This page is a machine translation. Where the translation and the original English conflict, the English version takes precedence.
The following sample AWS CloudFormation templates are provided for reference.
Turning on resource tracking
The following template turns on resource tracking as described in Turning on resource tracking. It creates an S3 bucket with default server-side encryption and a bucket policy that grants AWS Config only the access it needs (GetBucketAcl on the bucket, PutObject under AWSLogs/<account-id>/) and denies all non-TLS access; optionally, a KMS-encrypted SNS topic with an email subscription; the AWS Config service-linked role; the configuration recorder; and the delivery channel.
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes:
        default: List of resource types if not all supported
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)
Parameters:
  AllSupported:
    Type: String
    Default: True
    Description: Indicates whether to record all supported resource types.
    AllowedValues:
      - True
      - False
  IncludeGlobalResourceTypes:
    Type: String
    Default: True
    Description: Indicates whether AWS Config records all supported global resource types.
    AllowedValues:
      - True
      - False
  ResourceTypes:
    Type: List<String>
    Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
    Default: <All>
  DeliveryChannelName:
    Type: String
    Default: <Generated>
    Description: The name of the delivery channel.
  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
  TopicArn:
    Type: String
    Default: <New Topic>
    Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
  NotificationEmail:
    Type: String
    Default: <None>
    Description: Email address for AWS Config notifications (for new topics).
Conditions:
  IsAllSupported: !Equals
    - !Ref AllSupported
    - True
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - <Generated>
  CreateTopic: !Equals
    - !Ref TopicArn
    - <New Topic>
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - <None>
Mappings:
  Settings:
    FrequencyMap:
      1hour   : One_Hour
      3hours  : Three_Hours
      6hours  : Six_Hours
      12hours : Twelve_Hours
      24hours : TwentyFour_Hours
Resources:
  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
          - Sid: AWSConfigBucketSecureTransport
            Action:
              - s3:*
            Effect: Deny
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
            Principal: "*"
            Condition:
              Bool:
                aws:SecureTransport: false
  ConfigTopic:
    Condition: CreateTopic
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "config-topic-${AWS::AccountId}"
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: "alias/aws/sns"
  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com
  EmailNotification:
    Condition: CreateSubscription
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic
  ConfigRecorderServiceRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com
      Description: Service Role for AWS Config
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn:
      - ConfigBucketPolicy
      - ConfigRecorderServiceRole
    Properties:
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !FindInMap
          - Settings
          - FrequencyMap
          - !Ref Frequency
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !If
        - CreateTopic
        - !Ref ConfigTopic
        - !Ref TopicArn
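The ConfigBucketPolicy above is what keeps the delivery bucket from becoming a general-purpose write target: config.amazonaws.com is allowed only s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/, and any principal using plain HTTP is denied. When this template is copied and adapted, those scopes are the lines that tend to get loosened. The following Python is an added example, not code from this documentation, that lints a rendered copy of such a policy for exactly those properties. The bucket name and account ID are constructed sample values, and !Sub is assumed to be already resolved (the policy is the JSON CloudFormation hands to S3).

```python
"""Lint an AWS Config delivery-bucket policy for the properties the template relies on.

Added example; not part of the AWS documentation. Bucket name and account ID
are constructed sample values and !Sub is assumed to be already resolved.
"""
import copy

ACCOUNT_ID = "111122223333"                          # constructed sample account
BUCKET_ARN = "arn:aws:s3:::config-bucket-example"    # constructed sample bucket

# The ConfigBucketPolicy statements from the template, with !Sub resolved.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:GetBucketAcl", "Resource": [BUCKET_ARN]},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:PutObject",
         "Resource": [f"{BUCKET_ARN}/AWSLogs/{ACCOUNT_ID}/*"]},
        {"Sid": "AWSConfigBucketSecureTransport", "Effect": "Deny",
         "Principal": "*", "Action": ["s3:*"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _service_principals(stmt):
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("Service", [])))
    return set()


def lint_config_bucket_policy(policy, bucket_arn, account_id):
    """Return findings; an empty list means the policy is as tight as the template's.

    Checks: config.amazonaws.com is allowed only s3:GetBucketAcl on the bucket
    and s3:PutObject under AWSLogs/<account>/, and a Deny of s3:* for
    aws:SecureTransport=false covers both the bucket and its objects.
    """
    findings = []
    expected_grants = {
        "s3:GetBucketAcl": {bucket_arn},
        "s3:PutObject": {f"{bucket_arn}/AWSLogs/{account_id}/*"},
    }
    tls_denied = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        if stmt.get("Effect") == "Allow" and "config.amazonaws.com" in _service_principals(stmt):
            for action in actions:
                expected = expected_grants.get(action)
                if expected is None:
                    findings.append(f"{sid}: config.amazonaws.com granted unexpected action {action}")
                elif resources != expected:
                    findings.append(f"{sid}: {action} scoped to {sorted(resources)}, expected {sorted(expected)}")
        if stmt.get("Effect") == "Deny" and stmt.get("Principal") == "*":
            flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
            if str(flag).lower() == "false" and "s3:*" in actions \
                    and resources >= {bucket_arn, f"{bucket_arn}/*"}:
                tls_denied = True
    if not tls_denied:
        findings.append("no Deny of s3:* for aws:SecureTransport=false covering bucket and objects")
    return findings


def weakened_policy():
    """Constructed bad variant: PutObject on the whole bucket and the TLS-only Deny removed."""
    bad = copy.deepcopy(GOOD_POLICY)
    bad["Statement"][1]["Resource"] = [f"{BUCKET_ARN}/*"]
    del bad["Statement"][2]
    return bad


if __name__ == "__main__":
    print("template policy:", lint_config_bucket_policy(GOOD_POLICY, BUCKET_ARN, ACCOUNT_ID) or "OK")
    for finding in lint_config_bucket_policy(weakened_policy(), BUCKET_ARN, ACCOUNT_ID):
        print("weakened policy:", finding)
```

The check compares resource scopes exactly rather than by pattern, so a PutObject grant on the whole bucket, or a TLS Deny that omits the object ARN, is reported as a finding rather than accepted as "close enough".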
Deploying default controls
The following template creates a framework containing the default controls described in AWS Backup Audit Manager controls and remediation.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
            - ParameterName: requiredFrequencyUnit
              ParameterValue: 'hours'
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
          ControlScope:
            Tags:
              - Key: customizedKey
                Value: customizedValue
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
          ControlInputParameters:
            - ParameterName: crossRegionList
              ParameterValue: 'eu-west-2'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
          ControlInputParameters:
            - ParameterName: crossAccountList
              ParameterValue: '111122223333'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
        - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
        - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
          ControlInputParameters:
            - ParameterName: maxRestoreTime
              ParameterValue: '720'
Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
Excluding IAM roles from control evaluation
The BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED control lets you exclude up to five IAM roles that are still allowed to manually delete recovery points. The following template deploys this control and excludes two IAM roles. The principalArnList value is a single comma-separated string of role ARNs.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
          ControlInputParameters:
            - ParameterName: "principalArnList"
              ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"
Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
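Control input parameters are plain strings, and the template itself does not constrain them: a mistyped parameter name, a non-numeric retention value, a stray newline inside crossRegionList, or a sixth role ARN in principalArnList all pass template validation and only fail when the stack is created or the control is evaluated. The following Python is an added example, not code from this documentation, that checks a FrameworkControls list (as the templates in Deploying default controls and in this section would deserialize, with !Sub resolved) before deployment. The parameter names per control are the ones used by the templates on this page and the five-role limit is the documented one; the 12-digit account ID, region code and IAM role ARN formats are general AWS conventions assumed here, and the account ID is a constructed sample.

```python
"""Pre-deployment checks for AWS::Backup::Framework control input parameters.

Added example; not part of the AWS documentation. Parameter names per control
come from the templates on the page; the five-role limit is the documented one;
account-ID, region and role-ARN formats are general AWS conventions assumed here.
"""
import re

ACCOUNT_ID = "111122223333"  # constructed sample account

# Parameter names each control takes, as used by the templates above.
CONTROL_PARAMS = {
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN": set(),
    "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK": {"requiredRetentionDays"},
    "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED": {"principalArnList"},
    "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK": {
        "requiredRetentionDays", "requiredFrequencyUnit", "requiredFrequencyValue"},
    "BACKUP_RECOVERY_POINT_ENCRYPTED": set(),
    "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION": {"crossRegionList"},
    "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT": {"crossAccountList"},
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK": set(),
    "BACKUP_LAST_RECOVERY_POINT_CREATED": set(),
    "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET": {"maxRestoreTime"},
}
MAX_EXCLUDED_ROLES = 5  # documented limit for principalArnList
INTEGER_PARAMS = ("requiredRetentionDays", "requiredFrequencyValue", "maxRestoreTime")
ROLE_ARN = r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=.@/-]+"


def _csv(value):
    # List-valued parameters are one comma-separated string. No trimming is done:
    # whatever is in the string is what the service receives.
    return value.split(",")


def validate_controls(controls):
    """Return findings for a FrameworkControls list; an empty list means nothing obviously wrong."""
    findings = []
    for ctl in controls:
        name = ctl.get("ControlName")
        if name not in CONTROL_PARAMS:
            findings.append(f"unknown control {name}")
            continue
        params = {p["ParameterName"]: p["ParameterValue"]
                  for p in ctl.get("ControlInputParameters", [])}
        for unknown in sorted(set(params) - CONTROL_PARAMS[name]):
            findings.append(f"{name}: unexpected parameter {unknown}")
        for key in INTEGER_PARAMS:
            if key in params and not params[key].isdigit():
                findings.append(f"{name}: {key} must be an integer string, got {params[key]!r}")
        if "crossAccountList" in params:
            for acct in _csv(params["crossAccountList"]):
                if not re.fullmatch(r"\d{12}", acct):
                    findings.append(f"{name}: {acct!r} is not a 12-digit account ID")
        if "crossRegionList" in params:
            for region in _csv(params["crossRegionList"]):
                if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
                    findings.append(f"{name}: {region!r} is not a region code")
        if "principalArnList" in params:
            arns = _csv(params["principalArnList"])
            if len(arns) > MAX_EXCLUDED_ROLES:
                findings.append(f"{name}: {len(arns)} roles excluded, limit is {MAX_EXCLUDED_ROLES}")
            for arn in arns:
                if not re.fullmatch(ROLE_ARN, arn):
                    findings.append(f"{name}: {arn!r} is not an IAM role ARN")
    return findings


# Constructed inputs mirroring the two templates above (with !Sub resolved).
SAMPLE_CONTROLS = [
    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"},
    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
     "ControlInputParameters": [{"ParameterName": "requiredRetentionDays", "ParameterValue": "35"}]},
    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
     "ControlInputParameters": [{"ParameterName": "crossRegionList", "ParameterValue": "eu-west-2"}]},
    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",
     "ControlInputParameters": [{"ParameterName": "crossAccountList", "ParameterValue": ACCOUNT_ID}]},
    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
     "ControlInputParameters": [{"ParameterName": "principalArnList", "ParameterValue":
         f"arn:aws:iam::{ACCOUNT_ID}:role/AccAdminRole,arn:aws:iam::{ACCOUNT_ID}:role/ConfigRole"}]},
]

# Constructed bad inputs: non-numeric retention, a newline inside the region list, six roles.
BROKEN_CONTROLS = [
    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
     "ControlInputParameters": [{"ParameterName": "requiredRetentionDays", "ParameterValue": "thirty-five"}]},
    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
     "ControlInputParameters": [{"ParameterName": "crossRegionList", "ParameterValue": "eu-west-2\n"}]},
    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
     "ControlInputParameters": [{"ParameterName": "principalArnList", "ParameterValue":
         ",".join(f"arn:aws:iam::{ACCOUNT_ID}:role/Role{i}" for i in range(6))}]},
]

if __name__ == "__main__":
    print("page templates:", validate_controls(SAMPLE_CONTROLS) or "OK")
    for finding in validate_controls(BROKEN_CONTROLS):
        print("broken:", finding)
```

The validator deliberately uses re.fullmatch and does not strip whitespace, so a value like 'eu-west-2' followed by a newline (the form in which the list values appeared when this page was extracted) is flagged instead of silently passed through to the service.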
Creating a report plan
The following template creates a report plan that delivers CSV reports to the named S3 bucket and key prefix.
Description: "Basic AWS::Backup::ReportPlan template"
Parameters:
  ReportPlanDescription:
    Type: String
    Default: "SomeReportPlanDescription"
  S3BucketName:
    Type: String
    Default: "some-s3-bucket-name"
  S3KeyPrefix:
    Type: String
    Default: "some-s3-key-prefix"
  ReportTemplate:
    Type: String
    Default: "BACKUP_JOB_REPORT"
Resources:
  TestReportPlan:
    Type: "AWS::Backup::ReportPlan"
    Properties:
      ReportPlanDescription: !Ref ReportPlanDescription
      ReportDeliveryChannel:
        Formats:
          - "CSV"
        S3BucketName: !Ref S3BucketName
        S3KeyPrefix: !Ref S3KeyPrefix
      ReportSetting:
        ReportTemplate: !Ref ReportTemplate
        Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
        Accounts: ['123456789098']
        OrganizationUnits: ['ou-abcd-1234wxyz']
      ReportPlanTags:
        - Key: "a"
          Value: "1"
        - Key: "b"
          Value: "2"
Outputs:
  ReportPlanArn:
    Value: !GetAtt TestReportPlan.ReportPlanArn