Enhance the security posture of your backups with AWS Backup Vault Lock

When dealing with backups, data managers frequently ask, “how do I prevent my backups from being accidentally or maliciously deleted?” or “what can I do to enhance protection against ransomware?” In highly regulated industries, WORM* (write-once-read-many) compliance is required for backups and archives. WORM compliance means immutability and an immutable backup helps in the recovery from accidental and malicious actions by ensuring that you have a backup copy to recover from no matter what. It is the last line of defense when protecting yourself from malicious action.

AWS Backup is a fully managed service that allows customers to centralize and automate data protection of AWS services across compute, storage, and database. Together with AWS Organizations, AWS Backup enables you to deploy data protection (backup) policies centrally. You can configure, manage, and govern backup activity across AWS Regions and accounts.

On October 8, 2021, AWS Backup announced the availability of AWS Backup Vault Lock. This new AWS Backup feature enhances customers’ ability to protect backups from inadvertent or malicious actions. Customers can use AWS Backup Vault Lock to prevent any user from deleting their backups or making changes to their backup lifecycle settings. AWS Backup Vault Lock improves your security postures and ensures a mechanism for restore, even in a worst-case scenario like total account compromise.

In this blog, I demonstrate how to use AWS Backup Vault Lock to make backup vaults WORM compliant. I also show how you can protect your backups from accidental or malicious deletion by any user or role including “Root.” To begin, I create a new backup vault, then enable Backup Vault Lock on it. Then, I take a backup and then try to delete it. When I am done, I clean up my resources.

Before starting, ensure that you are running the latest version of the AWS CLI. If you need to upgrade, please follow these steps from the AWS CLI documentation page. From your CloudShell CLI, run the following commands.

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

unzip awscliv2.zip

sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update

Using AWS Backup Vault Lock

First, log in to the AWS Management Console. Using the search bar at the top of the console, type ‘AWS Backup’ to find the AWS Backup console. Next, select the AWS Backup console search result in order to navigate to the AWS Backup console.

Now that you are in the AWS Backup console, you create a backup vault to protect your resources. Under the My account section, select Backup Vaults. Then, select Create Backup vault.

Provide a Backup vault name and Encryption key. Then select Create Backup vault.

When your backup vault is successfully created, you will see the following notification.

Once your backup vault is created, you will be in the vault details page. From here, you can initiate an on-demand backup. Select Create on-demand backup.

In this instance, you are protecting an Amazon Relational Database Service (Amazon RDS) instance “database-2.” You also create an on-demand backup with 2 days of retention and store this backup with your newly created backup vault “WORM_vault.” When the backup completes, you go back into the backup vault and modify the retention time from 2 days to 1 day.

At this point, you have not yet enabled Backup Vault Lock. This backup can still have its retention modified or the backup can be deleted from the backup vault. To change the retention period of this backup from 2 days to 1 day, select the recovery point from the Backups section of the Vault.

After selecting Edit, you will be in the recovery point detail page. Select Edit in the Backup summary section.

Next, you will edit the lifecycle of the backup and change its retention from 2 days to 1 day and select Save.

Success!

At this point, you have demonstrated that a backup’s retention can be modified with the correct IAM permissions.

Next, you are going to secure this backup vault with Backup Vault Lock to prevent manual modification of the backups in the backup vault.

From your AWS Management Console, open the CloudShell CLI.

From the CLI shell, you describe the backup vault. You will see that the backup vault Locked status is set to False.

[cloudshell-user@ip-ww-x-yyy-zz ~]$ aws backup describe-backup-vault --backup-vault-name WORM_vault

{

"BackupVaultName": "WORM_vault",

"BackupVaultArn": "arn:aws:backup:us-east-1:1234567890:backup-vault:WORM_vault",

"EncryptionKeyArn": "arn:aws:kms:us-east-1: 1234567890:key/1234567890-4567-7654-0101-0987654321",

"CreationDate": "2021-09-28T04:33:15.518000+00:00",

"CreatorRequestId": "4567-7654-0101-0987654321",

"NumberOfRecoveryPoints": 2,

"Locked": false

}

To enable Backup Vault Lock, use the following CLI command with parameters.

[cloudshell-user@ip-ww-x-yyy-zz ~]$ aws backup put-backup-vault-lock-configuration --backup-vault-name WORM_vault --changeable-for-days 3 --min-retention-days 7 --max-retention-days 30

This enables Backup Vault Lock. You will have 3 days to modify these settings and set min/max retention periods as guard rails. This functionality protects against users accidentally sending 100-year backups to your backup vault.

Next, when you run the describe-backup-vault command, it shows that the backup vault is now locked.

[cloudshell-user@ip-ww-x-yyy-zz ~]$ aws backup describe-backup-vault --backup-vault-name WORM_vault

{

"BackupVaultName": "WORM_vault",

"BackupVaultArn": "arn:aws:backup:us-east-1:1234567890:backup-vault:WORM_vault",

"EncryptionKeyArn": "arn:aws:kms:us-east-1: 1234567890:key/1234567890-4567-7654-0101-0987654321",

"CreationDate": "2021-09-28T04:33:15.518000+00:00",

"CreatorRequestId": "4567-7654-0101-0987654321",

"NumberOfRecoveryPoints": 2,

"Locked": true,

"MinRetentionDays": 7,

"MaxRetentionDays": 30,

"LockDate": "2021-09-28T10:12:38.089000-07:00"

}

Next, return to the backup vault and select your backup that you will attempt to delete.

To delete this backup, select the recovery point from the Backups section of the vault. Then, select the Actions menu and select Delete.

You will see the following warning message. Select Delete.

The backup cannot be deleted and gives the following error.

Test the min/max retention settings by creating a new backup with 35 days of retention. Note that you set your min retention to 7 days and your max retention to 30 days. Select Create on-demand backup.

The backup job cannot be created and fails with the following error.

Only backups with the correct range of retention min 7 days and max 30 days can be stored in this backup vault. This ensures that no one can accidentally send a backup with an unusually long retention period, like 100 years, to this backup vault. Otherwise, that backup would not be deleted until its retention expired.

Backup Vault Lock also protects any modifications to lifecycle of a backup. In this case, I use an Amazon Elastic File System (Amazon EFS) backup and try to modify its lifecycle to cold settings.

When I select Save, I receive the following error.

I demonstrated how to enable AWS Backup Vault Lock on your backup vaults. I reviewed how to validate that backups protected by this feature are truly immutable and cannot be deleted. I also established how backups cannot have their retention or storage lifecycle modified when protected by this new capability.

Cleaning up

To clean up after this demonstration to avoid unintended charges, I remove the backup vault lock setting from the backup vault. I complete this action since I set a 3-day grace period when I created the vault using the flag changeable-for-days 3.

Return to the CloudShell CLI.

To turn off Vault Lock, use the following CLI command with parameters.

[cloudshell-user@ip-ww-x-yyy-zz ~]$ aws backup delete-backup-vault-lock-configuration --backup-vault-name WORM_vault

To validate the configuration re-run:

[cloudshell-user@ip-ww-x-yyy-zz ~]$ aws backup describe-backup-vault --backup-vault-name WORM_vault

{

"BackupVaultName": "WORM_vault",

"BackupVaultArn": "arn:aws:backup:us-east-1:1234567890:backup-vault:WORM_vault",

"EncryptionKeyArn": "arn:aws:kms:us-east-1: 1234567890:key/1234567890-4567-7654-0101-0987654321",

"CreationDate": "2021-09-28T04:33:15.518000+00:00",

"CreatorRequestId": "4567-7654-0101-0987654321",

"NumberOfRecoveryPoints": 2,

"Locked": false

}

I have now disabled Backup Vault Lock within the grace period. After disabling it, you can delete the backups in the backup vault. Once all backups have been removed, you can delete the backup vault ‘WORM_vault’ to complete cleaning up.

Conclusion

In this blog, I reviewed the new AWS Backup Vault Lock feature. I walked through how to configure Backup Vault Lock and how to use it to secure your backups from accidental or malicious action. I demonstrated how to enable this feature from the CloudShell CLI and how to set parameters to create guardrails for authorized retention periods. I also reviewed how to enable a grace period for testing the feature before the vault is locked.

AWS Backup Vault Lock implements safeguards that store your backups using the WORM model, which ensures immutability and a backup to recover from accidents or malicious actions. AWS Backup customers can protect their AWS services using these new capabilities and the same backup policies that you have already configured.

Thank you for reading this blog post on putting AWS Backup Vault Lock into practice. If you have any questions or comments, leave a comment in the comments section.

* The feature has not yet been assessed for compliance with the Securities and Exchange Commission (SEC) rule 17a-4(f) and the Commodity Futures Trading Commission (CFTC) in regulation 17 C.F.R. 1.31(b)-(c).