AWS for Industries

FSI Services Spotlight: AWS Backup

Welcome back to the Financial Services Industry (FSI) Service Spotlight monthly blog series. Each month we look at five key considerations that FSI customers should focus on to help streamline cloud service approval for one particular service. Each of the five key considerations includes specific guidance, suggested reference architectures, and technical code that can be used to streamline service approval for the featured service. This guidance should be adapted to suit your specific use case and environment.

This month we’re covering AWS Backup. AWS Backup is a fully managed backup service that simplifies data protection by providing a policy-based service to automate the backup of data across multiple AWS services and on-premises environments. AWS Backup Vault Lock makes sure of immutability and adds an additional layer of defense that protects backups (recovery points) in your backup vaults. Customers can monitor the status of their backups using the AWS Backup console, and they can demonstrate compliance with regulatory requirements using audit logging and integration with AWS Config. AWS Backup lets customers centralize and automate the backup of their data, simplify the backup process, and reduce the risk of errors while making sure that data is protected from accidental or malicious data loss.

AWS Backup is an ideal solution for implementing standard backup plans for your AWS resources across your AWS accounts and Regions. AWS Backup also makes it easier to maintain and implement a backup strategy for workloads using multiple AWS resources that must be backed up collectively. Furthermore, AWS Backup lets you collectively monitor a backup and restore operation that involves multiple AWS resources.

AWS Backup can help you build cost-optimized backup solutions for different use cases in the FSI. AWS Backup automates and consolidates backup tasks previously performed service-by-service. This removes the need to create custom scripts and manual processes. With just a few clicks in the AWS Backup console, you can create backup policies that automate backup schedules and retention management. AWS Backup doesn’t govern backups that you take in your AWS environment outside of AWS Backup. Therefore, you can start using AWS Backup today to achieve a centralized, end-to-end solution for business and regulatory compliance requirements.

Overview of AWS Backup

Figure 1: AWS Backup

AWS Backup use cases in the FSI

Wise, formerly TransferWise, makes sending money abroad easier and far less expensive than working with traditional banks. This creates money without borders – instant, convenient, transparent, and eventually free. Wise is an international money account used by over 10 million people who live, work, travel, and do business worldwide. AWS Backup gives Wise a way to centrally manage data protection policies for on-premises backups written to Storage Gateway, databases that are backed up to Amazon Elastic File System (Amazon EFS), and Amazon Relational Database Services (RDS) databases. By tagging and templating their policies, Wise was able to scale to meet backup needs across their global cloud enterprise.

AWS Backup is extremely easy to set up and use. It’s much easier than any backup product we’ve used in the past and enables us to show our auditors what they need to see for maintaining compliance. We spun up our AWS Backup plans really quickly and set up templates and tags, so any team can automatically have their new resources protected by the right backup plan.”

Thomas Hewer, Technology Lead – Wise

Achieving compliance with AWS Backup

AWS Backup is an AWS managed service, and third-party auditors regularly assess its security and compliance as part of multiple AWS compliance programs. As part of the AWS shared responsibility model, AWS Backup is in the scope of the following compliance programs.

  • SOC 1,2,3
  • PCI
  • CSA STAR CCM v4.0
  • ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v4.0
  • ISMAP
  • FedRAMP (Moderate and High)
  • DoD CC SRG (IL2-IL5)
  • HIPAA
  • IRAP
  • MTCS (Regions: US-East, US-West, Singapore, Seoul)
  • C5
  • K-ISMS
  • ENS High (only Amazon S3 Glacier is in scope)
  • OSPAR
  • HITRUST CSF
  • FINMA
  • GSMA (Regions: US-East (Ohio) and Europe (Paris))
  • PiTuKri
  • CCCS Medium
  • GNS National Restricted Certification

Through AWS Artifact, you can obtain corresponding compliance reports under an AWS non-disclosure agreement (NDA). You must understand that AWS Backup compliance status doesn’t automatically apply to applications that you run in the AWS Cloud. You must make sure that your use of AWS services complies with the standards.

AWS Backup also lets you create legal holds on your protected data beyond your defined retention policies, for legal and auditing purposes. Together with AWS Backup Vault Lock, this new capability has been assessed by Cohasset Associates for use in environments that are subject to SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31. A copy of the Cohasset Associates Assessment report can be downloaded from the Backup Vault Lock technical documentation.

Your scope of the shared responsibility model when using AWS Backup is determined by the sensitivity of your data, your organization’s compliance objectives, and applicable laws and regulations. If your use of AWS Backup is subject to compliance with standards like HIPAA, PCI, or FedRAMP, then AWS provides resources to help.

Data protection with AWS Backup

AWS Backup conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. Enterprises use AWS Backup to centralize and automate data protection and retention across AWS resources in the cloud and on-premises. You can centrally configure backup policies and monitor backup activity for AWS resources. AWS Backup also provides a set of backup APIs and the AWS Command Line Interface (AWS CLI) to manage backups across the AWS services used by your applications. With AWS Backup, you can centrally manage backup policies that meet your backup requirements. Then, you can apply them to your AWS resources across AWS services and accounts. This enables you to back up your application data in a consistent and compliant manner. The AWS Backup centralized backup console offers a consolidated view of your backups and backup activity logs, making it easier to audit your backups and make sure of compliance in your organization.

Backup encryption

You can configure encryption for resource types that support full AWS Backup management when using AWS Backup. If the resource type doesn’t support full AWS Backup management, then you must configure its backup encryption by following that service’s instructions.

When you use AWS Backup to copy your backups across accounts or Regions, AWS Backup automatically encrypts those copies, even if the original backup is unencrypted. AWS Backup encrypts your copy using the target vault’s AWS Key Management Service (AWS KMS) key. If AWS Backup independently encrypts a backup, then it uses the industry-standard AES-256 encryption algorithm.

Virtual machine hypervisor credential encryption

AWS Backup provides encryption for hypervisor credentials to protect sensitive customer login information using AWS owned encryption keys. You also have the option of using customer managed keys instead.

By default, the keys used to encrypt credentials in your hypervisor are AWS-owned keys. AWS Backup uses these keys to encrypt hypervisor credentials automatically. You can neither view, manage, nor use AWS owned keys. You also cannot audit their use.

Legal hold

To comply with legal and regulatory obligations in the face of potential litigation or investigations, customers in regulated industries implement a legal hold or litigation hold process to preserve all pertinent information and data. AWS Backup offers an administrative tool that simplifies the creation and management of legal holds, providing backup protections and preventing accidental deletions. By utilizing this tool, FSIs can more efficiently preserve data in a defensible manner. Backups that are under a legal hold can’t be deleted, and any lifecycle policies that would change their status, such as transitioning to a “Deleted” state, are postponed until the hold is lifted. A backup can have more than one legal hold.

Legal holds are applied to one or more backups (also known as recovery points). When a legal hold is created, it can consider specific filtering criteria, such as tags, resource types, and IDs. Additionally, you can define the creation date range of backups that you wish to include in a legal hold. Legal holds and backups have a many relationships. This means that a backup can have more than one legal hold and a legal hold can include more than one backup.

Legal holds apply only to the original backup on which they are placed. When a backup is copied across Regions or accounts (if the resource supports it), it doesn’t retain or carry its legal hold. A legal hold, like other resources, has a unique Amazon Resource Name (ARN) associated with it. This post has additional information on data preservation with AWS Backup legal holds.

Ransomware protection

Ransomware refers to a business model and a wide range of associated technologies that bad actors use to extort money from entities. AWS offers resources to help protect critical systems and sensitive data from ransomware. In the traditional encrypt-in-place ransomware-attempt, typically the malicious threat actor or malware will attempt to make the data inaccessible until a ransom is paid. Paying ransom doesn’t guarantee that the data will be recovered. If ransomware strikes, then the first thing to do is to protect your account and make sure that you can recover your data, regardless of how it was made inaccessible.

AWS makes this process significantly easier with AWS Backup solution. This lets you centrally manage and protect data through regular automated backups and restore data from the backup as needed. To prevent ransomware from reaching the backup, some of the best practices to follow are listed here:

  • Control access to the backup vault: Vaults are configurable to support permissions via AWS Identity and Access Management (IAM) using resource-based policies. Add resource policies
    • To prevent deletion of the backup vault.
    • To prevent copying from the vault to AWS accounts outside of your AWS organization or other systems.
  • Encrypt the backup vault separately: Use a customer-managed key or a service specific default key for each vault.
    • Encrypt the vault with a different AWS KMS key than the backed up resources. This is important, as this will limit the access to the backup vault to a different principal than the principal with access to your resource (such as an RDS instance).
    • For the vault KMS key, create an AWS KMS resource policy to limit access to the AWS Backup service and only to the specific principal that would need access for restore purposes.
  • Protect the vault against deletion: Use a service control policy to prevent vault deletion, tampering with the vault resource policy, and tampering with the vault AWS KMS policy. Refer to this post to learn more about ways to manage access to backups using service control policies.
  • Cross account backup: If you place the backup or replication into a separate account dedicated just for the backup, then this also helps reduce the likelihood that a threat actor could destroy or tamper with the backup. AWS Backup now natively supports this cross-account capability, which makes the backup process even more accessible.

In addition, this post provides more details on ransomware mitigation.

Environment isolation

As a managed service, AWS Backup is protected by the AWS global network security procedures described in the security pillar of the AWS WAF. To access AWS Backup via the network, clients must support Transport Layer Security (TLS) 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems, such as Java 7 and later, support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. You can also use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests.

AWS PrivateLink lets you establish a private connection between your Amazon Virtual Private Cloud (Amazon VPC) and AWS Backup endpoints by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that lets you privately access AWS Backup APIs by restricting all network traffic between your VPC and AWS Backup to the Amazon network.

AWS PrivateLink lets you privately access AWS Backup operations without an Internet Gateway (IGW), NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don’t need public IP addresses to communicate with AWS Backup API endpoints. Furthermore, you instances don’t need public IP addresses to use available AWS Backup API and Backup gateway API operations. Traffic between your VPC and AWS Backup doesn’t leave the Amazon network.

Reporting and compliance

AWS Backup Audit Manager lets you audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs. AWS Backup Audit Manager provides built-in compliance controls and lets you customize these controls to define your data protection policies (e.g., backup frequency or retention period). It’s designed to automatically detect violations of your defined data protection policies, and it will prompt you to take corrective actions. With AWS Backup Audit Manager, you can continuously evaluate backup activity and generate audit reports that can help demonstrate compliance with regulatory requirements.

There are different ways to gain insights into AWS Backup activity in your AWS accounts. With AWS Backup cross account management, you can centrally manage backup policies and monitor your backup, restore, and copy jobs across AWS accounts in AWS Organizations. Now you can delegate the administration of backup policies and cross-account monitoring to member accounts in your Organizations. You won’t need to use your management account to perform daily data protection tasks. Moreover, you can start delegating AWS Backup administration by using the AWS Backup and Organizations consoles, API, or AWS CLI.

You can use AWS Backup Audit Manager to audit the compliance of your AWS Backup policies against the controls that you define. A control is a procedure designed to audit the compliance of a backup requirement, such as the backup frequency or the backup retention period. You can also integrate with AWS Security Hub to enable visibility, triaging, and security posture management based on Backup Audit Manager defined data protection policies in AWS.

A framework is a collection of controls that helps you evaluate your backup practices. You can use pre-built, customizable controls to define your policies and evaluate whether your backup practices comply with your policies. Furthermore, you can set up automatic daily reports to gain insights into the compliance status of your frameworks.

AWS Backup Audit Manager reports are automatically generated evidence of your AWS Backup activity, such as:

  • Which backup jobs were finished, and when
  • Which resources you backed up

All account holders can create cross-Region reports. In addition, management account holders can also create cross-account reports. AWS Backup lets FSI customers can create compliance insights across regions and accounts.

Operational access and security with AWS Backup

Operational access is the ability of a user or a system to perform the necessary operational tasks with sufficient freedom to accomplish the task. In the context of AWS Backup, this includes creating a backup of resources or performing recovery.

With AWS Backup, solution creation of backups can be automated at an organization level. Even creating a centralized backup solution can be automated by using a cross-account backup. This eliminates the need for manual intervention and the likelihood of manual errors. You can go through this post that explains how to use AWS Backup and continuous integration/continuous development (CI/CD) tools to automate a centralized backup across AWS services.

With the AWS Backup solution, restoring a backup creates a new resource with the backup that you’re restoring. This protects your existing resources from being destroyed by your restore activity. Backup recovery is an operational task that may be done less frequently. Whether this is done manually or automated, it’s best to limit the permissions of this principal and the associated IAM policy.

Here are a few things to consider:

  • Follow the principle of least privilege, and limit the permissions to restore only and not to perform backup operations or to modify backup policies.
  • Limit the IAM Policy permission for this principal to only decrypt the backup vault.
  • Limit the vault KMS key resource policy only to allow decrypt for this principal.
  • Choose a different KMS Key to encrypt the new resource.

AWS Backup is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Backup. CloudTrail captures all API calls for AWS Backup as events. The calls captured include calls from the AWS Backup console and code calls to the AWS Backup API operations. If you create a trail, then you can enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for AWS Backup. Using the information collected by CloudTrail, you can determine the request that was made to AWS Backup, the IP address from which the request was made, who made the request, when it was made, and additional details. This information is useful for tracking and auditing operational access to your backup data.

Conclusion

In this post, we reviewed AWS Backup and highlighted key information that can help FSI customers accelerate the approval of the service within these five categories: achieving compliance, data protection, isolation of compute environments, automating audits with APIs, and operational access and security. Although this guidance not a one-size-fits-all approach, it can be adapted to meet your organization’s security and compliance requirements and provide a consolidated list of key areas for AWS Backup.

In the meantime, make sure to visit our AWS Financial Services Industry blog channel and stay tuned for more FSI news and best practices.

Faisal Fareed

Faisal Fareed

Faisal Fareed is a Principal Solutions Architect with AWS supporting enterprise financial services customers. He has over 20 years of experience developing innovative, secure, and scalable solutions for the financial industry, always focused on achieving impactful business outcomes.

Haider Naqvi

Haider Naqvi

Haider Naqvi is a Solutions Architect at AWS. He has extensive Software Development and Enterprise Architecture experience. He focuses on enabling customers re:Invent and achieve business outcome with AWS. He is based out of New York.

Sushmitha Srinivasa Murthy

Sushmitha Srinivasa Murthy

Sushmitha Srinivasa Murthy is a Senior Solutions Architect with AWS. She is a builder at heart, with a passion for Cloud Governance and Security. She has over a decade of experience building secure, scalable and resilient workloads in highly regulated financial sector.