This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.
Turning on resource tracking
Before you create your first compliance-related framework, you must turn on resource tracking. This lets Amazon Config track your Amazon Backup resources. For technical documentation on how to manage resource tracking, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.

Charges apply when you turn on resource tracking. For information about pricing and billing for Amazon Backup Audit Manager resource tracking, see Metering, costs, and billing.
Turning on resource tracking using the console

To turn on resource tracking using the console:

1. Open the Amazon Backup console at https://console.aws.amazon.com/backup.
2. In the left navigation pane, under Audit Manager, choose Frameworks.
3. Choose Manage resource tracking to turn on resource tracking.
4. Choose Go to Amazon Config settings.
5. Choose Enable or disable recording.
6. Choose Enable recording for all of the following resource types, or choose to enable recording for some of them. See Amazon Backup Audit Manager controls and remediation to learn which resource types your controls require.
   - Amazon Backup: backup plans
   - Amazon Backup: backup vaults
   - Amazon Backup: recovery points
   - Amazon Backup: backup selection
   - Amazon Config: resource compliance

   Note: Amazon Backup Audit Manager requires Amazon Config: resource compliance for every control.
7. Choose Close.
8. Wait for the blue banner with the text Turn on resource tracking to change to a green banner with the text Resource tracking is on.

You can check in two places in the Amazon Backup console whether resource tracking is on and, if so, which resource types are being recorded. In the left navigation pane, do one of the following:
- Choose Frameworks, then choose the text under Amazon Config recorder status.
- Choose Settings, then choose the text under Amazon Config recorder status.
Turning on resource tracking using the Amazon Command Line Interface (Amazon CLI)

If you have not yet set up Amazon Config, it might be faster to get started using the Amazon CLI.

To turn on resource tracking using the Amazon CLI:

1. Type the following command to determine whether you have already enabled an Amazon Config recorder.

       $ aws configservice describe-configuration-recorders

   - If the ConfigurationRecorders list is empty, like this:

         { "ConfigurationRecorders": [] }

     your recorder is not enabled. Continue with step 2 to create the recorder.

   - If you have already enabled recording for all resources, the ConfigurationRecorders output looks like this:

         {
           "ConfigurationRecorders": [
             {
               "recordingGroup": {
                 "allSupported": true,
                 "resourceTypes": [],
                 "includeGlobalResourceTypes": true
               },
               "roleARN": "arn:aws:iam::[account]:role/[roleName]",
               "name": "default"
             }
           ]
         }

     Because you have enabled all resources, resource tracking is already on. You do not need to complete the rest of this procedure to use Amazon Backup Audit Manager.

   - If ConfigurationRecorders is not empty but you have not enabled recording for all resources, add the backup resource types to your existing recorder with the put-configuration-recorder command shown in step 2. Keep the recorder's existing name and roleARN, and include any resource types it already records in the resourceTypes list: put-configuration-recorder replaces the recording group rather than appending to it, so passing only the Backup types would stop recording everything else. Then run describe-configuration-recorders again; the output should look like the following. Then skip to step 3.

         $ aws configservice describe-configuration-recorders
         {
           "ConfigurationRecorders": [
             {
               "name": "default",
               "roleARN": "arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
               "recordingGroup": {
                 "allSupported": false,
                 "includeGlobalResourceTypes": false,
                 "resourceTypes": [
                   "AWS::Backup::BackupPlan",
                   "AWS::Backup::BackupSelection",
                   "AWS::Backup::BackupVault",
                   "AWS::Backup::RecoveryPoint",
                   "AWS::Config::ResourceCompliance"
                 ]
               }
             }
           ]
         }

2. Create an Amazon Config recorder with the Amazon Backup Audit Manager resource types. Keep name and roleARN in one shell word (no space after the comma); otherwise roleARN is passed as a separate argument and the command fails.

       $ aws configservice put-configuration-recorder \
           --configuration-recorder name=default,roleARN=arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
           --recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection','AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint','AWS::Config::ResourceCompliance']"

3. Describe your Amazon Config recorder.

       $ aws configservice describe-configuration-recorders

   Verify that it has the Amazon Backup Audit Manager resource types by comparing your output with the following expected output.

       {
         "ConfigurationRecorders": [
           {
             "name": "default",
             "roleARN": "arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
             "recordingGroup": {
               "allSupported": false,
               "includeGlobalResourceTypes": false,
               "resourceTypes": [
                 "AWS::Backup::BackupPlan",
                 "AWS::Backup::BackupSelection",
                 "AWS::Backup::BackupVault",
                 "AWS::Backup::RecoveryPoint",
                 "AWS::Config::ResourceCompliance"
               ]
             }
           }
         ]
       }

4. Create an Amazon S3 bucket as the destination for storing Amazon Config configuration files.

       $ aws s3api create-bucket --bucket amzn-s3-demo-bucket --region us-east-1

5. Grant Amazon Config permission to access your bucket using policy.json. See the following example policy.json. The three statements grant the config.amazonaws.com service principal only what delivery needs: read the bucket ACL, list the bucket, and write objects under it.

       $ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "AWSConfigBucketPermissionsCheck",
             "Effect": "Allow",
             "Principal": { "Service": "config.amazonaws.com" },
             "Action": "s3:GetBucketAcl",
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
           },
           {
             "Sid": "AWSConfigBucketExistenceCheck",
             "Effect": "Allow",
             "Principal": { "Service": "config.amazonaws.com" },
             "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
           },
           {
             "Sid": "AWSConfigBucketDelivery",
             "Effect": "Allow",
             "Principal": { "Service": "config.amazonaws.com" },
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
           }
         ]
       }

6. Configure your bucket as the Amazon Config delivery channel.

       $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket

7. Enable Amazon Config recording.

       $ aws configservice start-configuration-recorder --configuration-recorder-name default

8. Verify "FrameworkStatus":"ACTIVE" in the last line of the DescribeFramework output, as follows (the example assumes a framework named test already exists).

       $ aws backup describe-framework --framework-name test --region us-east-1
       {
         "FrameworkName": "test",
         "FrameworkArn": "arn:aws:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
         "FrameworkDescription": "",
         "FrameworkControls": [
           {
             "ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
             "ControlInputParameters": [
               { "ParameterName": "requiredRetentionDays", "ParameterValue": "1" }
             ],
             "ControlScope": {}
           },
           {
             "ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
             "ControlInputParameters": [
               { "ParameterName": "requiredFrequencyUnit", "ParameterValue": "hours" },
               { "ParameterName": "requiredRetentionDays", "ParameterValue": "35" },
               { "ParameterName": "requiredFrequencyValue", "ParameterValue": "1" }
             ],
             "ControlScope": {}
           },
           {
             "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
             "ControlInputParameters": [],
             "ControlScope": {}
           },
           {
             "ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
             "ControlInputParameters": [],
             "ControlScope": {}
           },
           {
             "ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
             "ControlInputParameters": [],
             "ControlScope": {}
           }
         ],
         "CreationTime": 1633463605.233,
         "DeploymentStatus": "COMPLETED",
         "FrameworkStatus": "ACTIVE"
       }
Turning on resource tracking using an Amazon CloudFormation template

For an Amazon CloudFormation template that turns on resource tracking, see Using Amazon Backup Audit Manager with Amazon CloudFormation.