Choosing your controls
The following table lists the Amazon Backup Audit Manager controls, their customizable parameters, and their Amazon Config recording resource types. Every control requires the recording resource type Amazon Config: resource compliance, because this type records your compliance status.
Control name | Control description | Customizable parameters | Amazon Config recording resource type
---|---|---|---
Backup resources are included in at least one backup plan | Evaluates if resources are included in at least one backup plan. | None | Amazon Backup: backup selection
Backup plan has minimum frequency and minimum retention | Evaluates if backup frequency is at least [1 day] and retention period is at least [35 days]. | Backup frequency; retention period | Amazon Backup: backup plans
Vaults prevent manual deletion of recovery points | Evaluates if backup vaults do not allow manual deletion of recovery points except by certain Amazon Identity and Access Management (IAM) roles. By default, there are no IAM role exceptions. There are also no IAM role exceptions when you deploy this control with the Amazon Backup framework. | Up to 5 IAM roles that allow manual deletion of recovery points | Amazon Backup: backup vaults
Recovery points are encrypted | Evaluates if the recovery points are encrypted. | None | Amazon Backup: recovery points
Minimum retention established for recovery point | Evaluates if the recovery point retention period is at least [35 days]. | Recovery point retention period | Amazon Backup: recovery points
Cross-Region backup copy is scheduled | Evaluates if a resource is configured to create copies of its backups to another Amazon Web Services Region. | Amazon Web Services Region | Amazon Backup: backup selection
Cross-account backup copy is scheduled | Evaluates if a resource has a cross-account backup copy configured. | Amazon account ID | Amazon Backup: backup selection
Backups are protected by Amazon Backup Vault Lock | Evaluates if a resource is configured to have backups in a locked backup vault. | Min Retention Days; Max Retention Days | Amazon Backup: backup selection
Last recovery point was created | Evaluates if a recovery point was created within the specified time frame. | Value in hours [1 to 744] or days [1 to 31] | Amazon Backup: recovery points
Restore time for resources meet target | Evaluates if a restore testing job completed within the target restore time. | Value in minutes | None
Resources are inside a logically air-gapped vault | Evaluates if resources have at least one recovery point copied to a logically air-gapped vault within the specified value and timeframe. | Value in minutes, hours, or days | Amazon Backup: recovery points
For detailed information about these controls, see Controls and remediation.
For a list of Amazon Backup-supported resources that don't support all controls, see the Amazon Backup Audit Manager section of the Feature availability by resource table.
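As an added example (not code from the Amazon Backup documentation), the following Python shapes a control set in the form the CreateFramework API takes and checks it against the parameter limits the table states (1 to 744 hours or 1 to 31 days for the last-recovery-point window, at most 5 IAM role exceptions for manual deletion) before anything is deployed. The control identifiers and parameter names (`BACKUP_LAST_RECOVERY_POINT_CREATED`, `recoveryPointAgeUnit`, `principalArnList`, and so on) are assumed to match the Controls and remediation reference, and passing several ARNs as one comma-separated ParameterValue is also an assumption; the account ID and role name are constructed placeholders.

```python
# Added example, not Amazon Backup's own code: build FrameworkControls entries
# for backup.create_framework() and check them against the limits in the table.
# Control identifiers and parameter names are assumed from the Controls and
# remediation reference; comma-separated ARNs in one value is an assumption.
from typing import Dict, List

# Limits stated in the table: last-recovery-point window and IAM-role cap.
AGE_LIMITS = {"hours": (1, 744), "days": (1, 31)}
MAX_DELETION_ROLES = 5


def control(name: str, **params: str) -> Dict:
    """Build one FrameworkControls entry in the CreateFramework request shape."""
    return {
        "ControlName": name,
        "ControlInputParameters": [
            {"ParameterName": k, "ParameterValue": v} for k, v in params.items()
        ],
    }


def check_controls(controls: List[Dict]) -> List[str]:
    """Return human-readable problems; an empty list means the set honours the limits."""
    problems: List[str] = []
    for c in controls:
        name = c["ControlName"]
        p = {x["ParameterName"]: x["ParameterValue"] for x in c["ControlInputParameters"]}
        if name == "BACKUP_LAST_RECOVERY_POINT_CREATED":
            unit = p.get("recoveryPointAgeUnit", "")
            bounds = AGE_LIMITS.get(unit)
            if bounds is None:
                problems.append(f"{name}: unit must be hours or days, got {unit!r}")
            elif not bounds[0] <= int(p.get("recoveryPointAgeValue", "0")) <= bounds[1]:
                problems.append(f"{name}: value must be {bounds[0]}-{bounds[1]} {unit}")
        elif name == "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED":
            roles = [a for a in p.get("principalArnList", "").split(",") if a]
            if len(roles) > MAX_DELETION_ROLES:
                problems.append(f"{name}: {len(roles)} roles exceeds {MAX_DELETION_ROLES}")
    return problems


# Constructed sample: the last-recovery-point window is set to 40 days, which
# the table caps at 31, so the check flags it before create_framework is called.
SAMPLE_CONTROLS = [
    control("BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"),
    control("BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
            principalArnList="arn:aws-cn:iam::111122223333:role/BackupAdmin"),
    control("BACKUP_LAST_RECOVERY_POINT_CREATED",
            recoveryPointAgeUnit="days", recoveryPointAgeValue="40"),
]

if __name__ == "__main__":
    for problem in check_controls(SAMPLE_CONTROLS):
        print(problem)
```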
Note
If you don't want to use any of the preceding controls, you can still use Amazon Backup Audit Manager to create daily reports of your backup, copy, and restore jobs. See Working with audit reports.