Using AWS Backup Audit Manager to Audit your backup RPOs
AWS Backup Audit Manager has a new control: Last Recovery Point Control. It allows customers to identify and report on the last available backup recovery point to ensure compliance with their organization’s recovery point objective (RPO) requirements. This new control extends the visibility, continuous compliance monitoring, and reporting provided by AWS Backup Audit Manager so you can easily validate compliance across multiple resources.
Using AWS Backup Audit Manager, whether with the recommended AWS Backup Audit Manager framework or a custom framework, does not automatically enable this new control. To enable it, go to the Frameworks section of Backup Audit Manager, select a framework, and then select Edit.
AWS Backup Console – Backup Audit Manager Frameworks
Scroll down to see the new control:
After the control is active, set its configuration options. First, define the time frame within which the framework checks that a recovery point is available. For hours, select a value between 1 and 744. For days, select a value between 1 and 31. Once the frequency is selected, choose whether to evaluate all resources or only some.
Last Recovery Point Control configuration options
After defining the settings as desired, select Save changes. The existing framework is then redeployed and re-evaluated with the new controls. The framework will then run again every 24 hours.
This process can take minutes to hours, depending on the number of resources in your account. For my part, I configured the new control to check for compliance with all supported resources, with a backup frequency of 1 hour.
It looks like I have some homework to do as I only see one compliant resource (Amazon EFS). According to the check, my other resources are not compliant. As a result, we know that we cannot meet our RPO targets for all resources, as shown in the chart below.
AWS Backup Audit Manager Resource Evaluations
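The check this control performs can be modelled locally, which helps when sanity-testing an RPO window before changing a framework. This is an added example, not AWS code or part of the original post; the inventory, the resource IDs, and the rule that a resource with no recovery point counts as non-compliant are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Limits stated on this page for the control's time window.
LIMITS = {"hours": (1, 744), "days": (1, 31)}


def rpo_window(value, unit):
    """Validate the window against the page's limits and return it as a timedelta."""
    if unit not in LIMITS:
        raise ValueError(f"unit must be one of {sorted(LIMITS)}")
    low, high = LIMITS[unit]
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{unit} value must be an integer from {low} to {high}")
    return timedelta(**{unit: value})


def evaluate(resources, value, unit, now, resource_types=None):
    """Return {resource_id: 'COMPLIANT' | 'NON_COMPLIANT'} for resources in scope.

    resource_types=None evaluates every resource; a set restricts the scope.
    Assumption: a resource with no recovery point at all is non-compliant.
    """
    window = rpo_window(value, unit)
    results = {}
    for res in resources:
        if resource_types is not None and res["type"] not in resource_types:
            continue  # out of scope for this control
        last = res["last_recovery_point"]
        ok = last is not None and now - last <= window
        results[res["id"]] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return results


# Constructed sample inventory (not real resources).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "efs-example-1", "type": "EFS", "last_recovery_point": NOW - timedelta(minutes=40)},
    {"id": "ebs-example-1", "type": "EBS", "last_recovery_point": NOW - timedelta(hours=26)},
    {"id": "ebs-example-2", "type": "EBS", "last_recovery_point": None},
    {"id": "rds-example-1", "type": "RDS", "last_recovery_point": NOW - timedelta(hours=5)},
]

if __name__ == "__main__":
    # 1-hour window over all resources, as configured in the walkthrough.
    for rid, status in evaluate(INVENTORY, 1, "hours", NOW).items():
        print(f"{rid}: {status}")
```

Widening the window to 2 days and restricting the scope to `{"EBS"}` flips `ebs-example-1` to compliant while the volume with no recovery point stays non-compliant.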
Click Amazon EBS to see non-compliant volumes. This will take you to your AWS Config dashboard where you can see all non-compliant Amazon EBS volumes and assessment parameters.
Resources in scope
Ultimately, information from this new control is included in the next compliance report generated by AWS Backup Audit Manager. Here’s my example:
AWS Backup Audit Manager Compliance Report