Choosing your controls
The following table lists the AWS Backup Audit Manager controls, their customizable parameters, and their AWS Config recording resource types. Every control requires the recording resource type AWS Config: resource compliance, because this type records your compliance status.
Control name | Control description | Customizable parameters | AWS Config recording resource type |
---|---|---|---|
Backup resources are included in at least one backup plan | Evaluates if resources are included in at least one backup plan. | None | AWS Backup: backup selection |
Backup plan has minimum frequency and minimum retention | Evaluates if backup frequency is at least [1 day] and retention period is at least [35 days]. | Backup frequency; retention period | AWS Backup: backup plans |
Vaults prevent manual deletion of recovery points | Evaluates if backup vaults do not allow manual deletion of recovery points except by certain AWS Identity and Access Management (IAM) roles. By default, there are no IAM role exceptions. There are also no IAM role exceptions when you deploy this control with the AWS Backup framework. | Up to 5 IAM roles that allow manual deletion of recovery points | AWS Backup: backup vaults |
Recovery points are encrypted | Evaluates if the recovery points are encrypted. | None | AWS Backup: recovery points |
Minimum retention established for recovery point | Evaluates if the recovery point retention period is at least [35 days]. | Recovery point retention period | AWS Backup: recovery points |
Cross-Region backup copy is scheduled | Evaluates if a resource is configured to create copies of its backups to another AWS Region. | AWS Region | AWS Backup: backup selection |
Cross-account backup copy is scheduled | Evaluates if a resource has a cross-account backup copy configured. | AWS account ID | AWS Backup: backup selection |
Backups are protected by AWS Backup Vault Lock | Evaluates if a resource is configured to have its backups in a locked backup vault. | Min Retention Days; Max Retention Days | AWS Backup: backup selection |
Last recovery point was created | Evaluates if a recovery point was created within the specified time frame. | Value in hours [1 to 744] or days [1 to 31] | AWS Backup: recovery points |
Restore time for resources meet target | Evaluates if the restore testing job completed within the target restore time. | Value in minutes | None |
Resources are inside a logically air-gapped vault | Evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and time frame. | Value in minutes, hours, or days | AWS Backup: recovery points |
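A pre-deployment check that encodes the constraints in the table above (the always-required resource compliance type, each control's own recording resource type, the 1 to 744 hours / 1 to 31 days window, and the five-role exemption limit). This is an added example, not AWS code; the control identifiers, parameter names, and the framework shape follow the AWS Backup CreateFramework API as the author recalls it, and the list of recorded AWS Config types is something you would read from your own recorder configuration.

```python
"""Check an AWS Backup Audit Manager framework definition before deploying it."""

# Assumed API identifiers (not listed on the page): control name -> AWS Config
# resource type that the table says the control needs recorded.
REQUIRED_TYPES = {
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN": "AWS::Backup::BackupSelection",
    "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK": "AWS::Backup::BackupPlan",
    "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED": "AWS::Backup::BackupVault",
    "BACKUP_RECOVERY_POINT_ENCRYPTED": "AWS::Backup::RecoveryPoint",
    "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK": "AWS::Backup::RecoveryPoint",
    "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK": "AWS::Backup::BackupSelection",
    "BACKUP_LAST_RECOVERY_POINT_CREATED": "AWS::Backup::RecoveryPoint",
}
ALWAYS_REQUIRED = "AWS::Config::ResourceCompliance"  # every control needs this one
AGE_LIMITS = {"hours": 744, "days": 31}              # window from the table


def _params(control):
    """Flatten ControlInputParameters into a plain dict."""
    return {p["ParameterName"]: p["ParameterValue"]
            for p in control.get("ControlInputParameters", [])}


def check_framework(controls, recorded_types):
    """Return a list of problems; an empty list means the definition passes."""
    problems, recorded = [], set(recorded_types)
    if ALWAYS_REQUIRED not in recorded:
        problems.append(f"AWS Config is not recording {ALWAYS_REQUIRED}")
    for control in controls:
        name, p = control["ControlName"], _params(control)
        needed = REQUIRED_TYPES.get(name)
        if needed and needed not in recorded:
            problems.append(f"{name}: AWS Config is not recording {needed}")
        if name == "BACKUP_LAST_RECOVERY_POINT_CREATED":
            limit = AGE_LIMITS.get(p.get("recoveryPointAgeUnit"))
            value = int(p.get("recoveryPointAgeValue", 0))
            if limit is None or not 1 <= value <= limit:
                problems.append(f"{name}: value must be 1-744 hours or 1-31 days")
        if name == "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED":
            # principalArnList is assumed to be a comma-separated string of role ARNs
            roles = [a for a in p.get("principalArnList", "").split(",") if a.strip()]
            if len(roles) > 5:
                problems.append(f"{name}: at most 5 IAM roles may be exempted")
    return problems


if __name__ == "__main__":
    # Constructed sample: one control, recorder missing the recovery point type.
    sample = [{"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED"}]
    print(check_framework(sample, [ALWAYS_REQUIRED]))
```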
For detailed information about these controls, see Controls and remediation.
For a list of AWS Backup-supported resources that don't support all controls, see the AWS Backup Audit Manager section of the Feature availability by resource table.
Note
If you don't want to use any of the preceding controls, you can still use AWS Backup Audit Manager to create daily reports of your backup, copy, and restore jobs. See Working with audit reports.