AWS Config rule multi-account deployment does not work

Time: 2020-08-21 12:46:04

Tags: amazon-web-services aws-organizations aws-config

I followed the AWS documentation below to create a Config rule on all child accounts of the organization master account. All of the child-account Config rules should trigger the Lambda function I deployed in the organization master account. I was able to set it up, but the child-account Config rules do not trigger the Lambda in my organization master account. I don't know what I am missing here.

https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

I have 2 accounts in total:

Organization master account: 94XXXXXXXXXX (all features enabled)
Child account: 89XXXXXXXXXX
default_region: us-east-2

Below are the steps I followed (I used a Cloud9 environment for the setup):

Step 1:

Create a Lambda function with the following permissions (Mycode-Bitbucket

  1. Name: tag-validation
  2. ARN: arn:aws:lambda:us-east-2:94XXXXXXXXXX:function:tag-validation
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "config:Put*",
                "config:Get*",
                "config:List*",
                "config:Describe*",
                "config:BatchGet*",
                "config:Select*",
                "organizations:*",
                "logs:*"
            ],
            "Resource": "*"
        }
    ]
}

Step 2:

Add/update the Lambda resource policy (allow the child account's Config service to trigger the master-account Lambda):

aws lambda add-permission --function-name tag-validation --statement-id childaccount --action lambda:InvokeFunction --principal 89XXXXXXXXXX --output text
aws lambda add-permission --function-name tag-validation --region us-east-2 --action lambda:InvokeFunction --statement-id config-childaccount \
--principal config.amazonaws.com --source-account 89XXXXXXXXXX

Step 3:

Create the Config rule on all accounts:

aws configservice put-organization-config-rule --cli-input-json file://custom-rule-metadata.json

{
    "OrganizationConfigRuleName": "org_tag_validation",
    "OrganizationCustomRuleMetadata": {
        "Description": "validate the tag at organization level",
        "LambdaFunctionArn": "arn:aws:lambda:us-east-2:94XXXXXXXXXX:function:tag-validation",
        "OrganizationConfigRuleTriggerTypes": [
                    "ConfigurationItemChangeNotification",
                    "OversizedConfigurationItemChangeNotification"
        ],
        "InputParameters": "{\"MandatoryTags\": \"Name,environment,type\"}",
        "ResourceTypesScope": [
            "AWS::EC2:Instance"
        ]
    }
}

Describe the organization Config rule:

aws configservice get-organization-config-rule-detailed-status --organization-config-rule-name org_tag_validation
{
    "OrganizationConfigRuleDetailedStatus": [
        {
            "AccountId": "94XXXXXXXXXX",
            "ConfigRuleName": "OrgConfigRule-org_tag_validation-1xcosgps",
            "MemberAccountRuleStatus": "CREATE_SUCCESSFUL",
            "LastUpdateTime": 1598002336.574
        },
        {
            "AccountId": "89XXXXXXXXXX",
            "ConfigRuleName": "OrgConfigRule-org_tag_validation-1xcosgps",
            "MemberAccountRuleStatus": "CREATE_SUCCESSFUL",
            "LastUpdateTime": 1598002336.574
        }
    ]
}

I am able to see the Config rule from both the master account and the child account.

Step 4:

Create an EC2 instance (in either the master account or the child account) and add some tags to validate the Config rule.

Ideally the Config rule should trigger the master-account Lambda, but that does not happen. Any clues?
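The four steps above hinge on two pieces of configuration: the organization rule metadata passed to `put-organization-config-rule`, and the Lambda resource policy that lets `config.amazonaws.com` invoke the function from each member account. The following is an added example, not code from the question or from AWS; it is a static checker for those two documents, using only the Python standard library. It assumes constructed 12-digit account IDs in place of the masked ones in the question, assumes that `aws lambda add-permission --source-account` stores the restriction as a `StringEquals` condition on `AWS:SourceAccount`, and embeds the rule metadata exactly as posted. Two things it surfaces on the posted setup: the resource type `AWS::EC2:Instance` is missing a colon (Config resource types are `AWS::Service::Type`, here `AWS::EC2::Instance`), and the detailed status shows the rule was created in the master account as well as the child account, while step 2 only grants the Config service principal for the child account.

```python
"""Static checks for an organization custom Config rule and its Lambda resource policy.

Added example, not from the original question. Inputs are plain dicts: the JSON
consumed by `aws configservice put-organization-config-rule --cli-input-json`
and the policy document returned by `aws lambda get-policy`.
"""
import json
import re

# Config resource types always have the form AWS::Service::Type (two "::" separators).
RESOURCE_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")
LAMBDA_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):function:(?P<name>[A-Za-z0-9_-]+)$"
)
# Trigger types accepted in OrganizationCustomRuleMetadata.
VALID_TRIGGERS = {
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
    "ScheduledNotification",
}


def validate_rule_metadata(rule: dict, management_account: str, region: str) -> list:
    """Return a list of findings; an empty list means the metadata looks consistent."""
    findings = []
    meta = rule["OrganizationCustomRuleMetadata"]

    arn = LAMBDA_ARN_RE.match(meta.get("LambdaFunctionArn", ""))
    if arn is None:
        findings.append("LambdaFunctionArn is not a well-formed Lambda function ARN")
    else:
        if arn["account"] != management_account:
            findings.append("LambdaFunctionArn does not belong to the management account")
        if arn["region"] != region:
            findings.append(f"LambdaFunctionArn is in {arn['region']}, rule is deployed in {region}")

    for trigger in meta.get("OrganizationConfigRuleTriggerTypes", []):
        if trigger not in VALID_TRIGGERS:
            findings.append(f"unknown trigger type {trigger!r}")

    for rtype in meta.get("ResourceTypesScope", []):
        if not RESOURCE_TYPE_RE.match(rtype):
            findings.append(f"resource type {rtype!r} is malformed, expected AWS::Service::Type")

    # InputParameters is a JSON document passed as a string; make sure it parses.
    try:
        json.loads(meta.get("InputParameters", "{}"))
    except ValueError:
        findings.append("InputParameters is not valid JSON")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def accounts_without_config_grant(policy: dict, accounts: list) -> list:
    """Return the accounts for which no Allow statement lets config.amazonaws.com invoke the function.

    A service-principal statement without a SourceAccount condition covers every account;
    one with an AWS:SourceAccount condition covers only the listed account(s).
    """
    covered = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "config.amazonaws.com" not in services:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        # Assumption: `add-permission --source-account` writes the condition under this key.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        source = next((v for k, v in equals.items() if k.lower() == "aws:sourceaccount"), None)
        if source is None:
            covered.update(accounts)
        else:
            covered.update(_as_list(source))
    return [a for a in accounts if a not in covered]


# Constructed sample IDs standing in for the masked account IDs in the question.
MANAGEMENT_ACCOUNT = "940000000000"
CHILD_ACCOUNT = "890000000000"
REGION = "us-east-2"

# The rule metadata as posted in the question (note the resource type spelling).
RULE = {
    "OrganizationConfigRuleName": "org_tag_validation",
    "OrganizationCustomRuleMetadata": {
        "Description": "validate the tag at organization level",
        "LambdaFunctionArn": f"arn:aws:lambda:{REGION}:{MANAGEMENT_ACCOUNT}:function:tag-validation",
        "OrganizationConfigRuleTriggerTypes": [
            "ConfigurationItemChangeNotification",
            "OversizedConfigurationItemChangeNotification",
        ],
        "InputParameters": "{\"MandatoryTags\": \"Name,environment,type\"}",
        "ResourceTypesScope": ["AWS::EC2:Instance"],
    },
}

# Constructed resource policy: what the two add-permission calls in step 2 leave behind.
LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "childaccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CHILD_ACCOUNT}:root"},
            "Action": "lambda:InvokeFunction",
            "Resource": f"arn:aws:lambda:{REGION}:{MANAGEMENT_ACCOUNT}:function:tag-validation",
        },
        {
            "Sid": "config-childaccount",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": f"arn:aws:lambda:{REGION}:{MANAGEMENT_ACCOUNT}:function:tag-validation",
            "Condition": {"StringEquals": {"AWS:SourceAccount": CHILD_ACCOUNT}},
        },
    ],
}

if __name__ == "__main__":
    for finding in validate_rule_metadata(RULE, MANAGEMENT_ACCOUNT, REGION):
        print("rule:", finding)
    for account in accounts_without_config_grant(LAMBDA_POLICY, [MANAGEMENT_ACCOUNT, CHILD_ACCOUNT]):
        print("no config.amazonaws.com grant covering account", account)
```

Run against a real deployment by replacing `RULE` with the contents of `custom-rule-metadata.json` and `LAMBDA_POLICY` with the parsed `Policy` field from `aws lambda get-policy --function-name tag-validation --region us-east-2`, and passing every account listed by `get-organization-config-rule-detailed-status` to `accounts_without_config_grant`. Both checks are offline, so they are cheap to run before `put-organization-config-rule` and after each `add-permission`.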

0 answers