Profile Applicability:

  • Level 2

Description:
AWS Backup provides a centralized backup service to automate the backup of data across AWS services. One of the key features of AWS Backup is the ability to generate Backup Reports for compliance, auditing, and monitoring purposes. A Backup Report Plan allows users to configure regular reporting on backup activities, success rates, and issues across AWS services. It is essential to ensure that at least one AWS Backup report plan is configured to monitor the backup processes and ensure compliance with backup and recovery objectives.

Rationale:
Enabling Backup Report Plans helps organizations track and audit backup activities across their AWS resources. These reports provide critical information on the health and status of backups, making it easier to verify that backup policies are being followed, identify any failures, and ensure that backups are being performed in a timely manner. By having an active Backup Report Plan, you can ensure the integrity of backup operations and meet compliance requirements for data protection and disaster recovery.

Impact:
Pros:

  • Provides visibility into the status and success of backup operations.

  • Improves auditing and reporting for compliance with data protection and disaster recovery standards.

  • Helps monitor and address backup failures, ensuring that critical data is backed up and protected.

  • Simplifies monitoring and troubleshooting backup-related issues.

Cons:

  • Can generate a large volume of reports, which may require additional storage or management.

  • Requires configuration and regular monitoring to ensure that the backup plan is actively generating reports and meeting compliance requirements.

Default Value:
By default, AWS Backup does not create report plans automatically. You must manually configure report plans to begin generating reports.

Pre-requisites:

  • AWS IAM permissions to manage AWS Backup configurations:
     
     backup:CreateBackupPlan
     backup:ListBackupPlans
     backup:CreateReportPlan
     backup:DescribeReportPlan
     backup:ListReportPlans

  • Access to the AWS Backup console or CLI to configure report plans.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Backup.

  3. Under Backup, click on Backup Report Plans.

  4. Check if there is at least one configured Backup Report Plan. If no report plans are available, proceed to create a new one.

  5. If a report plan is missing, click Create backup report plan.

  6. Define the report frequency, such as daily, weekly, or monthly, and specify which backup plans or resources need to be included in the report.

  7. Specify the destination for storing the report, such as an S3 bucket, and select any additional options, such as enabling email notifications for failed backups.

  8. Save the report plan and ensure that it is generating the desired reports.

Using AWS CLI:

  1. List all backup report plans:

    aws backup list-report-plans

  2. If no report plans are configured, create one by running the following command:

    # BACKUP_JOB_REPORT is the report template that covers backup job activity
    aws backup create-report-plan --report-plan-name <REPORT_PLAN_NAME> \
    --report-delivery-channel "S3BucketName=<BUCKET_NAME>,S3KeyPrefix=<KEY_PREFIX>" \
    --report-setting "ReportTemplate=BACKUP_JOB_REPORT"

  3. Replace <REPORT_PLAN_NAME>, <BUCKET_NAME>, and <KEY_PREFIX> with appropriate values.

  4. Verify the newly created report plan:

    aws backup describe-report-plan --report-plan-name <REPORT_PLAN_NAME>
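The check in step 1 can be automated by evaluating the JSON that `aws backup list-report-plans` returns. The following is an added example, not part of the original benchmark text: the sample listing is constructed, timestamps are assumed to be ISO 8601 strings as AWS CLI v2 prints them by default, and the two-day freshness threshold is an assumed value.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws backup list-report-plans` output.
SAMPLE = json.loads("""
{"ReportPlans": [
  {"ReportPlanName": "example_jobs_report",
   "ReportSetting": {"ReportTemplate": "BACKUP_JOB_REPORT"},
   "ReportDeliveryChannel": {"S3BucketName": "example-report-bucket",
                             "S3KeyPrefix": "backup-reports"},
   "DeploymentStatus": "COMPLETED",
   "LastSuccessfulExecutionTime": "2024-05-01T01:00:00+00:00"},
  {"ReportPlanName": "example_stalled_report",
   "ReportSetting": {"ReportTemplate": "BACKUP_JOB_REPORT"},
   "ReportDeliveryChannel": {"S3BucketName": "example-report-bucket"},
   "DeploymentStatus": "CREATE_IN_PROGRESS"}
]}
""")

def plan_findings(plan, now, max_age):
    """Return the reasons one report plan does not count as working."""
    findings = []
    if plan.get("DeploymentStatus") != "COMPLETED":
        findings.append("deployment status is %s" % plan.get("DeploymentStatus"))
    if not plan.get("ReportDeliveryChannel", {}).get("S3BucketName"):
        findings.append("no S3 delivery bucket")
    last_ok = plan.get("LastSuccessfulExecutionTime")
    if last_ok is None:
        findings.append("no successful report run recorded")
    elif now - datetime.fromisoformat(last_ok) > max_age:
        findings.append("last successful run older than %s" % max_age)
    return findings

# max_age is an assumed threshold; set it to match your reporting frequency.
def audit_report_plans(listing, now=None, max_age=timedelta(days=2)):
    """PASS when at least one plan is deployed, delivers to S3 and ran recently."""
    now = now or datetime.now(timezone.utc)
    details = {p["ReportPlanName"]: plan_findings(p, now, max_age)
               for p in listing.get("ReportPlans", [])}
    healthy = sorted(name for name, f in details.items() if not f)
    return {"status": "PASS" if healthy else "FAIL",
            "healthy": healthy, "details": details}

if __name__ == "__main__":
    as_of = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    print(json.dumps(audit_report_plans(SAMPLE, now=as_of), indent=2))
```

A listing with an empty `ReportPlans` array, or one where every plan has findings, yields `FAIL`, so a plan that exists but never delivered a report does not satisfy the control.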

Implementation Plan:

Using AWS Console:

  1. Open the AWS Backup Console and navigate to Backup Report Plans.

  2. Click Create backup report plan to set up a new report plan.

  3. Define the frequency, scope, and destination for the reports, such as including all backup plans and delivering the reports to an S3 bucket.

  4. Save the report plan and verify that it is active and generating reports as expected.

Using AWS CLI:

  1. To create a Backup Report Plan via CLI, run:

    aws backup create-report-plan --report-plan-name <REPORT_PLAN_NAME> \
    --report-delivery-channel "S3BucketName=<BUCKET_NAME>,S3KeyPrefix=<KEY_PREFIX>" \
    --report-setting "ReportTemplate=BACKUP_JOB_REPORT"

  2. Verify that the report plan is correctly set up:

    aws backup describe-report-plan --report-plan-name <REPORT_PLAN_NAME>

Backout Plan:

Using AWS Console:

  1. If the Backup report plan is causing issues, sign in to the AWS Management Console.

  2. Navigate to AWS Backup, select Backup report plans, and delete the problematic report plan.

  3. Verify that no backup reports are being generated for the deleted plan.

Using AWS CLI:

  1. To delete a Backup report plan, run:

    aws backup delete-report-plan --report-plan-name <REPORT_PLAN_NAME>

  2. Verify that the report plan has been deleted:

    aws backup list-report-plans

Reference:

CIS Controls:

  Version | Control ID | Control Description
  7.1     | 3.1        | Ensure AWS Backup report plans are configured to track backup activities and ensure compliance.
  7.1     | 8.1        | Enable AWS Backup report plans for regular backup status monitoring, auditing, and troubleshooting.