AWS Backup Audit Manager controls and remediation - AWS Backup

This page lists the available controls for AWS Backup Audit Manager. You can choose the right info pane to see a list of controls and jump to a specific control. To quickly compare controls, see the table in Choosing your controls. To programmatically define controls, see the code snippets in Creating frameworks using the AWS Backup API.

You can use up to 50 controls per account per Region. Using the same control in two different frameworks counts as two controls toward the 50-control limit.

This page lists each control with the following information:

  • Description. Values in brackets ("[ ]") are the default parameter values.

  • The resources the control evaluates.

  • The parameters of the control.

  • The scope of the control, as follows:

    • You specify a Tagged resources scope with a single tag key and optional value.

    • You can specify Resources by type by choosing one or more AWS Backup-supported services.

  • You can specify an individual resource using the Individual resources dropdown list.

  • Remediation steps to bring applicable resources into compliance.

Backup resources protected by backup plan

Description: Evaluates if resources are protected by a backup plan.

Resource: AWS Backup: backup selection

Parameters: None

Scope:

  • All resources (default)

  • Tagged resources

  • Resources by type

  • Individual resources

Note

This control does not support Storage Gateway resources, regardless of scope.

Remediation: Assign the resources to a backup plan. AWS Backup automatically protects your resources after you assign them to a backup plan. For more information, see Assigning resources to a backup plan.

Backup plan minimum frequency and minimum retention

Description: Evaluates if backup plans contain at least one backup rule for which the backup frequency is at least [1 day] and retention period is at least [35 days].

Resource: AWS Backup: backup plans

Parameters:

  • Required backup frequency in number of hours or days.

  • Required retention period in number of days, weeks, months, or years. We recommend a warm storage retention period of at least one week so that AWS Backup can take incremental backups where possible, avoiding additional charges.

Scope:

  • All resources (default)

  • Tagged resources

  • Individual resources

Remediation: Update a backup plan to change either its backup frequency, retention period, or both. Updating your backup plan changes the retention period for recovery points the plan creates after your update.

Backup prevent recovery point manual deletion

Description: Evaluates if backup vaults do not allow manual deletion of recovery points except by certain IAM roles.

Resource: AWS Backup: backup vaults

Parameters: The Amazon Resource Names (ARNs) of up to five IAM roles allowed to manually delete recovery points.

Scope:

  • All resources (default)

  • Tagged resources

  • Individual resources

Remediation: Create or modify a resource-based access policy on a backup vault. For an example policy and instructions on how to set a backup vault access policy, see Deny access to delete recovery points in a backup vault.

Backup recovery point encrypted

Description: Evaluates if recovery points are encrypted.

Resource: AWS Backup: recovery points

Parameters: None

Scope:

  • All resources (default)

  • Tagged resources

Remediation: Configure encryption for the recovery points. The way you configure encryption for AWS Backup recovery points differs depending on the resource type.

For resource types that support full AWS Backup management, you configure encryption directly in AWS Backup. If the resource type does not support full AWS Backup management, you must configure its backup encryption by following that service's instructions, such as Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide. To see the list of resource types that support full AWS Backup management, see the "Full AWS Backup management" section of the Feature availability by resource table.

Backup recovery point minimum retention

Description: Evaluates if recovery point retention period is at least [35 days].

Resource: AWS Backup: recovery points

Parameters: Required recovery point retention period in number of days, weeks, months, or years. We recommend a warm storage retention period of at least one week so that AWS Backup can take incremental backups where possible, avoiding additional charges.

Scope:

  • All resources (default)

  • Tagged resources

Remediation: Change the retention periods of your recovery points. For more information, see Editing a backup.
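As an added example (not code from the AWS documentation), the following builds a framework definition that contains the five controls listed above with their bracketed default parameter values, checks the 50-control quota, and calls CreateFramework through boto3. The control and parameter names are those used by the AWS Backup API for these controls; the framework name, tag key and IAM role ARN are constructed placeholders.

```python
"""Define the five Backup Audit Manager controls from this page as a framework."""

MAX_CONTROLS_PER_ACCOUNT_REGION = 50  # quota stated on this page


def build_framework_controls(required_retention_days=35, required_frequency_value=1,
                             required_frequency_unit="days", deletion_principal_arns=(),
                             tag_scope=None):
    """Return the FrameworkControls list for CreateFramework.

    Defaults match the bracketed values in the control descriptions
    (frequency at least 1 day, retention at least 35 days). An empty
    ControlScope means "All resources"; tag_scope narrows every control
    to tagged resources, which all five controls support.
    """
    if not 1 <= len(deletion_principal_arns) <= 5:
        raise ValueError("the manual-deletion control takes 1 to 5 IAM role ARNs")
    if required_frequency_unit not in ("hours", "days"):
        raise ValueError("frequency unit must be 'hours' or 'days'")
    scope = {"Tags": dict(tag_scope)} if tag_scope else {}

    def params(**kv):
        return [{"ParameterName": k, "ParameterValue": v} for k, v in kv.items()]

    def control(name, parameters=()):
        entry = {"ControlName": name}
        if parameters:
            entry["ControlInputParameters"] = list(parameters)
        if scope:
            entry["ControlScope"] = scope
        return entry

    return [
        control("BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"),
        control("BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
                params(requiredFrequencyValue=str(required_frequency_value),
                       requiredFrequencyUnit=required_frequency_unit,
                       requiredRetentionDays=str(required_retention_days))),
        control("BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
                params(principalArnList=",".join(deletion_principal_arns))),
        control("BACKUP_RECOVERY_POINT_ENCRYPTED"),
        control("BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
                params(requiredRetentionDays=str(required_retention_days))),
    ]


def create_framework(client, framework_name, controls, existing_control_count=0):
    """Refuse to exceed the per-account, per-Region control quota, then create."""
    if existing_control_count + len(controls) > MAX_CONTROLS_PER_ACCOUNT_REGION:
        raise ValueError("framework would exceed the 50-control quota")
    return client.create_framework(FrameworkName=framework_name, FrameworkControls=controls)


if __name__ == "__main__":
    import boto3  # imported here so the builder above runs without AWS access
    ctrls = build_framework_controls(
        deletion_principal_arns=("arn:aws:iam::123456789012:role/BackupAdmin",),  # placeholder
        tag_scope={"backup": "required"})  # placeholder tag key/value
    print(create_framework(boto3.client("backup"), "ExampleAuditFramework", ctrls)["FrameworkArn"])
```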