Compliance report

Use the Compliance Report to evaluate your asset backup and retention policy implementation to meet compliance requirements. You can use controls to define your compliance requirements. A control is a procedure designed to audit the compliance of a backup requirement for example, backup frequency or backup retention period. You can define one or more controls to evaluate compliance.

The report currently provides the following controls:

Policy control: Evaluates whether a policy has minimum backup and retention periods.
Asset control (Policy coverage): Evaluates whether selected assets are covered by a backup policy.
Asset control (Recoverability): Evaluates whether there are available recovery points (backups) with the required duration (backup retention) for the specified compliance window (look back period).

Your backup policies and assets are audited against these controls.

In addition to the controls, you can further filter the items selected for evaluation. You can filter to do the following:

Select policies and assets from a specific organizational unit (OU).
Select asset types and evaluate policies for the selected asset types.

For example, if a policy is under OU1 and it contains multiple asset types, you select OU1 + S3, then the controls will evaluate only S3 policies under OU1.

You can also select additional filters to apply the controls to assets in specific accounts and optionally regions, and to assets with specific tags.

To create the compliance report, you first need to create a report plan in which you define your compliance requirements using controls and specify a schedule. After you save your report plan, you can generate an on-demand report based on the plan you just created.

An item is in compliance with a control only if all conditions for the control are met. For example, if you define an Asset control for policy coverage and another Asset control for recoverability, the items you select to be evaluated may show up as fully compliant for the policy coverage control but non-compliant for the recoverability control.

If you have data that needs to be backed up every day and retained for 5 weeks, you can define controls as follows:

Policy control: If policies have a minimum backup frequency of 1 days and backup retention is at least 5 weeks.
Asset control (policy coverage): If a set of assets is protected by a backup policy (treat deactivated policy as non-compliant).
Asset control (recoverability): If a set of assets is backed up every 1 days and retained for 5 weeks evaluated over the course of the last 30 days.

Additionally, you can set the organizational unit filter to a child OU and set the asset type filter to EBS volumes and RDS assets.

In this case, Clumio evaluates:

If the selected policies in OU1 are set to back up the selected asset types (EBS and RDS in our example) every day and retain them for 5 weeks to conform to the policy control settings.
If the selected assets are covered by an active protection policy.
If the selected assets are backed up every day and and retained for at least 5 weeks over the last 30 days.

Note

The backup frequency and look back period are always the same unit of time. For example if backup frequency is defined in days, then the look back period is also defined in days, if the backup frequency is in weeks, the look back period is also defined in weeks.

The look back period must be a multiple of the backup frequency.
The look back period and retention period must be longer than the backup frequency period.
The look back period (30 days in the example), must be shorter than the retention period so as to ensure that backups are still available. If the look back period is longer than the retention period, you may not find any backups as they will have expired after the retention period is complete.
To view the details about the look back period, hover over the unit of time.

Create a Compliance report plan

You can create a maximum of 30 report plans.

Note

Report runs are retained for a maximum of 30 days.

On the Reports > Compliance page, click Create report plan.

The Create Compliance report plan wizard appears.
Type a name for the report and an optional description.
Define a report schedule by selecting the report generation frequency and the time at which the report should be generated.
Select the notification check box if you want to email the report. Type the recipient’s email address. Separate multiple email addresses with a space. Click Next.
On the Compliance controls screen, all three controls are selected by default. You can choose to use all the controls, just one control, or a combination of controls per your requirements.

When selecting policy control settings, keep in mind the asset types you want this control to evaluate–different assets have different backup and retention frequencies.

When selecting asset control recoverability settings, the look back period must be shorter than the retention period to ensure that backups are available.
Click Next.
On the Items to evaluate screen, optionally select the OU and/or asset type filters to further refine asset or policy selection, and then click Next.
Review and then confirm or modify your selections on the Review and create screen, and then click Create.

A confirmation dialog box appears.
Click Generate report to create a report immediately, or Done to finish the report plan creation.

A report is generated per the schedule you defined.

Create an on-demand Compliance report plan

You can also generate an on-demand report plan. You can create a maximum of 30 report plans.

Note

Report runs are retained for a maximum of 30 days.

On the Reports > Compliance page, click Create report plan.

The Create Compliance report plan wizard appears.
Enter a name for the report and an optional description.
Select On-demand from the Report schedule options to generate a one-time report.
Select the notification check box if you want to email the report.
Enter the recipient's email address. Enter multiple email addresses by separating them with a space.
Click Next.
On the Compliance controls screen, all three controls are selected by default. You can choose to use all the controls, use only one control, or use a combination of controls per your requirements.

When selecting policy control settings, keep in mind the asset types you want this control to evaluate–different assets have different backup and retention frequencies.

When selecting asset control recoverability settings, the look back period must be shorter than the retention period so as to ensure that backups are available.
Click Next.
On the Items to evaluate screen, optionally select the OU and/or asset type filters to further refine asset and policy selection.
Click Next.
Review and then confirm or modify your selections on the Review and create screen, and then click Create.

A confirmation dialog box appears.
Click Generate report to create a report immediately, or click Done to finish the report plan creation.

Generate an on-demand report from an existing report plan

Note

Report runs are retained for a maximum of 30 days.

On the Compliance report page, select the Action column in the row that contains the report plan you want to generate immediately and then click the Create on-demand report option.

Alternately, click the name of the report for which you want to generate an on-demand report, and then click Create on-demand report.
On the Create on-demand report screen, optionally modify the report name (the default name is the report name with a timestamp appended).
Click Create.
To view an on-demand report generated from an existing report plan, click the report plan name. This displays the report plan details page where you can find the on-demand report you generated from the plan.