Turn on resource tracking - Amazon Backup
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF)

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Turn on resource tracking

Before you create your first compliance framework, you must turn on resource tracking. Doing so lets Amazon Config record your Amazon Backup resources, which is what Audit Manager controls evaluate. For the technical documentation on managing resource tracking, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.

You are charged when you turn on resource tracking. For resource tracking pricing and billing for Amazon Backup Audit Manager, see Metering, costs, and billing.

Turn on resource tracking using the console

To turn on resource tracking using the console:
  1. Open the Amazon Backup console at https://console.aws.amazon.com/backup

  2. In the left navigation pane, under Audit Manager, choose Frameworks.

  3. Choose Manage resource tracking to turn on resource tracking.

  4. Choose Go to Amazon Config Settings.

  5. Choose Enable or disable recording.

  6. Choose Enable recording for all of the following resource types, or choose Enable recording for some resource types. See Amazon Backup Audit Manager controls and remediation for the resource types that your controls require.

    • Amazon Backup: backup plans

    • Amazon Backup: backup vaults

    • Amazon Backup: recovery points

    • Amazon Backup: backup selection

    Note

    Amazon Backup Audit Manager requires Amazon Config: resource compliance for every control.

  7. Choose Close.

  8. Wait for the blue banner with the text Turn on resource tracking to change to a green banner with the text Resource tracking is turned on.

You can check in two places in the Amazon Backup console whether resource tracking is turned on and, if it is, which resource types are being recorded. In the left navigation pane, do one of the following:

  • Choose Frameworks, then choose the text under Amazon Config recorder status.

  • Choose Settings, then choose the text under Amazon Config recorder status.

Turn on resource tracking using the Amazon Command Line Interface (Amazon CLI)

If you have not yet onboarded to Amazon Config, it may be faster to do so with the Amazon CLI.

To turn on resource tracking using the Amazon CLI:
  1. Type the following command to determine whether you have already enabled your Amazon Config recorder.

    $ aws configservice describe-configuration-recorders

    a. If your ConfigurationRecorders list is empty, like this:

      { "ConfigurationRecorders": [] }

      your recorder is not enabled. Continue to step 2 to create your recorder.

    b. If you have already enabled recording for all resources, your ConfigurationRecorders output looks like this:

      {
        "ConfigurationRecorders": [
          {
            "recordingGroup": {
              "allSupported": true,
              "resourceTypes": [],
              "includeGlobalResourceTypes": true
            },
            "roleARN": "arn:aws:iam::[account]:role/[roleName]",
            "name": "default"
          }
        ]
      }

      Because you enabled all resources, you have already turned on resource tracking. You do not need to complete the rest of this procedure to use Amazon Backup Audit Manager.

    c. If ConfigurationRecorders is not empty but you have not enabled recording for all resources, add the backup resource types to your existing recorder with put-configuration-recorder (the command in step 2). Keep the resource types the recorder already records in the list, because put-configuration-recorder replaces the recording group rather than appending to it; omitting them silently stops recording for those types. Then skip to step 3. After the update, describe-configuration-recorders shows the backup resource types in resourceTypes:

      $ aws configservice describe-configuration-recorders
      {
        "ConfigurationRecorders": [
          {
            "name": "default",
            "roleARN": "arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "recordingGroup": {
              "allSupported": false,
              "includeGlobalResourceTypes": false,
              "resourceTypes": [
                "AWS::Backup::BackupPlan",
                "AWS::Backup::BackupSelection",
                "AWS::Backup::BackupVault",
                "AWS::Backup::RecoveryPoint",
                "AWS::Config::ResourceCompliance"
              ]
            }
          }
        ]
      }
  2. Create an Amazon Config recorder with the Amazon Backup Audit Manager resource types. The recording group is passed as JSON so that the list of resource types needs no shorthand quoting. The command assumes the Amazon Config service-linked role already exists; if it does not, create it first with aws iam create-service-linked-role --aws-service-name config.amazonaws.com.

    $ aws configservice put-configuration-recorder \
        --configuration-recorder name=default,roleARN=arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
        --recording-group '{"allSupported":false,"includeGlobalResourceTypes":false,"resourceTypes":["AWS::Backup::BackupPlan","AWS::Backup::BackupSelection","AWS::Backup::BackupVault","AWS::Backup::RecoveryPoint","AWS::Config::ResourceCompliance"]}'
  3. Describe your Amazon Config recorder.

    $ aws configservice describe-configuration-recorders

    Verify that it has the Amazon Backup Audit Manager resource types by comparing your output with the following expected output.

    {
      "ConfigurationRecorders": [
        {
          "name": "default",
          "roleARN": "arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
          "recordingGroup": {
            "allSupported": false,
            "includeGlobalResourceTypes": false,
            "resourceTypes": [
              "AWS::Backup::BackupPlan",
              "AWS::Backup::BackupSelection",
              "AWS::Backup::BackupVault",
              "AWS::Backup::RecoveryPoint",
              "AWS::Config::ResourceCompliance"
            ]
          }
        }
      ]
    }
  4. Create an Amazon S3 bucket as the destination for the configuration files that Amazon Config delivers. In Regions other than us-east-1, create-bucket also requires --create-bucket-configuration LocationConstraint=<region>.

    $ aws s3api create-bucket --bucket my-bucket --region us-east-1
  5. Grant Amazon Config permission to access your bucket with policy.json. See the example policy.json below. Note that this policy trusts the config.amazonaws.com service principal from any account; the bucket policy documented for Amazon Config additionally restricts each statement with an AWS:SourceAccount condition so that another account cannot point its own delivery channel at your bucket.

    $ aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSConfigBucketPermissionsCheck",
          "Effect": "Allow",
          "Principal": { "Service": "config.amazonaws.com" },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws:s3:::my-bucket"
        },
        {
          "Sid": "AWSConfigBucketExistenceCheck",
          "Effect": "Allow",
          "Principal": { "Service": "config.amazonaws.com" },
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-bucket"
        },
        {
          "Sid": "AWSConfigBucketDelivery",
          "Effect": "Allow",
          "Principal": { "Service": "config.amazonaws.com" },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }
  6. Configure your bucket as the Amazon Config delivery channel.

    $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=my-bucket
  7. Start Amazon Config recording.

    $ aws configservice start-configuration-recorder --configuration-recorder-name default
  8. Once you have created a framework (a framework named test is used here), verify that the last line of the DescribeFramework output reads "FrameworkStatus": "ACTIVE", as shown below. Any other status means Amazon Config is not yet recording the resource types the framework's controls need.

    $ aws backup describe-framework --framework-name test --region us-east-1
    {
      "FrameworkName": "test",
      "FrameworkArn": "arn:aws:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
      "FrameworkDescription": "",
      "FrameworkControls": [
        {
          "ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
          "ControlInputParameters": [
            { "ParameterName": "requiredRetentionDays", "ParameterValue": "1" }
          ],
          "ControlScope": {}
        },
        {
          "ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
          "ControlInputParameters": [
            { "ParameterName": "requiredFrequencyUnit", "ParameterValue": "hours" },
            { "ParameterName": "requiredRetentionDays", "ParameterValue": "35" },
            { "ParameterName": "requiredFrequencyValue", "ParameterValue": "1" }
          ],
          "ControlScope": {}
        },
        {
          "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
          "ControlInputParameters": [],
          "ControlScope": {}
        },
        {
          "ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
          "ControlInputParameters": [],
          "ControlScope": {}
        },
        {
          "ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
          "ControlInputParameters": [],
          "ControlScope": {}
        }
      ],
      "CreationTime": 1633463605.233,
      "DeploymentStatus": "COMPLETED",
      "FrameworkStatus": "ACTIVE"
    }
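The CLI procedure above branches on the state of the existing recorder (steps 1a to 1c) and then writes a bucket policy (step 5). The following script is an added example and is not part of the Amazon Backup documentation: it takes the JSON that aws configservice describe-configuration-recorders prints, decides whether to create, update or leave the recorder, renders the matching put-configuration-recorder call while preserving any resource types already recorded, and builds the delivery bucket policy in the source-account-scoped form that the Amazon Config documentation recommends. The sample recorder outputs, the account ID 123456789012, the role ARN and the bucket name my-bucket are all constructed placeholders.

```python
"""Added example: plan the AWS Config recorder change for AWS Backup Audit Manager
and build a source-account-scoped delivery bucket policy. Inputs are the JSON from
`aws configservice describe-configuration-recorders`; all samples are constructed."""
import json

# Resource types AWS Backup Audit Manager needs AWS Config to record (from the page).
REQUIRED_TYPES = (
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
    "AWS::Config::ResourceCompliance",
)


def put_recorder_command(name, role_arn, group):
    """Render put-configuration-recorder; the group goes as JSON, not shorthand."""
    return (
        "aws configservice put-configuration-recorder "
        f"--configuration-recorder name={name},roleARN={role_arn} "
        f"--recording-group '{json.dumps(group, separators=(',', ':'))}'"
    )


def plan_recorder(describe_output, role_arn, name="default"):
    """Return {'action', 'name', 'recording_group', 'command'}.

    action is 'create' (no recorder, step 2), 'none' (every required type is already
    recorded, or allSupported is on) or 'update' (recorder exists but lacks types).
    PutConfigurationRecorder replaces the recording group wholesale, so an update
    keeps the existing types and appends the missing ones instead of dropping them.
    """
    recorders = json.loads(describe_output).get("ConfigurationRecorders", [])
    if not recorders:
        group = {"allSupported": False, "includeGlobalResourceTypes": False,
                 "resourceTypes": list(REQUIRED_TYPES)}
        return {"action": "create", "name": name, "recording_group": group,
                "command": put_recorder_command(name, role_arn, group)}
    rec = recorders[0]  # take the first (normally the only) recorder in the Region
    group = dict(rec.get("recordingGroup", {}))
    existing = list(group.get("resourceTypes", []))
    if group.get("allSupported") or set(REQUIRED_TYPES) <= set(existing):
        return {"action": "none", "name": rec["name"], "recording_group": group, "command": None}
    group["resourceTypes"] = existing + [t for t in REQUIRED_TYPES if t not in existing]
    group.setdefault("allSupported", False)
    group.setdefault("includeGlobalResourceTypes", False)
    return {"action": "update", "name": rec["name"], "recording_group": group,
            "command": put_recorder_command(rec["name"], rec.get("roleARN", role_arn), group)}


def delivery_bucket_policy(bucket, account_id, prefix=""):
    """Bucket policy for the delivery channel. Unlike the page's policy.json, every
    statement is conditioned on AWS:SourceAccount and PutObject is limited to the
    AWSLogs/<account>/Config/ key space with bucket-owner-full-control, so another
    account's Config cannot write into (or probe) this bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    principal = {"Service": "config.amazonaws.com"}
    same_account = {"AWS:SourceAccount": account_id}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
             "Condition": {"StringEquals": dict(same_account)}},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": bucket_arn,
             "Condition": {"StringEquals": dict(same_account)}},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/{key_prefix}AWSLogs/{account_id}/Config/*",
             "Condition": {"StringEquals": {**same_account,
                                            "s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def policy_is_account_scoped(policy, account_id):
    """True when every Allow statement carries the AWS:SourceAccount condition."""
    return all(
        s.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceAccount") == account_id
        for s in policy["Statement"] if s.get("Effect") == "Allow"
    )


# Constructed samples mirroring the outputs shown on the page (placeholder account).
ROLE = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
EMPTY = '{"ConfigurationRecorders": []}'
PARTIAL = json.dumps({"ConfigurationRecorders": [{
    "name": "default", "roleARN": ROLE,
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::S3::Bucket", "AWS::Backup::BackupVault"]}}]})

if __name__ == "__main__":
    for sample in (EMPTY, PARTIAL):
        plan = plan_recorder(sample, ROLE)
        print(plan["action"], plan["recording_group"]["resourceTypes"])
        if plan["command"]:
            print(plan["command"])
    print(json.dumps(delivery_bucket_policy("my-bucket", "123456789012"), indent=2))
```

Run the script with the real describe-configuration-recorders output piped into plan_recorder to get the exact command for your account; the PARTIAL sample shows the case from step 1c, where a recorder that already records AWS::S3::Bucket keeps that type after the backup types are appended.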

Turn on resource tracking using an Amazon CloudFormation template

For an Amazon CloudFormation template that turns on resource tracking, see Using Amazon Backup Audit Manager with Amazon CloudFormation.