AWS Storage Blog
Automate visibility of backup findings using AWS Backup and AWS Security Hub
Centralizing and automating data protection helps you support your business continuity and regulatory compliance goals. Backup compliance includes the ability to define and enforce backup policies to encrypt your backups, protect them from manual deletion, prevent changes to your backup lifecycle settings, and audit and report on backup activity from a centralized console.
A common ask from customers to enhance their cloud security posture in AWS is to aggregate, organize and prioritizes security alerts (also called findings) across multiple AWS services and partner solutions while performing continuous compliance checks and identifying risks associated with their AWS workloads.
AWS Backup Audit Manager, a feature within the AWS Backup service, allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs. AWS Backup Audit Manager provides built-in compliance controls that perform continuous compliance checks while allowing you to customize those controls to define your own data protection policies. It is designed to automatically detect violations of your defined data protection policies and prompt you to take corrective actions. You can also generate audit reports that can help you demonstrate compliance with regulatory requirements.
AWS Security Hub is designed to give you a comprehensive view of your security posture across your AWS accounts. With Security Hub, you have a single service that aggregates, organizes, and prioritizes your security alerts or findings from multiple AWS services.
In this blog post, I implement a solution that integrates Backup Audit Manager with Security Hub. The solution is deployed with 1-click automation using AWS CloudFormation. On deployment, the solution enables visibility, triaging, and security posture management in Security Hub based on Backup Audit Manager defined data protection policies in AWS. Once your Backup Audit Manager finding is visible in Security Hub, then Security Hub can provide that comprehensive view of your security alerts and security posture for backup related findings in conjunction with findings from other AWS services. You can then also use Security Hub to create insights or remediate these findings thus accelerating your mean time to resolution and enhancing compliance.
- Ensure that you enable resource tracking for AWS Backup Audit Manager. Doing so allows AWS Config to track your AWS Backup resources.
- You must have Security Hub enabled in the AWS Region where you deploy this solution. Follow the steps documented here to enable AWS Security Hub in your AWS account or in your AWS Organization.
Backup Audit Manager provides built-in customizable controls that you can use to audit the compliance of your data protection policies such as backup frequency or backup retention period. This table provides the full list of Backup Audit Manager controls, their customizable parameters and associated AWS Config recording resource types.
A Backup Audit Manager framework is a collection of controls. You can create custom frameworks where you can select the controls that you want to add to your framework, along with control parameters and scope.
The solution in this blog post leverages the recently announced support for CloudFormation in Backup Audit Manager that enables automated provisioning of these frameworks. It provisions an AWS Backup Audit Manager framework with five default controls.
As shown in the architecture in Figure 1, the solution provisions an Amazon CloudWatch Events (EventBridge) rule. This rule gets triggered whenever there’s a change in the compliance status of a Backup Audit Manager control. The target for the CloudWatch Events (EventBridge) Rule is an AWS Lambda function that then translates the AWS Config evaluation into an AWS Security Finding Format for Security Hub.
Figure 1: Automate visibility of backup findings using AWS Backup and AWS Security Hub
You can download the solution from here. AWS CloudFormation fully automates the setup for this solution in 1 step.
Navigate to the CloudFormation console in your AWS account and launch the aws-backupauditmanager-securityhub.yaml template. The template takes no parameters.
The following components are provisioned by this template:
- AWS Backup Audit Manager framework with five default controls.
- Amazon CloudWatch Events (EventBridge) rule:
- The CloudWatch Events rule is triggered based on a compliance status change of a backup control.
- AWS Lambda as a target for the CloudWatch Events rule:
- Obtains event details from the AWS Config recording resource type.
- Converts event to a finding in Security Hub via ASFF.
Note that you can also configure finding aggregation in Security Hub that will send findings from your current account in which you are deploying this solution and aggregate them into an administrator account in the Region. You can follow these steps to configure finding aggregation in Security Hub for standalone accounts and administrator accounts.
Our solution has now deployed a framework with these five Backup controls in your AWS environment. You can edit the CloudFormation template and add additional frameworks to the template.
Let’s test our solution by triggering a sample finding. We will launch an Amazon Aurora MySQL cluster that is not protected by a backup plan and validate that a backup compliance related finding is created for this instance in Security Hub. This tests the evaluation of the BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN control from our solution that checks if AWS resources are protected by a backup plan. This control is associated with the AWS Backup: backup selection AWS Config recording resource type.
- Log in to the Amazon RDS console of your AWS account and follow the steps here to launch an Amazon Aurora MySQL cluster. In the Choose a database creation method option choose Easy create and accept all default settings.
- Navigate to the AWS Backup console, select Backup plans from the left panel. Verify that there are no existing backup plans already configured in your account for your newly provisioned Aurora database by clicking on Resource assignments for each configured backup plan.
- After a few minutes, navigate to the AWS Config console and you should see an AWS Config rule with a prefix “AURORA-RESOURCES_PROTECTED_BY_BACKUP_PLAN-“– that has been provisioned in your environment. Click on the rule and scroll down to Resources in scope and select Noncompliant from the toggle bar. You will see your Aurora database listed there.
The following figure shows the noncompliant evaluation based on this Backup Audit Manager generated AWS Config rule for your Aurora database cluster.
Figure 2: AWS Config rule evaluates Backup control
The AWS Config recording resource type associated with the Backup control has recorded your Aurora database cluster’s backup configuration and then evaluated it as non-compliant based on the rule in the backup control.
- Navigate to the Security Hub console. As shown in Figure 3, you should now see a finding that corresponds to this backup control noncompliance. Now, that the finding is visible in Security Hub, you can create custom insights to for searching, correlating, and aggregating related findings in Security Hub. You can also remediate them, or send them to ticketing systems with Security Hub’s integration with EventBridge.
Figure 3: Backup related finding gets generated in Security Hub
To clean up your account after deploying the solution outlined in this blog post simply delete the CloudFormation stack for aws-backupauditmanager-securityhub.yaml template.
In this blog post, I have demonstrated a cloud native solution in AWS that integrates Backup Audit Manager with Security Hub. The solution provisions back up related data protection controls based on Backup Audit Manager’s support for CloudFormation and records changes in the compliance status of these backup controls as findings in Security Hub. With this solution, you now have a single place where you can aggregate, organize, and prioritize your findings from Backup Audit Manager along with other AWS services and partner solutions. You can also now create custom insights as well as custom remediation actions for these findings. With these capabilities, you can simplify data protection management and help ensure business continuity and regulatory compliance, keeping your business safe and operational.
Thanks for reading this blog post! If you have any comments or questions, don’t hesitate to leave them in the comments section. To learn more about AWS Backup Audit Manager, read our documentation.