
Immutability of AWS Backup


Are backups taken via AWS Backup immutable?

As per - https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-integrity.html#backup-integrity-audit “The content of each AWS Backup backup is immutable, meaning that no one can alter that content. AWS Backup further secures your backups in backup vaults, which separates them safely from their source instances”.

But also here - https://docs.aws.amazon.com/prescriptive-guidance/latest/security-best-practices/safeguard.html AWS Backup Vault Lock ensures immutability and adds an additional layer of defense that protects backups (recovery points) in your backup vaults.

So is it correct to say backups via AWS Backup are immutable (and Backup Vault Lock is additional security), or is it correct to say AWS Backups are by default not immutable and we can achieve it via Backup Vault Lock?

Thanks

3 Answers

Hello,

AWS Backups are inherently immutable in terms of their content, meaning the data within a backup cannot be altered once created. The problem here is that backup recovery points in the vault can be deleted if users have permissions to delete them.

AWS Backup Vault Lock adds an extra layer of security by preventing backups from being deleted or modified during the specified retention period, thereby further enhancing the immutability and protection of the backups.

With Vault Lock, you can apply Governance or Compliance mode. When Governance mode is selected, only authorized individuals can make modifications to a backup vault, and Compliance mode ensures that a vault is retained for the entire duration of the defined retention term. Once a vault in Compliance mode is locked, the lock cannot be altered because it is immutable. However, you can specify a grace period, or cooling-off period, before the vault locks and becomes immutable.

EXPERT
answered 5 months ago
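The Governance/Compliance distinction and the cooling-off period described above, as an added example that is not part of any answer here: a small Python helper that builds the parameters for `aws backup put-backup-vault-lock-configuration` and classifies a vault from the `Locked`/`LockDate` fields of a `DescribeBackupVault` result. The vault names, dates and responses are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def lock_parameters(vault_name, min_days, max_days, changeable_for_days=None):
    """Parameters for PutBackupVaultLockConfiguration.

    Omit changeable_for_days for Governance mode (authorised principals can
    still edit or remove the lock). Supply it (minimum 3) for Compliance
    mode: the lock stays editable for that many days, then becomes immutable.
    """
    if min_days < 1 or max_days < min_days:
        raise ValueError("need 1 <= min_days <= max_days")
    params = {"BackupVaultName": vault_name,
              "MinRetentionDays": min_days,
              "MaxRetentionDays": max_days}
    if changeable_for_days is not None:
        if changeable_for_days < 3:
            raise ValueError("Compliance mode needs a grace period of >= 3 days")
        params["ChangeableForDays"] = changeable_for_days
    return params


def vault_lock_state(vault, now=None):
    """Classify a DescribeBackupVault result by its lock fields.

    Locked false             -> unlocked (recovery points deletable by IAM)
    Locked, no LockDate      -> governance (lock itself still changeable)
    LockDate still in future -> compliance-cooling-off (grace period running)
    LockDate already passed  -> compliance-immutable
    """
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"
    return "compliance-immutable" if lock_date <= now else "compliance-cooling-off"


NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_VAULTS = {  # constructed responses, trimmed to the relevant fields
    "prod-unlocked": {"Locked": False},
    "prod-governance": {"Locked": True, "MinRetentionDays": 30},
    "prod-new-lock": {"Locked": True, "LockDate": NOW + timedelta(days=2)},
    "prod-locked": {"Locked": True, "LockDate": NOW - timedelta(days=10)},
}


def audit(vaults=SAMPLE_VAULTS, now=NOW):
    """Map each vault name to its lock state, e.g. for a periodic check."""
    return {name: vault_lock_state(v, now) for name, v in vaults.items()}


if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name}: {state}")
```

A vault in the "unlocked" or "governance" state still depends on IAM to keep recovery points from being deleted; only "compliance-immutable" removes that dependency for the retention window.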

Hi,

Backups are in essence immutable. But Backup Vault Lock wraps them in an additional layer of security to protect them further against ransomware or similar attacks.

It is very well explained in this additional blog post: https://aws.amazon.com/blogs/storage/protecting-data-with-aws-backup-vault-lock/

Best,

Didier

EXPERT
answered 5 months ago

An important consideration on top of what others wrote, if you're using KMS encryption with customer-managed KMS keys for your source data, the backups for many resource types, particularly those backed by EBS volumes, use the same KMS key for the backups. If the KMS key is deleted, the backups are lost together with the source data, regardless of the backup recovery points themselves potentially remaining in the backup vault. They'll be useless without the KMS key.

Some resource types support encrypting the backups with different keys as part of creating the backup: https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html. For the resources that don't support it, you can configure the vault's contents to be replicated to another vault automatically: https://docs.aws.amazon.com/aws-backup/latest/devguide/recov-point-create-a-copy.html and in the process, to be re-encrypted under a different KMS key that you would secure separately. You could choose to place those KMS keys and even the AWS Backup vaults in a separate, dedicated backup account.

Of course, you can also choose to rely on IAM policies, KMS key policies, Service Control Policies (from your AWS Organizations org), or other authorisation mechanisms to protect the KMS keys, but whatever way it is done, it's essential that the keys used to encrypt the backup data keys survive independently of the AWS Backup recovery points for any of them to be possible to restore.

EXPERT
answered 5 months ago
