CloudFormation Guard rules template for AWS Backup resources

The following rules are included:

Backup Vaults: 

  • Backup Vault Policy Defined

Backup Plans:

  • Lifecycle Cleanup Rules Configured
  • VSS Snapshots Enabled
  • Minimum Retention of 35 Days Configured

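# Select every AWS Backup vault in the template; the vault rule below iterates this list.
# The CloudFormation resource type is "AWS::Backup::BackupVault" (double-colon separator).
# The earlier "AWS:::" spelling matched nothing, so the dependent rule was always SKIPped
# instead of evaluated -- a silent gap rather than a failing check.
let backup_vaults = Resources.*[
	Type == "AWS::Backup::BackupVault"
]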

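# Select every AWS Backup plan in the template; all plan rules below iterate this list.
# The CloudFormation resource type is "AWS::Backup::BackupPlan" (double-colon separator).
# The earlier "AWS:::" spelling matched nothing, so every plan rule was always SKIPped
# instead of evaluated.
let backup_plans = Resources.*[
	Type == "AWS::Backup::BackupPlan"
]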

# Every backup vault must declare a resource-based AccessPolicy.
# Evaluated only when the template defines at least one vault; otherwise the rule is SKIPped.
# This checks that a policy is present, not that its statements are restrictive.
rule backup_vault_policy when %backup_vaults !empty {
	%backup_vaults.Properties.AccessPolicy exists <<AccessPolicy is not defined.>>
}

# Every rule inside every backup plan must carry a Lifecycle with both retention
# transitions set: DeleteAfterDays (expiry) and MoveToColdStorageAfterDays (tiering).
# The inner checks are guarded on Lifecycle existing so a missing Lifecycle reports
# only the first message rather than three.
# Evaluated only when the template defines at least one plan; otherwise SKIPped.
rule backup_plan_cleanup when %backup_plans !empty {
	%backup_plans.Properties.BackupPlan.BackupPlanRule[*] {
		Lifecycle exists <<Lifecycle rules are not configured.>>
		when Lifecycle exists {
			Lifecycle.DeleteAfterDays exists <<DeleteAfterDays not configured.>>
			Lifecycle.MoveToColdStorageAfterDays exists <<MoveToColdStorageAfterDays not configured.>>
		}
	}
}

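# Every backup plan must enable Windows VSS snapshots through its advanced backup settings.
# Presence of AdvancedBackupSettings alone is not sufficient: an empty list, or an entry with
# BackupOptions.WindowsVSS set to "disabled", would otherwise satisfy the check while VSS stays
# off. At least one entry must therefore carry BackupOptions.WindowsVSS == "enabled".
# The nested checks are guarded on the parent existing so a missing setting reports one message.
# Evaluated only when the template defines at least one plan; otherwise SKIPped.
rule backup_vss_snapshots when %backup_plans !empty {
	%backup_plans {
		Properties {
			BackupPlan {
				AdvancedBackupSettings exists <<AdvancedBackupSettings is not configured.>>
				when AdvancedBackupSettings exists {
					AdvancedBackupSettings !empty <<AdvancedBackupSettings is empty.>>
					when AdvancedBackupSettings !empty {
						# "some" requires at least one entry to enable VSS; other entries may exist.
						some AdvancedBackupSettings[*].BackupOptions.WindowsVSS == "enabled" <<WindowsVSS is not enabled in any AdvancedBackupSettings entry.>>
					}
				}
			}
		}
	}
}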

# Every rule inside every backup plan must retain recovery points for at least 35 days,
# expressed as Lifecycle.DeleteAfterDays >= 35.
# Each level is guarded on its parent existing so a missing Lifecycle or DeleteAfterDays
# reports a single, specific message instead of a cascade.
# Evaluated only when the template defines at least one plan; otherwise SKIPped.
rule backup_plan_min_retention_35_days when %backup_plans !empty {
	%backup_plans.Properties.BackupPlan.BackupPlanRule[*] {
		Lifecycle exists <<Lifecycle rules are not configured.>>
		when Lifecycle exists {
			Lifecycle.DeleteAfterDays exists <<DeleteAfterDays not configured.>>
			when Lifecycle.DeleteAfterDays exists {
				Lifecycle.DeleteAfterDays >= 35 <<DeleteAfterDays set to less than 35 days.>>
			}
		}
	}
}


