

# Working with audit frameworks
<a name="working-with-audit-frameworks"></a>

A *framework* is a collection of controls that helps you to evaluate your backup practices. You can use pre-built, customizable controls to define your policies and evaluate whether your backup practices comply with your policies. You can also set up automatic daily reports to gain insights into the compliance status of your frameworks.

Each framework applies to a single account and AWS Region. You can deploy a maximum of 15 frameworks per account per Region. You cannot deploy duplicate frameworks (frameworks that contain the same controls and parameters).

There are two different types of frameworks: 
+ The **AWS Backup framework** (recommended) – Use the AWS Backup framework to deploy all available controls to monitor your backup activity, coverage, and resources against the best practices that we recommend. 
+ A **custom framework** that you define – Use a custom framework to choose one or more specific controls and to customize control parameters.

**Topics**
+ [Choosing your controls](choosing-controls.md)
+ [Turning on resource tracking](turning-on-resource-tracking.md)
+ [Creating frameworks using the AWS Backup console](creating-frameworks-console.md)
+ [Creating frameworks using the AWS Backup API](creating-frameworks-api.md)
+ [Viewing framework compliance status](viewing-frameworks.md)
+ [Finding non-compliant resources](finding-non-compliant-resources.md)
+ [Updating audit frameworks](updating-frameworks.md)
+ [Deleting audit frameworks](deleting-frameworks.md)

# Choosing your controls
<a name="choosing-controls"></a>

The following table lists the AWS Backup Audit Manager controls, their customizable parameters, and their AWS Config recording resource types.


**Available controls**  

| Control name | Control description | Customizable parameters | AWS Config recording resource type | 
| --- | --- | --- | --- | 
| Backup resources are included in at least one backup plan | Evaluates if resources are included in at least one backup plan. | None | AWS Backup: backup selection | 
| Backup plan has minimum frequency and minimum retention | Evaluates if backup frequency is at least [1 day] and retention period is at least [35 days]. | Backup frequency; retention period | AWS Backup: backup plans | 
| Vaults prevent manual deletion of recovery points | Evaluates if backup vaults do not allow manual deletion of recovery points except by certain AWS Identity and Access Management (IAM) roles. By default, there are no IAM role exceptions. There are also no IAM role exceptions when you deploy this control with the AWS Backup framework. | Up to 5 IAM roles that allow manual deletion of recovery points | AWS Backup: backup vaults | 
| Recovery points are encrypted | Evaluates if the recovery points are encrypted. | None | AWS Backup: recovery points | 
| Minimum retention established for recovery point | Evaluates if the recovery point retention period is at least [35 days]. | Recovery point retention period | AWS Backup: recovery points | 
| Cross-Region backup copy is scheduled | Evaluates if a resource is configured to create copies of its backups to another AWS Region. | AWS Region | AWS Backup: backup selection | 
| Cross-account backup copy is scheduled | Evaluates if a resource has a cross-account backup copy configured. | AWS account ID | AWS Backup: backup selection | 
| Resources are in a backup plan with an AWS Backup Vault Lock | Evaluates if a resource has a backup plan configured to store backups in a locked backup vault. | Min Retention Days; Max Retention Days | AWS Backup: backup selection | 
| Last recovery point was created | Evaluates if a recovery point was created within the specified time frame. | Value in hours [1 to 744] or days [1 to 31] | AWS Backup: recovery points | 
| Restore time for resources meet target | Evaluates if the restore testing job completed within the target restore time. | Value in minutes | None | 
| Resources are inside a logically air-gapped vault | Evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and timeframe. | Value in minutes, hours, or days | AWS Backup: recovery points | 

For detailed information about these controls, see [Controls and remediation](controls-and-remediation.md).

For a list of AWS Backup-supported resources that don't support all controls, see the AWS Backup Audit Manager section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table.

**Note**  
If you don't want to use any of the preceding controls, you can still use AWS Backup Audit Manager to create daily reports of your backup, copy, and restore jobs. See [Working with audit reports](https://docs.aws.amazon.com/aws-backup/latest/devguide/working-with-audit-reports.html).

# Turning on resource tracking
<a name="turning-on-resource-tracking"></a>

Before you create your first compliance-related framework, you must turn on resource tracking. Doing so allows AWS Config to track your AWS Backup resources. For technical documentation about how to manage resource tracking, see [Setting up AWS Config with the console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) in the *AWS Config Developer Guide*. 

Charges apply when you turn on resource tracking. For information about resource tracking pricing and billing for AWS Backup Audit Manager, see [Metering, costs, and billing](https://docs.aws.amazon.com/aws-backup/latest/devguide/metering-and-billing.html).

**Topics**
+ [Turning on resource tracking using the console](#turning-on-resource-tracking-console)
+ [Turning on resource tracking using the AWS Command Line Interface (AWS CLI)](#turning-on-resource-tracking-cli)
+ [Turning on resource tracking using a CloudFormation template](#turning-on-resource-tracking-cfn)

## Turning on resource tracking using the console
<a name="turning-on-resource-tracking-console"></a>

**To turn on resource tracking using the console:**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, under **Audit Manager**, choose **Frameworks**.

1. Turn on resource tracking by choosing **Manage resource tracking**.

1. Choose **Go to AWS Config Settings**.

1. Choose **Enable or disable recording**.

1. Choose **Enable** recording for all of the following resource types, or choose to enable recording for some resource types. Refer to [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html) for which resource types are required for your controls.
   + `AWS Backup: backup plans`
   + `AWS Backup: backup vaults`
   + `AWS Backup: recovery points`
   + `AWS Backup: backup selection`

1. Choose **Close**.

1. Wait for the blue banner with the text **Turning on resource tracking** to transition to the green banner with the text **Resource tracking is on**.

You can check whether you have turned on resource tracking and, if so, which resource types you are recording, in two places in the AWS Backup console. In the left navigation pane, either:
+ Choose **Frameworks**, then choose the text under **AWS Config recorder status**.
+ Choose **Settings**, then choose the text under **AWS Config recorder status**.

## Turning on resource tracking using the AWS Command Line Interface (AWS CLI)
<a name="turning-on-resource-tracking-cli"></a>

If you have not yet onboarded to AWS Config, it might be faster to onboard using the AWS CLI.

**To turn on resource tracking using the AWS CLI:**

1. Type the following command to determine if you already enabled your AWS Config recorder.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   1. If your `ConfigurationRecorders` list is empty like this:

      ```
      {
        "ConfigurationRecorders": []
      }
      ```

      Your recorder is not enabled. Continue to step 2 to create your recorder.

   1. If you already enabled recording for all resources, your `ConfigurationRecorders` output will look like this:

      ```
      {
        "ConfigurationRecorders":[
          {
            "recordingGroup":{
              "allSupported":true,
              "resourceTypes":[
                
              ],
              "includeGlobalResourceTypes":true
            },
            "roleARN":"arn:aws:iam::[account]:role/[roleName]",
            "name":"default"
          }
        ]
      }
      ```

      Because you enabled recording for all resources, you have already turned on resource tracking. You do not need to complete the rest of this procedure to use AWS Backup Audit Manager.

1. Create an AWS Config recorder with the AWS Backup Audit Manager resource types.

   ```
   $ aws configservice put-configuration-recorder --configuration-recorder name=default,\
   roleARN=arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
   --recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection', \
   'AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint']"
   ```

1. Describe your AWS Config recorder.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   Verify that it has the AWS Backup Audit Manager resource types by comparing your output with the following expected output.

   ```
   {
     "ConfigurationRecorders":[
       {
         "name":"default",
         "roleARN":"arn:aws:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
         "recordingGroup":{
           "allSupported":false,
           "includeGlobalResourceTypes":false,
           "resourceTypes":[
             "AWS::Backup::BackupPlan",
             "AWS::Backup::BackupSelection",
             "AWS::Backup::BackupVault",
             "AWS::Backup::RecoveryPoint"
           ]
         }
       }
     ]
   }
   ```

1. Create an Amazon S3 bucket as the destination to store the AWS Config configuration files.

   ```
   $ aws s3api create-bucket --bucket amzn-s3-demo-bucket --region us-east-1
   ```

1. Use *policy.json* to grant AWS Config permission to access your bucket. See the following sample *policy.json*.

   ```
   $ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
   ```

   ```
   {
     "Version":"2012-10-17",
     "Statement":[
       {
         "Sid":"AWSConfigBucketPermissionsCheck",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:GetBucketAcl",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid":"AWSConfigBucketExistenceCheck",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid":"AWSConfigBucketDelivery",
         "Effect":"Allow",
         "Principal":{
           "Service":"config.amazonaws.com"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*"
       }
     ]
   }
   ```


1. Configure your bucket as an AWS Config delivery channel.

   ```
   $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket
   ```

1. Enable AWS Config recording.

   ```
   $ aws configservice start-configuration-recorder --configuration-recorder-name default
   ```

1. After you create a framework (see [Creating frameworks using the AWS Backup API](creating-frameworks-api.md)), verify that `"FrameworkStatus":"ACTIVE"` appears in the last line of your `DescribeFramework` output, as in the following example for a framework named `test`.

   ```
   $ aws backup describe-framework --framework-name test --region us-east-1
   ```

   ```
   {
     "FrameworkName":"test",
     "FrameworkArn":"arn:aws:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
     "FrameworkDescription":"",
     "FrameworkControls":[
       {
         "ControlName":"BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
         "ControlInputParameters":[
           {
             "ParameterName":"requiredRetentionDays",
             "ParameterValue":"1"
           }
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
         "ControlInputParameters":[
           {
             "ParameterName":"requiredFrequencyUnit",
             "ParameterValue":"hours"
           },
           {
             "ParameterName":"requiredRetentionDays",
             "ParameterValue":"35"
           },
           {
             "ParameterName":"requiredFrequencyValue",
             "ParameterValue":"1"
           }
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RECOVERY_POINT_ENCRYPTED",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       },
       {
         "ControlName":"BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
         "ControlInputParameters":[
           
         ],
         "ControlScope":{
           
         }
       }
     ],
     "CreationTime":1633463605.233,
     "DeploymentStatus":"COMPLETED",
     "FrameworkStatus":"ACTIVE"
   }
   ```
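The branching in steps 1 through 3 of the procedure above, as an added Python example (not from the AWS documentation): it reads the `describe-configuration-recorders` JSON, decides whether a recorder has to be created or updated, and builds the argument for boto3's `put_configuration_recorder` with the four AWS Backup resource types. The account id in the role ARN and the three sample outputs are constructed.

```python
import json

# The four AWS Config resource types that AWS Backup Audit Manager controls
# record (the same list the put-configuration-recorder command above uses).
BACKUP_RESOURCE_TYPES = frozenset({
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
})

# Assumed values for the example: a placeholder account id in the
# service-linked role ARN, and the recorder name used in the procedure.
ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
            "config.amazonaws.com/AWSServiceRoleForConfig")
RECORDER_NAME = "default"


def recorded_backup_types(describe_output):
    """Which of BACKUP_RESOURCE_TYPES the (single) recorder already records.

    None   -> "ConfigurationRecorders" is empty, no recorder exists (step 1a)
    full   -> allSupported is true, tracking is already on (step 1b)
    subset -> explicit resourceTypes list, which may be incomplete
    """
    recorders = describe_output.get("ConfigurationRecorders", [])
    if not recorders:
        return None
    group = recorders[0].get("recordingGroup", {})
    if group.get("allSupported"):
        return set(BACKUP_RESOURCE_TYPES)
    return BACKUP_RESOURCE_TYPES & set(group.get("resourceTypes", []))


def plan_recorder_action(describe_output, role_arn=ROLE_ARN):
    """Map describe-configuration-recorders output onto the procedure's branches.

    Returns ("done", None) when nothing is missing, otherwise
    ("create" | "update", kwargs) where kwargs is the argument for
    boto3 ConfigService.put_configuration_recorder(**kwargs).
    PutConfigurationRecorder replaces the recording group, so an update
    keeps the non-Backup types that are already being recorded.
    """
    recorded = recorded_backup_types(describe_output)
    if recorded == BACKUP_RESOURCE_TYPES:
        return "done", None
    existing = []
    if recorded is not None:
        group = describe_output["ConfigurationRecorders"][0].get("recordingGroup", {})
        existing = group.get("resourceTypes", [])
    kwargs = {"ConfigurationRecorder": {
        "name": RECORDER_NAME,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(set(existing) | BACKUP_RESOURCE_TYPES),
        },
    }}
    return ("create" if recorded is None else "update"), kwargs


# Constructed samples mirroring the three outputs the procedure describes.
NO_RECORDER = json.loads('{"ConfigurationRecorders": []}')
ALL_SUPPORTED = {"ConfigurationRecorders": [{
    "name": RECORDER_NAME, "roleARN": ROLE_ARN,
    "recordingGroup": {"allSupported": True, "resourceTypes": [],
                       "includeGlobalResourceTypes": True}}]}
PARTIAL = {"ConfigurationRecorders": [{
    "name": RECORDER_NAME, "roleARN": ROLE_ARN,
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance",
                                         "AWS::Backup::BackupPlan"]}}]}

if __name__ == "__main__":
    for label, output in (("empty", NO_RECORDER), ("all", ALL_SUPPORTED),
                          ("partial", PARTIAL)):
        action, kwargs = plan_recorder_action(output)
        types = (kwargs["ConfigurationRecorder"]["recordingGroup"]["resourceTypes"]
                 if kwargs else "-")
        print(f"{label:8} -> {action:7} {types}")
```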

## Turning on resource tracking using a CloudFormation template
<a name="turning-on-resource-tracking-cfn"></a>

For a CloudFormation template that turns on resource tracking, see [ Using AWS Backup Audit Manager with CloudFormation](https://docs.aws.amazon.com/aws-backup/latest/devguide/bam-cfn-integration.html).

# Creating frameworks using the AWS Backup console
<a name="creating-frameworks-console"></a>

After turning on resource tracking, create a framework using the following steps.

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the left navigation pane, choose **Frameworks**.

1. Choose **Create Framework**.

1. For **Framework name**, enter a unique name. The framework name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

1. (Optional) Enter a **Framework description**.

1. In **Controls**, your active controls will be displayed. By default, all controls eligible for a resource are listed.

   To change which controls are active, choose **Edit controls**.

   1. The first check box indicates if the control is turned on. To turn off a control, uncheck the box.

   1. Under **Choose resources to evaluate**, you can select how to choose resources, either by type, by tags, or by a single resource.

   The list of [AWS Backup Audit Manager controls](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html) describes the customization options for each control.

1. (Optional) Tag your framework by choosing **Add new tag**. You can use tags to search and filter your frameworks or track your costs.

1. Choose **Create framework**.

AWS Backup Audit Manager might take several minutes to create the framework.

If the error `AlreadyExists` occurs, a framework with the same controls and parameters already exists. To successfully create a new framework, at least one control or parameter must be different from existing frameworks.

# Creating frameworks using the AWS Backup API
<a name="creating-frameworks-api"></a>

The following table contains sample API requests to [CreateFramework](API_CreateFramework.md) for each control, along with sample API responses to the corresponding [DescribeFramework](API_DescribeFramework.md) requests. To work with AWS Backup Audit Manager programmatically, you can refer to these code snippets.



| Control | `CreateFramework` request | `DescribeFramework` response | 
| --- | --- | --- | 
| Backup resources are included in at least one backup plan | <pre>{"FrameworkName": "Control1",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["RDS"] // Evaluate only RDS instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control1",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control1",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control1-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["RDS"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control1",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Backup plan minimum frequency and minimum retention | <pre>{"FrameworkName": "Control2",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}, <br />        {"ParameterName": "requiredFrequencyUnit",<br />         "ParameterValue": "hours"},<br />        {"ParameterName": "requiredFrequencyValue",<br />         "ParameterValue": "24"}<br />      ],<br />     "ControlScope": <br />      {<br />       "Tags": {"key1": "prod"} // Evaluate backup plans that tagged with "key1": "prod".  <br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control2",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control2",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}, <br />        {"ParameterName": "requiredFrequencyUnit",<br />         "ParameterValue": "hours"},<br />        {"ParameterName": "requiredFrequencyValue",<br />         "ParameterValue": "24"}<br />      ],<br />     "ControlScope": <br />      {<br />       "Tags": {"key1": "prod"}<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control2",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Vaults prevent manual deletion of recovery points | <pre>{"FrameworkName": "Control3",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "principalArnList",<br />         "ParameterValue": <br />         "arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,<br />         arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,<br />         arn:aws:iam::123456789012:role/service-role/QuickSightAction"}<br />      ],<br />     "ControlScope": <br />      {"ComplianceResourceIds":["default"],<br />       "ComplianceResourceTypes": ["AWS::Backup::BackupVault"]<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control3",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control3",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control2-de7655ae-1e31-45cb-96a0-4f43d8c1969d",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "principalArnList",<br />         "ParameterValue": <br />         "arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess,<br />         arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer,<br />         arn:aws:iam::123456789012:role/service-role/QuickSightAction"}<br />      ],<br />     "ControlScope": <br />      {"ComplianceResourceIds":["default"],<br />       "ComplianceResourceTypes": ["AWS::Backup::BackupVault"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control3",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Minimum retention established for recovery point | <pre>{"FrameworkName": "Control4",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}<br />      ],<br />     "ControlScope": {} // Default scope (no scope input) sets scope to all recovery points.<br />    }<br />  ],<br /> "IdempotencyToken": "Control4",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control4",<br />"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-6e7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br />  "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",<br />     "ControlInputParameters": <br />      [<br />        {"ParameterName": "requiredRetentionDays",<br />         "ParameterValue": "35"}<br />      ],<br />     "ControlScope": {}<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control4",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Backup recovery points are encrypted | <pre>{"FrameworkName": "Control5",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",<br />     "ControlInputParameters": <br />      [],<br />     "ControlScope": {} // Default scope (no scope input) is all recovery points<br />    }<br />  ],<br /> "IdempotencyToken": "Control5",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control5",<br />"FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-7e7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br />  "FrameworkControls": <br />  [ <br />    {"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",<br />     "ControlInputParameters": <br />      [],<br />     "ControlScope": {}<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control5",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Cross-Region backup copy is scheduled | <pre>{"FrameworkName": "Control6",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control6",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control6",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control6-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_REGION",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control6",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Cross-account backup copy is scheduled | <pre>{"FrameworkName": "Control7",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control7",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control7",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control7-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_CROSS_ACCOUNT",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control7",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Resources are in a backup plan with an AWS Backup Vault Lock | <pre>{"FrameworkName": "Control8",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control8",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control8",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control8-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control8",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Last recovery point was created | <pre>{"FrameworkName": "Control9",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"] // Evaluate only EC2 instances<br />      }<br />    }<br />  ],<br /> "IdempotencyToken": "Control9",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | <pre>{"FrameworkName": "Control9",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control9",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| Restore time for resources meet target | <pre>{"FrameworkName":"Control10",<br />   "FrameworkDescription":"This is a test framework",<br />   "FrameworkControls":[<br />      {<br />         "ControlName":"RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",<br />         "ControlInputParameters":[<br />            {<br />               "ParameterName":"maxRestoreTime",<br />               "ParameterValue":"720"<br />            }<br />         ],<br />         "ControlScope":{<br />            "ComplianceResourceIds":[<br />            ],<br />            "ComplianceResourceTypes":[<br />               "DynamoDB" // Evaluates only DynamoDB databases<br />            ]<br />         }<br />      }<br />   ],<br />   "IdempotencyToken":"Control10",<br />   "FrameworkTags":{<br />      "key1":"foo"<br />   }<br />}</pre> | <pre>{"FrameworkName": "Control10",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control9-ce7655ae-1e31-45cb-96a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1516925490,<br /> "DeploymentStatus": "Active",<br /> "FrameworkStatus": "Completed",<br /> "IdempotencyToken": "Control10",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
| `RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT` | <pre>{"FrameworkName":"Control11",<br />   "FrameworkDescription":"This is a test framework",<br />   "FrameworkControls":[<br />      {<br />         "ControlName":"RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",<br />         "ControlInputParameters":[<br />            {<br />               "ParameterName":"recoveryPointAgeValue",<br />               "ParameterValue":"10"<br />            },<br />            {<br />               "ParameterName":"recoveryPointAgeUnit",<br />               "ParameterValue":"days"<br />            }<br />         ],<br />         "ControlScope":{<br />            "ComplianceResourceTypes":[<br />               "EC2"<br />            ]<br />         }<br />      }<br />   ],<br />   "IdempotencyToken":"Control11",<br />   "FrameworkTags":{<br />      "key1":"foo"<br />   }<br />}</pre> | <pre>{"FrameworkName": "Control11",<br /> "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control11-ab1234cd-5e67-89fg-06a0-4f43d8c19642",<br /> "FrameworkDescription": "This is a test framework",<br /> "FrameworkControls": <br />  [<br />    {"ControlName": "",<br />     "ControlInputParameters":[],<br />     "ControlScope": <br />      {"ComplianceResourceTypes": <br />        ["EC2","EBS"]<br />      }<br />    }<br />  ],<br /> "CreationTime": 1726087776.316,<br /> "DeploymentStatus": "COMPLETED",<br /> "FrameworkStatus": "ACTIVE",<br /> "IdempotencyToken": "Control11",<br /> "FrameworkTags": <br />  {"key1": "foo"}<br />}</pre> | 
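An added Python example (not AWS code) that builds a `CreateFramework` request in the shape of the table above and checks it locally against the rules this page states before any API call: the framework-name syntax from the console procedure, the limit of 15 frameworks per account per Region, and the `AlreadyExists` rule that a framework with the same controls and parameters cannot be deployed twice. The existing framework it compares against is a constructed `DescribeFramework`-style record based on the `Control2` row.

```python
import json
import re

# Name rule from the console procedure: 1-256 characters, starting with a
# letter, then letters, digits and underscores only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,255}$")
MAX_FRAMEWORKS_PER_REGION = 15


def is_valid_framework_name(name):
    return bool(NAME_RE.match(name))


def control(name, params=None, scope=None):
    """One FrameworkControls entry; params maps ParameterName -> ParameterValue."""
    return {
        "ControlName": name,
        "ControlInputParameters": [
            {"ParameterName": k, "ParameterValue": v}
            for k, v in (params or {}).items()
        ],
        "ControlScope": scope or {},
    }


def control_fingerprint(controls):
    """Order-independent identity of a control set (names, parameters, scope).

    Two frameworks with equal fingerprints are duplicates in the sense this
    page describes, so CreateFramework would fail with AlreadyExists.
    """
    canon = []
    for c in controls:
        params = tuple(sorted(
            (p["ParameterName"], p["ParameterValue"])
            for p in c.get("ControlInputParameters", [])))
        scope = json.dumps(c.get("ControlScope", {}), sort_keys=True)
        canon.append((c["ControlName"], params, scope))
    return tuple(sorted(canon))


def build_create_request(name, controls, description="", tags=None, token=None):
    """Request body in the shape of the CreateFramework samples above."""
    if not is_valid_framework_name(name):
        raise ValueError(f"invalid framework name: {name!r}")
    return {
        "FrameworkName": name,
        "FrameworkDescription": description,
        "FrameworkControls": controls,
        "IdempotencyToken": token or name,
        "FrameworkTags": tags or {},
    }


def precheck(request, existing):
    """Reasons the request would be rejected (an empty list means go ahead).

    `existing` holds DescribeFramework responses for the frameworks already
    deployed in this account and Region.
    """
    problems = []
    if len(existing) >= MAX_FRAMEWORKS_PER_REGION:
        problems.append("limit: 15 frameworks per account per Region reached")
    new_fp = control_fingerprint(request["FrameworkControls"])
    for fw in existing:
        if fw["FrameworkName"] == request["FrameworkName"]:
            problems.append(f"name already in use: {fw['FrameworkName']}")
        if control_fingerprint(fw["FrameworkControls"]) == new_fp:
            problems.append(
                f"AlreadyExists: same controls and parameters as {fw['FrameworkName']}")
    return problems


# Constructed: the deployed framework from the Control2 row of the table.
MIN_FREQ = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
PROD_SCOPE = {"Tags": {"key1": "prod"}}
EXISTING = [{
    "FrameworkName": "Control2",
    "FrameworkControls": [control(MIN_FREQ, {
        "requiredRetentionDays": "35",
        "requiredFrequencyUnit": "hours",
        "requiredFrequencyValue": "24"}, PROD_SCOPE)],
}]

# Same parameters in a different order under a new name: still a duplicate.
DUPLICATE = build_create_request("prod_retention", [control(MIN_FREQ, {
    "requiredFrequencyValue": "24",
    "requiredFrequencyUnit": "hours",
    "requiredRetentionDays": "35"}, PROD_SCOPE)])

# One parameter changed: a distinct framework, so creation is allowed.
DISTINCT = build_create_request("prod_retention_60", [control(MIN_FREQ, {
    "requiredRetentionDays": "60",
    "requiredFrequencyUnit": "hours",
    "requiredFrequencyValue": "24"}, PROD_SCOPE)])

if __name__ == "__main__":
    print("duplicate:", precheck(DUPLICATE, EXISTING))
    print("distinct: ", precheck(DISTINCT, EXISTING))
```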

# Viewing framework compliance status
<a name="viewing-frameworks"></a>

Once you create an audit framework, it appears in your **Frameworks** table. You can view this table by choosing **Frameworks** in the left navigation pane of the AWS Backup console. To view the audit results for your framework, choose its **Framework name**. Doing so takes you to the **Framework detail** page, which has two sections: **Summary** and **Controls**.

The **Summary** section lists the following statuses from left to right:
+ **Compliance status** is your audit framework’s overall compliance status as determined by the compliance status of each of its controls. Each control’s compliance status is determined by the compliance status of each resource it evaluates.

  Framework compliance status is `Compliant` only if all resources in the scope of your control evaluations have passed those evaluations. If one or more resources failed a control evaluation, the compliance status will be `Non-Compliant`. For information on how to find your non-compliant resources, see [Finding non-compliant resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/finding-non-compliant-resources.html). For information on how to bring your resources into compliance, see the remediation section of [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).
+ **Framework status** refers to whether you have turned on resource tracking for all of your resources. The possible statuses are:
  + `Active` when recording is turned on for all resources the framework evaluates. 
  + `Partially active` when recording is turned off for at least one resource the framework evaluates.
  + `Inactive` when recording is turned off for all resources that the framework evaluates.
  + `Unavailable` when AWS Backup Audit Manager is unable to validate recording status at this time.

**To correct a `Partially active` or `Inactive` status**

  1. Choose **Frameworks** from the left navigation pane.

  1. Choose **Manage resource tracking**.

  1. Follow the instructions in the pop-up to turn on recording for the resource types that were not previously being recorded.

  For more information about which resource types require resource tracking based on the controls you included in your frameworks, see the resource component of [AWS Backup Audit Manager controls and remediation](https://docs.aws.amazon.com/aws-backup/latest/devguide/controls-and-remediation.html).
+ **Deployment status** refers to your framework’s deployment status. This status should most often be `Completed`, but can also be `Create in progress`, `Update in progress`, `Delete in progress`, or `Failed`. (The `DescribeFramework` API reports the same states as `COMPLETED`, `CREATE_IN_PROGRESS`, `UPDATE_IN_PROGRESS`, `DELETE_IN_PROGRESS`, and `FAILED`.)
  + A status of `Failed` means the framework didn't deploy correctly. [Delete the framework](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-frameworks.html), then recreate it through the [AWS Backup console](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-console.html) or the [AWS Backup API](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-frameworks-api.html).
+ **Compliant controls** show a count of framework controls with all evaluations passing.
+ **Non-compliant controls** show a count of framework controls with at least one evaluation not passing.

The **Controls** section shows you the following information:
+ **Control status** refers to each control's compliance status. A control can be `Compliant`, meaning all resources in scope passed the evaluation; `Non-compliant`, meaning at least one resource did not pass; or `Insufficient data`, meaning the control found no resources within its evaluation scope to evaluate. Treat `Insufficient data` as unverified rather than as passing: a resource type that is not being recorded generates no evaluations and therefore cannot fail a control, so read **Framework status** alongside **Compliance status**.
+ **Evaluation scope** might limit each control to one or more **Resource types**, one **Resource ID**, or one **Tag key** and **Tag value**, based on how you customized your control when creating your audit framework. If all fields are empty (as shown by a dash, "-"), then the control evaluates all applicable resources.
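
As an added example (not from the AWS Backup documentation or the service's own code), the following Python reads the same Summary-section statuses from a `DescribeFramework` API response and turns them into the actions described above. The framework dict follows the response shape of `boto3.client("backup").describe_framework(FrameworkName=...)` as shown in this guide's API examples; the framework itself and the per-control compliance map are constructed sample data, and the rule that an unevaluated control is reported separately instead of as passing is this example's choice.

```python
"""Triage a framework the way the console's Summary section does.

Added example, not AWS's code. SAMPLE_FRAMEWORK follows the
describe_framework() response shape; its contents and
SAMPLE_CONTROL_COMPLIANCE (per-control results as AWS Config reports
them) are constructed sample data.
"""

# Constructed sample: a deployed framework whose recording is turned off
# for at least one resource type it evaluates.
SAMPLE_FRAMEWORK = {
    "FrameworkName": "Control11",
    "DeploymentStatus": "COMPLETED",        # or CREATE_IN_PROGRESS, UPDATE_IN_PROGRESS, DELETE_IN_PROGRESS, FAILED
    "FrameworkStatus": "PARTIALLY_ACTIVE",  # or ACTIVE, INACTIVE, UNAVAILABLE
    "FrameworkControls": [
        {
            "ControlName": "RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",
            "ControlInputParameters": [],
            "ControlScope": {"ComplianceResourceTypes": ["EC2"]},
        },
        {
            "ControlName": "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",
            "ControlInputParameters": [
                {"ParameterName": "maxRestoreTime", "ParameterValue": "720"}
            ],
            "ControlScope": {},  # empty scope: evaluates all applicable resources
        },
    ],
}

# Constructed sample: COMPLIANT | NON_COMPLIANT | INSUFFICIENT_DATA per control.
SAMPLE_CONTROL_COMPLIANCE = {
    "RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT": "COMPLIANT",
    "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET": "NON_COMPLIANT",
}


def describe_scope(scope):
    """Render a ControlScope the way the console's Evaluation scope column does."""
    parts = []
    if scope.get("ComplianceResourceTypes"):
        parts.append("types=" + ",".join(scope["ComplianceResourceTypes"]))
    if scope.get("ComplianceResourceIds"):
        parts.append("ids=" + ",".join(scope["ComplianceResourceIds"]))
    if scope.get("Tags"):
        parts.append("tags=" + ",".join(f"{k}={v}" for k, v in scope["Tags"].items()))
    return "; ".join(parts) or "-"  # "-" means all applicable resources


def summarize(framework, control_compliance):
    """Return the Summary-section view plus the actions the statuses call for."""
    actions = []

    deployment = framework["DeploymentStatus"]
    if deployment == "FAILED":
        actions.append("deployment FAILED: delete the framework and recreate it")
    elif deployment != "COMPLETED":
        actions.append(f"deployment {deployment}: results are not final yet")

    tracking = framework["FrameworkStatus"]
    if tracking in ("PARTIALLY_ACTIVE", "INACTIVE"):
        actions.append(f"framework status {tracking}: turn on resource tracking "
                       "(Frameworks > Manage resource tracking)")
    elif tracking == "UNAVAILABLE":
        actions.append("framework status UNAVAILABLE: recording status could not "
                       "be validated; re-check later")

    # A control with no AWS Config result has found nothing to evaluate.
    by_status = {"COMPLIANT": [], "NON_COMPLIANT": [], "INSUFFICIENT_DATA": []}
    for control in sorted(c["ControlName"] for c in framework["FrameworkControls"]):
        status = control_compliance.get(control, "INSUFFICIENT_DATA")
        by_status[status if status in by_status else "INSUFFICIENT_DATA"].append(control)

    # Compliant only when every evaluated resource passed; an unevaluated control
    # is surfaced on its own, because an untracked resource type can never fail.
    if by_status["NON_COMPLIANT"]:
        compliance = "NON_COMPLIANT"
    elif by_status["INSUFFICIENT_DATA"]:
        compliance = "INSUFFICIENT_DATA"
    else:
        compliance = "COMPLIANT"

    return {
        "framework": framework["FrameworkName"],
        "compliance": compliance,
        "compliant_controls": len(by_status["COMPLIANT"]),
        "non_compliant_controls": len(by_status["NON_COMPLIANT"]),
        "unevaluated_controls": by_status["INSUFFICIENT_DATA"],
        "scopes": {c["ControlName"]: describe_scope(c["ControlScope"])
                   for c in framework["FrameworkControls"]},
        "actions": actions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FRAMEWORK, SAMPLE_CONTROL_COMPLIANCE), indent=2))
```

To run this against a real account, replace `SAMPLE_FRAMEWORK` with the result of `describe_framework` and build the compliance map from the AWS Config rule that backs each control (the control name in the console links to it).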

# Finding non-compliant resources
<a name="finding-non-compliant-resources"></a>

AWS Backup Audit Manager helps you find which resources are non-compliant in two ways.
+ When [Viewing framework compliance status](https://docs.aws.amazon.com/aws-backup/latest/devguide/viewing-frameworks.html), choose the control name in the **Controls** section. Doing so takes you to the AWS Config console, where you can view a list of your `Non-Compliant` resources.
+ After you [Create a report plan with the resource compliance template](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html) that includes your framework, you can [View your report](https://docs.aws.amazon.com/aws-backup/latest/devguide/view-reports.html) to identify all your `Non-Compliant` resources across all your controls.

  Furthermore, your `Resource compliance report` shows the last time AWS Backup Audit Manager evaluated each of your controls.
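
The same two pieces of information, the non-compliant resources and when each control was last evaluated, can be pulled from the AWS Config rules that back the controls. The following Python is an added example, not AWS's code: the records follow the `EvaluationResults` shape returned by `boto3.client("config").get_compliance_details_by_config_rule(ConfigRuleName=..., NextToken=...)`, while the rule names, resource IDs, timestamps, annotations and the in-memory pager are constructed sample data. How AWS Config names the rule for a given control is not assumed here; pass the rule names you see when a control name in the console opens its rule.

```python
"""List the non-compliant resources behind a framework's controls, with the
time each control was last evaluated.

Added example, not AWS's code. sample_fetch() stands in for
get_compliance_details_by_config_rule() with the same argument names and
NextToken pagination; everything in SAMPLE_PAGES is constructed.
"""
from datetime import datetime, timezone


def _ts(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _result(rule, rtype, rid, compliance, recorded, note=None):
    """One EvaluationResults entry in the AWS Config response shape."""
    entry = {
        "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid},
            "OrderingTimestamp": _ts(recorded)},
        "ComplianceType": compliance,
        "ResultRecordedTime": _ts(recorded),
    }
    if note:
        entry["Annotation"] = note
    return entry


# Assumed rule names, constructed for the sample.
RULE_RESTORE = "Control10-restore-time-rule"
RULE_AIRGAP = "Control11-air-gapped-vault-rule"
RULE_EMPTY = "Control11-untracked-type-rule"

# Constructed pages: the first rule spans two pages linked by NextToken; the
# third rule has evaluated nothing (its resource type is not being recorded).
SAMPLE_PAGES = {
    RULE_RESTORE: [
        {"EvaluationResults": [
            _result(RULE_RESTORE, "AWS::DynamoDB::Table", "orders", "NON_COMPLIANT",
                    "2024-09-11T20:09:36", "restore took 800 minutes; target is 720"),
            _result(RULE_RESTORE, "AWS::DynamoDB::Table", "sessions", "COMPLIANT",
                    "2024-09-11T20:09:36"),
        ], "NextToken": "page-2"},
        {"EvaluationResults": [
            _result(RULE_RESTORE, "AWS::DynamoDB::Table", "audit-log", "NON_COMPLIANT",
                    "2024-09-11T20:09:36", "no restore job in the evaluation window"),
        ]},
    ],
    RULE_AIRGAP: [
        {"EvaluationResults": [
            _result(RULE_AIRGAP, "AWS::EC2::Instance", "i-0123456789abcdef0",
                    "COMPLIANT", "2024-09-11T19:00:00"),
        ]},
    ],
    RULE_EMPTY: [{"EvaluationResults": []}],
}


def sample_fetch(ConfigRuleName, NextToken=None):
    """Stand-in for the boto3 call; same argument names and pagination contract."""
    page_index = 0 if NextToken is None else int(NextToken.split("-")[1]) - 1
    return SAMPLE_PAGES[ConfigRuleName][page_index]


def iter_results(rule_name, fetch):
    """Follow NextToken until the rule's evaluation results are exhausted."""
    kwargs = {"ConfigRuleName": rule_name}
    while True:
        page = fetch(**kwargs)
        yield from page.get("EvaluationResults", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def non_compliant_resources(rule_names, fetch=sample_fetch):
    """Per rule: when it last recorded a result and which resources failed it.

    A rule with no results yields last_evaluated=None: that is the
    Insufficient data case, not a clean pass.
    """
    report = {}
    for rule in rule_names:
        last_evaluated, failed = None, []
        for entry in iter_results(rule, fetch):
            recorded = entry["ResultRecordedTime"]
            if last_evaluated is None or recorded > last_evaluated:
                last_evaluated = recorded
            if entry["ComplianceType"] == "NON_COMPLIANT":
                q = entry["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                failed.append((q["ResourceType"], q["ResourceId"], entry.get("Annotation", "")))
        report[rule] = {"last_evaluated": last_evaluated, "non_compliant": sorted(failed)}
    return report


if __name__ == "__main__":
    for rule, info in non_compliant_resources(SAMPLE_PAGES).items():
        print(rule, info["last_evaluated"], *info["non_compliant"], sep="\n  ")
```

Against a real account, pass `fetch=boto3.client("config").get_compliance_details_by_config_rule`; the keyword names and the `NextToken` loop are the ones that call uses.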

# Updating audit frameworks
<a name="updating-frameworks"></a>

You can update the description, controls, and parameters of an existing audit framework. The framework name itself cannot be changed; it identifies the framework you are updating.

**To update an existing framework**

1. In the AWS Backup console left navigation pane, choose **Frameworks**.

1. Choose the framework you want to edit by its **Framework name**.

1. Choose **Edit**.
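
The same update can be made through the API. The following Python is an added example, not AWS's code: `UpdateFramework` (`boto3.client("backup").update_framework(**request)`) accepts `FrameworkName`, `FrameworkDescription`, `FrameworkControls` and `IdempotencyToken`, and the control list you send is the control list the framework ends up with, so the helper starts from the existing controls returned by `DescribeFramework` and changes only what you ask for, dropping the read-only fields that `DescribeFramework` returns but `UpdateFramework` does not accept. The starting framework is a constructed sample in the `describe_framework()` response shape.

```python
"""Build an UpdateFramework request from a DescribeFramework response.

Added example, not AWS's code. SAMPLE_DESCRIBED is constructed sample data in
the describe_framework() response shape.
"""
import copy
import uuid

# Returned by DescribeFramework but not accepted by UpdateFramework.
READ_ONLY_FIELDS = ("FrameworkArn", "CreationTime", "DeploymentStatus",
                    "FrameworkStatus", "FrameworkTags", "ResponseMetadata")

SAMPLE_DESCRIBED = {  # constructed
    "FrameworkName": "Control10",
    "FrameworkArn": "arn:aws:backup:us-east-1:123456789012:framework/Control10-ce7655ae-1e31-45cb-96a0-4f43d8c19642",
    "FrameworkDescription": "This is a test framework",
    "FrameworkControls": [
        {"ControlName": "RESTORE_TIME_FOR_RESOURCES_MEET_TARGET",
         "ControlInputParameters": [{"ParameterName": "maxRestoreTime", "ParameterValue": "720"}],
         "ControlScope": {"ComplianceResourceTypes": ["DynamoDB"]}},
    ],
    "CreationTime": 1516925490,
    "DeploymentStatus": "COMPLETED",
    "FrameworkStatus": "ACTIVE",
    "IdempotencyToken": "Control10",
    "FrameworkTags": {"key1": "foo"},
}


def build_update_request(described, *, description=None, set_params=None,
                         add_controls=(), remove_controls=(), idempotency_token=None):
    """Return kwargs for update_framework(); the input dict is left untouched."""
    controls = copy.deepcopy(described["FrameworkControls"])
    by_name = {c["ControlName"]: c for c in controls}

    for name in remove_controls:
        if name not in by_name:
            raise KeyError(f"{name} is not in framework {described['FrameworkName']}")
        controls.remove(by_name.pop(name))

    for control in add_controls:
        name = control["ControlName"]
        if name in by_name:
            raise ValueError(f"{name} is already in the framework; use set_params")
        by_name[name] = copy.deepcopy(control)
        controls.append(by_name[name])

    # Parameter values are strings in the API, whatever type the caller passes.
    for name, params in (set_params or {}).items():
        control = by_name[name]
        existing = {p["ParameterName"]: p
                    for p in control.setdefault("ControlInputParameters", [])}
        for pname, value in params.items():
            if pname in existing:
                existing[pname]["ParameterValue"] = str(value)
            else:
                control["ControlInputParameters"].append(
                    {"ParameterName": pname, "ParameterValue": str(value)})

    if not controls:
        raise ValueError("a framework needs at least one control")

    request = {
        "FrameworkName": described["FrameworkName"],
        "FrameworkControls": controls,
        # A fresh token per logical update; reuse it only when retrying that update.
        "IdempotencyToken": idempotency_token or str(uuid.uuid4()),
    }
    new_description = description if description is not None else described.get("FrameworkDescription")
    if new_description:
        request["FrameworkDescription"] = new_description
    assert not any(f in request for f in READ_ONLY_FIELDS)
    return request


if __name__ == "__main__":
    import json
    req = build_update_request(
        SAMPLE_DESCRIBED,
        set_params={"RESTORE_TIME_FOR_RESOURCES_MEET_TARGET": {"maxRestoreTime": 480}})
    print(json.dumps(req, indent=2))
    # boto3.client("backup").update_framework(**req)
```

Retrying the same update should reuse the same `IdempotencyToken`; a new token is generated only when none is supplied, so pass one explicitly if your caller has a retry loop.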

# Deleting audit frameworks
<a name="deleting-frameworks"></a>

**To delete an existing framework**

1. In the AWS Backup console left navigation pane, choose **Frameworks**.

1. Choose the framework you want to delete by its **Framework name**.

1. Choose **Delete**.

1. Type the name of your framework and choose **Delete framework**.