Turning on resource tracking - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Turning on resource tracking

Before you create your first compliance-related framework, you must turn on resource tracking. Doing so allows Amazon Config to track your Amazon Backup resources. For technical documentation about how to manage resource tracking, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.

Charges apply when you turn on resource tracking. For information about resource tracking pricing and billing for Amazon Backup Audit Manager, see Metering, costs, and billing.

Turning on resource tracking using the console

To turn on resource tracking using the console:
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. In the left navigation pane, under Audit Manager, choose Frameworks.

  3. Turn on resource tracking by choosing Manage resource tracking.

  4. Choose Go to Amazon Config Settings.

  5. Choose Enable or disable recording.

  6. Choose Enable recording for all of the following resource types, or choose to enable recording for some resource types. Refer to Amazon Backup Audit Manager controls and remediation for which resource types are required for your controls.

    • Amazon Backup: backup plans

    • Amazon Backup: backup vaults

    • Amazon Backup: recovery points

    • Amazon Backup: backup selection

    Note

    Amazon Backup Audit Manager requires Amazon Config: resource compliance for every control.

  7. Choose Close.

  8. Wait for the blue banner with the text Turning on resource tracking to transition to the green banner with the text Resource tracking is on.

You can check whether you have turned on resource tracking and, if so, which resource types you are recording, in two places in the Amazon Backup console. In the left navigation pane, either:

  • Choose Frameworks, then choose the text under Amazon Config recorder status.

  • Choose Settings, then choose the text under Amazon Config recorder status.

Turning on resource tracking using the Amazon Command Line Interface (Amazon CLI)

If you have not yet onboarded to Amazon Config, it might be faster to onboard using the Amazon CLI.

To turn on resource tracking using the Amazon CLI:
  1. Type the following command to determine whether you have already enabled your Amazon Config recorder.

    $ aws configservice describe-configuration-recorders

    1. If your ConfigurationRecorders list is empty, like this:

      {
          "ConfigurationRecorders": []
      }

      Your recorder is not enabled. Continue to step 2 to create your recorder.

    2. If you already enabled recording for all resources, your ConfigurationRecorders output will look like this:

      {
          "ConfigurationRecorders": [
              {
                  "recordingGroup": {
                      "allSupported": true,
                      "resourceTypes": [],
                      "includeGlobalResourceTypes": true
                  },
                  "roleARN": "arn:aws-cn:iam::[account]:role/[roleName]",
                  "name": "default"
              }
          ]
      }

      Because you enabled all resources, you have already turned on resource tracking. You do not need to complete the rest of this procedure to use Amazon Backup Audit Manager.

    3. If your ConfigurationRecorders is not empty, but you have not enabled recording for all resources, add the Amazon Backup resource types to your existing recorder with the put-configuration-recorder command shown in step 2. Keep the recorder's existing name and roleARN, and include any resource types you already record in the resourceTypes list, because the command sets the recorder's entire recording group. Then skip to step 3; describe-configuration-recorders should now show the Amazon Backup resource types on your recorder:

      $ aws configservice describe-configuration-recorders
      {
          "ConfigurationRecorders": [
              {
                  "name": "default",
                  "roleARN": "arn:aws-cn:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                  "recordingGroup": {
                      "allSupported": false,
                      "includeGlobalResourceTypes": false,
                      "resourceTypes": [
                          "AWS::Backup::BackupPlan",
                          "AWS::Backup::BackupSelection",
                          "AWS::Backup::BackupVault",
                          "AWS::Backup::RecoveryPoint",
                          "AWS::Config::ResourceCompliance"
                      ]
                  }
              }
          ]
      }
  2. Create an Amazon Config recorder with the Amazon Backup Audit Manager resource types.

    $ aws configservice put-configuration-recorder \
        --configuration-recorder name=default,roleARN=arn:aws-cn:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
        --recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection','AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint','AWS::Config::ResourceCompliance']"
  3. Describe your Amazon Config recorder.

    $ aws configservice describe-configuration-recorders

    Verify that it has the Amazon Backup Audit Manager resource types by comparing your output with the following expected output (the roleARN is the one you passed in step 2).

    {
        "ConfigurationRecorders": [
            {
                "name": "default",
                "roleARN": "arn:aws-cn:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "recordingGroup": {
                    "allSupported": false,
                    "includeGlobalResourceTypes": false,
                    "resourceTypes": [
                        "AWS::Backup::BackupPlan",
                        "AWS::Backup::BackupSelection",
                        "AWS::Backup::BackupVault",
                        "AWS::Backup::RecoveryPoint",
                        "AWS::Config::ResourceCompliance"
                    ]
                }
            }
        ]
    }
  4. Create an Amazon S3 bucket as the destination to store the Amazon Config configuration files. In any Region other than us-east-1, including the China Regions, create-bucket also requires --create-bucket-configuration LocationConstraint=<Region>.

    $ aws s3api create-bucket --bucket amzn-s3-demo-bucket --region us-east-1
  5. Use policy.json to grant Amazon Config permission to access your bucket. See the following sample policy.json. All three resource ARNs must use the aws-cn partition in the China Regions.

    $ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSConfigBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {
                    "Service": "config.amazonaws.com"
                },
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
            },
            {
                "Sid": "AWSConfigBucketExistenceCheck",
                "Effect": "Allow",
                "Principal": {
                    "Service": "config.amazonaws.com"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
            },
            {
                "Sid": "AWSConfigBucketDelivery",
                "Effect": "Allow",
                "Principal": {
                    "Service": "config.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*"
            }
        ]
    }

    The policy above grants the Amazon Config service principal access regardless of which account it is acting for. The bucket policy recommended in the Amazon Config Developer Guide adds a Condition with StringEquals on AWS:SourceAccount set to your account ID to each statement, so that Amazon Config delivering on behalf of another account cannot read from or write to your bucket; add that condition when you write policy.json.
  6. Configure your bucket as an Amazon Config delivery channel

    $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket
  7. Enable Amazon Config recording

    $ aws configservice start-configuration-recorder --configuration-recorder-name default
  8. After you create a framework (the following example uses one named test), verify that the last line of your DescribeFramework output shows "FrameworkStatus":"ACTIVE", as follows.

    $ aws backup describe-framework --framework-name test --region us-east-1
    {
        "FrameworkName": "test",
        "FrameworkArn": "arn:aws-cn:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
        "FrameworkDescription": "",
        "FrameworkControls": [
            {
                "ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
                "ControlInputParameters": [
                    {
                        "ParameterName": "requiredRetentionDays",
                        "ParameterValue": "1"
                    }
                ],
                "ControlScope": {}
            },
            {
                "ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
                "ControlInputParameters": [
                    {
                        "ParameterName": "requiredFrequencyUnit",
                        "ParameterValue": "hours"
                    },
                    {
                        "ParameterName": "requiredRetentionDays",
                        "ParameterValue": "35"
                    },
                    {
                        "ParameterName": "requiredFrequencyValue",
                        "ParameterValue": "1"
                    }
                ],
                "ControlScope": {}
            },
            {
                "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
                "ControlInputParameters": [],
                "ControlScope": {}
            },
            {
                "ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
                "ControlInputParameters": [],
                "ControlScope": {}
            },
            {
                "ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
                "ControlInputParameters": [],
                "ControlScope": {}
            }
        ],
        "CreationTime": 1633463605.233,
        "DeploymentStatus": "COMPLETED",
        "FrameworkStatus": "ACTIVE"
    }
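Steps 1 and 3 of the CLI procedure ask you to read the describe-configuration-recorders output by eye and decide which of the three cases applies. The following script, an added example rather than code from the Amazon Backup documentation, does that comparison for you: it takes the JSON that aws configservice describe-configuration-recorders prints (or the dict that boto3's describe_configuration_recorders returns), handles the empty, record-everything and explicit-list cases from step 1, and reports which Backup Audit Manager resource types are still missing. The SAMPLE_* inputs, the placeholder account ID and the file name check_recorder.py are constructed for this example; the handling of recordingStrategy and exclusionByResourceTypes covers newer recorders that the page does not show.

```python
"""Check whether an Amazon Config recorder records every resource type
that Amazon Backup Audit Manager needs.

Added example, not part of the Amazon Backup documentation. Works offline on
captured describe-configuration-recorders JSON.
"""
import json
import sys

# Resource types this page lists as required by Backup Audit Manager.
REQUIRED_TYPES = frozenset({
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
    "AWS::Config::ResourceCompliance",  # required by every control
})


def recorded_types(recording_group):
    """Return the subset of REQUIRED_TYPES that one recordingGroup covers."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if recording_group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # "Record all supported resource types": everything we need is covered.
        return set(REQUIRED_TYPES)
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Newer recorders can record everything except an exclusion list
        # (recordingGroup.exclusionByResourceTypes); not shown on this page.
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return set(REQUIRED_TYPES) - set(excluded)
    # Explicit inclusion list, as created in steps 2 and 3 of the procedure.
    return set(REQUIRED_TYPES) & set(recording_group.get("resourceTypes", []))


def missing_types(describe_output):
    """Return the required types that no recorder in describe_output records.

    An empty ConfigurationRecorders list means no recorder exists at all, so
    every required type is reported missing (step 2 of the procedure applies).
    """
    missing = set(REQUIRED_TYPES)
    for recorder in describe_output.get("ConfigurationRecorders", []):
        missing -= recorded_types(recorder.get("recordingGroup", {}))
    return missing


# Constructed sample outputs modelled on the three step-1 cases of the page.
SAMPLE_EMPTY = {"ConfigurationRecorders": []}

SAMPLE_ALL = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws-cn:iam::111122223333:role/AWSConfigRole",  # placeholder account
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "resourceTypes": []},
}]}

SAMPLE_PARTIAL = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws-cn:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::Backup::BackupPlan",
                                         "AWS::Backup::BackupVault",
                                         "AWS::S3::Bucket"]},
}]}


if __name__ == "__main__":
    # Usage: aws configservice describe-configuration-recorders | python3 check_recorder.py
    gaps = missing_types(json.load(sys.stdin))
    if gaps:
        print("Recorder is missing required resource types:")
        for resource_type in sorted(gaps):
            print("  " + resource_type)
        sys.exit(1)
    print("Recorder covers all Amazon Backup Audit Manager resource types.")
```

A non-zero exit status when types are missing lets you gate a pipeline on the check, for example before deploying a framework with Amazon CloudFormation. Note that the script only inspects the recording group; whether the recorder is actually started is a separate question that describe-configuration-recorder-status answers.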

Turning on resource tracking using an Amazon CloudFormation template

For an Amazon CloudFormation template that turns on resource tracking, see Using Amazon Backup Audit Manager with Amazon CloudFormation.