This topic describes how to push alert notifications to a specified Message Service (MNS) topic when Cloud Config detects non-compliant configuration changes of resources. When a non-compliance notification is delivered to the topic, a function in Alibaba Cloud Function Compute is triggered to automatically remediate the affected resource.

Prerequisites

Scenarios

You create a rule function and associate it with the OSS bucket resource type based on the test-oss-bucket-public-read-prohibited managed rule. Cloud Config evaluates all OSS buckets within your Alibaba Cloud account. One of the OSS buckets is evaluated as Non-compliant, as shown in the following figure. (Figure: Bucket non-compliance)

Parameters

The following content describes the method to automatically remediate non-compliant resources by using MNS topics. In this example, the read and write permissions on an OSS bucket are remediated. The following table describes the items that you can specify.
Cloud service     | Item                              | Example
------------------|-----------------------------------|---------------------------------------
Cloud Config      | Managed rule                      | test-oss-bucket-public-read-prohibited
Cloud Config      | Rule                              | test-oss-bucket-public-read-prohibited
MNS               | Topic                             | MNSTestConfig
MNS               | Region                            | Singapore (Singapore)
OSS               | OSS bucket                        | config-snapshot
OSS               | Bucket access control list (ACL)  | Public read
Function Compute  | Service                           | resource_repair
Function Compute  | System policy                     | AliyunOSSFullAccess
Function Compute  | Function                          | oss_repair_acl_trigger
Function Compute  | Trigger                           | ConfigRuleNonComplianceMNSTrigger
Note

Cloud Config is deployed in the Singapore (Singapore) region. To reduce packet loss, we recommend that you specify Singapore (Singapore) as the region for the MNS topic.

Workflow

The following figure shows how non-compliant resources are automatically remediated by using MNS topics. (Figure: Remediation process)

Procedure

  1. Log on to the Cloud Config console. Specify an MNS topic to which resource non-compliance events are delivered, such as MNSTestConfig.
  2. Create a service.
    1. Log on to the Function Compute console.
    2. In the top navigation bar, select a region, such as Singapore.
    3. In the left-side navigation pane, click Services and Functions.
    4. In the Services section, click Create Service.
    5. On the Create Service page, enter resource_repair in the Service Name field. Clear the Bind Log check box.
    6. Click Submit.
  3. Authorize the created service to modify the permissions on the OSS bucket.
    1. On the Service Configurations tab, click Modify Configuration.
    2. In the Role Config section, select AliyunFCLogExecutionRole from the drop-down list.
    3. Click Add Policy.
    4. In the Add Policy dialog box, select AliyunOSSFullAccess from the drop-down list.
    5. Click RAM Authorization.
    6. Click Confirm Authorization Policy.
    7. Click Submit.
  4. Create a function.
    1. On the details page of the resource_repair service, click Create Function.
    2. On the Create Function page, move the pointer to the Event Function section and click Configure and Deploy.
    3. On the Create Function page, set the Service Name parameter to resource_repair, the Function Name parameter to oss_repair_acl_trigger, and the Runtime parameter to Python 3. Keep the default values of other parameters.
    4. Click Create.
  5. Set the environment variable of the function.
    1. On the details page of the oss_repair_acl_trigger function, click the Overview tab.
    2. In the Function Properties section of the Overview tab, click Modify Configurations.
    3. On the Modify Configurations page, set the Environment Variables parameter to Key Value. Enter the key name and value of the environment variable.
      • Enter prepareRuleName in the Key field.

        The key name must be the same as the value of the ENV_RULE_NAME constant in the function code, which is prepareRuleName.

      • Enter test-oss-bucket-public-read-prohibited in the Value field.

        The value test-oss-bucket-public-read-prohibited is the name of the rule whose non-compliant resources the function remediates.

    4. Click Submit.
  6. Create a trigger.
    1. On the details page of the oss_repair_acl_trigger function, click the Triggers tab.
    2. On the Triggers tab, click Create Trigger.
    3. In the Create Trigger panel, set the Trigger Type parameter to MNS Topic Trigger.
    4. Set parameters for the MNS topic trigger.
      • Enter ConfigRuleNonComplianceMNSTrigger in the Trigger Name field.
      • Set the MNS Topic Region parameter to Singapore.
      • Set the Topic parameter to MNSTestConfig.
      • Set the Event Type parameter to JSON.
      Note When you use the MNS topic trigger for the first time, you can set the Role Operation parameter to Quick authorize. You can authorize MNS to assume the AliyunMNSNotificationRole role to access your cloud resources as prompted. Then, go back to the Create Trigger panel to view the role and create the trigger.
    5. Click OK.
      After the trigger is created, notifications of non-compliant events are sent to you when Cloud Config evaluates resource compliance.
  7. Configure the automatic remediation code.
    1. On the details page of the oss_repair_acl_trigger function, click the Code tab.
    2. In the code editor of the Code tab, select the index.py file.
    3. Copy and paste the following code to the index.py file:
      # -*- coding: utf-8 -*-
      import logging
      import json
      import os
      import base64
      import binascii
      import oss2  # OSS SDK for Python; required by remedy_by_fc_assume()
      
      IDENTIFIER = 'evaluationResultIdentifier'
      QUALIFIER = 'evaluationResultQualifier'
      RULE_NAME = 'configRuleName'
      ENV_RULE_NAME = 'prepareRuleName'  # must match the environment variable key set in step 5
      RESOURCE_ID = 'resourceId'
      REGION_ID = 'regionId'
      FAIL = 'fail'
      SUCC = 'success'
      
      logger = logging.getLogger()
      
      
      def handler(event, context):
          logger.info("mns_topic trigger event = {}".format(event))
          decoded = None
          if event:
              try:
                  decoded = base64.b64decode(event)
              except binascii.Error:
                  logger.exception('mns_topic trigger event malformed!')
                  return FAIL
          if not decoded:
              return FAIL
          try:
              notify_json = json.loads(decoded)
          except ValueError:
              logger.exception('mns_topic trigger event is not valid JSON!')
              return FAIL
          if notify_json and IDENTIFIER in notify_json:
              evaluationResultIdentifier = notify_json.get(IDENTIFIER)
              if QUALIFIER in evaluationResultIdentifier and RULE_NAME in evaluationResultIdentifier.get(QUALIFIER):
                  evaluationResultQualifier = evaluationResultIdentifier.get(QUALIFIER)
                  configRuleName = evaluationResultQualifier.get(RULE_NAME)
                  # os.environ.get(ENV_RULE_NAME) returns the rule name, such as test-oss-bucket-public-read-prohibited.
                  # Only events from that rule are remediated; findings of other rules are ignored.
                  if configRuleName == os.environ.get(ENV_RULE_NAME):
                      if RESOURCE_ID in evaluationResultQualifier and REGION_ID in evaluationResultQualifier:
                          bucket_name = evaluationResultQualifier.get(RESOURCE_ID)
                          region = evaluationResultQualifier.get(REGION_ID)
                          if region and bucket_name:
                              try:
                                  remedy_by_fc_assume(context, region, bucket_name)
                                  return SUCC
                              except Exception:
                                  logger.exception('remedy fail!')
          return FAIL
      
      
      def remedy_by_fc_assume(context, region, bucket_name):
          # Use the temporary STS credentials of the service role (granted AliyunOSSFullAccess in step 3)
          # instead of long-lived AccessKey pairs.
          creds = context.credentials
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          bucket = oss2.Bucket(auth, 'http://oss-' + region + '.aliyuncs.com', bucket_name)
          # Setting the ACL to private removes the public-read permission that triggered the finding.
          bucket.put_bucket_acl(oss2.BUCKET_ACL_PRIVATE)
          logger.info('bucket {bucket_name} in {region} acl remedy succ.'.format(bucket_name=bucket_name, region=region))
      Note The sample code describes the automatic remediation method of non-compliant resources. The prepareRuleName environment variable is used as an example. For information about how to remediate non-compliant resources by using other parameters, see Resource non-compliance events.
    4. In the code editor, click Deploy in the upper-right corner.
  8. Wait 10 minutes and view the remediation result.
    Note If a resource is evaluated as non-compliant based on the rule but no configurations are changed, you must re-evaluate the resource before you perform this step. For more information, see Manually re-evaluate resources.
    • View the remediation result in the Cloud Config console. (Figure: OSS bucket compliance)
    • View the remediation result in the OSS console. (Figure: OSS bucket compliance)
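As an added example (not the index.py above or any Alibaba Cloud code), the following script exercises the same event parsing and rule matching offline: it builds a constructed non-compliance notification, base64-encodes it the way the function receives it from the MNS topic trigger, and injects a fake ACL setter in place of oss2 so that the success, wrong-rule and malformed-event paths can be checked without touching a bucket. The region code ap-southeast-1 and the bucket name are constructed values.

```python
import base64
import json
import logging

logger = logging.getLogger(__name__)

# Keys of the Cloud Config non-compliance notification, as used by index.py.
IDENTIFIER = 'evaluationResultIdentifier'
QUALIFIER = 'evaluationResultQualifier'
RULE_NAME = 'configRuleName'
RESOURCE_ID = 'resourceId'
REGION_ID = 'regionId'

def _sub(obj, key):
    """Return obj[key] if both obj and obj[key] are dicts, else an empty dict."""
    value = obj.get(key) if isinstance(obj, dict) else None
    return value if isinstance(value, dict) else {}

def parse_event(event, expected_rule):
    """Decode the base64 MNS payload; return (region, bucket) only for expected_rule."""
    try:
        notify = json.loads(base64.b64decode(event, validate=True))
    except (ValueError, TypeError):  # binascii.Error is a subclass of ValueError
        logger.exception('mns_topic trigger event malformed')
        return None
    qualifier = _sub(_sub(notify, IDENTIFIER), QUALIFIER)
    if qualifier.get(RULE_NAME) != expected_rule:
        return None  # finding from another rule: never touch that resource
    region, bucket = qualifier.get(REGION_ID), qualifier.get(RESOURCE_ID)
    return (region, bucket) if region and bucket else None

def remediate(event, expected_rule, set_private_acl):
    """set_private_acl(region, bucket) is injected; in production it wraps put_bucket_acl."""
    target = parse_event(event, expected_rule)
    if target is None:
        return 'fail'
    try:
        set_private_acl(*target)
    except Exception:
        logger.exception('remedy fail')
        return 'fail'
    return 'success'

# Constructed sample notification (not a captured Cloud Config message).
SAMPLE_EVENT = base64.b64encode(json.dumps({IDENTIFIER: {QUALIFIER: {
    RULE_NAME: 'test-oss-bucket-public-read-prohibited',
    RESOURCE_ID: 'config-snapshot',
    REGION_ID: 'ap-southeast-1'}}}).encode()).decode()
```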