I am trying to use CDK to set up an email notification for when the compliance status of the managed rule "maxAccessKeyAge" becomes non-compliant. I have followed this guide: https://repost.aws/knowledge-center/config-resource-non-compliant
Unfortunately, I do not receive any email when the compliance status changes. If I look at the monitoring dashboard of the event bus, no invocations are registered.
This is the event pattern of my EventBridge rule:
    {
      "detail-type": ["Config Rules Compliance Change"],
      "detail": {
        "configRuleName": ["access-keys-rotated"],
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {
          "annotation": ["IAM Access Keys are not rotated within an year."],
          "complianceType": ["NON_COMPLIANT"]
        },
        "resourceType": ["AWS::IAM::AccessKey"]
      },
      "source": ["aws.config"]
    }
This is my code that creates the "monitoring infrastructure":
    from aws_cdk import aws_events_targets as targets
    from aws_cdk.aws_config import (
        ManagedRule,
        ManagedRuleIdentifiers,
        MaximumExecutionFrequency,
    )
    from aws_cdk.aws_events import EventBus, EventPattern, Rule
    from aws_cdk.aws_sns import Topic


    def access_keys_rotated(self, sns_topic: Topic):
        # AWS Config managed rule: flags active IAM access keys older than
        # maxAccessKeyAge days (350 here), evaluated once every 24 hours.
        managed_rule = ManagedRule(
            self,
            id="access-keys-rotated",
            identifier=ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
            config_rule_name="access-keys-rotated",
            description="Checks if active IAM access keys are rotated within a year.",
            input_parameters={"maxAccessKeyAge": 350},
            maximum_execution_frequency=MaximumExecutionFrequency.TWENTY_FOUR_HOURS,
        )
        # EventBridge rule reacting to compliance changes of that Config rule.
        # Note: events emitted by AWS services (source "aws.config") are
        # delivered to the account's default event bus, so a rule attached to
        # a custom bus such as "eventbus" only sees them if they are forwarded.
        event_rule = Rule(
            self,
            id="access-keys-rotated-eventrule",  # fixed: opening quote was missing
            event_bus=EventBus.from_event_bus_name(
                scope=self,
                id="iam-compliance-rules-akr",
                event_bus_name="eventbus",
            ),
            event_pattern=EventPattern(
                source=["aws.config"],
                detail_type=["Config Rules Compliance Change"],
                detail={
                    "messageType": ["ComplianceChangeNotification"],
                    "configRuleName": [managed_rule.config_rule_name],
                    "resourceType": ["AWS::IAM::AccessKey"],
                    "newEvaluationResult": {
                        "complianceType": ["NON_COMPLIANT"],
                        # Exact-text filter: the event only matches if Config's
                        # annotation is character-for-character identical.
                        "annotation": [
                            "IAM Access Keys are not rotated within an year."
                        ],
                    },
                },
            ),
        )
        # Deliver matching events to the SNS topic (email subscription).
        event_rule.add_target(
            targets.SnsTopic(
                sns_topic,  # type: ignore
                retry_attempts=2,
            )
        )
In the console, everything looks the way I assumed. I have subscribed to the SNS topic via email. The event pattern looks correct to me.
Does anyone know what I am doing wrong? I appreciate every hint in the right direction.
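As an added example (not code from the original post or from AWS), the following offline check runs the event pattern from the question through a simplified matcher against a constructed Config compliance-change event; the annotation text in the sample event is an assumption, and content filters such as prefix or anything-but are not implemented. It also shows that the exact-text annotation filter drops an otherwise matching event as soon as the annotation wording differs.

```python
import copy

PATTERN = {  # the EventBridge pattern from the question, exactly as posted
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["access-keys-rotated"],
        "resourceType": ["AWS::IAM::AccessKey"],
        "newEvaluationResult": {
            "complianceType": ["NON_COMPLIANT"],
            "annotation": ["IAM Access Keys are not rotated within an year."],
        },
    },
}

# Constructed sample event; the annotation text is assumed, not copied from AWS Config.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "messageType": "ComplianceChangeNotification",
        "configRuleName": "access-keys-rotated",
        "resourceType": "AWS::IAM::AccessKey",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "annotation": "IAM Access Keys are not rotated within an year.",
        },
    },
}

def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching: every pattern key must exist in the event,
    a list means 'equals one of these literals', a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def with_annotation(event: dict, text: str) -> dict:
    """Copy of the event carrying a different annotation text (see the test)."""
    e = copy.deepcopy(event)
    e["detail"]["newEvaluationResult"]["annotation"] = text
    return e
```

Running `matches(PATTERN, SAMPLE_EVENT)` returns True, while the same event with any other annotation wording no longer matches; dropping the annotation key from the pattern avoids that dependency on free text.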
It is worth taking a closer look at how the permissions that allow EventBridge to publish to that topic are set up.
When one AWS service works with another AWS service, you usually have 3 options:
This link describes how to add a resource policy that allows EventBridge to publish to a topic: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-sns-permissions