AWS Storage Blog

Building cyber resiliency with AWS Backup logically air-gapped vault

Enterprises use AWS Backup for centralized data protection as part of a defense-in-depth architecture. Its features generally fulfill users’ data security and regulatory requirements, but there is demand for additional resiliency against ransomware incidents. Meeting the recovery objectives often involves creating multiple copies of data backups, developing and maintaining custom code for backup processes, and managing multiple encryption keys. To address these challenges, AWS Backup announces the general availability of the logically air-gapped vault, a new type of AWS Backup vault that allows secure sharing of backups across accounts and organizations and supports direct restore to help reduce recovery time from a data loss event.

AWS Backup logically air-gapped vault serves as a secondary vault, providing logical isolation of backup storage for users’ organizational retention and recovery needs. The key features of the logically air-gapped vault are:

In this post, we explore how the logically air-gapped vault can help improve recovery time, reduce operational overhead, and streamline recovery testing for your most sensitive workloads.

How the logically air-gapped vault works

Before we dive into the details, let’s understand how the logically air-gapped vault works.

With the logically air-gapped vault, the immutable backup copies are locked by default and further protected through encryption using AWS-owned keys. Encrypting recovery points with an AWS Backup-owned AWS Key Management Service (AWS KMS) key not only safeguards against accidental or unwanted deletions of user-managed keys, but also reduces operational overhead and key management costs for users.

The logically air-gapped vault simplifies sharing backups for restore purposes across accounts using AWS RAM. This capability is crucial for enterprises that need to share vaults not only within the same organization in AWS Organizations but also with accounts in a different organization. By using AWS RAM, users can share vault data with specific accounts, enabling faster direct restores. Fine-grained access control can be applied to AWS RAM shares using a combination of Service Control Policies (SCPs) and AWS Backup vault access policies.

Once the vault is shared, backups can be directly restored in the destination account. This eliminates the need to copy backups first. Furthermore, this reduces the operational overhead, time to recover from a data loss event, and cost of extra copies.

Solution overview

The architecture in Figure 1 shows a typical pattern that users would employ with a logically air-gapped vault. This design pattern uses AWS Backup to protect data across AWS services, AWS RAM to share the logically air-gapped vault across accounts, AWS KMS to create, manage, and control the cryptographic keys used to encrypt backup data, AWS Lambda to automate restore operations, and AWS Organizations to separate workloads and functions into distinct AWS accounts, as described in the following:

  • Workload Account: Comprises the user workload that includes AWS Backup supported resources. The account contains the primary AWS Backup vault and the backup plan.
  • Data Bunker Account: The logically air-gapped vault is defined in this account, and data is copied into it from the Workload Account vault. The logically air-gapped vault can also be set up in the Workload Account, but placing it in a separate account adds a further layer of logical isolation. This logically air-gapped vault is shared using AWS RAM with the Recovery Account and the Forensics Account.
  • Recovery Account: This is used to restore recovery points (also known as backups) in the event of a disaster or a cyber security incident in the Workload Account. The logically air-gapped vault is shared with this account using AWS RAM.
  • Forensics Account: This is used for regular restore testing or for any additional security investigation that may be needed. If a restore is not successful, events can be sent to AWS Security Hub for alerting.

Typical logically air-gapped vault architecture showing the four key AWS accounts.

Figure 1: Typical architecture for the logically air-gapped vault

In the following section, we describe the attributes and criteria for highly sensitive workloads, and how the logically air-gapped vault’s capabilities can help.

Reduce recovery time

Today the recovery process requires creating a copy of the recovery point in the recovery account and then triggering the restore operation. The copy creation and restore operation can take a significant amount of time depending on the size of the recovery point. However, in the case of a cyber incident, there may not be enough time to execute both operations.

Using a backup plan, users can configure automatic copying of the recovery points into a logically air-gapped vault. In the event of data loss, users can share this vault with the recovery account and initiate a restore. Since the vault is shared rather than copied, the size of the recovery point doesn’t impact the process, thus reducing restore time. This approach is beneficial for highly sensitive workloads that need a quick recovery across accounts and organizations.

Reduce operational overhead

The logically air-gapped vault helps reduce the overall operational overhead by allowing for the configuration of a copy through the backup rule in the backup plan. This offloads the sharing of vault contents to AWS RAM and removes the need to manage additional encryption keys.

With the logically air-gapped vault, users need only update the backup plan and provide a copy configuration (highlighted in Figure 2) that copies the data into the logically air-gapped vault. This is a one-time step. After this initial step, the data is automatically copied from the primary vault in the workload account to the logically air-gapped vault, either within the same account or in a different account. The logically air-gapped vault can then be shared with the recovery account without custom code to manage copy operations into the recovery account.
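As an added example (not code from the post or from AWS), the copy rule and the AWS RAM share that Figure 1 and Figure 2 describe, built as the JSON inputs that `aws backup create-backup-plan` and `aws ram create-resource-share` accept. Account ids, region, schedule and the plan and share names are constructed placeholders; the retention check assumes that the vault's minimum and maximum retention days are enforced on recovery points copied into it.

```python
import json
import re

# Constructed sample values (not from the post): account ids and region are placeholders.
BUNKER_ACCOUNT = "222222222222"
RECOVERY_ACCOUNT = "333333333333"
FORENSICS_ACCOUNT = "444444444444"
REGION = "us-east-1"
LAG_VAULT_NAME = "Central_LAG_Vault"  # vault name shown in the post's figures
LAG_VAULT_ARN = f"arn:aws:backup:{REGION}:{BUNKER_ACCOUNT}:backup-vault:{LAG_VAULT_NAME}"


def retention_fits_vault(delete_after_days, vault_min_days, vault_max_days):
    """The logically air-gapped vault is created with min/max retention days
    (assumption: copies outside that window are rejected by the service)."""
    return vault_min_days <= delete_after_days <= vault_max_days


def build_copy_rule(primary_vault, lag_vault_arn, delete_after_days,
                    vault_min_days, vault_max_days, schedule="cron(0 5 ? * * *)"):
    """One backup rule: back up into the primary vault, then copy each recovery
    point into the logically air-gapped vault (the Figure 2 copy configuration)."""
    if not retention_fits_vault(delete_after_days, vault_min_days, vault_max_days):
        raise ValueError(f"copy retention {delete_after_days}d is outside the "
                         f"vault's {vault_min_days}-{vault_max_days} day window")
    return {
        "RuleName": "daily-to-lag-vault",
        "TargetBackupVaultName": primary_vault,
        "ScheduleExpression": schedule,
        "Lifecycle": {"DeleteAfterDays": delete_after_days},
        "CopyActions": [{"DestinationBackupVaultArn": lag_vault_arn,
                         "Lifecycle": {"DeleteAfterDays": delete_after_days}}],
    }


def build_backup_plan(rule):
    return {"BackupPlanName": "sensitive-workloads", "Rules": [rule]}


def build_ram_share(lag_vault_arn, principals):
    """Share only the vault, and only with the accounts that may restore from it.
    allowExternalPrincipals is needed when a principal is in another Organization."""
    for account in principals:
        if not re.fullmatch(r"\d{12}", account):
            raise ValueError(f"not a 12-digit AWS account id: {account}")
    return {"name": "lag-vault-restore-share", "resourceArns": [lag_vault_arn],
            "principals": sorted(set(principals)), "allowExternalPrincipals": True}


if __name__ == "__main__":
    rule = build_copy_rule("Primary_Vault", LAG_VAULT_ARN, 35, 7, 365)
    print(json.dumps(build_backup_plan(rule), indent=2))
    print(json.dumps(build_ram_share(LAG_VAULT_ARN, [RECOVERY_ACCOUNT, FORENSICS_ACCOUNT]), indent=2))
```

Write each printed document to a file and pass it with `--backup-plan file://plan.json` and `--cli-input-json file://share.json` respectively.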

AWS Backup console backup rule page, with the copy configuration section showing a logically air-gapped vault named ‘Central_LAG_Vault’ outlined in red as the destination backup vault. A red text annotation indicates that this rule copies the contents of the current vault to the logically air-gapped vault named ‘Central_LAG_Vault’.

Figure 2: Backup plan to copy to the logically air-gapped vault

Additionally, when you create a new logically air-gapped vault, the AWS encryption key that it uses is managed by AWS. This reduces the additional overhead involved with creating, maintaining, and protecting the key.

Enhance protection

For sensitive workloads that need enhanced protection and must maintain additional immutable copies of data, a logically air-gapped vault provides advanced security capabilities. It safeguards against the risk of losing encryption keys, making sure the data remains secure and accessible. The logically air-gapped vault is locked in compliance mode by default, which means the recovery points cannot be manually deleted from this vault. Additionally, the use of service-owned encryption keys prevents accidental or malicious deletion of the key, further enhancing security.

In Figure 1, the data is being copied over to the data bunker account and these copies are always immutable. Therefore, the threat actor is unable to modify the contents of the logically air-gapped vault, or even delete the encryption keys, during a cyber security incident.

This solution is recommended for highly sensitive workloads that need a high level of data protection and preservation. Additionally, the use of SCPs with AWS Backup, as well as the recommendations shared for data protection for AWS backups, apply to the logically air-gapped vault.

Simplify sharing and recovery testing

AWS Backup users are strongly encouraged to perform regular end-to-end testing of the backup and restore workflow. The logically air-gapped vault’s sharing model, facilitated by AWS RAM, allows you to validate your recovery procedures without disrupting production environments. This practice helps make sure that your disaster recovery (DR) plan is robust and can be executed efficiently when needed.

In Figure 1, the logically air-gapped vault is shared with the recovery account. Once the share is accepted, the vault and its recovery points become visible in the recovery account. Figure 3 shows the logically air-gapped vault being shared using AWS RAM.

AWS Backup console vault page, with the tab named ‘Vaults shared with this account’ as the selected tab. This selected tab has one vault named ‘Central_LAG_Vault’ that is shared with this AWS account.

Figure 3: The logically air-gapped vault shared using AWS RAM

Figure 4 shows the shared logically air-gapped vault’s recovery points that can be restored using the Restore button in the Actions pull-down menu.

AWS Backup console vault page showing a detailed view of a logically air-gapped vault named ‘Central_LAG_Vault’. It has a summary section which provides more details, and the Account sharing label is outlined, indicating that this logically air-gapped vault is currently being shared with this AWS account. Another section on this page has the ‘Recovery points’ tab selected and shows a list of recovery points. One recovery point is selected, and the Restore button under the Actions button is outlined, indicating that the selected recovery point can be restored.

Figure 4: AWS Backup shared logically air-gapped vault showing recovery points that can be restored using the Restore Action button.

Cleaning up

After you’ve created your logically air-gapped vault, you can clean up any resources to avoid unnecessary charges by following the steps in the Clean up resources section of the AWS Backup user guide.

Conclusion

In this post, we demonstrated the key benefits of using an AWS Backup logically air-gapped vault. First, a logically air-gapped vault can significantly decrease recovery time and operational overhead, and streamline recovery testing, by providing the ability to share the vault across organizations and accounts. Second, the logically air-gapped vault offers heightened protection by automatically locking the vault in compliance mode and by encrypting the vault with an AWS-owned key, which prevents accidental deletion of the encryption key. These benefits are especially relevant while ransomware remains top of mind, and make the vault well suited to highly sensitive workloads.

Thank you for reading this post. Get started with logically air-gapped vaults by using the AWS Backup console, API, or CLI. For more information, visit the AWS Backup product page and documentation.

Sushmitha Srinivasa Murthy

Sushmitha Srinivasa Murthy is a Senior Solutions Architect with AWS. She is a builder at heart, with a passion for cloud governance and security. She has over a decade of experience building secure, scalable, and resilient workloads in the highly regulated financial sector.

Sabith Venkitachalapathy

Sabith Venkitachalapathy is an Enterprise Solutions Architect at AWS, where he helps customers architect and manage regulated multi-account environments on AWS to solve a range of business needs. He specializes in the Financial Services industry. Outside of work, he enjoys cooking, traveling, and spending time with his family.