Description:
Elastic Block Store (EBS) is an easy-to-use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction-intensive workloads at any scale. The policy checks if the EBS storage service has controlled access and its backup schedules are configured.
Rationale:
Even cloud servers are not safe from failure. EBS volumes, which all AWS EC2 instances run on, are not entirely redundant. This means that if your server experiences a drive failure, you could lose your data. EBS snapshots and AMIs are stored on Amazon Simple Storage Service (S3), which is designed for high durability and reliability.
Impact:
Not enabling the scheduled backup may lead to losing the data in the Instance.
Default Value:
By default, scheduled backups are not enabled for EBS volumes.
Pre-Requisite:
Log in as an admin or as an IAM user with the required permissions.
Ensure you have at least one EC2 instance running.
Create the IAM role required by AWS Backup, or use the default role AWSBackupDefaultRole.
Remediation:
Test plan:
1. Sign in to the AWS console.
2. Go to the Amazon EC2 console: https://console.aws.amazon.com/ec2/home
3. In the left navigation pane, under Elastic Block Store, select Lifecycle Manager.
4. Check whether any lifecycle policy exists.
5. If no policy has been created, backups are not scheduled; follow the implementation steps.
Using AWS CLI:
aws dlm get-lifecycle-policies
Implementation Steps:
1. Go to the Amazon EC2 console: https://console.aws.amazon.com/ec2/home
2. In the left navigation pane, under Elastic Block Store, select Lifecycle Manager.
3. In Data Lifecycle Manager, select the policy type EBS snapshot policy.
4. Choose Volume as the resource type and target volumes by tag.
5. Enter a description for the policy, choose the IAM role, and set the policy status: enabled (starts immediately) or disabled (must be started manually later).
6. Click Next and fill in the schedule details for the backup, such as the schedule name and backup frequency.
7. Set the time interval between backups.
8. Set the start time of the first backup after the lifecycle policy is created.
9. Set the retention type.
Using AWS CLI:
Log in to the AWS CLI with your credentials, then tag the target volume and create the policy (replace <your-region> and the volume ID with your own values):
aws ec2 create-tags --region <your-region> --resources vol-0abcdabcdd --tags Key=Environment,Value=Production
aws dlm create-lifecycle-policy \
  --region <your-region> \
  --execution-role-arn arn:aws:iam::12344412:role/service-role/AWSDataLifecycleManagerDefaultRole \
  --description "Snapshot lifecycle policy for production EBS volumes" \
  --state ENABLED \
  --policy-details file://lifecycle-policy-config.json
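The test plan above only says to look for a lifecycle policy, and the CLI command references a lifecycle-policy-config.json that the text does not show. The following added example (not part of the original page) fills both gaps: it evaluates the JSON output of `aws dlm get-lifecycle-policies` for an enabled EBS snapshot policy, and it writes a policy-details document matching the console steps (target volumes by tag, 24-hour interval, start time, retention count). The sample outputs are constructed; the interval, tag and retention values are assumptions you should adjust.

```python
"""EBS snapshot scheduling via AWS DLM: audit check plus policy document.
Added example for this page, not part of the original text. Assumes the JSON
shapes of `aws dlm get-lifecycle-policies` output and --policy-details input.
"""
import json


def has_enabled_snapshot_policy(policies_json: str) -> bool:
    """Test-plan check: is at least one ENABLED EBS snapshot policy present?
    A disabled policy or an empty list means no scheduled backups."""
    data = json.loads(policies_json)
    for policy in data.get("Policies", []):
        # PolicyType is absent in older responses; DLM then means EBS snapshots.
        policy_type = policy.get("PolicyType", "EBS_SNAPSHOT_MANAGEMENT")
        if policy.get("State") == "ENABLED" and policy_type == "EBS_SNAPSHOT_MANAGEMENT":
            return True
    return False


def build_policy_details(tag_key: str, tag_value: str, interval_hours: int,
                         start_utc: str, retain_count: int) -> dict:
    """Remediation: the --policy-details document mirroring the console steps
    (resource type Volume, target by tag, interval, start time, retention)."""
    if interval_hours not in (1, 2, 3, 4, 6, 8, 12, 24):
        raise ValueError("DLM accepts only 1,2,3,4,6,8,12 or 24 hour intervals")
    return {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
        "ResourceTypes": ["VOLUME"],
        "TargetTags": [{"Key": tag_key, "Value": tag_value}],
        "Schedules": [{
            "Name": "ScheduledEbsSnapshots",
            "CopyTags": True,  # carry volume tags onto snapshots for later lookup
            "CreateRule": {"Interval": interval_hours, "IntervalUnit": "HOURS",
                           "Times": [start_utc]},  # HH:MM, UTC
            "RetainRule": {"Count": retain_count},
        }],
    }


# Constructed sample outputs of `aws dlm get-lifecycle-policies` (not real data).
SAMPLE_NO_POLICY = '{"Policies": []}'
SAMPLE_DISABLED = '{"Policies": [{"PolicyId": "policy-0123456789abcdef0", "State": "DISABLED"}]}'
SAMPLE_ENABLED = '{"Policies": [{"PolicyId": "policy-0123456789abcdef0", "State": "ENABLED"}]}'

if __name__ == "__main__":
    for label, sample in (("none", SAMPLE_NO_POLICY), ("disabled", SAMPLE_DISABLED)):
        print(label, "compliant" if has_enabled_snapshot_policy(sample) else "NOT compliant")
    with open("lifecycle-policy-config.json", "w") as fh:  # file used by the CLI command above
        json.dump(build_policy_details("Environment", "Production", 24, "03:00", 7), fh, indent=2)
```

Feed the real CLI output in with `aws dlm get-lifecycle-policies | python3 -c '...'` or by reading stdin; the written JSON file is the one the create-lifecycle-policy command above expects.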
Backout Plan:
1. Sign in to the AWS console.
2. Go to the Amazon EC2 console: https://console.aws.amazon.com/ec2/home
3. In the left navigation pane, under Elastic Block Store, select Lifecycle Manager.
4. In the list of policies, select the desired policy, click Actions, and click Delete Snapshot Lifecycle Policy.
Note:
With the AWS Data Lifecycle Manager (DLM) service, you can manage the lifecycle of your EBS volume snapshots.
Reference:
https://aws.amazon.com/blogs/compute/recovering-files-from-an-amazon-ebs-volume-backup/
https://aws.amazon.com/premiumsupport/knowledge-center/back-up-instance-store-ebs/
dlm — AWS CLI 1.22.63 Command Reference (amazon.com)