The configurable compliance pack template feature gives you strong compliance management capabilities: you can define, import and export sets of official rule templates and flexible custom-condition rule sets that match your business needs, so as to meet your compliance requirements. Understanding the template structure and the meaning of each field lets you build rule sets tailored to your own business scenarios more efficiently.
Template structure
An exported compliance pack template is a JSON file named after the compliance pack, with the .json suffix. You can import a file with the .txt or .json suffix (the file must be no larger than 1 MB). The file consists of two parts: compliancePackTemplate (optional) and configRuleTemplates (required).
compliancePackTemplate
compliancePackTemplate contains the name, description and risk level of the compliance pack. Its JSON structure is defined as follows:
{
  "riskLevel": 1,
  "compliancePackName": "合规包的名称",
  "description": "合规包的描述",
  "scope": {
    "complianceResourceTypes": [
      "适配的资源类型"
    ],
    "complianceResourceIds": [
      "评估的资源ID"
    ],
    "complianceExcludeResourceIds": [
      "排除的资源ID"
    ],
    "complianceRegionIds": [
      "评估的指定地域ID"
    ],
    "complianceExcludeRegionIds": [
      "排除的指定地域ID"
    ],
    "complianceResourceGroupIds": [
      "评估的指定资源组ID"
    ],
    "complianceExcludeResourceGroupIds": [
      "排除的指定资源组ID"
    ],
    "complianceTagsScope": [
      {
        "tagKey": "生效标签Key",
        "tagValue": "生效标签KeyValue"
      }
    ],
    "complianceExcludeTagsScope": [
      {
        "tagKey": "排除标签Key",
        "tagValue": "排除标签Value"
      }
    ]
  }
}
Parameter | Required | Description |
compliancePackName | No | Name of the compliance pack. It is recommended to name it after the compliance scenario. A compliance pack can be named in either of the following two ways: |
riskLevel | No | Risk level of the compliance pack, used to distinguish the importance of different packs. Valid values: |
description | No | Description of the compliance pack, used to explain the scenario it applies to. |
scope | No | Scope to which the rules in the pack apply. |
Example:
{
  "configRuleTemplates": [],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "配置化合规包模版编写测试",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg****.i-t4n3u1pz97547xg0****.",
        "i-t4n1bxf3xr70wjh5****",
        "i-t4n133q6k9czgun****",
        "i-t4n3s3qqti2zaxu****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36l*****"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "配置化合规包模版编写测试-导入导出测试"
  }
}
configRuleTemplates
The rules in a compliance pack are defined in configRuleTemplates as a JSON array with the following structure:
[
  {
    "configRuleName": "规则名称",
    "scope": {
      "complianceResourceTypes": [
        "适配的资源类型"
      ],
      "complianceResourceIds": [
        "评估的资源ID"
      ],
      "complianceExcludeResourceIds": [
        "排除的资源ID"
      ],
      "complianceRegionIds": [
        "评估的指定地域ID"
      ],
      "complianceExcludeRegionIds": [
        "排除的指定地域ID"
      ],
      "complianceResourceGroupIds": [
        "评估的指定资源组ID"
      ],
      "complianceExcludeResourceGroupIds": [
        "排除的指定资源组ID"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "生效标签Key",
          "tagValue": "生效标签Value"
        }
      ],
      "complianceExcludeTagsScope": [
        {
          "tagKey": "排除标签Key",
          "tagValue": "排除标签Value"
        }
      ]
    },
    "description": "规则描述",
    "source": {
      "owner": "规则的来源",
      "identifier": "规则的标识符",
      "sourceDetails": [
        {
          "messageType": "规则触发类型",
          "maximumExecutionFrequency": "触发周期"
        },
        {
          "messageType": "规则触发类型"
        }
      ],
      "conditions": "自定义条件规则的内容"
    },
    "inputParameters": {
      "paramName1": "参数值1",
      "paramName2": "参数值2"
    }
  }
]
Parameter | Required | Description |
configRuleName | Yes | Name of the rule. |
scope.complianceResourceTypes | Yes | Resource types the rule applies to; can be an array of multiple values. |
description | No | Description of the rule. |
source.owner | Yes | Source of the rule. Valid values: |
source.identifier | Yes | Identifier of the rule, one of the following two kinds: |
source.sourceDetails.messageType | Yes | Trigger mechanism of the rule. Valid values: |
source.sourceDetails.maximumExecutionFrequency | No | Execution interval of the rule. Valid values: Note: When |
source.conditions | No | Content of the custom-condition rule. Note: When |
inputParameters | No | Input parameters of the rule. The input parameters that must be filled in are shown under the rule's input parameters in the rule details of each rule in the rule template list; all input parameters are entered as strings. |
scope | No | Scope to which the rule applies. |
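To check a template file against the structure described in the compliancePackTemplate and configRuleTemplates sections above before importing it, here is an added Python validator. It is example code written for this page, not part of Cloud Config; the function names and the wording of the messages are my own. It walks a parsed template and reports every missing required field, wrong type and non-string input parameter. The constructed sample's first rule is the page's own example, and its second rule is deliberately broken.

```python
"""Validator for compliance pack templates (added example, not Cloud Config code).

Checks a parsed template against the documented structure: configRuleTemplates is
required, compliancePackTemplate is optional, and each rule needs configRuleName,
scope.complianceResourceTypes, source.owner, source.identifier and a messageType in
every sourceDetails entry. All inputParameters values must be strings.
"""
import json

# Required keys and their expected JSON types, mirroring the parameter tables.
REQUIRED_RULE_KEYS = {"configRuleName": str, "scope": dict, "source": dict}
REQUIRED_SOURCE_KEYS = {"owner": str, "identifier": str, "sourceDetails": list}


def validate_rule(rule, idx):
    """Return a list of problems found in one configRuleTemplates entry."""
    problems = []
    prefix = f"configRuleTemplates.{idx}"
    if not isinstance(rule, dict):
        return [f"{prefix}: rule must be an object"]
    for key, typ in REQUIRED_RULE_KEYS.items():
        if key not in rule:
            problems.append(f"{prefix}.{key}: required field missing")
        elif not isinstance(rule[key], typ):
            problems.append(f"{prefix}.{key}: expected {typ.__name__}")
    scope = rule.get("scope")
    if isinstance(scope, dict):
        types = scope.get("complianceResourceTypes")
        if not isinstance(types, list) or not types:
            problems.append(f"{prefix}.scope.complianceResourceTypes: required non-empty array")
    source = rule.get("source")
    if isinstance(source, dict):
        for key, typ in REQUIRED_SOURCE_KEYS.items():
            if key not in source:
                problems.append(f"{prefix}.source.{key}: required field missing")
            elif not isinstance(source[key], typ):
                problems.append(f"{prefix}.source.{key}: expected {typ.__name__}")
        for j, detail in enumerate(source.get("sourceDetails") or []):
            if not isinstance(detail, dict) or not isinstance(detail.get("messageType"), str):
                problems.append(f"{prefix}.source.sourceDetails.{j}.messageType: required string")
    params = rule.get("inputParameters", {})
    if not isinstance(params, dict):
        problems.append(f"{prefix}.inputParameters: expected object")
    else:
        for name, value in params.items():
            if not isinstance(value, str):
                problems.append(f"{prefix}.inputParameters.{name}: all values must be strings")
    return problems


def validate_template(template):
    """Return all problems in a template dict; an empty list means it is well-formed."""
    if not isinstance(template, dict):
        return ["template: top level must be an object"]
    problems = []
    rules = template.get("configRuleTemplates")
    if not isinstance(rules, list):
        problems.append("configRuleTemplates: required array missing")
    else:
        for i, rule in enumerate(rules):
            problems.extend(validate_rule(rule, i))
    pack = template.get("compliancePackTemplate")
    if pack is not None:
        if not isinstance(pack, dict):
            problems.append("compliancePackTemplate: expected object")
        elif "riskLevel" in pack and not isinstance(pack["riskLevel"], int):
            problems.append("compliancePackTemplate.riskLevel: expected integer")
    return problems


# Constructed sample: the first rule is the page's example; the second is deliberately
# broken (no resource types, owner missing, a numeric parameter) and the pack's
# riskLevel is a string instead of an integer.
SAMPLE_TEMPLATE = json.loads("""{
  "configRuleTemplates": [
    {
      "configRuleName": "ECS实例开启释放保护",
      "scope": {"complianceResourceTypes": ["ACS::ECS::Instance"]},
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-deletion-protection-enabled",
        "sourceDetails": [{"messageType": "ConfigurationItemChangeNotification"}]
      },
      "inputParameters": {}
    },
    {
      "configRuleName": "broken-rule",
      "scope": {},
      "source": {
        "identifier": "some-identifier",
        "sourceDetails": [{"messageType": "ConfigurationItemChangeNotification"}]
      },
      "inputParameters": {"days": 30}
    }
  ],
  "compliancePackTemplate": {"riskLevel": "high", "compliancePackName": "demo"}
}""")

if __name__ == "__main__":
    for problem in validate_template(SAMPLE_TEMPLATE):
        print(problem)
```

Running the block prints four findings, all from the second rule and the pack header; the first rule passes unchanged. The validator only enforces what the tables above state, so it does not check the allowed values of riskLevel, owner or messageType.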
Example:
{
  "configRuleTemplates": [
    {
      "configRuleName": "ECS实例开启释放保护",
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547xg0****.i-t4n3u1pz97547xg0****",
          "i-t4n1bxf3xr70wjh5****",
          "i-t4n133q6k9czgun****",
          "i-t4n3s3qqti2zaxu****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36lg****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southea****"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "ECS实例开启释放保护,视为“合规”。",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-deletion-protection-enabled",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    }
  ],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "配置化合规包模版编写测试",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg****.i-t4n3u1pz97547xg****",
        "i-t4n1bxf3xr70wjh5****",
        "i-t4n133q6k9czgunx****",
        "i-t4n3s3qqti2zaxux****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36lgo****"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "配置化合规包模版编写测试-导入导出测试"
  }
}
Complete example
{
  "configRuleTemplates": [
    {
      "configRuleName": "ECS实例付费类型为包年包月",
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547xg0****.i-t4n3u1pz97547xg*****",
          "i-t4n1bxf3xr70wjh5*****",
          "i-t4n133q6k9czgun*****",
          "i-t4n3s3qqti2zaxu*****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l*****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "检测ECS实例的付费类型,若实例付费类型为包年包月,视为“合规”。",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-chargetype-check",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    },
    {
      "configRuleName": "ECS实例禁止绑定公网地址",
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547x*****.i-t4n3u1pz97547*****",
          "i-t4n1bxf3xr70w*****",
          "i-t4n133q6k9czg*****",
          "i-t4n3s3qqti2zax******"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l*****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "ECS实例没有直接绑定IPv4公网IP或弹性公网IP,视为“合规”。",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-no-public-ip",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    },
    {
      "configRuleName": "ECS实例开启释放保护",
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz9754*****.i-t4n3u1pz97547x*****",
          "i-t4n1bxf3xr70wj*****",
          "i-t4n133q6k9czgu*****",
          "i-t4n3s3qqti2zaxu*****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "ECS实例开启释放保护,视为“合规”。",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-deletion-protection-enabled",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    }
  ],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "配置化合规包模版编写测试",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg0*****.i-t4n3u1pz97547xg******",
        "i-t4n1bxf3xr70w******",
        "i-t4n133q6k9czgun*****",
        "i-t4n3s3qqti2zaxux*****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36l******"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "配置化合规包模版编写测试-导入导出测试"
  }
}
Import and export
You can import a compliance pack template into Cloud Config by uploading a .json or .txt file. You can also export a compliance pack template as a .json file; the exported template file is easy to share and back up, which makes rule management more flexible and convenient.
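Because exported templates are meant to be shared and re-imported, it is worth reviewing one before importing it. The following added Python (example code written for this page, not Cloud Config's own) applies the documented import constraints (.json or .txt suffix, at most 1 MB), then summarises the pack: its name and risk level, the rules it carries, and any scope exclusions (the complianceExclude* keys from the structure above), which narrow what gets evaluated. It also diffs the rule set against a previously exported backup. The function names, the sample pack and the resource ID i-EXAMPLE-EXCLUDED are constructed for the example.

```python
"""Pre-import review of an exported compliance pack template (added example).

Enforces the documented import limits (.json or .txt, <= 1 MB), then reports the
rules a pack contains and any scope exclusions so a reviewer can see what a shared
template would and would not evaluate. Helper names are assumptions, not Cloud
Config APIs.
"""
import json
import os
import tempfile

MAX_IMPORT_BYTES = 1024 * 1024          # documented limit: the file must be <= 1 MB
ALLOWED_SUFFIXES = (".json", ".txt")    # documented accepted suffixes
EXCLUSION_KEYS = (                      # scope keys that remove resources from evaluation
    "complianceExcludeResourceIds",
    "complianceExcludeRegionIds",
    "complianceExcludeResourceGroupIds",
    "complianceExcludeTagsScope",
)


def load_template_file(path):
    """Read a template file, checking the suffix and size limit before parsing it."""
    if not path.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"{path}: only {ALLOWED_SUFFIXES} files can be imported")
    size = os.path.getsize(path)
    if size > MAX_IMPORT_BYTES:
        raise ValueError(f"{path}: {size} bytes exceeds the 1 MB import limit")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def scope_exclusions(scope):
    """Return the exclusion keys of a scope object that are present and non-empty."""
    return [k for k in EXCLUSION_KEYS if scope.get(k)]


def review_template(template):
    """Summarise a template for a reviewer: pack header, rules and exclusion findings."""
    pack = template.get("compliancePackTemplate") or {}
    findings = []
    pack_excl = scope_exclusions(pack.get("scope") or {})
    if pack_excl:
        findings.append(f"pack scope excludes: {pack_excl}")
    rules = []
    for rule in template.get("configRuleTemplates", []):
        source = rule.get("source", {})
        rules.append((source.get("owner"), source.get("identifier")))
        excl = scope_exclusions(rule.get("scope") or {})
        if excl:
            findings.append(f"rule {rule.get('configRuleName')} excludes: {excl}")
    return {
        "pack": pack.get("compliancePackName"),
        "riskLevel": pack.get("riskLevel"),
        "rules": rules,
        "findings": findings,
    }


def diff_rules(old_template, new_template):
    """Rule identifiers added or removed between a backup export and an incoming template."""
    def keys(t):
        return {(r["source"]["owner"], r["source"]["identifier"])
                for r in t.get("configRuleTemplates", [])}
    old, new = keys(old_template), keys(new_template)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample pack: one official rule from the page, with an excluded resource ID
# added to show how exclusions are surfaced.
SAMPLE = {
    "configRuleTemplates": [{
        "configRuleName": "ECS实例开启释放保护",
        "scope": {
            "complianceResourceTypes": ["ACS::ECS::Instance"],
            "complianceExcludeResourceIds": ["i-EXAMPLE-EXCLUDED"]
        },
        "source": {"owner": "ALIYUN",
                   "identifier": "ecs-instance-deletion-protection-enabled",
                   "sourceDetails": [{"messageType": "ConfigurationItemChangeNotification"}]},
        "inputParameters": {}
    }],
    "compliancePackTemplate": {"riskLevel": 2, "compliancePackName": "demo-pack"}
}


def demo():
    """Export the sample to a .json file, reload it under the import checks, review it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo-pack.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh, ensure_ascii=False, indent=2)
        loaded = load_template_file(path)
    return review_template(loaded)


if __name__ == "__main__":
    print(json.dumps(demo(), ensure_ascii=False, indent=2))
```

The review flags the excluded resource ID on the rule; an exclusion is not an error, but it is exactly the kind of detail a reviewer should see before importing a template someone else exported, since it removes resources from evaluation without changing which rules appear in the pack.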