How to store copies of AWS backups that are not accessible from AWS organisation root account

0

For historical reasons, I have an AWS organisation where AWS Backups are created for critical workloads in the organisation root account. I currently replicate these backups to another dedicated AWS account for backups (using AWS Backup copy function). I would like to protect these backup copies against a compromise of the organisation root account (e.g. if the root account is compromised, there should be no way for the attacker to delete both the original backup and the copy in the child account).

Is that even feasible?

  • My organisation has all features enabled, and it seems we can't go back and disable that once enabled.
  • I thus cannot delete the AWSServiceRoleForOrganizations role in the backup account, nor the AWSServiceRoleForSSO role, which in particular make it easy to gain access to the backup account through SSO.
  • I also tried removing my backup account from the organisation but the AWS Backup copy job no longer works in that case.

Any guidance would be greatly appreciated.

1 Answer
0

One option is to use Glacier Vault Lock. It allows you to apply compliance policies on the backed up data: https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

AWS
answered a year ago
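As an added example (not part of the original answer or of any AWS sample), the following script walks through the two-step Vault Lock procedure the answer refers to: InitiateVaultLock attaches a lock policy in the InProgress state and returns a lock ID, the policy can be tested or aborted for 24 hours, and CompleteVaultLock with that lock ID makes it immutable. The policy denies glacier:DeleteArchive to every principal, the account root included, until an archive is at least a given number of days old, which is what protects the copies against a compromised root. Assumptions: the copies are stored as archives in an S3 Glacier vault named backup-copies in the backup account, the account ID and region in the ARN are made up, and FakeGlacierClient is a stand-in with the same method names as the boto3 Glacier client so the flow runs offline; swap in real_client() against a real vault.

```python
"""Lock an S3 Glacier vault so archives cannot be deleted before a minimum age."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample values: the account ID, region and vault name are not real.
VAULT_NAME = "backup-copies"
VAULT_ARN = "arn:aws:glacier:eu-west-1:111122223333:vaults/backup-copies"


def vault_lock_policy(vault_arn: str, min_archive_age_days: int) -> dict:
    """Resource policy denying archive deletion to every principal (root included)
    while an archive is younger than min_archive_age_days."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "deny-based-on-archive-age",
                "Principal": "*",
                "Effect": "Deny",
                "Action": "glacier:DeleteArchive",
                "Resource": [vault_arn],
                "Condition": {
                    "NumericLessThan": {"glacier:ArchiveAgeInDays": str(min_archive_age_days)}
                },
            }
        ],
    }


def initiate_lock(client, vault_name: str, policy: dict) -> str:
    """Step 1: attach the policy in InProgress state; returns the lock ID
    needed to complete (or abort) the lock within 24 hours."""
    resp = client.initiate_vault_lock(
        accountId="-", vaultName=vault_name, policy={"Policy": json.dumps(policy)}
    )
    return resp["lockId"]


def complete_lock(client, vault_name: str, lock_id: str) -> str:
    """Step 2: make the policy immutable; returns the resulting lock state."""
    client.complete_vault_lock(accountId="-", vaultName=vault_name, lockId=lock_id)
    return client.get_vault_lock(accountId="-", vaultName=vault_name)["State"]


def real_client(region: str):
    """Real boto3 Glacier client (imported lazily so the offline demo needs no boto3)."""
    import boto3  # assumption: boto3 is installed where this is used for real
    return boto3.client("glacier", region_name=region)


class FakeGlacierClient:
    """Offline stand-in mimicking the Vault Lock state machine of the Glacier API."""

    def __init__(self):
        self.policy = None
        self.state = None
        self.lock_id = None
        self.expires = None

    def initiate_vault_lock(self, accountId, vaultName, policy):
        if self.state == "Locked":
            raise RuntimeError("vault is already locked; the policy is immutable")
        self.policy = policy["Policy"]
        self.state = "InProgress"
        self.lock_id = uuid.uuid4().hex
        self.expires = datetime.now(timezone.utc) + timedelta(hours=24)
        return {"lockId": self.lock_id}

    def abort_vault_lock(self, accountId, vaultName):
        if self.state != "InProgress":
            raise RuntimeError("no in-progress lock to abort")
        self.__init__()

    def complete_vault_lock(self, accountId, vaultName, lockId):
        if self.state != "InProgress" or lockId != self.lock_id:
            raise RuntimeError("lock ID does not match an in-progress lock")
        if datetime.now(timezone.utc) > self.expires:
            raise RuntimeError("24-hour window expired; the in-progress lock was discarded")
        self.state = "Locked"

    def get_vault_lock(self, accountId, vaultName):
        return {"Policy": self.policy, "State": self.state,
                "ExpirationDate": self.expires.isoformat() if self.expires else None}


if __name__ == "__main__":
    client = FakeGlacierClient()  # replace with real_client("eu-west-1") for a real vault
    lock_id = initiate_lock(client, VAULT_NAME, vault_lock_policy(VAULT_ARN, 365))
    print("in progress, lock id", lock_id)
    print("final state:", complete_lock(client, VAULT_NAME, lock_id))
```

Between the two steps, exercise the policy (attempt a delete as the account root and confirm it is denied) and abort with abort_vault_lock if the policy is wrong; once CompleteVaultLock succeeds there is no API that removes or relaxes the policy.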
