AWS Storage Blog

Streamline and automate compliance monitoring and reporting with AWS Backup Audit Manager

Organizations meet business and regulatory requirements by having visibility and control over backup environments. You want a streamlined solution to continuously monitor, detect, and track policy drifts across your backup deployments at scale. This need is driven by the growing complexity of AWS environments, the proliferation of data across diverse AWS services and regions, and the increasing regulatory scrutiny on data protection practices. Without a centralized, automated solution to oversee backup policies, organizations risk exposing sensitive data, facing compliance violations, and losing critical information in the event of a disaster or ransomware attack. Maintaining an up-to-date, compliant backup strategy is a best practice, and often a legal and fiduciary requirement for businesses operating in highly regulated industries such as healthcare, finance, and government.

Organizations use AWS Backup Audit Manager, a native capability of AWS Backup, to automate the detection of deviations in AWS Backup data protection policies. AWS Backup Audit Manager provides built-in compliance controls that continuously check for drifts while allowing you to customize those controls to define your AWS Backup data protection policies. It is designed to automatically detect violations of the defined policies, prompt corrective actions, and generate comprehensive audit-ready reports. With AWS Backup Audit Manager, you can answer critical questions such as: Are my tagged resources protected? Do all my backup plans have the right frequencies and retention? Are all my backups encrypted at rest?

Previously, organizations would need to manually deploy AWS Backup Audit Manager controls on a per-account, per-Region basis, and then create custom scripts to summarize their findings. In this post, we show you how to solve these issues with one-click automation using AWS CloudFormation. You will learn how to deploy AWS Backup Audit Manager across the member accounts in your organization, and how to summarize AWS Backup Audit Manager findings in Amazon QuickSight dashboards. An additional output from this post is organization-wide compliance reports that can help you demonstrate compliance with regulatory requirements.

AWS Backup Audit Manager Frameworks

AWS Backup Audit Manager offers frameworks to evaluate and enforce your data protection strategies by providing reports on compliance and non-compliance. You can select from the pre-built, customizable controls to define your data protection requirements and assess whether your data protection strategies adhere to them. These controls span key aspects such as making sure resources are protected by a backup plan and recovery points are encrypted.

Each Framework can be deployed across a single AWS account and Region, with a maximum of 15 Frameworks per-account per-Region. You can choose between the recommended AWS Backup Framework or create a custom Framework tailored to your specific control needs.

Deploying AWS Backup Audit Manager Frameworks

Today, AWS Backup Audit Manager controls are deployed on a per-account, per-Region basis using the AWS Management Console. However, using the automation provided through CloudFormation, you can now efficiently deploy your required AWS Backup Audit Manager controls to a single account using CloudFormation Stacks or across hundreds of accounts using CloudFormation StackSets, as shown in Figure 1.

Figure 1: High-level architecture diagram showcasing the holistic AWS Backup Audit Manager solution deployment.

Prerequisites

Make sure that you enable resource tracking for Backup Audit Manager in the member accounts that you want to audit. This allows AWS Config to track your AWS resources.

Deployment

To get started deploying an AWS Backup Audit Manager Framework to a single account, select the Launch Stack button.

This takes you to the CloudFormation console, where you will log in and configure the parameters for the AWS Backup Audit Manager Framework CloudFormation stack deployment.

When launching the CloudFormation stack, there are two important parameter sections that allow granular configuration of how the controls in each Framework are set up. The AWS Backup Audit Manager – Control Parameters section allows you to select the values used by each control.

The AWS Backup Audit Manager – Control Scope Parameters section allows you to select the AWS Resource Type, Backup Plan, Backup Vault, and Recovery Points scope selection as part of each control. The details of each control and their parameter options are explained in the AWS Backup documentation.
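The following CloudFormation template is an added example, not the template behind the post's Launch Stack button, showing how the two parameter sections described above map onto a single `AWS::Backup::Framework` resource. The control parameters (minimum frequency and retention) and the control scope (which resource types must be covered by a backup plan) are exposed as stack parameters so the same template can be pushed to many member accounts through a StackSet. The Framework name, parameter names and default values are assumptions chosen for this example; the control names and their input parameter names (`requiredFrequencyUnit`, `requiredFrequencyValue`, `requiredRetentionDays`) are the ones documented for AWS Backup Audit Manager.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the post's template): one AWS Backup Audit Manager
  Framework whose control parameters and control scope are stack parameters.

Parameters:
  FrameworkName:
    Type: String
    Default: example_backup_compliance_framework   # assumed name
  RequiredRetentionDays:
    Type: String
    Default: '35'
    Description: Minimum retention, in days, for backup plans and recovery points
  RequiredFrequencyValue:
    Type: String
    Default: '24'
    Description: Backups must be taken at least every N RequiredFrequencyUnit
  RequiredFrequencyUnit:
    Type: String
    Default: hours
    AllowedValues: [hours, days]
  ProtectedResourceTypes:
    Type: CommaDelimitedList
    Default: 'EC2,EBS,RDS,DynamoDB'
    Description: Control scope - resource types that must be covered by a backup plan

Resources:
  ComplianceFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkName: !Ref FrameworkName
      FrameworkDescription: Checks backup coverage, frequency, retention, encryption and deletion protection
      FrameworkControls:
        # "Are my resources protected?" - scoped to the chosen resource types
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
          ControlScope:
            ComplianceResourceTypes: !Ref ProtectedResourceTypes
        # "Do all my backup plans have the right frequency and retention?"
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredFrequencyUnit
              ParameterValue: !Ref RequiredFrequencyUnit
            - ParameterName: requiredFrequencyValue
              ParameterValue: !Ref RequiredFrequencyValue
            - ParameterName: requiredRetentionDays
              ParameterValue: !Ref RequiredRetentionDays
        # Recovery points themselves must also be kept for the minimum period
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: !Ref RequiredRetentionDays
        # "Are all my backups encrypted at rest?"
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        # Recovery points that can be deleted by hand are exposed to ransomware
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
      FrameworkTags:
        - Key: Purpose
          Value: backup-compliance-monitoring   # assumed tag

Outputs:
  FrameworkArn:
    Description: Reference this ARN from a report plan in the delegated administrator account
    Value: !GetAtt ComplianceFramework.FrameworkArn
```

Deployed to a single account with `aws cloudformation deploy --template-file framework.yaml --stack-name backup-audit-framework`, the stack creates one of the 15 Frameworks allowed per account and Region; the same template is the unit of deployment for a StackSet. Tightening a requirement later (for example, raising `RequiredRetentionDays`) is a stack update, and the control re-evaluates existing plans and recovery points against the new value rather than requiring redeployment by hand.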

AWS Backup Audit Manager Reports

The AWS Backup Audit Manager Reports also provide you with more visibility into your backup activities, helping you monitor your operational posture and identify failures that may need further action, while demonstrating compliance with regulatory requirements.

The report template defines the content included in the automatically generated daily reports, which cover the previous 24-hour period. For this post, the focus is on compliance report templates.

Compliance report templates offer two types of reports:

  • Control Compliance Report: Tracks the compliance status of the controls defined within your Frameworks.
  • Resource Compliance Report: Tracks the compliance status of your resources against the Framework controls. These reports include detailed evaluation results, showing non-compliant resources for corrective action.

These compliance reports enhance operational oversight and help make sure your backup policies and resources adhere to the established requirements.

Deploying AWS Backup Audit Manager Reports

The AWS Backup Audit Manager cross-account, cross-Region reporting capability allows you to centrally track the compliance status of backups across your AWS Organization using your management or delegated administrator account.

For each cross-account, cross-Region report, you can select multiple accounts and AWS Regions within your Organization to generate a consolidated compliance summary. We demonstrate how to automate the creation of these compliance reports based on the accounts and AWS Regions configured in your AWS Backup Audit Manager Frameworks.

Prerequisites

  1. Make sure that you are logged in to the management or delegated administrator account in an Organization.
  2. Make sure that you have access to Amazon Athena.

Deployment

To get started deploying the AWS Backup Audit Manager reports to a delegated admin account, select the following Launch Stack button.

This takes you to the CloudFormation console, where you will log in and configure the parameters for the AWS Backup Audit Manager reporting CloudFormation stack deployment.

When launching the CloudFormation stack, the parameters in the AWS Backup Audit Manager – Framework Configuration section define the scope of the report generation. By using the values ROOT and * you can create reports for the entire Organization, including all AWS Regions.

The AWS Backup Audit Manager – Framework Configuration section also captures the details of the Amazon Simple Storage Service (S3) bucket to which the report data is output. This S3 bucket must follow your organization’s security best practices and data retention policies, and it must grant AWS Backup access to write the reports.

The solution deploys Athena tables that are used by the QuickSight dashboard deployed in the next section. You can also use the tables deployed as part of this solution to build custom visualizations using Athena Connectors.
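The template below is an added example, not the reporting template behind the post's Launch Stack button, of the two compliance report plans the post describes, created with `AWS::Backup::ReportPlan` in the management or delegated administrator account. It uses the post's ROOT and * values to cover the whole Organization and every Region; placing ROOT under `Accounts` and * under `Regions` follows the AWS Backup ReportSetting documentation as I understand it, and should be checked against the current `AWS::Backup::ReportPlan` reference before use. The report plan names, the key prefix and the bucket parameter are assumptions for this example; the bucket itself is the pre-created one referred to in the post.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the post's template): daily cross-account, cross-Region
  control and resource compliance reports delivered to an existing S3 bucket.

Parameters:
  ReportBucketName:
    Type: String
    Description: Pre-created S3 bucket whose policy lets AWS Backup write report data
  FrameworkArns:
    Type: CommaDelimitedList
    Description: ARNs of the member-account Frameworks the reports should cover
  ReportAccounts:
    Type: CommaDelimitedList
    Default: ROOT       # ROOT = every account in the Organization (per the post)
  ReportRegions:
    Type: CommaDelimitedList
    Default: '*'        # '*' = every AWS Region (per the post)

Resources:
  # Control Compliance Report: status of each control across all Frameworks in scope
  ControlComplianceReportPlan:
    Type: AWS::Backup::ReportPlan
    Properties:
      ReportPlanName: org_control_compliance_daily          # assumed name
      ReportPlanDescription: Daily control-level compliance for the whole Organization
      ReportDeliveryChannel:
        S3BucketName: !Ref ReportBucketName
        S3KeyPrefix: backup-audit/control-compliance         # assumed prefix
        Formats:
          - CSV
          - JSON
      ReportSetting:
        ReportTemplate: CONTROL_COMPLIANCE_REPORT
        FrameworkArns: !Ref FrameworkArns
        Accounts: !Ref ReportAccounts
        Regions: !Ref ReportRegions

  # Resource Compliance Report: per-resource evaluation results, listing the
  # non-compliant resources that need corrective action
  ResourceComplianceReportPlan:
    Type: AWS::Backup::ReportPlan
    Properties:
      ReportPlanName: org_resource_compliance_daily         # assumed name
      ReportPlanDescription: Daily resource-level compliance for the whole Organization
      ReportDeliveryChannel:
        S3BucketName: !Ref ReportBucketName
        S3KeyPrefix: backup-audit/resource-compliance        # assumed prefix
        Formats:
          - CSV
          - JSON
      ReportSetting:
        ReportTemplate: RESOURCE_COMPLIANCE_REPORT
        FrameworkArns: !Ref FrameworkArns
        Accounts: !Ref ReportAccounts
        Regions: !Ref ReportRegions

Outputs:
  ControlReportPlanArn:
    Value: !GetAtt ControlComplianceReportPlan.ReportPlanArn
  ResourceReportPlanArn:
    Value: !GetAtt ResourceComplianceReportPlan.ReportPlanArn
```

Both plans write CSV and JSON so the same data can feed Athena tables and a QuickSight dashboard as well as ad hoc review. Because the report data is evidence for auditors, the bucket should have versioning and a lifecycle rule that matches the retention policy mentioned above, and write access should be limited to the AWS Backup service principal so that nothing else can alter delivered reports.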

Compliance dashboards

AWS Backup Audit Manager Reports contain valuable insights about backup activities and compliance. A common need is to transform these reports into actionable monitoring solutions.

Implementing a monitoring system to analyze the compliance findings in these reports offers several benefits:

  • Improved visibility: Evaluating the report data is crucial to making sure that data protection requirements are met. Dashboards provide a consolidated view of organizational compliance, making it easier to identify policy drifts.
  • Streamlined internal reporting: Transforming compliance reports into dashboards allows you to create customized views tailored to your organization’s needs. This facilitates easy reporting to internal stakeholders and auditors.
  • Better decision-making: Dashboards enable data visualization, revealing patterns, trends, and areas requiring attention. This insight empowers more informed decisions to optimize backup processes and maintain compliance.

By using the rich data in AWS Backup Audit Manager Reports and transforming it into a monitoring solution, organizations can enhance visibility, streamline reporting, and make more strategic decisions regarding their backup environment.

Deploying compliance dashboards

In this section, we automate the transformation of AWS Backup Audit Manager compliance reports into QuickSight dashboards, as shown in the following figure.

Figure 2: High-level architecture diagram illustrating the AWS Backup Audit Manager reporting and dashboard components deployed.

Prerequisites

  1. The dashboard function uses the report data generated in the previous section. Therefore, the QuickSight subscription and dashboard function must be deployed in the same Region and account where it can access the S3 bucket with the report data.
  2. The account to which the dashboard is deployed should have access to the S3 bucket to which AWS Backup Audit Manager Reports are output.

Deployment

To get started deploying the Compliance Dashboard solution to a reporting account, select the following Launch Stack button.

This takes you to the CloudFormation console, where you will log in and configure the parameters for the AWS Backup Audit Manager Compliance Dashboard CloudFormation stack deployment.

When launching the CloudFormation stack, the Log Location details section captures the details of the S3 bucket to which the report data is output as configured in the previous section.

The QuickSight Setup information section captures the details of the QuickSight setup, including the Region and user details. To find your QuickSight username and Region:

  • Open a new tab or window and navigate to the QuickSight console.
  • Find your username and the Region under the person icon in the top right corner.

If you have the AWS Lake Formation permissions model in place and the AWS CloudFormation deployment credentials have administrative rights on AWS Lake Formation, then you need to set the LakeFormationEnabled parameter to true.

Figures 3 and 4 show examples of AWS Backup Audit Manager’s compliance dashboards.

Figures 3 and 4: AWS Backup Audit Manager sample compliance dashboards

Cleaning up

To avoid incurring future charges, you can delete the resources deployed by each of the parts of this solution by deleting the CloudFormation Stacks from the CloudFormation console. The S3 bucket used in the solution is pre-created and must be emptied or deleted based on your data retention requirements.

Conclusion

In this blog post, we walked through using AWS Backup Audit Manager to automate detection of drifts in AWS Backup data protection policies, and to provide organization-wide cross-account, cross-Region reporting. We also provided AWS CloudFormation templates to help you deploy AWS Backup Audit Manager at scale, and consume your organization’s compliance findings in Amazon QuickSight. You can now benefit from monitoring your organization’s compliance data via interactive dashboards to enhance visibility and make more informed decisions about your AWS Backup environment.

Thanks for reading this post. To learn more about AWS Backup Audit Manager, visit the AWS Backup Developer Guide. If you have questions or comments, please leave them in the comment section.

Sabith Venkitachalapathy

Sabith Venkitachalapathy is an Enterprise Solutions Architect at AWS, where he helps customers architect and manage regulated multi-account environments on AWS to solve a range of business needs. He specializes in the Financial Services industry. Outside of work, he enjoys cooking, traveling, and spending time with his family.

Glenn Chia

Glenn is a Cloud Architect at AWS. He uses technology to help users deliver on their desired outcomes in their cloud adoption journey. Glenn champions the sharing of reusable code to accelerate the development of cloud architectures.

Mark Rowland

Mark Rowland is a Senior Product Manager at AWS Backup, where he specializes in helping customers safeguard their data through robust protection solutions. With a keen focus on ransomware prevention, cost optimization, and enhanced observability and monitoring, Mark leverages his expertise to ensure organizations can maintain business continuity and data integrity in the face of evolving cyber threats and operational challenges.