Very recently, AWS announced Vault Lock for AWS Backup. This new feature protects backups from accidental or malicious actions. Behind the scenes, this extra safeguard is made possible by storing backups using a Write-Once-Read-Many (WORM) model. Additionally, with a simple setting, you can now also prevent users from deleting backups or changing their retention periods, providing an additional layer of data protection!
The main reason to rehash this? Unique features like this seem to stay under the radar way too often. Secondly, if you already use AWS Backup, then enabling this extra protection is almost effortless.
Here's an example of an AWS Backup vault using Vault Lock in CloudFormation:
SomeBackupVault:
  Type: AWS::Backup::BackupVault
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    BackupVaultName: SomeBackupVault
    Notifications:
      BackupVaultEvents:
        - BACKUP_JOB_FAILED
        - BACKUP_JOB_EXPIRED
      SNSTopicArn: !Ref AlertSnsTopic
    LockConfiguration:
      ChangeableForDays: 3
      MaxRetentionDays: 180
      MinRetentionDays: 14
SomeBackupPlan:
  Type: AWS::Backup::BackupPlan
  Properties:
    BackupPlan:
      BackupPlanName: SomeBackupPlan
      BackupPlanRule:
        - RuleName: Daily14DaysRetention
          TargetBackupVault: !Ref SomeBackupVault
          ScheduleExpression: "cron(0 2 * * ? *)"
          StartWindowMinutes: 60
          Lifecycle:
            DeleteAfterDays: 14
TagBasedBackupSelection:
  Type: AWS::Backup::BackupSelection
  Properties:
    BackupSelection:
      SelectionName: TagBasedBackupSelection
      IamRoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole
      ListOfTags:
        - ConditionType: STRINGEQUALS
          ConditionKey: backup
          ConditionValue: daily
    BackupPlanId: !Ref SomeBackupPlan
The new properties that enable a vault lock sit under the LockConfiguration key of the AWS::Backup::BackupVault resource:
- ChangeableForDays: specifies the number of days before the lock date. For example, setting ChangeableForDays to 30 on Jan. 1, 2022 at 8pm UTC will set the lock date to Jan. 31, 2022 at 8pm UTC. AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable. Therefore, you must set ChangeableForDays to 3 or greater.
- MaxRetentionDays: specifies the maximum retention period that the vault retains its recovery points.
- MinRetentionDays: specifies the minimum retention period that the vault retains its recovery points.
From: AWS::Backup::BackupVault LockConfigurationType
If you want to go more in-depth on this feature, check out: Enhance the security posture of your backups with AWS Backup Vault Lock. You will also find a step-by-step walkthrough for enabling this feature from the AWS Web Console in that post.
Enjoy, and until next time!