How to store copies of AWS backups that are not accessible from AWS organisation root account

0

For historical reasons, I have an AWS organisation where AWS Backups are created for critical workloads in the organisation root account. I currently replicate these backups to another dedicated AWS account for backups (using AWS Backup copy function). I would like to protect these backup copies against a compromise of the organisation root account (e.g. if the root account is compromised, there should be no way for the attacker to delete both the original backup and the copy in the child account).

Is that even feasible?

  • My organisation has all features enabled, and it seems we can't go back and disable that once enabled.
  • I thus cannot delete the AWSServiceRoleForOrganizations role in the backup account, nor the AWSServiceRoleForSSO role, which in particular make it easy to gain access to the backup account through SSO.
  • I also tried removing my backup account from the organisation but the AWS Backup copy job no longer works in that case.

Any guidance would be greatly appreciated.

1 answer
0

One option is to use Glacier Vault Lock. It allows you to apply compliance policies on the backed up data: https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

AWS
Answered a year ago
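To make the Vault Lock suggestion concrete, here is an added example (not part of the original answer) that builds the lock policy AWS documents for this use case: a Deny on glacier:DeleteArchive for every principal, root included, until an archive is older than the retention period. The vault ARN and account ID are placeholders, and the small evaluator is constructed for this example, not the IAM policy engine. The lock itself is applied in two steps: initiate-vault-lock returns a lock ID, and complete-vault-lock must be called within 24 hours, after which the policy cannot be changed or removed.

```python
import json


def vault_lock_policy(vault_arn: str, min_retention_days: int) -> dict:
    """Glacier Vault Lock policy: nobody (Principal "*", so the organisation
    root account too) may delete an archive younger than min_retention_days.
    Once the lock is completed this policy is immutable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-until-retained",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {
                "NumericLessThanEquals": {
                    "glacier:ArchiveAgeInDays": str(min_retention_days)
                }
            },
        }],
    }


def delete_is_denied(policy: dict, archive_age_days: int) -> bool:
    """Minimal evaluator (constructed for this example) for the statement shape
    above: a Deny on DeleteArchive whose age condition matches wins for any
    principal, which is the property that protects the copies from a compromised
    root account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "glacier:DeleteArchive" not in actions and "glacier:*" not in actions:
            continue
        limit = stmt.get("Condition", {}).get("NumericLessThanEquals", {}).get(
            "glacier:ArchiveAgeInDays")
        if limit is None or archive_age_days <= int(limit):
            return True
    return False


if __name__ == "__main__":
    # Placeholder ARN; substitute the vault in the dedicated backup account.
    policy = vault_lock_policy(
        "arn:aws:glacier:eu-west-1:111122223333:vaults/backup-copies", 365)
    print(json.dumps(policy, indent=2))
    print(delete_is_denied(policy, 30), delete_is_denied(policy, 400))
```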
