AWS Backup is a fully managed data protection service that enables you to automate and centralise backups of data from multiple AWS services. AWS Backup supports cross-region and cross-account backups, incremental and continuous backups, and lifecycle management for some supported resources.
AWS Backup can be enabled for a number of AWS resources such as RDS, DynamoDB tables, S3 buckets, EBS, Redshift and CloudFormation - here is the list of supported services. The advantages of using AWS Backup beyond data protection include reduced operational overhead, centralised monitoring and simplified compliance monitoring.
Centralised, Cross-account Backup and Monitoring
You can set up AWS Backup in your workload account; however, backing up data cross-account improves resilience and reduces the blast radius if your account gets compromised.
In the presented pattern the resource being backed up resides in the production workload account, the backup policy is created and managed in the Organisation management account, and the actual backup vaults and backup plan with the backed-up data are created in a dedicated Backup account.
This way, if any of the workload accounts gets compromised, the backup plan continues as usual and all the recovery points remain secure in the Backup account. Additionally, you can implement IAM policies and SCPs (Service Control Policies) to prevent unauthorised deletion of backups, even by administrators in the workload accounts.
Key benefits of cross-account backup:
- Blast radius reduction - a compromised workload account cannot affect backups
- Separation of duties - different teams manage workloads and backups
- Centralised compliance - single pane of glass for audit
- Cost optimisation - centralised lifecycle policies and storage tiers (where applicable) -> see backup feature availability
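As an added example (not code from the article or from AWS), here is the kind of SCP the section above refers to: it denies the AWS Backup actions that delete or weaken backups to every principal except a dedicated backup-admin role, and a small evaluator lets you check the policy's effect offline. The role name, the account IDs and the evaluator's simplified IAM semantics are assumptions; the action names are real AWS Backup IAM actions.

```python
"""Added example (not AWS's or the article's code): an SCP that blocks destructive
AWS Backup actions in workload accounts unless the caller is a dedicated backup-admin
role, plus a small evaluator so the policy's effect can be checked offline.
The role name, account IDs and the evaluator's simplified IAM semantics are assumptions."""
import fnmatch
import json

# Hypothetical role allowed to manage vaults; every other principal is denied.
BACKUP_ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/BackupAdmin"

# Real AWS Backup IAM actions that delete or weaken backups and vault protection.
DESTRUCTIVE_BACKUP_ACTIONS = [
    "backup:DeleteBackupVault",
    "backup:DeleteRecoveryPoint",
    "backup:DeleteBackupPlan",
    "backup:DeleteBackupSelection",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultLockConfiguration",
]


def build_backup_protection_scp() -> dict:
    """SCP document: Deny the destructive actions unless aws:PrincipalArn is the backup-admin role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBackupDeletionExceptBackupAdmin",
                "Effect": "Deny",
                "Action": DESTRUCTIVE_BACKUP_ACTIONS,
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": BACKUP_ADMIN_ROLE_PATTERN}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM's * and ? wildcards behave like shell globbing for ARNs and action names.
    return fnmatch.fnmatchcase(value, pattern)


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement applies to (action, principal).

    SCPs only restrict, so the only question is whether an applicable Deny exists.
    Simplification: only ArnLike / ArnNotLike conditions on aws:PrincipalArn are modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        applies = True
        cond = stmt.get("Condition", {})
        for operator, must_match in (("ArnLike", True), ("ArnNotLike", False)):
            patterns = cond.get(operator, {}).get("aws:PrincipalArn")
            if patterns is None:
                continue
            matched = any(_matches(p, principal_arn) for p in _as_list(patterns))
            if matched != must_match:
                applies = False
        if applies:
            return True
    return False


if __name__ == "__main__":
    scp = build_backup_protection_scp()
    print(json.dumps(scp, indent=2))
    for who in ("arn:aws:iam::111122223333:role/WorkloadAdmin",
                "arn:aws:iam::111122223333:role/BackupAdmin"):
        verdict = "denied" if scp_denies(scp, "backup:DeleteRecoveryPoint", who) else "not denied by SCP"
        print(who, verdict)
```

Two caveats worth remembering when you attach this to the workload OU: an SCP never grants anything (the backup-admin role still needs its own IAM permissions), and SCPs do not apply to the management account itself, which is one reason the vault lock and logically air-gapped vault options below add a layer that account-level controls cannot.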
Vault Lock and Logically Air Gapped Vault
With the pattern above, the AWS Backup vault, policies and plan all stay within the AWS Organisation and the Backup account. In addition to storing backups in a separate account, we can add another layer of protection by creating a logically air-gapped vault or enabling Vault Lock.
Vault lock
Vault Lock is a feature available on any vault as additional security. There are two modes to choose from:
Governance mode - allows users with specific IAM permissions to remove the vault lock and modify retention settings.
Compliance mode - provides immutable backups where the vault cannot be deleted if any recovery points exist, and the retention period cannot be shortened even by the root user. Once the grace period expires (which is usually 72 hours), the lock becomes permanent and cannot be removed.
Using Vault Lock enforces the retention period set by the backup policy for the resource, protecting against ransomware and accidental deletion.
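To make the two modes concrete, here is an added example (not AWS's own code) that builds the parameters for the AWS Backup PutBackupVaultLockConfiguration call for governance versus compliance mode and models when a compliance lock can still be changed. Vault names and dates are made up, and the value checks are this example's own (AWS applies its own limits server-side); the parameter names and the 3-day minimum for ChangeableForDays are the real API's.

```python
"""Added example (not AWS's own code): build the parameters for AWS Backup's
PutBackupVaultLockConfiguration call for governance vs compliance mode, and model
when a compliance lock can still be changed. Vault names and dates are made up;
the value checks are this example's own, AWS applies its own limits server-side."""
from datetime import datetime, timedelta
from typing import Optional

MIN_COOLING_OFF_DAYS = 3  # AWS Backup rejects ChangeableForDays below 3 (the 72-hour grace period)


def vault_lock_config(vault_name: str, min_retention_days: int,
                      max_retention_days: Optional[int] = None, *,
                      compliance_mode: bool = False,
                      changeable_for_days: int = MIN_COOLING_OFF_DAYS) -> dict:
    """Return kwargs for boto3 backup.put_backup_vault_lock_configuration().

    Omitting ChangeableForDays gives governance mode (removable by IAM-authorised users);
    setting it gives compliance mode, immutable once the grace period has elapsed."""
    if min_retention_days < 1:
        raise ValueError("min_retention_days must be at least 1")
    if max_retention_days is not None and max_retention_days < min_retention_days:
        raise ValueError("max_retention_days must be >= min_retention_days")
    params = {"BackupVaultName": vault_name, "MinRetentionDays": min_retention_days}
    if max_retention_days is not None:
        params["MaxRetentionDays"] = max_retention_days
    if compliance_mode:
        if changeable_for_days < MIN_COOLING_OFF_DAYS:
            raise ValueError(f"ChangeableForDays must be >= {MIN_COOLING_OFF_DAYS}")
        params["ChangeableForDays"] = changeable_for_days
    return params


def lock_is_changeable(applied_at_iso: str, changeable_for_days: Optional[int], now_iso: str) -> bool:
    """Governance mode (no ChangeableForDays) stays changeable; compliance mode is
    changeable only until applied_at + ChangeableForDays, after which it is permanent."""
    if changeable_for_days is None:
        return True
    applied_at = datetime.fromisoformat(applied_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now < applied_at + timedelta(days=changeable_for_days)


def retention_allowed(lock_params: dict, requested_days: int) -> bool:
    """Would a rule or recovery point with this retention be accepted by the locked vault?"""
    if requested_days < lock_params["MinRetentionDays"]:
        return False
    max_days = lock_params.get("MaxRetentionDays")
    return max_days is None or requested_days <= max_days


if __name__ == "__main__":
    prod = vault_lock_config("central-vault", 35, 3650, compliance_mode=True)
    dev = vault_lock_config("dev-vault", 7)
    print("compliance mode:", prod)
    print("governance mode:", dev)
    print("lock still removable after 2 days:",
          lock_is_changeable("2024-01-01T00:00:00+00:00", prod["ChangeableForDays"],
                             "2024-01-03T00:00:00+00:00"))
```

The practical consequence of the compliance-mode branch: test the lock on a non-production vault first, because once the grace period passes the MinRetentionDays you chose cannot be lowered by anyone, including root.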
Logically Air Gapped (LAG)
A LAG vault offers an additional layer of protection and security compared to a standard AWS Backup vault. With a LAG vault:
- AWS-managed encryption - the KMS key used to encrypt backups is owned and managed by AWS, preventing key deletion and modification
- Compliance vault lock by default - automatically configured with compliance mode for immutable backups.
- Isolated from source account - backups are logically isolated, meaning they cannot be accessed or deleted from the source account
- RAM sharing for recovery - uses AWS Resource Access Manager (RAM) to share backups with specific accounts; this means you can set up backups to be shared for quick recovery, reducing RTO.
- Multi-party approval - optional integration requiring multiple authorised users (an approval team of at least 3 members) created in AWS Organisations to approve access to backups; access can be obtained this way even if the Backup or management account is compromised.
Use cases for a LAG vault vs a standard vault:
Use LAG Vault when:
- You need to meet strict compliance requirements
- Protecting critical production data or financial/sensitive records
- You need protection against sophisticated ransomware attacks
- You require immutable backups with multi-party approval
Use a standard vault when:
- You are backing up dev or test workloads
- You need flexibility to modify retention policies frequently
- Cost optimisation is a priority, as a LAG vault has a slightly higher cost
- Your compliance requirements don't mandate immutability
Backup Audit Manager and Notification
Backup Audit Manager
Backup Audit Manager is a compliance tool that allows you to audit existing backups against chosen controls and requirements:
- Monitoring - view compliant and non-compliant resources and prioritise remediation accordingly
- Auditing and compliance - create customised frameworks aligned with your compliance requirements and monitor whether existing backups meet internal policies
- Reporting - generate reports automatically or on demand, delivered to S3 for audit trails.
- Built-in controls - includes pre-configured controls for common requirements like backup frequency, retention periods, encryption and cross-region replication
Backup Notifications:
You can configure AWS Backup notifications via Amazon SNS for backup job events such as:
- Backup job started, completed or failed
- Restore job started, completed or failed
- Copy job completed (e.g. to another account)
- Recovery point lifecycle transitions
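As an added example (not the article's or AWS's code), here is the triage logic you would put behind those notifications, run over hand-constructed events. The events mimic the shape AWS Backup publishes to Amazon EventBridge (source `aws.backup`, detail-type "<kind> Job State Change", `detail.state`), which an EventBridge rule can forward to the SNS topic described above; job IDs, ARNs and status messages are made-up sample values.

```python
"""Added example (not the article's or AWS's code): detection logic for backup job
notifications, run over hand-constructed events. The events mimic the shape AWS Backup
publishes to Amazon EventBridge (source "aws.backup", detail-type "<kind> Job State Change",
detail.state); a rule can forward them to the SNS topic the article describes.
Job IDs, ARNs and messages are made-up sample values."""

FAILURE_STATES = {"FAILED", "ABORTED", "EXPIRED"}

# Constructed sample events: one healthy backup, one failed backup, one failed and one
# completed cross-region copy, and an unrelated S3 event that must be ignored.
SAMPLE_EVENTS = [
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "0000-job-1", "state": "COMPLETED", "resourceType": "RDS",
                "backupVaultName": "central-vault",
                "resourceArn": "arn:aws:rds:eu-central-1:111122223333:db:orders"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "0000-job-2", "state": "FAILED", "resourceType": "EBS",
                "backupVaultName": "central-vault",
                "resourceArn": "arn:aws:ec2:eu-central-1:111122223333:volume/vol-0abc",
                "statusMessage": "Volume is not in a valid state"}},
    {"source": "aws.backup", "detail-type": "Copy Job State Change",
     "detail": {"copyJobId": "0000-copy-1", "state": "FAILED", "resourceType": "RDS",
                "destinationBackupVaultArn": "arn:aws:backup:eu-west-1:222233334444:backup-vault:central-dr",
                "statusMessage": "Access denied to destination vault"}},
    {"source": "aws.backup", "detail-type": "Copy Job State Change",
     "detail": {"copyJobId": "0000-copy-2", "state": "COMPLETED", "resourceType": "RDS",
                "destinationBackupVaultArn": "arn:aws:backup:eu-west-1:222233334444:backup-vault:central-dr"}},
    {"source": "aws.s3", "detail-type": "Object Created", "detail": {"bucket": {"name": "reports"}}},
]


def triage_backup_events(events: list) -> list:
    """Return alert records for events worth a human's attention.

    Failed/aborted/expired backup, copy or restore jobs are high severity (a missed RPO
    or a broken cross-account copy); a completed copy job is recorded as info so the
    arrival of data in the Backup account can be audited."""
    alerts = []
    for event in events:
        if event.get("source") != "aws.backup":
            continue
        kind = event.get("detail-type", "")
        detail = event.get("detail", {})
        state = detail.get("state")
        target = detail.get("resourceArn") or detail.get("destinationBackupVaultArn")
        if state in FAILURE_STATES:
            alerts.append({"severity": "high", "job": kind, "state": state,
                           "target": target, "message": detail.get("statusMessage", "")})
        elif kind == "Copy Job State Change" and state == "COMPLETED":
            alerts.append({"severity": "info", "job": kind, "state": state,
                           "target": target, "message": "copy landed in destination vault"})
    return alerts


if __name__ == "__main__":
    for alert in triage_backup_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['job']} {alert['state']} {alert['target']} {alert['message']}")
```

The useful detail here is that a failed copy job is treated as seriously as a failed backup: if the cross-account copy silently stops, the Backup account holds stale recovery points while the workload account's own backups look healthy.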
Best Practices for AWS Backup:
- Utilise tags - leverage AWS tags to include/exclude resources that need to be backed up.
- Implement lifecycle policies - where possible (not all resources support cold storage), utilise cold storage to reduce cost.
- Enable cross-account and cross-region copy - to protect against regional failure, copy backups to another region at least periodically
- Use Vault Lock - either in compliance or in governance mode
- Monitor - set up notifications for failed backup and copy jobs
- Document recovery procedures - create and maintain runbooks for different disaster recovery scenarios.
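The built-in controls listed under Backup Audit Manager (backup frequency, retention, cross-region replication) and the lifecycle and copy items in this best-practice list can be checked offline against a backup plan document before it is deployed. The following is an added example (not AWS's or the article's code) that does that over plan dictionaries in the same shape as the BackupPlan object the AWS Backup API returns; the plan contents, ARNs and thresholds are made-up sample values, and the schedule-interval estimate is a deliberately conservative approximation rather than a full cron parser.

```python
"""Added example (not AWS's or the article's code): offline checks over AWS Backup plan
documents (same shape as the BackupPlan object returned by the AWS Backup API) for the
kind of controls Backup Audit Manager and the best-practice list describe.
Plan contents, ARNs and thresholds are made-up sample values."""
import re


def schedule_interval_hours(schedule: str) -> float:
    """Approximate the longest gap between runs for an AWS Backup schedule expression.
    Handles rate(N unit) and common cron(...) shapes; anything else is treated as unknown (inf)."""
    m = re.fullmatch(r"rate\((\d+) (minute|minutes|hour|hours|day|days)\)", schedule.strip())
    if m:
        n, unit = int(m.group(1)), m.group(2).rstrip("s")
        return n * {"minute": 1 / 60, "hour": 1, "day": 24}[unit]
    m = re.fullmatch(r"cron\((.+)\)", schedule.strip())
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            return float("inf")
        _minute, hour, dom, month, dow, _year = fields
        if month != "*":
            return 24 * 365            # restricted to specific months: treat as yearly
        if dom not in ("*", "?") or dow not in ("*", "?"):
            return 24 * 7              # specific days of month/week: weekly at best
        if hour.startswith("*/"):      # e.g. */6 -> every 6 hours
            return int(hour[2:])
        return 24 if hour != "*" else 1
    return float("inf")


def vault_region(vault_arn: str) -> str:
    # arn:partition:service:region:account:resource -> region is the 4th field
    return vault_arn.split(":")[3]


def evaluate_backup_plan(plan: dict, plan_region: str, *, min_retention_days: int = 35,
                         max_backup_interval_hours: int = 24, require_cross_region: bool = True) -> list:
    """Return (code, subject, detail) findings; an empty list means the plan passes every check."""
    findings = []
    plan_name = plan.get("BackupPlanName", "?")
    rules = plan.get("Rules", [])
    if not rules:
        findings.append(("NO_RULES", plan_name, "plan has no backup rules"))
    for rule in rules:
        name = rule.get("RuleName", "?")
        lifecycle = rule.get("Lifecycle", {})
        delete_after = lifecycle.get("DeleteAfterDays")       # None = keep indefinitely
        cold_after = lifecycle.get("MoveToColdStorageAfterDays")
        if delete_after is not None and delete_after < min_retention_days:
            findings.append(("RETENTION_TOO_SHORT", name,
                             f"DeleteAfterDays={delete_after} < {min_retention_days}"))
        if cold_after is not None and delete_after is not None and delete_after - cold_after < 90:
            findings.append(("COLD_STORAGE_MIN_90", name,
                             "AWS requires at least 90 days in cold storage before deletion"))
        schedule = rule.get("ScheduleExpression", "")
        if schedule_interval_hours(schedule) > max_backup_interval_hours:
            findings.append(("BACKUP_TOO_INFREQUENT", name,
                             f"schedule {schedule!r} exceeds {max_backup_interval_hours}h"))
        if cold_after is None and (delete_after is None or delete_after > 90):
            findings.append(("NO_COLD_STORAGE", name,
                             "long-retention rule keeps every recovery point in warm storage"))
    if require_cross_region:
        destinations = {vault_region(copy["DestinationBackupVaultArn"])
                        for rule in rules for copy in rule.get("CopyActions", [])}
        if not any(region != plan_region for region in destinations):
            findings.append(("NO_CROSS_REGION_COPY", plan_name, "no copy action targets another region"))
    return findings


# Constructed sample plans: one that follows the practices above and one that does not.
GOOD_PLAN = {
    "BackupPlanName": "prod-daily",
    "Rules": [{
        "RuleName": "daily",
        "TargetBackupVaultName": "central-vault",
        "ScheduleExpression": "cron(0 5 ? * * *)",
        "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 365},
        "CopyActions": [{
            "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:222233334444:backup-vault:central-dr",
            "Lifecycle": {"DeleteAfterDays": 365},
        }],
    }],
}
WEAK_PLAN = {
    "BackupPlanName": "dev-weekly",
    "Rules": [{
        "RuleName": "weekly",
        "TargetBackupVaultName": "Default",
        "ScheduleExpression": "cron(0 5 ? * MON *)",
        "Lifecycle": {"DeleteAfterDays": 7},
        "CopyActions": [],
    }],
}

if __name__ == "__main__":
    for plan in (GOOD_PLAN, WEAK_PLAN):
        print(plan["BackupPlanName"], evaluate_backup_plan(plan, "eu-central-1") or "compliant")
```

The 90-day cold storage rule is a real AWS Backup constraint (a recovery point must spend at least 90 days in cold storage before it can be deleted); the 35-day minimum retention and the daily frequency threshold are sample values you would set from your own policy. Encryption and vault-lock state cannot be read from the plan document, so those controls remain Audit Manager's job.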