Resources created for AWS Backup - AWS Control Tower

The tables on this page show resources that are created in AWS Control Tower accounts when you enable AWS Backup.

The following table shows the resources that AWS Control Tower creates in the AWS Control Tower Central Backup account when you enable AWS Backup for the landing zone organization.

| Description | Resources for the Central Backup account |
|---|---|
| Which OU contains the account? | Security OU |
| What action created the resource? | Landing zone Create or Update |
| What resources are created? | Central Backup vault—`aws-controltower-central-backupvault-*` |
| What Regions are included? | All governed Regions |
| What controls are related to these resources? | CT.BACKUP.PV.3 |

The following table shows the resources that AWS Control Tower creates in the AWS Control Tower Backup Administrator account when you enable AWS Backup for the landing zone organization.

| Description | Resources for the Backup Administrator account: This is the delegated administrator account for AWS Backup |
|---|---|
| Which OU contains the account? | Security OU |
| What action created the resource? | Landing zone Create or Update |
| What resources are created? | Backup Audit Manager (BAM):<br>• `aws_controltower_copy_report`<br>• `aws_controltower_backup_report`<br>• `aws_controltower_restore_report`<br>Amazon S3 bucket for storing BAM logs—`aws-controltower-backup-reports-{accountId}-*`<br>Amazon S3 access logging bucket—`aws-controltower-backup-reports-log-{accountId}-*` |
| What Regions are included? | Home Region |
| What controls are related to these resources? | • CT.BACKUP.PV.2<br>• CT.S3.PV.1<br>• CT.S3.PV.1 |

The following table shows the resources that AWS Control Tower creates in the AWS Control Tower Audit account and in the AWS Control Tower Log Archive account when you enable AWS Backup for the Security OU.

| Description | Resources for Audit and Log Archive accounts |
|---|---|
| Which OU contains the account? | Security OU |
| What action created the resource? | Enabling the BackupBaseline |
| What resources are created? | • Local Backup vault—`aws-controltower-local-backupvault-*`<br>• Local Backup role—`aws-controltower-BackupRole`<br>• Four local Backup plans (hourly, weekly, monthly, daily): `aws-controltower-hourly-backup-plan`, `aws-controltower-daily-backup-plan`, `aws-controltower-weekly-backup-plan`, `aws-controltower-monthly-backup-plan`<br>• An IAM role—`aws-controltower-backup-role` |
| What Regions are included? | All governed Regions |
| What controls are related to these resources? | • CT.BACKUP.PV.3<br>• CT.IAM.PV.1<br>• CT.BACKUP.PV.3<br>• CT.BACKUP.PV.1 |

Note

When you apply the BackupBaseline to the Security OU, all member accounts in that OU receive the AWS Backup resources, not just the Audit and Log Archive accounts.

The following table shows the resources that AWS Control Tower creates in the AWS Control Tower OU member accounts when you enable AWS Backup on a target OU.

| Description | Resources for member accounts in other OUs |
|---|---|
| Which OU contains the account? | Any OU other than the Security OU |
| What action created the resource? | Enabling the BackupBaseline |
| What resources are created? | • Local Backup vault—`aws-controltower-local-backupvault-*`<br>• Local Backup role—`aws-controltower-BackupRole`<br>• Four local Backup plans (hourly, weekly, monthly, daily): `aws-controltower-hourly-backup-plan`, `aws-controltower-daily-backup-plan`, `aws-controltower-weekly-backup-plan`, `aws-controltower-monthly-backup-plan`<br>• An IAM role—`aws-controltower-backup-role` |
| What Regions are included? | All governed Regions |
| What controls are related to these resources? | • CT.BACKUP.PV.3<br>• CT.IAM.PV.1<br>• CT.BACKUP.PV.3<br>• CT.BACKUP.PV.1 |