AWS aws-backup documentation change
Summary
Added CloudFormation template example for enabling GuardDuty Malware Protection scanning in backup plans
Security assessment
This introduces documentation for implementing malware scanning configurations through infrastructure-as-code. While it documents security features (malware scanning), it demonstrates proper implementation rather than addressing a security issue. The template shows secure role configurations but doesn't indicate response to a vulnerability.
Diff
diff --git a/aws-backup/latest/devguide/plan-cfn.md b/aws-backup/latest/devguide/plan-cfn.md index a748d9d34..d13401150 100644 --- a//aws-backup/latest/devguide/plan-cfn.md +++ b//aws-backup/latest/devguide/plan-cfn.md @@ -7 +7 @@ -We provide two sample CloudFormation templates for your reference. The first template creates a simple backup plan. The second template enables VSS backups in a backup plan. +We provide three sample CloudFormation templates for your reference. The first template creates a simple backup plan. The second template enables VSS backups in a backup plan. The third template enables Amazon GuardDuty Malware Protection scanning in a backup plan. @@ -136,0 +137,82 @@ If you are using the default service role, replace `service-role` with `AWSBacku + + Description: Backup plan template with Amazon GuardDuty Malware Protection scanning enabled. + + Resources: + BackupVault: + Type: "AWS::Backup::BackupVault" + Properties: + BackupVaultName: "MalwareScanBackupVault" + + BackupPlanWithMalwareScanning: + Type: "AWS::Backup::BackupPlan" + Properties: + BackupPlan: + BackupPlanName: "BackupPlanWithMalwareScanning" + BackupPlanRule: + - RuleName: "DailyBackupWithIncrementalScan" + TargetBackupVault: !Ref BackupVault + ScheduleExpression: "cron(0 5 ? * * *)" + Lifecycle: + DeleteAfterDays: 35 + ScanActions: + - MalwareScanner: GUARDDUTY + ScanMode: INCREMENTAL_SCAN + - RuleName: "MonthlyBackupWithFullScan" + TargetBackupVault: !Ref BackupVault + ScheduleExpression: "cron(0 5 1 * ? *)" + Lifecycle: + DeleteAfterDays: 365 + ScanActions: + - MalwareScanner: GUARDDUTY + ScanMode: FULL_SCAN + ScanSettings: + - MalwareScanner: GUARDDUTY + ResourceTypes: + - EBS + ScannerRoleArn: !GetAtt ScannerRole.Arn + DependsOn: BackupVault + + ScannerRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: + - "malware-protection.guardduty.amazonaws.com" + Action: + - "sts:AssumeRole" + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/AWSBackupGuardDutyRolePolicyForScans" + + BackupRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: + - "backup.amazonaws.com" + Action: + - "sts:AssumeRole" + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/service-role/service-role" + - "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForScans" + + TagBasedBackupSelection: + Type: "AWS::Backup::BackupSelection" + Properties: + BackupSelection: + SelectionName: "MalwareScanSelection" + IamRoleArn: !GetAtt BackupRole.Arn + ListOfTags: + - ConditionType: "STRINGEQUALS" + ConditionKey: "backup" + ConditionValue: "true" + BackupPlanId: !Ref BackupPlanWithMalwareScanning + DependsOn: BackupPlanWithMalwareScanning +