Cloud permissions required to collect Cloud Configuration Governance base system configuration keys
Cloud Configuration Governance needs matching cloud permissions to collect the base system's configuration keys from your cloud accounts. Grant those permissions in the cloud according to your organization's requirements; the collectors below list the API actions and permissions each one uses, and minimal permission profiles for AWS and Azure follow the key tables.
Amazon Web Services (AWS) data center
Cloud Configuration Governance uses the following to collect the AWS data center configuration key:
- Resource collector: Cloud service account
- Cloud API used: Action: DescribeRegions
- Cloud permission: ec2:DescribeRegions
| Configuration key | Data type |
|---|---|
| AWS:EC2:VM:DescribeRegions | String |
AWS Identity and Access Management (IAM) users
Cloud Configuration Governance uses the following to collect the AWS IAM user configuration keys:
- Resource collector: AWS IAM user data collector
- Cloud API used:
  - Actions: GetCredentialReport and GenerateCredentialReport
  - Service: AWS IAM service
- Cloud permissions: iam:GetCredentialReport and iam:GenerateCredentialReport
| Configuration key | Data type |
|---|---|
| AWS:IAM:Policy:ARN | String |
| AWS:IAM:Policy:AttachmentCount | String |
| AWS:IAM:Policy:CreateDate | String |
| AWS:IAM:Policy:PolicyName | String |
| AWS:IAM:Policy:UpdateDate | String |
| AWS:IAM:User:AccessKey1.active | Boolean |
| AWS:IAM:User:AccessKey1.lastRotated | Date |
| AWS:IAM:User:AccessKey1.lastUsedDate | Date |
| AWS:IAM:User:AccessKey1.lastUsedRegion | String |
| AWS:IAM:User:AccessKey1.lastUsedService | String |
| AWS:IAM:User:AccessKey2.active | Boolean |
| AWS:IAM:User:AccessKey2.lastRotated | Date |
| AWS:IAM:User:AccessKey2.lastUsedDate | Date |
| AWS:IAM:User:AccessKey2.lastUsedRegion | String |
| AWS:IAM:User:AccessKey2.lastUsedService | String |
| AWS:IAM:User:Certificate1.active | Boolean |
| AWS:IAM:User:Certificate1.lastRotated | Date |
| AWS:IAM:User:Certificate2.active | Boolean |
| AWS:IAM:User:Certificate2.lastRotated | Date |
| AWS:IAM:User:CreationTime | Date |
| AWS:IAM:User:LoginProfile.active | Boolean |
| AWS:IAM:User:MfaEnabled | Boolean |
| AWS:IAM:User:PasswordEnabled | Boolean |
| AWS:IAM:User:PasswordLastChanged | String |
| AWS:IAM:User:PasswordLastUsed | Date |
| AWS:IAM:User:PasswordNextRotation | String |
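The AWS:IAM:User:* keys above map one-to-one onto the columns of the IAM credential report that GetCredentialReport returns. The following is an added example, not the product's collector code: it parses a credential report into those key names and runs the checks a practitioner would want over them (console users without MFA, stale or never-used access keys). The report rows are constructed sample data, and the 90-day rotation threshold is an assumed policy value.

```python
"""Turn an IAM credential report into the AWS:IAM:User:* keys and run checks over them.

Added example, not the product's collector. The CSV layout is the one GetCredentialReport
returns (after base64 decoding); the rows below are constructed sample data, and the
90-day rotation threshold is an assumed policy value.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: one root row, one human user, one service user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T12:00:00+00:00,true,2024-05-20T09:15:00+00:00,2024-02-01T10:00:00+00:00,N/A,false,true,2022-01-05T10:00:00+00:00,2024-05-19T07:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-15T00:00:00+00:00,2024-05-21T11:00:00+00:00,eu-west-1,ec2,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Reference time for age calculations (fixed so the example is reproducible).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy


def _flag(value):
    """Report booleans are the strings 'true'/'false'; N/A, no_information and not_supported count as False."""
    return value.strip().lower() == "true"


def _when(value):
    """Timestamps are ISO 8601; the placeholder strings (N/A etc.) become None."""
    try:
        return datetime.fromisoformat(value.strip())
    except ValueError:
        return None


def parse_credential_report(csv_text):
    """Map each row to the key names from the table above (AWS:IAM:User: prefix dropped)."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        keys = {
            "CreationTime": _when(row["user_creation_time"]),
            "PasswordEnabled": _flag(row["password_enabled"]),
            "PasswordLastUsed": _when(row["password_last_used"]),
            "PasswordLastChanged": row["password_last_changed"],
            "PasswordNextRotation": row["password_next_rotation"],
            "MfaEnabled": _flag(row["mfa_active"]),
        }
        for n in (1, 2):
            keys[f"AccessKey{n}.active"] = _flag(row[f"access_key_{n}_active"])
            keys[f"AccessKey{n}.lastRotated"] = _when(row[f"access_key_{n}_last_rotated"])
            keys[f"AccessKey{n}.lastUsedDate"] = _when(row[f"access_key_{n}_last_used_date"])
            keys[f"AccessKey{n}.lastUsedRegion"] = row[f"access_key_{n}_last_used_region"]
            keys[f"AccessKey{n}.lastUsedService"] = row[f"access_key_{n}_last_used_service"]
            keys[f"Certificate{n}.active"] = _flag(row[f"cert_{n}_active"])
            keys[f"Certificate{n}.lastRotated"] = _when(row[f"cert_{n}_last_rotated"])
        users[row["user"]] = keys
    return users


def findings(users, now=NOW, max_key_age=MAX_KEY_AGE):
    """Checks over the collected keys; returns (user, problem) tuples in report order."""
    out = []
    for name, k in users.items():
        if k["PasswordEnabled"] and not k["MfaEnabled"]:
            out.append((name, "console password without MFA"))
        for n in (1, 2):
            if not k[f"AccessKey{n}.active"]:
                continue
            rotated = k[f"AccessKey{n}.lastRotated"]
            if rotated is not None and now - rotated > max_key_age:
                out.append((name, f"access key {n} older than {max_key_age.days} days"))
            if k[f"AccessKey{n}.lastUsedDate"] is None:
                out.append((name, f"access key {n} active but never used"))
    return out


def demo():
    """Parse the constructed report and return its findings."""
    return findings(parse_credential_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for user, problem in demo():
        print(f"{user}: {problem}")
```

GetCredentialReport only returns a report that GenerateCredentialReport has produced (and it may answer that the report is still being generated), which is why the collector needs both permissions.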
AWS object storage
Cloud Configuration Governance uses the following to collect the AWS S3 (object storage) configuration keys:
- Configuration collector: AWS S3 encryption metric collector
- Resource collector: AWS S3 resource collector
- Cloud API used: Actions: ListBuckets and GetBucketEncryption on the S3 service
- Cloud permissions: s3:ListBucket and s3:GetEncryptionConfiguration

Note that the ListBuckets API call (enumerating the buckets in the account) is authorized by s3:ListAllMyBuckets; s3:ListBucket authorizes listing the objects inside a bucket. If the resource collector cannot enumerate buckets, grant s3:ListAllMyBuckets as well.
| Configuration key | Data type |
|---|---|
| AWS:S3:Encryption:BucketKeyEnabled | Boolean |
| AWS:S3:Encryption:KMSMasterKeyID | String |
| AWS:S3:Encryption:ServerSideEncryptionEnabled | Boolean |
| AWS:S3:Encryption:SSEAlgorithm | String |
- Configuration collector: AWS S3 ACL permission metric collector
- Resource collector: AWS S3 resource collector
- Cloud API used: Action: GetBucketAcl
- Cloud permission: s3:GetBucketAcl
| Configuration key | Data type |
|---|---|
| AWS:S3:ACL:AuthnUsersListing | Boolean |
| AWS:S3:ACL:AuthnUsersReadACL | Boolean |
| AWS:S3:ACL:AuthnUsersWrite | Boolean |
| AWS:S3:ACL:AuthnUsersWriteACL | Boolean |
| AWS:S3:ACL:OwnerFullControl | Boolean |
| AWS:S3:ACL:OwnerId | String |
| AWS:S3:ACL:OwnerListing | Boolean |
| AWS:S3:ACL:OwnerName | String |
| AWS:S3:ACL:OwnerReadACL | Boolean |
| AWS:S3:ACL:OwnerWrite | Boolean |
| AWS:S3:ACL:OwnerWriteACL | Boolean |
| AWS:S3:ACL:PublicListing | Boolean |
| AWS:S3:ACL:PublicReadACL | Boolean |
| AWS:S3:ACL:PublicWrite | Boolean |
| AWS:S3:ACL:PublicWriteACL | Boolean |
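The AWS:S3:ACL:* and AWS:S3:Encryption:* keys are derived from the GetBucketAcl and GetBucketEncryption responses. The following is an added example, not the product's collector: it maps the two response shapes (constructed here to match what boto3 returns for get_bucket_acl and get_bucket_encryption) onto the key names above and extracts the finding a practitioner cares about, a grant to the AllUsers or AuthenticatedUsers group. Treating FULL_CONTROL as implying the four individual permissions is this example's interpretation, not something the page states.

```python
"""Derive the AWS:S3:ACL:* and AWS:S3:Encryption:* keys from S3 API responses.

Added example, not the product's collector. The response dicts are constructed to match
the shapes boto3 returns for get_bucket_acl and get_bucket_encryption.
"""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Bucket ACL permission names -> suffix of the configuration key.
# On a bucket, READ grants object listing, hence "Listing".
PERMISSION_SUFFIX = {"READ": "Listing", "READ_ACP": "ReadACL", "WRITE": "Write", "WRITE_ACP": "WriteACL"}
ALL_SUFFIXES = ("Listing", "ReadACL", "Write", "WriteACL")

# Constructed sample: owner has full control, the world can list, any AWS account can read the ACL.
OWNER_ID = "0" * 64
SAMPLE_ACL = {
    "Owner": {"DisplayName": "security-team", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID, "DisplayName": "security-team"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ_ACP"},
    ],
}
SAMPLE_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            },
            "BucketKeyEnabled": True,
        }]
    }
}


def acl_keys(acl):
    """Map a GetBucketAcl response to the AWS:S3:ACL:* keys (all booleans default to False)."""
    owner_id = acl["Owner"]["ID"]
    keys = {"AWS:S3:ACL:OwnerId": owner_id,
            "AWS:S3:ACL:OwnerName": acl["Owner"].get("DisplayName", ""),
            "AWS:S3:ACL:OwnerFullControl": False}
    for prefix in ("Public", "AuthnUsers", "Owner"):
        for suffix in ALL_SUFFIXES:
            keys[f"AWS:S3:ACL:{prefix}{suffix}"] = False
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            prefix = "Public"
        elif grantee.get("Type") == "Group" and grantee.get("URI") == AUTHENTICATED_USERS:
            prefix = "AuthnUsers"
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            prefix = "Owner"
        else:
            continue  # grants to other accounts are not represented by the keys on this page
        if perm == "FULL_CONTROL":
            # Assumption: FULL_CONTROL implies the four individual permissions.
            for suffix in ALL_SUFFIXES:
                keys[f"AWS:S3:ACL:{prefix}{suffix}"] = True
            if prefix == "Owner":
                keys["AWS:S3:ACL:OwnerFullControl"] = True
        else:
            keys[f"AWS:S3:ACL:{prefix}{PERMISSION_SUFFIX[perm]}"] = True
    return keys


def encryption_keys(response):
    """Map a GetBucketEncryption response to the AWS:S3:Encryption:* keys.

    Pass None when the call raised ServerSideEncryptionConfigurationNotFoundError,
    i.e. the bucket has no default encryption rule.
    """
    keys = {"AWS:S3:Encryption:ServerSideEncryptionEnabled": False,
            "AWS:S3:Encryption:SSEAlgorithm": "",
            "AWS:S3:Encryption:KMSMasterKeyID": "",
            "AWS:S3:Encryption:BucketKeyEnabled": False}
    rules = (response or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return keys
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    keys["AWS:S3:Encryption:ServerSideEncryptionEnabled"] = "SSEAlgorithm" in default
    keys["AWS:S3:Encryption:SSEAlgorithm"] = default.get("SSEAlgorithm", "")
    keys["AWS:S3:Encryption:KMSMasterKeyID"] = default.get("KMSMasterKeyID", "")
    keys["AWS:S3:Encryption:BucketKeyEnabled"] = bool(rule.get("BucketKeyEnabled", False))
    return keys


def public_exposure(keys):
    """Names of every Public*/AuthnUsers* key that is True: the finding to act on."""
    return sorted(k for k, v in keys.items()
                  if v is True and k.split(":")[-1].startswith(("Public", "AuthnUsers")))


if __name__ == "__main__":
    print(public_exposure(acl_keys(SAMPLE_ACL)))
    print(encryption_keys(SAMPLE_ENCRYPTION)["AWS:S3:Encryption:SSEAlgorithm"])
```

A bucket that has Block Public Access enabled can still carry an AllUsers grant in its ACL; the keys above describe the ACL itself, so evaluate them together with the account- and bucket-level public access settings before treating a bucket as exposed.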
AWS VM instance
Cloud Configuration Governance uses the following to collect the AWS VM instance configuration keys:
- Resource collector: AWS VM data collector
- Cloud API used: Action: DescribeInstances on the AWS EC2 resource
- Cloud permission: ec2:DescribeInstances
| Configuration key | Data type |
|---|---|
| AWS:EC2:VM:CapacityReservationPreference | String |
| AWS:EC2:VM:CpuOptionsCoreCount | Numeric |
| AWS:EC2:VM:CpuOptionsThreadsPerCore | Numeric |
| AWS:EC2:VM:EbsOptimized | Boolean |
| AWS:EC2:VM:HardwareType | String |
| AWS:EC2:VM:ImageId | String |
| AWS:EC2:VM:InstanceState | String |
| AWS:EC2:VM:KeyName | String |
| AWS:EC2:VM:LaunchTime | Date |
| AWS:EC2:VM:MonitoringState | String |
| AWS:EC2:VM:Platform | String |
| AWS:EC2:VM:PrivateDnsName | String |
| AWS:EC2:VM:PrivateIpAddress | String |
| AWS:EC2:VM:PublicDnsName | String |
| AWS:EC2:VM:PublicIPAddress | String |
| AWS:EC2:VM:SecurityGroups | String |
| AWS:EC2:VM:SubnetId | String |
| AWS:EC2:VM:Tags | Map |
| AWS:EC2:VM:UsageOperation | String |
| AWS:EC2:VM:VpcId | String |
AWS minimal permission profile

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "s3:GetEncryptionConfiguration",
        "ec2:DescribeInstances",
        "s3:ListBucketVersions",
        "ec2:DescribeRegions",
        "s3:ListBucket",
        "iam:GetCredentialReport"
      ],
      "Resource": "*"
    }
  ]
}
```

This profile omits s3:GetBucketAcl, which the AWS S3 ACL permission metric collector described above requires; add it if you want the AWS:S3:ACL:* keys collected. It also grants s3:ListBucketVersions, which none of the collectors on this page call, so it can be dropped when tightening the policy.
Microsoft Azure VM instance
Cloud Configuration Governance uses the following to collect the Azure VM instance configuration keys:
- Resource collector: Azure VM data collector
- Cloud API used: Microsoft.ResourceGraph/resources (Azure Resource Graph query)
- Cloud permission: Microsoft.ResourceGraph/resources/read
| Configuration key | Data type |
|---|---|
| Azure:VM:HardwareType | String |
| Azure:VM:NICID | String |
| Azure:VM:OSDiskCaching | String |
| Azure:VM:OSDiskCreateoption | String |
| Azure:VM:OSDiskDeleteoption | String |
| Azure:VM:OSDiskId | String |
| Azure:VM:OSDiskName | String |
| Azure:VM:OSDiskOSType | String |
| Azure:VM:OSDiskSizeGB | String |
| Azure:VM:OSProfileAllowExtensionOperations | Boolean |
| Azure:VM:OSProfileComputerName | String |
| Azure:VM:OSProfileLinuxConfigurationDisablePasswordAuthentication | Boolean |
| Azure:VM:OSProfileLinuxConfigurationPatchSettingsAssessmentMode | String |
| Azure:VM:OSProfileLinuxConfigurationPatchSettingsPatchMode | String |
| Azure:VM:OSProfileLinuxConfigurationProvisionVmAgent | Boolean |
| Azure:VM:OSProfileLinuxConfigurationSSHKeyData | Map |
| Azure:VM:OSProfileLinuxConfigurationSSHPath | Map |
| Azure:VM:OSProfileRequireGuestProvisionSignal | Boolean |
| Azure:VM:OSWindowsConfigurationEnableAutomaticUpdates | Boolean |
| Azure:VM:OSWindowsConfigurationPatchSettingsAssessmentMode | String |
| Azure:VM:OSWindowsConfigurationPatchSettingsEnableHotpatching | Boolean |
| Azure:VM:OSWindowsConfigurationPatchSettingsPatchMode | String |
| Azure:VM:OSWindowsConfigurationProvisionVMAgent | Boolean |
| Azure:VM:PowerState | String |
| Azure:VM:ProvisioningState | String |
| Azure:VM:ResourceGroup | String |
| Azure:VM:StorageProfileDataDisksCaching | String |
| Azure:VM:StorageProfileDataDisksCreateOption | String |
| Azure:VM:StorageProfileDataDisksDeleteOption | String |
| Azure:VM:StorageProfileDataDisksDetachOption | String |
| Azure:VM:StorageProfileDataDisksDiskIopsReadWrite | String |
| Azure:VM:StorageProfileDataDisksDiskMBpsReadWrite | String |
| Azure:VM:StorageProfileDataDisksDiskSizeGb | Numeric |
| Azure:VM:StorageProfileDataDisksImage | String |
| Azure:VM:StorageProfileDataDisksLun | Numeric |
| Azure:VM:StorageProfileDataDisksManagedDiskDiskEncryptionSet | String |
| Azure:VM:StorageProfileDataDisksManagedDiskId | String |
| Azure:VM:StorageProfileDataDisksManagedDiskResourceGroup | String |
| Azure:VM:StorageProfileDataDisksManagedDiskStorageAccountType | String |
| Azure:VM:StorageProfileDataDisksManagedStorageAccountType | String |
| Azure:VM:StorageProfileDataDisksName | String |
| Azure:VM:StorageProfileDataDisksToBeDetached | Boolean |
| Azure:VM:StorageProfileDataDisksVhd | String |
| Azure:VM:StorageProfileDataDisksWriteAcceleratorEnabled | Boolean |
| Azure:VM:StorageProfileImageReferenceExactVersion | String |
| Azure:VM:StorageProfileImageReferenceId | String |
| Azure:VM:StorageProfileImageReferenceOffer | String |
| Azure:VM:StorageProfileImageReferencePublisher | String |
| Azure:VM:StorageProfileImageReferenceSharedGalleryImageId | String |
| Azure:VM:StorageProfileImageReferenceSku | String |
| Azure:VM:StorageProfileImageReferenceVersion | String |
| Azure:VM:Tags | Map |
| Azure:VM:VMId | String |
- Resource collector: Azure VM data collector
- Configuration collector: Azure VM metric collector
- Cloud API used: Microsoft.ResourceGraph/resources (Azure Resource Graph query)
- Cloud permission: Microsoft.ResourceGraph/resources/read
| Configuration key | Data type |
|---|---|
| Azure:VM:PublicIPAddress | String |
| Azure:VM:PublicIPId | String |
- Resource collector: Azure VM data collector
- Configuration collector: Azure VM monitoring metric collector
- Cloud API used: Microsoft.Compute/virtualMachines/{vmName}/instanceView
- Cloud permission: Microsoft.Compute/virtualMachines/instanceView/read
| Configuration key | Data type |
|---|---|
| Azure:VM:MonitoringState | String |
Azure minimal permission profile

```json
{
  "properties": {
    "roleName": "CCGAzureMinimalPermission",
    "description": "Grants access to scan compute resources from azure subscription",
    "assignableScopes": [
      "/subscriptions/${subscription_id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ResourceGraph/resources/read",
          "Microsoft.Compute/virtualMachines/instanceView/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

Replace ${subscription_id} with the subscription to be scanned. The role contains only control-plane read actions and no data actions, which is all the Azure collectors above need.
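Both minimal profiles are worth checking mechanically against the collector descriptions on this page, in both directions: a required action that no statement covers, and a granted action that no collector needs. The following is an added example, not part of the product: it embeds the page's two profiles, the required-action sets taken from the collector lists above, and a coverage check that honours IAM and Azure RBAC wildcards and Azure notActions. Reporting s3:GetBucketAcl as missing and s3:ListBucketVersions as surplus follows directly from what the page lists.

```python
"""Check a least-privilege profile against the actions the collectors on this page use.

Added example, not part of the product. Required-action sets come from the collector
descriptions above; the two profiles are the page's minimal profiles embedded as dicts.
"""
import fnmatch

# Actions the AWS collectors above call.
AWS_REQUIRED = {
    "ec2:DescribeRegions",
    "iam:GetCredentialReport", "iam:GenerateCredentialReport",
    # The page lists s3:ListBucket for ListBuckets; the API itself is authorized by
    # s3:ListAllMyBuckets, so add that here if your scan cannot enumerate buckets.
    "s3:ListBucket", "s3:GetEncryptionConfiguration",
    "s3:GetBucketAcl",  # ACL permission metric collector
    "ec2:DescribeInstances",
}
AZURE_REQUIRED = {
    "Microsoft.ResourceGraph/resources/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
}

# The page's AWS minimal profile.
AWS_PROFILE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["iam:GenerateCredentialReport", "s3:GetEncryptionConfiguration",
                   "ec2:DescribeInstances", "s3:ListBucketVersions", "ec2:DescribeRegions",
                   "s3:ListBucket", "iam:GetCredentialReport"],
        "Resource": "*",
    }],
}
# The page's Azure minimal role definition (placeholder subscription id kept as-is).
AZURE_ROLE = {
    "properties": {
        "roleName": "CCGAzureMinimalPermission",
        "assignableScopes": ["/subscriptions/${subscription_id}"],
        "permissions": [{
            "actions": ["Microsoft.ResourceGraph/resources/read",
                        "Microsoft.Compute/virtualMachines/instanceView/read"],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    }
}


def _matches(action, patterns):
    """IAM actions are case-insensitive and both IAM and Azure RBAC use '*' wildcards."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def aws_granted(policy):
    """Actions from Allow statements on Resource '*'; Deny and resource-scoped statements are ignored."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        res = st.get("Resource", [])
        if "*" not in ([res] if isinstance(res, str) else res):
            continue
        act = st.get("Action", [])
        granted.update([act] if isinstance(act, str) else act)
    return granted


def azure_granted(role):
    """Control-plane actions and notActions across all permission blocks (data actions unused here)."""
    allow, deny = set(), set()
    for perm in role["properties"]["permissions"]:
        allow.update(perm.get("actions", []))
        deny.update(perm.get("notActions", []))
    return allow, deny


def audit(required, allow, deny=()):
    """missing: required actions not granted (or removed by notActions);
    excess: granted patterns that match no required action at all."""
    missing = sorted(r for r in required if not _matches(r, allow) or _matches(r, deny))
    excess = sorted(g for g in allow
                    if not any(fnmatch.fnmatchcase(r.lower(), g.lower()) for r in required))
    return {"missing": missing, "excess": excess}


def audit_aws(policy=AWS_PROFILE, required=AWS_REQUIRED):
    return audit(required, aws_granted(policy))


def audit_azure(role=AZURE_ROLE, required=AZURE_REQUIRED):
    allow, deny = azure_granted(role)
    return audit(required, allow, deny)


if __name__ == "__main__":
    print("AWS:", audit_aws())
    print("Azure:", audit_azure())
```

A wildcard such as s3:Get* passes the coverage check but is wider than the collectors need; the excess list only flags patterns that match nothing required, so review wildcards separately when the goal is a minimal profile.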