# Working with audit reports
AWS Backup Audit Manager reports are automatically generated evidence of your AWS Backup activity, such as:
+ Which backup jobs finished and when
+ Which resources you backed up
There are two types of reports. When you create a report, you choose which type is created.
One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs with comprehensive context about vault properties, backup plan configurations, and lifecycle settings. Jobs reports do not display a status of `completed with issues`. To find this status, you can filter for `Completed` jobs with one or more status messages. AWS Backup will only include a status message as part of a `Completed` job's status if the message requires attention or action.
The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect.
AWS Backup Audit Manager delivers a daily report in to your Amazon S3 bucket. If the report is for the current region and current account, you can choose to receive the report in either CSV or JSON format. Otherwise, the report is available in CSV format. The timing of the daily report might fluctuate over several hours because AWS Backup Audit Manager performs randomization to maintain its performance. You can also run an on-demand report anytime.
All account holders can create cross-Region reports; management and [delegated administrator](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html#backup-delegatedadmin) account holders can also create cross-account reports.
**Tip**
To ensure reports generated by delegated administrator accounts show all member account data, [create frameworks](working-with-audit-frameworks.md) in each of those member accounts.
## Enhanced job report context
AWS Backup Audit Manager job reports now include expanded context to help customers better understand backup operations, especially for delegated administrator accounts monitoring across organizations.
The enhanced reports now include:
+ *Vault information*: Vault type, lock status, and encryption details
+ *Backup plan context*: Plan names, rule names, schedules, and timezones
+ *Lifecycle settings*: Retention periods and cold storage transition settings
+ *Resource details*: Resource names and enhanced job metadata
This expanded context eliminates the need for additional API calls to DescribeBackupVault, DescribeBackupPlan, and DescribeRecoveryPoint, providing comprehensive job information in a single report.
**Note**
The expanded context provides information that previously required separate API calls with additional permissions. Ensure that users with access to these reports have appropriate permissions for the enhanced information being provided.
You can have a maximum of 20 report plans per AWS account.
**Note**
Resources such as RDS that do not have the capability to show incremental bytes of data of a specific backup will display the value `backupSizeInBytes` as 0.
**Note**
[Restore testing validation and deletion status](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing-validation.html) after your restore jobs report has been generated, will be reported in subsequent restore jobs report on completion with the same restore job id.
To allow AWS Backup Audit Manager to create daily or on-demand reports, you must first create a *report plan* from a *report template*.
**Topics**
+ [Enhanced job report context](#expanded-context-reports)
+ [Choosing your report template](choosing-report-template.md)
+ [Creating report plans using the AWS Backup console](create-report-plan-console.md)
+ [Creating report plans using the AWS Backup API](create-report-plan-api.md)
+ [Creating on-demand reports](create-on-demand-reports.md)
+ [Viewing audit reports](view-reports.md)
+ [Updating report plans](update-report-plan.md)
+ [Deleting report plans](delete-report-plan.md)
# Choosing your report template
A report template defines the information that your report plan includes in your report. When you automate your reports using a *report plan*, AWS Backup Audit Manager provides you reports for the previous 24 hours. AWS Backup Audit Manager creates these reports between the hours of 1 and 5 AM UTC. It offers the following report templates.
## Backup report templates
**Backup report templates**. These templates give you daily updates on your backup, restore, or copy jobs with expanded context including vault properties, backup plan details, and lifecycle settings. You can use these reports to monitor your operational posture, understand backup configurations, and identify any failures that might need further action. The following table lists each backup report template name and its sample output.
| Backup report template | Sample report in JSON format |
| --- | --- |
| BACKUP\$1JOB\$1REPORT | {
"reportItems": [
{
"reportTimePeriodStart": "2021-07-14T00:00:00Z",
"reportTimePeriodEnd": "2021-07-15T00:00:00Z",
"accountId": "112233445566",
"region": "us-west-2",
"backupJobId": "FCCB040A-9426-2A49-2EA9-5EAFFAC656AC",
"jobStatus": "COMPLETED",
"resourceType": "EC2",
"resourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",
"resourceName": "MyEC2Instance",
"backupPlanArn": "arn:aws:backup:us-west-2:112233445566:backup-plan:349f2247-b489-4301-83ac-4b7dd724db9a",
"backupRuleId": "ab88bbf8-ff4e-4f1b-92e7-e13d3e65dcfb",
"initiationDate": "2021-07-14T23:53:47.229Z",
"backupPlanName": "MyBackupPlan",
"backupRuleName": "DailyBackups",
"backupRuleSchedule": "cron(0 5 ? * * *)",
"backupRuleTimezone": "UTC",
"startWindowEnd": "2021-07-14T23:53:47.229Z",
"backupOptions": {},
"isParentJob": false,
"parentJobId": null,
"creationDate": "2021-07-14T23:53:47.229Z",
"completionDate": "2021-07-15T00:16:07.282Z",
"recoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-030cafb98e5a6dcdf",
"jobRunTime": "00:22:20",
"backupSizeInBytes": 8589934592,
"backupVaultName": "Default",
"backupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",
"vaultType": "BACKUP_VAULT",
"vaultLockStatus": "UNLOCKED",
"isEncrypted": true,
"encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/12345678-1234-1234-1234-123456789012",
"deleteAfterDays": 30,
"moveToColdAfterDays": 7,
"enableArchive": false,
"iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"
}
]
} The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. |
| COPY\$1JOB\$1REPORT | {
"reportItems": [
{
"reportTimePeriodStart": "2021-07-14T15:48:31Z",
"reportTimePeriodEnd": "2021-07-15T15:48:31Z",
"accountId": "112233445566",
"region": "us-west-2",
"copyJobId": "E0AD48A9-0560-B668-3EF0-941FDC0AD6B1",
"jobStatus": "RUNNING",
"jobRunTime": "2021-07-16T00:00:00.010Z",
"resourceType": "EC2",
"resourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",
"resourceName": "string",
"initiationDate": "2021-07-14T15:48:31Z",
"backupPlanName": "string",
"backupRuleName": "string",
"backupRuleSchedule": "string",
"backupRuleTimezone": "string",
"startWindowEnd": "2021-07-14T15:48:31Z",
"backupOptions": {},
"isParentJob": false,
"parentJobId": null,
"creationDate": "2021-07-15T15:42:04.771Z",
"completionDate": "2021-07-16T00:16:07.282Z",
"backupSizeInBytes": 8589934592,
"sourceRecoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-007b3819f25697299",
"sourceBackupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",
"destinationRecoveryPointArn": "arn:aws:ec2:us-east-2::image/ami-0eba2199a0bcece3c",
"destinationBackupVaultArn": "arn:aws:backup:us-east-2:112233445566:backup-vault:Default",
"vaultType": "BACKUP_VAULT",
"vaultLockStatus": "string",
"isEncrypted": true,
"encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/...",
"deleteAfterDays": 30,
"moveToColdAfterDays": 7,
"enableArchive": false,
"iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"
}
]
} The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. |
| RESTORE\$1JOB\$1REPORT | {
"reportItems": [
{
"reportTimePeriod": "2021-07-14T15:53:30Z - 2021-07-15T15:53:30Z",
"accountId": "112233445566",
"region": "us-west-2",
"restoreJobId": "4CACA67D-4E12-DC05-6C2B-0E97D01FA41E",
"jobStatus": "RUNNING",
"recoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-00201ecb57a5271ae",
"resourceName": "string",
"initiationDate": "2021-07-14T15:53:30Z",
"backupPlanName": "string",
"backupRuleName": "string",
"backupRuleSchedule": "string",
"backupRuleTimezone": "string",
"startWindowEnd": "2021-07-14T15:53:30Z",
"backupOptions": {},
"isParentJob": false,
"parentJobId": null,
"vaultType": "BACKUP_VAULT",
"vaultLockStatus": "string",
"isEncrypted": true,
"encryptionKeyArn": "arn:aws:kms:us-west-2:112233445566:key/...",
"deleteAfterDays": 30,
"moveToColdAfterDays": 7,
"enableArchive": false,
"sourceResourceArn": "arn:aws:ec2:us-west-2:112233445566:instance/i-0bc877aee7782ba75",
"backupVaultArn": "arn:aws:backup:us-west-2:112233445566:backup-vault:Default",
"creationDate": "2021-07-15T15:52:49.797Z",
"backupSizeInBytes": 8589934592,
"percentDone": "0.00%",
"iamRoleArn": "arn:aws:iam::112233445566:role/service-role/AWSBackupDefaultServiceRole"
}
]
} The `vaultType` field is not included in the API response in regions where logically air-gapped vaults are not available. |
## Compliance report templates
**Compliance report templates** give you daily reports on the compliance of your backup activity and resources against the controls you defined in one or more frameworks. If the compliance status of one of your frameworks is `Non-compliant`, review a compliance report to identify the non-compliant resources.
**Types of compliance report templates**
+ `Control compliance report` helps you track the compliance status of the controls you have defined in your frameworks.
+ `Resource compliance report` helps you track the compliance status of your resources against the controls you defined in your frameworks. These reports include detailed evaluation results, including identifying information on non-compliant resources that you can use to identify and correct those resources.
The following table shows sample output from a compliance report.
| Compliance report template | Sample report in JSON format |
| --- | --- |
| CONTROL\$1COMPLIANCE\$1REPORT | {
"reportItems": [
{
"accountId": "112233445566",
"region": "me-south-1",
"frameworkName": "TestFramework7",
"frameworkDescription": "A test framework",
"controlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
"controlComplianceStatus": "NON_COMPLIANT",
"lastEvaluationTime": "2021-08-17T03:21:56.002Z",
"numResourcesCompliant": 91,
"numResourcesNonCompliant": 205,
"controlFrequency": "Twelve_Hours",
"controlScope": "",
"controlParameters": ""
},
{
"accountId": "112233445566",
"region": "me-south-1",
"frameworkName": "TestFramework7",
"frameworkDescription": "A test framework",
"controlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
"controlComplianceStatus": "NON_COMPLIANT",
"lastEvaluationTime": "2021-08-17T03:21:19.995Z",
"numResourcesCompliant": 0,
"numResourcesNonCompliant": 25,
"controlScope": "{ComplianceResourceTypes: [],}",
"controlParameters": "{\"requiredFrequencyValue\":\"1\",\"requiredRetentionDays\":\"35\",\"requiredFrequencyUnit\":\"hours\"}"
}
]
} |
| RESOURCE\$1COMPLIANCE\$1REPORT | {
"reportItems": [
{
"accountId": "112233445566",
"region": "us-west-2",
"frameworkName": "MyTestFramework",
"frameworkDescription": "",
"controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
"resourceId": "AWS::EFS::FileSystem/fs-63c74e66",
"resourceType": "AWS::EFS::FileSystem",
"resourceComplianceStatus": "NON_COMPLIANT",
"lastEvaluationTime": "2021-07-07T18:55:40.963Z"
},
{
"accountId": "112233445566",
"region": "us-west-2",
"frameworkName": "MyTestFramework",
"frameworkDescription": "",
"controlName": "BACKUP_LAST_RECOVERY_POINT_CREATED",
"resourceId": "AWS::EFS::FileSystem/fs-b3d7c218",
"resourceType": "AWS::EFS::FileSystem",
"resourceComplianceStatus": "NON_COMPLIANT",
"lastEvaluationTime": "2021-07-07T18:55:40.961Z"
}
]
} |
## Scanning report templates
**Scanning report templates**. These templates give you daily updates on your scanning jobs with expanded context including vault properties, and backup plan details. You can use these reports to monitor your scan job statuses, reports, and identify any failures that might need further action. The following table lists a scanning report template name and its sample output.
| Scanning report template | Sample report in JSON format |
| --- | --- |
| MALWARE\$1JOB\$1REPORT | {
"reportTimePeriodStart": "2025-11-09T00:00:00Z",
"reportTimePeriodEnd": "2025-11-10T00:00:00Z",
"accountId": "025066259999",
"region": "us-east-1",
"scanJobId": "489abba3-0a57-4207-93ff-d3947d85a8d3",
"scanId": "9ddd3144f68ea3ee6e388c66a0b55467",
"malwareScanner": "GUARDDUTY",
"jobStatus": "RUNNING",
"scanResultStatus":"",
"statusMessage": "",
"resourceType": "EBS",
"resourceArn": "arn:aws:ec2:us-east-1:025066259999:volume/vol-0f1c480a6a9b33cb7",
"backupPlanArn": "arn:aws:backup:us-east-1:025066259999:backup-plan:orgs/4232272a-ed54-3a88-b1d0-ace894b6c24c",
"creationDate": "2025-10-28T17:30:50.820Z",
"recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-03fef858bad24c7a6",
"backupVaultName": "Default",
"backupVaultArn": "arn:aws:backup:us-east-1:025066259999:backup-vault:Default",
"iamRoleArn": "arn:aws:iam::025066259999:role/service-role/AWSBackupDefaultServiceRole",
"scannerRoleArn": "arn:aws:iam::025066259999:role/AWSBackupGuardDutyRolePolicyForScans"
} |
# Creating report plans using the AWS Backup console
There are two types of reports. One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs. The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect. When you create a report, you choose which type of report to create.
Depending on your type of account, the console display may vary. Only management accounts will see multi-account functionality.
Similar to a *backup plan*, you create a *report plan* to automate the creation of your reports and define their destination Amazon S3 bucket. A report plan requires that you have an S3 bucket to receive your reports. You can't use a bucket from another account. For instructions on setting up a new S3 bucket, see [Step 1: Create your first S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html#creating-bucket) in the *Amazon Simple Storage Service User Guide*.
**To create your report plan in the AWS Backup console**
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Choose **Create report plan**.
1. Choose one of the report templates from the list.
1. Enter a unique **Report plan name**. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (\$1).
1. (Optional) Enter a **Report plan description**.
1. *Compliance report templates for one account only*. Choose one or more frameworks on which to report. You can add a maximum 1,000 frameworks to a report plan.
1. Choose your AWS Region.
1. Choose a framework from that Region.
1. Choose **Add framework**.
1. (Optional) To add tags to your report plan, choose **Add tags to the report plan**.
1. If you are using a management account, you can specify which accounts you want to include in this report plan. You can select **Only my account**, which will generate reports on just the account to which you’re currently logged in. Or, you can select **One or more accounts in my organization** (*available to management and delegated administrator accounts*).
1. (*If you are creating a compliance report for one Region only, skip this step*). You can select which Regions to include in your report. Click the drop down menu to show Regions available to you. Select *All available Regions* or the Regions you prefer.
1. The **Include new Regions when they are incorporated into Backup Audit Manager** check box will trigger new Regions to be included in your reports when they become available.
1. Choose the **File format** of your report. All reports can be exported in CSV format. Additionally, reports for a single Region can be exported in JSON format.
1. For **S3 bucket name**, choose a bucket from your account.
1. (Optional) Enter a bucket prefix.
AWS Backup delivers your *current account, current Region* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/accountID/Region/year/month/day/report-name`.
AWS Backup delivers your *cross-account* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/crossaccount/Region/year/month/day/report-name`
AWS Backup delivers your *cross-Region* reports to `s3://amzn-s3-demo-bucket/prefix/Backup/accountID/crossregion/year/month/day/report-name`
1. Choose **Create report plan**.
Next, you must allow your S3 bucket to receive reports from AWS Backup. After you create a report plan, AWS Backup Audit Manager automatically generates an S3 bucket access policy for you to apply.
If you encrypt your bucket using a customer managed KMS key, the KMS key policy must meet the following requirements:
+ The `Principal` attribute must include the Backup Audit Manager service-linked role [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) ARN.
+ The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.
The policy [AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) has these permissions.
**To view and apply this access policy to your S3 bucket**
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plan name**, select a report plan by choosing its name.
1. Choose **Edit**.
1. Choose **View access policy for S3 bucket**. You can also use the policy at the end of this procedure.
1. Choose **Copy permissions**.
1. Choose **Edit bucket policy**. Note that until the backup report is created the first time, the service-linked role referred to in the S3 bucket policy will not yet exist, resulting in the error "Invalid principal".
1. Copy the permissions to the **Policy**.
**Sample bucket policy**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123456789012:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
},
"Action":"s3:PutObject",
"Resource":[
"arn:aws:s3:::BucketName/*"
],
"Condition":{
"StringEquals":{
"s3:x-amz-acl":"bucket-owner-full-control"
}
}
}
]
}
```
------
If you use a custom AWS Key Management Service to encrypt your target S3 bucket that stores the reports, include the following actions in your policy:
```
"Action":[
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource":[
"*"
],
```
# Creating report plans using the AWS Backup API
You can also work with report plans programmatically.
There are two types of reports. One type is a **jobs report**, which shows jobs finished in the last 24 hours and all active jobs. The second type of report is a **compliance report**. Compliance reports can monitor resource levels or the different controls that are in effect. When you create a report, you choose which type of report to create.
Similar to a *backup plan*, you create a *report plan* to automate the creation of your reports and define their destination Amazon S3 bucket. A report plan requires that you have an S3 bucket to receive your reports. For instructions on setting up a new S3 bucket, see [Step 1: Create your first S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html#creating-bucket) in the *Amazon Simple Storage Service User Guide*.
If you encrypt your bucket using a custom KMS key, the KMS key policy must meet the following requirements:
+ The `Principal` attribute must include the Backup Audit Manager service-linked role [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) ARN.
+ The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.
The policy [AWSServiceRolePolicyForBackupReports](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports) has these permissions.
For single-account, single-Region reports, use the following syntax to call [CreateReportPlan](API_CreateReportPlan.md).
```
{
"ReportPlanName": "string",
"ReportPlanDescription": "string",
"ReportSetting": {
"ReportTemplate": enum, // Can be RESOURCE_COMPLIANCE_REPORT, CONTROL_COMPLIANCE_REPORT, BACKUP_JOB_REPORT, COPY_JOB_REPORT, or RESTORE_JOB_REPORT. Only include "ReportCoverageList" if your report is a COMPLIANCE_REPORT.
"ReportDeliveryChannel": {
"S3BucketName": "string",
"S3KeyPrefix": "string",
"Formats": [ enum ] // Optional. Can be either CSV, JSON, or both. Default is CSV if left blank.
},
"ReportPlanTags": {
"string" : "string" // Optional.
},
"IdempotencyToken": "string"
}
```
When you call [DescribeReportPlan](API_DescribeReportPlan.md) with the unique name of a report plan, the AWS Backup API responds with the following information.
```
{
"ReportPlanArn": "string",
"ReportPlanName": "string",
"ReportPlanDescription": "string",
"ReportSetting": {
"ReportTemplate": enum,
},
"ReportDeliveryChannel": {
"S3BucketName": "string",
"S3KeyPrefix": "string",
"Formats": [ enum ]
},
"DeploymentStatus": enum
"CreationTime": timestamp,
"LastAttemptExecutionTime": timestamp,
"LastSuccessfulExecutionTime": timestamp
}
```
For multi-account, multi-Region reports, use the following syntax to call [CreateReportPlan](API_CreateReportPlan.md).
```
{
"IdempotencyToken": "string",
"ReportDeliveryChannel": {
"Formats": [ "string" ], *//Organization report only support CSV file*
"S3BucketName": "string",
"S3KeyPrefix": "string"
},
"ReportPlanDescription": "string",
"ReportPlanName": "string",
"ReportPlanTags": {
"string" : "string"
},
"ReportSetting": {
"Accounts": [ "string" ], // Use string value of "ROOT" to include all organizational units
"OrganizationUnits": [ "string" ],
"Regions": ["string"], // Use wildcard value in string to include all Regions
"FrameworkArns": [ "string" ],
"NumberOfFrameworks": number,
"ReportTemplate": "string"
}
}
```
When you call [DescribeReportPlan](API_DescribeReportPlan.md) with the unique name of a report plan, the AWS Backup API responds with the following information for multi-account, multi-Region plans:
```
{
"ReportPlan": {
"CreationTime": number,
"DeploymentStatus": "string",
"LastAttemptedExecutionTime": number,
"LastSuccessfulExecutionTime": number,
"ReportDeliveryChannel": {
"Formats": [ "string" ],
"S3BucketName": "string",
"S3KeyPrefix": "string"
},
"ReportPlanArn": "string",
"ReportPlanDescription": "string",
"ReportPlanName": "string",
"ReportSetting": {
"Accounts":[ "string" ],
"OrganizationUnits":[ "string" ],
"Regions": [ "string" ],
"FrameworkArns": [ "string" ],
"NumberOfFrameworks": number,
"ReportTemplate": "string"
}
}
}
```
# Creating on-demand reports
You can generate new reports at your convenience by creating an on-demand report with the following steps. AWS Backup Audit Manager delivers your on-demand report to the Amazon S3 bucket that you specified in your report plan.
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plan name**, select a report plan by choosing its name.
1. Choose **Create on-demand report**.
You can generate an on-demand report for an existing report plan.
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plans**, select a report plan by clicking on the radio button next to the report plan name.
1. Click **Actions**, then click **Create on-demand report**.
You can do this for multiple reports, even while reports are being generated.
# Viewing audit reports
You can open, view, and analyze AWS Backup Audit Manager reports using the programs that you ordinarily use to work with CSV or JSON files. Note that reports for multiple regions or multiple accounts are only available in CSV format.
Large files are broken up into multiple reports if the total file size exceeds 50 MB. If the resulting files are over 50 MB, AWS Backup Audit Manager will create additional CSV files with the remainder of the report.
**To view a report**
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plan name**, select a report plan by choosing its name.
1. Under **Report jobs**, click on the report link to view the report.
1. If your report's **Report status** has a dotted underline, choose it for information about your report.
1. Choose which report to view by its **Completion time**.
1. Choose the **S3 link**. This opens your destination S3 bucket.
1. Under **Name**, choose the name of the report that you want to view.
1. To save the report to your computer, choose **Download**.
# Updating report plans
You can update an existing report plan's description, its delivery destination, and format. If applicable, you can also add or remove frameworks from the report plan.
**To update an existing report plan**
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plan name**, select a report plan by choosing its name.
1. Choose **Edit**.
1. You can edit the report plan details, including the report name and description, as well as which accounts and Regions are included in the report.
# Deleting report plans
You can delete an existing report plan. When you delete a report plan, any reports already created by that report plan will remain in their destination Amazon S3 bucket.
**To delete an existing report plan**
1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).
1. In the left navigation pane, choose **Reports**.
1. Under **Report plan name**, select a report plan by choosing its name.
1. Choose **Delete**.
1. Enter the name of your report plan, and then choose **Delete report plan**.