


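# Backup policy syntax and examples
<a name="orgs_manage_policies_backup_syntax"></a>

This page describes backup policy syntax and provides examples.

## Syntax for backup policies
<a name="backup-policy-syntax-reference"></a>

A backup policy is a plaintext file that is structured according to the rules of [JSON](http://json.org). The syntax for backup policies follows the syntax for all management policy types. For more information, see [Policy syntax and inheritance for management policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html). This topic focuses on applying that general syntax to the specific requirements of the backup policy type.

For more information about AWS Backup plans, see [CreateBackupPlan](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_CreateBackupPlan.html) in the *AWS Backup Developer Guide*.

## Considerations
<a name="backup-policy-syntax-considerations"></a>

**Policy syntax**

Duplicate key names are rejected in JSON.

A policy must specify the AWS Regions and resources to be backed up.

A policy must specify the IAM role that AWS Backup assumes.

Using the `@@assign` operator at the same level can overwrite existing settings. For more information, see [A child policy overrides settings in a parent policy](#backup-policy-example-5).

Inheritance operators control how inherited policies and account policies merge into the account's effective policy. These operators include value-setting operators and child control operators.

For more information, see [Inheritance operators](policy-operators.md) and [Backup policy examples](#backup-policy-examples).

**IAM roles**

The IAM role must exist when the backup plan is created for the first time.

The IAM role must have permission to access the resources identified by the tag query.

The IAM role must have permission to perform the backup.

**Backup vaults**

Each specified vault must exist in the AWS Region before the backup plan runs.

A vault must exist for each AWS account that receives the effective policy. For more information, see [Backup vault creation and deletion](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault.html) in the *AWS Backup Developer Guide*.

We recommend that you use AWS CloudFormation stack sets and their integration with Organizations to automatically create and configure backup vaults and IAM roles for each member account in the organization. For more information, see [Create a stack set with self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#create-stack-set-service-managed-permissions) in the *AWS CloudFormation User Guide*.

**Quotas**

For a list of quotas, see [AWS Backup quotas](https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-limits.html#aws-backup-policies-quotas-table) in the *AWS Backup Developer Guide*.

## Backup syntax: overview
<a name="backup-policy-syntax-components"></a>

The backup policy syntax includes the following components: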

```
{
    "plans": {
        "PlanName": {
            "rules": { ... },
            "regions": { ... },
            "selections": { ... },
            "advanced_backup_settings": { ... },
            "backup_plan_tags": { ... },
            "scan_settings": { ... }
        }
    }
}
```


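**Backup policy elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| [rules](#backup-policy-rules) | A list of backup rules. Each rule defines when backups start and the execution window for the resources specified in the regions and selections elements. | Yes | 
| [regions](#backup-plan-regions) | A list of the AWS Regions where a backup policy can protect resources. | Yes | 
| [selections](#backup-plan-selections) | One or more resource types in the specified regions that the backup rules protect. | Yes | 
| [advanced\_backup\_settings](#advanced-backup-settings) | Configuration options for specific backup scenarios. Currently, the only advanced backup setting that is supported is enabling Microsoft Volume Shadow Copy Service (VSS) backups for Windows or SQL Server running on an Amazon EC2 instance. | No | 
| [backup\_plan\_tags](#backup-plan-tags) | Tags that you want to associate with a backup plan. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter your backup plans. | No | 
| [scan\_settings](#scan-settings) | Configuration options for scan settings. Currently, the only supported scan setting is enabling Amazon GuardDuty Malware Protection for AWS Backup. | No | 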

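## Backup syntax: rules
<a name="backup-policy-rules"></a>

The `rules` policy key specifies the scheduled backup tasks that AWS Backup performs on the selected resources.


**Backup rule elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| schedule\_expression | A cron expression in UTC that specifies when AWS Backup initiates a backup job. For information about cron expressions, see [Using cron and rate expressions to schedule rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) in the *Amazon EventBridge User Guide*. | Yes | 
| target\_backup\_vault\_name | The backup vault where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the AWS Region where they are created. | Yes | 
| target\_logically\_air\_gapped\_backup\_vault\_arn | The ARN of the logically air-gapped vault where backups are stored. If provided, supported fully managed resources back up directly to the logically air-gapped vault, while other supported resources create a temporary (billable) snapshot in the backup vault and then copy it to the logically air-gapped vault. Unsupported resources back up only to the specified backup vault. The ARN must use the special placeholders `$region` and `$account`. For example, for a vault named `AirGappedVault`, the correct value is `arn:aws:backup:$region:$account:backup-vault:AirGappedVault`. | No | 
| start\_backup\_window\_minutes | The number of minutes to wait before canceling a backup job if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. | No | 
| complete\_backup\_window\_minutes | The number of minutes after a backup job is successfully started before it must be completed, or it is canceled by AWS Backup. | No | 
| enable\_continuous\_backup | Specifies whether AWS Backup creates continuous backups. `True` causes AWS Backup to create continuous backups capable of point-in-time restore (PITR). `False` (or not specified) causes AWS Backup to create snapshot backups. For more information about continuous backups, see [Point-in-time recovery](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html) in the *AWS Backup Developer Guide*. **Note:** PITR-enabled backups have a maximum retention of 35 days. | No | 
| lifecycle | Specifies when AWS Backup transitions a backup to cold storage and when it expires. The resource types that can transition to cold storage are listed in the [Feature availability by resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-by-resource) table in the *AWS Backup Developer Guide*. Each lifecycle contains the following elements: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) **Note:** Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This means that `delete_after_days` must be 90 days greater than `move_to_cold_storage_after_days`.  | No | 
| copy\_actions | Specifies whether AWS Backup copies a backup to one or more additional locations. Each copy action contains the following elements: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) **Note:** Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This means that `delete_after_days` must be 90 days greater than `move_to_cold_storage_after_days`.  | No | 
| recovery\_point\_tags | Tags that you want to assign to resources that are restored from backup. Each tag contains the following elements: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) | No | 
| index\_actions | Specifies whether AWS Backup creates a backup index of your Amazon EBS snapshots and/or Amazon S3 backups. Backup indexes are created in order to search the metadata of your backups. For more information about backup index creation and backup search, see [Backup search](https://docs.aws.amazon.com//aws-backup/latest/devguide/backup-search.html#backup-search-overview). **Note:** Additional [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/backup-search.html#backup-search-access) are required to create backup indexes for Amazon EBS snapshots. Each index action contains the following element: `resource_types`, where the resource types supported for indexing are Amazon EBS and Amazon S3. This parameter specifies which resource types are selected for indexing. | No | 
| scan\_actions | Specifies whether scan actions are enabled for a given rule. You must specify `ScanMode`. To successfully start a scan job, `scan_actions` must be used in conjunction with the `scan_settings` backup policy element. Also make sure that you have the correct [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access). [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) | No | 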

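## Backup syntax: regions
<a name="backup-plan-regions"></a>

The `regions` policy key specifies the AWS Regions in which AWS Backup looks for resources that match the conditions in the `selections` key.


**Backup regions elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| regions | Specifies the AWS Region codes. For example: `["us-east-1", "eu-north-1"]`. | Yes | 

## Backup syntax: selections
<a name="backup-plan-selections"></a>

The `selections` policy key specifies the resources that are backed up by the rules in the backup policy.

There are two mutually exclusive elements: `tags` and `resources`. An effective policy **must** contain either `tags` or `resources` in the selection to be valid.

If you want a selection with both tag conditions and resource conditions, use the `resources` key.


**Backup selection elements: Tags**  

| Element | Description | Required | 
| --- | --- | --- | 
| iam\_role\_arn | The IAM role that AWS Backup assumes to query, discover, and back up resources in the specified Regions. The role must have sufficient permissions to query resources based on tag conditions and to perform backup operations on the matched resources.  | Yes | 
| tag\_key | The tag key name to search for. | Yes | 
| tag\_value | The value that must be associated with the matching tag\_key. AWS Backup includes the resource only if both tag\_key and tag\_value match (case sensitive). | Yes | 
| conditions | The tag keys and values that you want to include or exclude. Use string\_equals or string\_not\_equals to include or exclude tags with an exact match. Use string\_like and string\_not\_like to include or exclude tags that contain or do not contain specific characters. **Note:** Limited to 30 conditions for each selection. | No | 


**Backup selection elements: Resources**  

| Element | Description | Required | 
| --- | --- | --- | 
| iam\_role\_arn | The IAM role that AWS Backup assumes to query, discover, and back up resources in the specified Regions. The role must have sufficient permissions to query resources based on tag conditions and to perform backup operations on the matched resources. **Note:** In AWS GovCloud (US) Regions, you must add the partition name to the ARN. For example, "`arn:aws:ec2:*:*:volume/*`" must be "`arn:aws-us-gov:ec2:*:*:volume/*`". | Yes | 
| resource\_types | The resource types to include in the backup plan. | Yes | 
| not\_resource\_types | The resource types to exclude from the backup plan. | No | 
| conditions | The tag keys and values that you want to include or exclude. Use string\_equals or string\_not\_equals to include or exclude tags with an exact match. Use string\_like and string\_not\_like to include or exclude tags that contain or do not contain specific characters. **Note:** Limited to 30 conditions for each selection. | No | 

**Supported resource types**

Organizations supports the following resource types for the `resource_types` and `not_resource_types` elements:
+ AWS Backup gateway virtual machines: `"arn:aws:backup-gateway:*:*:vm/*"`
+ AWS CloudFormation stacks: `"arn:aws:cloudformation:*:*:stack/*"`
+ Amazon DynamoDB tables: `"arn:aws:dynamodb:*:*:table/*"`
+ Amazon EC2 instances: `"arn:aws:ec2:*:*:instance/*"`
+ Amazon EBS volumes: `"arn:aws:ec2:*:*:volume/*"`
+ Amazon EFS file systems: `"arn:aws:elasticfilesystem:*:*:file-system/*"`
+ Amazon Aurora/Amazon DocumentDB/Amazon Neptune: `"arn:aws:rds:*:*:cluster:*"`
+ Amazon RDS databases: `"arn:aws:rds:*:*:db:*"`
+ Amazon Redshift clusters: `"arn:aws:redshift:*:*:cluster:*"`
+ Amazon S3: `"arn:aws:s3:::*"`
+ AWS Systems Manager for SAP HANA databases: `"arn:aws:ssm-sap:*:*:HANA/*"`
+ AWS Storage Gateway gateways: `"arn:aws:storagegateway:*:*:gateway/*"`
+ Amazon Timestream databases: `"arn:aws:timestream:*:*:database/*"`
+ Amazon FSx file systems: `"arn:aws:fsx:*:*:file-system/*"`
+ Amazon FSx volumes: `"arn:aws:fsx:*:*:volume/*"`
+ Amazon Elastic Kubernetes Service clusters: `"arn:aws:eks:*:*:cluster/*"`

**Code examples**

For more information, see [Specifying resources with the tags block](#backup-policy-example-6) and [Specifying resources with the resources block](#backup-policy-example-7).

## Backup syntax: advanced backup settings
<a name="advanced-backup-settings"></a>

The `advanced_backup_settings` key specifies configuration options for specific backup scenarios. Each setting contains the following elements:


**Advanced backup settings elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| advanced\_backup\_settings | Specifies settings for specific backup scenarios. This key contains one or more settings. Each setting is a JSON object string. Currently, the only advanced backup setting that is supported is enabling Microsoft Volume Shadow Copy Service (VSS) backups for Windows or SQL Server running on an Amazon EC2 instance. Each advanced backup setting contains the following elements: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html)  | No | 

**Example**: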

```
"advanced_backup_settings": {
    "ec2": { 
        "windows_vss": {
            "@@assign": "enabled" 
        }
    }
},
```

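## Backup syntax: backup plan tags
<a name="backup-plan-tags"></a>

The `backup_plan_tags` policy key specifies the tags that are attached to the backup plan itself. This does not affect the tags specified for `rules` or `selections`.


**Backup plan tag elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| backup\_plan\_tags | Each tag is a label consisting of a user-defined key and value: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) | No | 

## Backup syntax: scan settings
<a name="scan-settings"></a>

The `scan_settings` policy key specifies the configuration for malware scanning with Amazon GuardDuty Malware Protection for AWS Backup. To successfully start a scan job, you must use `scan_settings` in conjunction with `scan_actions` in the backup rules.


**Scan settings elements**  

| Element | Description | Required | 
| --- | --- | --- | 
| scan\_settings | Configuration options for scan settings. Currently, the only supported scan setting is enabling Amazon GuardDuty Malware Protection for AWS Backup. You must specify `ResourceTypes` and `ScannerRoleArn`. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html) | No | 

**Example**:

The following shows how to configure `scan_actions` in a backup rule and `scan_settings` at the plan level to enable Amazon GuardDuty Malware Protection scanning.

`scan_actions` in a rule: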

```
"scan_actions": {
    "GUARDDUTY": {
        "scan_mode": {
            "@@assign": "INCREMENTAL_SCAN"
        }
    }
}
```

`scan_settings` at the plan level:

```
"scan_settings": {
    "GUARDDUTY": {
        "resource_types": {
            "@@assign": ["EBS"]
        },
        "scanner_role_arn": {
            "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole"
        }
    }
}
```
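The constraints stated in the rules, selections and scan settings sections can be checked before a policy is attached. The following Python linter is an added example, not part of the AWS documentation; the sample policy, the finding codes and the function names are constructed for illustration, and the checks assume the document is evaluated as if it were the effective policy.

```python
import json

# Constructed sample policy (not from this page); it breaks five rules on purpose.
SAMPLE_POLICY = """
{"plans": {"Demo_Plan": {
  "regions": {"@@assign": ["us-east-1"]},
  "rules": {"Daily": {
    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
    "start_backup_window_minutes": {"@@assign": "30"},
    "target_backup_vault_name": {"@@assign": "ExampleVault"},
    "target_logically_air_gapped_backup_vault_arn": {
      "@@assign": "arn:aws:backup:us-east-1:111111111111:backup-vault:AirGappedVault"},
    "lifecycle": {
      "move_to_cold_storage_after_days": {"@@assign": "30"},
      "delete_after_days": {"@@assign": "60"}},
    "scan_actions": {"GUARDDUTY": {"scan_mode": {"@@assign": "INCREMENTAL_SCAN"}}}
  }},
  "selections": {
    "tags": {"datatype": {
      "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
      "tag_key": {"@@assign": "dataType"},
      "tag_value": {"@@assign": ["PII"]}}},
    "resources": {"volumes": {
      "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
      "resource_types": {"@@assign": ["arn:aws:ec2:*:*:volume/*"]}}}
  }
}}}
"""

def reject_duplicates(pairs):
    """object_pairs_hook: duplicate key names are rejected, as the syntax requires."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key name: {key!r}")
        obj[key] = value
    return obj

def load_policy(text):
    return json.loads(text, object_pairs_hook=reject_duplicates)

def val(node):
    """Unwrap {"@@assign": x}; effective policies carry the bare value instead."""
    if isinstance(node, dict) and "@@assign" in node:
        return node["@@assign"]
    return node

def as_int(node):
    try:
        return int(val(node))
    except (TypeError, ValueError):
        return None

def children(node):
    """Named child objects of a node, skipping '@@' operator keys."""
    return [(k, v) for k, v in node.items()
            if not k.startswith("@@") and isinstance(v, dict)]

def check_lifecycle(lifecycle, path, out):
    cold = as_int(lifecycle.get("move_to_cold_storage_after_days"))
    delete = as_int(lifecycle.get("delete_after_days"))
    # Cold-storage backups stay at least 90 days before they can be deleted.
    if cold is not None and delete is not None and delete < cold + 90:
        out.append(("COLD_STORAGE_90_DAYS", path))

def lint_policy(policy):
    """Return a list of (finding_code, path) tuples; empty means no findings."""
    out = []
    for plan_name, plan in children(policy.get("plans", {})):
        p = f"plans.{plan_name}"
        for required in ("rules", "regions", "selections"):
            if required not in plan:
                out.append(("MISSING_REQUIRED", f"{p}.{required}"))
        sel = plan.get("selections")
        # tags and resources are mutually exclusive, and one of them is required.
        if sel is not None and ("tags" in sel) == ("resources" in sel):
            out.append(("TAGS_XOR_RESOURCES", f"{p}.selections"))
        for rule_name, rule in children(plan.get("rules", {})):
            r = f"{p}.rules.{rule_name}"
            for required in ("schedule_expression", "target_backup_vault_name"):
                if required not in rule:
                    out.append(("MISSING_REQUIRED", f"{r}.{required}"))
            window = as_int(rule.get("start_backup_window_minutes"))
            if window is not None and window < 60:
                out.append(("START_WINDOW_UNDER_60", r))
            arn = val(rule.get("target_logically_air_gapped_backup_vault_arn"))
            if isinstance(arn, str) and not ("$region" in arn and "$account" in arn):
                out.append(("AIRGAP_ARN_PLACEHOLDERS", r))
            if isinstance(rule.get("lifecycle"), dict):
                check_lifecycle(rule["lifecycle"], f"{r}.lifecycle", out)
            for name, copy in children(rule.get("copy_actions", {})):
                if isinstance(copy.get("lifecycle"), dict):
                    check_lifecycle(copy["lifecycle"], f"{r}.copy_actions.{name}.lifecycle", out)
            # A scan job only starts when scan_settings exists at the plan level.
            if "scan_actions" in rule and "scan_settings" not in plan:
                out.append(("SCAN_ACTIONS_WITHOUT_SETTINGS", r))
    return out

if __name__ == "__main__":
    for code, path in lint_policy(load_policy(SAMPLE_POLICY)):
        print(f"{code:32} {path}")
```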

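## Backup policy examples
<a name="backup-policy-examples"></a>

The example backup policies that follow are for information purposes only. In some of the following examples, the JSON whitespace formatting might be compressed to save space.
+ [Example 1: Policy assigned to a parent node](#backup-policy-example-1)
+ [Example 2: A parent policy is merged with a child policy](#backup-policy-example-2)
+ [Example 3: A parent policy prevents any changes by a child policy](#backup-policy-example-3)
+ [Example 4: A parent policy prevents changes to one backup plan by a child policy](#backup-policy-example-4)
+ [Example 5: A child policy overrides settings in a parent policy](#backup-policy-example-5)
+ [Example 6: Specifying resources with the tags block](#backup-policy-example-6)
+ [Example 7: Specifying resources with the resources block](#backup-policy-example-7)
+ [Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning](#backup-policy-example-8)

### Example 1: Policy assigned to a parent node
<a name="backup-policy-example-1"></a>

The following example shows a backup policy that is assigned to one of the parent nodes of an account.

**Parent policy** – This policy can be attached to the organization's root, or to any OU that is a parent of all of the intended accounts.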

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": {
                "@@assign": [
                    "ap-northeast-2",
                    "us-east-1",
                    "eu-north-1"
                ]
            },
            "rules": {
                "Hourly": {
                    "schedule_expression": {
                        "@@assign": "cron(0 5/1 ? * * *)"
                    },
                    "start_backup_window_minutes": {
                        "@@assign": "480"
                    },
                    "complete_backup_window_minutes": {
                        "@@assign": "10080"
                    },
                    "lifecycle": {
                        "move_to_cold_storage_after_days": {
                            "@@assign": "180"
                        },
                        "delete_after_days": {
                            "@@assign": "270"
                        },
                        "opt_in_to_archive_for_supported_resources": {
                            "@@assign": "false"
                        }
                    },
                    "target_backup_vault_name": {
                        "@@assign": "FortKnox"
                    },
                    "target_logically_air_gapped_backup_vault_arn": {
                        "@@assign": "arn:aws:backup:$region:$account:backup-vault:AirGappedVault"
                    },
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                     },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
                            "target_backup_vault_arn": {
                                "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"
                            },
                            "lifecycle": {
                                "move_to_cold_storage_after_days": {
                                    "@@assign": "30"
                                },
                                "delete_after_days": {
                                    "@@assign": "120"
                                },
                                "opt_in_to_archive_for_supported_resources": {
                                    "@@assign": "false"
                                }
                            }
                        },
                        "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault": {
                            "target_backup_vault_arn": {
                                "@@assign": "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault"
                            },
                            "lifecycle": {
                                "move_to_cold_storage_after_days": {
                                    "@@assign": "30"
                                },
                                "delete_after_days": {
                                    "@@assign": "120"
                                },
                                "opt_in_to_archive_for_supported_resources": {
                                    "@@assign": "false"
                                }
                            }
                        } 
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": {
                            "@@assign": "arn:aws:iam::$account:role/MyIamRole"
                        },
                        "tag_key": {
                            "@@assign": "dataType"
                        },
                        "tag_value": {
                            "@@assign": [
                                "PII",
                                "RED"
                            ]
                        }
                    }
                }
            },
            "advanced_backup_settings": {
                "ec2": {
                    "windows_vss": {
                        "@@assign": "enabled"
                    }
                }
            }
        }
    }
}
```

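If no other policies are inherited by or attached to the accounts, the effective policy rendered in each applicable AWS account looks like the following example. The CRON expression causes the backup to run once every hour. The account ID 123456789012 will be the actual account ID for each account.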

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": [
                "us-east-1",
                "ap-northeast-3",
                "eu-north-1"
            ],
            "rules": {
                "hourly": {
                    "schedule_expression": "cron(0 0/1 ? * * *)",
                    "start_backup_window_minutes": "60",
                    "target_backup_vault_name": "FortKnox",
                    "target_logically_air_gapped_backup_vault_arn": "arn:aws:backup:$region:$account:backup-vault:AirGappedVault",
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                     },
                    "lifecycle": {
                        "delete_after_days": "2",
                        "move_to_cold_storage_after_days": "180",
                        "opt_in_to_archive_for_supported_resources": "false"
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
                            "target_backup_vault_arn": {
                                "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"
                            },
                            "lifecycle": {
                                "delete_after_days": "28",
                                "move_to_cold_storage_after_days": "180",
                                "opt_in_to_archive_for_supported_resources": "false"
                            }
                        },
                        "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault": {
                            "target_backup_vault_arn": {
                                "@@assign": "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault"
                            },
                            "lifecycle": {
                                "delete_after_days": "28",
                                "move_to_cold_storage_after_days": "180",
                                "opt_in_to_archive_for_supported_resources": "false"
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": "arn:aws:iam::123456789012:role/MyIamRole",
                        "tag_key": "dataType",
                        "tag_value": [
                            "PII",
                            "RED"
                        ]
                    }
                }
            },
            "advanced_backup_settings": {
                "ec2": {
                    "windows_vss": "enabled"
                }
            }
        }
    }
}
```

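### Example 2: A parent policy is merged with a child policy
<a name="backup-policy-example-2"></a>

In the following example, an inherited parent policy and a child policy that is either inherited or directly attached to an AWS account merge to form the effective policy.

**Parent policy** – This policy can be attached to the organization's root or to any parent OU.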

```
{
    "plans": {
       "PII_Backup_Plan": {
            "regions": { "@@append":[ "us-east-1", "ap-northeast-3", "eu-north-1" ] },
            "rules": {
                "Hourly": {
                    "schedule_expression": { "@@assign": "cron(0 0/1 ? * * *)" },
                    "start_backup_window_minutes": { "@@assign": "60" },
                    "target_backup_vault_name": { "@@assign": "FortKnox" },
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                     },
                    "lifecycle": {
                        "move_to_cold_storage_after_days": { "@@assign": "28" },
                        "delete_after_days": { "@@assign": "180" },
                        "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" : {
                            "target_backup_vault_arn" : {
                                "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"
                            },
                            "lifecycle": {
                                "move_to_cold_storage_after_days": { "@@assign": "28" },
                                "delete_after_days": { "@@assign": "180" },
                                "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
                        "tag_key": { "@@assign": "dataType" },
                        "tag_value": { "@@assign": [ "PII", "RED" ] }
                    }
                }
            }
        }
    }
}
```

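**Child policy** – This policy can be attached directly to the account, or to an OU at any level below the one that the parent policy is attached to.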

```
{
    "plans": {
       "Monthly_Backup_Plan": {
            "regions": {
                "@@append":[ "us-east-1", "eu-central-1" ] },
            "rules": {
                "Monthly": {
                    "schedule_expression": { "@@assign": "cron(0 5 1 * ? *)" },
                    "start_backup_window_minutes": { "@@assign": "480" },
                    "target_backup_vault_name": { "@@assign": "Default" },
                    "lifecycle": {
                        "move_to_cold_storage_after_days": { "@@assign": "30" },
                        "delete_after_days": { "@@assign": "365" },
                        "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:Default" : {
                            "target_backup_vault_arn" : {
                                "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:Default"
                            },
                            "lifecycle": { 
                                "move_to_cold_storage_after_days": { "@@assign": "30" },
                                "delete_after_days": { "@@assign": "365" },
                                "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "MonthlyDatatype": {
                        "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyMonthlyBackupIamRole" },
                        "tag_key": { "@@assign": "BackupType" },
                        "tag_value": { "@@assign": [ "MONTHLY", "RED" ] }
                    }
                }
            }
        }
    }
}
```

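**Resulting effective policy** – The effective policy applied to the accounts contains two plans, each with its own set of rules and its own set of resources to apply the rules to.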

```
{
    "plans": {
       "PII_Backup_Plan": {
            "regions": [ "us-east-1", "ap-northeast-3", "eu-north-1" ],
            "rules": {
                "hourly": {
                    "schedule_expression": "cron(0 0/1 ? * * *)",
                    "start_backup_window_minutes": "60",
                    "target_backup_vault_name": "FortKnox",
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                     },
                    "lifecycle": {
                        "delete_after_days": "2",
                        "move_to_cold_storage_after_days": "180",
                        "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" : {
                            "target_backup_vault_arn" : {
                                "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"
                            },
                            "lifecycle": {
                                "move_to_cold_storage_after_days": "28",
                                "delete_after_days": "180",
                                "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": "arn:aws:iam::$account:role/MyIamRole",
                        "tag_key": "dataType",
                        "tag_value": [ "PII", "RED" ]
                    }
                }
            }
        },
        "Monthly_Backup_Plan": {
            "regions": [ "us-east-1", "eu-central-1" ],
            "rules": {
                "monthly": {
                    "schedule_expression": "cron(0 5 1 * ? *)",
                    "start_backup_window_minutes": "480",
                    "target_backup_vault_name": "Default",
                    "lifecycle": {
                        "delete_after_days": "365",
                        "move_to_cold_storage_after_days": "30",
                        "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:Default" : {
                            "target_backup_vault_arn": {
                                "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:Default"
                            },
                            "lifecycle": {
                                "move_to_cold_storage_after_days": "30",
                                "delete_after_days": "365",
                                "opt_in_to_archive_for_supported_resources": { "@@assign": "false" }
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "monthlydatatype": {
                        "iam_role_arn": "arn:aws:iam::&ExampleAWSAccountNo3;:role/MyMonthlyBackupIamRole",
                        "tag_key": "BackupType",
                        "tag_value": [ "MONTHLY", "RED" ]
                    }
                }
            }
        }
    }
}
```

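### Example 3: A parent policy prevents any changes by a child policy
<a name="backup-policy-example-3"></a>

In the following example, an inherited parent policy uses the [child control operators](policy-operators.md#child-control-operators) to enforce all settings and prevent them from being changed or overridden by a child policy.

**Parent policy** – This policy can be attached to the organization's root or to any parent OU. The presence of `"@@operators_allowed_for_child_policies": ["@@none"]` at every node of the policy means that a child policy can't make changes of any kind to the plan. A child policy also can't add other plans to the effective policy. This policy becomes the effective policy for every OU that it is attached to and for the accounts under those OUs.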

```
{
    "plans": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "PII_Backup_Plan": {
            "@@operators_allowed_for_child_policies": ["@@none"],
            "regions": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "@@append": [
                    "us-east-1",
                    "ap-northeast-3",
                    "eu-north-1"
                ]
            },
            "rules": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "Hourly": {
                    "@@operators_allowed_for_child_policies": ["@@none"],
                    "schedule_expression": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "@@assign": "cron(0 0/1 ? * * *)"
                    },
                    "start_backup_window_minutes": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "@@assign": "60"
                    },
                    "target_backup_vault_name": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "@@assign": "FortKnox"
                    },
                    "index_actions": {
                       "@@operators_allowed_for_child_policies": ["@@none"],
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                     },
                    "lifecycle": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "move_to_cold_storage_after_days": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": "28"
                        },
                        "delete_after_days": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": "180"
                        },
                        "opt_in_to_archive_for_supported_resources": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": "false"
                        }
                    },
                    "copy_actions": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "target_backup_vault_arn": {
                                "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault",
                                "@@operators_allowed_for_child_policies": ["@@none"]
                            },
                            "lifecycle": {
                                "@@operators_allowed_for_child_policies": ["@@none"],
                                "delete_after_days": {
                                    "@@operators_allowed_for_child_policies": ["@@none"],
                                    "@@assign": "28"
                                },
                                "move_to_cold_storage_after_days": {
                                    "@@operators_allowed_for_child_policies": ["@@none"],
                                    "@@assign": "180"
                                },
                                 "opt_in_to_archive_for_supported_resources": {
                                    "@@operators_allowed_for_child_policies": ["@@none"],
                                    "@@assign": "false"
                                }
                            }
                        }
                    }
                }
            },
            "selections": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "tags": {
                    "@@operators_allowed_for_child_policies": ["@@none"],
                    "datatype": {
                        "@@operators_allowed_for_child_policies": ["@@none"],
                        "iam_role_arn": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": "arn:aws:iam::$account:role/MyIamRole"
                        },
                        "tag_key": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": "dataType"
                        },
                        "tag_value": {
                            "@@operators_allowed_for_child_policies": ["@@none"],
                            "@@assign": [
                                "PII",
                                "RED"
                            ]
                        }
                    }
                }
            },
            "advanced_backup_settings": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "ec2": {
                    "@@operators_allowed_for_child_policies": ["@@none"],
                    "windows_vss": {
                        "@@assign": "enabled",
                        "@@operators_allowed_for_child_policies": ["@@none"]
                    }
                }
            }
        }
    }
}
```

**Resulting effective policy** – If any child backup policies exist, they are ignored and the parent policy becomes the effective policy.

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": [
                "us-east-1",
                "ap-northeast-3",
                "eu-north-1"
            ],
            "rules": {
                "hourly": {
                    "schedule_expression": "cron(0 0/1 ? * * *)",
                    "start_backup_window_minutes": "60",
                    "target_backup_vault_name": "FortKnox",
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                    },
                    "lifecycle": {
                        "delete_after_days": "2",
                        "move_to_cold_storage_after_days": "180",
                        "opt_in_to_archive_for_supported_resources": "false"
                    },
                    "copy_actions": {
                        "target_backup_vault_arn": "arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault",
                        "lifecycle": {
                            "move_to_cold_storage_after_days": "28",
                            "delete_after_days": "180",
                            "opt_in_to_archive_for_supported_resources": "false"
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": "arn:aws:iam::123456789012:role/MyIamRole",
                        "tag_key": "dataType",
                        "tag_value": [
                            "PII",
                            "RED"
                        ]
                    }
                }
            },
            "advanced_backup_settings": {
                "ec2": {"windows_vss": "enabled"}
            }
        }
    }
}
```

### Example 4: A parent policy prevents changes to one backup plan by a child policy
<a name="backup-policy-example-4"></a>

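In the following example, an inherited parent policy uses the [child control operators](policy-operators.md#child-control-operators) to enforce the settings for a single plan and prevent them from being changed or overridden by a child policy. The child policy can still add other plans.

**Parent policy** – This policy can be attached to the organization's root or to any parent OU. This example is similar to the previous one, with all child inheritance operators blocked except at the `plans` top level. The `@@append` setting at that level enables child policies to add other plans to the collection in the effective policy. Any changes to the inherited plan are still blocked.

The sections in the plan are truncated for clarity.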

```
{
    "plans": {
        "@@operators_allowed_for_child_policies": ["@@append"],
        "PII_Backup_Plan": {
            "@@operators_allowed_for_child_policies": ["@@none"],
            "regions": { ... },
            "rules": { ... },
            "selections": { ... }
        }
    }
}
```

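**Child policy** – This policy can be attached directly to the account, or to an OU at any level below the one the parent policy is attached to. This child policy defines a new plan.

The sections in the plan are truncated for clarity.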

```
{
    "plans": {
        "MonthlyBackupPlan": {
            "regions": { ... },
            "rules": { ... },
            "selections": { … }
        }
    }
}
```

**Resulting effective policy** – The effective policy includes both plans.

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": { ... },
            "rules": { ... },
            "selections": { ... }
        },
        "MonthlyBackupPlan": {
            "regions": { ... },
            "rules": { ... },
            "selections": { … }
        }
    }
}
```

### Example 5: A child policy overrides settings in a parent policy
<a name="backup-policy-example-5"></a>

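In the following example, a child policy uses [value-setting operators](policy-operators.md#value-setting-operators) to override some of the settings inherited from a parent policy.

**Parent policy** – This policy can be attached to the organization's root or to any parent OU. A child policy can override any of the settings because, in the absence of a [child-control operator](policy-operators.md#child-control-operators) that prevents it, the default behavior is to allow the child policy to `@@assign`, `@@append`, or `@@remove`. The parent policy contains all of the elements required for a valid backup plan, so it backs up your resources successfully if it is inherited as is.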

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": {
                "@@append": [
                    "us-east-1",
                    "ap-northeast-3",
                    "eu-north-1"
                ]
            },
            "rules": {
                "Hourly": {
                    "schedule_expression": {"@@assign": "cron(0 0/1 ? * * *)"},
                    "start_backup_window_minutes": {"@@assign": "60"},
                    "target_backup_vault_name": {"@@assign": "FortKnox"},
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                    },
                    "lifecycle": {
                        "delete_after_days": {"@@assign": "2"},
                        "move_to_cold_storage_after_days": {"@@assign": "180"},
                        "opt_in_to_archive_for_supported_resources": {"@@assign": false}
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:t2": {
                            "target_backup_vault_arn": {"@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:t2"},
                            "lifecycle": {
                                "move_to_cold_storage_after_days": {"@@assign": "28"},
                                "delete_after_days": {"@@assign": "180"},
                                "opt_in_to_archive_for_supported_resources": {"@@assign": false}
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
                        "tag_key": {"@@assign": "dataType"},
                        "tag_value": {
                            "@@assign": [
                                "PII",
                                "RED"
                            ]
                        }
                    }
                }
            }
        }
    }
}
```

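**Child policy** – The child policy includes only the settings that need to differ from the inherited parent policy. There must be an inherited parent policy that provides the other required settings when merged into an effective policy. Otherwise, the effective backup policy contains a backup plan that is not valid and doesn't back up your resources as expected.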

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": {
                "@@assign": [
                    "us-west-2",
                    "eu-central-1"
                ]
            },
            "rules": {
                "Hourly": {
                    "schedule_expression": {"@@assign": "cron(0 0/2 ? * * *)"},
                    "start_backup_window_minutes": {"@@assign": "80"},
                    "target_backup_vault_name": {"@@assign": "Default"},
                    "lifecycle": {
                        "move_to_cold_storage_after_days": {"@@assign": "30"},
                        "delete_after_days": {"@@assign": "365"},
                        "opt_in_to_archive_for_supported_resources": {"@@assign": false}
                    }
                }
            }
        }
    }
}
```

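**Resulting effective policy** – The effective policy includes settings from both policies, with the settings provided by the child policy overriding those inherited from the parent. In this example, the following changes occur:
+ The list of Regions is replaced with a completely different list. If you want to add Regions to the inherited list, use `@@append` instead of `@@assign` in the child policy.
+ AWS Backup runs every other hour instead of hourly.
+ AWS Backup allows 80 minutes for the backup to start instead of 60 minutes.
+ AWS Backup uses the `Default` vault instead of `FortKnox`.
+ The lifecycle is extended for both the transfer to cold storage and the eventual deletion of the backup.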

```
{
    "plans": {
        "PII_Backup_Plan": {
            "regions": [
                "us-west-2",
                "eu-central-1"
            ],
            "rules": {
                "hourly": {
                    "schedule_expression": "cron(0 0/2 ? * * *)",
                    "start_backup_window_minutes": "80",
                    "target_backup_vault_name": "Default",
                    "index_actions": {
                        "resource_types": {
                            "@@assign": [
                                "EBS",
                                "S3"
                            ]
                        }
                    },
                    "lifecycle": {
                        "delete_after_days": "365",
                        "move_to_cold_storage_after_days": "30",
                        "opt_in_to_archive_for_supported_resources": "false"
                    },
                    "copy_actions": {
                        "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
                            "target_backup_vault_arn": {"@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"},
                            "lifecycle": {
                                "move_to_cold_storage_after_days": "28",
                                "delete_after_days": "180",
                                "opt_in_to_archive_for_supported_resources": "false"
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "datatype": {
                        "iam_role_arn": "arn:aws:iam::$account:role/MyIamRole",
                        "tag_key": "dataType",
                        "tag_value": [
                            "PII",
                            "RED"
                        ]
                    }
                }
            }
        }
    }
}
```
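The merges in Examples 4 and 5 can be reproduced locally to preview what a child policy will actually change before it is attached. The following is an added example, not AWS code: it assumes a child-control operator governs only the node it sits on, that adding a key the parent lacks counts as `@@append` at that level, and that blocked child settings are ignored. The function names and the cut-down policies are constructed for illustration.

```python
import copy

CONTROL = "@@operators_allowed_for_child_policies"
VALUE_OPS = ("@@assign", "@@append", "@@remove")

def _allowed(parent_node, op):
    """True if the parent node lets a child use `op` here (default: all allowed)."""
    allowed = (parent_node or {}).get(CONTROL, ["@@all"])
    return "@@all" in allowed or op in allowed

def _is_leaf(node):
    return isinstance(node, dict) and any(op in node for op in VALUE_OPS)

def _apply(value, ops):
    """Apply a node's value-setting operators to the inherited value."""
    if "@@assign" in ops:
        value = copy.deepcopy(ops["@@assign"])
    if "@@append" in ops:
        value = list(value or [])
        value += [v for v in ops["@@append"] if v not in value]
    if "@@remove" in ops:
        value = [v for v in (value or []) if v not in ops["@@remove"]]
    return value

def effective(parent, child):
    """Overlay `child` on `parent` and return the operator-free effective tree."""
    parent, child = parent or {}, child or {}
    if _is_leaf(parent) or (_is_leaf(child) and not parent):
        value = _apply(None, parent) if _is_leaf(parent) else None
        permitted = {op: arg for op, arg in child.items()
                     if op in VALUE_OPS and _allowed(parent, op)}
        return _apply(value, permitted)
    out = {}
    for key, node in parent.items():
        if not key.startswith("@@"):
            out[key] = effective(node, child.get(key))
    for key, node in child.items():
        # Assumption: a key the parent lacks is a new entry, i.e. an append here.
        if key not in parent and not key.startswith("@@") and _allowed(parent, "@@append"):
            out[key] = effective(None, node)
    return out

# Constructed policies, cut down from Examples 4 and 5 on this page.
LOCKED_PARENT = {"plans": {
    CONTROL: ["@@append"],
    "PII_Backup_Plan": {
        CONTROL: ["@@none"],
        "regions": {CONTROL: ["@@none"], "@@assign": ["us-east-1"]}}}}
OPEN_PARENT = {"plans": {"PII_Backup_Plan": {
    "regions": {"@@append": ["us-east-1", "ap-northeast-3", "eu-north-1"]},
    "rules": {"Hourly": {"target_backup_vault_name": {"@@assign": "FortKnox"}}}}}}
CHILD = {"plans": {
    "PII_Backup_Plan": {
        "regions": {"@@assign": ["us-west-2", "eu-central-1"]},
        "rules": {"Hourly": {"target_backup_vault_name": {"@@assign": "Default"}}}},
    "MonthlyBackupPlan": {"regions": {"@@assign": ["eu-west-1"]}}}}

if __name__ == "__main__":
    for parent in (LOCKED_PARENT, OPEN_PARENT):
        print(effective(parent, CHILD))
```

Against the locked parent the child only gains `MonthlyBackupPlan`; against the open parent the same child silently moves the plan to the `Default` vault and replaces the Region list, which is the change to look for when reviewing child policies.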

### Example 6: Specifying resources with the `tags` block
<a name="backup-policy-example-6"></a>

The following example includes all resources with `tag_key` = `"env"` and `tag_value` = `"prod"` or `"gamma"`. This example excludes resources with `tag_key` = `"backup"` and `tag_value` = `"false"`.

```
...
"selections":{
    "tags":{
        "selection_name":{
            "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/IAMRole"},
            "tag_key":{"@@assign": "env"},
            "tag_value":{"@@assign": ["prod", "gamma"]},
            "conditions":{                       
                "string_not_equals":{
                    "condition_name1":{
                        "condition_key": { "@@assign": "aws:ResourceTag/backup"  },
                        "condition_value": {  "@@assign": "false" }
                    }
                }
            }
        }  
    }
},
...
```

### Example 7: Specifying resources with the `resources` block
<a name="backup-policy-example-7"></a>

The following are examples of specifying resources with the `resources` block.

------
#### [ Example: Select all resources in my account ]

The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` block uses a boolean `AND` to combine the resource types.

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "*"
            ]
        }
    }
},
...
```

------
#### [ Example: Select all resources in my account, but exclude Amazon EBS volumes ]

The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` and `"not_resource_types"` blocks use a boolean `AND` to combine the resource types.

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "*"
            ]
        },
        "not_resource_types":{
            "@@assign": [
                "arn:aws:ec2:*:*:volume/*"
            ]
        }
    }
},
...
```

------
#### [ Example: Select all resources tagged with "backup" : "true", but exclude Amazon EBS volumes ]

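The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` and `"not_resource_types"` blocks use a boolean `AND` to combine the resource types. The `"conditions"` block uses a boolean `AND`.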

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "*"
            ]
        },
        "not_resource_types":{
            "@@assign": [
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        "conditions":{                       
            "string_equals":{
                "condition_name1":{
                    "condition_key": { "@@assign":"aws:ResourceTag/backup"},
                    "condition_value": {  "@@assign":"true" }
                }
            }
        }
    }
},
...
```

------
#### [ Example: Select all Amazon EBS volumes and Amazon RDS DB instances tagged with both "backup" : "true" and "stage" : "prod" ]

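The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` block uses a boolean `AND` to combine the resource types. The `"conditions"` block uses a boolean `AND` to combine the resource types and tag conditions.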

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:rds:*:*:db:*"
            ]
        },
        "conditions":{
            "string_equals":{
                "condition_name1":{
                    "condition_key":{"@@assign":"aws:ResourceTag/backup"},
                    "condition_value":{"@@assign":"true"}
                },
                "condition_name2":{
                    "condition_key":{"@@assign":"aws:ResourceTag/stage"},
                    "condition_value":{"@@assign":"prod"}
                }     
            }
        }   
    }
},
...
```

------
#### [ Example: Select all Amazon EBS volumes and Amazon RDS instances tagged with "backup" : "true" but not "stage" : "test" ]

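The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` block uses a boolean `AND` to combine the resource types. The `"conditions"` block uses a boolean `AND` to combine the resource types and tag conditions.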

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:rds:*:*:db:*"
            ]
        },
        "conditions":{
            "string_equals":{
                "condition_name1":{
                    "condition_key":{"@@assign":"aws:ResourceTag/backup"},
                    "condition_value":{"@@assign":"true"}
                }
            },
            "string_not_equals":{
                "condition_name2":{
                    "condition_key":{"@@assign":"aws:ResourceTag/stage"},
                    "condition_value":{"@@assign":"test"}
                }
            }
        }
    }
},
...
```

------
#### [ Example: Select all resources tagged with "key1" and a value which begins with "include" but not with "key2" and value that contains the word "exclude" ]

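The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` block uses a boolean `AND` to combine the resource types. The `"conditions"` block uses a boolean `AND` to combine the resource types and tag conditions.

In this example, note the use of the wildcard character `(*)` in `include*`, `*exclude*`, and `arn:aws:rds:*:*:db:*`. You can use the wildcard character `(*)` at the beginning, end, and middle of a string.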

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "*"
            ]
        },              
        "conditions":{
            "string_like":{
                "condition_name1":{
                    "condition_key":{"@@assign":"aws:ResourceTag/key1"},
                    "condition_value":{"@@assign":"include*"}
                }
            },
            "string_not_like":{
                "condition_name2":{
                    "condition_key":{"@@assign":"aws:ResourceTag/key2"},
                    "condition_value":{"@@assign":"*exclude*"}
                }
            }
        }
    }
},
...
```

------
#### [ Example: Select all resources tagged with "backup" : "true" except Amazon FSx file systems and Amazon RDS resources ]

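The boolean logic is similar to what you might use in IAM policies. The `"resource_types"` and `"not_resource_types"` blocks use a boolean `AND` to combine the resource types. The `"conditions"` block uses a boolean `AND` to combine the resource types and tag conditions.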

```
...
"resources":{
    "resource_selection_name":{
        "iam_role_arn":{"@@assign": "arn:aws:iam::$account:role/IAMRole"},
        "resource_types":{
            "@@assign": [
                "*"
            ]
        },
        "not_resource_types":{
            "@@assign":[
                "arn:aws:fsx:*:*:file-system/*",
                "arn:aws:rds:*:*:db:*"
            ]
        },
        "conditions":{
            "string_equals":{
                "condition_name1":{
                    "condition_key":{"@@assign":"aws:ResourceTag/backup"},
                    "condition_value":{"@@assign":"true"}
                }
            }
        }
    }
},
...
```

------
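To see which resources a `resources` selection leaves without backup coverage, the selection can be evaluated against an inventory before the policy is attached. The following is an added example, not AWS Backup's own matching code, and it goes beyond the single cases above by handling all four condition operators. It assumes that a resource matches `resource_types` when any listed pattern matches its ARN, that every condition must hold, and that a missing tag fails `string_equals`/`string_like` and passes the negated forms; the function names and the inventory are constructed.

```python
import re

def like(pattern, text):
    """Match text against a pattern in which `*` is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, flags=re.DOTALL) is not None

def value(node):
    """Unwrap {"@@assign": x} as written in a policy; pass plain values through."""
    return node["@@assign"] if isinstance(node, dict) and "@@assign" in node else node

# Assumed semantics: a missing tag fails the positive tests and passes the negative ones.
TESTS = {
    "string_equals": lambda actual, want: actual == want,
    "string_not_equals": lambda actual, want: actual != want,
    "string_like": lambda actual, want: actual is not None and like(want, actual),
    "string_not_like": lambda actual, want: actual is None or not like(want, actual),
}

def selects(selection, resource):
    """Return (selected, reason) for one resource under one `resources` selection."""
    arn, tags = resource["arn"], resource.get("tags", {})
    if not any(like(p, arn) for p in value(selection.get("resource_types", []))):
        return False, "no resource_types pattern matches"
    for pattern in value(selection.get("not_resource_types", [])):
        if like(pattern, arn):
            return False, "excluded by not_resource_types " + pattern
    for operator, conditions in selection.get("conditions", {}).items():
        for name, cond in conditions.items():
            prefix, _, tag_name = value(cond["condition_key"]).partition("/")
            if prefix != "aws:ResourceTag":
                raise ValueError("unsupported condition_key prefix: " + prefix)
            actual = tags.get(tag_name)
            if not TESTS[operator](actual, value(cond["condition_value"])):
                return False, operator + "/" + name + " not satisfied"
    return True, "selected"

def uncovered(selection, inventory):
    """Map each ARN the selection skips to the reason it was skipped."""
    results = ((res["arn"], selects(selection, res)) for res in inventory)
    return {arn: reason for arn, (ok, reason) in results if not ok}

# Selection from the '"backup" : "true" but not "stage" : "test"' example on this page.
SELECTION = {
    "resource_types": {"@@assign": ["arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*"]},
    "conditions": {
        "string_equals": {"condition_name1": {
            "condition_key": {"@@assign": "aws:ResourceTag/backup"},
            "condition_value": {"@@assign": "true"}}},
        "string_not_equals": {"condition_name2": {
            "condition_key": {"@@assign": "aws:ResourceTag/stage"},
            "condition_value": {"@@assign": "test"}}}}}
# Constructed inventory; the resource IDs are made up.
INVENTORY = [
    {"arn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-sample1",
     "tags": {"backup": "true", "stage": "prod"}},
    {"arn": "arn:aws:rds:us-east-1:123456789012:db:sample-test-db",
     "tags": {"backup": "true", "stage": "test"}},
    {"arn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-sample2", "tags": {}},
    {"arn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-sample3",
     "tags": {"backup": "true"}},
]

print(uncovered(SELECTION, INVENTORY))
```

The untagged volume and the file system show up as uncovered, which is the typical gap a tag-driven selection leaves when resources are created without the expected tags or belong to a type the selection never lists.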

### Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning
<a name="backup-policy-example-8"></a>

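The following example shows a backup policy that enables Amazon GuardDuty Malware Protection scanning on backup recovery points. The policy uses `scan_actions` within the rules to enable scanning, and `scan_settings` at the plan level to configure the scanner.

To use this feature, you must have the appropriate IAM role permissions. For more information, see [Access](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access) in the *AWS Backup Developer Guide*.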

```
{
    "plans": {
        "Malware_Scan_Backup_Plan": {
            "regions": {
                "@@assign": [
                    "us-east-1",
                    "us-west-2"
                ]
            },
            "rules": {
                "Daily_With_Incremental_Scan": {
                    "schedule_expression": {
                        "@@assign": "cron(0 5 ? * * *)"
                    },
                    "start_backup_window_minutes": {
                        "@@assign": "60"
                    },
                    "target_backup_vault_name": {
                        "@@assign": "Default"
                    },
                    "lifecycle": {
                        "delete_after_days": {
                            "@@assign": "35"
                        }
                    },
                    "scan_actions": {
                        "GUARDDUTY": {
                            "scan_mode": {
                                "@@assign": "INCREMENTAL_SCAN"
                            }
                        }
                    }
                },
                "Monthly_With_Full_Scan": {
                    "schedule_expression": {
                        "@@assign": "cron(0 5 1 * ? *)"
                    },
                    "start_backup_window_minutes": {
                        "@@assign": "60"
                    },
                    "target_backup_vault_name": {
                        "@@assign": "Default"
                    },
                    "lifecycle": {
                        "delete_after_days": {
                            "@@assign": "365"
                        }
                    },
                    "scan_actions": {
                        "GUARDDUTY": {
                            "scan_mode": {
                                "@@assign": "FULL_SCAN"
                            }
                        }
                    }
                }
            },
            "selections": {
                "tags": {
                    "scan_selection": {
                        "iam_role_arn": {
                            "@@assign": "arn:aws:iam::$account:role/MyBackupRole"
                        },
                        "tag_key": {
                            "@@assign": "backup"
                        },
                        "tag_value": {
                            "@@assign": [
                                "true"
                            ]
                        }
                    }
                }
            },
            "scan_settings": {
                "GUARDDUTY": {
                    "resource_types": {
                        "@@assign": [
                            "EBS"
                        ]
                    },
                    "scanner_role_arn": {
                        "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole"
                    }
                }
            }
        }
    }
}
```

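The key points in this example are:
+ `scan_actions` is specified within each rule. The scanner name `GUARDDUTY` is used as the key. The daily rule uses `INCREMENTAL_SCAN` and the monthly rule uses `FULL_SCAN`.
+ `scan_settings` is specified at the plan level (not inside a rule). It configures the scanner role and the resource types to scan.
+ `scanner_role_arn` must reference an IAM role that has the `AWSBackupGuardDutyRolePolicyForScans` managed policy attached and a trust policy that allows the `malware-protection.guardduty.amazonaws.com` service principal to assume the role.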