How To Create An Audit Framework In AWS Backup Service
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
AWS Backup can also be used to audit your backup compliance with respect to your organization's RTO/RPO policy. A backup audit framework lets you define your backup audit specification and then evaluate your resources and backups against that specification.
AWS Backup Audit Manager can be used to identify whether all supported resources are being backed up, whether the backups are encrypted, and so on. You can also generate backup audit compliance reports once you have configured the backup audit specification.
Note: The AWS Backup audit framework relies on AWS Config recording, so AWS Config must be enabled before creating the audit framework.
In today's blog post we will discuss how to create a backup audit specification using an audit framework in AWS Backup. First, we will enable AWS Config for the specific Backup and Config resource types the framework needs, then we will create a backup framework to define the audit specification, and finally we will check how to get backup compliance data.
Warning: There is additional cost associated with this demo; please refer to the AWS Backup and AWS Config pricing documents for details.
How To Create An Audit Framework In AWS Backup Service:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an S3 bucket with a proper bucket policy to store Config recordings.
```bash
## ----------------------------------------------
## Create an S3 bucket to store Config recordings
## ----------------------------------------------

## Create the S3 bucket
aws s3api create-bucket \
--bucket s3-for-config-recording \
--region ap-south-1 \
--create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for Config
cat <<'EOF' > config_bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-config-recording/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
EOF

## Apply the bucket policy for Config
aws s3api put-bucket-policy \
--bucket s3-for-config-recording \
--policy file://config_bucket_policy.json
```
Step 2: Create an IAM role for AWS Config service.
```bash
## -----------------------------------------
## Create an IAM role for AWS Config Service
## -----------------------------------------

## Create the assume-role (trust) policy definition
cat <<'EOF' > config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create the IAM role
aws iam create-role \
--role-name config_iam_role \
--assume-role-policy-document file://config_assume_role_policy.json

## Create the IAM policy definition that lets Config write to the S3 bucket
cat <<'EOF' > config_iam_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:PutObjectAcl" ],
      "Resource": [ "arn:aws:s3:::s3-for-config-recording/*" ],
      "Condition": {
        "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetBucketAcl" ],
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    }
  ]
}
EOF

## Attach the above inline policy to the role
aws iam put-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy \
--policy-document file://config_iam_policy.json

## Attach the AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```
Step 3: Create an IAM role for AWS Backup service.
```bash
## -----------------------------------------
## Create an IAM role for AWS Backup Service
## -----------------------------------------

## Create the assume-role (trust) policy definition
cat <<'EOF' > backup_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "backup.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create the IAM role
aws iam create-role \
--role-name backup_iam_role \
--assume-role-policy-document file://backup_assume_role_policy.json

## Attach the AWS managed backup and restore policies to the role
aws iam attach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam attach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

## Get the role ARNs (jq is used to read the account id)
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
BACKUP_IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/backup_iam_role &&
CONFIG_IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/config_iam_role &&
echo $BACKUP_IAM_ROLE_ARN &&
echo $CONFIG_IAM_ROLE_ARN
```
Step 4: Enable AWS Config for the backup-related resource types that need to be recorded.
```bash
## ---------------------
## Enable Config service
## ---------------------

## Create the recording group configuration
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": [
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
    "AWS::Config::ResourceCompliance"
  ]
}
EOF

## Create the configuration recorder using the AWS CLI
aws configservice put-configuration-recorder \
--configuration-recorder name=myconfig,roleARN=$CONFIG_IAM_ROLE_ARN \
--recording-group file://config_recording_group.json

## Create the Config delivery channel configuration file
cat << EOF > config_delivery_channel.json
{
  "name": "myconfig",
  "s3BucketName": "s3-for-config-recording",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "One_Hour"
  }
}
EOF

## Create the Config delivery channel
aws configservice put-delivery-channel \
--delivery-channel file://config_delivery_channel.json

## Start recording configurations for the recording group
aws configservice start-configuration-recorder \
--configuration-recorder-name myconfig
```
Observe that we have enabled Config recording only for the specific resource types that the backup audit framework needs in order to work.
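Because the framework silently produces no findings when Config is not recording the right types, it is worth checking the recording group before moving on. The following preflight check is an added example, not part of the original post: it verifies that a recording-group JSON file (such as the config_recording_group.json written above) lists every resource type the framework depends on, and it assumes the recorder is named myconfig as in the post.

```bash
# Resource types the backup audit framework depends on (same list as in
# config_recording_group.json above).
REQUIRED_TYPES="AWS::Backup::BackupPlan
AWS::Backup::BackupSelection
AWS::Backup::BackupVault
AWS::Backup::RecoveryPoint
AWS::Config::ResourceCompliance"

# check_recording_group FILE
# Prints every required type missing from the recording group in FILE.
# Returns 0 when all required types are covered, 1 otherwise.
check_recording_group() {
  file="$1"
  missing=0
  # A recorder with allSupported=true records every type, so accept it as-is.
  if grep -q '"allSupported": *true' "$file"; then
    return 0
  fi
  for t in $REQUIRED_TYPES; do
    if ! grep -q "\"$t\"" "$file"; then
      echo "missing resource type: $t"
      missing=1
    fi
  done
  return $missing
}

# check_live_recorder
# Assumption: the recorder is named myconfig (as in Step 4). Pulls its
# recordingGroup from the account and runs the same check on it.
check_live_recorder() {
  tmp=$(mktemp)
  aws configservice describe-configuration-recorders \
    --configuration-recorder-names myconfig \
    --query 'ConfigurationRecorders[0].recordingGroup' \
    --output json > "$tmp"
  check_recording_group "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Check the local file from Step 4 if it exists in the working directory.
if [ -f config_recording_group.json ]; then
  check_recording_group config_recording_group.json ||
    echo "fix the recording group before creating the framework"
fi
```

Run check_live_recorder after start-configuration-recorder to confirm that what is actually deployed matches the file; a non-zero return means at least one required type is not being recorded.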
Now we are ready to create the backup audit framework.
Step 5: Create a backup audit framework with controls.
```bash
## ----------------------------------
## Create a framework with controls
## ----------------------------------

## Create the framework control definition
cat << EOF > backup_control.json
[
  {
    "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
    "ControlInputParameters": [],
    "ControlScope": {
      "ComplianceResourceTypes": ["EC2", "EBS", "RDS"]
    }
  }
]
EOF

## Create a new framework
aws backup create-framework \
--framework-name myframework \
--framework-description backupcheck \
--framework-controls file://backup_control.json

## List all available frameworks
aws backup list-frameworks

## Get details on the framework
aws backup describe-framework \
--framework-name myframework
## Wait till "DeploymentStatus": "COMPLETED"
```
We have successfully created the backup audit framework with a control that validates whether all supported resources in our account are covered by AWS Backup.
Unfortunately, at the time of writing this blog, I can't find any Backup API to get the compliance status of the audit framework findings. But you can check the same from the AWS console, under AWS Backup => Frameworks => Controls, or directly in AWS Config.
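Since the framework's findings surface in AWS Config, the compliance status can be pulled from the Config CLI instead of the console. The block below is an added example, not code from the original post. It assumes (this is not stated on the page) that the Config rules created by the framework carry the control name BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN in their rule name, and the sample input it runs offline is constructed, not real AWS output.

```bash
# Control whose Config rules we want to summarize (from backup_control.json).
CONTROL=BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN

# fetch_rule_compliance
# Emits one "RULE_NAME<tab>COMPLIANCE_TYPE" line per Config rule in the account.
fetch_rule_compliance() {
  aws configservice describe-compliance-by-config-rule \
    --query 'ComplianceByConfigRules[].[ConfigRuleName,Compliance.ComplianceType]' \
    --output text
}

# summarize_control_compliance CONTROL_NAME
# Reads the lines above on stdin, keeps only rules whose name contains
# CONTROL_NAME (assumption: framework rules embed the control name) and
# prints a one-line tally of COMPLIANT / NON_COMPLIANT / INSUFFICIENT_DATA.
summarize_control_compliance() {
  awk -v ctl="$1" '
    index($1, ctl) > 0 { n[$2]++; total++ }
    END {
      printf "rules=%d compliant=%d non_compliant=%d insufficient_data=%d\n",
        total + 0, n["COMPLIANT"] + 0, n["NON_COMPLIANT"] + 0, n["INSUFFICIENT_DATA"] + 0
    }'
}

# list_noncompliant_resources RULE_NAME
# Prints the resource ids that a given rule currently flags as NON_COMPLIANT,
# i.e. the resources the control says are not protected by a backup plan.
list_noncompliant_resources() {
  aws configservice get-compliance-details-by-config-rule \
    --config-rule-name "$1" \
    --compliance-types NON_COMPLIANT \
    --query 'EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId' \
    --output text
}

# Constructed sample of the fetch_rule_compliance output (not real AWS data),
# so the summary can be exercised without credentials.
SAMPLE_RULES=$(printf '%s-abc123\tNON_COMPLIANT\n%s-def456\tCOMPLIANT\nsome-unrelated-rule\tCOMPLIANT\n' \
  "$CONTROL" "$CONTROL")

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | summarize_control_compliance "$CONTROL"
```

Against a live account, replace the sample with `fetch_rule_compliance | summarize_control_compliance "$CONTROL"`; any non_compliant count above zero is the signal to run list_noncompliant_resources on that rule and add the listed resources to a backup plan.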
Next, we will delete all the resources that were created in this demo.
Step 6: Clean up.
```bash
## --------
## Cleanup
## --------

## Delete the framework
aws backup delete-framework \
--framework-name myframework

## Stop the Config recorder
aws configservice stop-configuration-recorder \
--configuration-recorder-name myconfig

## Delete the Config delivery channel
aws configservice delete-delivery-channel \
--delivery-channel-name myconfig

## Delete the Config recorder (disables Config)
aws configservice delete-configuration-recorder \
--configuration-recorder-name myconfig

## Delete the S3 bucket along with its objects (configuration items)
aws s3 rb \
s3://s3-for-config-recording --force

## Delete the IAM roles and policies
aws iam detach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy &&
aws iam delete-role \
--role-name config_iam_role &&
aws iam detach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam detach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores &&
aws iam delete-role \
--role-name backup_iam_role
```
Hope you have enjoyed this article. To know more about AWS Backup, please refer to the official documentation below.
https://docs.aws.amazon.com/aws-backup/index.html