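# Central backup account resources for AWS Backup in an AWS Organization:
# a service role for AWS Backup, a customer-managed KMS key plus alias, and a
# backup vault encrypted with that key whose access policy lets principals in
# the organization copy recovery points into it.
AWSTemplateFormatVersion: '2010-09-09'
# NOTE(review): the file name and the resource names (rCentralBackupVault,
# rCentralAccountBackupKey) point at the central backup account, while the last
# sentence below says "each member account" — confirm the intended deployment
# target and correct whichever is wrong.
Description: >-
  This template creates the central backup KMS Key and Vault required for the
  automated centralized backup at scale in AWS Organizations using AWS Backup.
  It should be deployed in each member account.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Backup Configuration
        Parameters:
          - pCrossAccountBackupRole
          - pBackupKeyAlias
          - pCentralBackupVaultName
          - pOrganizationId
          - pTagKey1
          - pTagValue1
    ParameterLabels:
      pCrossAccountBackupRole:
        default: Enter an IAM Role Name
      pBackupKeyAlias:
        default: Backup KMS Key Alias Name
      pCentralBackupVaultName:
        default: Backup vault name (Case sensitive)
      pOrganizationId:
        default: Organization ID
      pTagKey1:
        default: Tag Key
      pTagValue1:
        default: Tag Value

Parameters:
  pCrossAccountBackupRole:
    Type: String
    Description: This is the IAM role name for the cross-account backup role that carries out the backup activities.
  pBackupKeyAlias:
    Type: String
    Description: This is the name of the AWS Backup KMS key alias.
  pCentralBackupVaultName:
    Type: String
    Description: This is the name of the centralized account backup vault.
    # Single-quoted so the backslashes reach CloudFormation unchanged and the
    # pattern is quoted like pOrganizationId's below.
    AllowedPattern: '^[a-zA-Z0-9\-\_\.]{1,50}$'
    ConstraintDescription: Backup vault name is case sensitive.
  pOrganizationId:
    Type: String
    Description: This is the AWS Organization ID value.
    # NOTE(review): MinLength/MaxLength pin the value to exactly 12 characters,
    # while AllowedPattern admits 10-32 characters after "o-"; the length bounds
    # are the effective limit. Confirm the intended range and align the two.
    MinLength: 12
    MaxLength: 12
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: >
      The Organization Id must be a 12 character string starting with o- and followed by 10 lower case
      alphanumeric characters
  pTagKey1:
    Type: String
    Description: This is the tag key to assign to resources.
  pTagValue1:
    Type: String
    Description: This is the tag value to assign to resources.

Resources:
  # Service role assumed only by the AWS Backup service principal; it carries the
  # two AWS-managed backup/restore policies and no inline permissions.
  rOrgAccountBackupRoleCentral:
    Type: "AWS::IAM::Role"
    Properties:
      Description: Allows AWS Backup to access AWS services
      AssumeRolePolicyDocument:
        # Quoted like the other policy documents in this template so generic
        # YAML tooling does not read the version as a date.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
      # Fixed role name from the parameter; the stack therefore needs
      # CAPABILITY_NAMED_IAM when created or updated.
      RoleName: !Sub ${pCrossAccountBackupRole}
      Tags:
        - Key: !Ref pTagKey1
          Value: !Ref pTagValue1

  # Customer-managed key that encrypts the central backup vault.
  rCentralAccountBackupKey:
    Type: AWS::KMS::Key
    Metadata:
      cfn_nag:
        rules_to_suppress:
          # F76 flags the "*" principal in the alias-creation statement; that
          # statement is scoped by its Condition block (see below).
          - id: F76
            reason: The principal is restricted by the condition statement
    Properties:
      Description: "Backup Key"
      # Canonical lowercase boolean (was `True`).
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Sub ${pBackupKeyAlias}
        Statement:
          # Full key administration stays with this account's root principal,
          # so IAM policies in this account can grant further access.
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # The "*" principal is narrowed to kms:CreateAlias requests made from
          # this account and issued via CloudFormation in this region, which is
          # what rCentralAccountBackupKeyAlias needs during stack creation.
          - Sid: "Allow alias creation during setup"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action: "kms:CreateAlias"
            Resource: "*"
            Condition:
              StringEquals:
                "kms:CallerAccount": !Sub ${AWS::AccountId}
                "kms:ViaService": !Sub "cloudformation.${AWS::Region}.amazonaws.com"
      Tags:
        - Key: !Ref pTagKey1
          Value: !Ref pTagValue1

  rCentralAccountBackupKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${pBackupKeyAlias}
      TargetKeyId: !Ref rCentralAccountBackupKey

  # Central vault, encrypted with the key above. The access policy grants only
  # backup:CopyIntoBackupVault, and only to principals whose aws:PrincipalOrgID
  # matches pOrganizationId; no other vault actions are granted here.
  rCentralBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref pCentralBackupVaultName
      EncryptionKeyArn: !GetAtt rCentralAccountBackupKey.Arn
      AccessPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Allow access to backup vault"
            Effect: Allow
            Action: backup:CopyIntoBackupVault
            Resource: "*"
            Principal: "*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref pOrganizationId

Outputs:
  oCentralBackupVault:
    Value: !Ref rCentralBackupVault
  oOrgAccountBackupRoleCentral:
    Value: !Ref rOrgAccountBackupRoleCentral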