Author of this article: Ziji zj. This article mainly introduces how to use the Configuration Audit (Config) function to quickly locate and repair OSS Buckets that have no anti-hotlinking configured during an enterprise's migration to the cloud.

Preface

Configuration Audit (Config) integrates your scattered resources into a global resource list that makes it easy to search for resources across the whole account; at the same time, it records the configuration change history of your IT resources on the cloud and continuously and automatically evaluates their configuration for compliance, enabling IT compliance governance on the cloud. This article introduces how to use Configuration Audit (Config) to quickly discover and repair OSS Buckets that are not configured with anti-hotlinking.

Actual case

Company A has 10 vertical business departments, and each business department allocates 1 to 2 OSS Buckets to store operational images and directly uses the links generated by OSS to display the images on its web pages. OSS costs are divided into storage fees and traffic fees; when a large number of external requests are made for image resources, the traffic fees incurred must be borne by the customer. To prevent unauthorized websites from hotlinking image resources, OSS provides the "anti-hotlinking" (Referer whitelist) function. For a detailed description of the function, refer to the OSS anti-hotlinking documentation.

Company A intends to adopt this technical solution. It needs to enable anti-hotlinking for each OSS Bucket and set the Referer whitelist to *.alibaba.com and *.aliyun.com. As the company's operations engineer, I really do not want to look up the documentation and configure each bucket by hand. At the same time, additional countermeasures are needed to prevent the bucket configuration from being modified again later.

At this point, they thought of an Alibaba Cloud product: Configuration Audit (Config).

We can briefly summarize the capabilities of Configuration Audit (Config) in 3 points:

  1. A unified resource view across regions and even across accounts;
  2. Rules that detect whether a resource configuration meets requirements;
  3. Continuous detection of resources and repair (remediation) capabilities;

How does Configuration Audit (Config) work?


The configuration data of each resource is centrally stored in the Configuration Audit (Config) database through asynchronous message notification. Rules evaluate the resource configurations in that database, triggered on a schedule, passively by configuration changes, or actively by the user; the evaluation results are shown to the user, and, depending on the rule settings, a correction task can be executed. The new resource configuration produced by the correction flows back into Configuration Audit (Config) and enters the next evaluation cycle. Let's take a look at how the operations engineer of Company A completes the task with Configuration Audit (Config).

Set rules

Open the Configuration Audit console, enter the rule list, and click Create Rule. You can see that Configuration Audit (Config) provides users with a large number of managed rules (managed rules are developed by the platform and provided for users to apply). Search for "anti-hotlinking" or "referer" to find this rule: OSS bucket has the anti-hotlinking function enabled.


Click Apply Rule:

Step 1: set the rule name, custom risk level, and custom remarks;

Step 2: optionally limit the scope of resources to be checked according to the actual business scenario; the options include resource ID, resource group ID, region, tag, etc.;

Step 3: set the allowed Referer whitelist and whether to allow an empty Referer;


Step 4: set whether to enable automatic repair; we will skip it for now and discuss it later;

Step 5: preview and submit.

Rule evaluation

After the rule is created, it starts to evaluate the compliance of the existing bucket configurations. According to the rule's evaluation description, "an OSS bucket with the anti-hotlinking function enabled is regarded as compliant". The rule determines compliance by checking the bucket configuration information: RefererList.Referer must not be empty.

After the rule evaluation is completed, an evaluation result is generated showing the cumulative number of evaluated resources, the number of compliant resources and the number of non-compliant resources; you can configure the buckets manually based on this inspection result. Note: a newly added OSS Bucket will also have its compliance detected automatically.

The following figure shows the evaluation results: 23 OSS Buckets were evaluated in total and 23 are non-compliant, which means that none of these 23 OSS Buckets has the anti-hotlinking function enabled.


How to fix

When the number of non-compliant buckets is large, heavy manual configuration may cause operational errors. Don't worry: Configuration Audit (Config) can use Operation Orchestration Service (OOS) to fix the non-compliant resources evaluated by the rule. Go to the rule details page -> correction details, then click "Modify configuration" to complete the correction configuration.


Note that there is an option "Automatic correction / Manual correction"; for now we select "Manual correction".


At this point, an "Execute manual correction" button appears in the correction details tab. Click this button to manually trigger the repair task for the non-compliant resources.


Since the repair task is initiated asynchronously, you can go directly to the Object Storage console -> Bucket -> Permission management -> Anti-hotlinking to check whether the correction succeeded, or wait a while (about 10 minutes) and then return to the Configuration Audit (Config) console to view the latest configuration information.


As shown in the figure above, the repair action has been executed and the OSS Bucket's anti-hotlinking has been set correctly. Go back to the Configuration Audit console and wait a while: the resource change data triggered by the repair returns to Configuration Audit (Config) and triggers the rule once again, and we find that all resources have become compliant.


Continuously evaluate and repair

How do we ensure that other operations personnel will not change the configuration later? The organization's internal operating procedures can barely accomplish this, and people always make mistakes. Instead, we can use the continuous detection and repair capabilities of Configuration Audit (Config). In the correction settings configured above, change "Manual correction" to "Automatic correction". Once a resource is changed improperly, Configuration Audit (Config) will identify the change and automatically correct it back to the correct configuration, preventing abnormal modifications.

For example, we modify the anti-hotlinking configuration of a certain OSS Bucket in the OSS console; the change: *.alibaba.com is changed to *.alibaba-inc.com.


Wait a few minutes and check the evaluation result again.

The OSS Bucket with the wrong anti-hotlinking list we just set appears here. At this point the automatic correction has already been triggered; the reason that one bucket is still displayed as non-compliant is that Configuration Audit (Config) has to wait for the corrected configuration to arrive in its centralized database before the rule can be evaluated again and the non-compliant resource is evaluated as compliant.


As shown in the figure above, after about 10 minutes the latest Bucket configuration information has reached Configuration Audit, the rule evaluation has been triggered, and the bucket is deemed "compliant".

Let's go back to the OSS Bucket console again to check whether the latest resource configuration has taken effect.


The configuration has been reset back to *.alibaba.com and *.aliyun.com.
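To make the rule's check and the correction concrete, the following Python is an added example (not code from the article or from Alibaba Cloud Config) that models both the evaluation described under "Rule evaluation" and the drift-and-reset cycle above. It parses the XML that OSS returns for a bucket's Referer configuration, treats a bucket as compliant when RefererList.Referer is non-empty, every entry is in the whitelist *.alibaba.com / *.aliyun.com and the empty-Referer setting matches the rule, and builds the corrected configuration body a remediation step would write back. The exact matching logic of the managed rule and the choice to disallow an empty Referer are assumptions, and the sample bucket configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Rule parameters as set in step 3 of the article (disallowing an empty
# Referer is an assumption; the article only says the option exists).
ALLOWED_REFERERS = ["*.alibaba.com", "*.aliyun.com"]
ALLOW_EMPTY_REFERER = False

# Constructed sample configurations in the GetBucketReferer XML format: a bucket
# with no whitelist (as all 23 were at first) and the drifted bucket from the
# article, where *.alibaba.com was changed to *.alibaba-inc.com.
UNCONFIGURED_BUCKET = (
    "<RefererConfiguration><AllowEmptyReferer>true</AllowEmptyReferer>"
    "<RefererList/></RefererConfiguration>"
)
DRIFTED_BUCKET = (
    "<RefererConfiguration><AllowEmptyReferer>false</AllowEmptyReferer>"
    "<RefererList><Referer>*.alibaba-inc.com</Referer>"
    "<Referer>*.aliyun.com</Referer></RefererList></RefererConfiguration>"
)

def parse_referer_config(xml_text):
    """Return (allow_empty_referer, referers) from a GetBucketReferer body."""
    root = ET.fromstring(xml_text)
    allow_empty = root.findtext("AllowEmptyReferer", "true").strip().lower() == "true"
    referers = [r.text.strip() for r in root.iterfind("RefererList/Referer") if r.text]
    return allow_empty, referers

def evaluate(xml_text, allowed=ALLOWED_REFERERS, allow_empty=ALLOW_EMPTY_REFERER):
    """Classify one bucket as ("COMPLIANT" | "NON_COMPLIANT", reason)."""
    bucket_allow_empty, referers = parse_referer_config(xml_text)
    if not referers:  # the check the article cites: RefererList.Referer must not be empty
        return "NON_COMPLIANT", "RefererList.Referer is empty: anti-hotlinking not enabled"
    unexpected = sorted(set(referers) - set(allowed))
    if unexpected:  # e.g. the drift to *.alibaba-inc.com
        return "NON_COMPLIANT", f"referers outside the whitelist: {unexpected}"
    if bucket_allow_empty != allow_empty:
        return "NON_COMPLIANT", f"AllowEmptyReferer is {bucket_allow_empty}, expected {allow_empty}"
    return "COMPLIANT", "whitelist matches rule parameters"

def remediation_body(allowed=ALLOWED_REFERERS, allow_empty=ALLOW_EMPTY_REFERER):
    """Build the PutBucketReferer XML that resets a bucket to the rule's parameters."""
    root = ET.Element("RefererConfiguration")
    ET.SubElement(root, "AllowEmptyReferer").text = "true" if allow_empty else "false"
    referer_list = ET.SubElement(root, "RefererList")
    for referer in allowed:
        ET.SubElement(referer_list, "Referer").text = referer
    return ET.tostring(root, encoding="unicode")
```

Running evaluate() on the two samples flags both as non-compliant, and evaluating remediation_body() shows why the bucket returns to "compliant" once the corrected configuration reaches Config.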

Summary

The above shows how Configuration Audit (Config) detects non-compliant configurations and continues to repair them automatically. Through rule setup, rule evaluation and repair, we completed the process from discovering the problem and locating the resources to manual and automatic changes; this is the closed loop of Configuration Audit (Config).

In addition, there are many more rules and compliance packages applicable to more complex business scenarios, which can help enterprise operations and compliance teams complete their work more efficiently.
