
Using AWS Backup Audit Manager with AWS CloudFormation


Translations are generated by machine translation. In case of a conflict between the content of a translation and the original English version, the English version prevails.


We provide the following sample AWS CloudFormation templates for reference:

Enabling resource tracking

The following template enables resource tracking as described in Enabling resource tracking.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes:
        default: List of resource types if not all supported
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)

Parameters:
  AllSupported:
    Type: String
    Default: True
    Description: Indicates whether to record all supported resource types.
    AllowedValues:
      - True
      - False
  IncludeGlobalResourceTypes:
    Type: String
    Default: True
    Description: Indicates whether AWS Config records all supported global resource types.
    AllowedValues:
      - True
      - False
  ResourceTypes:
    Type: List<String>
    Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
    Default: <All>
  DeliveryChannelName:
    Type: String
    Default: <Generated>
    Description: The name of the delivery channel.
  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
  TopicArn:
    Type: String
    Default: <New Topic>
    Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
  NotificationEmail:
    Type: String
    Default: <None>
    Description: Email address for AWS Config notifications (for new topics).

Conditions:
  IsAllSupported: !Equals
    - !Ref AllSupported
    - True
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - <Generated>
  CreateTopic: !Equals
    - !Ref TopicArn
    - <New Topic>
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - <None>

Mappings:
  Settings:
    FrequencyMap:
      1hour   : One_Hour
      3hours  : Three_Hours
      6hours  : Six_Hours
      12hours : Twelve_Hours
      24hours : TwentyFour_Hours

Resources:
  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
          - Sid: AWSConfigBucketSecureTransport
            Action:
              - s3:*
            Effect: Deny
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
            Principal: "*"
            Condition:
              Bool:
                aws:SecureTransport: false

  ConfigTopic:
    Condition: CreateTopic
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "config-topic-${AWS::AccountId}"
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: "alias/aws/sns"

  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com

  EmailNotification:
    Condition: CreateSubscription
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic

  ConfigRecorderServiceRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com
      Description: Service Role for AWS Config

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn:
      - ConfigBucketPolicy
      - ConfigRecorderServiceRole
    Properties:
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !FindInMap
          - Settings
          - FrequencyMap
          - !Ref Frequency
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !If
        - CreateTopic
        - !Ref ConfigTopic
        - !Ref TopicArn
```

Deploying the default controls

The following template creates a framework with the default controls described in AWS Backup Audit Manager controls and remediation.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
            - ParameterName: requiredFrequencyUnit
              ParameterValue: 'hours'
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
          ControlScope:
            Tags:
              - Key: customizedKey
                Value: customizedValue
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
          ControlInputParameters:
            - ParameterName: crossRegionList
              ParameterValue: 'eu-west-2'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
          ControlInputParameters:
            - ParameterName: crossAccountList
              ParameterValue: '111122223333'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
        - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
        - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
          ControlInputParameters:
            - ParameterName: maxRestoreTime
              ParameterValue: '720'
Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```

Exempting IAM roles from control evaluation

The BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED control lets you exempt up to five IAM roles that may still delete recovery points manually. The following template deploys this control and exempts two IAM roles.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
          ControlInputParameters:
            - ParameterName: "principalArnList"
              ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"
Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```
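A mistake in ControlInputParameters is only reported when the stack is deployed, so it is worth linting framework templates before they reach CloudFormation. The following Python script is an added example, not code from the AWS documentation or from AWS Backup; it serves both the default-controls template and the exemption template above. It enforces the five-role limit on principalArnList that this page states, and adds format checks (IAM role ARN shape, 12-digit account IDs, region codes, positive integer day/hour values) that are general AWS knowledge rather than anything stated on this page. It works on the template as a Python dict after intrinsic functions such as !Sub have been resolved (the form a YAML loader or cfn-lint would hand you); both sample templates are constructed for this example, and the account ID 111122223333 is the sample value used on the page.

```python
"""Pre-deployment lint for AWS::Backup::Framework control parameters (added example)."""
import re

# Limit stated on the page: the manual-deletion control can exempt up to five IAM roles.
MAX_EXEMPT_ROLES = 5

# Format checks from general AWS knowledge; these are assumptions of this example, not page content.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

# Parameters the templates pass as strings ('35', '24', '720') that must be positive integers.
POSITIVE_INT_PARAMS = ("requiredRetentionDays", "requiredFrequencyValue", "maxRestoreTime")


def _csv(value):
    """List-valued ParameterValues are comma-separated strings; return their items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_control(control):
    """Return a list of findings for one FrameworkControls entry (empty when it looks sound)."""
    findings = []
    name = control.get("ControlName", "<missing ControlName>")
    params = {p["ParameterName"]: str(p["ParameterValue"])
              for p in control.get("ControlInputParameters", [])}

    if name == "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED" and "principalArnList" in params:
        arns = _csv(params["principalArnList"])
        if len(arns) > MAX_EXEMPT_ROLES:
            findings.append(f"{name}: {len(arns)} exempted principals, limit is {MAX_EXEMPT_ROLES}")
        findings += [f"{name}: '{a}' is not an IAM role ARN" for a in arns if not ROLE_ARN_RE.match(a)]

    if "crossAccountList" in params:
        findings += [f"{name}: '{a}' is not a 12-digit account ID"
                     for a in _csv(params["crossAccountList"]) if not ACCOUNT_ID_RE.match(a)]

    if "crossRegionList" in params:
        findings += [f"{name}: '{r}' is not a region code"
                     for r in _csv(params["crossRegionList"]) if not REGION_RE.match(r)]

    for key in POSITIVE_INT_PARAMS:
        if key in params and not (params[key].isdigit() and int(params[key]) > 0):
            findings.append(f"{name}: {key}='{params[key]}' must be a positive integer")

    return findings


def lint_framework(template):
    """Lint every AWS::Backup::Framework resource in a (intrinsic-resolved) template dict."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Backup::Framework":
            continue
        for control in resource.get("Properties", {}).get("FrameworkControls", []):
            findings += [f"{logical_id}/{f}" for f in lint_control(control)]
    return findings


ACCOUNT_ID = "111122223333"  # sample account ID used on the page

# Constructed sample: the page's exemption template with ${AWS::AccountId} resolved, plus one cross-region control.
SOUND_TEMPLATE = {"Resources": {"TestFramework": {
    "Type": "AWS::Backup::Framework",
    "Properties": {"FrameworkControls": [
        {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
         "ControlInputParameters": [{"ParameterName": "principalArnList",
                                     "ParameterValue": f"arn:aws:iam::{ACCOUNT_ID}:role/AccAdminRole,"
                                                       f"arn:aws:iam::{ACCOUNT_ID}:role/ConfigRole"}]},
        {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
         "ControlInputParameters": [{"ParameterName": "crossRegionList", "ParameterValue": "eu-west-2"}]},
    ]}}}}

# Constructed sample that breaks the rules: six principals (one an IAM user), a short account ID, zero retention.
FLAWED_TEMPLATE = {"Resources": {"TestFramework": {
    "Type": "AWS::Backup::Framework",
    "Properties": {"FrameworkControls": [
        {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
         "ControlInputParameters": [{"ParameterName": "principalArnList",
                                     "ParameterValue": ",".join(
                                         [f"arn:aws:iam::{ACCOUNT_ID}:role/Role{i}" for i in range(5)]
                                         + [f"arn:aws:iam::{ACCOUNT_ID}:user/alice"])}]},
        {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",
         "ControlInputParameters": [{"ParameterName": "crossAccountList", "ParameterValue": f"{ACCOUNT_ID},12345"}]},
        {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
         "ControlInputParameters": [{"ParameterName": "requiredRetentionDays", "ParameterValue": "0"}]},
    ]}}}}

if __name__ == "__main__":
    for finding in lint_framework(FLAWED_TEMPLATE):
        print(finding)
```

Run against the flawed sample the linter reports four findings (the principal count, the user ARN, the short account ID and the zero retention) and none against the sound one. Because the checks are on a plain dict, the same functions can be wired into a CI step that loads the real template with a YAML loader that understands CloudFormation tags.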

Creating a report plan

The following template creates a report plan.

```yaml
Description: "Basic AWS::Backup::ReportPlan template"
Parameters:
  ReportPlanDescription:
    Type: String
    Default: "SomeReportPlanDescription"
  S3BucketName:
    Type: String
    Default: "some-s3-bucket-name"
  S3KeyPrefix:
    Type: String
    Default: "some-s3-key-prefix"
  ReportTemplate:
    Type: String
    Default: "BACKUP_JOB_REPORT"
Resources:
  TestReportPlan:
    Type: "AWS::Backup::ReportPlan"
    Properties:
      ReportPlanDescription: !Ref ReportPlanDescription
      ReportDeliveryChannel:
        Formats:
          - "CSV"
        S3BucketName: !Ref S3BucketName
        S3KeyPrefix: !Ref S3KeyPrefix
      ReportSetting:
        ReportTemplate: !Ref ReportTemplate
        Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
        Accounts: ['123456789098']
        OrganizationUnits: ['ou-abcd-1234wxyz']
      ReportPlanTags:
        - Key: "a"
          Value: "1"
        - Key: "b"
          Value: "2"
Outputs:
  ReportPlanArn:
    Value: !GetAtt TestReportPlan.ReportPlanArn
```
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.