Profile Applicability:

  • Level 1 

Description:
Amazon EC2 instances can be configured to automatically create snapshots of their associated Elastic Block Store (EBS) volumes at regular intervals. These snapshots are useful for backup, recovery, and disaster recovery purposes. Automated snapshots ensure that data is consistently backed up without manual intervention. It's essential to ensure that automated snapshots are enabled to protect the integrity and availability of your EC2 instances and their data.

Rationale:
Enabling automated snapshots helps ensure that your EC2 instance volumes are regularly backed up, allowing for easy recovery in case of failure, accidental deletion, or corruption. Regular snapshots reduce the risk of data loss and ensure compliance with business continuity plans, improving overall system resilience.

Impact:
 Pros:

  • Provides automatic, consistent backups of EC2 instance volumes.

  • Reduces the risk of data loss by enabling regular, automated backups.

  • Simplifies disaster recovery and business continuity planning.

  • Enhances security and compliance by ensuring data is regularly backed up.

Cons:

  • Adds additional storage costs for the EBS snapshots.

  • May require careful management of snapshot retention policies to avoid excessive storage use.

  • Can introduce performance overhead when snapshots are being taken, especially on high-traffic systems.

Default Value:
 By default, EC2 instances do not have automated snapshots enabled. Snapshots need to be manually configured or automated using Amazon Data Lifecycle Manager (DLM) or other tools.

Pre-requisites:

  • AWS IAM permissions:
        ec2:CreateSnapshot
        ec2:DescribeSnapshots
        ec2:DescribeVolumes

  • Appropriate configuration of Amazon Data Lifecycle Manager (DLM) or snapshot automation scripts.

  • Access to the AWS Console or CLI to manage snapshots.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 and select Snapshots from the left-hand menu.

  3. Review the list of snapshots to verify if automated snapshots are being created regularly.

  4. If no automated snapshots are present, navigate to Lifecycle Manager (under Elastic Block Store) and check if an Automated Snapshot Policy exists.

  5. If no policy is configured, create a new policy by selecting Create lifecycle policy to enable automatic snapshots at regular intervals.

Using AWS CLI:

  1. List the snapshots to verify if they are automated:

    aws ec2 describe-snapshots --query "Snapshots[*].{ID:SnapshotId,VolumeID:VolumeId,StartTime:StartTime}"

  2. Check for patterns in the snapshots' StartTime to identify if they were created at regular intervals.

  3. If automated snapshots are not found, create an automated snapshot policy using the following command with Amazon Data Lifecycle Manager (DLM):

    aws dlm create-lifecycle-policy --execution-role-arn arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME> --description "Automated Snapshot Policy" --state ENABLED --policy-details '{"ResourceTypes":["VOLUME"],"Schedule":{"Interval":12,"IntervalUnit":"HOURS","TimeOfDay":"00:00"}}'

Implementation Plan:

Using AWS Console:

  1. Open the EC2 Dashboard and select Lifecycle Manager under Elastic Block Store.

  2. Click Create lifecycle policy to set up automated snapshot creation.

  3. Define the snapshot frequency (e.g., hourly, daily) and specify retention rules (e.g., retain the last 7 snapshots).

  4. Attach the policy to the relevant EBS volumes to automate the snapshot process.

  5. Save the policy and verify that snapshots are created according to the defined schedule.

Using AWS CLI:

  1. Create an automated snapshot policy with Amazon Data Lifecycle Manager (DLM) by specifying the interval and retention rules:

    aws dlm create-lifecycle-policy --execution-role-arn arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME> --description "Automated Snapshot Policy" --state ENABLED --policy-details '{"ResourceTypes":["VOLUME"],"Schedule":{"Interval":12,"IntervalUnit":"HOURS","TimeOfDay":"00:00"}}'

  2. Verify that snapshots are created automatically by listing the snapshots:

    aws ec2 describe-snapshots --query "Snapshots[*].{ID:SnapshotId,VolumeID:VolumeId,StartTime:StartTime}"

Backout Plan: 

Using AWS Console:

  1. If automated snapshots cause issues, you can delete the lifecycle policy by navigating to Data Lifecycle Manager in the EC2 Console.

  2. Select the lifecycle policy and click Delete to stop automated snapshot creation.

  3. Monitor the EC2 instance to ensure that no further snapshots are created.

Using AWS CLI:

  1. To delete the lifecycle policy and stop automated snapshots, run the following command:

    aws dlm delete-lifecycle-policy --policy-id <POLICY_ID>

  2. Verify that the policy has been deleted:

    aws dlm describe-lifecycle-policies


Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

3.1

Ensure regular, automated snapshots are taken for critical EC2 instances to enable backup and disaster recovery.

7.1

8.1

Automate the creation of backups and snapshots to ensure data recovery in case of failures or incidents.