本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用稽核架構
*架構*是協助您評估備份實務的控制項集合。您可以使用預先建立的可自訂控制項定義政策,評估備份實務是否符合您的政策。您也可以設定每日自動報告,深入瞭解架構的合規性狀態。
每個架構適用於單一 帳戶和 AWS 區域。每個區域每個帳戶最多可以部署 15 個架構。您無法部署重複的架構 (包含相同控制項和參數的架構)。
架構有兩種不同類型:
+ **AWS Backup 架構** (建議):使用 AWS Backup 架構部署所有可用的控制項,根據我們推薦的最佳實務監視備份活動、涵蓋範圍和資源。
+ 您定義的**自訂架構**:使用自訂架構選擇一或多個特定控制項,並自訂控制項參數。
**Topics**
+ [選擇您的控制項](choosing-controls.md)
+ [開啟資源追蹤](turning-on-resource-tracking.md)
+ [使用 AWS Backup 主控台建立架構](creating-frameworks-console.md)
+ [使用 AWS Backup API 建立架構](creating-frameworks-api.md)
+ [檢視架構合規狀態](viewing-frameworks.md)
+ [尋找不合規的資源](finding-non-compliant-resources.md)
+ [更新稽核架構](updating-frameworks.md)
+ [刪除稽核架構](deleting-frameworks.md)
# 選擇您的控制項
下表列出 AWS Backup Audit Manager 控制項、其可自訂的參數及其 AWS Config 錄製資源類型。
**可用的控制項**
| 控制項名稱 | 控制項描述 | 可自訂參數 | AWS Config 錄製資源類型 |
| --- | --- | --- | --- |
| 備份資源包含於至少一個備份計畫中 | 評估資源是否包含在至少一個備份計畫中。 | 無 | AWS Backup: backup selection |
| 備份計畫具有最低的頻率和最短的保留期 | 評估備份頻率是否至少為 [1 天] 且保留期至少為 [35 天]。 | 備份頻率、保留期間 | AWS Backup: backup plans |
| 保存庫可防止手動刪除復原點 | 評估備份保存庫是否不允許手動刪除復原點,但特定 AWS Identity and Access Management (IAM) 角色除外。所有 IAM 角色預設都不得手動刪除復原點。當您使用 AWS Backup 架構部署此控制項時,也沒有任何 IAM 角色例外狀況。 | 最多允許 5 個 IAM 角色可手動刪除復原點 | AWS Backup: backup vaults |
| 復原點已加密 | 評估復原點是否已加密。 | 無 | AWS Backup: recovery points |
| 針對復原點建立的最短保留期 | 評估復原點保留期間是否至少為 [35 天]。 | 復原點保留期間 | AWS Backup: recovery points |
| 已排程跨區域備份副本 | 評估資源是否設定為將自己的備份副本建立在其他 AWS 區域中。 | AWS 區域 | AWS Backup: backup selection |
| 已排程跨帳戶備份副本 | 評估資源是否設定了跨帳戶備份副本。 | AWS 帳戶 ID | AWS Backup: backup selection |
| 資源位於具有保存 AWS Backup 庫鎖定的備份計畫中 | 評估資源是否已設定備份計畫,以將備份存放在鎖定的備份文件庫中。 | 最短保留天數、最長保留天數 | AWS Backup: backup selection |
| 已建立最後復原點 | 評估是否在指定的時段內建立復原點。 | 值以小時 [1 至 744] 或天數 [1 至 31] 為單位。 | AWS Backup recovery points |
| 資源的還原時間符合目標 | 評估還原測試任務是否在目標還原時間內完成 | 值 (以分鐘為單位) | 無 |
| 資源位於邏輯氣隙隔離保存庫內 | 評估資源是否在指定的值和時間範圍內有至少一個復原點複製到邏輯氣隙隔離保存庫。 | 以分鐘、小時或天為單位的值 | AWS Backup: recovery points |
如需這些控制項的詳細資訊,請參閱 [控制與補救](controls-and-remediation.md)。
如需不支援所有控制項的 AWS Backup支援資源清單,請參閱 AWS Backup [各資源的功能可用性](backup-feature-availability.md#features-by-resource)資料表的 Audit Manager 區段。
**注意**
如果您不想使用上述任何控制項,您仍然可以使用 AWS Backup Audit Manager 來建立備份、複製和還原任務的每日報告。請參閱[使用稽核報告](https://docs.aws.amazon.com/aws-backup/latest/devguide/working-with-audit-reports.html)。
# 開啟資源追蹤
您必須先開啟資源追蹤,才能建立第一個與合規性相關的架構。這樣做 AWS Config 可讓 追蹤您的 AWS Backup 資源。如需如何管理資源追蹤的技術文件,請參閱《 *AWS Config 開發人員指南*》中的[AWS Config 使用 主控台設定](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) 。
開啟資源追蹤後需支付費用。如需 AWS Backup Audit Manager 資源追蹤定價和帳單的資訊,請參閱[計量、成本和帳單](https://docs.aws.amazon.com/aws-backup/latest/devguide/metering-and-billing.html)。
**Topics**
+ [使用主控台開啟資源追蹤](#turning-on-resource-tracking-console)
+ [使用 AWS Command Line Interface (AWS CLI) 開啟資源追蹤](#turning-on-resource-tracking-cli)
+ [使用 CloudFormation 範本開啟資源追蹤](#turning-on-resource-tracking-cfn)
## 使用主控台開啟資源追蹤
**使用主控台開啟資源追蹤:**
1. 在 https://[https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup) 開啟 AWS Backup 主控台。
1. 在左側導覽窗格中,選擇 **Audit Manager** 下的 **架構**。
1. 選擇 **管理資源追蹤** 以開啟資源追蹤。
1. 選擇**移至 AWS Config 設定**。
1. 選擇 **啟用或停用記錄**。
1. 選擇 **啟用** 記錄下列所有資源類型,或選擇啟用記錄部分資源類型。請參閱 [AWS Backup Audit Manager 控制項與修補](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html),瞭解控制項需要的資源類型。
+ `AWS Backup: backup plans`
+ `AWS Backup: backup vaults`
+ `AWS Backup: recovery points`
+ `AWS Backup: backup selection`
1. 選擇**關閉**。
1. 等待顯示**開啟資源追蹤**的藍色橫幅,轉換成顯示**已開啟資源追蹤**的綠色橫幅。
您可以在 AWS Backup 主控台的兩個位置檢查是否已開啟資源追蹤,如果是的話,檢查正在記錄哪些資源類型。在左側導覽窗格中,執行兩個動作之一:
+ 選擇 **架構**,然後選擇 **AWS Config 記錄器狀態** 下的文字。
+ 選擇 **設定**,然後選擇 **AWS Config 記錄器狀態** 下的文字。
## 使用 AWS Command Line Interface (AWS CLI) 開啟資源追蹤
如果您尚未加入 AWS Config,使用 加入速度可能會更快 AWS CLI。
**使用 AWS CLI開啟資源追蹤:**
1. 輸入以下命令,確定是否已啟用 AWS Config 記錄器。
```
$ aws configservice describe-configuration-recorders
```
1. 如果您的 `ConfigurationRecorders` 清單空白如下:
```
{
"ConfigurationRecorders": []
}
```
您的記錄器未啟用。請繼續步驟 2 建立您的記錄器。
1. 如已啟用記錄所有資源,您的 `ConfigurationRecorders` 輸出結果會如下所示:
```
{
"ConfigurationRecorders":[
{
"recordingGroup":{
"allSupported":true,
"resourceTypes":[
],
"includeGlobalResourceTypes":true
},
"roleARN":"arn:aws:iam::[account]:role/[roleName]",
"name":"default"
}
]
}
```
因為您已啟用所有已開啟資源追蹤的資源。您不需要完成此程序的其餘部分,即可使用 AWS Backup Audit Manager。
1. 使用 AWS Backup Audit Manager 資源類型建立 AWS Config 記錄器
```
$ aws configservice put-configuration-recorder --configuration-recorder name=default, \
roleARN=arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
--recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection', \
'AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint']"
```
1. 描述您的 AWS Config 記錄器。
```
$ aws configservice describe-configuration-recorders
```
將輸出與下列預期輸出進行比較,以確認其具有 AWS Backup Audit Manager 資源類型。
```
{
"ConfigurationRecorders":[
{
"name":"default",
"roleARN":"arn:aws:iam::accountId:role/AWSServiceRoleForConfig",
"recordingGroup":{
"allSupported":false,
"includeGlobalResourceTypes":false,
"resourceTypes":[
"AWS::Backup::BackupPlan",
"AWS::Backup::BackupSelection",
"AWS::Backup::BackupVault",
"AWS::Backup::RecoveryPoint"
]
}
}
]
}
```
1. 建立 Amazon S3 儲存貯體做為儲存 AWS Config 組態檔案的目的地。
```
$ aws s3api create-bucket --bucket amzn-s3-demo-bucket —region us-east-1
```
1. 使用 *policy.json* 授予存取儲存貯體的 AWS Config 許可。請參閱下列範例 *policy.json*。
```
$ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
```
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AWSConfigBucketPermissionsCheck",
"Effect":"Allow",
"Principal":{
"Service":"config.amazonaws.com"
},
"Action":"s3:GetBucketAcl",
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
},
{
"Sid":"AWSConfigBucketExistenceCheck",
"Effect":"Allow",
"Principal":{
"Service":"config.amazonaws.com"
},
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
},
{
"Sid":"AWSConfigBucketDelivery",
"Effect":"Allow",
"Principal":{
"Service":"config.amazonaws.com"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*"
}
]
}
```
------
1. 將儲存貯體設定為 AWS Config 交付管道
```
$ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket
```
1. 啟用 AWS Config 錄製
```
$ aws configservice start-configuration-recorder --configuration-recorder-name default
```
1. 確認 `DescribeFramework` 輸出最後一行中的 `"FrameworkStatus":"ACTIVE"` 如下所示。
```
$ aws backup describe-framework --framework-name test --region us-east-1
```
```
{
"FrameworkName":"test",
"FrameworkArn":"arn:aws:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
"FrameworkDescription":"",
"FrameworkControls":[
{
"ControlName":"BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
"ControlInputParameters":[
{
"ParameterName":"requiredRetentionDays",
"ParameterValue":"1"
}
],
"ControlScope":{
}
},
{
"ControlName":"BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
"ControlInputParameters":[
{
"ParameterName":"requiredFrequencyUnit",
"ParameterValue":"hours"
},
{
"ParameterName":"requiredRetentionDays",
"ParameterValue":"35"
},
{
"ParameterName":"requiredFrequencyValue",
"ParameterValue":"1"
}
],
"ControlScope":{
}
},
{
"ControlName":"BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
"ControlInputParameters":[
],
"ControlScope":{
}
},
{
"ControlName":"BACKUP_RECOVERY_POINT_ENCRYPTED",
"ControlInputParameters":[
],
"ControlScope":{
}
},
{
"ControlName":"BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
"ControlInputParameters":[
],
"ControlScope":{
}
}
],
"CreationTime":1633463605.233,
"DeploymentStatus":"COMPLETED",
"FrameworkStatus":"ACTIVE"
}
```
## 使用 CloudFormation 範本開啟資源追蹤
如需開啟資源追蹤的 CloudFormation 範本,請參閱[搭配使用 AWS Backup Audit Manager CloudFormation](https://docs.aws.amazon.com/aws-backup/latest/devguide/bam-cfn-integration.html)。
# 使用 AWS Backup 主控台建立架構
開啟資源追蹤後,請使用下列步驟建立架構。
1. 在 https://[https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup) 開啟 AWS Backup 主控台。
1. 在左側的導覽窗格中,選擇 **架構**。
1. 選擇 **建立架構**。
1. 在 **架構名稱** 中,輸入唯一的名稱。此架構名稱的長度必須介於 1 到 256 個字元,以英文字母開頭,由英文字母 (a-z、A-Z)、數字 (0-9) 和底線 (\$1) 組成。
1. (選用) 在 **架構描述** 中輸入描述內容。
1. **控制項** 會顯示作用中的控制項。依預設,會列出符合資源資格的所有控制項。
按一下 **編輯控制項** 可變更作用中的控制項。
1. 第一個核取方塊會指出控制項是否已開啟。若要關閉控制項,請不要勾選此方塊。
1. 在 **選擇要評估的資源** 下,您可以選取依類型、依標籤或依單一資源選擇資源。
[AWS Backup Audit Manager 控制項](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html)清單會描述每個控制項的自訂選項。
1. (選用) 選擇 **新增標籤** 以標記您的架構。您可以使用標籤來搜尋和篩選架構,或追蹤成本。
1. 選擇 **建立架構**。
AWS Backup Audit Manager 可能需要幾分鐘的時間來建立架構。
如果發生錯誤 `AlreadyExists`,即表示已有具相同控制項和參數的架構。若要成功建立新的架構,至少必須要有一個控制項或參數與現有的架構不同。
# 使用 AWS Backup API 建立架構
下表包含每個控制項的 [CreateFramework](API_CreateFramework.md) 範例 API 請求,以及對應 [DescribeFramework](API_DescribeFramework.md) 請求的範例 API 回應。若要以程式設計方式使用 AWS Backup Audit Manager,您可以參考這些程式碼片段。
****
| 控制項 | `CreateFramework`請求 | `DescribeFramework` 回應 |
| --- | --- | --- |
| Backup resources are included in at least one backup plan | {"FrameworkName": "Control1",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["RDS"] // Evaluate only RDS instances
}
}
],
"IdempotencyToken": "Control1",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control1",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control1-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["RDS"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control1",
"FrameworkTags":
{"key1": "foo"}
} |
| Backup plan minimum frequency and minimum retention | {"FrameworkName": "Control2",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
"ControlInputParameters":
[
{"ParameterName": "requiredRetentionDays",
"ParameterValue": "35"},
{"ParameterName": "requiredFrequencyUnit",
"ParameterValue": "hours"},
{"ParameterName": "requiredFrequencyValue",
"ParameterValue": "24"}
],
"ControlScope":
{
"Tags": {"key1": "prod"} // Evaluate backup plans that tagged with "key1": "prod".
}
}
],
"IdempotencyToken": "Control2",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control2",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
"ControlInputParameters":
[
{"ParameterName": "requiredRetentionDays",
"ParameterValue": "35"},
{"ParameterName": "requiredFrequencyUnit",
"ParameterValue": "hours"},
{"ParameterName": "requiredFrequencyValue",
"ParameterValue": "24"}
],
"ControlScope":
{
"Tags": {"key1": "prod"}
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control2",
"FrameworkTags":
{"key1": "foo"}
} |
| Vaults prevent manual deletion of recovery points | {"FrameworkName": "Control3",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
"ControlInputParameters":
[
{"ParameterName": "principalArnList",
"ParameterValue":
"arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,
arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,
arn:aws:iam::123456789012:role/service-role/QuickSightAction"}
],
"ControlScope":
{"ComplianceResourceIds":["default"],
"ComplianceResourceTypes": ["AWS::Backup::BackupVault"]
}
}
],
"IdempotencyToken": "Control3",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control3",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
"ControlInputParameters":
[
{"ParameterName": "principalArnList",
"ParameterValue":
"arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,
arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,
arn:aws:iam::123456789012:role/service-role/QuickSightAction"}
],
"ControlScope":
{"ComplianceResourceIds":["default"],
"ComplianceResourceTypes": ["AWS::Backup::BackupVault"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control3",
"FrameworkTags":
{"key1": "foo"}
} |
| Minimum retention established for recovery point | {"FrameworkName": "Control4",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
"ControlInputParameters":
[
{"ParameterName": "requiredRetentionDays",
"ParameterValue": "35"}
],
"ControlScope": {} // Default scope (no scope input) sets scope to all recovery points.
}
],
"IdempotencyToken": "Control4",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control4",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-6e7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
"ControlInputParameters":
[
{"ParameterName": "requiredRetentionDays",
"ParameterValue": "35"}
],
"ControlScope": {}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control4",
"FrameworkTags":
{"key1": "foo"}
} |
| Backup recovery points are encrypted | {"FrameworkName": "Control5",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
"ControlInputParameters":
[],
"ControlScope": {} // Default scope (no scope input) is all recovery points
}
],
"IdempotencyToken": "Control5",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control5",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-7e7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
"ControlInputParameters":
[],
"ControlScope": {}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control5",
"FrameworkTags":
{"key1": "foo"}
} |
| Cross-Region backup copy is scheduled | {"FrameworkName": "Control6",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"] // Evaluate only EC2 instances
}
}
],
"IdempotencyToken": "Control6",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control6",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control6",
"FrameworkTags":
{"key1": "foo"}
} |
| Cross-account backup copy is scheduled | {"FrameworkName": "Control7",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"] // Evaluate only EC2 instances
}
}
],
"IdempotencyToken": "Control7",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control7",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control7",
"FrameworkTags":
{"key1": "foo"}
} |
| Resources are in a backup plan with an AWS Backup Vault Lock | {"FrameworkName": "Control8",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"] // Evaluate only EC2 instances
}
}
],
"IdempotencyToken": "Control8",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control8",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control8-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control8",
"FrameworkTags":
{"key1": "foo"}
} |
| Last recovery point was created | {"FrameworkName": "Control9",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"] // Evaluate only EC2 instances
}
}
],
"IdempotencyToken": "Control9",
"FrameworkTags":
{"key1": "foo"}
} | {"FrameworkName": "Control9",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control9",
"FrameworkTags":
{"key1": "foo"}
} |
| Restore time for resources meet target | {"FrameworkName":"Control10",
"FrameworkDescription":"This is a test framework",
"FrameworkControls":[
{
"ControlName":"RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",
"ControlInputParameters":[
{
"ParameterName":"maxRestoreTime",
"ParameterValue":"720"
}
],
"ControlScope":{
"ComplianceResourceIds":[
],
"ComplianceResourceTypes":[
"DynamoDB" // Evaluates only DynamoDB databases
]
}
}
]"IdempotencyToken":"Control10",
"FrameworkTags":{
"key1":"foo"
}
} | {"FrameworkName": "Control10",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2"]
}
}
],
"CreationTime": 1516925490,
"DeploymentStatus": "Active",
"FrameworkStatus": "Completed",
"IdempotencyToken": "Control10",
"FrameworkTags":
{"key1": "foo"}
} |
| RESOURCES\$1IN\$1LOGICALLY\$1AIR\$1GAPPED\$1VAULT | {"FrameworkName":"Control11",
"FrameworkDescription":"This is a test framework",
"FrameworkControls":[
{
"ControlName":"RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",
"ControlInputParameters":[
{
"ParameterName":"recoveryPointAgeValue",
"ParameterValue":"10"
}
{
"ParameterName":"recoveryPointAgeUnit",
"ParameterValue":"days"
}
],
"ControlScope":{
"ComplianceResourceTypes":[
"EC2"
]
}
}
]"IdempotencyToken":"Control11",
"FrameworkTags":{
"key1":"foo"
}
} | {"FrameworkName": "Control11",
"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control11-ab1234cd-5e67-89fg-06a0-4f43d8c19642",
"FrameworkDescription": "This is a test framework",
"FrameworkControls":
[
{"ControlName": "",
"ControlInputParameters":[],
"ControlScope":
{"ComplianceResourceTypes":
["EC2","EBS"]
}
}
],
"CreationTime": 1726087776.316,
"DeploymentStatus": "COMPLETED",
"FrameworkStatus": "ACTIVE",
"IdempotencyToken": "Control11",
"FrameworkTags":
{"key1": "foo"}
} |
# 檢視架構合規狀態
稽核架構建立之後,就會顯示在您的**架構**表中。您可以在 AWS Backup 主控台的左側導覽窗格中選擇**架構**來檢視此資料表。若要檢視架構的稽核結果,請選擇其**架構名稱**。如此即可前往 **架構詳細資訊** 頁面,其包含兩個區段:**摘要** 和 **控制項**。
**摘要** 區段會從左到右列出下列狀態:
+ **合規狀態** 是稽核架構的整體合規狀態,由各個控制項的合規狀態決定。每個控制項的合規狀態都是由其評估之各項資源的合規狀態決定。
只有當控制項評估範圍內的所有資源都通過這些評估時,架構合規狀態才會是 `Compliant`。如有一或多項資源無法通過控制項評估,則合規狀態會是 `Non-Compliant`。如需如何尋找不符合規範資源的相關資訊,請參閱[尋找不符合規範的資源](https://docs.aws.amazon.com/aws-backup/latest/devguide/finding-non-compliant-resources.html)。如需如何使資源符合規範的相關資訊,請參閱 [AWS Backup Audit Manager 控制項與修補](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html)的修補一節。
+ **架構狀態** 會指出您是否已開啟所有資源的資源追蹤。可能的狀態如下:
+ `Active`,當架構評估的所有資源皆開啟記錄時。
+ `Partially active`,當架構評估的資源中至少一項關閉記錄時。
+ `Inactive`,當架構評估的所有資源皆關閉記錄時。
+ `Unavailable` 當 AWS Backup Audit Manager 目前無法驗證記錄狀態時。
**更正 `Partially active` 或 `Inactive` 狀態**
1. 在左側的導覽窗格中選擇 **架構**。
1. 選擇 **管理資源追蹤**。
1. 遵循快顯視窗中的指示,記錄之前未啟用記錄的資源類型。
如需有關哪些資源類型需要根據架構所包含之控制項進行資源追蹤的詳細資訊,請參閱 [AWS Backup Audit Manager 控制項與修補](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html)的資源元件。
+ **部署狀態** 是指架構的部署狀態。此狀態通常應該是 `Completed`,但也會是 `Create in progress`、`Update in progress`、`Delete in progress` 和 `Failed`。
+ `Failed` 狀態表示架構部署不正確。[刪除架構](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-frameworks.html),然後透過 [AWS Backup 主控台](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-console.html)或 [AWS Backup API](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-api.html) 重新建立架構。
+ **合規控制項** 會顯示通過所有評估的架構控制項計數。
+ **不合規控制項** 會顯示至少有一項評估未通過的架構控制項計數。
**控制項** 區段會顯示下列資訊:
+ **控制項狀態** 是指每個控制項的合規狀態。控制項狀態可以是:`Compliant`,表示所有資源都通過該評估;`Non-compliant`,表示至少有一項資源未通過該評估;或者 `Insufficient data`,表示控制項在評估範圍內找不到任何可評估的資源。
+ **評估範圍** 可能會根據您在建立稽核架構時自訂控制項的方式,將每個控制項限制為一或多個 **資源類型**、一個 **資源 ID** 或一對 **標籤索引鍵** 和 **標籤值**。如果所有欄位都是空白的 (以破折號 "-" 表示),則控制項會評估所有適用的資源。
# 尋找不合規的資源
AWS Backup Audit Manager 可協助您以兩種方式找出哪些資源不合規。
+ [檢視架構合規狀態](https://docs.aws.amazon.com/aws-backup/latest/devguide/viewing-frameworks.html) 時,請在 **詳細資訊** 區段中選擇控制項名稱。這樣做會帶您前往 AWS Config 主控台,您可以在其中檢視 `Non-Compliant` 資源的清單。
+ [使用包含架構的資源合規範本建立報告計畫](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html)之後,您可以 [檢視報告](https://docs.aws.amazon.com/aws-backup/latest/devguide/view-reports.html),以識別所有控制項中的所有 `Non-Compliant` 資源。
此外,您的 `Resource compliance report` 還會顯示 AWS Backup Audit Manager 上次評估每個控制項的時間。
# 更新稽核架構
您可以更新現有稽核架構的描述、控制項及參數。
**更新現有的架構**
1. 在 AWS Backup 主控台左側導覽窗格中,選擇**架構**。
1. 選擇要編輯架構的**架構名稱**。
1. 選擇**編輯**。
# 刪除稽核架構
**刪除現有的架構**
1. 在 AWS Backup 主控台左側導覽窗格中,選擇**架構**。
1. 選擇要刪除架構的**架構名稱**。
1. 選擇 **刪除**。
1. 輸入架構的名稱,然後選擇 **刪除架構**。