쿠키 기본 설정 선택

당사는 사이트와 서비스를 제공하는 데 필요한 필수 쿠키 및 유사한 도구를 사용합니다. 고객이 사이트를 어떻게 사용하는지 파악하고 개선할 수 있도록 성능 쿠키를 사용해 익명의 통계를 수집합니다. 필수 쿠키는 비활성화할 수 없지만 '사용자 지정' 또는 ‘거부’를 클릭하여 성능 쿠키를 거부할 수 있습니다.

사용자가 동의하는 경우 AWS와 승인된 제3자도 쿠키를 사용하여 유용한 사이트 기능을 제공하고, 사용자의 기본 설정을 기억하고, 관련 광고를 비롯한 관련 콘텐츠를 표시합니다. 필수가 아닌 모든 쿠키를 수락하거나 거부하려면 ‘수락’ 또는 ‘거부’를 클릭하세요. 더 자세한 내용을 선택하려면 ‘사용자 정의’를 클릭하세요.

에서 AWS Backup Audit Manager 사용 AWS CloudFormation

포커스 모드
에서 AWS Backup Audit Manager 사용 AWS CloudFormation - AWS Backup

기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.

기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.

참조용으로 다음 샘플 AWS CloudFormation 템플릿을 제공합니다.

리소스 추적 켜기

다음 템플릿은 리소스 추적 켜기에 설명된 대로 리소스 추적을 켭니다.

AWSTemplateFormatVersion: 2010-09-09 Description: Enable AWS Config Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Recorder Configuration Parameters: - AllSupported - IncludeGlobalResourceTypes - ResourceTypes - Label: default: Delivery Channel Configuration Parameters: - DeliveryChannelName - Frequency - Label: default: Delivery Notifications Parameters: - TopicArn - NotificationEmail ParameterLabels: AllSupported: default: Support all resource types IncludeGlobalResourceTypes: default: Include global resource types ResourceTypes: default: List of resource types if not all supported DeliveryChannelName: default: Configuration delivery channel name Frequency: default: Snapshot delivery frequency TopicArn: default: SNS topic name NotificationEmail: default: Notification Email (optional) Parameters: AllSupported: Type: String Default: True Description: Indicates whether to record all supported resource types. AllowedValues: - True - False IncludeGlobalResourceTypes: Type: String Default: True Description: Indicates whether AWS Config records all supported global resource types. AllowedValues: - True - False ResourceTypes: Type: List<String> Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. Default: <All> DeliveryChannelName: Type: String Default: <Generated> Description: The name of the delivery channel. Frequency: Type: String Default: 24hours Description: The frequency with which AWS Config delivers configuration snapshots. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours TopicArn: Type: String Default: <New Topic> Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. NotificationEmail: Type: String Default: <None> Description: Email address for AWS Config notifications (for new topics). Conditions: IsAllSupported: !Equals - !Ref AllSupported - True IsGeneratedDeliveryChannelName: !Equals - !Ref DeliveryChannelName - <Generated> CreateTopic: !Equals - !Ref TopicArn - <New Topic> CreateSubscription: !And - !Condition CreateTopic - !Not - !Equals - !Ref NotificationEmail - <None> Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ConfigBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ConfigBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSConfigBucketPermissionsCheck Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - Sid: AWSConfigBucketDelivery Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" - Sid: AWSConfigBucketSecureTransport Action: - s3:* Effect: Deny Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*" Principal: "*" Condition: Bool: aws:SecureTransport: false ConfigTopic: Condition: CreateTopic Type: AWS::SNS::Topic Properties: TopicName: !Sub "config-topic-${AWS::AccountId}" DisplayName: AWS Config Notification Topic KmsMasterKeyId: "alias/aws/sns" ConfigTopicPolicy: Condition: CreateTopic Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref ConfigTopic PolicyDocument: Statement: - Sid: AWSConfigSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref ConfigTopic Principal: Service: - config.amazonaws.com EmailNotification: Condition: CreateSubscription Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ConfigTopic ConfigRecorderServiceRole: Type: AWS::IAM::ServiceLinkedRole Properties: AWSServiceName: config.amazonaws.com Description: Service Role for AWS Config ConfigRecorder: Type: AWS::Config::ConfigurationRecorder DependsOn: - ConfigBucketPolicy - ConfigRecorderServiceRole Properties: RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig RecordingGroup: AllSupported: !Ref AllSupported IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes ResourceTypes: !If - IsAllSupported - !Ref AWS::NoValue - !Ref ResourceTypes ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel DependsOn: - ConfigBucketPolicy Properties: Name: !If - IsGeneratedDeliveryChannelName - !Ref AWS::NoValue - !Ref DeliveryChannelName ConfigSnapshotDeliveryProperties: DeliveryFrequency: !FindInMap - Settings - FrequencyMap - !Ref Frequency S3BucketName: !Ref ConfigBucket SnsTopicARN: !If - CreateTopic - !Ref ConfigTopic - !Ref TopicArn

기본 컨트롤 배포

다음 템플릿은 AWS Backup Audit Manager 컨트롤 및 문제 해결에 설명된 기본 컨트롤을 포함하는 프레임워크를 생성합니다.

AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ParameterName: requiredFrequencyUnit ParameterValue: 'hours' - ParameterName: requiredFrequencyValue ParameterValue: '24' ControlScope: Tags: - Key: customizedKey Value: customizedValue - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION ControlInputParameters: - ParameterName: crossRegionList ParameterValue: 'eu-west-2' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT ControlInputParameters: - ParameterName: crossAccountList ParameterValue: '111122223333' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET ControlInputParameters: - ParameterName: maxRestoreTime ParameterValue: '720' Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn

컨트롤 평가에서 IAM 역할 제외

BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED 컨트롤을 사용하면 복구 시점을 여전히 수동으로 삭제할 수 있는 IAM 역할을 최대 5개까지 제외할 수 있습니다. 다음 템플릿은 이 컨트롤을 배포하고 IAM 역할 두 개도 제외합니다.

AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED ControlInputParameters: - ParameterName: "principalArnList" ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole" Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn

보고서 계획 생성

다음 템플릿은 보고서 계획을 생성합니다.

Description: "Basic AWS::Backup::ReportPlan template" Parameters: ReportPlanDescription: Type: String Default: "SomeReportPlanDescription" S3BucketName: Type: String Default: "some-s3-bucket-name" S3KeyPrefix: Type: String Default: "some-s3-key-prefix" ReportTemplate: Type: String Default: "BACKUP_JOB_REPORT" Resources: TestReportPlan: Type: "AWS::Backup::ReportPlan" Properties: ReportPlanDescription: !Ref ReportPlanDescription ReportDeliveryChannel: Formats: - "CSV" S3BucketName: !Ref S3BucketName S3KeyPrefix: !Ref S3KeyPrefix ReportSetting: ReportTemplate: !Ref ReportTemplate Regions: ['us-west-2', 'eu-west-1', 'us-east-1'] Accounts: ['123456789098'] OrganizationUnits: ['ou-abcd-1234wxyz'] ReportPlanTags: - Key: "a" Value: "1" - Key: "b" Value: "2" Outputs: ReportPlanArn: Value: !GetAtt TestReportPlan.ReportPlanArn
프라이버시사이트 이용 약관쿠키 기본 설정
© 2025, Amazon Web Services, Inc. 또는 계열사. All rights reserved.