Hello,
AWS Backups are inherently immutable in terms of their content, meaning the data within a backup cannot be altered once created. The problem here is that backup recovery points in the vault can be deleted if users have permissions to delete them.
AWS Backup Vault Lock adds an extra layer of security by preventing backups from being deleted or modified during the specified retention period, thereby further enhancing the immutability and protection of the backups.
With Vault Lock, you can apply Governance or Compliance mode. When Governance mode is selected, only authorized individuals can make modifications to a backup vault, and Compliance mode ensures that a vault is retained for the entire duration of the defined retention term. Once a vault in Compliance mode is locked, the lock cannot be altered because it is immutable. However, you can specify a grace period, or cooling-off period, before the vault locks and becomes immutable.
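The two modes described in this answer map onto one API parameter: `put_backup_vault_lock_configuration` applies Governance mode when `ChangeableForDays` is omitted and Compliance mode (with a cooling-off period) when it is set. The following is an added example, not code from the thread or from AWS; it validates a lock configuration, reports which mode it produces and when a Compliance-mode lock becomes permanent. The parameter names are the real API names; the vault name and day counts are illustrative, and the `boto3` call is only made by `apply_vault_lock`, which is never invoked offline.

```python
"""Added example (not from the re:Post thread): build and validate an AWS Backup
Vault Lock configuration and work out whether it is Governance or Compliance mode.
Vault name, day counts and the boto3 call are assumptions for illustration."""
from datetime import datetime, timedelta, timezone
from typing import Optional


def build_vault_lock_config(vault_name: str, min_retention_days: int,
                            max_retention_days: Optional[int] = None,
                            changeable_for_days: Optional[int] = None) -> dict:
    """Return kwargs for backup.put_backup_vault_lock_configuration().

    Omitting ChangeableForDays gives Governance mode (a principal allowed
    backup:DeleteBackupVaultLockConfiguration can still remove the lock).
    Setting it gives Compliance mode: once the cooling-off period ends the
    lock is permanent. AWS requires the cooling-off period to be at least 3 days.
    The positive-retention check is this helper's own sanity check.
    """
    if min_retention_days < 1:
        raise ValueError("MinRetentionDays must be positive")
    if max_retention_days is not None and max_retention_days < min_retention_days:
        raise ValueError("MaxRetentionDays must be >= MinRetentionDays")
    if changeable_for_days is not None and changeable_for_days < 3:
        raise ValueError("ChangeableForDays must be at least 3 (Compliance mode)")
    cfg = {"BackupVaultName": vault_name, "MinRetentionDays": min_retention_days}
    if max_retention_days is not None:
        cfg["MaxRetentionDays"] = max_retention_days
    if changeable_for_days is not None:
        cfg["ChangeableForDays"] = changeable_for_days
    return cfg


def lock_mode(cfg: dict) -> str:
    """Governance unless a cooling-off period was requested."""
    return "compliance" if "ChangeableForDays" in cfg else "governance"


def lock_date(cfg: dict, now: Optional[datetime] = None) -> Optional[datetime]:
    """When a Compliance-mode lock becomes immutable; None for Governance mode."""
    if "ChangeableForDays" not in cfg:
        return None
    now = now or datetime.now(timezone.utc)
    return now + timedelta(days=cfg["ChangeableForDays"])


def apply_vault_lock(cfg: dict):
    """Call the real API. boto3 is imported lazily so the rest runs offline;
    needs credentials and backup:PutBackupVaultLockConfiguration."""
    import boto3
    return boto3.client("backup").put_backup_vault_lock_configuration(**cfg)


if __name__ == "__main__":
    # Assumed vault name and retention window; 3-day cooling-off period.
    cfg = build_vault_lock_config("prod-backups", 30, 365, changeable_for_days=3)
    print(lock_mode(cfg), "mode; lock becomes permanent at", lock_date(cfg).isoformat())
```

Before calling `apply_vault_lock` with a `ChangeableForDays` value, note that after the printed lock date neither you nor AWS Support can remove the lock or shorten the retention window, so run the Governance-mode variant first while the retention settings are still being validated.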
Hi,
Backups are in essence immutable. But Backup Vault Lock wraps them in an additional layer of security to protect them further against ransomware or similar attacks.
It is very well explained in this additional blog post: https://aws.amazon.com/blogs/storage/protecting-data-with-aws-backup-vault-lock/
Best,
Didier
An important consideration on top of what others wrote: if you're using KMS encryption with customer-managed KMS keys for your source data, the backups for many resource types, particularly those backed by EBS volumes, use the same KMS key for the backups. If the KMS key is deleted, the backups are lost together with the source data, regardless of the backup recovery points themselves potentially remaining in the backup vault. They'll be useless without the KMS key.
Some resource types support encrypting the backups with different keys as part of creating the backup: https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html. For the resources that don't support it, you can configure the vault's contents to be replicated to another vault automatically: https://docs.aws.amazon.com/aws-backup/latest/devguide/recov-point-create-a-copy.html and in the process, to be re-encrypted under a different KMS key that you would secure separately. You could choose to place those KMS keys and even the AWS Backup vaults in a separate, dedicated backup account.
Of course, you can also choose to rely on IAM policies, KMS key policies, Service Control Policies (from your AWS Organizations org), or other authorisation mechanisms to protect the KMS keys, but whatever way it is done, it's essential that the keys used to encrypt the backup data keys survive independently of the AWS Backup recovery points for any of them to be possible to restore.
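The dependency this answer describes (a recovery point that still exists but is unrestorable because its KMS key is gone, or a key that lives in the same account as the data it protects) can be checked from the vault listing. The following is an added example, not code from the thread or from AWS: it audits recovery points for keys that are disabled, pending deletion or not found, and for keys that are outside a dedicated backup account. The `EncryptionKeyArn` field and the `KeyState` values are the real ones returned by `list_recovery_points_by_backup_vault` and `describe_key`; the account numbers, ARNs and vault name are constructed.

```python
"""Added example (not from the re:Post thread): audit a backup vault's recovery
points for KMS key dependencies. Sample data is constructed inline in the shape
of the AWS Backup and KMS API responses; accounts, ARNs and names are made up."""
from collections import defaultdict

# Constructed sample: production account 111111111111, dedicated backup
# account 222222222222. EncryptionKeyArn is the real recovery point field.
RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0aaa",
     "ResourceType": "EBS",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111111111111:key/11111111-aaaa-4000-8000-000000000001"},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:222222222222:recovery-point:rp-0bbb",
     "ResourceType": "RDS",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:222222222222:key/22222222-bbbb-4000-8000-000000000002"},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111111111111:recovery-point:rp-0ccc",
     "ResourceType": "DynamoDB",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111111111111:key/33333333-cccc-4000-8000-000000000003"},
]
# KeyState values as reported by kms.describe_key (constructed assignment).
KEY_STATES = {
    "arn:aws:kms:us-east-1:111111111111:key/11111111-aaaa-4000-8000-000000000001": "Enabled",
    "arn:aws:kms:us-east-1:222222222222:key/22222222-bbbb-4000-8000-000000000002": "Enabled",
    "arn:aws:kms:us-east-1:111111111111:key/33333333-cccc-4000-8000-000000000003": "PendingDeletion",
}


def account_of(arn: str) -> str:
    """ARN layout is arn:partition:service:region:account-id:resource."""
    return arn.split(":")[4]


def audit_recovery_points(points, key_states, backup_account):
    """Return finding name -> list of recovery point ARNs.

    key_unusable:        the key is not Enabled (disabled, pending deletion,
                         not found); the recovery point exists but cannot be restored.
    key_in_source_acct:  the key is outside the dedicated backup account, so
                         whoever can delete it there also destroys the backup.
    """
    findings = defaultdict(list)
    for rp in points:
        key = rp.get("EncryptionKeyArn")
        if not key:
            findings["unencrypted_or_unknown_key"].append(rp["RecoveryPointArn"])
            continue
        if key_states.get(key, "NotFound") != "Enabled":
            findings["key_unusable"].append(rp["RecoveryPointArn"])
        if account_of(key) != backup_account:
            findings["key_in_source_acct"].append(rp["RecoveryPointArn"])
    return dict(findings)


def fetch_live(vault_name: str, region: str):
    """Gather the same inputs from a real vault. Needs boto3, credentials and
    backup:ListRecoveryPointsByBackupVault plus kms:DescribeKey on each key."""
    import boto3
    backup = boto3.client("backup", region_name=region)
    kms = boto3.client("kms", region_name=region)
    points = []
    paginator = backup.get_paginator("list_recovery_points_by_backup_vault")
    for page in paginator.paginate(BackupVaultName=vault_name):
        points.extend(page["RecoveryPoints"])
    states = {}
    for rp in points:
        arn = rp.get("EncryptionKeyArn")
        if arn and arn not in states:
            try:
                states[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyState"]
            except kms.exceptions.NotFoundException:
                states[arn] = "NotFound"
    return points, states


if __name__ == "__main__":
    report = audit_recovery_points(RECOVERY_POINTS, KEY_STATES, "222222222222")
    for finding, arns in report.items():
        print(f"{finding}: {len(arns)} recovery point(s)")
        for arn in arns:
            print("   ", arn)
```

On the sample data the DynamoDB recovery point is flagged as unusable (its key is pending deletion) and both recovery points keyed in the production account are flagged as depending on a key outside the backup account; the RDS copy re-encrypted under the backup account's key passes. Run `audit_recovery_points(*fetch_live(vault, region), backup_account)` to apply the same checks to a real vault.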