Configuration)
	configuration := "xxxx" // observed value, reported in the annotation
	desiredValue := "xxxxx" // expected value, reported in the annotation
	evaluation := &config.Evaluation{
		ComplianceResourceId:   &event.InvokingEvent.ConfigurationItem.ResourceId,
		ComplianceResourceType: &event.InvokingEvent.ConfigurationItem.ResourceType,
		ComplianceRegion:       &event.InvokingEvent.ConfigurationItem.Region,
		ComplianceType:         &complianceType,
		Annotation: &config.Annotation{
			Configuration: &configuration,
			DesiredValue:  &desiredValue,
		},
	}
	evaluations = append(evaluations, evaluation)

	// 2: report the evaluation result
	// The credential must carry the Config_QCSLinkedRoleInConfigRecorder service role.
	// "xxxx"/"xxxxx" are placeholders: read the SecretId/SecretKey from the function's
	// environment variables instead of hardcoding them in source.
	credential := common.NewCredential(
		"xxxx",
		"xxxxx",
	)
	cpf := profile.NewClientProfile()
	cpf.HttpProfile.Endpoint = "config.internal.tencentcloudapi.com"
	client, _ := config.NewClient(credential, "ap-guangzhou", cpf)
	request := config.NewPutEvaluationsRequest()
	request.ResultToken = &event.ResultToken
	request.Evaluations = evaluations
	response, err := client.PutEvaluations(request)
	if _, ok := err.(*errors.TencentCloudSDKError); ok {
		fmt.Printf("An API error has returned: %s", err)
		return err
	}
	if err != nil {
		return err
	}
	// print the response as a JSON string
	fmt.Printf("%s", response.ToJsonString())
	return nil
}
```
Note:
The comments in the code above describe each field of the event and each step of reporting the result.
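The sample's getComplianceType is only a stub. The following is a worked example of a real evaluation, added here as an illustration; it is not part of the original page or of the Tencent Cloud SDK. It evaluates the QCS::VPC::Vpc configuration shown in the sample event: a VPC is COMPLIANT only if it is not the account's default VPC and its CidrBlock lies inside one of the CIDRs given in a rule parameter named allowedCidrs (an assumed name, to be set on the Parameter settings step). Anything the rule cannot parse, including a missing parameter, is returned as an error rather than a verdict, so a malformed event can never turn into a silent COMPLIANT the way the stub does. It uses the standard library only, so it runs offline; the embedded event is constructed from the page's sample, and Configuration is accepted either as an embedded object (as the sample shows) or as a JSON-encoded string (as the struct on the page declares).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Event fields this rule reads; names mirror the page's ClientContext and
// ConfigurationItem. Configuration stays raw so EvaluateEvent can accept both forms.
type evalEvent struct {
	InvokingEvent struct {
		ConfigurationItem struct {
			Configuration json.RawMessage `json:"Configuration"`
		} `json:"ConfigurationItem"`
	} `json:"InvokingEvent"`
	RuleParameters map[string]string `json:"RuleParameters"`
}

// VPC fields the rule inspects, taken from the page's sample event.
type vpcConfiguration struct {
	CidrBlock string `json:"CidrBlock"`
	IsDefault bool   `json:"IsDefault"`
}

// Verdict maps onto config.Evaluation: ComplianceType plus Annotation.Configuration/DesiredValue.
type Verdict struct {
	ComplianceType string // "COMPLIANT" or "NON_COMPLIANT"
	Configuration  string
	DesiredValue   string
}

// cidrWithin reports whether the inner block lies entirely inside outer.
func cidrWithin(inner, outer *net.IPNet) bool {
	innerOnes, innerBits := inner.Mask.Size()
	outerOnes, outerBits := outer.Mask.Size()
	return innerBits == outerBits && innerOnes >= outerOnes && outer.Contains(inner.IP)
}

// EvaluateVPC returns COMPLIANT only if the VPC is not the default VPC and its CidrBlock
// lies inside one of the comma-separated CIDRs in the assumed rule parameter "allowedCidrs".
// Unreadable input (including a missing parameter) is an error, not a verdict: fail closed.
func EvaluateVPC(configuration []byte, params map[string]string) (Verdict, error) {
	var cfg vpcConfiguration
	if err := json.Unmarshal(configuration, &cfg); err != nil {
		return Verdict{}, fmt.Errorf("decode VPC configuration: %w", err)
	}
	allowedParam := strings.TrimSpace(params["allowedCidrs"])
	var allowed []*net.IPNet
	for _, entry := range strings.Split(allowedParam, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(entry))
		if err != nil {
			return Verdict{}, fmt.Errorf("bad allowedCidrs entry %q: %w", entry, err)
		}
		allowed = append(allowed, n)
	}
	v := Verdict{
		ComplianceType: "NON_COMPLIANT",
		Configuration:  fmt.Sprintf("IsDefault=%t CidrBlock=%s", cfg.IsDefault, cfg.CidrBlock),
		DesiredValue:   "IsDefault=false CidrBlock within " + allowedParam,
	}
	if cfg.IsDefault {
		return v, nil
	}
	_, vpcNet, err := net.ParseCIDR(cfg.CidrBlock)
	if err != nil {
		return Verdict{}, fmt.Errorf("bad CidrBlock %q: %w", cfg.CidrBlock, err)
	}
	for _, a := range allowed {
		if cidrWithin(vpcNet, a) {
			v.ComplianceType = "COMPLIANT"
		}
	}
	return v, nil
}

// EvaluateEvent decodes a full evaluation event and evaluates its resource.
func EvaluateEvent(raw []byte) (Verdict, error) {
	var ev evalEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return Verdict{}, fmt.Errorf("decode event: %w", err)
	}
	cfg := []byte(ev.InvokingEvent.ConfigurationItem.Configuration)
	if strings.HasPrefix(strings.TrimSpace(string(cfg)), `"`) { // JSON-encoded string form
		var s string
		if err := json.Unmarshal(cfg, &s); err != nil {
			return Verdict{}, fmt.Errorf("decode configuration string: %w", err)
		}
		cfg = []byte(s)
	}
	return EvaluateVPC(cfg, ev.RuleParameters)
}

// Constructed sample event, cut down from the page's sample: the default VPC.
const sampleEvent = `{"InvokingEvent":{"ConfigurationItem":{"ResourceType":"QCS::VPC::Vpc",
 "Configuration":{"CidrBlock":"172.16.0.0/16","IsDefault":true}}},
 "RuleParameters":{"allowedCidrs":"10.0.0.0/8, 172.16.0.0/12"}}`
```

To wire it into the sample function, call EvaluateEvent from ReceiveMessage, copy the Verdict fields into config.Evaluation (ComplianceType, Annotation.Configuration, Annotation.DesiredValue), and return the error from the handler so a bad event shows up as a failed invocation instead of a passing evaluation.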
4. On the Associate resources page, select the resource types the rule applies to. You can narrow the scope by tag or by region as needed, and exclude specific resources by resource ID, then click Next.
![](https://qcloudimg.tencent-cloud.cn/image/document/d9ee2e0cf42c9089322e0587eddc5211.png)
5. On the Trigger mechanism page, select how the rule is triggered as needed, then click Next.
![](https://qcloudimg.tencent-cloud.cn/image/document/cd4c04d2740dc2af55e3d53f540c6111.png)
6. On the Parameter settings page, set the values of the rule function's parameters (these reach the function as RuleParameters in the event), then click Next.
![](https://qcloudimg.tencent-cloud.cn/image/document/e98c7ffd73da28ebe4469f52d0b4c045.png)
7. On the Preview and save page, review the settings of the custom rule; go back to a previous step if anything needs changing. Once everything is correct, click Save to create the rule.
![](https://qcloudimg.tencent-cloud.cn/image/document/2194062623b4e3e7dcf6c06e98b7ef14.png)