Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controls and remediation

This page lists the available controls for Amazon Backup Audit Manager. You can choose the right info pane to see a list of controls and jump to a specific control. To quickly compare controls, see the table in Choosing your controls. To programmatically define controls, see the code snippets in Creating frameworks using the Amazon Backup API.

You can use up to 50 controls per account per Region. Using the same control in two different frameworks counts as using two controls of the 50 control limit.

This page lists each control with the following information:

Note that only active resources will be included when controls evaluate resources for compliance. For example, an Amazon EC2 instance in a running state will be evaluated by the control Last recovery point was created. An EC2 instance in a stopped state will not be included in the compliance evaluation.

Backup resources are protected by a backup plan

Description: Evaluates if resources are protected by a backup plan.

Resource: Amazon Backup: backup selection

Parameters: None

Occurs: Automatically every 24 hours

Remediation: Assign the resources to a backup plan. Amazon Backup automatically protects your resources after you assign them to a backup plan. For more information, see Assigning resources to a backup plan.

Backup plan minimum frequency and minimum retention

Description: Evaluates if backup plans contain at least one backup rule for which the backup frequency is at least [1 day] and retention period is at least [35 days].

Resource: Amazon Backup: backup plans

Occurs: Configuration changes

Remediation: Update a backup plan to change either its backup frequency, retention period, or both. Updating your backup plan changes the retention period for recovery points the plan creates after your update.

Vaults prevent manual deletion of recovery points

Description: Evaluates if backup vaults do not allow manual deletion of recovery points except by certain IAM roles.

Resource: Amazon Backup: backup vaults

Parameters: The Amazon Resource Names (ARNs) of up to five IAM roles allowed to manually delete recovery points.

Occurs: Configuration changes

Remediation: Create or modify a resource-based access policy on a backup vault. For an example policy and instructions on how to set a backup vault access policy, see Deny access to delete recovery points in a backup vault.

Recovery points are encrypted

Description: Evaluates if recovery points are encrypted.

Resource: Amazon Backup: recovery points

Parameters: None

Occurs: Configuration changes

Remediation: Configure encryption for the recovery points. The way you configure encryption for Amazon Backup recovery points differs depending on the resource type.

You can configure encryption for resource types that support full Amazon Backup management in using Amazon Backup. If the resource type does not support full Amazon Backup management, you must configure its backup encryption by following that service's instructions, such as Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide. To see the list of resource types that support full Amazon Backup management, see the "Full Amazon Backup management" section of the Feature availability by resource table.

Minimum retention established for recovery point

Description: Evaluates if recovery point retention period is at least [35 days].

Resource: Amazon Backup: recovery points

Parameters: Required recovery point retention period in number of days, weeks, months, or years. We recommend a warm storage retention of period of at least one week to enable Amazon Backup to take incremental backups when possible, avoiding additional charges.

Occurs: Configuration changes

Remediation: Change the retention periods of your recovery points. For more information, see Editing a backup.

Cross-Region backup copy is scheduled

Description: Evaluates if a resource is configured to create copies of its backups to another Amazon Region.

Resource: Amazon Backup: backup selection

Occurs: Automatically every 24 hours

Remediation: Update a backup plan to change the Amazon Web Services Region where backup copy should exist.

Cross-account backup copy is scheduled

Description: Evaluates if a resource is configured to create copies of its backups to another account. You can add up to 5 accounts for the control to evaluate. The destination account must be in the same organization as the source account in Amazon Organizations.

Resource: Amazon Backup: backup selection

Occurs: Automatically every 24 hours

Remediation: Update a backup plan to change or add the Amazon account ID(s) where the copy should exist.

Backups are protected by Amazon Backup Vault Lock

Description: Evaluates if a resource has immutable backups stored in a locked backup vault.

Resource: Amazon Backup: backup selection

Occurs: Automatically every 24 hours

Remediation: Lock a backup vault to set its name, change either its minimum retention days, maximum retention days, or both. Can also include ChangeableForDays for a vault lock in compliance mode.

Last recovery point was created

Description: This control evaluates if a recovery point has been created within the specified time frame (in days or hours).

The control is compliant if the resource has had a recovery point created within the time frame specified. The control is non-compliant if a recovery point was not created within the number of days or hours specified.

Resource: Amazon Backup: recovery points

Occurs: Automatically every 24 hours

Remediation:

Restore time for resources meet target

Description: Evaluates if restoring protected resources completed within the target restore time.

This control checks if the restore time of a particular resource meets the target duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of a resource type is greater than maxRestoreTime in minutes.

Occurs: Automatically every 24 hours