Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.
Utilisation AWS Backup d'Audit Manager avec AWS CloudFormation
Nous fournissons les exemples de AWS CloudFormation modèles suivants à titre de référence :
Rubriques
Activation du suivi des ressources
Le modèle suivant active le suivi des ressources, comme décrit dans Activation du suivi des ressources.
AWSTemplateFormatVersion: 2010-09-09 Description: Enable AWS Config Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Recorder Configuration Parameters: - AllSupported - IncludeGlobalResourceTypes - ResourceTypes - Label: default: Delivery Channel Configuration Parameters: - DeliveryChannelName - Frequency - Label: default: Delivery Notifications Parameters: - TopicArn - NotificationEmail ParameterLabels: AllSupported: default: Support all resource types IncludeGlobalResourceTypes: default: Include global resource types ResourceTypes: default: List of resource types if not all supported DeliveryChannelName: default: Configuration delivery channel name Frequency: default: Snapshot delivery frequency TopicArn: default: SNS topic name NotificationEmail: default: Notification Email (optional) Parameters: AllSupported: Type: String Default: True Description: Indicates whether to record all supported resource types. AllowedValues: - True - False IncludeGlobalResourceTypes: Type: String Default: True Description: Indicates whether AWS Config records all supported global resource types. AllowedValues: - True - False ResourceTypes: Type: List<String> Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. Default: <All> DeliveryChannelName: Type: String Default: <Generated> Description: The name of the delivery channel. Frequency: Type: String Default: 24hours Description: The frequency with which AWS Config delivers configuration snapshots. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours TopicArn: Type: String Default: <New Topic> Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. NotificationEmail: Type: String Default: <None> Description: Email address for AWS Config notifications (for new topics). Conditions: IsAllSupported: !Equals - !Ref AllSupported - True IsGeneratedDeliveryChannelName: !Equals - !Ref DeliveryChannelName - <Generated> CreateTopic: !Equals - !Ref TopicArn - <New Topic> CreateSubscription: !And - !Condition CreateTopic - !Not - !Equals - !Ref NotificationEmail - <None> Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ConfigBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ConfigBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSConfigBucketPermissionsCheck Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - Sid: AWSConfigBucketDelivery Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" - Sid: AWSConfigBucketSecureTransport Action: - s3:* Effect: Deny Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*" Principal: "*" Condition: Bool: aws:SecureTransport: false ConfigTopic: Condition: CreateTopic Type: AWS::SNS::Topic Properties: TopicName: !Sub "config-topic-${AWS::AccountId}" DisplayName: AWS Config Notification Topic KmsMasterKeyId: "alias/aws/sns" ConfigTopicPolicy: Condition: CreateTopic Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref ConfigTopic PolicyDocument: Statement: - Sid: AWSConfigSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref ConfigTopic Principal: Service: - config.amazonaws.com EmailNotification: Condition: CreateSubscription Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ConfigTopic ConfigRecorderServiceRole: Type: AWS::IAM::ServiceLinkedRole Properties: AWSServiceName: config.amazonaws.com Description: Service Role for AWS Config ConfigRecorder: Type: AWS::Config::ConfigurationRecorder DependsOn: - ConfigBucketPolicy - ConfigRecorderServiceRole Properties: RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig RecordingGroup: AllSupported: !Ref AllSupported IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes ResourceTypes: !If - IsAllSupported - !Ref AWS::NoValue - !Ref ResourceTypes ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel DependsOn: - ConfigBucketPolicy Properties: Name: !If - IsGeneratedDeliveryChannelName - !Ref AWS::NoValue - !Ref DeliveryChannelName ConfigSnapshotDeliveryProperties: DeliveryFrequency: !FindInMap - Settings - FrequencyMap - !Ref Frequency S3BucketName: !Ref ConfigBucket SnsTopicARN: !If - CreateTopic - !Ref ConfigTopic - !Ref TopicArn
Déploiement des contrôles par défaut
Le modèle suivant crée un framework avec les contrôles par défaut décrits dans Contrôles et corrections d'AWS Backup Audit Manager.
AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ParameterName: requiredFrequencyUnit ParameterValue: 'hours' - ParameterName: requiredFrequencyValue ParameterValue: '24' ControlScope: Tags: - Key: customizedKey Value: customizedValue - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION ControlInputParameters: - ParameterName: crossRegionList ParameterValue: 'eu-west-2' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT ControlInputParameters: - ParameterName: crossAccountList ParameterValue: '111122223333' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET ControlInputParameters: - ParameterName: maxRestoreTime ParameterValue: '720' Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn
Exonération des rôles IAM de l'évaluation des contrôles
Le contrôle BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED vous permet d'exempter jusqu'à cinq rôles IAM qui peuvent toujours supprimer manuellement des points de récupération. Le modèle suivant déploie ce contrôle et exempte également deux rôles IAM.
AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED ControlInputParameters: - ParameterName: "principalArnList" ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole" Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn
Création d'un plan de rapport
Le modèle suivant crée un plan de rapport.
Description: "Basic AWS::Backup::ReportPlan template" Parameters: ReportPlanDescription: Type: String Default: "SomeReportPlanDescription" S3BucketName: Type: String Default: "some-s3-bucket-name" S3KeyPrefix: Type: String Default: "some-s3-key-prefix" ReportTemplate: Type: String Default: "BACKUP_JOB_REPORT" Resources: TestReportPlan: Type: "AWS::Backup::ReportPlan" Properties: ReportPlanDescription: !Ref ReportPlanDescription ReportDeliveryChannel: Formats: - "CSV" S3BucketName: !Ref S3BucketName S3KeyPrefix: !Ref S3KeyPrefix ReportSetting: ReportTemplate: !Ref ReportTemplate Regions: ['us-west-2', 'eu-west-1', 'us-east-1'] Accounts: ['123456789098'] OrganizationUnits: ['ou-abcd-1234wxyz'] ReportPlanTags: - Key: "a" Value: "1" - Key: "b" Value: "2" Outputs: ReportPlanArn: Value: !GetAtt TestReportPlan.ReportPlanArn
