AWS Storage Blog

Protecting data with AWS Backup Vault Lock

With ransomware a top concern for customers, backups are essential to data recovery and business continuity. Customers want a simple method, preferably in the console, for enabling immutability on the backup vaults that hold their encrypted data copies. Applying the write-once, read-many (WORM) model to backup data makes it immutable, so it can be used to recover from accidental or malicious deletions.

AWS Backup Vault Lock applies the WORM model to backups and has provided immutability for backup data through retention policies configured with the AWS Backup API. Now, AWS Backup Vault Lock can also be configured in the console, providing a user-friendly interface for enabling immutability.

In this post, I use the AWS Backup console to configure immutable backups by applying AWS Backup Vault Lock on an existing backup vault. Afterward, I remove the vault lock to prevent any unintentional backup retention.

AWS Backup Vault Lock basics

AWS Backup Vault Lock is an optional backup vault feature that adds security and control over your backup vaults. It lets you apply either governance mode or compliance mode to a vault, enforcing the vault's retention policy with a level of rigidity matched to your data retention requirements (Figure 1).

AWS Backup Vault Lock diagram

Figure 1: AWS Backup Vault Lock diagram

AWS Backup Vault Lock is a valuable tool for protecting your backup assets and making sure that a backup vault meets strict governance requirements. Under the AWS Shared Responsibility Model, you must classify your backups and determine the retention policy appropriate to each. Once a vault is locked in compliance mode, the recovery points in that vault cannot be deleted before their retention period expires, and no one, including the customer and AWS, can change the locked retention settings.

Governance or Compliance mode

Governance mode restricts management of the vault lock to the principals allowed by your AWS Identity and Access Management (IAM) policies. With a governance-mode lock in place, only principals granted the vault lock permissions can modify or remove the lock; everyone else is held to the retention rules it enforces.

Compliance mode is designed to retain recovery points for the duration of the defined retention term. Once a compliance-mode lock has taken effect, it cannot be changed or removed, because it is immutable. You can, however, define a grace period, also known as a cooling-off period, between creating the lock and the moment the vault locks and becomes immutable. The AWS Backup console provides reporting across all locked vaults, showing the lock status of each backup vault.

Prerequisites

To get started with this setup, you must have:

  1. An AWS Backup vault that is already created. In this post, I use an existing backup vault called “Worm_Vault_Console.” To create a new backup vault, refer to the documentation on creating a backup vault.
  2. An IAM identity with the permissions required to lock the backup vault. Only principals with the proper permissions can add or modify vault locks. The IAM identity must have the following permissions to create the vault lock through the AWS Management Console.

The following IAM policy grants the identity the ability to add and remove the AWS Backup Vault Lock configuration on any vault in the given Region and account, plus the ListBackupVaults permission the console needs to display the vaults to choose from. Replace <region> and <account-id> with your own values; the policy is scoped to that Region because backup vaults, and their locks, are Regional resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VaultLockConfiguration",
      "Effect": "Allow",
      "Action": [
        "backup:DeleteBackupVaultLockConfiguration",
        "backup:PutBackupVaultLockConfiguration"
      ],
      "Resource": "arn:aws:backup:<region>:<account-id>:backup-vault:*"
    },
    {
      "Sid": "ConsoleVaultLockViewVault",
      "Effect": "Allow",
      "Action": "backup:ListBackupVaults",
      "Resource": "*"
    }
  ]
}

Note that this policy grants nothing else: any other activity, such as listing backup plans, fails with an Access Denied error, as in Figure 2.

Example of restricted AWS Backup IAM policy

Figure 2: Example of restricted AWS Backup IAM policy
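To see exactly what the policy above does and does not allow before attaching it, it helps to evaluate it the way IAM would. The following is an added example, not code from this post or from AWS: it implements just enough of IAM's evaluation logic for identity-based Allow statements (case-insensitive Action matching and case-sensitive Resource matching, both with "*" and "?" wildcards, and an implicit deny for anything unmatched) and runs the post's policy against a few actions. Deny statements, conditions, and resource-based or service control policies are out of scope. The REGION and ACCOUNT_ID values stand in for the post's <region> and <account-id> placeholders and are constructed for the example.

```python
"""Check what the minimal vault-lock IAM policy allows and denies.

Added example, not code from the post. Implements only identity-based
Allow statements with wildcard matching and IAM's implicit deny.
"""
import re

REGION = "us-east-1"          # constructed for the example
ACCOUNT_ID = "123456789012"   # constructed for the example

# The post's policy, with the Version/Statement wrapper included.
VAULT_LOCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VaultLockConfiguration",
            "Effect": "Allow",
            "Action": [
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:PutBackupVaultLockConfiguration",
            ],
            "Resource": f"arn:aws:backup:{REGION}:{ACCOUNT_ID}:backup-vault:*",
        },
        {
            "Sid": "ConsoleVaultLockViewVault",
            "Effect": "Allow",
            "Action": "backup:ListBackupVaults",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match an IAM wildcard pattern ('*' any run, '?' one char) against value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if any Allow statement matches both the action and the resource.

    The post's policy has no Deny statements, so anything unmatched falls
    through to IAM's implicit deny, which the console surfaces as the
    AccessDenied error shown in Figure 2.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if any(_matches(p, resource, False) for p in _as_list(stmt["Resource"])):
            return True
    return False


def vault_arn(name: str, region: str = REGION, account_id: str = ACCOUNT_ID) -> str:
    """ARN of an AWS Backup vault, in the form the policy's Resource element uses."""
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{name}"


if __name__ == "__main__":
    vault = vault_arn("Worm_Vault_Console")
    checks = [
        ("backup:PutBackupVaultLockConfiguration", vault),
        ("backup:DeleteBackupVaultLockConfiguration", vault),
        ("backup:ListBackupVaults", "*"),
        ("backup:ListBackupPlans", "*"),            # denied, as in Figure 2
        ("backup:DeleteRecoveryPoint", vault),      # denied, never granted
        ("backup:PutBackupVaultLockConfiguration",  # denied, other Region
         vault_arn("Worm_Vault_Console", region="eu-west-1")),
    ]
    for action, resource in checks:
        verdict = "Allow" if is_allowed(VAULT_LOCK_POLICY, action, resource) else "AccessDenied"
        print(f"{verdict:13} {action} on {resource}")
```

The last check is the one worth noticing: because the Resource ARN names a Region, the same identity cannot lock a vault of the same name in another Region, which is usually what you want for a permission that can make retention permanent.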

Walkthrough

With the backup vault in place and an IAM identity permitted to put the vault lock, you can configure AWS Backup Vault Lock on an existing backup vault as follows.

1. Navigate to the AWS Backup console, choose Backup Vault Lock, and then choose Create vault lock to get started with the feature, as shown in Figure 3. Verify that you're in the correct Region before continuing: vaults, and their locks, are Regional.

AWS Backup Management Console to create Vault Lock

Figure 3: AWS Backup Management Console to create Vault Lock

2. Next, select the backup vault. I select ‘Worm_Vault_Console’ in Figure 4.

Create Vault Lock AWS Backup Management Console

Figure 4: Create Vault Lock AWS Backup Management Console

3. Choose the Vault lock mode. If you choose Compliance mode, an additional section called Compliance mode start date (“grace time”) appears, as in Figure 5.

Details of Compliance Vault Lock mode configuration including creation date, grace time, and retention period

Figure 5: Details of Compliance Vault Lock mode configuration including creation date, grace time, and retention period

Governance mode has no grace time, so that section does not appear when you choose it, as in Figure 6.

Details of Governance Vault Lock mode including creation date and retention period

Figure 6: Details of Governance Vault Lock mode including creation date and retention period

4. Next, set the Retention period: a minimum retention period and, optionally, a maximum retention period. Backup and copy jobs into this vault must use a lifecycle retention that falls within that window. Jobs whose retention period is shorter than the required minimum (or longer than the maximum, if one is set) fail.

For this walkthrough, I chose Compliance mode as the vault lock mode, with a minimum retention period of five weeks and a maximum retention period of seven weeks. Any new backup or copy job into the vault with a retention period shorter than five weeks or longer than seven weeks will fail.

5. A vault lock in compliance mode has a cooling-off period. This is the time between creation of the lock and the moment the vault and its lock become irreversible and immutable. You decide how long this grace period is, but it must be at least three days (72 hours). I selected seven days as my cooling-off period in Figure 7.

Note: after the grace period (cooling-off period) has passed, the vault and its lock are immutable. There is no way for AWS or any user, including the account's root user, to alter or remove them.

Backup Vault Lock setting configuration

Figure 7: Backup Vault Lock setting configuration

6. A confirmation pop-up opens as soon as you choose Create vault lock, as shown in Figure 8. Type confirm in the text box, then check the box to acknowledge that the configuration is accurate and that you want to create the lock in the chosen mode. Review the mode and retention values carefully before confirming: in compliance mode they become permanent once the grace period ends.

Pop-up to confirm Create Vault Lock

Figure 8: Pop-up to confirm Create Vault Lock
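The six console steps above, and the cleanup rules later in the post, reduce to a handful of parameters and two decisions: would a given backup job be accepted into the locked vault, and can the lock still be removed. The following is an added example, not code from this post or from AWS. It maps the console choices (mode, minimum and maximum retention in weeks, cooling-off period) onto the parameters of the AWS Backup API call PutBackupVaultLockConfiguration (MinRetentionDays, MaxRetentionDays, ChangeableForDays), checks the constraints the post states (cooling-off of at least 3 days, maximum not shorter than minimum), and applies the rules that follow: jobs outside the retention window fail, and a compliance-mode lock can be deleted only during its grace period. The vault name, creation date and job lifecycles are constructed for the example; treating a never-expiring job as exceeding any maximum retention is an assumption consistent with the post's rule.

```python
"""Model the vault lock choices from the walkthrough and the rules they impose.

Added example, not code from the post. Console choices are mapped onto the
PutBackupVaultLockConfiguration API parameters; dates and names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAYS_PER_WEEK = 7
MIN_COOLING_OFF_DAYS = 3  # compliance-mode grace period must be at least 72 hours


@dataclass(frozen=True)
class VaultLock:
    vault_name: str
    min_retention_days: int
    max_retention_days: Optional[int]    # None: no upper bound
    changeable_for_days: Optional[int]   # None: governance mode (no grace time)
    created_at: datetime

    @property
    def compliance_mode(self) -> bool:
        return self.changeable_for_days is not None

    @property
    def lock_date(self) -> Optional[datetime]:
        """When a compliance lock becomes immutable; None for governance mode."""
        if self.changeable_for_days is None:
            return None
        return self.created_at + timedelta(days=self.changeable_for_days)

    def api_kwargs(self) -> dict:
        """Keyword arguments for boto3's backup.put_backup_vault_lock_configuration()."""
        kwargs = {"BackupVaultName": self.vault_name,
                  "MinRetentionDays": self.min_retention_days}
        if self.max_retention_days is not None:
            kwargs["MaxRetentionDays"] = self.max_retention_days
        if self.changeable_for_days is not None:
            kwargs["ChangeableForDays"] = self.changeable_for_days
        return kwargs


def build_lock(vault_name: str, min_weeks: int, max_weeks: Optional[int] = None,
               cooling_off_days: Optional[int] = None,
               created_at: Optional[datetime] = None) -> VaultLock:
    """Turn the console choices into a VaultLock, rejecting invalid combinations."""
    if min_weeks < 1:
        raise ValueError("minimum retention must be positive")
    if max_weeks is not None and max_weeks < min_weeks:
        raise ValueError("maximum retention cannot be shorter than the minimum")
    if cooling_off_days is not None and cooling_off_days < MIN_COOLING_OFF_DAYS:
        raise ValueError(f"cooling-off period must be at least {MIN_COOLING_OFF_DAYS} days")
    return VaultLock(
        vault_name=vault_name,
        min_retention_days=min_weeks * DAYS_PER_WEEK,
        max_retention_days=None if max_weeks is None else max_weeks * DAYS_PER_WEEK,
        changeable_for_days=cooling_off_days,
        created_at=created_at or datetime.now(timezone.utc),
    )


def job_accepted(lock: VaultLock, delete_after_days: Optional[int]) -> bool:
    """Would a backup or copy job with this lifecycle succeed into the locked vault?

    delete_after_days=None means the recovery point never expires; it is treated
    here as exceeding any maximum retention (assumption consistent with the post).
    """
    if delete_after_days is None:
        return lock.max_retention_days is None
    if delete_after_days < lock.min_retention_days:
        return False
    return lock.max_retention_days is None or delete_after_days <= lock.max_retention_days


def can_delete_lock(lock: VaultLock, now: datetime) -> bool:
    """Can a principal holding backup:DeleteBackupVaultLockConfiguration remove the lock?"""
    if not lock.compliance_mode:
        return True                 # governance mode: IAM is the only guard
    return now < lock.lock_date     # compliance mode: only during grace time


def apply_lock(client, lock: VaultLock) -> dict:
    """Create the lock through a boto3 AWS Backup client (or any stand-in object)."""
    return client.put_backup_vault_lock_configuration(**lock.api_kwargs())


if __name__ == "__main__":
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed date
    lock = build_lock("Worm_Vault_Console", min_weeks=5, max_weeks=7,
                      cooling_off_days=7, created_at=created)
    print("API call parameters:", lock.api_kwargs())
    for days in (28, 35, 49, 56, None):
        print(f"job retention {days!s:>4} days ->",
              "accepted" if job_accepted(lock, days) else "FAILS")
    for offset in (6, 8):
        when = created + timedelta(days=offset)
        print(f"delete lock {offset} days after creation ->",
              "allowed" if can_delete_lock(lock, when) else "refused (locked)")
```

With the walkthrough's values (five to seven weeks, seven-day cooling-off), the API call carries MinRetentionDays=35, MaxRetentionDays=49 and ChangeableForDays=7; a four-week job fails, five- and seven-week jobs succeed, and the lock can be deleted on day six but not on day eight. Pass a real boto3 client to apply_lock only after those answers match what you intend.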

View vault lock status

Once the vault lock is created, it is listed under Backup Vault Lock. Hover over the Vault lock status on the vault lock list page in Figure 9 to view the key details of a compliance lock.

Backup Vault lock details

Figure 9: Backup Vault lock details

If more than one vault lock is in grace time, the vault lock list page shows a banner that filters the list to display only the locks still in grace time, as in Figure 10.

Vaults with Vault Lock in grace time

Figure 10: Vaults with Vault Lock in grace time

Additionally, you can view the vault lock status of each vault by navigating to the Backup vaults tab in the navigation bar, as seen in Figure 11.

Vault Lock Status for each Backup Vault

Figure 11: Vault Lock Status for each Backup Vault

Then, select the vault to view the backup vault summary page for additional information about the lock configuration, as seen in Figure 12.

Backup Vault Lock details including creation date, grace time, and retention period

Figure 12: Backup Vault Lock details including creation date, grace time, and retention period

Cleaning up

If you created a vault lock for testing purposes to assess your environment, remember to delete the vault lock setting before its grace period ends to avoid unintended retention of recovery points.

To delete the vault lock setting from the backup vault, navigate to Manage Vault Lock and choose Delete Vault lock, as in Figure 13.

Manage Vault Lock Page to Delete Vault Lock if in Grace time period.

Figure 13: Manage Vault Lock Page to Delete Vault Lock if in Grace time period.

Type confirm to delete the vault lock, as in Figure 14.

Type confirm to delete vault lock.

Figure 14: Type confirm to delete vault lock.

You can reach the Manage Vault Lock page from either the backup vault's summary page or the AWS Backup Vault Lock page. Because the grace period was set to seven days, the vault lock can be deleted within that time frame.

Note that a compliance-mode vault lock can be deleted only while it is in its grace period. Once the vault is locked in compliance mode, no one, including the account's root user or AWS, can modify or remove the lock. The only way to get rid of it is to close the AWS account, which also deletes all of the backups in it. A governance-mode lock, by contrast, can be removed at any time by a principal that holds the backup:DeleteBackupVaultLockConfiguration permission, so grant that permission sparingly.

Conclusion

In this post, I demonstrated how to enable immutability to protect your backup data from ransomware or accidental deletions. The AWS Backup Vault Lock feature can now be configured from the AWS Backup console, simplifying the process to apply the WORM model on backup data. I also reviewed how to delete the vault lock if you are testing the feature.

AWS Backup Vault Lock works in conjunction with other capabilities that AWS Backup offers. For more information about AWS Backup, refer to the AWS Backup documentation.

Thank you for reading this post. If you have any questions or comments, leave a comment in the comments section.

Prachi Gupta

Prachi is a Cloud Engineer at AWS, spending most of her time helping customers with their storage and backup solutions in the cloud. She is an animal lover and helps street dogs find food and shelter. In her spare time, she likes to draw, play video games, and explore new places.