Turning on resource tracking
Before you create your first compliance-related framework, you must turn on resource tracking. Doing so allows Amazon Config to track your Amazon Backup resources. For technical documentation about how to manage resource tracking, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.
Charges apply when you turn on resource tracking. For information about resource tracking pricing and billing for Amazon Backup Audit Manager, see Metering, costs, and billing.
Turning on resource tracking using the console
To turn on resource tracking using the console:
1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.
2. In the left navigation pane, under Audit Manager, choose Frameworks.
3. Turn on resource tracking by choosing Manage resource tracking.
4. Choose Go to Amazon Config Settings.
5. Choose Enable or disable recording.
6. Choose Enable recording for all of the following resource types, or choose to enable recording for some resource types. Refer to Amazon Backup Audit Manager controls and remediation for which resource types are required for your controls.
   - Amazon Backup: backup plans
   - Amazon Backup: backup vaults
   - Amazon Backup: recovery points
   - Amazon Backup: backup selection
   Note: Amazon Backup Audit Manager requires Amazon Config: resource compliance for every control.
7. Choose Close.
8. Wait for the blue banner with the text Turning on resource tracking to transition to the green banner with the text Resource tracking is on.
You can check whether you have turned on resource tracking and, if so, which resource types you are recording, in two places in the Amazon Backup console. In the left navigation pane, either:
- Choose Frameworks, then choose the text under Amazon Config recorder status.
- Choose Settings, then choose the text under Amazon Config recorder status.
Turning on resource tracking using the Amazon Command Line Interface (Amazon CLI)
If you have not yet onboarded to Amazon Config, it might be faster to onboard using the Amazon CLI.
To turn on resource tracking using the Amazon CLI:
1. Type the following command to determine if you already enabled your Amazon Config recorder.
   $ aws configservice describe-configuration-recorders
   - If your ConfigurationRecorders list is empty like this:
     { "ConfigurationRecorders": [] }
     your recorder is not enabled. Continue to step 2 to create your recorder.
   - If you already enabled recording for all resources, your ConfigurationRecorders output will look like this:
     {
       "ConfigurationRecorders": [
         {
           "recordingGroup": {
             "allSupported": true,
             "resourceTypes": [],
             "includeGlobalResourceTypes": true
           },
           "roleARN": "arn:aws-cn:iam::[account]:role/[roleName]",
           "name": "default"
         }
       ]
     }
     Since you enabled all resources, you already turned on resource tracking. You do not need to complete the rest of this procedure to use Amazon Backup Audit Manager.
   - If your ConfigurationRecorders list is not empty, but you have not enabled recording for all resources, add backup resources to your existing recorder using the following command. Then skip to step 3.
     $ aws configservice describe-configuration-recorders
     {
       "ConfigurationRecorders": [
         {
           "name": "default",
           "roleARN": "arn:aws-cn:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
           "recordingGroup": {
             "allSupported": false,
             "includeGlobalResourceTypes": false,
             "resourceTypes": [
               "AWS::Backup::BackupPlan",
               "AWS::Backup::BackupSelection",
               "AWS::Backup::BackupVault",
               "AWS::Backup::RecoveryPoint",
               "AWS::Config::ResourceCompliance"
             ]
           }
         }
       ]
     }
2. Create an Amazon Config recorder with the Amazon Backup Audit Manager resource types.
   $ aws configservice put-configuration-recorder \
       --configuration-recorder name=default,roleARN=arn:aws-cn:iam::accountId:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
       --recording-group resourceTypes="['AWS::Backup::BackupPlan','AWS::Backup::BackupSelection','AWS::Backup::BackupVault','AWS::Backup::RecoveryPoint','AWS::Config::ResourceCompliance']"
3. Describe your Amazon Config recorder.
   $ aws configservice describe-configuration-recorders
   Verify that it has the Amazon Backup Audit Manager resource types by comparing your output with the following expected output.
   {
     "ConfigurationRecorders": [
       {
         "name": "default",
         "roleARN": "arn:aws-cn:iam::accountId:role/AWSServiceRoleForConfig",
         "recordingGroup": {
           "allSupported": false,
           "includeGlobalResourceTypes": false,
           "resourceTypes": [
             "AWS::Backup::BackupPlan",
             "AWS::Backup::BackupSelection",
             "AWS::Backup::BackupVault",
             "AWS::Backup::RecoveryPoint",
             "AWS::Config::ResourceCompliance"
           ]
         }
       }
     ]
   }
4. Create an Amazon S3 bucket as the destination to store the Amazon Config configuration files.
   $ aws s3api create-bucket --bucket amzn-s3-demo-bucket --region us-east-1
5. Use policy.json to grant Amazon Config permission to access your bucket. See the following sample policy.json.
   $ aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AWSConfigBucketPermissionsCheck",
         "Effect": "Allow",
         "Principal": { "Service": "config.amazonaws.com" },
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid": "AWSConfigBucketExistenceCheck",
         "Effect": "Allow",
         "Principal": { "Service": "config.amazonaws.com" },
         "Action": "s3:ListBucket",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid": "AWSConfigBucketDelivery",
         "Effect": "Allow",
         "Principal": { "Service": "config.amazonaws.com" },
         "Action": "s3:PutObject",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*"
       }
     ]
   }
6. Configure your bucket as an Amazon Config delivery channel.
   $ aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=amzn-s3-demo-bucket
7. Enable Amazon Config recording.
   $ aws configservice start-configuration-recorder --configuration-recorder-name default
8. Verify that "FrameworkStatus":"ACTIVE" appears in the last line of your DescribeFramework output, as follows.
   $ aws backup describe-framework --framework-name test --region us-east-1
   {
     "FrameworkName": "test",
     "FrameworkArn": "arn:aws-cn:backup:us-east-1:accountId:framework:test-f0001b0a-0000-1111-ad3d-4444f5cc6666",
     "FrameworkDescription": "",
     "FrameworkControls": [
       {
         "ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
         "ControlInputParameters": [
           { "ParameterName": "requiredRetentionDays", "ParameterValue": "1" }
         ],
         "ControlScope": {}
       },
       {
         "ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
         "ControlInputParameters": [
           { "ParameterName": "requiredFrequencyUnit", "ParameterValue": "hours" },
           { "ParameterName": "requiredRetentionDays", "ParameterValue": "35" },
           { "ParameterName": "requiredFrequencyValue", "ParameterValue": "1" }
         ],
         "ControlScope": {}
       },
       {
         "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
         "ControlInputParameters": [],
         "ControlScope": {}
       },
       {
         "ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED",
         "ControlInputParameters": [],
         "ControlScope": {}
       },
       {
         "ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
         "ControlInputParameters": [],
         "ControlScope": {}
       }
     ],
     "CreationTime": 1633463605.233,
     "DeploymentStatus": "COMPLETED",
     "FrameworkStatus": "ACTIVE"
   }
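The recorder check in steps 1 and 3 can be automated rather than compared by eye. The following Python script is an added example, not part of the Amazon Backup documentation: it parses the JSON that `aws configservice describe-configuration-recorders` prints (the sample outputs and the account id below are constructed placeholders) and reports which of the five resource types Amazon Backup Audit Manager needs are not yet recorded, distinguishing the three cases of step 1.

```python
import json

# The five resource types this procedure adds to the Amazon Config recorder.
REQUIRED_TYPES = frozenset({
    "AWS::Backup::BackupPlan",
    "AWS::Backup::BackupSelection",
    "AWS::Backup::BackupVault",
    "AWS::Backup::RecoveryPoint",
    "AWS::Config::ResourceCompliance",
})


def missing_resource_types(describe_output):
    """Return the required types that no configured recorder records.
    describe_output is the JSON text printed by
    `aws configservice describe-configuration-recorders`; an empty
    result means resource tracking is already on."""
    recorders = json.loads(describe_output).get("ConfigurationRecorders", [])
    covered = set()
    for recorder in recorders:
        group = recorder.get("recordingGroup", {})
        if group.get("allSupported"):
            return set()  # every supported type is recorded (step 1, case 2)
        covered.update(group.get("resourceTypes", []))
    # No recorder (step 1, case 1) or an incomplete type list (step 1, case 3).
    return set(REQUIRED_TYPES) - covered


def next_step(describe_output):
    """Map the recorder state to the step of this procedure that applies."""
    missing = missing_resource_types(describe_output)
    if not missing:
        return "resource tracking is on"
    if not json.loads(describe_output).get("ConfigurationRecorders"):
        return "no recorder: continue with step 2"
    return "recorder lacks " + ", ".join(sorted(missing)) + ": add them, then step 3"


# Constructed sample outputs; 123456789012 is a placeholder account id.
EMPTY = '{"ConfigurationRecorders": []}'
PARTIAL = json.dumps({"ConfigurationRecorders": [{"name": "default",
    "roleARN": "arn:aws-cn:iam::123456789012:role/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::Backup::BackupPlan", "AWS::Backup::BackupVault"]}}]})
ALL = json.dumps({"ConfigurationRecorders": [{"name": "default",
    "roleARN": "arn:aws-cn:iam::123456789012:role/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "resourceTypes": []}}]})

if __name__ == "__main__":
    for label, sample in (("empty", EMPTY), ("partial", PARTIAL), ("all", ALL)):
        print(label, "->", next_step(sample))
```

To run it against a real account, pipe the CLI output into `next_step`, for example with `next_step(sys.stdin.read())`.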
Turning on resource tracking using an Amazon CloudFormation template
For an Amazon CloudFormation template that turns on resource tracking, see Using Amazon Backup Audit Manager with Amazon CloudFormation.