AWS Storage Blog

Data preservation with AWS Backup legal holds

Customers globally, especially in regulated industries, require centralized protection and demonstrable compliance for their application data. Auditors often require customers such as broker-dealers, securities exchanges, and stock brokerage firms to prove compliance with SEC, FINRA, and CFTC requirements by providing an assessment report from an industry-recognized entity, with the additional disclosure that they have the capability to retain backups beyond standard retention policies for legal hold purposes.

Today, we are excited to announce that AWS Backup now offers the ability to create legal holds on data to address regulatory data preservation needs. With a legal hold, customers can suspend the normal disposition of data backups regardless of the expiration date set in the backup lifecycle policy. These holds offer customers immutable data storage, retention, and preservation until the holds are released. With this new feature, customers can use AWS Backup legal holds to help them fulfill data retention responsibilities in highly regulated industries.

Enterprises use AWS Backup to centralize and automate data protection and retention across AWS resources in the cloud and on premises. With capabilities such as AWS Backup Audit Manager and AWS Backup Vault Lock, customers are able to configure, manage, and govern backup activity across AWS Regions and accounts. AWS Backup helps customers implement safeguards that ensure they are storing their backups as immutable copies using a Write-Once-Read-Many (WORM) model. Legal holds are an extension of AWS Backup Vault Lock that enhances customers’ ability to protect backups from accidental or unauthorized deletion or alteration. Intentional deletion occurs as part of the backup lifecycle when the recovery point reaches its scheduled expiration date as defined in the backup policy. A legal hold, if applied, prevents this deletion.

In this blog, we demonstrate how enterprises can apply legal hold on recovery points.

Legal holds

Let’s review this in more detail: a legal hold adds a persistent hold (lock) on a backup, also known as a recovery point. Unlike AWS Backup Vault Lock, a legal hold is applied at the recovery point level, so recovery points must already exist before you can apply one. If you do not have recovery points created yet, or are new to AWS Backup, please refer to Getting Started with AWS Backup. Additionally, a legal hold remains active until an authorized user explicitly removes it.

With legal holds applied on a recovery point:

  • Deletion of the recovery point through the console, command-line interface (CLI), or API is blocked.
  • Lifecycle transitions to cold storage proceed as expected, but the transition to deletion is blocked.
  • Alteration or modification of the recovery point has no effect while it is under legal hold, until the hold is released.
  • The option to disassociate the recovery point from AWS Backup and hand control back to the source service (such as Amazon RDS) is blocked, since that would mean losing control over deletion.

Prerequisites

Before you start trying this out, you will need the following prerequisites:

  1. Backup vaults that already exist, with at least 1 recovery point against which you can apply the legal hold.
  2. IAM permissions
    • For common read operations such as get and list
      • backup:GetLegalHold
      • backup:ListLegalHolds
      • backup:ListRecoveryPointsByLegalHold
    • To create a legal hold
      • backup:CreateLegalHold
    • To clean up and release the legal hold
      • backup:CancelLegalHold

Creating a legal hold

  1. Log in to the AWS Console, search for AWS Backup, and select AWS Backup from the drop-down menu as shown in Figure 1.


Figure 1: AWS console search screen looking for AWS Backup service

  2. Once the AWS Backup screen loads, select the Legal holds button on the left panel as shown in Figure 2.


Figure 2: AWS Backup Screen showing Legal holds Button

  3. Afterward, the Legal holds page loads as shown in Figure 3. Now select the Add legal hold button.


Figure 3: AWS Backup Screen showing Add legal hold

  4. This loads the Add legal hold page as shown in Figure 4, allowing you to configure the recovery points in scope and filter your recovery points by specifying a date range (dates are inclusive). You can select the recovery points to which the hold will apply by specific resource type or by selecting backup vaults in your account. Additionally, each legal hold can have one or more tags added for easy reference. To add a tag, enter a key, enter a corresponding value, then click Add new tag. Once you have entered these details, select the Add legal hold button as shown in Figure 4 to create the legal hold. If there are a large number of recovery points, legal hold creation can take time, and the hold will remain in the CREATING state for a while. Note that delete protection applies only once the legal hold is in the ACTIVE state. During the CREATING and CANCELLING states, deletes may still go through because the recovery points are processed sequentially.


Figure 4: Add legal hold page

  5. Once the legal hold is created, you will see the created legal hold and the recovery points in scope for the hold as shown in Figure 5.


Figure 5: Legal hold created for Amazon DynamoDB resource

  6. You can view the list of legal holds that are in the Active or Released state on the Legal holds page, as shown in Figure 6.


Figure 6: Existing legal holds in the account and Region

  7. Now, you can go to the Backup vaults section and try deleting the recovery point. You will get an error message as shown in Figure 7.


Figure 7: Legal hold preventing the deletion of a recovery point
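The same walkthrough (steps 4 to 7, plus the release described under Cleaning up) can be driven through the AWS Backup API, which is where the caveat about the CREATING state matters most: a script that deletes right after CreateLegalHold returns may not be protected yet. The following boto3 script is an added example, not code from the post or from AWS; the vault name, date range, tag and hold title are constructed sample values, and the helpers are written so they can be exercised with a fake client.

```python
import time, uuid
from datetime import datetime, timezone

def build_legal_hold_request(title, description, vault_names, from_date, to_date, tags):
    """CreateLegalHold input: recovery points in the given vaults created within the inclusive date range."""
    if from_date > to_date:
        raise ValueError("FromDate must not be after ToDate")
    return {"Title": title, "Description": description, "IdempotencyToken": str(uuid.uuid4()),
            "RecoveryPointSelection": {"VaultNames": list(vault_names),
                                       "DateRange": {"FromDate": from_date, "ToDate": to_date}},
            "Tags": dict(tags)}

def wait_until_active(backup, hold_id, timeout_s=600, poll_s=10):
    """Poll GetLegalHold until ACTIVE: the post notes deletes may still succeed while CREATING/CANCELING."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status = backup.get_legal_hold(LegalHoldId=hold_id)["Status"]
        if status == "ACTIVE":
            return status
        if status not in ("CREATING", "CANCELING"):
            raise RuntimeError(f"legal hold ended in state {status}")
        time.sleep(poll_s)
    raise TimeoutError("legal hold did not become ACTIVE in time")

def held_recovery_points(backup, hold_id):
    """(vault, recovery point ARN) pairs covered by the hold, following NextToken pagination."""
    pairs, kwargs = [], {"LegalHoldId": hold_id}
    while True:
        page = backup.list_recovery_points_by_legal_hold(**kwargs)
        pairs += [(rp["BackupVaultName"], rp["RecoveryPointArn"]) for rp in page.get("RecoveryPoints", [])]
        if not page.get("NextToken"):
            return pairs
        kwargs["NextToken"] = page["NextToken"]

if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be used (and tested) without AWS credentials
    from botocore.exceptions import ClientError
    backup = boto3.client("backup")
    req = build_legal_hold_request("case-2023", "constructed sample hold", ["Default"],  # sample values
                                   datetime(2023, 1, 1, tzinfo=timezone.utc),
                                   datetime(2023, 12, 31, tzinfo=timezone.utc), {"case": "sample"})
    hold_id = backup.create_legal_hold(**req)["LegalHoldId"]
    print("hold", hold_id, "is", wait_until_active(backup, hold_id))
    for vault, arn in held_recovery_points(backup, hold_id)[:1]:
        try:  # step 7 of the post: the delete is rejected while the hold is ACTIVE
            backup.delete_recovery_point(BackupVaultName=vault, RecoveryPointArn=arn)
        except ClientError as err:
            print("delete blocked:", err.response["Error"]["Code"])
    backup.cancel_legal_hold(LegalHoldId=hold_id, CancelDescription="test finished")  # release it (Cleaning up)
```

The delete attempt is only issued after the hold has been observed ACTIVE, which is the ordering the console walkthrough relies on implicitly.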

Cleaning up

If you created a legal hold for testing purposes to assess your environment, please remember to release the legal hold to avoid indefinite retention of recovery points.

Conclusion

In this blog post, we’ve shown you how to create a legal hold in AWS Backup, helping you with data preservation requirements across protected resources. For highly regulated industries, this means that you can now preserve your data until the hold is released. We hope you’ve enjoyed this brief walkthrough of the newest feature available in AWS Backup. For more information about AWS Backup and legal holds, refer to the AWS Backup documentation.

Thanks for reading this blog post! If you have any questions or feedback about this post, leave a comment in the comments section.

Sushmitha Srinivasa Murthy


Sushmitha Srinivasa Murthy is a Senior Solutions Architect with AWS. She is a builder at heart, with a passion for Cloud Governance and Security. She has over a decade of experience building secure, scalable, and resilient workloads in the highly regulated financial sector.