WORM backups for RDS?

I don't believe that a WORMable backup (which doesn't exist) would solve the problem you are worried about. WORM is great for making sure that objects aren't changed, but it typically does not prevent them from being deleted. And if it could, how would you ever delete them when no longer needed?

The generally recommended way to address the scenario you bring up is with the cross-account snapshot copy feature. What you do is set up a separate account for compromise protection and schedule periodic copies of important snapshots from your main account to the compromise protection account. Access to the credentials for the compromise protection account are than severely restricted, to reduce the chance of a disgruntled employee having access. Yes, disgruntled employees have done exactly what you fear. So require two employees be involved to access the credentials for the compromise protection account.

You should also be protecting both your main account and your compromise protection account with Multi-Factor Authentication.

Thanks for the tip, that does sound like a good workaround!

Regarding the WORM backups, maybe I'm getting the terminology wrong, but in S3 you can make a bucket with a policy that anything you write to it can't be deleted or altered for X number of days, and then you can make an automatic lifecycle policy to delete it after that. That'd be more convenient since it would only need one account, and wouldn't need to set up the automatic daily transfer to the other account, and probably most importantly you would retain the ability to do point in time restores, instead of only being able to restore to your last daily backup.

Edited by: Mohamed Hafez on May 6, 2020 9:21 AM

I don't believe RDS supports that S3 capability. It is likely not practical to implement for automated backups, but could be implemented for manual snapshots. I don't know where that sits as a priority for the RDS team or even if it is on the backlog. What the RDS team did implement is the ability to export a snapshot's data to S3 (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ExportSnapshot.html), which you could then apply the WORM capabilities against. That would satisfy the kind of legal requirements that WORM is generally intended for, but is not ideal for your scenario.

Any way you slice it though you don't get point-in-time recovery. That applies to an instance, not to a snapshot. RDS does PITR by taking the last automated snapshot and applying the log backups to it. But a snapshot alone, particularly a manual snapshot, would not have the log information available to it.

One other point, if your root account is compromised it can be deleted. If the account is deleted I don't know what happens to those S3 WORM buckets. The separate account model protects against a far larger set of compromise scenarios than a snapshot delete. For example you could put the second account in a separate region. That means it provides both account compromise protection and disaster recovery capabilities.

Edited by: HalTemp on May 6, 2020 9:48 PM

I belive what you are looking for is Vault Lock in AWS Backups. When active, backups can't be deleted by anyone prior to the retention period ending and you can store continous backups allowing for point-in-time recovery of up to 35 days.