AWS Storage Blog

Automate the delivery of AWS Backup Audit Manager reports via email

Business continuity and disaster recovery plans include a backup strategy for application workloads, whether on-premises or in the cloud. Organizations also need efficient ways to actively monitor their data protection posture and detect failures for remediation while meeting the recovery time objective (RTO) and recovery point objective (RPO) the business requires. One efficient approach is to receive automated reports on backup performance by email, where they are easy to access.

AWS Backup released a feature called AWS Backup Audit Manager in August 2021, allowing users to audit and report the compliance of data protection policies and generate backup reports to meet compliance and regulatory needs. One of the most popular aspects of this feature is the aggregate report of backup performance across all protected resources in a user’s backup plan. Users can also run on-demand backup reports to review their current backup state for business reasons. This report (in CSV or JSON format) is delivered to a specified Amazon Simple Storage Service (Amazon S3) bucket within the same account and AWS Region and can be downloaded for review. However, some users want the backup compliance reports delivered by email instead of having to download them manually from an S3 bucket.

In this post, we provide a step-by-step guide for the safe delivery of backup and compliance reports to email addresses specified by the user. We walk you through creating a report plan for a single AWS account and for multiple AWS accounts within AWS Organizations. The report plan is created in the AWS Backup management console, and an AWS Lambda function downloads the report from the specified S3 bucket and sends it as an email attachment to the specified email address(es), so that users can audit their backup and disaster recovery strategy in a timely manner. We also provide an optional use case of hourly report delivery through email that lists only failed or partially completed backup jobs for critical workloads, so that users can take remedial action to satisfy the RTO and RPO of their business continuity plan.

Solution walkthrough

Here we walk you through the various steps in implementing the solution.

Prerequisites

The following prerequisites are needed for following along with this post:

  1. An AWS Account with Amazon Simple Email Service (Amazon SES) set up. We use the Amazon SES API to send email.
  2. Verified identities (email address or domain) in Amazon SES. If you do not have verified identities, see the Amazon SES documentation on creating and verifying identities.
  3. An S3 bucket to store backup and compliance reports.
  4. AWS Backup Job configured and running.

Step 1: AWS CloudFormation stack

The CloudFormation template and source code for the Lambda function are available in GitHub.

The following resources are part of the CloudFormation stack:

To create resources:

  1. Choose the following Launch Stack button to launch your stack in us-east-1 and specify a name for the stack (you can deploy this template in any AWS Region of your choice):
  2. Type in the Sender Email Address that you have verified in Amazon SES.
  3. Type in the Recipients Email Addresses.
  4. Type in the S3BucketName where the backup and compliance reports are stored.
  5. Select the I acknowledge that AWS CloudFormation might create IAM resources check box.
  6. Choose Create stack.

Wait for CloudFormation to create all resources.

Figure 1.0: AWS CloudFormation creation wizard

Step 2: Configure backup report

You can configure a backup report for a single AWS account or multiple AWS accounts within Organizations.

Step 2a: Single AWS Account setup

You can set up a backup report to be delivered to email addresses or distribution lists for an individual AWS account, whether that account is a member of Organizations or not.

  1. Open the AWS Backup Management console and on the left pane, select Reports, which is under the Backup Audit Manager category. Select Create report plan.

Figure 2.0: AWS Backup report plans page

2. On the Choose a report template drop-down menu, select Backup jobs report and specify a Report plan name.

3. Select the Regions. You can select your current AWS Region or multiple AWS Regions for cross-Region reports to be delivered to your S3 bucket.

4. Under the Report delivery section, select your desired File formats (CSV and/or JSON), specify the Bucket name, and, if you want the reports stored under a prefix, fill in Bucket prefix – optional.

5. Select Create report plan.

Figure 2.1: AWS Backup report plan creation wizard

6. In the new page, select Copy permission to copy the necessary access policy for Amazon S3.

7. Select Edit bucket policy to apply the S3 bucket policy to the S3 bucket. This action opens the bucket policy section of the S3 bucket where the backup and compliance reports are to be stored in a new browser tab. Paste the policy, select Save changes, and then close the tab / window.

Note that you must create the report plan before saving the bucket policy; otherwise, saving the policy fails with an invalid principal error.

Furthermore, when you select more than one AWS Region, the option to select the file format is no longer visible. The file formats CSV and JSON are selected by default.

Figure 2.2: AWS Backup report plan S3 bucket policy

Step 2b: Multi-account setup

You can also set up a backup report for multiple accounts under Organizations and have it delivered to the members of the Organization through email. For the multi-account setup, the report plan must be created on the management account.

  1. On the management account, open the AWS Backup console. On the left pane, select Reports, which is under the Backup Audit Manager category. Select Create report plan.

Figure 2.3: AWS Backup report plans page for management account

2. On the Choose a report template drop-down menu, select Backup jobs report, and specify a Report plan name.

3. Under Accounts, select One or more accounts in my organization. Then, add Organizational units (OUs) & accounts.

4. Select the necessary Regions. You can select All available Regions.

5. Select the check box to Include new Regions when they are incorporated into Backup Audit Manager.

6. Under the Report delivery section, select your desired File formats (CSV and/or JSON), specify the Bucket name, and, if you want the reports stored under a prefix, fill in Bucket prefix – optional. Then, select Create report plan.

Figure 2.4: AWS Backup report plan creation wizard for management account

7. In the new page, select Copy permission to copy the necessary access policy for Amazon S3.

8. Select Edit bucket policy to apply the S3 bucket policy to the S3 bucket. This action opens the bucket policy section of the S3 bucket where the backup and compliance reports are to be stored in a new browser tab. Paste the policy, select Save changes, and then close the window.

Figure 2.5: AWS Backup report plan S3 bucket policy

Step 3: Configure events on the S3 bucket

The event notification configuration triggers the Lambda function, which fetches the report and delivers it as an attachment to the specified email addresses.

Create the event notification on the S3 bucket configured to receive the backup report:

1. Open the Amazon S3 console.

2. Select the S3 bucket name.

3. Select the Properties tab.

4. Scroll down to the Event notifications section, and then select Create event notification.

5. Fill in the following and select Save changes:

a. Event name: Specify a name.
b. Prefix – optional: set this only if you configured a bucket prefix in the report plan.
c. Suffix: Specify .csv .json.
d. Event types: Select Put s3:ObjectCreated:Put.

Figure 3.0: Amazon S3 event notification configuration wizard

e. Destination: Select Lambda function and select the Lambda function created in Step 1.

Figure 3.1: S3 event notification configuration wizard continued

6. Close the Amazon S3 console.

With this set up, backup reports are delivered to the specified email addresses.
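As an added illustration of the Lambda function this step triggers (not the code from the post's GitHub repository), the handler below reads the S3 event, fetches the report, and sends it through Amazon SES as an attachment; the environment variable names, the 9 MB attachment cap, and the Status column used for the optional failed-jobs digest described in the introduction are assumptions. It checks the source bucket and the .csv/.json suffix itself rather than relying on the notification filter alone, so an unexpected object in the bucket is never mailed out.

```python
import csv, io, os, urllib.parse
from email.message import EmailMessage
# Assumed settings for this example, read from Lambda environment variables
SENDER = os.environ.get("SENDER_EMAIL", "sender@example.com")
RECIPIENTS = [r.strip() for r in os.environ.get("RECIPIENTS", "ops@example.com").split(",")]
EXPECTED_BUCKET = os.environ.get("S3_BUCKET_NAME", "backup-reports-bucket")
MAX_ATTACHMENT_BYTES = 9 * 1024 * 1024  # stay below the SES raw message size limit
CONTENT_TYPES = {".csv": ("text", "csv"), ".json": ("application", "json")}

def report_keys(event: dict) -> list:
    # Accept only report objects from the expected bucket; ignore anything else
    found = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])  # keys are URL-encoded
        if bucket == EXPECTED_BUCKET and os.path.splitext(key)[1].lower() in CONTENT_TYPES:
            found.append((bucket, key))
    return found

def failed_jobs_only(csv_text: str) -> str:
    # Hourly use case: keep only FAILED/PARTIAL rows (the 'Status' column name is assumed)
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [])
    writer.writeheader()
    writer.writerows(r for r in reader if r.get("Status", "").upper() in ("FAILED", "PARTIAL"))
    return out.getvalue()

def build_email(key: str, body: bytes) -> EmailMessage:
    if len(body) > MAX_ATTACHMENT_BYTES:
        raise ValueError(f"{key}: {len(body)} bytes exceeds the attachment limit")
    name = key.rsplit("/", 1)[-1]
    maintype, subtype = CONTENT_TYPES[os.path.splitext(key)[1].lower()]
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(RECIPIENTS)
    msg["Subject"] = f"AWS Backup report: {name}"
    msg.set_content(f"Attached is the AWS Backup Audit Manager report {key}.")
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=name)
    return msg

def lambda_handler(event, context):
    import boto3  # imported here so the functions above run without the SDK installed
    s3, ses = boto3.client("s3"), boto3.client("ses")
    for bucket, key in report_keys(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        if os.environ.get("FAILED_ONLY") == "true" and key.lower().endswith(".csv"):
            body = failed_jobs_only(body.decode("utf-8")).encode("utf-8")
        msg = build_email(key, body)
        ses.send_raw_email(Source=SENDER, Destinations=RECIPIENTS, RawMessage={"Data": msg.as_bytes()})
```

The function's execution role only needs s3:GetObject on the report bucket and ses:SendRawEmail for the verified sender identity.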

Figure 3.2: Sample backup report delivered to email inbox

Step 4 (Optional): Configure EventBridge Scheduler to run on-demand jobs

Some users need their automated AWS Backup reports delivered by email more often than once every 24 hours. For this use case, we use EventBridge Scheduler to run on-demand reports for AWS Backup jobs every hour in AWS Backup Audit Manager.

Open the EventBridge console and on the left pane select Schedules, which is under Scheduler. Select Create schedule.

  1. Fill in the following based on your schedule requirements.

a. Enter the schedule name in Schedule name.
b. Assign the schedule to a Schedule group.
c. Select the schedule Occurrence.
d. Select the Schedule type.
e. Set the unit of time in Rate expression.
f. Select the Flexible time window to meet your need.
g. Select the Time zone.
h. Select Next.

Figure 4.1: Sample EventBridge Scheduler job creation.

2. In Select target:

a. Select All APIs.
b. In the search box, type backup to filter for AWS Backup service.
c. Select AWS Backup.

Figure 4.2: Sample EventBridge Scheduler job AWS API for backup services.

d. In the search box, type report to search for report.
e. Select StartReportJob.
f. In the input window, set ReportPlanName to the name of the report plan created in Step 2a or Step 2b.
g. Select Next.

Figure 4.3: Sample EventBridge Scheduler job AWS API for backup services continued.

3. On the Permissions page, select the IAM role from the dropdown. The IAM role for EventBridge is created as part of the CloudFormation script.

Figure 4.4: Sample EventBridge Scheduler job AWS API for backup services

4. Review and Create schedule.

With all of this set up, backup reports are generated hourly through the on-demand StartReportJob API and delivered to the specified email addresses, as shown in Figure 3.2.

Cleaning up

To clean up your account after deploying the solution outlined in this post, delete the CloudFormation stack, the Amazon S3 bucket, the EventBridge Scheduler schedule, and the report plans in AWS Backup.

Conclusion

In this post, we demonstrated how you can extend the capability of the AWS Backup service to deliver backup compliance reports directly to your email boxes in a timely and efficient manner.

The AWS Backup daily backup report feature provides the opportunity to evaluate your backup performance on a daily basis. Getting this report delivered through email provides a convenient option to track your backup performance and review your compliance posture. It also provides the flexibility to include your management or your teams’ distribution list on the current status of your backups across services supported by AWS Backup.

Thanks for reading this post. If you have any comments or questions, then leave them in the comments section. To learn more about AWS Backup, read the AWS Backup documentation.

Ezekiel Oyerinde

Ezekiel Oyerinde is a Senior Cloud Engineer with AWS and spends most of his time helping customers with their storage and backup solutions in the cloud. He has many years of experience working with storage and backup solutions, Unix systems, virtualization platforms, and data center environments. He is very passionate about technology. Outside of work, he enjoys spending time with his family and exploring new places.

Charles Meruwoma

Charles Meruwoma is a Solutions Architect with AWS. He focuses on helping global financial services organizations succeed in the cloud.

Sri Gudavalli

Sri Gudavalli is a Solutions Architect with AWS helping enterprise customers with their cloud migration and modernization journey. He works with enterprise customers in the US East region to build leading-edge cloud applications and services on AWS.