Using AWS Backup Audit Manager with AWS CloudFormation
We provide the following sample AWS CloudFormation templates for your reference:
Topics
Turn on resource tracking
The following template turns on resource tracking as described in Turning on resource tracking.
AWSTemplateFormatVersion: 2010-09-09 Description: Enable AWS Config Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Recorder Configuration Parameters: - AllSupported - IncludeGlobalResourceTypes - ResourceTypes - Label: default: Delivery Channel Configuration Parameters: - DeliveryChannelName - Frequency - Label: default: Delivery Notifications Parameters: - TopicArn - NotificationEmail ParameterLabels: AllSupported: default: Support all resource types IncludeGlobalResourceTypes: default: Include global resource types ResourceTypes: default: List of resource types if not all supported DeliveryChannelName: default: Configuration delivery channel name Frequency: default: Snapshot delivery frequency TopicArn: default: SNS topic name NotificationEmail: default: Notification Email (optional) Parameters: AllSupported: Type: String Default: True Description: Indicates whether to record all supported resource types. AllowedValues: - True - False IncludeGlobalResourceTypes: Type: String Default: True Description: Indicates whether AWS Config records all supported global resource types. AllowedValues: - True - False ResourceTypes: Type: List<String> Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. Default: <All> DeliveryChannelName: Type: String Default: <Generated> Description: The name of the delivery channel. Frequency: Type: String Default: 24hours Description: The frequency with which AWS Config delivers configuration snapshots. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours TopicArn: Type: String Default: <New Topic> Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. NotificationEmail: Type: String Default: <None> Description: Email address for AWS Config notifications (for new topics). Conditions: IsAllSupported: !Equals - !Ref AllSupported - True IsGeneratedDeliveryChannelName: !Equals - !Ref DeliveryChannelName - <Generated> CreateTopic: !Equals - !Ref TopicArn - <New Topic> CreateSubscription: !And - !Condition CreateTopic - !Not - !Equals - !Ref NotificationEmail - <None> Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ConfigBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ConfigBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSConfigBucketPermissionsCheck Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - Sid: AWSConfigBucketDelivery Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" - Sid: AWSConfigBucketSecureTransport Action: - s3:* Effect: Deny Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*" Principal: "*" Condition: Bool: aws:SecureTransport: false ConfigTopic: Condition: CreateTopic Type: AWS::SNS::Topic Properties: TopicName: !Sub "config-topic-${AWS::AccountId}" DisplayName: AWS Config Notification Topic KmsMasterKeyId: "alias/aws/sns" ConfigTopicPolicy: Condition: CreateTopic Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref ConfigTopic PolicyDocument: Statement: - Sid: AWSConfigSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref ConfigTopic Principal: Service: - config.amazonaws.com EmailNotification: Condition: CreateSubscription Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ConfigTopic ConfigRecorderServiceRole: Type: AWS::IAM::ServiceLinkedRole Properties: AWSServiceName: config.amazonaws.com Description: Service Role for AWS Config ConfigRecorder: Type: AWS::Config::ConfigurationRecorder DependsOn: - ConfigBucketPolicy - ConfigRecorderServiceRole Properties: RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig RecordingGroup: AllSupported: !Ref AllSupported IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes ResourceTypes: !If - IsAllSupported - !Ref AWS::NoValue - !Ref ResourceTypes ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel DependsOn: - ConfigBucketPolicy Properties: Name: !If - IsGeneratedDeliveryChannelName - !Ref AWS::NoValue - !Ref DeliveryChannelName ConfigSnapshotDeliveryProperties: DeliveryFrequency: !FindInMap - Settings - FrequencyMap - !Ref Frequency S3BucketName: !Ref ConfigBucket SnsTopicARN: !If - CreateTopic - !Ref ConfigTopic - !Ref TopicArn
Deploy default controls
The following template creates a framework with the default controls described in AWS Backup Audit Manager controls and remediation.
AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ParameterName: requiredFrequencyUnit ParameterValue: 'hours' - ParameterName: requiredFrequencyValue ParameterValue: '24' ControlScope: Tags: - Key: customizedKey Value: customizedValue - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION ControlInputParameters: - ParameterName: crossRegionList ParameterValue: '
eu-west-2
' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT ControlInputParameters: - ParameterName: crossAccountList ParameterValue: '111122223333
' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET ControlInputParameters: - ParameterName: maxRestoreTime ParameterValue: '720' Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn
Exempt IAM roles from control evaluation
The control BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
allows you to
exempt up to five IAM roles that can still manually delete recovery points. The following
template deploys this control and also exempts two IAM roles.
AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED ControlInputParameters: - ParameterName: "principalArnList" ParameterValue: !Sub "arn:aws:iam::
${AWS::AccountId}
:role/AccAdminRole
,arn:aws:iam::${AWS::AccountId}
:role/ConfigRole
" Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn
Create a report plan
The following template creates a report plan.
Description: "Basic AWS::Backup::ReportPlan template" Parameters: ReportPlanDescription: Type: String Default: "SomeReportPlanDescription" S3BucketName: Type: String Default: "some-s3-bucket-name" S3KeyPrefix: Type: String Default: "some-s3-key-prefix" ReportTemplate: Type: String Default: "BACKUP_JOB_REPORT" Resources: TestReportPlan: Type: "AWS::Backup::ReportPlan" Properties: ReportPlanDescription: !Ref ReportPlanDescription ReportDeliveryChannel: Formats: - "CSV" S3BucketName: !Ref S3BucketName S3KeyPrefix: !Ref S3KeyPrefix ReportSetting: ReportTemplate: !Ref ReportTemplate Regions: ['us-west-2', 'eu-west-1', 'us-east-1'] Accounts: ['123456789098'] OrganizationUnits: ['ou-abcd-1234wxyz'] ReportPlanTags: - Key: "a" Value: "1" - Key: "b" Value: "2" Outputs: ReportPlanArn: Value: !GetAtt TestReportPlan.ReportPlanArn