Comments (2)
MrBe1ieVe
commented on June 12, 2024
1
IAM 配置中,同样建议限制 IP 来源的方式,避免其他人获取AK SK 后获取内部信息。阿里、AWS 配置内容参考如下:
AWS:使用官方配置,再点击可视化编辑后,再点回来配置限制 IP,策略如下
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*",
"cloudwatch:ListMetrics"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ds:ListAuthorizedApplications",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "dynamodb:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"ec2:List*",
"ec2:GetEbsEncryptionByDefault",
"ec2:Describe*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": "ecr:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor5",
"Effect": "Allow",
"Action": "elasticache:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor6",
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor8",
"Effect": "Allow",
"Action": [
"glue:SearchTables",
"glue:GetConnections"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor9",
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor10",
"Effect": "Allow",
"Action": "lambda:GetFunction",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor11",
"Effect": "Allow",
"Action": "rds:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor12",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:List*",
"s3:GetBucketLocation"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor13",
"Effect": "Allow",
"Action": [
"securityhub:List*",
"securityhub:GetFindings",
"securityhub:BatchImportFindings"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor14",
"Effect": "Allow",
"Action": "support:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
},
{
"Sid": "VisualEditor15",
"Effect": "Allow",
"Action": "tag:GetTagKeys",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "Your_IP_ADDR/32"
}
}
}
]
}阿里云:结构与 AWS 类似。如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:Get*",
"oss:List*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "ecs:List*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "rds:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "slb:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "cms:QueryMetric*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ram:Get*",
"ram:List*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "ram:GenerateCredentialReport",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeHaVip*",
"vpc:DescribeRouteTable*",
"vpc:DescribeRouteEntry*",
"vpc:DescribeVSwitch*",
"vpc:DescribeVRouter*",
"vpc:DescribeVpc*",
"vpc:Describe*Cen*",
"vpc:ListTag*",
"vpc:DescribeTag*",
"vpc:DescribeNetworkAcl*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "vpc:DescribeEip*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "kvstore:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": "dds:Describe*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticsearch:List*",
"elasticsearch:Describe*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"Your_IP_ADDR/32"
]
}
}
}
]
}
from hummerrisk.
harris1943
commented on June 12, 2024
v1.3.0已完成
from hummerrisk.
Related Issues (20)
- hummerrisk-ui 日志一直报499状态码,不能显示登陆表单 HOT 3
- 云资源日志同步任务新建失败
- 多云资源管理-资源导出需求 HOT 1
- 源码检测,配置gitlab地址报错 HOT 2
- 优化规则组中的检查结果显示 HOT 1
- 资源态势可以指定同步的region HOT 2
- 主机检测结果无法下载 HOT 2
- 云原生检测中,在资源态势通过 namespace 过滤出来的资源不对 HOT 4
- 云原生检测中,event 资源类型没有太大价值,而且数量太多,建议删除
- 云资源态势里信息显示不全 HOT 1
- 部署检测请求字节较大问题 HOT 1
- 添加部署检测时,从k8s获取yaml下拉菜单添加模糊查询 HOT 1
- 云资源同步日志,同步存在失败的报错的情况下,列表中显示的状态一直是执行中,并未改变为已完成 HOT 1
- 资源检测结果页面遮罩问题 HOT 1
- “混合云安全”执行检测,结果不对,排查日志发现一直在执行check11的检查
- 执行prowler检测时一直是执行"check11"检测
- 安全漏洞 HummerRisk认证后远程命令执行 HOT 1
- 在离线环境无法启动trivy-operator
- 帮助文档看不了
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hummerrisk.