Choosing your controls - Amazon Backup

Choosing your controls

The following table lists the Amazon Backup Audit Manager controls, their customizable parameters, and their Amazon Config recording resource types. Every control requires the recording resource type Amazon Config: resource compliance because this type records your compliance status.

Available controls
| Control name | Control description | Customizable parameters | Amazon Config recording resource type |
| --- | --- | --- | --- |
| Backup resources are included in at least one backup plan | Evaluates if resources are included in at least one backup plan. | None | Amazon Backup: backup selection |
| Backup plan has minimum frequency and minimum retention | Evaluates if backup frequency is at least [1 day] and retention period is at least [35 days]. | Backup frequency; retention period | Amazon Backup: backup plans |
| Vaults prevent manual deletion of recovery points | Evaluates if backup vaults do not allow manual deletion of recovery points except by certain Amazon Identity and Access Management (IAM) roles. By default, there are no IAM role exceptions. There are also no IAM role exceptions when you deploy this control with the Amazon Backup framework. | Up to 5 IAM roles that allow manual deletion of recovery points | Amazon Backup: backup vaults |
| Recovery points are encrypted | Evaluates if the recovery points are encrypted. | None | Amazon Backup: recovery points |
| Minimum retention established for recovery point | Evaluates if the recovery point retention period is at least [35 days]. | Recovery point retention period | Amazon Backup: recovery points |
| Cross-Region backup copy is scheduled | Evaluates if a resource is configured to create copies of its backups to another Amazon Web Services Region. | Amazon Web Services Region | Amazon Backup: backup selection |
| Cross-account backup copy is scheduled | Evaluates if a resource has a cross-account backup copy configured. | Amazon account ID | Amazon Backup: backup selection |
| Backups are protected by Amazon Backup Vault Lock | Evaluates if a resource is configured to have backups in a locked backup vault. | Min Retention Days; Max Retention Days | Amazon Backup: backup selection |
| Last recovery point was created | Evaluates if a recovery point was created within the specified time frame. | Value in hours [1 to 744] or days [1 to 31]. | Amazon Backup: recovery points |
| Restore time for resources meet target | Evaluates if the restore testing job completed within the target restore time. | Value in minutes | None |
| Resources are inside a logically air-gapped vault | Evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and timeframe. | Value in minutes, hours, or days | Amazon Backup: recovery points |

For detailed information about these controls, see Controls and remediation.

For a list of Amazon Backup-supported resources that don't support all controls, see the Amazon Backup Audit Manager section of the Feature availability by resource table.
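
The following added example (not part of the original documentation) checks whether a Config configuration recorder records every resource type that a chosen set of controls needs, including the resource compliance type that every control requires. Controls are keyed by the display names in the table; the `AWS::...` identifiers and the `recordingGroup` field names are assumed to be the Config identifiers that correspond to the table's last column, and the sample recorder is constructed.

```python
# Added example. Resource type identifiers are assumptions mapped from the
# table's "recording resource type" column; they do not appear on this page.
COMPLIANCE = "AWS::Config::ResourceCompliance"  # required by every control
SELECTION = "AWS::Backup::BackupSelection"
PLAN = "AWS::Backup::BackupPlan"
VAULT = "AWS::Backup::BackupVault"
RECOVERY_POINT = "AWS::Backup::RecoveryPoint"

CONTROL_TYPES = {
    "Backup resources are included in at least one backup plan": SELECTION,
    "Backup plan has minimum frequency and minimum retention": PLAN,
    "Vaults prevent manual deletion of recovery points": VAULT,
    "Recovery points are encrypted": RECOVERY_POINT,
    "Minimum retention established for recovery point": RECOVERY_POINT,
    "Cross-Region backup copy is scheduled": SELECTION,
    "Cross-account backup copy is scheduled": SELECTION,
    "Backups are protected by Amazon Backup Vault Lock": SELECTION,
    "Last recovery point was created": RECOVERY_POINT,
    "Restore time for resources meet target": None,  # table lists "None"
    "Resources are inside a logically air-gapped vault": RECOVERY_POINT,
}

def required_types(controls):
    """Resource types the recorder must cover for the selected controls."""
    needed = {COMPLIANCE}
    for name in controls:
        rtype = CONTROL_TYPES[name]  # KeyError flags a control not in the table
        if rtype:
            needed.add(rtype)
    return needed

def missing_types(recording_group, controls):
    """Return the required types that this recordingGroup does not record."""
    needed = required_types(controls)
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excl = recording_group.get("exclusionByResourceTypes", {})
        return sorted(needed & set(excl.get("resourceTypes", [])))
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES" or recording_group.get("allSupported"):
        return []
    return sorted(needed - set(recording_group.get("resourceTypes", [])))

if __name__ == "__main__":
    # Constructed recorder that records only backup plans and compliance.
    sample = {"allSupported": False, "resourceTypes": [PLAN, COMPLIANCE]}
    chosen = ["Recovery points are encrypted",
              "Backup plan has minimum frequency and minimum retention"]
    print(missing_types(sample, chosen))
```

An empty result means the recorder covers the selected controls; any listed type must be added to the recorder (or removed from its exclusions) before those controls can report compliance.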

Note

If you don't want to use any of the preceding controls, you can still use Amazon Backup Audit Manager to create daily reports of your backup, copy, and restore jobs. See Working with audit reports.