CloudOps Orchestration Service:ACS-VPC-BulkyDeleteForwardEntry

Last Updated:Dec 23, 2025

Template name

ACS-VPC-BulkyDeleteForwardEntry

Template description

Deletes the DNAT entries on a NAT gateway whose backend (internal) ports match the specified high-risk ports.

Template type

Automated

Owner

Alibaba Cloud

Input parameters

Parameter      Description                                                                                                                        Type    Required  Default value                                               Limit
-------------  ---------------------------------------------------------------------------------------------------------------------------------  ------  --------  ----------------------------------------------------------  -----
instanceId     The ID of the NAT gateway.                                                                                                         String  Yes
port           The high-risk ports. Each value is matched against the internal (backend) port of the DNAT entries; every matching entry is deleted.  List    Yes
regionId       The region ID.                                                                                                                     String  No        {{ ACS::RegionId }}
rateControl    The concurrency rate at which the per-port lookup loop runs.                                                                       Json    No        {'Mode': 'Concurrency', 'MaxErrors': 0, 'Concurrency': 10}
OOSAssumeRole  The Resource Access Management (RAM) role that CloudOps Orchestration Service (OOS) assumes.                                      String  No        ""

Output parameters

None

Permission policy that is required to execute the template

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DeleteForwardEntry",
                "vpc:DescribeForwardTableEntries",
                "vpc:DescribeNatGateways"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Details

The port values are matched against the internal (backend) port of each DNAT entry: the DescribeForwardTableEntries call is filtered by InternalPort, not by the external port. An entry that exposes port 22 on its external side but forwards it to a different backend port is therefore left in place, while an entry that forwards some other external port to backend port 22 is deleted. The lookup loop honours the rateControl parameter, but entries are deleted one at a time (Concurrency 1) with MaxErrors 0, so the first failed DeleteForwardEntry call stops the execution. The permission policy above applies the three VPC actions to every resource in the account (Resource "*"); review whether that scope is acceptable for the role you pass in OOSAssumeRole.

For more information, see ACS-VPC-BulkyDeleteForwardEntry.yml at GitHub.

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Deletes the specified high-risk ports mapped on the DNAT table.
  zh-cn: Deletes the specified high-risk ports mapped on the DNAT table.
  name-en: ACS-VPC-BulkyDeleteForwardEntry
  name-zh-cn: ACS-VPC-BulkyDeleteForwardEntry
  categories:
    - security
Parameters:
  regionId:
    Label:
      en: Region ID
      zh-cn: Region ID
    Type: String
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  instanceId:
    Label:
      en: The instance ID of the NAT Gateway.
      zh-cn: The instance ID of the NAT Gateway.
    Type: String
  port:
    Label:
      en: The high-risk port (backend port)
      zh-cn: The high-risk port (backend port)
    Type: List
  rateControl:
    Label:
      en: Rate Control
      zh-cn: Concurrency rate for task execution
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 10
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: The RAM role that OOS assumes
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: describeNatGateways
    Action: ACS::ExecuteAPI
    Description:
      en: Queries the DNAT table ID of the NAT Gateway instance.
      zh-cn: Queries the DNAT table ID of the NAT Gateway instance.
    Properties:
      Service: VPC
      API: DescribeNatGateways
      Parameters:
        RegionId: '{{ regionId }}'
        NatGatewayId: '{{ instanceId }}'
    Outputs:
      ForwardTableIds:
        Type: String
        ValueSelector: .NatGateways.NatGateway[].ForwardTableIds.ForwardTableId[]
  - Name: describeForwardTableEntries
    Action: ACS::ExecuteAPI
    Description:
      en: Queries the IDs of DNAT entries that match the high-risk ports.
      zh-cn: Queries the IDs of DNAT entries that match the high-risk ports.
    Properties:
      Service: VPC
      API: DescribeForwardTableEntries
      Parameters:
        RegionId: '{{ regionId }}'
        ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
        InternalPort: '{{ ACS::TaskLoopItem }}'
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ port }}'
      Outputs:
        ForwardEntryId-all:
          AggregateType: Fn::ListJoin
          AggregateField: ForwardEntryId
    Outputs:
      ForwardEntryId:
        Type: Json
        ValueSelector: .ForwardTableEntries.ForwardTableEntry[].ForwardEntryId
  - Name: deleteForwardEntry
    Action: ACS::ExecuteAPI
    Description:
      en: Deletes the specified high-risk ports mapped on the DNAT table.
      zh-cn: Deletes the specified high-risk ports mapped on the DNAT table.
    Properties:
      Service: VPC
      API: DeleteForwardEntry
      Parameters:
        RegionId: '{{ regionId }}'
        ForwardEntryId: '{{ ACS::TaskLoopItem }}'
        ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
    Loop:
      Items:
        'Fn::Jq':
          - All
          - '.[] | (select(. != null))'
          - '{{ describeForwardTableEntries.ForwardEntryId-all }}'
      RateControl:
        Mode: Concurrency
        MaxErrors: 0
        Concurrency: 1
Metadata:
  ALIYUN::OOS::Interface:
    ParameterGroups:
      - Parameters:
          - port
        Label:
          default:
            zh-cn: Configure Parameters
            en: Configure Parameters
      - Parameters:
          - regionId
          - instanceId
        Label:
          default:
            zh-cn: Select Instance
            en: Select Instance
      - Parameters:
          - rateControl
          - OOSAssumeRole
        Label:
          default:
            zh-cn: Advanced Options
            en: Advanced Options
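The following is an added example, not code from the template, from OOS or from the Alibaba Cloud SDK. It reproduces the three tasks above offline as a dry run: the per-port DescribeForwardTableEntries lookup filtered by InternalPort, the Fn::ListJoin aggregation of ForwardEntryId values, and the Fn::Jq '.[] | select(. != null)' filter that feeds DeleteForwardEntry. The API response is constructed sample data shaped like the ForwardTableEntries.ForwardTableEntry list; representing an iteration with no match as None is an assumption made here, not documented OOS behaviour. The example goes slightly beyond the template by de-duplicating IDs (the template does not) and by listing entries that carry a high-risk port only on the external side, which the template never touches.

```python
"""Dry run of the DNAT-entry selection performed by ACS-VPC-BulkyDeleteForwardEntry.

Added example; not code from the template, OOS, or the Alibaba Cloud SDK.
"""
from typing import Iterable, List, Optional

# Constructed sample data shaped like DescribeForwardTableEntries output.
# IDs and addresses are made up.
SAMPLE_FORWARD_ENTRIES: List[dict] = [
    {"ForwardEntryId": "fwd-aaa", "ExternalIp": "203.0.113.10", "ExternalPort": "22",
     "InternalIp": "10.0.0.5", "InternalPort": "22", "IpProtocol": "tcp"},
    # External 8022 -> internal 22 still exposes SSH; matched because InternalPort is 22.
    {"ForwardEntryId": "fwd-bbb", "ExternalIp": "203.0.113.10", "ExternalPort": "8022",
     "InternalIp": "10.0.0.6", "InternalPort": "22", "IpProtocol": "tcp"},
    # External 22 -> internal 2222: the template filters on InternalPort, so this stays.
    {"ForwardEntryId": "fwd-ccc", "ExternalIp": "203.0.113.11", "ExternalPort": "22",
     "InternalIp": "10.0.0.7", "InternalPort": "2222", "IpProtocol": "tcp"},
    {"ForwardEntryId": "fwd-ddd", "ExternalIp": "203.0.113.11", "ExternalPort": "443",
     "InternalIp": "10.0.0.8", "InternalPort": "443", "IpProtocol": "tcp"},
]


def describe_forward_table_entries(entries: List[dict], internal_port: str) -> List[dict]:
    """Stand-in for VPC DescribeForwardTableEntries with the InternalPort filter applied."""
    return [e for e in entries if e["InternalPort"] == internal_port]


def loop_forward_entry_ids(entries: List[dict], ports: Iterable) -> List[Optional[str]]:
    """Task describeForwardTableEntries: one lookup per port, outputs joined (Fn::ListJoin).

    Assumption: an iteration whose jq selector yields nothing contributes null.
    """
    joined: List[Optional[str]] = []
    for port in ports:
        ids = [e["ForwardEntryId"] for e in describe_forward_table_entries(entries, str(port))]
        joined.extend(ids if ids else [None])
    return joined


def select_non_null(aggregated: List[Optional[str]]) -> List[str]:
    """Task deleteForwardEntry's loop items: Fn::Jq '.[] | select(. != null)'."""
    return [entry_id for entry_id in aggregated if entry_id is not None]


def plan_deletions(entries: List[dict], ports: Iterable) -> List[str]:
    """ForwardEntryIds that DeleteForwardEntry would be called on, in order, de-duplicated.

    The template itself does not de-duplicate: a port listed twice would make the
    delete loop attempt the same entry twice.
    """
    planned: List[str] = []
    for entry_id in select_non_null(loop_forward_entry_ids(entries, ports)):
        if entry_id not in planned:
            planned.append(entry_id)
    return planned


def external_only_matches(entries: List[dict], ports: Iterable) -> List[str]:
    """Entries exposing a high-risk port externally but mapping to another backend port.

    The template leaves these untouched; surface them for manual review.
    """
    wanted = {str(p) for p in ports}
    return [e["ForwardEntryId"] for e in entries
            if e["ExternalPort"] in wanted and e["InternalPort"] not in wanted]


def dry_run_report(entries: List[dict], ports: Iterable) -> str:
    """Human-readable preview: one line per DNAT entry, marked DELETE or keep."""
    planned = set(plan_deletions(entries, ports))
    lines = []
    for e in entries:
        mark = "DELETE" if e["ForwardEntryId"] in planned else "keep  "
        lines.append(f"{mark} {e['ForwardEntryId']} {e['ExternalIp']}:{e['ExternalPort']}"
                     f" -> {e['InternalIp']}:{e['InternalPort']}")
    return "\n".join(lines)


if __name__ == "__main__":
    high_risk_ports = ["22", "3389"]
    print(dry_run_report(SAMPLE_FORWARD_ENTRIES, high_risk_ports))
    print("external-side only (not deleted):",
          external_only_matches(SAMPLE_FORWARD_ENTRIES, high_risk_ports))
```

Run the script before executing the template against a gateway whose entries you have exported, and treat anything in the external-side-only list as a separate decision: the template will not remove it, even though the same port is reachable from the internet.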