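---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates the regional KMS key used by AWS Backup and the AWS Backup Vault in each target account.
  It should be deployed to each AWS Region of a member account where you intend to store backup data/vault.

# Parameter naming is mixed (pXxx prefix vs. bare names). Parameter names are part of the
# stack's interface, so they are kept as-is for compatibility with existing stacks.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Backup Local Configuration
        Parameters:
          - pMemberBackupVaultName
          - pCrossAccountBackupRoleName
          - pBackupKeyAlias
      - Label:
          default: AWS Backup Central Copy Configuration
        Parameters:
          - CentralBackupVaultArn
      - Label:
          default: AWS Backup Tags
        Parameters:
          - BusinessUnit
          - CostCenter
          - Owner
    ParameterLabels:
      CentralBackupVaultArn:
        default: ARN for AWS Backup Central Vault
      pCrossAccountBackupRoleName:
        default: Enter an IAM service role name that will be used by AWS Backup
      pBackupKeyAlias:
        default: Name of the AWS Backup KMS key Alias
      pMemberBackupVaultName:
        default: Name of the AWS Backup vault (Case sensitive)
      BusinessUnit:
        default: Enter the business unit that owns the resources created by this stack.
      CostCenter:
        default: Enter the cost center for the resources created by this stack.
      Owner:
        default: Enter the owner for the resources created by this stack.

Parameters:
  CentralBackupVaultArn:
    Description: The ARN of a centralized AWS Backup Vault that will be the secondary store for all AWS Backups. The defined organization backup policy plans will "copy_to" this vault.
    Type: String
    # Reject anything that is not shaped like a backup-vault ARN, so a typo cannot
    # silently point the vault access policy below at an unintended resource.
    AllowedPattern: '^arn:[a-z-]+:backup:[a-z0-9-]+:[0-9]{12}:backup-vault:.+$'
    ConstraintDescription: Must be a backup vault ARN (arn:<partition>:backup:<region>:<account-id>:backup-vault:<name>).
  pCrossAccountBackupRoleName:
    Type: String
    Description: This is the IAM role name for the cross-account backup role that carries out the backup activities.
    Default: AWSBackupSolutionRole
  pBackupKeyAlias:
    Type: String
    Description: This is the name of the AWS Backup KMS key alias.
    Default: AWSBackupSolutionKey
  pMemberBackupVaultName:
    Type: String
    Description: This is the name of the member account backup vaults.
    # Single-quoted so the backslashes stay literal. The minimum length is 2 to match the
    # ConstraintDescription (the pattern previously allowed 1).
    # NOTE(review): AWS Backup vault names are documented as alphanumerics plus '-' and '_';
    # confirm whether '.' should remain in this pattern.
    AllowedPattern: '^[a-zA-Z0-9\-\_\.]{2,50}$'
    ConstraintDescription: Backup vault name is case sensitive. Must contain from 2 to 50 alphanumeric and '-_.' characters.
    Default: AWSBackupSolutionVault
  # Customer Specific Tags - Example
  BusinessUnit:
    Description: Business Unit Name
    Type: String
    MinLength: '1'
    MaxLength: '255'
    AllowedValues:
      - Marketing
      - Engineering
      - 'R&D'
    ConstraintDescription: Must be a valid business unit
    Default: Engineering
  CostCenter:
    Description: Cost Center for AWS Services
    Type: String
    MinLength: '1'
    MaxLength: '255'
    # Quoted so the all-digit default stays a string rather than the integer 0.
    Default: '00000'
  Owner:
    Description: Email address of application owner
    Type: String
    Default: backupandrecoveryowner@example.com

Resources:
  # Regional customer-managed key that encrypts the member backup vault.
  rMemberAccountBackupKey:
    Type: AWS::KMS::Key
    # Recovery points in the vault are unreadable without this key, so never let a stack
    # delete or replacement schedule it for deletion; retire it deliberately instead.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F76
            reason: The principal is restricted by the condition statement
    Properties:
      Description: Symmetric AWS CMK for Member Account Backup Vault Encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: !Ref pBackupKeyAlias
        Statement:
          # Account root keeps full control so the key can always be administered through
          # IAM policies in this account. Partition is not hard-coded so the template also
          # works in GovCloud/China partitions, matching the other ARNs in this template.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # The backup role may use (not administer) the key, and only when the call is
          # made through the AWS Backup service in this region.
          - Sid: Allow use of the key by authorized Backup principal
            Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pCrossAccountBackupRoleName}'
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - 'kms:ReEncrypt*'
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
            Condition:
              StringEquals:
                'kms:CallerAccount': !Ref AWS::AccountId
                # URLSuffix yields the partition-correct endpoint domain (e.g. amazonaws.com.cn).
                'kms:ViaService': !Sub 'backup.${AWS::Region}.${AWS::URLSuffix}'
          # The wildcard principal (cfn_nag F76) is bounded to callers from this account
          # acting through CloudFormation, which is what the alias resource below needs.
          - Sid: Allow alias creation during setup
            Effect: Allow
            Principal:
              AWS: '*'
            Action: 'kms:CreateAlias'
            Resource: '*'
            Condition:
              StringEquals:
                'kms:CallerAccount': !Ref AWS::AccountId
                'kms:ViaService': !Sub 'cloudformation.${AWS::Region}.${AWS::URLSuffix}'
      Tags:
        - Key: BusinessUnit
          Value: !Ref BusinessUnit
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  rMemberAccountBackupKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${pBackupKeyAlias}'
      TargetKeyId: !Ref rMemberAccountBackupKey

  rMemberAccountBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref pMemberBackupVaultName
      EncryptionKeyArn: !GetAtt rMemberAccountBackupKey.Arn
      # NOTE(review): this statement grants backup:CopyIntoBackupVault to Principal '*'
      # with no Condition, and its Resource is the central vault ARN rather than this
      # vault. Confirm against the AWS Backup cross-account copy documentation that this
      # is the intended placement, and consider bounding the principal with an
      # aws:PrincipalOrgID condition so only accounts in the organization qualify.
      AccessPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Allow access to backup vault for copy operations to centralized backup vault
            Effect: Allow
            Action: backup:CopyIntoBackupVault
            Resource: !Ref CentralBackupVaultArn
            Principal: '*'

Outputs:
  oMemberAccountBackupVault:
    Description: Name of the member account backup vault created by this stack.
    Value: !Ref rMemberAccountBackupVault
  oMemberAccountKMSKey:
    Description: Key ID of the KMS key that encrypts the member account backup vault.
    Value: !Ref rMemberAccountBackupKey
  oOrgAccountBackupRole:
    Description: ARN of the cross-account backup role expected to exist in this account.
    Value: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pCrossAccountBackupRoleName}'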