


# Using AWS Backup Audit Manager with CloudFormation
<a name="bam-cfn-integration"></a>

We provide the following sample CloudFormation templates for your reference:

**Topics**
+ [Turning on resource tracking](#turning-on-resource-tracking-cfn)
+ [Deploying the default controls](#bam-cfn-frameworks-template)
+ [Exempting IAM roles from control evaluation](#bam-cfn-exempt-role-for-manual-delete)
+ [Creating a report plan](#bam-cfn-report-plan)

## Turning on resource tracking
<a name="turning-on-resource-tracking-cfn"></a>

The following template turns on resource tracking, as described in [Turning on resource tracking](https://docs.aws.amazon.com/aws-backup/latest/devguide/turning-on-resource-tracking.html).

```
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes:
        default: List of resource types if not all supported
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)

Parameters:
  AllSupported:
    Type: String
    Default: True
    Description: Indicates whether to record all supported resource types.
    AllowedValues:
      - True
      - False

  IncludeGlobalResourceTypes:
    Type: String
    Default: True
    Description: Indicates whether AWS Config records all supported global resource types.
    AllowedValues:
      - True
      - False

  ResourceTypes:
    Type: List<String>
    Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
    Default: <All>

  DeliveryChannelName:
    Type: String
    Default: <Generated>
    Description: The name of the delivery channel.

  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours

  TopicArn:
    Type: String
    Default: <New Topic>
    Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.

  NotificationEmail:
    Type: String
    Default: <None>
    Description: Email address for AWS Config notifications (for new topics).

Conditions:
  IsAllSupported: !Equals
    - !Ref AllSupported
    - True
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - <Generated>
  CreateTopic: !Equals
    - !Ref TopicArn
    - <New Topic>
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - <None>

Mappings:
  Settings:
    FrequencyMap:
      1hour   : One_Hour
      3hours  : Three_Hours
      6hours  : Six_Hours
      12hours : Twelve_Hours
      24hours : TwentyFour_Hours

Resources:

  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
          - Sid: AWSConfigBucketSecureTransport
            Action:
              - s3:*
            Effect: Deny
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
            Principal: "*"
            Condition:
              Bool:
                aws:SecureTransport:
                  false

  ConfigTopic:
    Condition: CreateTopic
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "config-topic-${AWS::AccountId}"
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: "alias/aws/sns"

  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com

  EmailNotification:
    Condition: CreateSubscription
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic
  ConfigRecorderServiceRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com
      Description: Service Role for AWS Config

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn:
      - ConfigBucketPolicy
      - ConfigRecorderServiceRole
    Properties:
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !FindInMap
          - Settings
          - FrequencyMap
          - !Ref Frequency
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !If
        - CreateTopic
        - !Ref ConfigTopic
        - !Ref TopicArn
```
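The bucket policy in the template above deserves the closest review: AWS Config writes the configuration history that Audit Manager evaluates into that bucket, so the policy must let only the Config service principal write, confine writes to the `AWSLogs/<account>/` prefix, and reject plaintext HTTP. The following Python check is an added example, not code from the AWS documentation or from AWS Config. It takes the template's bucket policy with the `!Sub` references resolved for a constructed account id and bucket name, verifies those three properties, and then runs the same check against a deliberately weakened copy so the failure output can be seen.

```python
"""Offline sanity check of the AWS Config delivery-bucket policy (added example)."""
import json

ACCOUNT_ID = "111122223333"       # constructed sample value
BUCKET = "config-bucket-example"  # constructed sample value
CONFIG_PRINCIPAL = "config.amazonaws.com"

# The template's ConfigBucketPolicy with !Sub resolved for the sample values above.
RENDERED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": [CONFIG_PRINCIPAL]},
         "Action": "s3:GetBucketAcl",
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": [CONFIG_PRINCIPAL]},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*"]},
        {"Sid": "AWSConfigBucketSecureTransport", "Effect": "Deny",
         "Principal": "*", "Action": ["s3:*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_config_bucket_policy(policy, bucket, account_id):
    """Return a list of findings; an empty list means the policy is as the template intends."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    delivery_prefix = f"{bucket_arn}/AWSLogs/{account_id}/*"
    saw_tls_deny = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow":
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if principal == "*" or services != [CONFIG_PRINCIPAL]:
                findings.append(f"{sid}: Allow must be granted only to {CONFIG_PRINCIPAL}")
            for action in actions:
                if action not in ("s3:GetBucketAcl", "s3:PutObject"):
                    findings.append(f"{sid}: unexpected allowed action {action}")
            if "s3:PutObject" in actions and resources != [delivery_prefix]:
                findings.append(f"{sid}: PutObject must be confined to {delivery_prefix}")
        elif stmt.get("Effect") == "Deny":
            cond = stmt.get("Condition", {}).get("Bool", {})
            tls_false = str(cond.get("aws:SecureTransport", "")).lower() == "false"
            covers_all = set(resources) == {bucket_arn, f"{bucket_arn}/*"}
            if principal == "*" and "s3:*" in actions and tls_false and covers_all:
                saw_tls_deny = True
    if not saw_tls_deny:
        findings.append("missing Deny of all s3:* access when aws:SecureTransport is false")
    return findings


def weakened_policy():
    """Constructed variant: TLS deny dropped and PutObject widened to the whole bucket."""
    weak = json.loads(json.dumps(RENDERED_POLICY))  # deep copy
    weak["Statement"] = [s for s in weak["Statement"] if s["Sid"] != "AWSConfigBucketSecureTransport"]
    weak["Statement"][1]["Resource"] = [f"arn:aws:s3:::{BUCKET}/*"]
    return weak


if __name__ == "__main__":
    print("template policy:", check_config_bucket_policy(RENDERED_POLICY, BUCKET, ACCOUNT_ID) or "OK")
    for finding in check_config_bucket_policy(weakened_policy(), BUCKET, ACCOUNT_ID):
        print("weakened policy:", finding)
```

The check deliberately compares the PutObject resource against the exact `AWSLogs/<account>/*` prefix rather than a wildcard, because widening it is the usual drift when a bucket is later shared with other log producers. Run it against the policy document as returned by `aws s3api get-bucket-policy` to confirm that a deployed stack still matches the template.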

## Deploying the default controls
<a name="bam-cfn-frameworks-template"></a>

The following template creates a framework with the default controls described in [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).

```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
            - ParameterName: requiredFrequencyUnit
              ParameterValue: 'hours'
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
          ControlScope:
            Tags:
              - Key: customizedKey
                Value: customizedValue
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
          ControlInputParameters:
            - ParameterName: crossRegionList
              ParameterValue: 'eu-west-2'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
          ControlInputParameters:
            - ParameterName: crossAccountList
              ParameterValue: '111122223333'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
        - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
        - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
          ControlInputParameters:
            - ParameterName: maxRestoreTime
              ParameterValue: '720'

Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```

## Exempting IAM roles from control evaluation
<a name="bam-cfn-exempt-role-for-manual-delete"></a>

The `BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED` control lets you exempt up to five IAM roles that can still manually delete recovery points. The following template deploys this control and also exempts two IAM roles.

```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
          ControlInputParameters:
            - ParameterName: "principalArnList"
              ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"

Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```
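Both the default-controls template and the exemption template above pass control inputs as strings, and the exemption list in particular is a single comma-separated `principalArnList` value with a limit of five roles. A template generator can validate those inputs before `CreateStack` is ever called, which is cheaper than discovering a rejected parameter during stack creation. The following Python lint is an added example, not code from the AWS documentation or from AWS Backup. The control names and parameter names are the ones used in the templates above and the five-role limit is the one stated in this section; the regular expressions for role ARNs and region names, and the acceptance of `days` alongside `hours` as a frequency unit, are this example's own assumptions.

```python
"""Pre-deployment lint for AWS::Backup::Framework control inputs (added example)."""
import re

ACCOUNT_ID = "111122223333"  # constructed sample account id, as used on the page

KNOWN_CONTROLS = {  # control names from the templates above
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
    "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
    "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
    "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
    "BACKUP_RECOVERY_POINT_ENCRYPTED",
    "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
    "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",
    "BACKUP_LAST_RECOVERY_POINT_CREATED",
    "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",
}
MAX_EXEMPT_ROLES = 5  # limit for principalArnList stated on the page
# Assumed shapes (this example's regexes, not from the page). Commas are excluded from
# role names because the list itself is comma-separated.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=.@/-]+$")
REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
NUMERIC_PARAMS = {"requiredRetentionDays", "requiredFrequencyValue", "maxRestoreTime"}


def control(name, **params):
    """Build one FrameworkControls entry; values are strings, as in the template."""
    entry = {"ControlName": name}
    if params:
        entry["ControlInputParameters"] = [
            {"ParameterName": k, "ParameterValue": str(v)} for k, v in params.items()]
    return entry


def exempt_roles_control(role_arns):
    """The manual-deletion control with its comma-separated principalArnList."""
    return control("BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
                   principalArnList=",".join(role_arns))


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_framework_controls(controls):
    """Return findings; an empty list means every control input passed the checks."""
    findings = []
    for c in controls:
        name = c.get("ControlName", "<missing>")
        if name not in KNOWN_CONTROLS:
            findings.append(f"{name}: not one of the default controls")
            continue
        params = {p["ParameterName"]: p["ParameterValue"] for p in c.get("ControlInputParameters", [])}
        for key in sorted(NUMERIC_PARAMS & params.keys()):
            if not (params[key].isdigit() and int(params[key]) > 0):
                findings.append(f"{name}: {key} must be a positive integer, got {params[key]!r}")
        if params.get("requiredFrequencyUnit", "hours") not in ("hours", "days"):  # 'days' assumed
            findings.append(f"{name}: requiredFrequencyUnit must be hours or days")
        if "principalArnList" in params:
            arns = _csv(params["principalArnList"])
            if len(arns) > MAX_EXEMPT_ROLES:
                findings.append(f"{name}: {len(arns)} exempt roles, limit is {MAX_EXEMPT_ROLES}")
            findings += [f"{name}: {a!r} is not an IAM role ARN" for a in arns if not ROLE_ARN.match(a)]
        if "crossAccountList" in params:
            findings += [f"{name}: crossAccountList entry {a!r} is not a 12-digit account id"
                         for a in _csv(params["crossAccountList"]) if not re.fullmatch(r"\d{12}", a)]
        if "crossRegionList" in params:
            findings += [f"{name}: crossRegionList entry {r!r} is not a region name"
                         for r in _csv(params["crossRegionList"]) if not REGION.match(r)]
    return findings


# The controls from the templates above, as the structures a generator would emit.
DEFAULT_CONTROLS = [
    control("BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"),
    control("BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK", requiredRetentionDays=35),
    control("BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK", requiredRetentionDays=35,
            requiredFrequencyUnit="hours", requiredFrequencyValue=24),
    control("BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION", crossRegionList="eu-west-2"),
    control("BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT", crossAccountList=ACCOUNT_ID),
    control("RESTORE_TIME_FOR_RESOURCES_MEET_TARGET", maxRestoreTime=720),
    exempt_roles_control([f"arn:aws:iam::{ACCOUNT_ID}:role/AccAdminRole",
                          f"arn:aws:iam::{ACCOUNT_ID}:role/ConfigRole"]),
]

# Constructed bad input: six exempt principals (one a user, not a role), a short account id,
# and a zero restore-time target.
BAD_CONTROLS = [
    exempt_roles_control([f"arn:aws:iam::{ACCOUNT_ID}:role/Role{i}" for i in range(5)]
                         + [f"arn:aws:iam::{ACCOUNT_ID}:user/alice"]),
    control("BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT", crossAccountList="12345"),
    control("RESTORE_TIME_FOR_RESOURCES_MEET_TARGET", maxRestoreTime=0),
]

if __name__ == "__main__":
    print("defaults:", lint_framework_controls(DEFAULT_CONTROLS) or "OK")
    for finding in lint_framework_controls(BAD_CONTROLS):
        print("finding:", finding)
```

The lint is intentionally strict about the exemption list: every entry must be a role ARN, because a user or a wildcard in `principalArnList` would widen who is allowed to delete recovery points outside the control's visibility. Feed it the same dictionaries you serialise into the template so the check and the deployed framework cannot drift apart.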

## Creating a report plan
<a name="bam-cfn-report-plan"></a>

The following template creates a report plan.

```
Description: "Basic AWS::Backup::ReportPlan template"

Parameters:
  ReportPlanDescription:
    Type: String
    Default: "SomeReportPlanDescription"
  S3BucketName:
    Type: String
    Default: "some-s3-bucket-name"
  S3KeyPrefix:
    Type: String
    Default: "some-s3-key-prefix"
  ReportTemplate:
    Type: String
    Default: "BACKUP_JOB_REPORT"

Resources:
  TestReportPlan:
    Type: "AWS::Backup::ReportPlan"
    Properties:
      ReportPlanDescription: !Ref ReportPlanDescription
      ReportDeliveryChannel:
        Formats:
          - "CSV"
        S3BucketName: !Ref S3BucketName
        S3KeyPrefix: !Ref S3KeyPrefix
      ReportSetting:
        ReportTemplate: !Ref ReportTemplate
        Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
        Accounts: ['123456789098']
        OrganizationUnits: ['ou-abcd-1234wxyz']
      ReportPlanTags:
        - Key: "a"
          Value: "1"
        - Key: "b"
          Value: "2"

Outputs:
  ReportPlanArn:
    Value: !GetAtt TestReportPlan.ReportPlanArn
```