How do I generate audit reports in AWS Backup?


I want to use AWS Backup Audit Manager to generate audit reports for my AWS Backup activities.

Short description

You can use AWS Backup Audit Manager reports to receive information about the status of backup, restore, and copy jobs. AWS Backup Audit Manager has two types of audit reports, backup and compliance. Backup reports monitor your account's backup activity, and then report any failures that you must address. Compliance reports provide information about how your backup activities and resources comply with the controls that you set in frameworks.

To create an audit report, complete the following steps:

  1. Choose a report template.
  2. Create report plans.
  3. Allow AWS Backup Audit Manager to deliver daily reports, or create an on-demand report.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Choose a report template

A report template describes the information that's included in reports by report plans. You can choose between using a backup report template or a compliance report template.

Create a report plan

To create report plans, use either the AWS Backup console or the CreateReportPlan API call.

Report plans are similar to backup plans because you can automate the creation of audit reports. To do this, allocate an Amazon Simple Storage Service (Amazon S3) bucket in the AWS account where the report plan is configured. Then, use the Amazon S3 bucket for the delivery of your reports.

To use the AWS Backup console to create a report plan, complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, under Backup Audit Manager, choose Reports.
  3. Choose Create report plan.
  4. Under Report Template, choose one of the report templates from the dropdown list.
  5. Enter a Report plan name and a Report plan description. (Optional) Choose Add tags to the report plan to add tags to your plan.
  6. To generate reports only for the account that you're currently signed in to, under Accounts, choose Only my account. If you're using a management account, then you can include multiple accounts in the report plan. To do this, choose One or more accounts in my organization. This option is available only to management accounts.
    Note: If you choose One or more accounts in my organization, then AWS Backup creates reports for all existing frameworks in the specified accounts. If there are no frameworks in an account or Region, then AWS Backup generates an empty report.
  7. From the dropdown list, choose your AWS Region and the corresponding framework from that Region. Then, choose Add framework. If you chose a Backup report template, or if you chose the One or more accounts in my organization option, then skip this step. For more information on adding frameworks, see Working with audit frameworks.
    Note: You can select multiple Regions to include in your report. Choose the dropdown list to show the available Regions, or choose All available Regions.
  8. Choose the File format for your report. You can export all reports as a .csv file. You can also export reports for one Region and one account in JSON format.
  9. Under Choose an Amazon S3 bucket for report delivery, choose the name of the S3 bucket that you want the reports delivered to. (Optional) You can also choose a prefix in the S3 bucket.
  10. Choose Create report plan.
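The same plan can be created with the CreateReportPlan API. The following Python is an added example, not code from the article or from AWS: it assembles the request that boto3's create_report_plan takes (ReportPlanName, ReportDeliveryChannel, ReportSetting) and checks it against the constraints the steps above describe, namely that JSON output is only available for one Region and one account, that backup job templates take no frameworks, and that a compliance template needs framework ARNs unless the plan covers accounts in the organization (in which case AWS Backup reports on every framework it finds). The template and format names are the API enum values; the bucket, prefix and account values used in the demo are constructed placeholders.

```python
"""Build a CreateReportPlan request for AWS Backup Audit Manager.

Added example, not code from the original article or from AWS. Request keys
follow the boto3 Backup client's create_report_plan parameters; the checks
encode the constraints the article states.
"""
import re

BACKUP_TEMPLATES = {"BACKUP_JOB_REPORT", "COPY_JOB_REPORT", "RESTORE_JOB_REPORT"}
COMPLIANCE_TEMPLATES = {"RESOURCE_COMPLIANCE_REPORT", "CONTROL_COMPLIANCE_REPORT"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def report_plan_problems(template, formats, accounts, regions, framework_arns):
    """Return the reasons this combination is invalid (empty list = OK).

    accounts: () means "Only my account"; a tuple of account IDs means
    "One or more accounts in my organization". regions: () means all Regions.
    """
    problems = []
    if template not in BACKUP_TEMPLATES | COMPLIANCE_TEMPLATES:
        problems.append(f"unknown report template {template!r}")
    unsupported = set(formats) - {"CSV", "JSON"}
    if unsupported:
        problems.append(f"unsupported file format(s) {sorted(unsupported)}")
    # The article: JSON is only available for one Region and one account.
    if "JSON" in formats and (len(accounts) > 1 or len(regions) != 1):
        problems.append("JSON output requires exactly one account and one Region")
    bad_ids = [a for a in accounts if not ACCOUNT_ID_RE.match(str(a))]
    if bad_ids:
        problems.append(f"account IDs must be 12 digits: {bad_ids}")
    if template in BACKUP_TEMPLATES and framework_arns:
        problems.append("backup job templates do not take frameworks")
    # Org-wide plans pick up every framework automatically; single-account
    # compliance plans must name the frameworks to evaluate.
    if template in COMPLIANCE_TEMPLATES and not accounts and not framework_arns:
        problems.append("a compliance report for only my account needs at least one framework ARN")
    bad_arns = [f for f in framework_arns
                if not f.startswith("arn:aws:backup:") or ":framework:" not in f]
    if bad_arns:
        problems.append(f"not framework ARNs: {bad_arns}")
    return problems


def build_report_plan_request(name, template, bucket, prefix="", formats=("CSV",),
                              accounts=(), regions=(), framework_arns=(), description=""):
    """Assemble the create_report_plan keyword arguments, or raise ValueError."""
    formats = tuple(f.upper() for f in formats)
    problems = report_plan_problems(template, formats, accounts, regions, framework_arns)
    if problems:
        raise ValueError("; ".join(problems))
    channel = {"S3BucketName": bucket, "Formats": list(formats)}
    if prefix:
        channel["S3KeyPrefix"] = prefix
    setting = {"ReportTemplate": template}
    if framework_arns:
        setting["FrameworkArns"] = list(framework_arns)
        setting["NumberOfFrameworks"] = len(framework_arns)
    if accounts:
        setting["Accounts"] = list(accounts)
    if regions:
        setting["Regions"] = list(regions)
    request = {"ReportPlanName": name, "ReportDeliveryChannel": channel, "ReportSetting": setting}
    if description:
        request["ReportPlanDescription"] = description
    return request


def create_report_plan(client, **kwargs):
    """Submit the validated request with a boto3 Backup client (boto3.client('backup'))."""
    return client.create_report_plan(**build_report_plan_request(**kwargs))


if __name__ == "__main__":
    import json
    # Constructed demo values: the bucket name and prefix are placeholders.
    print(json.dumps(build_report_plan_request(
        "daily-backup-jobs", "BACKUP_JOB_REPORT", "example-audit-reports",
        prefix="backup-jobs/", regions=("us-east-1",), formats=("CSV", "JSON")), indent=2))
```

Validate before calling: a plan that passes the API but names no frameworks, or requests JSON across several Regions, produces empty or rejected reports that you only notice when the daily delivery never lands in the bucket.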

After you create the report plan, AWS Backup Audit Manager automatically generates an S3 bucket access policy for you to apply. See the following example S3 bucket access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::11111111:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::BucketName/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Your S3 bucket might be encrypted with a customer managed AWS Key Management Service (AWS KMS) key. In this case, make sure that the key policy allows the AWS Backup reports service role to use the key. See the following example key policy (CMK policy) that lets AWS Backup write to the encrypted S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::11111111:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
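Both documents are easy to get subtly wrong when they are hand-edited into an existing bucket policy. The following Python is an added example, not code from the article or from AWS: it reproduces the two policies above for a given account ID and bucket name, and audits an existing bucket policy against the narrow grant the article shows (the AWSServiceRoleForBackupReports role may only s3:PutObject, only into objects of that bucket, and only with the bucket-owner-full-control ACL condition), flagging a missing grant, an over-broad action or resource, a dropped condition, or a wildcard principal. The account ID and bucket name in the demo are constructed placeholders.

```python
"""Generate and audit the bucket policy and key policy that AWS Backup Audit
Manager report delivery needs.

Added example, not code from the original article or from AWS. Account IDs
and bucket names used here are constructed placeholders.
"""
import json

SERVICE_ROLE_PATH = ("role/aws-service-role/reports.backup.amazonaws.com/"
                     "AWSServiceRoleForBackupReports")


def service_role_arn(account_id):
    return f"arn:aws:iam::{account_id}:{SERVICE_ROLE_PATH}"


def bucket_policy(account_id, bucket):
    """The S3 bucket policy the article shows, parameterised."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": service_role_arn(account_id)},
            "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }


def key_policy_statement(account_id):
    """Statement to add to the key policy when the bucket uses a customer managed KMS key."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": service_role_arn(account_id)},
        "Action": ["kms:GenerateDataKey", "kms:Encrypt"],
        "Resource": "*",  # inside a key policy, "*" means this key only
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return [str(principal)]  # bare "*" or a single ARN string


def audit_bucket_policy(policy, bucket):
    """Return findings about report delivery; an empty list means the grant matches the article."""
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    grants = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        if "*" in principals and any(a in ("*", "s3:*", "s3:PutObject") for a in actions):
            findings.append("a statement allows PutObject from any principal")
        if any(p.endswith(SERVICE_ROLE_PATH) for p in principals):
            grants.append(stmt)
    if not grants:
        findings.append("no Allow statement for AWSServiceRoleForBackupReports; delivery will fail")
    for stmt in grants:
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != {"s3:PutObject"}:
            findings.append(f"service role is granted more than s3:PutObject: {sorted(actions)}")
        resources = set(_as_list(stmt.get("Resource", [])))
        if resources != {expected_resource}:
            findings.append(f"resource should be {expected_resource}, got {sorted(resources)}")
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            findings.append("missing s3:x-amz-acl = bucket-owner-full-control condition")
    return findings


if __name__ == "__main__":
    demo = bucket_policy("111111111111", "example-audit-reports")  # constructed values
    print(json.dumps(demo, indent=2))
    print(audit_bucket_policy(demo, "example-audit-reports"))  # []
```

Run the audit against the output of get-bucket-policy after every change to the bucket: the report role should never end up with more than the single PutObject grant, and the bucket-owner-full-control condition is what keeps the delivered objects readable by the bucket owner rather than only by the writing service.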

Allow AWS Backup Audit Manager to deliver daily reports, or create an on-demand report

AWS Backup Audit Manager delivers a daily report to the S3 bucket that you configured. The report delivery time can vary because AWS Backup Audit Manager randomizes the delivery process to maintain its performance.

To create an on-demand report, complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, under Backup Audit Manager, choose Reports.
  3. Under Report plan name, choose a report plan.
  4. Choose Create on-demand report.

Note: There isn't a native option to generate backup reports between specific dates. You can use the AWS Backup console to view jobs for the last 30 days. However, you can't export this data as a report. Instead, run the following AWS CLI command to list and gather backup jobs as a .csv file:

aws backup list-backup-jobs --by-created-after 2023-02-02 --by-created-before 2023-03-01 --max-results 1000 --output text > sample-report.csv

To filter the data, include additional parameters, such as --by-state.
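The same export in Python, as an added example that is not code from the article or from AWS. It builds the list_backup_jobs filter for a boto3 Backup client (ByCreatedAfter, ByCreatedBefore and ByState are the boto3 names of --by-created-after, --by-created-before and --by-state), refuses an inverted range before any call is made (reversed dates silently match no jobs), pages through NextToken, and writes the selected fields with the csv module, so the result is comma-separated rather than the tab-separated text that --output text produces. SAMPLE_JOBS are constructed records so the file runs offline; pass a real client to fetch_jobs for live data.

```python
"""Export AWS Backup jobs for a date range as a real CSV file.

Added example, not code from the original article or from AWS. The sample
records below are constructed; ARNs and the account ID are placeholders.
"""
import csv
import io
from datetime import datetime, timezone

FIELDS = ("BackupJobId", "ResourceType", "ResourceArn", "State",
          "CreationDate", "BackupVaultName", "StatusMessage")


def _utc(day):
    """Parse a YYYY-MM-DD string as midnight UTC."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def date_range_problem(after, before):
    """Explain why the range is unusable, or return "" if it is fine."""
    try:
        start, end = _utc(after), _utc(before)
    except ValueError as exc:
        return f"dates must be YYYY-MM-DD: {exc}"
    if start >= end:
        return (f"--by-created-after ({after}) must be earlier than "
                f"--by-created-before ({before}); reversed values match no jobs")
    return ""


def job_filter(after, before, state=None):
    """Keyword arguments for list_backup_jobs, validated first."""
    problem = date_range_problem(after, before)
    if problem:
        raise ValueError(problem)
    params = {"ByCreatedAfter": _utc(after), "ByCreatedBefore": _utc(before)}
    if state:
        params["ByState"] = state
    return params


def fetch_jobs(client, params):
    """Collect every page of list_backup_jobs from a boto3 Backup client."""
    jobs, token = [], None
    while True:
        page = client.list_backup_jobs(**params, **({"NextToken": token} if token else {}))
        jobs.extend(page.get("BackupJobs", []))
        token = page.get("NextToken")
        if not token:
            return jobs


def jobs_to_csv(jobs, params):
    """Render the jobs inside the filter as CSV text (re-checks the API filter locally)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for job in jobs:
        in_range = params["ByCreatedAfter"] <= job["CreationDate"] < params["ByCreatedBefore"]
        state_ok = "ByState" not in params or job.get("State") == params["ByState"]
        if in_range and state_ok:
            writer.writerow({**job, "CreationDate": job["CreationDate"].isoformat()})
    return out.getvalue()


# Constructed sample records, not real job output.
SAMPLE_JOBS = [
    {"BackupJobId": "job-0001", "ResourceType": "EBS",
     "ResourceArn": "arn:aws:ec2:us-east-1:111111111111:volume/vol-0example1",
     "State": "COMPLETED", "CreationDate": datetime(2023, 2, 3, 1, 0, tzinfo=timezone.utc),
     "BackupVaultName": "Default", "StatusMessage": ""},
    {"BackupJobId": "job-0002", "ResourceType": "RDS",
     "ResourceArn": "arn:aws:rds:us-east-1:111111111111:db:example-db",
     "State": "FAILED", "CreationDate": datetime(2023, 2, 20, 1, 0, tzinfo=timezone.utc),
     "BackupVaultName": "Default", "StatusMessage": "Access denied to vault"},
    {"BackupJobId": "job-0003", "ResourceType": "EBS",
     "ResourceArn": "arn:aws:ec2:us-east-1:111111111111:volume/vol-0example1",
     "State": "COMPLETED", "CreationDate": datetime(2023, 3, 5, 1, 0, tzinfo=timezone.utc),
     "BackupVaultName": "Default", "StatusMessage": ""},
]


if __name__ == "__main__":
    params = job_filter("2023-02-02", "2023-03-01")
    # For live data: jobs = fetch_jobs(boto3.client("backup"), params)
    print(jobs_to_csv(SAMPLE_JOBS, params), end="")
```

Filtering on FAILED (state="FAILED") is the quickest way to turn the export into the same failure list the daily backup report gives you, but for an arbitrary window instead of the previous day.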

AWS OFFICIAL
Updated 10 months ago