

# AWS Backup Audit Manager
<a name="aws-backup-audit-manager"></a>

You can use AWS Backup Audit Manager to audit the compliance of your AWS Backup policies against controls that you define. A *control* is a procedure designed to audit the compliance of a backup requirement, such as the backup frequency or the backup retention period.

AWS Backup Audit Manager helps you answer questions such as:
+ "Am I backing up all my resources?"
+ "Are all of my backups encrypted?"
+ "Are my backups taking place daily?"

You can use AWS Backup Audit Manager to find backup activity and resources that are not yet compliant with the controls that you defined. Note that only active resources will be included when controls evaluate resources for compliance. For example, an Amazon EC2 instance in a running state will be evaluated. An EC2 instance in a stopped state will not be included in the compliance evaluation.

You can also use it to automatically generate an audit trail of daily and on-demand reports for your backup governance purposes.

The following steps provide an overview of how to use AWS Backup Audit Manager. For detailed walkthroughs, choose one of the topics at the end of this page.

1. Create frameworks that contain one or more governance control templates. The preceding questions are examples of three governance control templates. You can customize the parameters of some governance control templates. For example, you can customize the last control to ask, “Are my backups taking place weekly?” instead of daily.

1. View your framework to see how many of your resources are compliant (or non-compliant) with the controls you defined in that framework.

1. Create reports of your backup and compliance status. Store these reports as demonstrable evidence of your compliance practices, or to identify individual backup activities and resources that are not yet in compliance. 

   AWS Backup Audit Manager automatically generates a new report for you every 24 hours and publishes it to Amazon S3. You can also generate on-demand reports.

**Note**  
Before you create your first compliance-related framework, you must turn on resource tracking. Doing so allows AWS Config to track your AWS Backup resources. For technical documentation about how to manage resource tracking, see [Setting up AWS Config with the console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) in the *AWS Config Developer Guide*.   
Charges apply when you turn on resource tracking. For information about resource tracking pricing and billing for AWS Backup Audit Manager, see [Metering, costs, and billing](https://docs.aws.amazon.com/aws-backup/latest/devguide/metering-and-billing.html).

**Topics**
+ [Working with audit frameworks](working-with-audit-frameworks.md)
+ [Working with audit reports](working-with-audit-reports.md)
+ [Using AWS Backup Audit Manager with CloudFormation](bam-cfn-integration.md)
+ [Using AWS Backup Audit Manager with AWS Audit Manager](aws-audit-manager-integration.md)
+ [Controls and remediation](controls-and-remediation.md)

# Working with audit frameworks
<a name="working-with-audit-frameworks"></a>

A *framework* is a collection of controls that helps you to evaluate your backup practices. You can use pre-built, customizable controls to define your policies and evaluate whether your backup practices comply with your policies. You can also set up automatic daily reports to gain insights into the compliance status of your frameworks.

Each framework applies to a single account and AWS Region. You can deploy a maximum of 15 frameworks per account per Region. You cannot deploy duplicate frameworks (frameworks that contain the same controls and parameters).

There are two different types of frameworks: 
+ The **AWS Backup framework** (recommended) – Use the AWS Backup framework to deploy all available controls to monitor your backup activity, coverage, and resources against the best practices that we recommend. 
+ A **custom framework** that you define – Use a custom framework to choose one or more specific controls and to customize control parameters.

**Topics**
+ [Choosing your controls](choosing-controls.md)
+ [Turning on resource tracking](turning-on-resource-tracking.md)
+ [Creating frameworks using the AWS Backup console](creating-frameworks-console.md)
+ [Creating frameworks using the AWS Backup API](creating-frameworks-api.md)
+ [Viewing framework compliance status](viewing-frameworks.md)
+ [Finding non-compliant resources](finding-non-compliant-resources.md)
+ [Updating audit frameworks](updating-frameworks.md)
+ [Deleting audit frameworks](deleting-frameworks.md)

# Choosing your controls
<a name="choosing-controls"></a>

The following table lists the AWS Backup Audit Manager controls, their customizable parameters, and their AWS Config recording resource types.


**Available controls**  

| Control name | Control description | Customizable parameters | AWS Config recording resource type | 
| --- | --- | --- | --- | 
| Backup resources are included in at least one backup plan | Evaluates if resources are included in at least one backup plan. | None | AWS Backup: backup selection | 
| Backup plan has minimum frequency and minimum retention | Evaluates if backup frequency is at least [1 day] and retention period is at least [35 days]. | Backup frequency; retention period | AWS Backup: backup plans | 
| Vaults prevent manual deletion of recovery points | Evaluates if backup vaults do not allow manual deletion of recovery points except by certain AWS Identity and Access Management (IAM) roles. By default, there are no IAM role exceptions. There are also no IAM role exceptions when you deploy this control with the AWS Backup framework. | Up to 5 IAM roles that allow manual deletion of recovery points | AWS Backup: backup vaults | 
| Recovery points are encrypted | Evaluates if the recovery points are encrypted. | None | AWS Backup: recovery points | 
| Minimum retention established for recovery point | Evaluates if the recovery point retention period is at least [35 days]. | Recovery point retention period | AWS Backup: recovery points | 
| Cross-Region backup copy is scheduled | Evaluates if a resource is configured to create copies of its backups to another AWS Region. | AWS Region | AWS Backup: backup selection | 
| Cross-account backup copy is scheduled | Evaluates if a resource has a cross-account backup copy configured. | AWS account ID | AWS Backup: backup selection | 
| Resources are in a backup plan with an AWS Backup Vault Lock | Evaluates if a resource has a backup plan configured to store backups in a locked backup vault. | Min Retention Days; Max Retention Days | AWS Backup: backup selection | 
| Last recovery point was created | Evaluates if a recovery point was created within the specified time frame. | Value in hours [1 to 744] or days [1 to 31] | AWS Backup: recovery points | 
| Restore time for resources meet target | Evaluates if a restore testing job completed within the target restore time. | Value in minutes | None | 
| Resources are inside a logically air-gapped vault | Evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and timeframe. | Value in minutes, hours, or days | AWS Backup: recovery points | 

For detailed information about these controls, see [Controls and remediation](controls-and-remediation.md).

For a list of AWS Backup-supported resources that don't support all controls, see the AWS Backup Audit Manager section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table.

**Note**  
If you don't want to use any of the preceding controls, you can still use AWS Backup Audit Manager to create daily reports of your backup, copy, and restore jobs. See [Working with audit reports](https://docs.aws.amazon.com/aws-backup/latest/devguide/working-with-audit-reports.html).

# Turning on resource tracking
<a name="turning-on-resource-tracking"></a>

Before you create your first compliance-related framework, you must turn on resource tracking. Doing so allows AWS Config to track your AWS Backup resources. For technical documentation about how to manage resource tracking, see [Setting up AWS Config with the console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) in the *AWS Config Developer Guide*. 

Charges apply when you turn on resource tracking. For information about resource tracking pricing and billing for AWS Backup Audit Manager, see [Metering, costs, and billing](https://docs.aws.amazon.com/aws-backup/latest/devguide/metering-and-billing.html).

**Topics**
+ [Turning on resource tracking using the console](#turning-on-resource-tracking-console)
+ [Turning on resource tracking using the AWS Command Line Interface (AWS CLI)](#turning-on-resource-tracking-cli)
+ [Turning on resource tracking using a CloudFormation template](#turning-on-resource-tracking-cfn)

## Turning on resource tracking using the console
<a name="turning-on-resource-tracking-console"></a>

**To turn on resource tracking using the console:**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, under **Audit Manager**, choose **Frameworks**.

1. Turn on resource tracking by choosing **Manage resource tracking**.

1. Choose **Go to AWS Config Settings**.

1. Choose **Enable or disable recording**.

1. Choose **Enable** recording for all of the following resource types, or choose to enable recording for some resource types. Refer to [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html) for which resource types are required for your controls.
   + `AWS Backup: backup plans`
   + `AWS Backup: backup vaults`
   + `AWS Backup: recovery points`
   + `AWS Backup: backup selection`

1. Choose **Close**.

1. Wait for the blue banner with the text **Turning on resource tracking** to transition to the green banner with the text **Resource tracking is on**.

You can check whether you have turned on resource tracking and, if so, which resource types you are recording, in two places in the AWS Backup console. In the left navigation pane, either:
+ Choose **Frameworks**, then choose the text under **AWS Config recorder status**.
+ Choose **Settings**, then choose the text under **AWS Config recorder status**.

## Turning on resource tracking using the AWS Command Line Interface (AWS CLI)
<a name="turning-on-resource-tracking-cli"></a>

If you have not yet onboarded to AWS Config, it might be faster to onboard using the AWS CLI.

**To turn on resource tracking using the AWS CLI:**

1. Type the following command to determine if you already enabled your AWS Config recorder.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   1. If your `ConfigurationRecorders` list is empty like this:

      ```
      {
        "ConfigurationRecorders": []
      }
      ```

      Your recorder is not enabled. Continue to step 2 to create your recorder.

   1. If you already enabled recording for all resources, your `ConfigurationRecorders` output will look like this:

      ```
      {
        "ConfigurationRecorders":[
          {
            "recordingGroup":{
              "allSupported":true,
              "resourceTypes":[
                
              ],
              "includeGlobalResourceTypes":true
            },
            "roleARN":"arn:aws:iam::[account]:role/[roleName]",
            "name":"default"
          }
        ]
      }
      ```

      Because you enabled all resources, you have already turned on resource tracking. You do not need to complete the rest of this procedure to use AWS Backup Audit Manager.

1. Create an AWS Config recorder that records the AWS Backup Audit Manager resource types. (The command below is one shell command; the trailing backslashes are line continuations.)

   ```
   $ aws configservice put-configuration-recorder --configuration-recorder name=default,\
   roleARN=arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
   --recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection',\
   'AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint']"
   ```

1. Describe your AWS Config recorder.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   Verify that it has the AWS Backup Audit Manager resource types by comparing your output with the following expected output.

   ```
   {
     "ConfigurationRecorders":[
       {
         "name":"default",
         "roleARN":"arn:aws:iam::accountId:role/AWSServiceRoleForConfig",
         "recordingGroup":{
           "allSupported":false,
           "includeGlobalResourceTypes":false,
           "resourceTypes":[
             "AWS::Backup::BackupPlan",
             "AWS::Backup::BackupSelection",
             "AWS::Backup::BackupVault",
             "AWS::Backup::RecoveryPoint"
           ]
         }
       }
     ]
   }
   ```

1. Create an Amazon S3 bucket as the destination to store the AWS Config configuration files.

   ```
   $ aws s3api create-bucket --bucket amzn-s3-demo-bucket --region us-east-1
   ```

1. Use *policy.json* to grant AWS Config permission to access your bucket. See the following sample *policy.json*.

   ```
   $ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
   ```


   ```
   {
     "Version":"2012-10-17",
     "Statement":[
       {
         "Sid":"AWSConfigBucketPermissionsCheck",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:GetBucketAcl",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid":"AWSConfigBucketExistenceCheck",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid":"AWSConfigBucketDelivery",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*"
       }
     ]
   }
   ```

1. Configure your bucket as an AWS Config delivery channel.

   ```
   $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket
   ```

1. Enable AWS Config recording.

   ```
   $ aws configservice start-configuration-recorder --configuration-recorder-name default
   ```

1. After you have created a framework (the example below uses one named `test`), verify that `"FrameworkStatus":"ACTIVE"` appears in the last line of your `DescribeFramework` output, as follows.

   ```
   $ aws backup describe-framework --framework-name test --region us-east-1
   ```

   ```
   {
     "FrameworkName":"test",
     "FrameworkArn":"arn:aws:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
     "FrameworkDescription":"",
     "FrameworkControls":[
       {
         "ControlName":"BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
         "ControlInputParameters":[
           {
             "ParameterName":"requiredRetentionDays",
             "ParameterValue":"1"
           }
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
         "ControlInputParameters":[
           {
             "ParameterName":"requiredFrequencyUnit",
             "ParameterValue":"hours"
           },
           {
             "ParameterName":"requiredRetentionDays",
             "ParameterValue":"35"
           },
           {
             "ParameterName":"requiredFrequencyValue",
             "ParameterValue":"1"
           }
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RECOVERY_POINT_ENCRYPTED",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       }
     ],
     "CreationTime":1633463605.233,
     "DeploymentStatus":"COMPLETED",
     "FrameworkStatus":"ACTIVE"
   }
   ```
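The three outcomes of step 1 (no recorder, a recorder with `allSupported`, or a recorder that lists only some types) can be checked mechanically. The following script is an added example, not AWS documentation code: it parses the JSON that `aws configservice describe-configuration-recorders` prints and reports which of the four Audit Manager resource types are still unrecorded; the sample outputs and the account ID in them are constructed.

```python
"""Added example (not AWS documentation code): decide from the JSON that
`aws configservice describe-configuration-recorders` prints whether the
recorder already covers the four AWS Backup Audit Manager resource types,
and which ones still need to be added.  The sample outputs are constructed
to match the shapes shown in the procedure above."""
import json
import subprocess

# Resource types AWS Backup Audit Manager needs AWS Config to record.
REQUIRED_TYPES = frozenset({
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
})


def missing_backup_types(describe_output: str) -> set:
    """Return the required types that no configured recorder records.

    A recorder with allSupported=true records every type, so nothing is
    missing; otherwise only the explicitly listed resourceTypes count.
    An empty ConfigurationRecorders list means everything is missing.
    """
    recorders = json.loads(describe_output).get("ConfigurationRecorders", [])
    covered = set()
    for recorder in recorders:
        group = recorder.get("recordingGroup", {})
        if group.get("allSupported"):
            return set()
        covered.update(group.get("resourceTypes", []))
    return set(REQUIRED_TYPES - covered)


def recorder_status(describe_output: str) -> str:
    """Map the describe output onto the cases the procedure walks through."""
    if not json.loads(describe_output).get("ConfigurationRecorders"):
        return "NOT_ENABLED"        # step 1a: create the recorder (step 2)
    if not missing_backup_types(describe_output):
        return "COMPLETE"           # step 1b or step 3: nothing more to record
    return "PARTIAL"                # recorder exists but lacks some Backup types


# Constructed samples mirroring the outputs shown in steps 1 and 3
# (111122223333 is a placeholder account ID).
EMPTY_OUTPUT = '{"ConfigurationRecorders": []}'
ALL_SUPPORTED_OUTPUT = json.dumps({"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": True, "resourceTypes": [],
                       "includeGlobalResourceTypes": True},
}]})
PARTIAL_OUTPUT = json.dumps({"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": False,
                       "resourceTypes": ["AWS::Backup::BackupPlan",
                                         "AWS::Backup::BackupVault"]},
}]})

if __name__ == "__main__":
    # Live check; assumes the AWS CLI is installed and credentials are set.
    # This output does not say whether the recorder has been started
    # (step 7); `aws configservice describe-configuration-recorder-status`
    # reports that separately.
    live = subprocess.run(
        ["aws", "configservice", "describe-configuration-recorders"],
        capture_output=True, text=True, check=True).stdout
    print(recorder_status(live), sorted(missing_backup_types(live)))
```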

## Turning on resource tracking using a CloudFormation template
<a name="turning-on-resource-tracking-cfn"></a>

For a CloudFormation template that turns on resource tracking, see [Using AWS Backup Audit Manager with CloudFormation](https://docs.aws.amazon.com/aws-backup/latest/devguide/bam-cfn-integration.html).

# Creating frameworks using the AWS Backup console
<a name="creating-frameworks-console"></a>

After turning on resource tracking, create a framework using the following steps.

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Frameworks**.

1. Choose **Create Framework**.

1. For **Framework name**, enter a unique name. The framework name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

1. (Optional) Enter a **Framework description**.

1. In **Controls**, your active controls will be displayed. By default, all controls eligible for a resource are listed.

   To change which controls are active, click **Edit controls**.

   1. The first check box indicates if the control is turned on. To turn off a control, uncheck the box.

   1. Under **Choose resources to evaluate**, you can select how to choose resources, either by type, by tags, or by a single resource.

   The list of [AWS Backup Audit Manager controls](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html) describes the customization options for each control.

1. (Optional) Tag your framework by choosing **Add new tag**. You can use tags to search and filter your frameworks or track your costs.

1. Choose **Create framework**.

AWS Backup Audit Manager might take several minutes to create the framework.

If the error `AlreadyExists` occurs, a framework with the same controls and parameters already exists. To successfully create a new framework, at least one control or parameter must be different from existing frameworks.

# Creating frameworks using the AWS Backup API
<a name="creating-frameworks-api"></a>

The following table contains sample API requests to [CreateFramework](API_CreateFramework.md) for each control, along with sample API responses to the corresponding [DescribeFramework](API_DescribeFramework.md) requests. To work with AWS Backup Audit Manager programmatically, you can refer to these code snippets.


| Control | `CreateFramework` request | `DescribeFramework` response | 
| --- | --- | --- | 
| Backup resources are included in at least one backup plan | <pre>{"FrameworkName": "Control1",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["RDS"] // Evaluate only RDS instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control1",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control1",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control1-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["RDS"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control1",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Backup plan minimum frequency and minimum retention | <pre>{"FrameworkName": "Control2",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}, <br />        {"ParameterName": "requiredFrequencyUnit",<br />         "ParameterValue": "hours"},<br />        {"ParameterName": "requiredFrequencyValue",<br />         "ParameterValue": "24"}<br />      ],<br />     "ControlScope": <br />      {<br />       "Tags": {"key1": "prod"} // Evaluate only backup plans that are tagged with "key1": "prod".  <br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control2",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control2",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}, <br />        {"ParameterName": "requiredFrequencyUnit",<br />         "ParameterValue": "hours"},<br />        {"ParameterName": "requiredFrequencyValue",<br />         "ParameterValue": "24"}<br />      ],<br />     "ControlScope": <br />      {<br />       "Tags": {"key1": "prod"}<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control2",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Vaults prevent manual deletion of recovery points | <pre>{"FrameworkName": "Control3",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "principalArnList",<br />         "ParameterValue": <br />         "arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,<br />         arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,<br />         arn:aws:iam::123456789012:role/service-role/QuickSightAction"}<br />      ],<br />     "ControlScope": <br />      {"ComplianceResourceIds":["default"],<br />       "ComplianceResourceTypes": ["AWS::Backup::BackupVault"]<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control3",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control3",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "principalArnList",<br />         "ParameterValue": <br />         "arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,<br />         arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,<br />         arn:aws:iam::123456789012:role/service-role/QuickSightAction"}<br />      ],<br />     "ControlScope": <br />      {"ComplianceResourceIds":["default"],<br />       "ComplianceResourceTypes": ["AWS::Backup::BackupVault"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control3",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Minimum retention established for recovery point | <pre>{"FrameworkName": "Control4",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}<br />      ],<br />     "ControlScope": {} // Default scope (no scope input) sets scope to all recovery points.<br />    }<br />  ],<br /> "IdempotencyToken": "Control4",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control4",<br />"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-6e7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br />  "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}<br />      ],<br />     "ControlScope": {}<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control4",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Backup recovery points are encrypted | <pre>{"FrameworkName": "Control5",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",<br />     "ControlInputParameters": <br />      [],<br />     "ControlScope": {} // Default scope (no scope input) is all recovery points<br />    }<br />  ],<br /> "IdempotencyToken": "Control5",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control5",<br />"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-7e7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br />  "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",<br />     "ControlInputParameters": <br />      [],<br />     "ControlScope": {}<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control5",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Cross-Region backup copy is scheduled | <pre>{"FrameworkName": "Control6",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control6",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control6",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control6",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Cross-account backup copy is scheduled | <pre>{"FrameworkName": "Control7",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control7",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control7",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control7",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Resources are in a backup plan with an AWS Backup Vault Lock | <pre>{"FrameworkName": "Control8",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control8",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control8",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control8-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control8",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Last recovery point was created | <pre>{"FrameworkName": "Control9",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control9",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control9",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control9",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Restore time for resources meet target | <pre>{"FrameworkName":"Control10",<br />   "FrameworkDescription":"This is a test framework",<br />   "FrameworkControls":[<br />      {<br />         "ControlName":"RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",<br />         "ControlInputParameters":[<br />            {<br />               "ParameterName":"maxRestoreTime",<br />               "ParameterValue":"720"<br />            }<br />         ],<br />         "ControlScope":{<br />            "ComplianceResourceIds":[<br />            ],<br />            "ComplianceResourceTypes":[<br />               "DynamoDB" // Evaluates only DynamoDB databases<br />            ]<br />         }<br />      }<br />   ],<br />   "IdempotencyToken":"Control10",<br />   "FrameworkTags":{<br />      "key1":"foo"<br />   }<br />}</pre> | <pre>{"FrameworkName": "Control10",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control10",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Resources in logically air-gapped vault | <pre>{"FrameworkName":"Control11",<br />   "FrameworkDescription":"This is a test framework",<br />   "FrameworkControls":[<br />      {<br />         "ControlName":"RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",<br />         "ControlInputParameters":[<br />            {<br />               "ParameterName":"recoveryPointAgeValue",<br />               "ParameterValue":"10"<br />            },<br />            {<br />               "ParameterName":"recoveryPointAgeUnit",<br />               "ParameterValue":"days"<br />            }<br />         ],<br />         "ControlScope":{<br />            "ComplianceResourceTypes":[<br />               "EC2"<br />            ]<br />         }<br />      }<br />   ],<br />   "IdempotencyToken":"Control11",<br />   "FrameworkTags":{<br />      "key1":"foo"<br />   }<br />}</pre> | <pre>{"FrameworkName": "Control11",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control11-ab1234cd-5e67-89fg-06a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",<br />     "ControlInputParameters":<br />      [{"ParameterName": "recoveryPointAgeValue", "ParameterValue": "10"},<br />       {"ParameterName": "recoveryPointAgeUnit", "ParameterValue": "days"}],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1726087776.316,<br /> "DeploymentStatus": "COMPLETED",<br /> "FrameworkStatus": "ACTIVE",<br /> "IdempotencyToken": "Control11",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 

# Viewing framework compliance status
<a name="viewing-frameworks"></a>

Once you create an audit framework, it appears in your **Frameworks** table. You can view this table by choosing **Frameworks** in the left navigation pane of the AWS Backup console. To view the audit results for your framework, choose its **Framework name**. Doing so takes you to the **Framework detail** page, which has two sections: **Summary** and **Controls**.

The **Summary** section lists the following statuses from left to right:
+ **Compliance status** is your audit framework’s overall compliance status as determined by the compliance status of each of its controls. Each control’s compliance status is determined by the compliance status of each resource it evaluates.

  Framework compliance status is `Compliant` only if all resources in the scope of your control evaluations have passed those evaluations. If one or more resources failed a control evaluation, the compliance status will be `Non-Compliant`. For information on how to find your non-compliant resources, see [Finding non-compliant resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/finding-non-compliant-resources.html). For information on how to bring your resources into compliance, see the remediation section of [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).
+ **Framework status** refers to whether you have turned on resource tracking for all of your resources. The possible statuses are:
  + `Active` when recording is turned on for all resources the framework evaluates. 
  + `Partially active` when recording is turned off for at least one resource the framework evaluates.
  + `Inactive` when recording is turned off for all resources that the framework evaluates.
  + `Unavailable` when AWS Backup Audit Manager is unable to validate recording status at this time.

  **To correct a `Partially active` or `Inactive` status**

  1. Choose **Frameworks** from the left navigation pane.

  1. Choose **Manage resource tracking**.

  1. Follow the instructions in the pop-up to enable recording for the resource types where it was not previously enabled.

  For more information about which resource types require resource tracking based on the controls you included in your frameworks, see the resource component of [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).
+ **Deployment status** refers to your framework’s deployment status. This status should most often be `Completed`, but can also be `Create in progress`, `Update in progress`, `Delete in progress`, and `Failed`.
  + A status of `Failed` means the framework didn't deploy correctly. [Delete the framework](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-frameworks.html), then recreate it through the [AWS Backup console](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-console.html) or through the [AWS Backup API](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-api.html).
+ **Compliant controls** show a count of framework controls with all evaluations passing.
+ **Non-compliant controls** show a count of framework controls with at least one evaluation not passing.

The **Controls** section shows you the following information:
+ **Control status** refers to each control's compliance status. A control can be `Compliant`, meaning all resources pass that evaluation; `Non-compliant`, meaning that at least one resource did not pass that evaluation; or `Insufficient data`, meaning the control found no resources within the evaluation scope to evaluate.
+ **Evaluation scope** might limit each control to one or more **Resource types**, one **Resource ID**, or one **Tag key** and **Tag value**, based on how you customized your control when creating your audit framework. If all fields are empty (as shown by a dash, "-"), then the control evaluates all applicable resources.

# Finding non-compliant resources
<a name="finding-non-compliant-resources"></a>

AWS Backup Audit Manager helps you find which resources are non-compliant in two ways.
+ When [Viewing framework compliance status](https://docs.aws.amazon.com/aws-backup/latest/devguide/viewing-frameworks.html), choose the control name in the **Details section**. Doing so takes you to the AWS Config console, where you can view a list of your `Non-Compliant` resources.
+ After you [Create a report plan with the resource compliance template](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html) that includes your framework, you can [View your report](https://docs.aws.amazon.com/aws-backup/latest/devguide/view-reports.html) to identify all your `Non-Compliant` resources across all your controls.

  Furthermore, your `Resource compliance report` shows the last time AWS Backup Audit Manager evaluated each of your controls.

# Updating audit frameworks
<a name="updating-frameworks"></a>

You can update the description, controls, and parameters of an existing audit framework.

**To update an existing framework**

1. In the AWS Backup console left navigation pane, choose **Frameworks**.

1. Choose the framework you want to edit by its **Framework name**.

1. Choose **Edit**.

# Deleting audit frameworks
<a name="deleting-frameworks"></a>

**To delete an existing framework**

1. In the AWS Backup console left navigation pane, choose **Frameworks**.

1. Choose the framework you want to delete by its **Framework name**.

1. Choose **Delete**.

1. Type the name of your framework and choose **Delete framework**.

# Working with audit reports
<a name="working-with-audit-reports"></a>

AWS Backup Audit Manager reports are automatically generated evidence of your AWS Backup activity, such as: 
+ Which backup jobs finished and when
+ Which resources you backed up

There are two types of reports. When you create a report, you choose which type is created.

One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs with comprehensive context about vault properties, backup plan configurations, and lifecycle settings. Jobs reports do not display a status of `completed with issues`. To find this status, you can filter for `Completed` jobs with one or more status messages. AWS Backup will only include a status message as part of a `Completed` job's status if the message requires attention or action.

The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect.

AWS Backup Audit Manager delivers a daily report to your Amazon S3 bucket. If the report is for the current Region and current account, you can choose to receive the report in either CSV or JSON format. Otherwise, the report is available in CSV format. The timing of the daily report might fluctuate over several hours because AWS Backup Audit Manager performs randomization to maintain its performance. You can also run an on-demand report anytime.

All account holders can create cross-Region reports; management and [delegated administrator](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html#backup-delegatedadmin) account holders can also create cross-account reports.

**Tip**  
To ensure reports generated by delegated administrator accounts show all member account data, [create frameworks](working-with-audit-frameworks.md) in each of those member accounts.

## Enhanced job report context
<a name="expanded-context-reports"></a>

AWS Backup Audit Manager job reports now include expanded context to help customers better understand backup operations, especially for delegated administrator accounts monitoring across organizations.

The enhanced reports now include:
+ *Vault information*: Vault type, lock status, and encryption details
+ *Backup plan context*: Plan names, rule names, schedules, and timezones
+ *Lifecycle settings*: Retention periods and cold storage transition settings
+ *Resource details*: Resource names and enhanced job metadata

This expanded context eliminates the need for additional API calls to DescribeBackupVault, DescribeBackupPlan, and DescribeRecoveryPoint, providing comprehensive job information in a single report.

**Note**  
The expanded context provides information that previously required separate API calls with additional permissions. Ensure that users with access to these reports have appropriate permissions for the enhanced information being provided.

You can have a maximum of 20 report plans per AWS account.

**Note**  
Resources such as RDS that do not have the capability to show incremental bytes of data of a specific backup will display the value `backupSizeInBytes` as 0.

**Note**  
If the [Restore testing validation and deletion status](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing-validation.html) of a restore job changes after your restore jobs report has been generated, the change is reported in a subsequent restore jobs report upon completion, under the same restore job ID.

To allow AWS Backup Audit Manager to create daily or on-demand reports, you must first create a *report plan* from a *report template*.

**Topics**
+ [Enhanced job report context](#expanded-context-reports)
+ [Choosing your report template](choosing-report-template.md)
+ [Creating report plans using the AWS Backup console](create-report-plan-console.md)
+ [Creating report plans using the AWS Backup API](create-report-plan-api.md)
+ [Creating on-demand reports](create-on-demand-reports.md)
+ [Viewing audit reports](view-reports.md)
+ [Updating report plans](update-report-plan.md)
+ [Deleting report plans](delete-report-plan.md)

# Choosing your report template
<a name="choosing-report-template"></a>

A report template defines the information that your report plan includes in your report. When you automate your reports using a *report plan*, AWS Backup Audit Manager provides you reports for the previous 24 hours. AWS Backup Audit Manager creates these reports between the hours of 1 and 5 AM UTC. It offers the following report templates.

## Backup report templates
<a name="backup-report-templates"></a>

**Backup report templates**. These templates give you daily updates on your backup, restore, or copy jobs with expanded context including vault properties, backup plan details, and lifecycle settings. You can use these reports to monitor your operational posture, understand backup configurations, and identify any failures that might need further action. The following table lists each backup report template name and its sample output.


| Backup report template | Sample report in JSON format | 
| --- | --- | 
| BACKUP\_JOB\_REPORT | <pre>{<br />  "reportItems": [<br />    {<br />      "reportTimePeriodStart": "2021-07-14T00:00:00Z",<br />      "reportTimePeriodEnd": "2021-07-15T00:00:00Z",<br />      "accountId": "112233445566",<br />      "region": "us-west-2",<br />      "backupJobId": "FCCB040A-9426-2A49-2EA9-5EAFFAC656AC",<br />      "jobStatus": "COMPLETED",<br />      "resourceType": "EC2",<br />      "resourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",<br />      "resourceName": "MyEC2Instance",<br />      "backupPlanArn": "arn:aws:backup:us-west-2:112233445566:backup-plan:349f2247-b489-4301-83ac-4b7dd724db9a",<br />      "backupRuleId": "ab88bbf8-ff4e-4f1b-92e7-e13d3e65dcfb",<br />      "initiationDate": "2021-07-14T23:53:47.229Z",<br />      "backupPlanName": "MyBackupPlan",<br />      "backupRuleName": "DailyBackups",<br />      "backupRuleSchedule": "cron(0 5 ? * * *)",<br />      "backupRuleTimezone": "UTC",<br />      "startWindowEnd": "2021-07-14T23:53:47.229Z",<br />      "backupOptions": {},<br />      "isParentJob": false,<br />      "parentJobId": null,<br />      "creationDate": "2021-07-14T23:53:47.229Z",<br />      "completionDate": "2021-07-15T00:16:07.282Z",<br />      "recoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-030cafb98e5a6dcdf",<br />      "jobRunTime": "00:22:20",<br />      "backupSizeInBytes": 8589934592,<br />      "backupVaultName": "Default",<br />      "backupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",<br />      "vaultType": "BACKUP_VAULT",<br />      "vaultLockStatus": "UNLOCKED",<br />      "isEncrypted": true,<br />      "encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/12345678-1234-1234-1234-123456789012",<br />      "deleteAfterDays": 30,<br />      "moveToColdAfterDays": 7,<br />      "enableArchive": false,<br />      "iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"<br />    }<br />  ]<br />}</pre> The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. | 
| COPY\_JOB\_REPORT | <pre>{<br />  "reportItems": [<br />    {<br />      "reportTimePeriodStart": "2021-07-14T15:48:31Z",<br />      "reportTimePeriodEnd": "2021-07-15T15:48:31Z",<br />      "accountId": "112233445566",<br />      "region": "us-west-2",<br />      "copyJobId": "E0AD48A9-0560-B668-3EF0-941FDC0AD6B1",<br />      "jobStatus": "RUNNING",<br />      "jobRunTime": "2021-07-16T00:00:00.010Z",<br />      "resourceType": "EC2",<br />      "resourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",<br />      "resourceName": "string",<br />      "initiationDate": "2021-07-14T15:48:31Z",<br />      "backupPlanName": "string",<br />      "backupRuleName": "string",<br />      "backupRuleSchedule": "string",<br />      "backupRuleTimezone": "string",<br />      "startWindowEnd": "2021-07-14T15:48:31Z",<br />      "backupOptions": {},<br />      "isParentJob": false,<br />      "parentJobId": null,<br />      "creationDate": "2021-07-15T15:42:04.771Z",<br />      "completionDate": "2021-07-16T00:16:07.282Z",<br />      "backupSizeInBytes": 8589934592,<br />      "sourceRecoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-007b3819f25697299",<br />      "sourceBackupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",<br />      "destinationRecoveryPointArn": "arn:aws:ec2:us-east-2::image/ami-0eba2199a0bcece3c",<br />      "destinationBackupVaultArn": "arn:aws:backup:us-east-2:112233445566:backup-vault:Default",<br />      "vaultType": "BACKUP_VAULT",<br />      "vaultLockStatus": "string",<br />      "isEncrypted": true,<br />      "encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/...",<br />      "deleteAfterDays": 30,<br />      "moveToColdAfterDays": 7,<br />      "enableArchive": false,<br />      "iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"<br />    }<br />  ]<br />}</pre> The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. | 
| RESTORE\_JOB\_REPORT | <pre>{<br />  "reportItems": [<br />    {<br />      "reportTimePeriod": "2021-07-14T15:53:30Z - 2021-07-15T15:53:30Z",<br />      "accountId": "112233445566",<br />      "region": "us-west-2",<br />      "restoreJobId": "4CACA67D-4E12-DC05-6C2B-0E97D01FA41E",<br />      "jobStatus": "RUNNING",<br />      "recoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-00201ecb57a5271ae",<br />      "resourceName": "string",<br />      "initiationDate": "2021-07-14T15:53:30Z",<br />      "backupPlanName": "string",<br />      "backupRuleName": "string",<br />      "backupRuleSchedule": "string",<br />      "backupRuleTimezone": "string",<br />      "startWindowEnd": "2021-07-14T15:53:30Z",<br />      "backupOptions": {},<br />      "isParentJob": false,<br />      "parentJobId": null,<br />      "vaultType": "BACKUP_VAULT",<br />      "vaultLockStatus": "string",<br />      "isEncrypted": true,<br />      "encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/...",<br />      "deleteAfterDays": 30,<br />      "moveToColdAfterDays": 7,<br />      "enableArchive": false,<br />      "sourceResourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",<br />      "backupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",<br />      "creationDate": "2021-07-15T15:52:49.797Z",<br />      "backupSizeInBytes": 8589934592,<br />      "percentDone": "0.00%",<br />      "iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"<br />    }<br />  ]<br />}</pre> The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. | 

## Compliance report templates
<a name="compliance-report-templates"></a>

**Compliance report templates** give you daily reports on the compliance of your backup activity and resources against the controls you defined in one or more frameworks. If the compliance status of one of your frameworks is `Non-compliant`, review a compliance report to identify the non-compliant resources.

**Types of compliance report templates**
+ `Control compliance report` helps you track the compliance status of the controls you have defined in your frameworks.
+ `Resource compliance report` helps you track the compliance status of your resources against the controls you defined in your frameworks. These reports include detailed evaluation results, including identifying information on non-compliant resources that you can use to identify and correct those resources.

The following table shows sample output from a compliance report.


| Compliance report template | Sample report in JSON format | 
| --- | --- | 
| CONTROL\_COMPLIANCE\_REPORT |  <pre>{<br />  "reportItems": [<br />    {<br />      "accountId": "112233445566",<br />      "region": "me-south-1",<br />      "frameworkName": "TestFramework7",<br />      "frameworkDescription": "A test framework",<br />      "controlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",<br />      "controlComplianceStatus": "NON_COMPLIANT",<br />      "lastEvaluationTime": "2021-08-17T03:21:56.002Z",<br />      "numResourcesCompliant": 91,<br />      "numResourcesNonCompliant": 205,<br />      "controlFrequency": "Twelve_Hours",<br />      "controlScope": "",<br />      "controlParameters": ""<br />    },<br />    {<br />      "accountId": "112233445566",<br />      "region": "me-south-1",<br />      "frameworkName": "TestFramework7",<br />      "frameworkDescription": "A test framework",<br />      "controlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",<br />      "controlComplianceStatus": "NON_COMPLIANT",<br />      "lastEvaluationTime": "2021-08-17T03:21:19.995Z",<br />      "numResourcesCompliant": 0,<br />      "numResourcesNonCompliant": 25,<br />      "controlScope": "{ComplianceResourceTypes: [],}",<br />      "controlParameters": "{\"requiredFrequencyValue\":\"1\",\"requiredRetentionDays\":\"35\",\"requiredFrequencyUnit\":\"hours\"}"<br />    }<br />  ]<br />}</pre>  | 
| RESOURCE\_COMPLIANCE\_REPORT | <pre>{<br />  "reportItems": [<br />    {<br />      "accountId": "112233445566",<br />      "region": "us-west-2",<br />      "frameworkName": "MyTestFramework",<br />      "frameworkDescription": "",<br />      "controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />      "resourceId": "AWS::EFS::FileSystem/fs-63c74e66",<br />      "resourceType": "AWS::EFS::FileSystem",<br />      "resourceComplianceStatus": "NON_COMPLIANT",<br />      "lastEvaluationTime": "2021-07-07T18:55:40.963Z"<br />    },<br />    {<br />      "accountId": "112233445566",<br />      "region": "us-west-2",<br />      "frameworkName": "MyTestFramework",<br />      "frameworkDescription": "",<br />      "controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />      "resourceId": "AWS::EFS::FileSystem/fs-b3d7c218",<br />      "resourceType": "AWS::EFS::FileSystem",<br />      "resourceComplianceStatus": "NON_COMPLIANT",<br />      "lastEvaluationTime": "2021-07-07T18:55:40.961Z"<br />    }<br />  ]<br />}</pre> | 
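The "Finding non-compliant resources" section and the resource compliance template above are both served by one added example (mine, not AWS code): it parses a constructed report in the RESOURCE_COMPLIANCE_REPORT shape, groups non-compliant resource IDs by framework and control, and flags controls whose newest evaluation is older than a chosen age, since a stale evaluation can carry a compliance status that no longer reflects the environment. The account, framework and resource identifiers in the sample are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the RESOURCE_COMPLIANCE_REPORT shape shown above.
# Account, framework and resource identifiers are made up for this example.
SAMPLE_RESOURCE_REPORT = json.dumps({
    "reportItems": [
        {
            "accountId": "112233445566", "region": "us-west-2",
            "frameworkName": "MyTestFramework", "frameworkDescription": "",
            "controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
            "resourceId": "AWS::EFS::FileSystem/fs-63c74e66",
            "resourceType": "AWS::EFS::FileSystem",
            "resourceComplianceStatus": "NON_COMPLIANT",
            "lastEvaluationTime": "2021-07-07T18:55:40.963Z",
        },
        {
            "accountId": "112233445566", "region": "us-west-2",
            "frameworkName": "MyTestFramework", "frameworkDescription": "",
            "controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
            "resourceId": "AWS::EFS::FileSystem/fs-b3d7c218",
            "resourceType": "AWS::EFS::FileSystem",
            "resourceComplianceStatus": "COMPLIANT",
            "lastEvaluationTime": "2021-07-07T18:55:40.961Z",
        },
        {
            "accountId": "112233445566", "region": "us-west-2",
            "frameworkName": "MyTestFramework", "frameworkDescription": "",
            "controlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
            "resourceId": "AWS::EC2::Instance/i-0bc877aee7782ba75",
            "resourceType": "AWS::EC2::Instance",
            "resourceComplianceStatus": "NON_COMPLIANT",
            "lastEvaluationTime": "2021-07-06T03:21:56.002Z",
        },
    ]
})


def parse_report_time(value):
    """Report timestamps are ISO 8601 UTC with fractional seconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def load_report_items(text):
    """Parse a JSON-format report and return its reportItems list."""
    return json.loads(text)["reportItems"]


def non_compliant_by_control(items):
    """Map (frameworkName, controlName) to the sorted NON_COMPLIANT resource IDs.

    Controls whose resources all passed do not appear in the result.
    """
    groups = defaultdict(list)
    for item in items:
        if item.get("resourceComplianceStatus") == "NON_COMPLIANT":
            key = (item["frameworkName"], item["controlName"])
            groups[key].append(item["resourceId"])
    return {key: sorted(ids) for key, ids in groups.items()}


def last_evaluation_by_control(items):
    """Most recent lastEvaluationTime seen for each control, as an aware datetime."""
    latest = {}
    for item in items:
        seen = parse_report_time(item["lastEvaluationTime"])
        name = item["controlName"]
        if name not in latest or seen > latest[name]:
            latest[name] = seen
    return latest


def stale_controls(items, now_iso, max_age_hours):
    """Controls whose newest evaluation is older than max_age_hours as of now_iso.

    Such a control may still show a status from before the last change to the
    environment, so it deserves a look before the report is treated as evidence.
    """
    now = parse_report_time(now_iso)
    limit = timedelta(hours=max_age_hours)
    latest = last_evaluation_by_control(items)
    return sorted(name for name, seen in latest.items() if now - seen > limit)


if __name__ == "__main__":
    report_items = load_report_items(SAMPLE_RESOURCE_REPORT)
    for (framework, control), ids in non_compliant_by_control(report_items).items():
        print(f"{framework}/{control}: {len(ids)} non-compliant: {', '.join(ids)}")
    print("stale controls:", stale_controls(report_items, "2021-07-08T00:00:00.000Z", 24))
```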

## Scanning report templates
<a name="scanning-report-templates"></a>

**Scanning report templates**. These templates give you daily updates on your scanning jobs with expanded context, including vault properties and backup plan details. You can use these reports to monitor scan job statuses and results, and to identify any failures that might need further action. The following table lists the scanning report template name and its sample output.


| Scanning report template | Sample report in JSON format | 
| --- | --- | 
| MALWARE\_JOB\_REPORT | <pre>{  <br />  "reportTimePeriodStart": "2025-11-09T00:00:00Z",   <br />  "reportTimePeriodEnd": "2025-11-10T00:00:00Z",   <br />  "accountId": "025066259999",   <br />  "region": "us-east-1",   <br />  "scanJobId": "489abba3-0a57-4207-93ff-d3947d85a8d3",   <br />  "scanId": "9ddd3144f68ea3ee6e388c66a0b55467",   <br />  "malwareScanner": "GUARDDUTY",   <br />  "jobStatus": "RUNNING",   <br />  "scanResultStatus":"",  <br />  "statusMessage": "",  <br />  "resourceType": "EBS",   <br />  "resourceArn": "arn:aws:ec2:us-east-1:025066259999:volume/vol-0f1c480a6a9b33cb7",   <br />  "backupPlanArn": "arn:aws:backup:us-east-1:025066259999:backup-plan:orgs/4232272a-ed54-3a88-b1d0-ace894b6c24c",   <br />  "creationDate": "2025-10-28T17:30:50.820Z",   <br />  "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-03fef858bad24c7a6",   <br />  "backupVaultName": "Default",   <br />  "backupVaultArn": "arn:aws:backup:us-east-1:025066259999:backup-vault:Default",   <br />  "iamRoleArn": "arn:aws:iam::025066259999:role/service-role/AWSBackupDefaultServiceRole",   <br />  "scannerRoleArn": "arn:aws:iam::025066259999:role/AWSBackupGuardDutyRolePolicyForScans"   <br />}</pre> | 

# Creating report plans using the AWS Backup console
<a name="create-report-plan-console"></a>

There are two types of reports. One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs. The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect. When you create a report, you choose which type of report to create.

Depending on your type of account, the console display may vary. Only management accounts will see multi-account functionality.

Similar to a *backup plan*, you create a *report plan* to automate the creation of your reports and define their destination Amazon S3 bucket. A report plan requires that you have an S3 bucket to receive your reports. You can't use a bucket from another account. For instructions on setting up a new S3 bucket, see [Step 1: Create your first S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html#creating-bucket) in the *Amazon Simple Storage Service User Guide*.

**To create your report plan in the AWS Backup console**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Choose **Create report plan**.

1. Choose one of the report templates from the list.

1. Enter a unique **Report plan name**. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (\_).

1. (Optional) Enter a **Report plan description**.

1. *Compliance report templates for one account only*. Choose one or more frameworks on which to report. You can add a maximum of 1,000 frameworks to a report plan.

   1. Choose your AWS Region.

   1. Choose a framework from that Region.

   1. Choose **Add framework**.

1. (Optional) To add tags to your report plan, choose **Add tags to the report plan**.

1. If you are using a management account, you can specify which accounts you want to include in this report plan. You can select **Only my account**, which will generate reports on just the account to which you’re currently logged in. Or, you can select **One or more accounts in my organization** (*available to management and delegated administrator accounts*).

1. (*If you are creating a compliance report for one Region only, skip this step.*) You can select which Regions to include in your report. Open the drop-down menu to show the Regions available to you. Select *All available Regions* or the Regions you prefer.

   1. The **Include new Regions when they are incorporated into Backup Audit Manager** check box will trigger new Regions to be included in your reports when they become available.

1. Choose the **File format** of your report. All reports can be exported in CSV format. Additionally, reports for a single Region can be exported in JSON format.

1. For **S3 bucket name**, choose a bucket from your account.

1. (Optional) Enter a bucket prefix.

   AWS Backup delivers your *current account, current Region* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/accountID/Region/year/month/day/report-name`.

   AWS Backup delivers your *cross-account* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/crossaccount/Region/year/month/day/report-name`.

   AWS Backup delivers your *cross-Region* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/accountID/crossregion/year/month/day/report-name`.

1. Choose **Create report plan**.

Next, you must allow your S3 bucket to receive reports from AWS Backup. After you create a report plan, AWS Backup Audit Manager automatically generates an S3 bucket access policy for you to apply.

If you encrypt your bucket using a customer managed KMS key, the KMS key policy must meet the following requirements:
+ The `Principal` attribute must include the Backup Audit Manager service-linked role [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) ARN.
+ The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.

 The policy [AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) has these permissions.

**To view and apply this access policy to your S3 bucket**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plan name**, select a report plan by choosing its name.

1. Choose **Edit**.

1. Choose **View access policy for S3 bucket**. You can also use the policy at the end of this procedure.

1. Choose **Copy permissions**.

1. Choose **Edit bucket policy**. Note that until the backup report is created the first time, the service-linked role referred to in the S3 bucket policy will not yet exist, resulting in the error "Invalid principal".

1. Copy the permissions to the **Policy**.

**Sample bucket policy**


```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":"arn:aws:iam::123456789012:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
      },
      "Action":"s3:PutObject",
      "Resource":[
        "arn:aws:s3:::BucketName/*"
      ],
      "Condition":{
        "StringEquals":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    }
  ]
}
```

If you use a customer managed AWS KMS key to encrypt the target S3 bucket that stores the reports, include the following actions in your policy:

```
      "Action":[
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],  
      "Resource":[
        "*"
      ],
```
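As an added check (my code, not AWS documentation or tooling), the following Python validates a report-delivery bucket policy against the shape of the sample policy above, and a KMS key policy against the two requirements listed earlier in this section (`kms:GenerateDataKey` and `kms:Decrypt` for the service-linked role). The role ARN reuses the placeholder account ID 123456789012 from the sample; the weak variants are constructed for contrast.

```python
# Placeholder role ARN in the shape used by the sample policy above; 123456789012 is not a real account.
REPORTS_ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
                    "reports.backup.amazonaws.com/AWSServiceRoleForBackupReports")
# The two KMS actions this section lists as the minimum for a customer managed key.
REQUIRED_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}


def bucket_policy(bucket, condition=None):
    """Constructed bucket policy in the shape of the sample above; condition=None omits it."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": REPORTS_ROLE_ARN},
            "Action": "s3:PutObject", "Resource": [f"arn:aws:s3:::{bucket}/*"]}
    if condition is not None:
        stmt["Condition"] = {"StringEquals": condition}
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_BUCKET_POLICY = bucket_policy("BucketName", {"s3:x-amz-acl": "bucket-owner-full-control"})
WEAK_BUCKET_POLICY = bucket_policy("BucketName")  # constructed: ACL condition dropped


def _as_list(value):
    """IAM policy fields may hold a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals of a statement; a bare "*" comes back as the string "*"."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def check_bucket_policy(policy, bucket):
    """Findings for a report-delivery bucket policy; an empty list means it is acceptable.

    Looks for an Allow of s3:PutObject on bucket/* to AWSServiceRoleForBackupReports that
    carries the bucket-owner-full-control condition the sample policy uses.
    """
    findings = []
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    delivery_grant_found = False
    for stmt in policy.get("Statement", []):
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        grants_put = bool(actions & {"s3:PutObject", "s3:*"}) and objects_arn in resources
        if stmt.get("Effect") != "Allow" or not grants_put:
            continue
        principals = _aws_principals(stmt)
        if "*" in principals:
            findings.append(f"s3:PutObject on {objects_arn} is open to every principal")
            continue
        if REPORTS_ROLE_ARN not in principals:
            continue
        delivery_grant_found = True
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            findings.append("delivery statement lacks the s3:x-amz-acl=bucket-owner-full-control condition")
    if not delivery_grant_found:
        findings.append(f"no Allow s3:PutObject for AWSServiceRoleForBackupReports on {objects_arn}")
    return findings


def key_policy_granting(actions):
    """Constructed KMS key policy granting the given actions to the reports role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": REPORTS_ROLE_ARN},
        "Action": list(actions), "Resource": "*"}]}


def check_kms_key_policy(key_policy):
    """Required KMS actions that the key policy does not grant to the reports role."""
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or REPORTS_ROLE_ARN not in _aws_principals(stmt):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("kms:*", "*"):
                granted |= REQUIRED_KMS_ACTIONS
            elif action.endswith("*"):  # e.g. kms:GenerateDataKey* also covers GenerateDataKey
                granted |= {a for a in REQUIRED_KMS_ACTIONS if a.startswith(action[:-1])}
            else:
                granted.add(action)
    return sorted(REQUIRED_KMS_ACTIONS - granted)


if __name__ == "__main__":
    print("sample bucket policy:", check_bucket_policy(SAMPLE_BUCKET_POLICY, "BucketName"))
    print("weak bucket policy:  ", check_bucket_policy(WEAK_BUCKET_POLICY, "BucketName"))
    print("key policy missing:  ",
          check_kms_key_policy(key_policy_granting(["kms:GenerateDataKey", "kms:Encrypt"])))
```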

# Creating report plans using the AWS Backup API
<a name="create-report-plan-api"></a>

You can also work with report plans programmatically.

There are two types of reports. One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs. The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect. When you create a report, you choose which type of report to create.

Similar to a *backup plan*, you create a *report plan* to automate the creation of your reports and define their destination Amazon S3 bucket. A report plan requires that you have an S3 bucket to receive your reports. For instructions on setting up a new S3 bucket, see [Step 1: Create your first S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html#creating-bucket) in the *Amazon Simple Storage Service User Guide*.

If you encrypt your bucket using a custom KMS key, the KMS key policy must meet the following requirements:
+ The `Principal` attribute must include the Backup Audit Manager service-linked role [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) ARN.
+ The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.

 The policy [AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) has these permissions.

For single-account, single-Region reports, use the following syntax to call [CreateReportPlan](API_CreateReportPlan.md). 

```
{
   "ReportPlanName": "string",
   "ReportPlanDescription": "string",
   "ReportSetting": {
        "ReportTemplate": enum // Can be RESOURCE_COMPLIANCE_REPORT, CONTROL_COMPLIANCE_REPORT, BACKUP_JOB_REPORT, COPY_JOB_REPORT, or RESTORE_JOB_REPORT. Only include "ReportCoverageList" if your report is a COMPLIANCE_REPORT.
   },
   "ReportDeliveryChannel": {
       "S3BucketName": "string",
       "S3KeyPrefix": "string",
       "Formats": [ enum ] // Optional. Can be either CSV, JSON, or both. Default is CSV if left blank.
   },
   "ReportPlanTags": { 
       "string" : "string" // Optional.
   },
   "IdempotencyToken": "string"
}
```

When you call [DescribeReportPlan](API_DescribeReportPlan.md) with the unique name of a report plan, the AWS Backup API responds with the following information.

```
{
    "ReportPlanArn": "string",
    "ReportPlanName": "string",
    "ReportPlanDescription": "string",
    "ReportSetting": {
        "ReportTemplate": enum
    },
    "ReportDeliveryChannel": {
        "S3BucketName": "string",
        "S3KeyPrefix": "string",
        "Formats": [ enum ]
    },
    "DeploymentStatus": enum,
    "CreationTime": timestamp,
    "LastAttemptExecutionTime": timestamp,
    "LastSuccessfulExecutionTime": timestamp
}
```

For multi-account, multi-Region reports, use the following syntax to call [CreateReportPlan](API_CreateReportPlan.md).

```
{
   "IdempotencyToken": "string",
   "ReportDeliveryChannel": { 
      "Formats": [ "string" ], // Organization reports only support the CSV format
      "S3BucketName": "string",
      "S3KeyPrefix": "string"
   },
   "ReportPlanDescription": "string",
   "ReportPlanName": "string",
   "ReportPlanTags": { 
      "string" : "string" 
   },
   "ReportSetting": { 
      "Accounts": [ "string" ], // Use string value of "ROOT" to include all organizational units
      "OrganizationUnits": [ "string" ],
      "Regions": ["string"], // Use wildcard value in string to include all Regions
      "FrameworkArns": [ "string" ],
      "NumberOfFrameworks": number,
      "ReportTemplate": "string"
   }
}
```

When you call [DescribeReportPlan](API_DescribeReportPlan.md) with the unique name of a report plan, the AWS Backup API responds with the following information for multi-account, multi-Region plans:

```
{
   "ReportPlan": { 
      "CreationTime": number,
      "DeploymentStatus": "string",
      "LastAttemptedExecutionTime": number,
      "LastSuccessfulExecutionTime": number,
      "ReportDeliveryChannel": { 
         "Formats": [ "string" ],
         "S3BucketName": "string",
         "S3KeyPrefix": "string"
      },
      "ReportPlanArn": "string",
      "ReportPlanDescription": "string",
      "ReportPlanName": "string",
      "ReportSetting": { 
         "Accounts":[ "string" ],
         "OrganizationUnits":[ "string" ],
         "Regions": [ "string" ], 
         "FrameworkArns": [ "string" ],
         "NumberOfFrameworks": number,
         "ReportTemplate": "string"
      }
   }
}
```

# Creating on-demand reports
<a name="create-on-demand-reports"></a>

You can generate new reports at your convenience by creating an on-demand report with the following steps. AWS Backup Audit Manager delivers your on-demand report to the Amazon S3 bucket that you specified in your report plan.

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plan name**, select a report plan by choosing its name.

1. Choose **Create on-demand report**.

You can generate an on-demand report for an existing report plan.

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plans**, select a report plan by choosing the radio button next to its name.

1. Choose **Actions**, then choose **Create on-demand report**.

You can do this for multiple reports, even while reports are being generated.

# Viewing audit reports
<a name="view-reports"></a>

You can open, view, and analyze AWS Backup Audit Manager reports using the programs that you ordinarily use to work with CSV or JSON files. Note that reports that cover multiple Regions or multiple accounts are only available in CSV format.

If the total size of a report exceeds 50 MB, AWS Backup Audit Manager splits it into multiple files: the first CSV file holds up to 50 MB, and additional CSV files hold the remainder of the report.

**To view a report**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plan name**, select a report plan by choosing its name.

1. Under **Report jobs**, choose the report link to view the report.

1. If your report's **Report status** has a dotted underline, choose it for information about your report.

1. Choose which report to view by its **Completion time**.

1. Choose the **S3 link**. This opens your destination S3 bucket.

1. Under **Name**, choose the name of the report that you want to view.

1. To save the report to your computer, choose **Download**.

# Updating report plans
<a name="update-report-plan"></a>

You can update an existing report plan's description, its delivery destination, and format. If applicable, you can also add or remove frameworks from the report plan.

**To update an existing report plan**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plan name**, select a report plan by choosing its name.

1. Choose **Edit**.

1. You can edit the report plan details, including the report name and description, as well as which accounts and Regions are included in the report.

# Deleting report plans
<a name="delete-report-plan"></a>

You can delete an existing report plan. When you delete a report plan, any reports already created by that report plan will remain in their destination Amazon S3 bucket.

**To delete an existing report plan**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Reports**.

1. Under **Report plan name**, select a report plan by choosing its name.

1. Choose **Delete**.

1. Enter the name of your report plan, and then choose **Delete report plan**.

# Using AWS Backup Audit Manager with CloudFormation
<a name="bam-cfn-integration"></a>

We provide the following sample CloudFormation templates for your reference:

**Topics**
+ [Turn on resource tracking](#turning-on-resource-tracking-cfn)
+ [Deploy default controls](#bam-cfn-frameworks-template)
+ [Exempt IAM roles from control evaluation](#bam-cfn-exempt-role-for-manual-delete)
+ [Create a report plan](#bam-cfn-report-plan)

## Turn on resource tracking
<a name="turning-on-resource-tracking-cfn"></a>

The following template turns on resource tracking as described in [Turning on resource tracking](https://docs.aws.amazon.com/aws-backup/latest/devguide/turning-on-resource-tracking.html).

```
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes:
        default: List of resource types if not all supported
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)

Parameters:
  AllSupported:
    Type: String
    Default: True
    Description: Indicates whether to record all supported resource types.
    AllowedValues:
      - True
      - False

  IncludeGlobalResourceTypes:
    Type: String
    Default: True
    Description: Indicates whether AWS Config records all supported global resource types.
    AllowedValues:
      - True
      - False

  ResourceTypes:
    Type: List<String>
    Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
    Default: <All>

  DeliveryChannelName:
    Type: String
    Default: <Generated>
    Description: The name of the delivery channel.

  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours

  TopicArn:
    Type: String
    Default: <New Topic>
    Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.

  NotificationEmail:
    Type: String
    Default: <None>
    Description: Email address for AWS Config notifications (for new topics).

Conditions:
  IsAllSupported: !Equals
    - !Ref AllSupported
    - True
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - <Generated>
  CreateTopic: !Equals
    - !Ref TopicArn
    - <New Topic>
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - <None>

Mappings:
  Settings:
    FrequencyMap:
      1hour   : One_Hour
      3hours  : Three_Hours
      6hours  : Six_Hours
      12hours : Twelve_Hours
      24hours : TwentyFour_Hours

Resources:

  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
          - Sid: AWSConfigBucketSecureTransport
            Action:
              - s3:*
            Effect: Deny
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
            Principal: "*"
            Condition:
              Bool:
                aws:SecureTransport:
                  false

  ConfigTopic:
    Condition: CreateTopic
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "config-topic-${AWS::AccountId}"
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: "alias/aws/sns"

  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com

  EmailNotification:
    Condition: CreateSubscription
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic
      
  ConfigRecorderServiceRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com
      Description: Service Role for AWS Config

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn:
      - ConfigBucketPolicy
      - ConfigRecorderServiceRole
    Properties:
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !FindInMap
          - Settings
          - FrequencyMap
          - !Ref Frequency
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !If
        - CreateTopic
        - !Ref ConfigTopic
        - !Ref TopicArn
```

## Deploy default controls
<a name="bam-cfn-frameworks-template"></a>

The following template creates a framework with the default controls described in [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).

```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
            - ParameterName: requiredFrequencyUnit
              ParameterValue: 'hours'
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
          ControlScope:
            Tags:
              - Key: customizedKey
                Value: customizedValue
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION
          ControlInputParameters:
            - ParameterName: crossRegionList
              ParameterValue: 'eu-west-2'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT
          ControlInputParameters:
            - ParameterName: crossAccountList
              ParameterValue: '111122223333'
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK
        - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
        - ControlName: RESTORE_TIME_FOR_RESOURCES_MEET_TARGET
          ControlInputParameters:
            - ParameterName: maxRestoreTime
              ParameterValue: '720'

Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```

## Exempt IAM roles from control evaluation
<a name="bam-cfn-exempt-role-for-manual-delete"></a>

The control `BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED` allows you to exempt up to five IAM roles that can still manually delete recovery points. The following template deploys this control and also exempts two IAM roles.

```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
          ControlInputParameters:
            - ParameterName: "principalArnList"
              ParameterValue: !Sub "arn:aws:iam::${AWS::AccountId}:role/AccAdminRole,arn:aws:iam::${AWS::AccountId}:role/ConfigRole"

Outputs:
  FrameworkArn:
    Value: !GetAtt TestFramework.FrameworkArn
```

## Create a report plan
<a name="bam-cfn-report-plan"></a>

The following template creates a report plan.

```
Description: "Basic AWS::Backup::ReportPlan template"

Parameters:
  ReportPlanDescription:
    Type: String
    Default: "SomeReportPlanDescription"
  S3BucketName:
    Type: String
    Default: "some-s3-bucket-name"
  S3KeyPrefix:
    Type: String
    Default: "some-s3-key-prefix"
  ReportTemplate:
    Type: String
    Default: "BACKUP_JOB_REPORT"

Resources:
  TestReportPlan:
    Type: "AWS::Backup::ReportPlan"
    Properties:
      ReportPlanDescription: !Ref ReportPlanDescription
      ReportDeliveryChannel:
        Formats:
          - "CSV"
        S3BucketName: !Ref S3BucketName
        S3KeyPrefix: !Ref S3KeyPrefix
      ReportSetting:
        ReportTemplate: !Ref ReportTemplate
        Regions: ['us-west-2', 'eu-west-1', 'us-east-1']
        Accounts: ['123456789098']
        OrganizationUnits: ['ou-abcd-1234wxyz']
      ReportPlanTags:
        - Key: "a"
          Value: "1"
        - Key: "b"
          Value: "2"

Outputs:
  ReportPlanArn:
    Value: !GetAtt TestReportPlan.ReportPlanArn
```

# Using AWS Backup Audit Manager with AWS Audit Manager
<a name="aws-audit-manager-integration"></a>

AWS Backup Audit Manager controls map to prebuilt, standard controls in AWS Audit Manager, allowing you to import your AWS Backup Audit Manager compliance findings to your AWS Audit Manager reports. You might want to do so to help a compliance officer, audit manager, or other colleague who reports on backup activity as part of your organization’s overall compliance posture.

You can import the compliance results of your AWS Backup Audit Manager controls to your AWS Audit Manager frameworks. To enable AWS Audit Manager to automatically collect data from your AWS Backup Audit Manager controls, create a custom control in AWS Audit Manager using the instructions for [Customizing an existing control](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-existing.html) in the *AWS Audit Manager User Guide*. As you follow those instructions, note that the **Data source** for AWS Backup controls is **AWS Config**.

For a list of AWS Backup controls, see [Choosing your controls](https://docs.aws.amazon.com/aws-backup/latest/devguide/choosing-controls.html).

# Controls and remediation
<a name="controls-and-remediation"></a>

This page lists the available controls for AWS Backup Audit Manager. You can choose the right info pane to see a list of controls and jump to a specific control. To quickly compare controls, see the table in [Choosing your controls](https://docs.aws.amazon.com/aws-backup/latest/devguide/choosing-controls.html). To programmatically define controls, see the code snippets in [Creating frameworks using the AWS Backup API](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-api.html). 

You can use up to 50 controls per account per Region. Using the same control in two different frameworks counts as using two controls of the 50 control limit.

This page lists each control with the following information:
+ Description. Values in brackets ("[ ]") are the default parameter values.
+ The **resource(s)** the control evaluates.
+ The **parameters** of the control.
+ When the control evaluation **occurs**.
+ The **scope** of the control, as follows:
  + You can specify **Resources by type** by choosing one or more AWS Backup-supported services.
  + You specify a **Tagged resources** scope with a single tag key and optional value.
  + You can specify a single resource using the **Single resource** dropdown list.
+ Remediation steps to bring applicable resources into compliance.

Note that only active resources will be included when controls evaluate resources for compliance. For example, an Amazon EC2 instance in a running state will be evaluated by the control [Last recovery point was created](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html#last-recovery-point-created-control). An EC2 instance in a stopped state will not be included in the compliance evaluation.

## Backup resources are included in at least one backup plan
<a name="backup-resources-protected-by-backup-plan"></a>

**Description**: Evaluates if resources are included in at least one backup plan.

**Resource**: `AWS Backup: backup selection`

**Parameters**: None

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type (default)
+ Single resource

**Remediation**: Assign the resources to a backup plan. AWS Backup automatically protects your resources after you assign them to a backup plan. For more information, see [Assigning resources to a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html).

## Backup plan minimum frequency and minimum retention
<a name="backup-plan-minimum-frequency-and-minimum-retention"></a>

**Description**: Evaluates if backup plans contain at least one backup rule for which the backup frequency is at least [1 day] and retention period is at least [35 days].

**Resource**: `AWS Backup: backup plans`

**Parameters:**
+ Required backup frequency in number of hours or days.
+ Required retention period in number of days, weeks, months, or years. We recommend a warm storage retention period of at least one week to enable AWS Backup to take incremental backups when possible, avoiding additional charges.

**Occurs**: Configuration changes

**Scope:**
+ Tagged resources
+ Single resource

**Remediation**: [Update a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/updating-a-backup-plan.html) to change either its backup frequency, retention period, or both. Updating your backup plan changes the retention period for recovery points the plan creates after your update.

## Vaults prevent manual deletion of recovery points
<a name="backup-prevent-recovery-point-manual-deletion"></a>

**Description**: Evaluates if backup vaults do not allow manual deletion of recovery points except by certain IAM roles.

**Resource**: `AWS Backup: backup vaults`

**Parameters**: The Amazon Resource Names (ARNs) of up to five IAM roles allowed to manually delete recovery points.

**Occurs**: Configuration changes

**Scope:**
+ Tagged resources
+ Single resource

**Remediation**: Create or modify a resource-based access policy on a backup vault. For an example policy and instructions on how to set a backup vault access policy, see [Deny access to delete recovery points in a backup vault](create-a-vault-access-policy.md#deny-access-to-delete-recovery-points).

## Recovery points are encrypted
<a name="backup-recovery-point-encrypted"></a>

**Description**: Evaluates if recovery points are encrypted.

**Resource**: `AWS Backup: recovery points`

**Parameters**: None

**Occurs**: Configuration changes

**Scope:**
+ Tagged resources

**Remediation**: Configure encryption for the recovery points. The way you configure encryption for AWS Backup recovery points differs depending on the resource type.

You can configure encryption for resource types that support full AWS Backup management using AWS Backup. If the resource type does not support full AWS Backup management, you must configure its backup encryption by following that service's instructions, such as [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the *Amazon Elastic Compute Cloud User Guide*. To see the list of resource types that support full AWS Backup management, see the "Full AWS Backup management" section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table.

## Minimum retention established for recovery point
<a name="backup-recovery-point-minimum-retention"></a>

**Description**: Evaluates if recovery point retention period is at least [35 days].

**Resource**: `AWS Backup: recovery points`

**Parameters**: Required recovery point retention period in number of days, weeks, months, or years. We recommend a warm storage retention period of at least one week to enable AWS Backup to take incremental backups when possible, avoiding additional charges.

**Occurs**: Configuration changes

**Scope:**
+ Tagged resources

**Remediation**: Change the retention periods of your recovery points. For more information, see [Editing a backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/editing-a-backup.html).

## Cross-Region backup copy is scheduled
<a name="backup-cross-region-copy"></a>

**Description**: Evaluates if a resource is configured to create copies of its backups to another AWS Region.

**Resource**: `AWS Backup: backup selection`

**Parameters:**
+ Select the AWS Region(s) where the backup copy should exist (Optional)
+ Region

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type
+ Single resource

**Remediation**: [Update a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/updating-a-backup-plan.html) to change the AWS Region where backup copy should exist.

## Cross-account backup copy is scheduled
<a name="backup-cross-account-copy"></a>

**Description**: Evaluates if a resource is configured to create copies of its backups to another account. You can add up to 5 accounts for the control to evaluate. The destination account must be in the same organization as the source account in AWS Organizations.

**Resource**: `AWS Backup: backup selection`

**Parameters:**
+ Select the AWS account ID(s) where the backup copy should exist (Optional)
+ Account ID

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type
+ Single resource

**Remediation**: [Update a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/updating-a-backup-plan.html) to change or add the AWS account ID(s) where the copy should exist.

## Resources are in a backup plan with an AWS Backup Vault Lock
<a name="backup-vault-lock-control"></a>

**Description**: Evaluates if a resource has immutable backups stored in a locked backup vault.

**Resource**: `AWS Backup: backup selection`

**Parameters:**
+ Input the minimum and maximum retention days for AWS Backup Vault Lock (optional)
+ Minimum retention days
+ Maximum retention days

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type
+ Single resource

**Remediation**: [Lock a backup vault](https://docs.aws.amazon.com//aws-backup/latest/devguide/vault-lock.html#lock-backup-vault-cli), specifying the vault name and setting its minimum retention days, its maximum retention days, or both. You can also include `ChangeableForDays` for a vault lock in compliance mode.

## Last recovery point was created
<a name="last-recovery-point-created-control"></a>

**Description**: This control evaluates if a recovery point has been created within the specified time frame (in days or hours).

The control is compliant if the resource has had a recovery point created within the time frame specified. The control is non-compliant if a recovery point was not created within the number of days or hours specified.

**Resource**: `AWS Backup: recovery points`

**Parameters:**
+ Input the specified time frame in whole numbers, either in hours or days.
+ Values of `hours` can range from `1` to `744`.
+ Value of `days` can range from `1` to `31`.

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type
+ Single resource

**Remediation**:
+ [Update a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/updating-a-backup-plan.html) to change the specified time frame of recovery point creation.
+ Additionally, you can create an on-demand backup.

## Restore time for resources meet target
<a name="restore-time-meets-target-control"></a>

**Description**: Evaluates if restoring protected resources completed within the target restore time.

This control checks if the restore time of a particular resource meets the target duration. The rule is NON_COMPLIANT if `LatestRestoreExecutionTimeMinutes` of a resource type is greater than `maxRestoreTime` in minutes.

**Parameters:**
+ `maxRestoreTime` (in minutes)

**Occurs**: Automatically every 24 hours

**Scope:**
+ Tagged resources
+ Resources by type
+ Single resource

**Note**  
AWS Backup does not provide any service-level agreements (SLAs) for a restore time. Restore times can vary based upon system load and capacity, even for restores containing the same resources.
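The evaluation rules for the two preceding controls, "Last recovery point was created" and "Restore time for resources meet target", can be modelled locally to reproduce findings over your own inventory exports. The following added example is not the service's implementation; it mirrors the documented rules (parameter ranges, the active-resource filter, and the `maxRestoreTime` comparison) over constructed ARNs, states and timestamps.

```python
from datetime import datetime, timedelta, timezone

# Documented ranges for the "Last recovery point was created" parameter.
TIME_FRAME_RANGES = {"hours": (1, 744), "days": (1, 31)}


def time_frame(value, unit):
    """Validate the control parameter and turn it into a timedelta."""
    if unit not in TIME_FRAME_RANGES:
        raise ValueError(f"unit must be one of {sorted(TIME_FRAME_RANGES)}")
    low, high = TIME_FRAME_RANGES[unit]
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{unit} value must be a whole number in {low}..{high}")
    return timedelta(**{unit: value})


def evaluate_last_recovery_point(resources, value, unit, now):
    """Return {resource_arn: 'COMPLIANT' | 'NON_COMPLIANT'}.

    A resource is COMPLIANT if at least one recovery point was created within
    the time frame ending at `now`. Inactive resources (for EC2, anything not
    in the running state) are left out of the evaluation, as documented."""
    cutoff = now - time_frame(value, unit)
    findings = {}
    for res in resources:
        if res["state"] != "running":
            continue
        recent = any(created >= cutoff for created in res["recovery_points"])
        findings[res["arn"]] = "COMPLIANT" if recent else "NON_COMPLIANT"
    return findings


def evaluate_restore_time(latest_restore_minutes, max_restore_time):
    """NON_COMPLIANT where LatestRestoreExecutionTimeMinutes > maxRestoreTime."""
    return {rtype: "NON_COMPLIANT" if minutes > max_restore_time else "COMPLIANT"
            for rtype, minutes in latest_restore_minutes.items()}


# Constructed sample inventory: hypothetical ARNs, states and timestamps.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESOURCES = [
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa",
     "state": "running", "recovery_points": [NOW - timedelta(hours=20)]},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb",
     "state": "running", "recovery_points": [NOW - timedelta(days=3)]},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ccc",
     "state": "stopped", "recovery_points": []},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ddd",
     "state": "running", "recovery_points": []},
]
# Constructed latest restore durations per resource type, in minutes.
SAMPLE_RESTORE_MINUTES = {"EC2": 600, "RDS": 900}


def noncompliant_resources(resources=SAMPLE_RESOURCES, value=1, unit="days",
                           now=NOW):
    """Sorted ARNs that the last-recovery-point control would flag."""
    findings = evaluate_last_recovery_point(resources, value, unit, now)
    return sorted(arn for arn, status in findings.items()
                  if status == "NON_COMPLIANT")


if __name__ == "__main__":
    for arn, status in evaluate_last_recovery_point(
            SAMPLE_RESOURCES, 1, "days", NOW).items():
        print(status, arn)
    print(evaluate_restore_time(SAMPLE_RESTORE_MINUTES, 720))
```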

## Resources in a logically air-gapped vault
<a name="resources-in-lag-vault-control"></a>

**Description**: This control evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and time frame. This control is NON_COMPLIANT if a recovery point has not been copied to a logically air-gapped vault in the time frame configured for the control.

**Resource**: `AWS Backup: recovery points`

**Parameters:**
+ `recoveryPointAgeValue`
+ `recoveryPointAgeUnit`

Input the time period. Specify the unit in `days` or `hours`. Specify a value for that unit. Values of hours can be within `24` to `2184` inclusive. Values of days can be within `1` to `91` inclusive.

A minimum value of `7` days or `168` hours is recommended. The control value should be no more frequent than the copy creation frequency of your backup plan; otherwise, you may see an unexpected `NON_COMPLIANT` status until your next backup is copied into a logically air-gapped vault and this control is run.

**Occurs**: Automatically every 24 hours

**Scope:**
+ Resources by type
+ Single resource