云安全配置
概述:云安全需要一套覆盖身份管理、加密、网络控制、合规性和威胁检测的整体策略,并通过多层防护与持续监控实现纵深防御(defense in depth)。
何时使用
- 保护云中敏感数据
- 符合法规(GDPR、HIPAA、PCI-DSS)
- 实施零信任安全
- 保护多云环境
- 威胁检测和响应
- 身份和访问管理
- 网络隔离和分段
- 加密和密钥管理
实施示例
1. AWS安全配置
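# Enable GuardDuty (threat detection)
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES

# Enable CloudTrail (audit logging).
# The target bucket must already have a bucket policy that lets
# cloudtrail.amazonaws.com call s3:GetBucketAcl and s3:PutObject on it.
# Log file validation produces digest files so tampering with delivered logs is detectable.
aws cloudtrail create-trail \
  --name organization-trail \
  --s3-bucket-name audit-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation
# create-trail only defines the trail; no events are recorded until logging is started.
aws cloudtrail start-logging --name organization-trail

# Enable S3 bucket default encryption (SSE-KMS with an S3 bucket key)
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id"
      },
      "BucketKeyEnabled": true
    }]
  }'
# Encryption at rest does not prevent public exposure; block public ACLs and policies as well.
aws s3api put-public-access-block \
  --bucket my-bucket \
  --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Enable VPC flow logs. With a cloud-watch-logs destination the API requires an
# IAM role (--deliver-logs-permission-arn) that the flow logs service assumes
# to write into the log group.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flowlogs \
  --deliver-logs-permission-arn arn:aws:iam::account:role/flow-logs-role

# Configure a security group rule.
# 0.0.0.0/0 is acceptable only for a public-facing endpoint on 443;
# never expose management ports (22, 3389) this way.
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

# Check whether the root account has MFA enabled (1 = enabled, 0 = not enabled).
# Root MFA cannot be enabled from the CLI; it must be set up in the console
# while signed in as root. This call only verifies the current state.
aws iam get-account-summary \
  --query 'SummaryMap.AccountMFAEnabled'

# Create the account password policy (CIS-aligned).
# --password-reuse-prevention stops users from cycling back to a previous password.
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password \
  --expire-passwords \
  --max-password-age 90 \
  --password-reuse-prevention 24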
2. Terraform安全配置
# security.tf
#
# Provider pinning: the AWS provider is constrained to the 5.x series so the
# resource schemas used in this file stay stable across `terraform init`.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# The region is taken from a variable so the same configuration can be
# applied to several regions.
provider "aws" {
  region = var.aws_region
}
# Customer-managed KMS key used for encryption in this configuration.
# Automatic key rotation is on; the 10-day deletion window leaves time to
# cancel an accidental scheduled deletion. No `policy` is set, so the key
# uses the AWS default key policy (full access for the account root).
resource "aws_kms_key" "main" {
  description             = "主加密密钥"
  enable_key_rotation     = true
  deletion_window_in_days = 10

  tags = {
    Name = "master-key"
  }
}

# Friendly alias so consumers reference alias/master-key rather than the key ID.
resource "aws_kms_alias" "main" {
  target_key_id = aws_kms_key.main.key_id
  name          = "alias/master-key"
}
# Database password held in Secrets Manager and encrypted with the CMK above.
# The secret can be recovered for 7 days after deletion.
# NOTE(review): the generated value is also stored in Terraform state in
# clear text; the state backend must be encrypted and access-restricted.
resource "aws_secretsmanager_secret" "db_password" {
  name_prefix             = "db/"
  kms_key_id              = aws_kms_key.main.id
  recovery_window_in_days = 7
}

# Current value of the secret, sourced from random_password.db.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_string = random_password.db.result
  secret_id     = aws_secretsmanager_secret.db_password.id
}
# IAM role assumed by EC2 instances running the application. Permissions are
# attached separately in aws_iam_role_policy.app_policy.
resource "aws_iam_role" "app_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })
}
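# Least-privilege inline policy for the application role: read one bucket,
# decrypt with one key, read one secret, and write its own CloudWatch logs.
resource "aws_iam_role_policy" "app_policy" {
  role = aws_iam_role.app_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ReadDataBucket"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:ListBucket"
        ]
        # ListBucket applies to the bucket ARN, GetObject to the objects.
        Resource = [
          aws_s3_bucket.data.arn,
          "${aws_s3_bucket.data.arn}/*"
        ]
      },
      {
        Sid    = "DecryptWithMainKey"
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:DescribeKey"
        ]
        Resource = aws_kms_key.main.arn
      },
      {
        Sid    = "ReadDbPassword"
        Effect = "Allow"
        Action = [
          "secretsmanager:GetSecretValue"
        ]
        Resource = aws_secretsmanager_secret.db_password.arn
      },
      {
        Sid    = "WriteOwnLogs"
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        # Scoped to this account and region instead of arn:aws:logs:*:*:*, so a
        # compromised instance can only write log groups in its own account/region.
        Resource = "arn:aws:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*"
      }
    ]
  })
}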
# Application VPC with DNS support and hostnames enabled.
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "main-vpc"
  }
}
# Public subnet in the first available AZ. Instances launched here do not
# receive a public IP automatically; assign one explicitly where needed.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  availability_zone       = data.aws_availability_zones.available.names[0]
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false

  tags = {
    Name = "public-subnet"
  }
}
# Private subnet in the same AZ as the public one. No route table or NAT
# gateway is defined in this file, so outbound internet access must be
# added separately if required.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.10.0/24"

  tags = {
    Name = "private-subnet"
  }
}
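# Network ACL as a stateless, subnet-level layer beneath the security groups.
# NACLs do not track connections, so return traffic for connections initiated
# from inside the subnet (package updates, calls to AWS APIs) has to be allowed
# explicitly on the ephemeral port range; without rule 120 every outbound
# connection from the subnet hangs because its replies are dropped.
resource "aws_network_acl" "main" {
  vpc_id = aws_vpc.main.id

  # Associate with the public subnet. An unassociated NACL protects nothing;
  # the subnet would keep using the VPC default (allow-all) ACL.
  subnet_ids = [aws_subnet.public.id]

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Port 80 is kept for HTTP->HTTPS redirects only; drop this rule if the
  # application serves TLS exclusively.
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  # Return traffic for outbound connections (ephemeral ports).
  ingress {
    rule_no    = 120
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}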
# Application security group. Only an egress rule is declared, and it allows
# ALL outbound traffic (every protocol, 0.0.0.0/0) — this is not a default-deny
# egress. No ingress rule is declared, so nothing can reach the instances until
# one is added (e.g. 443 from the load balancer's security group).
resource "aws_security_group" "app" {
  vpc_id      = aws_vpc.main.id
  name_prefix = "app-"

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
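# Regional WAF web ACL. Requests are allowed by default; the AWS Common Rule
# Set decides per rule whether a request is blocked.
# Note: nothing in this file associates the ACL with a load balancer or API
# (aws_wafv2_web_acl_association), so it inspects no traffic until attached.
resource "aws_wafv2_web_acl" "main" {
  name  = "app-waf"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    # A rule that references a managed rule group must use override_action,
    # not action; `action { block {} }` on such a rule is rejected by the
    # WAFv2 API. `none {}` keeps each managed rule's own action.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-waf"
    sampled_requests_enabled   = true
  }
}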
# GuardDuty detector with S3 data-event, VPC flow log and EKS audit log
# analysis enabled.
# NOTE(review): recent aws provider 5.x releases deprecate the `datasources`
# block in favour of aws_guardduty_detector_feature — confirm against the
# pinned provider version.
resource "aws_guardduty_detector" "main" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    flow_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
  }
}
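# CloudTrail for audit logging. Events are delivered to the audit bucket and,
# in addition, to a CloudWatch Logs group so that the metric filter below can
# feed aws_cloudwatch_metric_alarm.unauthorized_actions (metric
# UnauthorizedOperationCount in namespace CloudTrailMetrics). Without the
# CloudWatch delivery and the filter, that alarm never receives data.
resource "aws_cloudtrail" "main" {
  name                          = "organization-trail"
  s3_bucket_name                = aws_s3_bucket.audit_logs.id
  include_global_service_events = true
  is_multi_region_trail         = true
  # Digest files let auditors detect modified or deleted log files.
  enable_log_file_validation = true

  # The log group ARN passed to CloudTrail must carry the ":*" suffix.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_logs.arn

  # CloudTrail validates bucket permissions at creation time.
  depends_on = [aws_s3_bucket_policy.audit_logs]

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    # NOTE(review): AWS documents "all S3 buckets" as the value arn:aws:s3:::
    # (no trailing wildcard); confirm this value selects the intended objects.
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::*/"]
    }
  }
}

# CloudWatch Logs group receiving a copy of the trail events.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "/aws/cloudtrail/organization-trail"
  retention_in_days = 365
}

# Role CloudTrail assumes to write into the log group.
resource "aws_iam_role" "cloudtrail_logs" {
  name_prefix = "cloudtrail-logs-"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "cloudtrail.amazonaws.com" }
    }]
  })
}

# Only the two actions needed to append to the single trail log group.
resource "aws_iam_role_policy" "cloudtrail_logs" {
  role = aws_iam_role.cloudtrail_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
    }]
  })
}

# Produces the metric consumed by the unauthorized-api-calls alarm
# (CIS AWS Foundations Benchmark pattern for unauthorized API calls).
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name           = "UnauthorizedAPICalls"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedOperationCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}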
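# Audit log bucket. CloudTrail output is the primary forensic record, so the
# bucket is locked down: no public access, versioning so overwritten or
# deleted log objects remain recoverable, and default server-side encryption.
resource "aws_s3_bucket" "audit_logs" {
  bucket = "audit-logs-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

# SSE-S3 rather than the CMK: using aws_kms_key.main here would also require
# a key policy statement granting cloudtrail.amazonaws.com GenerateDataKey*.
resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}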
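# Home-region ARN of the trail declared in aws_cloudtrail.main. Built by hand
# because that trail depends on this policy; referencing aws_cloudtrail.main.arn
# here would create a dependency cycle.
locals {
  audit_trail_arn = "arn:aws:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/organization-trail"
}

# Bucket policy letting the CloudTrail service write logs. The aws:SourceArn
# condition limits the grant to this account's trail, so a trail in another
# account cannot write into (or deliberately pollute) the audit bucket
# (the confused-deputy protection AWS recommends for service principals).
resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowCloudTrailAcl"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.audit_logs.arn
        Condition = {
          StringEquals = {
            "aws:SourceArn" = local.audit_trail_arn
          }
        }
      },
      {
        Sid       = "AllowCloudTrailPutObject"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.audit_logs.arn}/*"
        Condition = {
          StringEquals = {
            # Objects must be owned by the bucket owner, not the service.
            "s3:x-amz-acl"  = "bucket-owner-full-control"
            "aws:SourceArn" = local.audit_trail_arn
          }
        }
      }
    ]
  })
}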
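# AWS Config: record configuration changes for every supported resource type,
# including global ones (IAM), and deliver snapshots to the config bucket.
resource "aws_config_configuration_recorder" "main" {
  name     = "main"
  role_arn = aws_iam_role.config.arn
  # The role needs its policy attached before Config validates it.
  depends_on = [aws_iam_role_policy_attachment.config]

  recording_group {
    all_supported = true
    # The provider argument is include_global_resource_types; `include_global`
    # is not a recognised attribute of recording_group.
    include_global_resource_types = true
  }
}

# Delivery channel; the recorder must exist first, and the bucket must grant
# config.amazonaws.com s3:PutObject through a bucket policy or delivery fails.
resource "aws_config_delivery_channel" "main" {
  name           = "main"
  s3_bucket_name = aws_s3_bucket.config.id
  depends_on     = [aws_config_configuration_recorder.main]
}

# Recording can only be started once a delivery channel exists.
# NOTE(review): `start_recording` is not listed among this resource's
# arguments in the provider docs (only name/is_enabled) — confirm it is
# accepted by the pinned provider version.
resource "aws_config_configuration_recorder_status" "main" {
  name            = aws_config_configuration_recorder.main.name
  is_enabled      = true
  start_recording = true
  depends_on      = [aws_config_delivery_channel.main]
}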
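# Alarm on unauthorized API calls (CIS AWS Foundations Benchmark control).
# The metric UnauthorizedOperationCount in namespace CloudTrailMetrics is not
# published by AWS itself; it must be produced by an
# aws_cloudwatch_log_metric_filter on a CloudWatch Logs group that the trail
# delivers to, otherwise the alarm stays in INSUFFICIENT_DATA forever.
# No alarm_actions are configured, so nobody is notified when it fires —
# attach an SNS topic ARN before relying on this for detection.
resource "aws_cloudwatch_metric_alarm" "unauthorized_actions" {
  alarm_name          = "unauthorized-api-calls"
  alarm_description   = "未经授权的API调用警报"
  namespace           = "CloudTrailMetrics"
  metric_name         = "UnauthorizedOperationCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = 5
  # No data points in a period means no matching events, not an outage.
  treat_missing_data = "notBreaching"
}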
# Account ID of the caller; used to build globally unique bucket names.
data "aws_caller_identity" "current" {}

# Availability zones currently usable in the selected region.
data "aws_availability_zones" "available" {
  state = "available"
}
# Generated database password (16 characters, symbols included). It is
# consumed only through aws_secretsmanager_secret_version.db_password.
# NOTE(review): some database engines reject certain symbols — set
# override_special if the target engine has restrictions.
resource "random_password" "db" {
  special = true
  length  = 16
}
# Service role assumed by AWS Config to read resource configuration.
resource "aws_iam_role" "config" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "config.amazonaws.com" }
      }
    ]
  })
}

# NOTE(review): confirm this managed policy ARN exists in the target
# partition; current AWS documentation references
# service-role/AWS_ConfigRole instead.
resource "aws_iam_role_policy_attachment" "config" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/ConfigRole"
  role       = aws_iam_role.config.name
}
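# Bucket receiving AWS Config snapshots and configuration history.
resource "aws_s3_bucket" "config" {
  bucket = "config-bucket-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "config" {
  bucket                  = aws_s3_bucket.config.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AWS Config writes with its own service principal, so the bucket has to grant
# it access explicitly; without this policy the delivery channel cannot
# deliver. AWS:SourceAccount limits the grant to this account's recorder.
# aws_config_delivery_channel.main should depend_on this resource.
resource "aws_s3_bucket_policy" "config" {
  bucket = aws_s3_bucket.config.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSConfigBucketPermissionsCheck"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.config.arn
        Condition = {
          StringEquals = {
            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "AWSConfigBucketExistenceCheck"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:ListBucket"
        Resource  = aws_s3_bucket.config.arn
        Condition = {
          StringEquals = {
            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "AWSConfigBucketDelivery"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.config.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}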
3. Azure安全配置
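# Enable Defender for Cloud auto-provisioning (installs the monitoring agent
# on new VMs in the subscription)
az security auto-provisioning-setting update \
  --auto-provision on

# Enable Defender for Storage (malware and anomalous-access detection).
# This enables it for ONE storage account; repeat per account or use a
# subscription-level plan to cover all of them.
az security atp storage update \
  --storage-account myaccount \
  --is-enabled true

# Configure an NSG rule.
# Source '*' on 443 is acceptable only for a public web endpoint; restrict
# --source-address-prefixes for anything else, and never open 22/3389 this way.
az network nsg rule create \
  --resource-group mygroup \
  --nsg-name mynsg \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes '*' \
  --destination-port-ranges 443

# Assign an Azure Policy (replace {subscription} and {policyId} with real IDs)
az policy assignment create \
  --name EnforceHttps \
  --policy /subscriptions/{subscription}/providers/Microsoft.Authorization/policyDefinitions/{policyId}

# Create a Key Vault using Azure RBAC instead of vault access policies.
# Purge protection prevents permanent deletion of keys/secrets/certificates
# during the soft-delete retention window, even by an administrator.
az keyvault create \
  --resource-group mygroup \
  --name mykeyvault \
  --enable-rbac-authorization \
  --enable-purge-protection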
4. GCP安全配置
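# Create a Cloud Armor security policy
gcloud compute security-policies create my-policy \
  --description "安全策略"

# Add a rule. This is an example geo-based deny; adapt the expression to your
# own threat model. Note the policy only takes effect once attached to a
# backend service:
#   gcloud compute backend-services update BACKEND --security-policy=my-policy --global
gcloud compute security-policies rules create 100 \
  --security-policy=my-policy \
  --action "deny-403" \
  --expression "origin.country_code == 'CN'"

# Create a Cloud KMS key ring and key with automatic rotation.
# (If your gcloud version also requires --next-rotation-time alongside
# --rotation-period, pass an RFC 3339 timestamp for the first rotation.)
gcloud kms keyrings create my-keyring --location us-east1
gcloud kms keys create my-key \
  --location us-east1 \
  --keyring my-keyring \
  --purpose encryption \
  --rotation-period 90d

# Grant a service account a role. This binding is project-wide; prefer binding
# on the specific cluster/resource when the SA only needs access to one.
gcloud projects add-iam-policy-binding MY_PROJECT \
  --member=serviceAccount:my-sa@MY_PROJECT.iam.gserviceaccount.com \
  --role=roles/container.developer

# Enable Binary Authorization (policy.yaml defines which attestors must sign
# an image before GKE is allowed to run it)
gcloud container binauthz policy import policy.yaml

# VPC Service Controls: a perimeter needs the access policy it belongs to, a
# title, and the list of services it restricts; without --restricted-services
# it constrains nothing.
gcloud access-context-manager perimeters create my-perimeter \
  --policy=POLICY_ID \
  --title="my-perimeter" \
  --resources=projects/MY_PROJECT \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com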
最佳实践
✅ DO
- 实施最小权限访问
- 启用MFA
- 为应用程序使用服务账户
- 对静态数据(at rest)和传输中的数据(in transit)都进行加密
- 启用全面日志记录
- 实施网络分段
- 使用托管的机密管理服务(如 Secrets Manager、Key Vault、Secret Manager)保存凭据和密钥
- 启用威胁检测
- 定期安全评估
- 及时为系统和依赖安装安全补丁
❌ DON’T
- 在日常操作中使用 root 账户或厂商默认凭据
- 在代码中存储秘密
- 配置权限过宽的安全组(例如向 0.0.0.0/0 开放 SSH/RDP 等管理端口)
- 禁用加密
- 忽略日志和监控
- 共享凭据
- 跳过合规性要求
- 信任未经验证的数据源
合规性标准
- GDPR:数据保护
- HIPAA:医疗保健数据
- PCI-DSS:支付卡数据
- SOC 2:安全控制
- ISO 27001:信息安全
- CIS基准:安全硬化
安全层
- 身份和访问:IAM、MFA、SSO
- 网络:VPCs、安全组、WAF
- 数据:加密、机密管理、DLP
- 应用程序:输入验证、补丁
- 监控:日志记录、警报、威胁检测