選取您的 Cookie 偏好設定

我們使用提供自身網站和服務所需的基本 Cookie 和類似工具。我們使用效能 Cookie 收集匿名統計資料,以便了解客戶如何使用我們的網站並進行改進。基本 Cookie 無法停用,但可以按一下「自訂」或「拒絕」以拒絕效能 Cookie。

如果您同意,AWS 與經核准的第三方也會使用 Cookie 提供實用的網站功能、記住您的偏好設定,並顯示相關內容,包括相關廣告。若要接受或拒絕所有非必要 Cookie,請按一下「接受」或「拒絕」。若要進行更詳細的選擇,請按一下「自訂」。

搭配 使用 AWS Backup Audit Manager AWS CloudFormation

焦點模式
搭配 使用 AWS Backup Audit Manager AWS CloudFormation - AWS Backup

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

我們提供下列範例 AWS CloudFormation 範本供您參考:

開啟資源追蹤

下列範本會依開啟資源追蹤所述,開啟資源追蹤。

AWSTemplateFormatVersion: 2010-09-09 Description: Enable AWS Config Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Recorder Configuration Parameters: - AllSupported - IncludeGlobalResourceTypes - ResourceTypes - Label: default: Delivery Channel Configuration Parameters: - DeliveryChannelName - Frequency - Label: default: Delivery Notifications Parameters: - TopicArn - NotificationEmail ParameterLabels: AllSupported: default: Support all resource types IncludeGlobalResourceTypes: default: Include global resource types ResourceTypes: default: List of resource types if not all supported DeliveryChannelName: default: Configuration delivery channel name Frequency: default: Snapshot delivery frequency TopicArn: default: SNS topic name NotificationEmail: default: Notification Email (optional) Parameters: AllSupported: Type: String Default: True Description: Indicates whether to record all supported resource types. AllowedValues: - True - False IncludeGlobalResourceTypes: Type: String Default: True Description: Indicates whether AWS Config records all supported global resource types. AllowedValues: - True - False ResourceTypes: Type: List<String> Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. Default: <All> DeliveryChannelName: Type: String Default: <Generated> Description: The name of the delivery channel. Frequency: Type: String Default: 24hours Description: The frequency with which AWS Config delivers configuration snapshots. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours TopicArn: Type: String Default: <New Topic> Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. NotificationEmail: Type: String Default: <None> Description: Email address for AWS Config notifications (for new topics). Conditions: IsAllSupported: !Equals - !Ref AllSupported - True IsGeneratedDeliveryChannelName: !Equals - !Ref DeliveryChannelName - <Generated> CreateTopic: !Equals - !Ref TopicArn - <New Topic> CreateSubscription: !And - !Condition CreateTopic - !Not - !Equals - !Ref NotificationEmail - <None> Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ConfigBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ConfigBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSConfigBucketPermissionsCheck Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - Sid: AWSConfigBucketDelivery Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" - Sid: AWSConfigBucketSecureTransport Action: - s3:* Effect: Deny Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*" Principal: "*" Condition: Bool: aws:SecureTransport: false ConfigTopic: Condition: CreateTopic Type: AWS::SNS::Topic Properties: TopicName: !Sub "config-topic-${AWS::AccountId}" DisplayName: AWS Config Notification Topic KmsMasterKeyId: "alias/aws/sns" ConfigTopicPolicy: Condition: CreateTopic Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref ConfigTopic PolicyDocument: Statement: - Sid: AWSConfigSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref ConfigTopic Principal: Service: - config.amazonaws.com EmailNotification: Condition: CreateSubscription Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ConfigTopic ConfigRecorderServiceRole: Type: AWS::IAM::ServiceLinkedRole Properties: AWSServiceName: config.amazonaws.com Description: Service Role for AWS Config ConfigRecorder: Type: AWS::Config::ConfigurationRecorder DependsOn: - ConfigBucketPolicy - ConfigRecorderServiceRole Properties: RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig RecordingGroup: AllSupported: !Ref AllSupported IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes ResourceTypes: !If - IsAllSupported - !Ref AWS::NoValue - !Ref ResourceTypes ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel DependsOn: - ConfigBucketPolicy Properties: Name: !If - IsGeneratedDeliveryChannelName - !Ref AWS::NoValue - !Ref DeliveryChannelName ConfigSnapshotDeliveryProperties: DeliveryFrequency: !FindInMap - Settings - FrequencyMap - !Ref Frequency S3BucketName: !Ref ConfigBucket SnsTopicARN: !If - CreateTopic - !Ref ConfigTopic - !Ref TopicArn

部署預設控制項

下列範本會依 AWS Backup Audit Manager 控制項與修補所述,使用預設控制項建立架構。

AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK ControlInputParameters: - ParameterName: requiredRetentionDays ParameterValue: '35' - ParameterName: requiredFrequencyUnit ParameterValue: 'hours' - ParameterName: requiredFrequencyValue ParameterValue: '24' ControlScope: Tags: - Key: customizedKey Value: customizedValue - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION ControlInputParameters: - ParameterName: crossRegionList ParameterValue: 'eu-west-2' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT ControlInputParameters: - ParameterName: crossAccountList ParameterValue: '111122223333' - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET ControlInputParameters: - ParameterName: maxRestoreTime ParameterValue: '720' Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn

在控制項評估中豁免 IAM 角色

此控制項 BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED 可讓您豁免仍可手動刪除復原點的 IAM 角色,最多五個。下列範本會部署此控制項,並豁免兩個 IAM 角色。

AWSTemplateFormatVersion: '2010-09-09' Resources: TestFramework: Type: AWS::Backup::Framework Properties: FrameworkControls: - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED ControlInputParameters: - ParameterName: "principalArnList" ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole" Outputs: FrameworkArn: Value: !GetAtt TestFramework.FrameworkArn

建立報告計畫

下列範本會建立報告計畫。

Description: "Basic AWS::Backup::ReportPlan template" Parameters: ReportPlanDescription: Type: String Default: "SomeReportPlanDescription" S3BucketName: Type: String Default: "some-s3-bucket-name" S3KeyPrefix: Type: String Default: "some-s3-key-prefix" ReportTemplate: Type: String Default: "BACKUP_JOB_REPORT" Resources: TestReportPlan: Type: "AWS::Backup::ReportPlan" Properties: ReportPlanDescription: !Ref ReportPlanDescription ReportDeliveryChannel: Formats: - "CSV" S3BucketName: !Ref S3BucketName S3KeyPrefix: !Ref S3KeyPrefix ReportSetting: ReportTemplate: !Ref ReportTemplate Regions: ['us-west-2', 'eu-west-1', 'us-east-1'] Accounts: ['123456789098'] OrganizationUnits: ['ou-abcd-1234wxyz'] ReportPlanTags: - Key: "a" Value: "1" - Key: "b" Value: "2" Outputs: ReportPlanArn: Value: !GetAtt TestReportPlan.ReportPlanArn
隱私權網站條款Cookie 偏好設定
© 2025, Amazon Web Services, Inc.或其附屬公司。保留所有權利。