AWS Backup Report Plan Exists
Overview
This check verifies that at least one AWS Backup report plan exists in your account. Report plans automatically generate reports about your backup jobs, copy jobs, restore jobs, or compliance status and deliver them to an S3 bucket. This provides visibility into whether your backups are running successfully.
Risk
Without an AWS Backup report plan:
- Backup failures may go unnoticed until you need to restore data and discover backups have been failing
- Missed restore windows can lead to SLA breaches and extended downtime during incidents
- Compliance gaps in retention, scheduling, or encryption controls could persist unreported
- No audit trail of backup activity across accounts and regions, weakening governance
- Recovery objectives at risk when backup issues are not detected and resolved promptly
Remediation Steps
Prerequisites
- AWS account access with permissions to create AWS Backup resources
- An S3 bucket to store the generated reports (you can create one during setup)
Required IAM permissions
To create a report plan, your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup:CreateReportPlan",
        "backup:DescribeReportPlan",
        "backup:ListReportPlans"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<your-report-bucket>",
        "arn:aws:s3:::<your-report-bucket>/*"
      ]
    }
  ]
}
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to AWS Backup (search for "Backup" in the services search bar)
- In the left navigation pane, click Reports
- Click Create report plan
- Configure the report plan:
  - Report plan name: Enter a descriptive name (e.g., backup_jobs_report; names must start with a letter and may contain only letters, numbers, and underscores)
  - Report plan description: Optional description of the report purpose
  - Report template: Select one of:
    - Backup jobs report - Track backup job status and details
    - Copy jobs report - Track cross-region/cross-account copy jobs
    - Restore jobs report - Track restore job activity
    - Resource compliance report - Show compliance status against backup policies
- Under Report delivery settings:
  - S3 bucket name: Select an existing bucket or create a new one
  - S3 prefix (optional): Add a folder path like backup-reports/
  - Report formats: Select CSV, JSON, or both
- Optionally, limit the report scope to specific accounts, regions, or frameworks
- Click Create report plan
The report plan will run on a schedule and deliver reports to your S3 bucket.
AWS CLI (optional)
Create a report plan for backup job reports:
# Report plan names must start with a letter and may contain only
# letters, numbers, and underscores (hyphens are rejected).
aws backup create-report-plan \
  --report-plan-name backup_jobs_daily_report \
  --report-plan-description "Daily backup job status report" \
  --report-delivery-channel '{
    "S3BucketName": "<your-report-bucket>",
    "S3KeyPrefix": "backup-reports",
    "Formats": ["CSV", "JSON"]
  }' \
  --report-setting '{
    "ReportTemplate": "BACKUP_JOB_REPORT"
  }' \
  --region us-east-1
Available report templates:
- BACKUP_JOB_REPORT - Backup job activity
- COPY_JOB_REPORT - Copy job activity
- RESTORE_JOB_REPORT - Restore job activity
- RESOURCE_COMPLIANCE_REPORT - Compliance against backup policies
- CONTROL_COMPLIANCE_REPORT - Compliance against frameworks
For a compliance report covering all regions:
# "Regions": ["*"] includes every region in the report.
aws backup create-report-plan \
  --report-plan-name compliance_report \
  --report-plan-description "Resource compliance report across all regions" \
  --report-delivery-channel '{
    "S3BucketName": "<your-report-bucket>",
    "S3KeyPrefix": "compliance-reports",
    "Formats": ["CSV"]
  }' \
  --report-setting '{
    "ReportTemplate": "RESOURCE_COMPLIANCE_REPORT",
    "Regions": ["*"]
  }' \
  --region us-east-1
List existing report plans:
aws backup list-report-plans --region us-east-1
CloudFormation (optional)
Deploy a backup report plan using CloudFormation:
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an AWS Backup report plan for backup job monitoring
Parameters:
  ReportBucketName:
    Type: String
    Description: S3 bucket name for storing backup reports
Resources:
  BackupJobsReportPlan:
    Type: AWS::Backup::ReportPlan
    Properties:
      # Letters, numbers, and underscores only; must start with a letter
      ReportPlanName: backup_jobs_report
      ReportPlanDescription: Daily report of backup job status
      ReportDeliveryChannel:
        S3BucketName: !Ref ReportBucketName
        S3KeyPrefix: backup-reports
        Formats:
          - CSV
          - JSON
      ReportSetting:
        ReportTemplate: BACKUP_JOB_REPORT
      ReportPlanTags:
        - Key: Purpose
          Value: BackupMonitoring
Outputs:
  ReportPlanArn:
    Description: ARN of the created report plan
    Value: !GetAtt BackupJobsReportPlan.ReportPlanArn
Deploy the template:
aws cloudformation deploy \
  --template-file backup-report-plan.yaml \
  --stack-name backup-report-plan-stack \
  --parameter-overrides ReportBucketName=<your-report-bucket> \
  --region us-east-1
Terraform (optional)
Create a backup report plan using Terraform:
resource "aws_backup_report_plan" "backup_jobs" {
  # The provider arguments are "name" and "description"; the name may
  # contain only letters, numbers, and underscores.
  name        = "backup_jobs_report"
  description = "Daily report of backup job status"

  report_delivery_channel {
    s3_bucket_name = var.report_bucket_name
    s3_key_prefix  = "backup-reports"
    formats        = ["CSV", "JSON"]
  }

  report_setting {
    report_template = "BACKUP_JOB_REPORT"
  }

  tags = {
    Purpose = "BackupMonitoring"
  }
}

variable "report_bucket_name" {
  description = "S3 bucket name for storing backup reports"
  type        = string
}
For a compliance report with specific regions:
resource "aws_backup_report_plan" "compliance" {
  name        = "compliance_report"
  description = "Resource compliance report"

  report_delivery_channel {
    s3_bucket_name = var.report_bucket_name
    s3_key_prefix  = "compliance-reports"
    formats        = ["CSV"]
  }

  report_setting {
    report_template = "RESOURCE_COMPLIANCE_REPORT"
    regions         = ["us-east-1", "us-west-2"]
  }

  tags = {
    Purpose = "ComplianceMonitoring"
  }
}
Verification
After creating a report plan, verify it is configured correctly:
- Go to AWS Backup > Reports in the AWS Console
- Confirm your report plan appears in the list
- Check that the Status column shows the plan is active
- Optionally, click Create on-demand report to generate an immediate report and verify delivery to S3
CLI verification commands
List all report plans:
aws backup list-report-plans --region us-east-1
Expected output:
{
  "ReportPlans": [
    {
      "ReportPlanArn": "arn:aws:backup:us-east-1:123456789012:report-plan:backup_jobs_report",
      "ReportPlanName": "backup_jobs_report",
      "ReportPlanDescription": "Daily report of backup job status",
      "CreationTime": "2024-01-15T10:30:00Z"
    }
  ]
}
Get details about a specific report plan:
aws backup describe-report-plan \
  --report-plan-name backup_jobs_report \
  --region us-east-1
List recent report jobs to verify reports are being generated:
aws backup list-report-jobs --region us-east-1
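The following is an added example, not part of the original page or of any AWS tooling: a Python sketch that evaluates saved output from the two list commands above, passing the check when at least one report plan exists and flagging plans whose latest report job is missing, failed, or stale. The sample ARNs, plan names, timestamps, and the 48-hour freshness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data shaped like `aws backup list-report-plans` and
# `aws backup list-report-jobs` output; ARNs and timestamps are made up.
PLANS = {"ReportPlans": [
    {"ReportPlanArn": "arn:aws:backup:us-east-1:123456789012:report-plan:jobs",
     "ReportPlanName": "backup_jobs_report"},
    {"ReportPlanArn": "arn:aws:backup:us-east-1:123456789012:report-plan:compliance",
     "ReportPlanName": "compliance_report"},
    {"ReportPlanArn": "arn:aws:backup:us-east-1:123456789012:report-plan:copy",
     "ReportPlanName": "copy_jobs_report"},
]}
JOBS = {"ReportJobs": [
    {"ReportPlanArn": PLANS["ReportPlans"][0]["ReportPlanArn"],
     "Status": "COMPLETED", "CreationTime": "2024-01-16T02:00:00Z"},
    {"ReportPlanArn": PLANS["ReportPlans"][1]["ReportPlanArn"],
     "Status": "COMPLETED", "CreationTime": "2024-01-15T02:00:00Z"},
    {"ReportPlanArn": PLANS["ReportPlans"][1]["ReportPlanArn"],
     "Status": "FAILED", "StatusMessage": "Access Denied",
     "CreationTime": "2024-01-16T02:00:00Z"},
]}

def parse_ts(value):
    # fromisoformat() before Python 3.11 rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(plans_doc, jobs_doc, now, max_age=timedelta(hours=48)):
    """Return (check_passed, findings). The check passes if any plan exists;
    findings list plans whose reports are missing, failing, or stale."""
    plans = plans_doc.get("ReportPlans", [])
    if not plans:
        return False, ["no report plan exists in this region"]
    latest = {}  # newest report job per plan ARN
    for job in jobs_doc.get("ReportJobs", []):
        prev = latest.get(job["ReportPlanArn"])
        if prev is None or parse_ts(job["CreationTime"]) > parse_ts(prev["CreationTime"]):
            latest[job["ReportPlanArn"]] = job
    findings = []
    for plan in plans:
        name, job = plan["ReportPlanName"], latest.get(plan["ReportPlanArn"])
        if job is None:
            findings.append(f"{name}: no report job recorded")
        elif job["Status"] == "FAILED":
            findings.append(f"{name}: latest job FAILED ({job.get('StatusMessage', 'no message')})")
        elif now - parse_ts(job["CreationTime"]) > max_age:
            findings.append(f"{name}: latest report older than {max_age}")
    return True, findings

if __name__ == "__main__":
    ok, issues = evaluate(PLANS, JOBS, now=parse_ts("2024-01-16T12:00:00Z"))
    print("PASS" if ok else "FAIL", *issues, sep="\n")
```

To use it on a real account, load the JSON printed by the two commands with json.load() and pass datetime.now(timezone.utc) as now.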
Additional Resources
- AWS Backup Report Plans Documentation
- Creating a Report Plan
- AWS Backup Pricing
- AWS Backup Developer Guide
Notes
- Report frequency: Reports run on a schedule determined by AWS (typically daily). You can also create on-demand reports anytime.
- S3 bucket permissions: Ensure the S3 bucket policy allows AWS Backup to write reports. AWS Backup uses service-linked roles for this.
- Cross-account reports: For organizations, you can configure report plans to cover multiple accounts by specifying account IDs or using ROOT for all accounts in your organization.
- Multiple report plans: Consider creating separate report plans for different report types (jobs vs. compliance) to organize your monitoring.
- Cost considerations: There is no additional charge for report plans. Standard S3 storage charges apply for the generated reports.
- Report retention: Manage report retention in your S3 bucket using lifecycle policies to avoid accumulating old reports.