Backup drift in AWS Control Tower

Drift is not reported for AWS Backup configurations in AWS Control Tower. For more information about drift in AWS Control Tower, see Detect and resolve drift in AWS Control Tower.

If you delete or modify the AWS Backup plan, your plan can enter a state of drift. Here are some modifications to avoid.

Do not move the Backup Administrator account from the Security OU.
Do not move the Central Backup account from the Security OU.
Do not remove the Backup Administrator account from the organization.
Do not remove the Central Backup account from the organization.
Do not detach, attach, or update the AWS Backup SCP that is applied to the Security OU.
Do not detach, attach, or update the AWS Backup SCP that is applied to other OUs.
Do not remove the Backup Administrator account's permission for AWS Backup.
Do not update your cross-account backup settings to turn off cross-account backups. For more information about cross-account backups, see UpdateGlobalSettings in the AWS Backup API Reference.
Do not delete your AWS KMS key.
Do not modify your AWS KMS key policy after it is set.
Do not disable the service's trusted access for AWS Backup.

Drift is reported regarding the status of the SCP-based controls that protect AWS Backup resources in AWS Control Tower.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Moved accounts

Backup resources