Cloud-Berechtigungen, die zum Erfassen der Konfigurationsschlüssel des Cloud Configuration Governance-Basissystems erforderlich sind
Cloud Configuration Governance erfordert geeignete Cloud-Berechtigungen zum Erfassen der Konfigurationsschlüssel des Basissystems aus der Cloud. Daher müssen Sie die entsprechenden Berechtigungen in der Cloud entsprechend den Anforderungen Ihrer Organisation festlegen.
Hinweis:
Ab Cloud Configuration Governance Version 1.3.7 werden die Basissysteminhalte in den CCG Inhaltspaketverschoben. Installieren Sie [], um auf die Inhalte des Basissystems Cloud Configuration GovernanceCCG Inhaltspaket zuzugreifen.
Amazon Web Services (AWS)-Rechenzentrum
Cloud Configuration Governance verwendet die folgenden Elemente, um den Konfigurationsschlüssel für die Konfigurationsschlüssel des AWS-Rechenzentrums zu erfassen:
- Ressourcensammler: Cloud-Servicekonto
- Verwendete Cloud-API: Aktion: DescribeRegions
- Cloud-Berechtigungen: ec2: DescribeRegions
| Konfigurationsschlüssel | Datentyp |
|---|---|
| AWS:EC2:VM:DescribeRegions | String |
AWS Identity and Access Management (IAM)-Benutzer
Cloud Configuration Governance verwendet die folgenden Elemente, um die Konfigurationsschlüssel für AWS IAM-Benutzer zu erfassen:
- Ressourcensammler: AWS IAM User Data Collector
- Verwendete Cloud-API:
- Aktion: GetCredentialReport und GenerateCredentialReport
- Service: AWS IAM service
- Cloud-Berechtigungen: Iam:GetCredentialReport und Iam:GenerateCredentialReport
| Konfigurationsschlüssel | Datentyp |
|---|---|
| AWS:IAM:Policy:ARN | String |
| AWS:IAM:Policy:AttachmentCount | String |
| AWS:IAM:Policy:CreateDate | String |
| AWS:IAM:Policy:PolicyName | String |
| AWS:IAM:Policy:UpdateDate | String |
| AWS:IAM:User:AccessKey1.active | Boolean |
| AWS:IAM:User:AccessKey1.lastRotated | Date |
| AWS:IAM:User:AccessKey1.lastUsedDate | Date |
| AWS:IAM:User:AccessKey1.lastUsedRegion | String |
| AWS:IAM:User:AccessKey1.lastUsedService | String |
| AWS:IAM:User:AccessKey2.active | Boolean |
| AWS:IAM:User:AccessKey2.lastRotated | Date |
| AWS:IAM:User:AccessKey2.lastUsedDate | Date |
| AWS:IAM:User:AccessKey2.lastUsedRegion | String |
| AWS:IAM:User:AccessKey2.lastUsedService | String |
| AWS:IAM:User:Certificate1.active | Boolean |
| AWS:IAM:User:Certificate1.lastRotated | Date |
| AWS:IAM:User:Certificate2.active | Boolean |
| AWS:IAM:User:Certificate2.lastRotated | Date |
| AWS:IAM:User:CreationTime | Date |
| AWS:IAM:User:LoginProfile.active | Boolean |
| AWS:IAM:User:MfaEnabled | Boolean |
| AWS:IAM:User:PasswordEnabled | Boolean |
| AWS:IAM:User:PasswordLastChanged | String |
| AWS:IAM:User:PasswordLastUsed | Date |
| AWS:IAM:User:PasswordNextRotation | String |
AWS-Objektspeicher
Cloud Configuration Governance verwendet die folgenden Elemente, um die Konfigurationsschlüssel für AWS IAM-Benutzer zu erfassen:
- Konfigurationssammler: AWS S3 Encryption Metric Collector
- Ressourcensammler: AWS S3 Resource Collector
- Verwendete Cloud-API: Aktion: ListBuckets und GetBucketEncryption im S3-Service
- Cloud-Berechtigungen: s3:ListBucket und s3:GetEncryptionConfiguration
| Konfigurationsschlüssel | Datentyp |
|---|---|
| AWS:S3:Encryption:BucketKeyEnabled | Boolean |
| AWS:S3:Encryption:KMSMasterKeyID | String |
| AWS:S3:Encryption:ServerSideEncryptionEnabled | Boolean |
| AWS:S3:Encryption:SSEAlgorithm | String |
- Konfigurationssammler: AWS S3 ACL Permission Metric Collector
- Ressourcensammler: AWS S3 Resource Collector
- Verwendete Cloud-API: Aktion: GetBucketAcl
- Cloud-Berechtigungen: s3:GetBucketAcl
| Konfigurationsschlüssel | Datentyp |
|---|---|
| AWS:S3:ACL:AuthnUsersListing | Boolean |
| AWS:S3:ACL:AuthnUsersReadACL | Boolean |
| AWS:S3:ACL:AuthnUsersWrite | Boolean |
| AWS:S3:ACL:AuthnUsersWriteACL | Boolean |
| AWS:S3:ACL:OwnerFullControl | Boolean |
| AWS:S3:ACL:OwnerId | String |
| AWS:S3:ACL:OwnerListing | Boolean |
| AWS:S3:ACL:OwnerName | String |
| AWS:S3:ACL:OwnerReadACL | Boolean |
| AWS:S3:ACL:OwnerWrite | Boolean |
| AWS:S3:ACL:OwnerWriteACL | Boolean |
| AWS:S3:ACL:PublicListing | Boolean |
| AWS:S3:ACL:PublicReadACL | Boolean |
| AWS:S3:ACL:PublicWrite | Boolean |
| AWS:S3:ACL:PublicWriteACL | Boolean |
AWS-VM-Instanz
Cloud Configuration Governance verwendet die folgenden Elemente, um die Konfigurationsschlüssel der AWS-VM-Instanz zu erfassen:
- Ressourcensammler: AWS VM Data Collector
- Verwendete Cloud-API: Aktion: DescribeInstances and AWS EC2 resource
- Cloud-Berechtigungen: ec2:DescribeInstances
| Konfigurationsschlüssel | Datentyp |
|---|---|
| AWS:EC2:VM:CapacityReservationPreference | String |
| AWS:EC2:VM:CpuOptionsCoreCount | Numeric |
| AWS:EC2:VM:CpuOptionsThreadsPerCore | Numeric |
| AWS:EC2:VM:EbsOptimized | Boolean |
| AWS:EC2:VM:HardwareType | String |
| AWS:EC2:VM:ImageId | String |
| AWS:EC2:VM:InstanceState | String |
| AWS:EC2:VM:KeyName | String |
| AWS:EC2:VM:LaunchTime | Date |
| AWS:EC2:VM:MonitoringState | String |
| AWS:EC2:VM:Platform | String |
| AWS:EC2:VM:PrivateDnsName | String |
| AWS:EC2:VM:PrivateIpAddress | String |
| AWS:EC2:VM:PublicDnsName | String |
| AWS:EC2:VM:PublicIPAddress | String |
| AWS:EC2:VM:SecurityGroups | String |
| AWS:EC2:VM:SubnetId | String |
| AWS:EC2:VM:Tags | Map |
| AWS:EC2:VM:UsageOperation | String |
| AWS:EC2:VM:VpcId | String |
AWS-Profil mit minimalen Berechtigungen
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GenerateCredentialReport",
"s3:GetEncryptionConfiguration",
"ec2:DescribeInstances",
"s3:ListBucketVersions",
"ec2:DescribeRegions",
"s3:ListBucket",
"iam:GetCredentialReport"
],
"Resource": "*"
}
]
}Microsoft Azure-VM-Instanz
Cloud Configuration Governance verwendet die folgenden Elemente, um die Konfigurationsschlüssel der Azure-VM-Instanz zu erfassen:
- Ressourcensammler: Azure VM Data Collector
- Verwendete Cloud-API: Microsoft.ResourceGraph/resources
- Cloud-Berechtigungen: Microsoft.ResourceGraph/resources
| Konfigurationsschlüssel | Datentyp |
|---|---|
| Azure:VM:HardwareType | String |
| Azure:VM:NICID | String |
| Azure:VM:OSDiskCaching | String |
| Azure:VM:OSDiskCreateoption | String |
| Azure:VM:OSDiskDeleteoption | String |
| Azure:VM:OSDiskId | String |
| Azure:VM:OSDiskName | String |
| Azure:VM:OSDiskOSType | String |
| Azure:VM:OSDiskSizeGB | String |
| Azure:VM:OSProfileAllowExtensionOperations | Boolean |
| Azure:VM:OSProfileComputerName | String |
| Azure:VM:OSProfileLinuxConfigurationDisablePasswordAuthentication | Boolean |
| Azure:VM:OSProfileLinuxConfigurationPatchSettingsAssessmentMode | String |
| Azure:VM:OSProfileLinuxConfigurationPatchSettingsPatchMode | String |
| Azure:VM:OSProfileLinuxConfigurationProvisionVmAgent | Boolean |
| Azure:VM:OSProfileLinuxConfigurationSSHKeyData | Map |
| Azure:VM:OSProfileLinuxConfigurationSSHPath | Map |
| Azure:VM:OSProfileRequireGuestProvisionSignal | Boolean |
| Azure:VM:OSWindowsConfigurationEnableAutomaticUpdates | Boolean |
| Azure:VM:OSWindowsConfigurationPatchSettingsAssessmentMode | String |
| Azure:VM:OSWindowsConfigurationPatchSettingsEnableHotpatching | Boolean |
| Azure:VM:OSWindowsConfigurationPatchSettingsPatchMode | String |
| Azure:VM:OSWindowsConfigurationProvisionVMAgent | Boolean |
| Azure:VM:PowerState | String |
| Azure:VM:ProvisioningState | String |
| Azure:VM:ResourceGroup | String |
| Azure:VM:StorageProfileDataDisksCaching | String |
| Azure:VM:StorageProfileDataDisksCreateOption | String |
| Azure:VM:StorageProfileDataDisksDeleteOption | String |
| Azure:VM:StorageProfileDataDisksDetachOption | String |
| Azure:VM:StorageProfileDataDisksDiskIopsReadWrite | String |
| Azure:VM:StorageProfileDataDisksDiskMBpsReadWrite | String |
| Azure:VM:StorageProfileDataDisksDiskSizeGb | Numeric |
| Azure:VM:StorageProfileDataDisksImage | String |
| Azure:VM:StorageProfileDataDisksLun | Numeric |
| Azure:VM:StorageProfileDataDisksManagedDiskDiskEncryptionSet | String |
| Azure:VM:StorageProfileDataDisksManagedDiskId | String |
| Azure:VM:StorageProfileDataDisksManagedDiskResourceGroup | String |
| Azure:VM:StorageProfileDataDisksManagedDiskStorageAccountType | String |
| Azure:VM:StorageProfileDataDisksManagedStorageAccountType | String |
| Azure:VM:StorageProfileDataDisksName | String |
| Azure:VM:StorageProfileDataDisksToBeDetached | Boolean |
| Azure:VM:StorageProfileDataDisksVhd | String |
| Azure:VM:StorageProfileDataDisksWriteAcceleratorEnabled | Boolean |
| Azure:VM:StorageProfileImageReferenceExactVersion | String |
| Azure:VM:StorageProfileImageReferenceId | String |
| Azure:VM:StorageProfileImageReferenceOffer | String |
| Azure:VM:StorageProfileImageReferencePublisher | String |
| Azure:VM:StorageProfileImageReferenceSharedGalleryImageId | String |
| Azure:VM:StorageProfileImageReferenceSku | String |
| Azure:VM:StorageProfileImageReferenceVersion | String |
| Azure:VM:Tags | Map |
| Azure:VM:VMId | String |
- Ressourcensammler: Azure VM Data Collector
- Configuration collector (Konfigurationssammler): Azure VM Metric Collector
- Verwendete Cloud-API: Microsoft.ResourceGraph/resources
- Cloud-Berechtigungen: Microsoft.ResourceGraph/resources
| Konfigurationsschlüssel | Datentyp |
|---|---|
| Azure:VM:PublicIPAddress | String |
| Azure:VM:PublicIPId | String |
- Ressourcensammler: Azure VM Data Collector
- Configuration collector (Konfigurationssammler): Azure VM Monitoring Metric Collector
- Verwendete Cloud-API: Microsoft.Compute/virtualMachines/{vmName}/instanceView
- Cloud-Berechtigungen: Microsoft.Compute/virtualMachines/{vmName}/instanceView
| Konfigurationsschlüssel | Datentyp |
|---|---|
| Azure:VM:MonitoringState | String |
Hinweis:
Verwenden Sie scope=https://graph.microsoft.com/.default und scope=https://management.azure.com/.default, um das oAuth-Token für Azure-Ressourcen abzurufen.
Azure-Profil mit minimalen Berechtigungen
{
"properties": {
"roleName": "CCGAzureMinimalPermission",
"description": "Grants access to scan compute resources from azure subscription",
"assignableScopes": [
"/subscriptions/${subscription_id}"
],
"permissions": [
{
"actions": [
"Microsoft.ResourceGraph/resources/read",
"Microsoft.Compute/virtualMachines/instanceView/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}