How to enforce Minimum and Maximum Retention Periods for AWS Backup Vault Lock using AWS Service Control Policies
AWS Backup Vault Lock in compliance mode ensures that recovery points in a vault cannot be deleted, and their retention cannot be shortened, before the retention period expires, giving immutable backups for compliance. The lock has a cooling-off period (the ChangeableForDays parameter, which must be at least 3 days) during which the lock can still be changed or removed. Once that period ends, the lock becomes immutable: neither account administrators nor AWS Support can alter or remove it. This protects against accidental or malicious deletion and helps meet regulatory requirements.
The same immutability cuts both ways. A mistaken or ill-intentioned lock configuration can commit a vault to an unnecessarily long minimum retention period, and once the cooling-off period has passed the resulting storage cost cannot be avoided by changing or deleting the lock.
Note: An SCP only affects vault lock requests made after it is attached. Locks that were already in place are not changed by it, and a lock whose cooling-off period has ended cannot be altered by any means. SCPs also never apply to the management account of the organisation, so lock requests made from that account are not constrained by them.
Solution: Service Control Policies for Backup Governance
AWS Service Control Policies (SCPs) provide organisation-wide limits on AWS Backup operations. By applying SCPs at the AWS Organisations level, customers can enforce retention limits on backup vault locks before they become immutable, ensuring governance over retention policies and preventing costly misconfiguration.
Implementation Guide
Step 1: Design Your Retention Policy
Before implementing SCPs, define specific minimum and maximum retention periods for the organisation based on regulatory compliance requirements, business continuity needs, and cost optimisation goals.
Step 2: Create the Service Control Policy
Preventing Omitted Parameters with the Null Condition
Ensure that MaxRetentionDays is always specified. Without this parameter a vault lock has no upper bound on retention, so recovery points in the vault can be kept indefinitely.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMissingMaxRetentionDays",
      "Effect": "Deny",
      "Action": "backup:PutBackupVaultLockConfiguration",
      "Resource": "*",
      "Condition": {
        "Null": { "backup:MaxRetentionDays": "true" }
      }
    },
    {
      "Sid": "DenyMissingMinRetentionDays",
      "Effect": "Deny",
      "Action": "backup:PutBackupVaultLockConfiguration",
      "Resource": "*",
      "Condition": {
        "Null": { "backup:MinRetentionDays": "true" }
      }
    }
  ]
}
The Condition block uses the Null operator to test whether the backup:MaxRetentionDays condition key is present in the request context. With the value "true", the condition matches when the key is absent, that is, when MaxRetentionDays was omitted from the API call. The Deny then applies and the vault lock is not created, which prevents locks with indefinite retention. The second statement, "DenyMissingMinRetentionDays", has the same structure and tests for MinRetentionDays.
The Null check is needed because every other condition operator behaves the opposite way: when the key it references is missing from the request, the condition simply does not match, so a Deny that relied only on a numeric comparison would let a request that omits the parameter through. MaxRetentionDays and MinRetentionDays are optional parameters of the PutBackupVaultLockConfiguration API, but with this policy attached they can no longer be left blank or omitted; the SCP effectively makes them mandatory.
The following SCP policy enforces backup vault lock retention limits and ensures required parameters are present:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMissingMaxRetentionDays",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "Null": { "backup:MaxRetentionDays": "true" }
      }
    },
    {
      "Sid": "DenyMissingMinRetentionDays",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "Null": { "backup:MinRetentionDays": "true" }
      }
    },
    {
      "Sid": "DenyNon7MinRetentionDays",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration",
        "backup:CreateLogicallyAirGappedBackupVault"
      ],
      "Resource": "*",
      "Condition": {
        "NumericNotEquals": { "backup:MinRetentionDays": 7 }
      }
    },
    {
      "Sid": "DenyNon90MaxRetentionDays",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration",
        "backup:CreateLogicallyAirGappedBackupVault"
      ],
      "Resource": "*",
      "Condition": {
        "NumericNotEquals": { "backup:MaxRetentionDays": 90 }
      }
    }
  ]
}
The policy above requires both MaxRetentionDays and MinRetentionDays to be present when a vault lock is created, and further requires the minimum retention period to be exactly 7 days and the maximum to be exactly 90 days; any PutBackupVaultLockConfiguration or CreateLogicallyAirGappedBackupVault request with other values is denied. Because the two Null statements run first, a request that omits either parameter is denied before the numeric comparisons are reached, so the optional API fields become mandatory in practice and no vault can end up with an undefined or indefinite retention period. Most organisations will want a permitted range rather than exact values: replace NumericNotEquals with NumericLessThan for the minimum (deny a MinRetentionDays below the floor) and NumericGreaterThan for the maximum (deny a MaxRetentionDays above the ceiling), keeping the Null statements unchanged.
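To see why the Null statements matter, it helps to evaluate the policy against concrete requests. The following is an added example, not code from the article or an AWS tool: a small Python model of only the IAM condition semantics this page relies on (the Null operator, the Numeric* operators, and the rule that a non-Null operator does not match when its key is absent). It runs the article's SCP, and the same SCP with the two Null statements removed, against constructed PutBackupVaultLockConfiguration requests. The mapping from API parameter names to backup:* condition keys is assumed, and the evaluator assumes the default FullAWSAccess SCP is also attached, so an explicit Deny is the only way a request fails the SCP check.

```python
# Added example: a local model of the IAM condition semantics the SCP relies on.
# Not an AWS library; it implements only the operators the article's policy uses.

# The article's SCP, as a Python dict so it can be evaluated locally.
ARTICLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyMissingMaxRetentionDays", "Effect": "Deny",
         "Action": ["backup:PutBackupVaultLockConfiguration"], "Resource": "*",
         "Condition": {"Null": {"backup:MaxRetentionDays": "true"}}},
        {"Sid": "DenyMissingMinRetentionDays", "Effect": "Deny",
         "Action": ["backup:PutBackupVaultLockConfiguration"], "Resource": "*",
         "Condition": {"Null": {"backup:MinRetentionDays": "true"}}},
        {"Sid": "DenyNon7MinRetentionDays", "Effect": "Deny",
         "Action": ["backup:PutBackupVaultLockConfiguration",
                    "backup:CreateLogicallyAirGappedBackupVault"], "Resource": "*",
         "Condition": {"NumericNotEquals": {"backup:MinRetentionDays": 7}}},
        {"Sid": "DenyNon90MaxRetentionDays", "Effect": "Deny",
         "Action": ["backup:PutBackupVaultLockConfiguration",
                    "backup:CreateLogicallyAirGappedBackupVault"], "Resource": "*",
         "Condition": {"NumericNotEquals": {"backup:MaxRetentionDays": 90}}},
    ],
}

# The same policy without the two Null statements: the gap this example exposes.
RANGE_ONLY_SCP = {"Version": "2012-10-17", "Statement": ARTICLE_SCP["Statement"][2:]}

# Assumed mapping from API parameter name to the condition key AWS Backup populates.
CONDITION_KEYS = {
    "MinRetentionDays": "backup:MinRetentionDays",
    "MaxRetentionDays": "backup:MaxRetentionDays",
    "ChangeableForDays": "backup:ChangeableForDays",
}


def request_context(params):
    """Condition keys present in the request. A parameter omitted from the API
    call is simply absent here, which is exactly what the Null operator tests."""
    return {CONDITION_KEYS[k]: v for k, v in params.items() if k in CONDITION_KEYS}


def condition_matches(operator, key, expected, ctx):
    if operator == "Null":
        # Null:"true" matches when the key is absent, Null:"false" when present.
        return (key not in ctx) == (str(expected).lower() == "true")
    if key not in ctx:
        # Every other operator yields "no match" for a missing key, so a Deny
        # that depends on it silently does not fire. Hence the DenyMissing* statements.
        return False
    actual, want = float(ctx[key]), float(expected)
    return {
        "NumericEquals": actual == want,
        "NumericNotEquals": actual != want,
        "NumericLessThan": actual < want,
        "NumericLessThanEquals": actual <= want,
        "NumericGreaterThan": actual > want,
        "NumericGreaterThanEquals": actual >= want,
    }[operator]


def statement_applies(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    # All operators in a Condition block, and all keys under each, are ANDed.
    return all(condition_matches(op, key, want, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, want in pairs.items())


def evaluate(scp, action, params):
    """Return (passes_scp, denying_sid). Assumes FullAWSAccess is also attached,
    so the only way to fail here is an explicit Deny whose condition matches.
    A request that passes must still be allowed by IAM policies in the account."""
    ctx = request_context(params)
    for stmt in scp["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, ctx):
            return False, stmt["Sid"]
    return True, None


# Constructed sample requests (not captured from a real account).
ACTION = "backup:PutBackupVaultLockConfiguration"
REQUESTS = {
    "compliant":   {"MinRetentionDays": 7, "MaxRetentionDays": 90, "ChangeableForDays": 3},
    "missing_max": {"MinRetentionDays": 7, "ChangeableForDays": 3},
    "ten_years":   {"MinRetentionDays": 7, "MaxRetentionDays": 3650, "ChangeableForDays": 3},
}

if __name__ == "__main__":
    for name, params in REQUESTS.items():
        print(f"{name:12s} article SCP -> {evaluate(ARTICLE_SCP, ACTION, params)}")
        print(f"{name:12s} range-only  -> {evaluate(RANGE_ONLY_SCP, ACTION, params)}")
```

The "missing_max" request is the case to watch: the article's SCP denies it via DenyMissingMaxRetentionDays, while the range-only variant lets it through, because NumericNotEquals on an absent key never matches. The "ten_years" request is denied by both, since the key is present and the comparison fires. Swapping NumericNotEquals for NumericLessThan and NumericGreaterThan in the policy dicts turns the exact-value rule into a floor and ceiling without changing anything else in the evaluator.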
Service Control Policies provide robust, organisation-wide governance for AWS Backup operations. By targeting vault lock configurations before they become immutable, you can block unapproved retention periods, avoid unexpected storage costs, and keep retention settings consistent across accounts. Start with the basic policy above, then adjust the values and operators to your organisation's compliance and cost requirements. For the full list of condition keys, refer to the AWS Backup Actions, Resources, and Condition Keys documentation.
Reference:
- AWS Backup Vault Lock - https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
- PutBackupVaultLockConfiguration - https://docs.aws.amazon.com/aws-backup/latest/devguide/API_PutBackupVaultLockConfiguration.html
- IAM JSON policy elements: Condition operators - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html