Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.
# Verwenden von AWS Backup Audit Manager mit CloudFormation
Wir stellen Ihnen die folgenden CloudFormation Beispielvorlagen als Referenz zur Verfügung:
**Topics**
+ [Aktivieren der Ressourcennachverfolgung](#turning-on-resource-tracking-cfn)
+ [Bereitstellen von Standardkontrollen](#bam-cfn-frameworks-template)
+ [Ausschließen von IAM-Rollen aus der Kontrollauswertung](#bam-cfn-exempt-role-for-manual-delete)
+ [Erstellen eines Berichtsplans](#bam-cfn-report-plan)
## Aktivieren der Ressourcennachverfolgung
Mit der folgenden Vorlage wird die Ressourcennachverfolgung aktiviert, wie in [Aktivieren der Ressourcennachverfolgung](https://docs.aws.amazon.com/aws-backup/latest/devguide/turning-on-resource-tracking.html) beschrieben.
```
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Recorder Configuration
Parameters:
- AllSupported
- IncludeGlobalResourceTypes
- ResourceTypes
- Label:
default: Delivery Channel Configuration
Parameters:
- DeliveryChannelName
- Frequency
- Label:
default: Delivery Notifications
Parameters:
- TopicArn
- NotificationEmail
ParameterLabels:
AllSupported:
default: Support all resource types
IncludeGlobalResourceTypes:
default: Include global resource types
ResourceTypes:
default: List of resource types if not all supported
DeliveryChannelName:
default: Configuration delivery channel name
Frequency:
default: Snapshot delivery frequency
TopicArn:
default: SNS topic name
NotificationEmail:
default: Notification Email (optional)
Parameters:
AllSupported:
Type: String
Default: True
Description: Indicates whether to record all supported resource types.
AllowedValues:
- True
- False
IncludeGlobalResourceTypes:
Type: String
Default: True
Description: Indicates whether AWS Config records all supported global resource types.
AllowedValues:
- True
- False
ResourceTypes:
Type: List
Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
Default:
DeliveryChannelName:
Type: String
Default:
Description: The name of the delivery channel.
Frequency:
Type: String
Default: 24hours
Description: The frequency with which AWS Config delivers configuration snapshots.
AllowedValues:
- 1hour
- 3hours
- 6hours
- 12hours
- 24hours
TopicArn:
Type: String
Default:
Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
NotificationEmail:
Type: String
Default:
Description: Email address for AWS Config notifications (for new topics).
Conditions:
IsAllSupported: !Equals
- !Ref AllSupported
- True
IsGeneratedDeliveryChannelName: !Equals
- !Ref DeliveryChannelName
-
CreateTopic: !Equals
- !Ref TopicArn
-
CreateSubscription: !And
- !Condition CreateTopic
- !Not
- !Equals
- !Ref NotificationEmail
-
Mappings:
Settings:
FrequencyMap:
1hour : One_Hour
3hours : Three_Hours
6hours : Six_Hours
12hours : Twelve_Hours
24hours : TwentyFour_Hours
Resources:
ConfigBucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
ConfigBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ConfigBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- Sid: AWSConfigBucketDelivery
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:PutObject
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
- Sid: AWSConfigBucketSecureTransport
Action:
- s3:*
Effect: Deny
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
Principal: "*"
Condition:
Bool:
aws:SecureTransport:
false
ConfigTopic:
Condition: CreateTopic
Type: AWS::SNS::Topic
Properties:
TopicName: !Sub "config-topic-${AWS::AccountId}"
DisplayName: AWS Config Notification Topic
KmsMasterKeyId: "alias/aws/sns"
ConfigTopicPolicy:
Condition: CreateTopic
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref ConfigTopic
PolicyDocument:
Statement:
- Sid: AWSConfigSNSPolicy
Action:
- sns:Publish
Effect: Allow
Resource: !Ref ConfigTopic
Principal:
Service:
- config.amazonaws.com
EmailNotification:
Condition: CreateSubscription
Type: AWS::SNS::Subscription
Properties:
Endpoint: !Ref NotificationEmail
Protocol: email
TopicArn: !Ref ConfigTopic
ConfigRecorderServiceRole:
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: config.amazonaws.com
Description: Service Role for AWS Config
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
DependsOn:
- ConfigBucketPolicy
- ConfigRecorderServiceRole
Properties:
RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
RecordingGroup:
AllSupported: !Ref AllSupported
IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
ResourceTypes: !If
- IsAllSupported
- !Ref AWS::NoValue
- !Ref ResourceTypes
ConfigDeliveryChannel:
Type: AWS::Config::DeliveryChannel
DependsOn:
- ConfigBucketPolicy
Properties:
Name: !If
- IsGeneratedDeliveryChannelName
- !Ref AWS::NoValue
- !Ref DeliveryChannelName
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: !FindInMap
- Settings
- FrequencyMap
- !Ref Frequency
S3BucketName: !Ref ConfigBucket
SnsTopicARN: !If
- CreateTopic
- !Ref ConfigTopic
- !Ref TopicArn
```
## Bereitstellen von Standardkontrollen
Die folgende Vorlage erstellt ein Framework mit den in [AWS Backup Audit Manager – Kontrollen und Abhilfe](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html) beschriebenen Standardkontrollen.
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
TestFramework:
Type: AWS::Backup::Framework
Properties:
FrameworkControls:
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
ControlInputParameters:
- ParameterName: requiredRetentionDays
ParameterValue: '35'
- ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
- ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
ControlInputParameters:
- ParameterName: requiredRetentionDays
ParameterValue: '35'
- ParameterName: requiredFrequencyUnit
ParameterValue: 'hours'
- ParameterName: requiredFrequencyValue
ParameterValue: '24'
ControlScope:
Tags:
- Key: customizedKey
Value: customizedValue
- ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
ControlInputParameters:
- ParameterName: crossRegionList
ParameterValue: 'eu-west-2'
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
ControlInputParameters:
- ParameterName: crossAccountList
ParameterValue: '111122223333'
- ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
- ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
- ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
ControlInputParameters:
- ParameterName: maxRestoreTime
ParameterValue: '720'
Outputs:
FrameworkArn:
Value: !GetAtt TestFramework.FrameworkArn
```
## Ausschließen von IAM-Rollen aus der Kontrollauswertung
Mit der Kontrolle `BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED` können bis zu fünf IAM-Rollen ausgenommen werden, die Wiederherstellungspunkte dennoch manuell löschen können. Die folgende Vorlage stellt diese Kontrolle bereit und schließt außerdem zwei IAM-Rollen aus.
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
TestFramework:
Type: AWS::Backup::Framework
Properties:
FrameworkControls:
- ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
ControlInputParameters:
- ParameterName: "principalArnList"
ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"
Outputs:
FrameworkArn:
Value: !GetAtt TestFramework.FrameworkArn
```
## Erstellen eines Berichtsplans
Die folgende Vorlage erstellt einen Berichtsplan.
```
Description: "Basic AWS::Backup::ReportPlan template"
Parameters:
ReportPlanDescription:
Type: String
Default: "SomeReportPlanDescription"
S3BucketName:
Type: String
Default: "some-s3-bucket-name"
S3KeyPrefix:
Type: String
Default: "some-s3-key-prefix"
ReportTemplate:
Type: String
Default: "BACKUP_JOB_REPORT"
Resources:
TestReportPlan:
Type: "AWS::Backup::ReportPlan"
Properties:
ReportPlanDescription: !Ref ReportPlanDescription
ReportDeliveryChannel:
Formats:
- "CSV"
S3BucketName: !Ref S3BucketName
S3KeyPrefix: !Ref S3KeyPrefix
ReportSetting:
ReportTemplate: !Ref ReportTemplate
Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
Accounts: ['123456789098']
OrganizationUnits: ['ou-abcd-1234wxyz']
ReportPlanTags:
- Key: "a"
Value: "1"
- Key: "b"
Value: "2"
Outputs:
ReportPlanArn:
Value: !GetAtt TestReportPlan.ReportPlanArn
```