From c2bb7a6a8d74aa59692c7fae7203514a81d37317 Mon Sep 17 00:00:00 2001 From: baichenxu3 Date: Tue, 19 Dec 2023 10:28:11 +0800 Subject: [PATCH] add multiple-accounts-support-configuration-auditing template. --- README-CN.md | 6 + README.md | 7 ++ ...ccounts-support-configuration-auditing.yml | 110 ++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml diff --git a/README-CN.md b/README-CN.md index ca60ea42..421db988 100644 --- a/README-CN.md +++ b/README-CN.md @@ -516,6 +516,12 @@ ROS 模板的示例和最佳实践。模板分类如下: | [deploy-nginx-services-through-ingress.yml](documents/solution/ops-on-cloud/deploy-nginx-services-through-ingress.yml) | 部署Nginx并通过Ingress暴露和监控服务。 | [解决方案](https://aliyun.com/solution/tech-solution/nginx_ingress) | +- resource-directory + +| Template | 说明 | +|----------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------| +| [multiple-accounts-support-configuration-auditing.yml](documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml) | 多账号配置统一合规审计。 | + - product-details-page | Template | Description | diff --git a/README.md b/README.md index 942b6681..751be19c 100644 --- a/README.md +++ b/README.md 
@@ -529,6 +529,13 @@ Examples and best practices of ROS templates. The templates are categorized as f | [spark-cluster-on-yitian.yml](documents/solution/product-details-page/spark-cluster-on-yitian.yml) | Spark Cluster on Yitian. | +- resource-directory + +| Template | Description | +|----------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------| +| [multiple-accounts-support-configuration-auditing.yml](documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml) | Configure unified compliance audit for multiple accounts. | + + - internet-application-development | Template | Description | diff --git a/documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml b/documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml new file mode 100644 index 00000000..bd460b53 --- /dev/null +++ b/documents/solution/resource-directory/multiple-accounts-support-configuration-auditing.yml 
@@ -0,0 +1,110 @@ +ROSTemplateFormatVersion: '2015-09-01' +Description: + zh-cn: 多账号配置统一合规审计 + en: Configure unified compliance audit for multiple accounts. +Parameters: + IsEnableRD: + Type: Boolean + Label: + zh-cn: 是否开通资源目录 + en: Whether to enable a Resource Directory + Default: false + RDAccountName1: + Default: Alice1 + Type: String + Label: + zh-cn: 资源目录成员名称1 + en: Resource directory member name 1 + RDAccountName2: + Default: Tom1 + Type: String + Label: + zh-cn: 资源目录成员名称2 + en: Resource directory member name 2 +Outputs: {} +Conditions: + EnableRD: + Fn::Equals: + - true + - Ref: IsEnableRD +Resources: + ResourceDirectory: + Condition: EnableRD + Type: ALIYUN::ResourceManager::ResourceDirectory + RDFolder: + Type: ALIYUN::ResourceManager::Folder + Properties: + FolderName: + Ref: ALIYUN::StackId + RDAccount1: + Type: ALIYUN::ResourceManager::Account + Properties: + DisplayName: + Ref: RDAccountName1 + FolderId: + Fn::GetAtt: + - RDFolder + - FolderId + RDAccount2: + Type: ALIYUN::ResourceManager::Account + Properties: + DisplayName: + Ref: RDAccountName2 + FolderId: + Fn::GetAtt: + - RDFolder + - FolderId + ConfigAggregator: + Type: ALIYUN::Config::Aggregator + Properties: + AggregatorName: + Ref: ALIYUN::StackId + Description: + Ref: ALIYUN::StackId + AggregatorAccounts: + - AccountId: + Fn::GetAtt: + - RDAccount1 + - AccountId + AccountType: ResourceDirectory + AccountName: + Ref: RDAccountName1 + - AccountId: + Fn::GetAtt: + - RDAccount2 + - AccountId + AccountType: ResourceDirectory + AccountName: + Ref: RDAccountName2 + ConfigAggregateCompliancePack: + Type: ALIYUN::Config::AggregateCompliancePack + Properties: + AggregatorId: + Fn::GetAtt: + - ConfigAggregator + - AggregatorId + RiskLevel: 1 + Description: 基于等保三级的部分要求,对阿里云上资源的合规性做检测。 + CompliancePackName: 等保三级预检合规包 + ConfigRules: + - ConfigRuleName: OSS存储空间ACL禁止公共读 + Description: OSS存储空间的ACL策略禁止公共读,视为“合规”。 + RiskLevel: 1 + ManagedRuleIdentifier: oss-bucket-public-read-prohibited + - ConfigRuleName: 
OSS存储空间ACL禁止公共读写 + Description: OSS存储空间的ACL策略禁止公共读写,视为“合规”。 + RiskLevel: 1 + ManagedRuleIdentifier: oss-bucket-public-write-prohibited +Metadata: + ALIYUN::ROS::Interface: + ParameterGroups: + - Parameters: + - IsEnableRD + - RDAccountName1 + - RDAccountName2 + Label: + zh-cn: 资源目录配置 + en: ResourceDirectory Configuration + TemplateTags: + - acs:technical-solution:resource-directory:多账号配置统一合规审计 +
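Review bot: RDFolder has no ordering relationship with ResourceDirectory, so when IsEnableRD is true the folder (and RDAccount1/RDAccount2 behind it) can be created while the Resource Directory is still being enabled, and the first deployment of the stack may fail for that reason. Adding `DependsOn: ResourceDirectory` under RDFolder expresses the intended order; I believe ROS, like CloudFormation, ignores a DependsOn on a resource that its Condition skips, but that should be confirmed before relying on it. When IsEnableRD is false the template silently assumes a Resource Directory already exists in the deploying account, which the parameter label does not say; a label such as `en: Whether to enable a Resource Directory (set to false only if one already exists in this account)` would make the precondition visible. Note also that ConfigAggregator only aggregates the two accounts created here, not the rest of the folder, so the "unified" audit covers exactly RDAccount1 and RDAccount2.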