
Cloud Config:Remediate non-compliant resources by using MNS topics

Last Updated: Jul 21, 2023

This topic describes how to push alert notifications to a specified Message Service (MNS) topic when Cloud Config detects non-compliant configuration changes of resources. When a non-compliance notification is delivered to the topic, an MNS trigger invokes a function in Function Compute that automatically remediates the resource.

Prerequisites

Scenario

You create a rule named test-oss-bucket-public-read-prohibited from the oss-bucket-public-read-prohibited managed rule and apply it to the OSS bucket resource type. Cloud Config evaluates all OSS buckets within your Alibaba Cloud account. One of the OSS buckets is evaluated as Non-compliant, as shown in the following figure.

(Figure: Bucket non-compliance)

Configuration items

The following sections describe the method to automatically remediate non-compliant resources by using MNS topics. In this example, the read and write permissions on an OSS bucket are remediated. The following table describes the configuration items that you can specify.

Alibaba Cloud service | Configuration item | Example
----------------------|--------------------|------------------------------------------
Cloud Config          | Managed rule       | oss-bucket-public-read-prohibited
Cloud Config          | Rule name          | test-oss-bucket-public-read-prohibited
MNS                   | Topic              | MNSTestConfig
MNS                   | Region             | Singapore
OSS                   | OSS bucket         | config-snapshot
OSS                   | Bucket ACL         | Public read
Function Compute      | Service            | resource_repair
Function Compute      | System policy      | AliyunOSSFullAccess
Function Compute      | Function           | oss_repair_acl_trigger
Function Compute      | Trigger            | ConfigRuleNonComplianceMNSTrigger

Note

Cloud Config is deployed in the Singapore region. To reduce packet loss, we recommend that you specify Singapore as the region for the MNS topic.

Workflow

The following figure shows how non-compliant resources are automatically remediated by using MNS topics.

(Figure: Workflow)

Procedure

  1. Log on to the Cloud Config console. Specify an MNS topic to which resource non-compliance events are delivered, such as MNSTestConfig.

    For more information, see Deliver resource data to an MNS topic.

  2. Create a service.

    1. Log on to the Function Compute console.

    2. In the left-side navigation pane, click Services & Functions.

    3. In the top navigation bar, select a region. Example: Singapore.

    4. On the Services page, click Create Service.

    5. In the Create Service panel, enter resource_repair in the Name field.

    6. Click OK.

  3. Authorize the created service to modify the permissions on the sample non-compliant OSS bucket.

    1. In the left-side navigation pane of the resource_repair service, click Service Details.

    2. In the Role Settings section, click Modify.

    3. Select a role to which the AliyunOSSFullAccess policy is attached.

      If no role meets the requirements, click Create Role to create a role in the RAM console. When you create the role, you must set the trusted entity type to Alibaba Cloud Service, set the trusted service to Function Compute, and then attach the AliyunOSSFullAccess policy to the role. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    4. Click Save.

  4. Create a function.

    1. In the left-side navigation pane of the resource_repair service, click Functions.

    2. Click Create Function.

    3. On the Create Function page, set the Function Name parameter to oss_repair_acl_trigger and the Runtime parameter to Python 3.6. Keep the default settings of other parameters.

    4. Click Create.

  5. Configure the environment variables of the function.

    1. On the details page of the oss_repair_acl_trigger function, click the Configurations tab.

    2. In the Environment Variables section, click Modify.

    3. Click Add Variable, and specify a name and a value for the environment variable.

      • Enter prepareRuleName in the Variable field.

        The name prepareRuleName must match the value of the ENV_RULE_NAME constant in the automatic remediation code that is used in this example.

      • Enter test-oss-bucket-public-read-prohibited in the Value field.

        The value test-oss-bucket-public-read-prohibited indicates the rule name used in this example.

    4. Click OK.

  6. Create a trigger.

    1. On the details page of the oss_repair_acl_trigger function, click the Triggers tab.

    2. Click Create Trigger.

    3. Select MNS from the Trigger Type drop-down list.

    4. Configure parameters for the MNS topic trigger.

      In this example, use the following settings:

      • Enter ConfigRuleNonComplianceMNSTrigger in the Name field.

      • Set the MNS Region parameter to Singapore.

      • Set the Topic parameter to MNSTestConfig.

      • Set the Event Format parameter to STREAM.

      • Set the Role Name parameter to AliyunMNSNotificationRole.

    5. Click OK.

      After the trigger is created, each non-compliance notification that Cloud Config publishes to the MNS topic invokes the function.

  7. Configure the automatic remediation code.

    1. On the details page of the oss_repair_acl_trigger function, click the Code tab.

    2. In the code editor, select the index.py file.

    3. Copy and paste the following code to the index.py file:

      # -*- coding: utf-8 -*-
      import base64
      import binascii
      import json
      import logging
      import os

      import oss2

      # Keys of the notification body that Cloud Config publishes to the MNS topic.
      IDENTIFIER = 'evaluationResultIdentifier'
      QUALIFIER = 'evaluationResultQualifier'
      RULE_NAME = 'configRuleName'
      # Name of the function environment variable that holds the rule name to remediate.
      ENV_RULE_NAME = 'prepareRuleName'
      RESOURCE_ID = 'resourceId'
      REGION_ID = 'regionId'
      FAIL = 'fail'
      SUCC = 'success'

      logger = logging.getLogger()


      def handler(event, context):
          """Entry point of the MNS topic trigger. The event is the base64-encoded notification body."""
          logger.info("mns_topic trigger event = {}".format(event))
          if not event:
              return FAIL
          try:
              decoded = base64.b64decode(event)
              notify_json = json.loads(decoded)
          except (binascii.Error, ValueError):
              logger.exception('mns_topic trigger event malformed!')
              return FAIL
          if not notify_json or IDENTIFIER not in notify_json:
              return FAIL
          evaluation_result_qualifier = (notify_json.get(IDENTIFIER) or {}).get(QUALIFIER) or {}
          config_rule_name = evaluation_result_qualifier.get(RULE_NAME)
          # Only handle events of the rule named in the prepareRuleName environment variable,
          # such as test-oss-bucket-public-read-prohibited; ignore events of other rules.
          if config_rule_name != os.environ.get(ENV_RULE_NAME):
              return FAIL
          bucket_name = evaluation_result_qualifier.get(RESOURCE_ID)
          region = evaluation_result_qualifier.get(REGION_ID)
          if not (region and bucket_name):
              return FAIL
          try:
              remedy_by_fc_assume(context, region, bucket_name)
          except Exception:
              logger.exception('remedy fail!')
              return FAIL
          return SUCC


      def remedy_by_fc_assume(context, region, bucket_name):
          """Set the ACL of the non-compliant bucket to private with the STS credentials of the service role."""
          creds = context.credentials
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          # Use the HTTPS endpoint so that the STS credentials are not sent in clear text.
          bucket = oss2.Bucket(auth, 'https://oss-' + region + '.aliyuncs.com', bucket_name)
          bucket.put_bucket_acl(oss2.BUCKET_ACL_PRIVATE)
          logger.info('bucket {bucket_name} in {region} acl remedy succ.'.format(bucket_name=bucket_name, region=region))

      Note

      The sample code shows how to automatically remediate non-compliant resources. In this example, the rule to remediate is selected by the prepareRuleName environment variable. For information about how to remediate non-compliant resources based on other parameters of the event, see Examples of resource non-compliance events.

    4. In the code editor, click Deploy in the upper-right corner.

  8. Wait for 10 minutes and view the remediation result.

    Note

    If a resource is evaluated as non-compliant based on the rule but no configurations are changed, you must re-evaluate the resource before you perform this step. For more information, see Manually re-evaluate resources.

    • View the remediation result in the Cloud Config console. (Figure: OSS bucket compliance)

    • View the remediation result in the OSS console. (Figure: OSS bucket compliance)
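To check the event-handling logic of the function locally before you deploy it, the following Python test harness is an added example that is not part of this topic or of the Function Compute sample: it constructs a non-compliance notification that contains only the keys the handler reads (a real event carries more fields), encodes it the way the STREAM trigger delivers it (base64 of the JSON body), applies the prepareRuleName gate, and calls a stand-in remediator in place of the put_bucket_acl call. Unlike the handler in step 7, it returns 'ignored' for events of other rules so that the three outcomes can be told apart.

```python
import base64
import json
import os

# Keys read by the remediation handler (same names as in index.py above).
IDENTIFIER = 'evaluationResultIdentifier'
QUALIFIER = 'evaluationResultQualifier'
RULE_NAME = 'configRuleName'
ENV_RULE_NAME = 'prepareRuleName'
RESOURCE_ID = 'resourceId'
REGION_ID = 'regionId'


def make_stream_event(rule_name, bucket, region):
    """Constructed stand-in for a STREAM-format MNS event: the JSON notification
    body, base64-encoded. Only the keys the handler reads are included."""
    body = {IDENTIFIER: {QUALIFIER: {RULE_NAME: rule_name,
                                     RESOURCE_ID: bucket, REGION_ID: region}}}
    return base64.b64encode(json.dumps(body).encode('utf-8')).decode('ascii')


def parse_event(event):
    """Decode an event to (rule_name, bucket, region); None if it is not valid
    base64, not a JSON object, or lacks any field the remediation needs."""
    try:
        qualifier = json.loads(base64.b64decode(event, validate=True))[IDENTIFIER][QUALIFIER]
        fields = (qualifier[RULE_NAME], qualifier[RESOURCE_ID], qualifier[REGION_ID])
        return fields if all(fields) else None
    except (ValueError, KeyError, TypeError):
        return None


def remediate_if_target(event, remediator, env=os.environ):
    """Apply the same gate as the handler: only events of the rule named in the
    prepareRuleName variable reach remediator(region, bucket), a stand-in for
    setting the bucket ACL to private. Returns 'success', 'ignored' or 'fail'."""
    parsed = parse_event(event)
    if parsed is None:
        return 'fail'
    rule_name, bucket, region = parsed
    if rule_name != env.get(ENV_RULE_NAME):
        return 'ignored'
    try:
        remediator(region, bucket)
    except Exception:
        return 'fail'
    return 'success'
```

Pass a dictionary as env to test the gate without touching the process environment; ap-southeast-1 is the Singapore region id used in the sample below.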