# Using AWS Backup Audit Manager with CloudFormation
We provide the following sample CloudFormation templates for your reference:
**Topics**
+ [Turn on resource tracking](#turning-on-resource-tracking-cfn)
+ [Deploy default controls](#bam-cfn-frameworks-template)
+ [Exempt IAM roles from control evaluation](#bam-cfn-exempt-role-for-manual-delete)
+ [Create a report plan](#bam-cfn-report-plan)
## Turn on resource tracking
The following template turns on resource tracking as described in [Turning on resource tracking](https://docs.aws.amazon.com/aws-backup/latest/devguide/turning-on-resource-tracking.html).
```
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Recorder Configuration
Parameters:
- AllSupported
- IncludeGlobalResourceTypes
- ResourceTypes
- Label:
default: Delivery Channel Configuration
Parameters:
- DeliveryChannelName
- Frequency
- Label:
default: Delivery Notifications
Parameters:
- TopicArn
- NotificationEmail
ParameterLabels:
AllSupported:
default: Support all resource types
IncludeGlobalResourceTypes:
default: Include global resource types
ResourceTypes:
default: List of resource types if not all supported
DeliveryChannelName:
default: Configuration delivery channel name
Frequency:
default: Snapshot delivery frequency
TopicArn:
default: SNS topic name
NotificationEmail:
default: Notification Email (optional)
Parameters:
AllSupported:
Type: String
Default: True
Description: Indicates whether to record all supported resource types.
AllowedValues:
- True
- False
IncludeGlobalResourceTypes:
Type: String
Default: True
Description: Indicates whether AWS Config records all supported global resource types.
AllowedValues:
- True
- False
ResourceTypes:
Type: List
Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
Default:
DeliveryChannelName:
Type: String
Default:
Description: The name of the delivery channel.
Frequency:
Type: String
Default: 24hours
Description: The frequency with which AWS Config delivers configuration snapshots.
AllowedValues:
- 1hour
- 3hours
- 6hours
- 12hours
- 24hours
TopicArn:
Type: String
Default:
Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
NotificationEmail:
Type: String
Default:
Description: Email address for AWS Config notifications (for new topics).
Conditions:
IsAllSupported: !Equals
- !Ref AllSupported
- True
IsGeneratedDeliveryChannelName: !Equals
- !Ref DeliveryChannelName
-
CreateTopic: !Equals
- !Ref TopicArn
-
CreateSubscription: !And
- !Condition CreateTopic
- !Not
- !Equals
- !Ref NotificationEmail
-
Mappings:
Settings:
FrequencyMap:
1hour : One_Hour
3hours : Three_Hours
6hours : Six_Hours
12hours : Twelve_Hours
24hours : TwentyFour_Hours
Resources:
ConfigBucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
ConfigBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ConfigBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- Sid: AWSConfigBucketDelivery
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:PutObject
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
- Sid: AWSConfigBucketSecureTransport
Action:
- s3:*
Effect: Deny
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
Principal: "*"
Condition:
Bool:
aws:SecureTransport:
false
ConfigTopic:
Condition: CreateTopic
Type: AWS::SNS::Topic
Properties:
TopicName: !Sub "config-topic-${AWS::AccountId}"
DisplayName: AWS Config Notification Topic
KmsMasterKeyId: "alias/aws/sns"
ConfigTopicPolicy:
Condition: CreateTopic
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref ConfigTopic
PolicyDocument:
Statement:
- Sid: AWSConfigSNSPolicy
Action:
- sns:Publish
Effect: Allow
Resource: !Ref ConfigTopic
Principal:
Service:
- config.amazonaws.com
EmailNotification:
Condition: CreateSubscription
Type: AWS::SNS::Subscription
Properties:
Endpoint: !Ref NotificationEmail
Protocol: email
TopicArn: !Ref ConfigTopic
ConfigRecorderServiceRole:
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: config.amazonaws.com
Description: Service Role for AWS Config
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
DependsOn:
- ConfigBucketPolicy
- ConfigRecorderServiceRole
Properties:
RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
RecordingGroup:
AllSupported: !Ref AllSupported
IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
ResourceTypes: !If
- IsAllSupported
- !Ref AWS::NoValue
- !Ref ResourceTypes
ConfigDeliveryChannel:
Type: AWS::Config::DeliveryChannel
DependsOn:
- ConfigBucketPolicy
Properties:
Name: !If
- IsGeneratedDeliveryChannelName
- !Ref AWS::NoValue
- !Ref DeliveryChannelName
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: !FindInMap
- Settings
- FrequencyMap
- !Ref Frequency
S3BucketName: !Ref ConfigBucket
SnsTopicARN: !If
- CreateTopic
- !Ref ConfigTopic
- !Ref TopicArn
```
## Deploy default controls
The following template creates a framework with the default controls described in [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
TestFramework:
Type: AWS::Backup::Framework
Properties:
FrameworkControls:
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
ControlInputParameters:
- ParameterName: requiredRetentionDays
ParameterValue: '35'
- ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
- ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
ControlInputParameters:
- ParameterName: requiredRetentionDays
ParameterValue: '35'
- ParameterName: requiredFrequencyUnit
ParameterValue: 'hours'
- ParameterName: requiredFrequencyValue
ParameterValue: '24'
ControlScope:
Tags:
- Key: customizedKey
Value: customizedValue
- ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
ControlInputParameters:
- ParameterName: crossRegionList
ParameterValue: 'eu-west-2'
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
ControlInputParameters:
- ParameterName: crossAccountList
ParameterValue: '111122223333'
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
- ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
- ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
ControlInputParameters:
- ParameterName: maxRestoreTime
ParameterValue: '720'
Outputs:
FrameworkArn:
Value: !GetAtt TestFramework.FrameworkArn
```
## Exempt IAM roles from control evaluation
The control `BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED` allows you to exempt up to five IAM roles that can still manually delete recovery points. The following template deploys this control and also exempts two IAM roles.
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
TestFramework:
Type: AWS::Backup::Framework
Properties:
FrameworkControls:
- ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
ControlInputParameters:
- ParameterName: "principalArnList"
ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"
Outputs:
FrameworkArn:
Value: !GetAtt TestFramework.FrameworkArn
```
## Create a report plan
The following template creates a report plan.
```
Description: "Basic AWS::Backup::ReportPlan template"
Parameters:
ReportPlanDescription:
Type: String
Default: "SomeReportPlanDescription"
S3BucketName:
Type: String
Default: "some-s3-bucket-name"
S3KeyPrefix:
Type: String
Default: "some-s3-key-prefix"
ReportTemplate:
Type: String
Default: "BACKUP_JOB_REPORT"
Resources:
TestReportPlan:
Type: "AWS::Backup::ReportPlan"
Properties:
ReportPlanDescription: !Ref ReportPlanDescription
ReportDeliveryChannel:
Formats:
- "CSV"
S3BucketName: !Ref S3BucketName
S3KeyPrefix: !Ref S3KeyPrefix
ReportSetting:
ReportTemplate: !Ref ReportTemplate
Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
Accounts: ['123456789098']
OrganizationUnits: ['ou-abcd-1234wxyz']
ReportPlanTags:
- Key: "a"
Value: "1"
- Key: "b"
Value: "2"
Outputs:
ReportPlanArn:
Value: !GetAtt TestReportPlan.ReportPlanArn
```