本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon CloudFormation 备份计划模板
我们提供了三个示例 Amazon CloudFormation 模板供您参考。第一个模板可创建一个简单的备份计划。第二个模板在备份计划中启用 VSS 备份。第三个模板在备份计划中启用 Amazon GuardDuty 恶意软件防护扫描。
注意
如果您使用的是默认服务角色,请service-role替换为AWSBackupServiceRolePolicyForBackup。
Description: backup plan template to back up all resources daily at 5am UTC, and tag all recovery points with backup:daily. Resources: KMSKey: Type: AWS::KMS::Key Properties: Description: "Encryption key for daily" EnableKeyRotation: True Enabled: True KeyPolicy: Version: "2012-10-17" Statement: - Effect: Allow Principal: "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" } Action: - kms:* Resource: "*" BackupVaultWithDailyBackups: Type: "AWS::Backup::BackupVault" Properties: BackupVaultName: "BackupVaultWithDailyBackups" EncryptionKeyArn: !GetAtt KMSKey.Arn BackupPlanWithDailyBackups: Type: "AWS::Backup::BackupPlan" Properties: BackupPlan: BackupPlanName: "BackupPlanWithDailyBackups" BackupPlanRule: - RuleName: "RuleForDailyBackups" TargetBackupVault: !Ref BackupVaultWithDailyBackups ScheduleExpression: "cron(0 5 ? * * *)" DependsOn: BackupVaultWithDailyBackups DDBTableWithDailyBackupTag: Type: "AWS::DynamoDB::Table" Properties: TableName: "TestTable" AttributeDefinitions: - AttributeName: "Album" AttributeType: "S" KeySchema: - AttributeName: "Album" KeyType: "HASH" ProvisionedThroughput: ReadCapacityUnits: "5" WriteCapacityUnits: "5" Tags: - Key: "backup" Value: "daily" BackupRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "backup.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/service-role" TagBasedBackupSelection: Type: "AWS::Backup::BackupSelection" Properties: BackupSelection: SelectionName: "TagBasedBackupSelection" IamRoleArn: !GetAtt BackupRole.Arn ListOfTags: - ConditionType: "STRINGEQUALS" ConditionKey: "backup" ConditionValue: "daily" BackupPlanId: !Ref BackupPlanWithDailyBackups DependsOn: BackupPlanWithDailyBackups
Description: backup plan template to enable Windows VSS and add backup rule to take backup of assigned resources daily at 5am UTC. Resources: KMSKey: Type: AWS::KMS::Key Properties: Description: "Encryption key for daily" EnableKeyRotation: True Enabled: True KeyPolicy: Version: "2012-10-17" Statement: - Effect: Allow Principal: "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" } Action: - kms:* Resource: "*" BackupVaultWithDailyBackups: Type: "AWS::Backup::BackupVault" Properties: BackupVaultName: "BackupVaultWithDailyBackups" EncryptionKeyArn: !GetAtt KMSKey.Arn BackupPlanWithDailyBackups: Type: "AWS::Backup::BackupPlan" Properties: BackupPlan: BackupPlanName: "BackupPlanWithDailyBackups" AdvancedBackupSettings: - ResourceType: EC2 BackupOptions: WindowsVSS: enabled BackupPlanRule: - RuleName: "RuleForDailyBackups" TargetBackupVault: !Ref BackupVaultWithDailyBackups ScheduleExpression: "cron(0 5 ? * * *)" DependsOn: BackupVaultWithDailyBackups
Description: Backup plan template with Amazon GuardDuty Malware Protection scanning enabled. Resources: BackupVault: Type: "AWS::Backup::BackupVault" Properties: BackupVaultName: "MalwareScanBackupVault" BackupPlanWithMalwareScanning: Type: "AWS::Backup::BackupPlan" Properties: BackupPlan: BackupPlanName: "BackupPlanWithMalwareScanning" BackupPlanRule: - RuleName: "DailyBackupWithIncrementalScan" TargetBackupVault: !Ref BackupVault ScheduleExpression: "cron(0 5 ? * * *)" Lifecycle: DeleteAfterDays: 35 ScanActions: - MalwareScanner: GUARDDUTY ScanMode: INCREMENTAL_SCAN - RuleName: "MonthlyBackupWithFullScan" TargetBackupVault: !Ref BackupVault ScheduleExpression: "cron(0 5 1 * ? *)" Lifecycle: DeleteAfterDays: 365 ScanActions: - MalwareScanner: GUARDDUTY ScanMode: FULL_SCAN ScanSettings: - MalwareScanner: GUARDDUTY ResourceTypes: - EBS ScannerRoleArn: !GetAtt ScannerRole.Arn DependsOn: BackupVault ScannerRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "malware-protection.guardduty.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - "arn:aws:iam::aws:policy/AWSBackupGuardDutyRolePolicyForScans" BackupRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "backup.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/service-role" - "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForScans" TagBasedBackupSelection: Type: "AWS::Backup::BackupSelection" Properties: BackupSelection: SelectionName: "MalwareScanSelection" IamRoleArn: !GetAtt BackupRole.Arn ListOfTags: - ConditionType: "STRINGEQUALS" ConditionKey: "backup" ConditionValue: "true" BackupPlanId: !Ref BackupPlanWithMalwareScanning DependsOn: BackupPlanWithMalwareScanning