
Creating report plans using the Amazon Backup API

You can also work with report plans programmatically.

There are two types of reports. One type is a jobs report, which shows jobs finished in the last 24 hours and all active jobs. The second type of report is a compliance report. Compliance reports can monitor resource levels or the different controls that are in effect. When you create a report, you choose which type of report to create.

Similar to a backup plan, you create a report plan to automate the creation of your reports and define their destination Amazon S3 bucket. A report plan requires that you have an S3 bucket to receive your reports. For instructions on setting up a new S3 bucket, see Step 1: Create your first S3 bucket in the Amazon Simple Storage Service User Guide.

If you encrypt your bucket using a custom KMS key, the KMS key policy must meet the following requirements:

  • The Action attribute must include kms:GenerateDataKey and kms:Decrypt at minimum.

The policy AWSServiceRolePolicyForBackupReports has these permissions.
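One way to check a key policy against the requirement above before pointing a report plan at the bucket, as an added example that is not from the Amazon Backup documentation. The role ARN and the sample policy are constructed placeholders, and `missing_kms_actions` is a hypothetical helper name.

```python
import json
from fnmatch import fnmatchcase

# Actions the page says the key policy must include at minimum.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
# Constructed placeholder ARN; substitute the role that writes your reports.
REPORT_ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-REPORTS-ROLE"
# Constructed sample key policy: Decrypt is granted, GenerateDataKey is not.
SAMPLE_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": REPORT_ROLE_ARN},
        "Action": "kms:Decrypt",
        "Resource": "*",
    }],
})


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _names_principal(stmt, arn):
    """True if the statement's Principal is a wildcard or lists the given ARN."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", arn) for p in _as_list(principal.get("AWS")))


def missing_kms_actions(policy_json, principal_arn=REPORT_ROLE_ARN):
    """Required actions that no Allow statement grants to principal_arn."""
    # Deny statements, NotAction and Condition blocks are not evaluated here.
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _names_principal(stmt, principal_arn):
            continue
        for pattern in _as_list(stmt.get("Action")):
            # Action names match case-insensitively; * and ? are wildcards.
            granted.update(a for a in REQUIRED_ACTIONS
                           if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED_ACTIONS if a not in granted]
```

An empty list from `missing_kms_actions(policy_text)` means both required actions are granted to the role; the constructed `SAMPLE_POLICY` returns `["kms:GenerateDataKey"]`.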

For single-account, single-Region reports, use the following syntax to call CreateReportPlan.

    {
       "ReportPlanName": "string",
       "ReportPlanDescription": "string",
       "ReportSetting": {
          "ReportTemplate": enum // Can be RESOURCE_COMPLIANCE_REPORT, CONTROL_COMPLIANCE_REPORT, BACKUP_JOB_REPORT, COPY_JOB_REPORT, or RESTORE_JOB_REPORT. Only include "ReportCoverageList" if your report is a COMPLIANCE_REPORT.
       },
       "ReportDeliveryChannel": {
          "S3BucketName": "string",
          "S3KeyPrefix": "string",
          "Formats": [ enum ] // Optional. Can be either CSV, JSON, or both. Default is CSV if left blank.
       },
       "ReportPlanTags": {
          "string" : "string" // Optional.
       },
       "IdempotencyToken": "string"
    }

When you call DescribeReportPlan with the unique name of a report plan, the Amazon Backup API responds with the following information.

    {
       "ReportPlanArn": "string",
       "ReportPlanName": "string",
       "ReportPlanDescription": "string",
       "ReportSetting": {
          "ReportTemplate": enum
       },
       "ReportDeliveryChannel": {
          "S3BucketName": "string",
          "S3KeyPrefix": "string",
          "Formats": [ enum ]
       },
       "DeploymentStatus": enum,
       "CreationTime": timestamp,
       "LastAttemptExecutionTime": timestamp,
       "LastSuccessfulExecutionTime": timestamp
    }

For multi-account, multi-Region reports, use the following syntax to call CreateReportPlan.

    {
       "IdempotencyToken": "string",
       "ReportDeliveryChannel": {
          "Formats": [ "string" ], // Organization reports only support CSV files
          "S3BucketName": "string",
          "S3KeyPrefix": "string"
       },
       "ReportPlanDescription": "string",
       "ReportPlanName": "string",
       "ReportPlanTags": {
          "string" : "string"
       },
       "ReportSetting": {
          "Accounts": [ "string" ], // Use string value of "ROOT" to include all organizational units
          "OrganizationUnits": [ "string" ],
          "Regions": [ "string" ], // Use wildcard value in string to include all Regions
          "FrameworkArns": [ "string" ],
          "NumberOfFrameworks": number,
          "ReportTemplate": "string"
       }
    }

When you call DescribeReportPlan with the unique name of a report plan, the Amazon Backup API responds with the following information for multi-account, multi-Region plans:

    {
       "ReportPlan": {
          "CreationTime": number,
          "DeploymentStatus": "string",
          "LastAttemptedExecutionTime": number,
          "LastSuccessfulExecutionTime": number,
          "ReportDeliveryChannel": {
             "Formats": [ "string" ],
             "S3BucketName": "string",
             "S3KeyPrefix": "string"
          },
          "ReportPlanArn": "string",
          "ReportPlanDescription": "string",
          "ReportPlanName": "string",
          "ReportSetting": {
             "Accounts": [ "string" ],
             "OrganizationUnits": [ "string" ],
             "Regions": [ "string" ],
             "FrameworkArns": [ "string" ],
             "NumberOfFrameworks": number,
             "ReportTemplate": "string"
          }
       }
    }