-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathaws-backup-member-account.yaml
137 lines (136 loc) · 4.56 KB
/
aws-backup-member-account.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
AWSTemplateFormatVersion: '2010-09-09'
Description: >
This template creates the Backup KMS Key and Vault required for the automated centralized backup at scale in AWS Organizations using AWS Backup.
It should be deployed in each member account.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: AWS Backup Configuration
Parameters:
- pCrossAccountBackupRole
- pBackupKeyAlias
- pMemberBackupVaultName
- pOrganizationId
- pTagKey1
- pTagValue1
ParameterLabels:
pCrossAccountBackupRole:
default: Enter the name of the Backup IAM Role
pBackupKeyAlias:
default: Name of the AWS Backup KMS key Alias
pMemberBackupVaultName:
default: Name of the AWS Backup vault (Case sensitive)
pOrganizationId:
default: Organization ID
pTagKey1:
default: Enter a Tag Key
pTagValue1:
default: Enter a Tag Value
Parameters:
pCrossAccountBackupRole:
Type: String
Description: This is the name for the cross-account backup role that carries out the backup activities.
pBackupKeyAlias:
Type: String
Description: This is the name of the AWS Backup KMS key alias.
pMemberBackupVaultName:
Type: String
Description: This is the name of the member account backup vaults.
AllowedPattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
ConstraintDescription: Backup vault name is case sensitive. Must contain from 2 to 50 alphanumeric and '-_' characters.
pOrganizationId:
Type: String
Description: This is the AWS Organization ID value.
MinLength: 12
MaxLength: 12
AllowedPattern: '^o-[a-z0-9]{10,32}$'
ConstraintDescription: >
The Organization Id must be a 12 character string starting with o- and followed by 10 lower case
alphanumeric characters
pTagKey1:
Type: String
Description: This is the tag key to assign to resources.
pTagValue1:
Type: String
Description: This is the tag value to assign to resources.
Resources:
rMemberAccountBackupKey:
Type: AWS::KMS::Key
Metadata:
cfn_nag:
rules_to_suppress:
- id: F76
reason: The principal is restricted by the condition statement
Properties:
Description: Symmetric AWS CMK for Member Account Backup Vault Encryption
EnableKeyRotation: True
KeyPolicy:
Version: "2012-10-17"
Id: !Sub ${pBackupKeyAlias}
Statement:
-
Sid: "Enable IAM User Permissions"
Effect: "Allow"
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: "kms:*"
Resource: "*"
-
Sid: Allow use of the key by authorized Backup principal
Effect: "Allow"
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/${pCrossAccountBackupRole}
Action:
- kms:DescribeKey
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey
- kms:GenerateDataKeyWithoutPlaintext
Resource: "*"
Condition:
StringEquals:
"kms:ViaService": !Sub "backup.amazonaws.com"
-
Sid: Allow alias creation during setup
Effect: "Allow"
Principal:
AWS: "*"
Action: "kms:CreateAlias"
Resource: "*"
Condition:
StringEquals:
"kms:CallerAccount": !Sub ${AWS::AccountId}
"kms:ViaService": !Sub "cloudformation.${AWS::Region}.amazonaws.com"
Tags:
- Key: !Ref pTagKey1
Value: !Ref pTagValue1
rMemberAccountBackupKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: !Sub alias/${pBackupKeyAlias}
TargetKeyId:
!Ref rMemberAccountBackupKey
rMemberAccountBackupVault:
Type: AWS::Backup::BackupVault
Properties:
BackupVaultName: !Ref pMemberBackupVaultName
EncryptionKeyArn: !GetAtt rMemberAccountBackupKey.Arn
AccessPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow access to backup vault"
Effect: Allow
Action: backup:CopyIntoBackupVault
Resource: "*"
Principal: "*"
Condition:
StringEquals:
aws:PrincipalOrgID: !Ref pOrganizationId
Outputs:
oMemberAccountBackupVault:
Value: !Ref rMemberAccountBackupVault
oMemberAccountKMSKey:
Value: !Ref rMemberAccountBackupKey