CDK Construct Library for AWS::Config
Detailed description of the aws-cdk.aws-config Python project
AWS Config Construct Library
This is a developer preview (public beta) module. Releases might lack important features and might have future breaking changes.
This API is still under active development and subject to non-backward compatible changes or removal in any future version. Use of the API is not recommended in production environments. Experimental APIs are not subject to the Semantic Versioning model.
This module is part of the AWS Cloud Development Kit project.
Supported:
- Config rules
Not supported:
- Configuration recorder
- Delivery channel
- Aggregation
Rules
AWS managed rules
To set up a managed rule, define a ManagedRule and specify its identifier:
```ts
new ManagedRule(this, 'AccessKeysRotated', { identifier: 'ACCESS_KEYS_ROTATED' });
```
The available identifiers and parameters are listed in the List of AWS Config Managed Rules.
Higher-level constructs for managed rules are available; see Managed Rules. Prefer these constructs when one exists for your rule (PRs adding more of them are welcome).
Custom rules
To set up a custom rule, define a CustomRule and specify the Lambda function to run and the trigger types:
```ts
new CustomRule(this, 'CustomRule', { lambdaFunction: myFn, configurationChanges: true, periodic: true });
```
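The README only names the Lambda function the rule invokes; the following is an added example (not code from the aws-cdk.aws-config project) of what that function's evaluation logic looks like. It handles both trigger types the construct exposes: `configurationChanges: true` delivers a `ConfigurationItemChangeNotification` carrying one configuration item, and `periodic: true` delivers a `ScheduledNotification` with no item attached. The event and evaluation shapes are those of the AWS Config custom-rule contract; the `requiredTags` rule parameter, the policy it enforces (every EC2 instance must carry the named tags) and the sample resources are assumptions. The final `PutEvaluations` call to AWS Config is left out so the code runs offline.

```typescript
// Added example, not part of the aws-cdk.aws-config README.
// Evaluation logic for a Lambda function behind a CustomRule.
// Assumptions: the rule parameter "requiredTags" and the sample resources below.

type ComplianceType = 'COMPLIANT' | 'NON_COMPLIANT' | 'NOT_APPLICABLE';

interface ConfigurationItem {
  resourceType: string;
  resourceId: string;
  configurationItemCaptureTime: string;
  tags: Record<string, string>;
}

interface Evaluation {
  ComplianceResourceType: string;
  ComplianceResourceId: string;
  ComplianceType: ComplianceType;
  OrderingTimestamp: string;
  Annotation?: string;
}

// Shape of the event AWS Config sends to a custom rule's Lambda function.
interface ConfigRuleEvent {
  invokingEvent: string;    // JSON string: { messageType, configurationItem?, ... }
  ruleParameters?: string;  // JSON string: the rule's input parameters
  resultToken: string;      // token to pass back with PutEvaluations
  eventLeftScope: boolean;  // true when the resource was deleted or left the rule's scope
}

// Policy: every EC2 instance must carry each tag named in requiredTags.
function evaluateInstance(item: ConfigurationItem, requiredTags: string[]): Evaluation {
  const base = {
    ComplianceResourceType: item.resourceType,
    ComplianceResourceId: item.resourceId,
    OrderingTimestamp: item.configurationItemCaptureTime,
  };
  if (item.resourceType !== 'AWS::EC2::Instance') {
    // Scope is set on the rule, but the handler still guards itself.
    return { ...base, ComplianceType: 'NOT_APPLICABLE' };
  }
  const missing = requiredTags.filter((t) => !(t in item.tags));
  if (missing.length > 0) {
    return { ...base, ComplianceType: 'NON_COMPLIANT', Annotation: 'missing tags: ' + missing.join(', ') };
  }
  return { ...base, ComplianceType: 'COMPLIANT' };
}

// Turns one Config invocation into the evaluations to report back.
function buildEvaluations(event: ConfigRuleEvent): Evaluation[] {
  const invoking = JSON.parse(event.invokingEvent);
  const params = event.ruleParameters ? JSON.parse(event.ruleParameters) : {};
  const requiredTags = String(params.requiredTags || '')
    .split(',').map((s) => s.trim()).filter((s) => s.length > 0);

  if (invoking.messageType === 'ConfigurationItemChangeNotification') {
    // configurationChanges: true -> exactly one configuration item per invocation
    const item = invoking.configurationItem as ConfigurationItem;
    if (event.eventLeftScope) {
      return [{
        ComplianceResourceType: item.resourceType,
        ComplianceResourceId: item.resourceId,
        ComplianceType: 'NOT_APPLICABLE',
        OrderingTimestamp: item.configurationItemCaptureTime,
      }];
    }
    return [evaluateInstance(item, requiredTags)];
  }
  if (invoking.messageType === 'ScheduledNotification') {
    // periodic: true -> no item attached; a real handler would enumerate
    // instances through the Config or EC2 API here. Nothing to report offline.
    return [];
  }
  throw new Error('unexpected messageType: ' + invoking.messageType);
}

// Lambda entry point. In production the result is sent with the AWS SDK:
//   configService.putEvaluations({ Evaluations: evaluations, ResultToken: event.resultToken })
async function handler(event: ConfigRuleEvent): Promise<Evaluation[]> {
  return buildEvaluations(event);
}

// Constructed sample invocation (not a real captured event).
function sampleChangeEvent(item: ConfigurationItem, leftScope = false): ConfigRuleEvent {
  return {
    invokingEvent: JSON.stringify({ messageType: 'ConfigurationItemChangeNotification', configurationItem: item }),
    ruleParameters: JSON.stringify({ requiredTags: 'Cost Center' }),
    resultToken: 'constructed-token',
    eventLeftScope: leftScope,
  };
}

// Constructed instance tagged only with Name, so it fails the "Cost Center" requirement.
const UNTAGGED_INSTANCE: ConfigurationItem = {
  resourceType: 'AWS::EC2::Instance',
  resourceId: 'i-0123456789abcdef0',
  configurationItemCaptureTime: '2019-01-01T00:00:00.000Z',
  tags: { Name: 'web-1' },
};

handler(sampleChangeEvent(UNTAGGED_INSTANCE)).then((evs) => console.log(JSON.stringify(evs)));
```

Keeping the policy in `evaluateInstance` separate from the event plumbing in `buildEvaluations` lets the policy be unit-tested without AWS credentials, and the `eventLeftScope` branch matters: a deleted resource must be reported as `NOT_APPLICABLE`, otherwise its last evaluation lingers in the compliance view.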
Restricting the scope
By default, rules are triggered by changes to all resources. Use the scopeToResource(), scopeToResources() or scopeToTag() methods to restrict the scope of both managed and custom rules:
```ts
const sshRule = new ManagedRule(this, 'SSH', { identifier: 'INCOMING_SSH_DISABLED' });

// Restrict to a specific security group
sshRule.scopeToResource('AWS::EC2::SecurityGroup', 'sg-1234567890abcdefgh');

const customRule = new CustomRule(this, 'CustomRule', { lambdaFunction: myFn, configurationChanges: true });

// Restrict to a specific tag
customRule.scopeToTag('Cost Center', 'MyApp');
```
Only one type of scope restriction can be added to a rule (the last call to scopeToXxx() sets the scope).
Events
To define Amazon CloudWatch event rules, use the onComplianceChange() or onReEvaluationStatus() methods:
```ts
const rule = new CloudFormationStackDriftDetectionCheck(this, 'Drift');
rule.onComplianceChange('TopicEvent', { target: new targets.SnsTopic(topic) });
```
Example
Creating custom and managed rules with scope restriction and events:
```ts
// A custom rule that runs on configuration changes of EC2 instances
const fn = new lambda.Function(this, 'CustomFunction', {
  code: lambda.AssetCode.fromInline('exports.handler = (event) => console.log(event);'),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_8_10
});

const customRule = new config.CustomRule(this, 'Custom', {
  configurationChanges: true,
  lambdaFunction: fn
});

customRule.scopeToResource('AWS::EC2::Instance');

// A rule to detect stack drifts
const driftRule = new config.CloudFormationStackDriftDetectionCheck(this, 'Drift');

// Topic for compliance events
const complianceTopic = new sns.Topic(this, 'ComplianceTopic');

// Send notification on compliance change
driftRule.onComplianceChange('ComplianceChange', {
  target: new targets.SnsTopic(complianceTopic)
});
```