How to store copies of AWS backups that are not accessible from AWS organisation root account

0

For historical reasons, I have an AWS organisation where AWS Backups are created for critical workloads in the organisation root account. I currently replicate these backups to another dedicated AWS account for backups (using AWS Backup copy function). I would like to protect these backup copies against a compromise of the organisation root account (e.g. if the root account is compromised, there should be no way for the attacker to delete both the original backup and the copy in the child account).

Is that even feasible?

  • My organisation has all features enabled, and it seems we can't go back and disable that once enabled.
  • I thus cannot delete the AWSServiceRoleForOrganizations role in the backup account, nor the AWSServiceRoleForSSO role, which in particular make it easy to gain access to the backup account through SSO.
  • I also tried removing my backup account from the organisation but the AWS Backup copy job no longer works in that case.

Any guidance would be greatly appreciated.

1 answer
0

One option is to use Glacier Vault Lock. It allows you to apply compliance policies on the backed up data: https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

AWS
Answered 1 year ago
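As an added illustration of the Glacier Vault Lock mechanism the answer refers to (example code written for this page, not part of the original answer or of any AWS sample), the block below builds a vault lock policy that denies glacier:DeleteArchive to every principal, the account root included, until an archive has reached a minimum age, checks the policy against a few archive ages with a small evaluator, and shows the two-step initiate/complete flow. The account ID, region and vault name are hypothetical placeholders; the lock_vault function needs real AWS credentials and is not exercised offline.

```python
"""Glacier Vault Lock: build a retention policy, check it, then apply it
with the two-step initiate/complete flow.

Added example, not from the original page. ACCOUNT_ID, REGION and
VAULT_NAME are placeholders.
"""
import json

# Hypothetical identifiers (placeholders, not taken from the original page).
ACCOUNT_ID = "123456789012"
REGION = "eu-west-1"
VAULT_NAME = "backup-copies"
VAULT_ARN = f"arn:aws:glacier:{REGION}:{ACCOUNT_ID}:vaults/{VAULT_NAME}"


def vault_lock_policy(vault_arn: str, min_retention_days: int) -> dict:
    """Deny DeleteArchive for every principal ("*", so the account root too)
    while an archive is younger than min_retention_days.
    glacier:ArchiveAgeInDays is the condition key Glacier evaluates for this."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "deny-delete-until-retention-met",
                "Principal": "*",
                "Effect": "Deny",
                "Action": "glacier:DeleteArchive",
                "Resource": [vault_arn],
                "Condition": {
                    "NumericLessThan": {
                        "glacier:ArchiveAgeInDays": str(min_retention_days)
                    }
                },
            }
        ],
    }


def delete_denied(policy: dict, vault_arn: str, archive_age_days: int) -> bool:
    """Minimal evaluator for the policy shape above: does any Deny statement
    on glacier:DeleteArchive match this vault and this archive age?
    Only the NumericLessThan / ArchiveAgeInDays condition is modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "glacier:DeleteArchive" not in actions and "glacier:*" not in actions:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if vault_arn not in resources and "*" not in resources:
            continue
        cond = stmt.get("Condition", {})
        if not cond:
            return True  # unconditional deny
        threshold = cond.get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if threshold is not None and archive_age_days < int(threshold):
            return True
    return False


def lock_vault(vault_name: str, policy: dict, region: str) -> str:
    """Two-step Vault Lock. After initiate_vault_lock the lock is 'InProgress'
    and can still be aborted for 24 hours; complete_vault_lock moves it to
    'Locked', after which the policy can no longer be changed or removed by
    anyone. Needs real AWS credentials; not run offline."""
    import boto3  # imported here so the policy helpers stay importable offline

    glacier = boto3.client("glacier", region_name=region)
    resp = glacier.initiate_vault_lock(
        accountId="-",  # "-" selects the account owning the credentials
        vaultName=vault_name,
        policy={"Policy": json.dumps(policy)},
    )
    lock_id = resp["lockId"]
    # Inspect get_vault_lock (State / Policy / ExpirationDate) before completing:
    # completion is irreversible.
    glacier.complete_vault_lock(accountId="-", vaultName=vault_name, lockId=lock_id)
    return glacier.get_vault_lock(accountId="-", vaultName=vault_name)["State"]


if __name__ == "__main__":
    policy = vault_lock_policy(VAULT_ARN, 365)
    print(json.dumps(policy, indent=2))
    print("delete at day 10 denied:", delete_denied(policy, VAULT_ARN, 10))
    print("delete at day 400 denied:", delete_denied(policy, VAULT_ARN, 400))
    # lock_vault(VAULT_NAME, policy, REGION)  # uncomment with real credentials
```

Note the ordering the two-step flow forces: the policy is attached at initiate time, reviewed while the lock is in progress, and only becomes immutable once complete_vault_lock succeeds; an archive younger than the retention threshold is then undeletable regardless of which principal, root included, issues the call.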
