Profile Applicability:
- Level 1
Description:
AWS Backup vaults are essential components of AWS Backup, providing a secure and centralized location to store backup data. Backup vaults help manage, organize, and protect backup data by enforcing access controls and encryption policies. It is critical that at least one AWS Backup vault exists and is correctly configured for managing backup data, as vaults underpin the integrity and security of backup operations. They provide a reliable means for storing, monitoring, and auditing backup data across AWS resources.
Rationale:
Ensuring that AWS Backup vaults exist is crucial for organizing backup data in a secure and compliant manner. Backup vaults provide encryption, access control, and retention policies that help meet compliance requirements (e.g., GDPR, HIPAA) and improve data protection practices. Without backup vaults, managing, auditing, and restoring backup data would be less structured and less secure.
Impact:
Pros:
Provides a centralized, secure location for storing backup data.
Improves backup management, auditing, and compliance.
Ensures data encryption and access control for backup data.
Supports retention policies to ensure backups are retained according to regulatory requirements.
Cons:
If not configured properly, backup vaults can become a bottleneck in backup management.
Requires regular monitoring and maintenance to ensure they are functioning properly.
Default Value:
By default, AWS Backup vaults are not automatically created. Vaults must be manually configured when creating backup plans.
Pre-requisites:
AWS IAM permissions to manage AWS Backup vaults:
backup:CreateBackupVault
backup:ListBackupVaults
backup:DescribeBackupVault
Access to the AWS Backup configuration.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Backup.
In the left-hand menu, select Backup vaults.
Ensure that at least one backup vault exists. If no vaults exist, create a new one by clicking Create backup vault.
Verify that the vaults are properly configured with encryption, access control, and retention policies as per your organization's requirements.
Using AWS CLI:
List all AWS Backup vaults:
aws backup list-backup-vaults
This will return a list of backup vaults within your AWS account.
If no vaults exist, create a backup vault using:
aws backup create-backup-vault --backup-vault-name <VAULT_NAME> --encryption-key-arn <KMS_KEY_ARN>
Replace <VAULT_NAME> with the desired vault name and <KMS_KEY_ARN> with the ARN of the KMS key used for encryption (you can use the default AWS KMS key or create your own). Note that the CLI option is --encryption-key-arn and expects a key ARN, not a bare key ID.
Verify that the backup vault was created:
aws backup describe-backup-vault --backup-vault-name <VAULT_NAME>
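The CLI test above (list the vaults, then confirm encryption and retention settings) can be scripted against the JSON that aws backup list-backup-vaults returns. The helper below is an added example, not part of this benchmark text; it evaluates a constructed sample response (the field names BackupVaultList, BackupVaultName, EncryptionKeyArn, Locked and NumberOfRecoveryPoints are the real response fields, while the vault names, account ID and key ID are made up). Access policies are not included in the list output, so the access-control check still requires aws backup get-backup-vault-access-policy per vault.

```python
import json

# Constructed sample in the shape of `aws backup list-backup-vaults` output.
# The account ID, key ID and vault names are placeholders, not real resources.
SAMPLE_LIST_OUTPUT = json.dumps({
    "BackupVaultList": [
        {
            "BackupVaultName": "prod-vault",
            "BackupVaultArn": "arn:aws:backup:us-east-1:111122223333:backup-vault:prod-vault",
            "CreationDate": 1700000000.0,
            "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "NumberOfRecoveryPoints": 42,
            "Locked": True,
            "MinRetentionDays": 30,
        },
        {
            # Deliberately incomplete record so the checks below have something to flag.
            "BackupVaultName": "scratch-vault",
            "BackupVaultArn": "arn:aws:backup:us-east-1:111122223333:backup-vault:scratch-vault",
            "CreationDate": 1700000000.0,
            "NumberOfRecoveryPoints": 0,
            "Locked": False,
        },
    ]
})


def audit_backup_vaults(list_output_json: str) -> list[str]:
    """Return findings derived from `aws backup list-backup-vaults` JSON.

    An empty list means every check passed. Checks: at least one vault exists,
    every vault reports a KMS encryption key, and each vault is locked
    (AWS Backup Vault Lock is what enforces the retention policy and
    prevents deletion of the vault and its recovery points).
    """
    vaults = json.loads(list_output_json).get("BackupVaultList", [])
    if not vaults:
        return ["FAIL: no backup vaults exist in this account/region"]
    findings: list[str] = []
    for vault in vaults:
        name = vault.get("BackupVaultName", "<unnamed>")
        key_arn = vault.get("EncryptionKeyArn") or ""
        if not key_arn.startswith("arn:aws:kms:"):
            findings.append(f"FAIL: {name} reports no KMS encryption key")
        if not vault.get("Locked", False):
            findings.append(f"WARN: {name} is not locked; retention can be shortened or the vault deleted")
    return findings


if __name__ == "__main__":
    for finding in audit_backup_vaults(SAMPLE_LIST_OUTPUT):
        print(finding)
```

In practice pipe the live output in, for example `aws backup list-backup-vaults | python3 audit_vaults.py`, after replacing SAMPLE_LIST_OUTPUT with sys.stdin.read().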
Implementation Plan:
Using AWS Console:
Open the AWS Backup Console and select Backup vaults.
If no backup vaults exist, click Create backup vault.
Choose a name for the backup vault, select an encryption key (either the default or a custom KMS key), and configure any additional settings such as access controls and retention policies.
Save the configuration and ensure that the vault is created and visible in the list of backup vaults.
Using AWS CLI:
To create a backup vault via CLI, run the following command:
aws backup create-backup-vault --backup-vault-name <VAULT_NAME> --encryption-key-arn <KMS_KEY_ARN>
Verify that the vault has been created:
aws backup describe-backup-vault --backup-vault-name <VAULT_NAME>
Backout Plan:
Using AWS Console:
If the creation of a Backup vault causes issues, sign in to the AWS Management Console.
Navigate to AWS Backup, select the Backup vault, and click Delete.
Confirm the deletion and monitor to ensure that the vault is removed and backup operations are no longer using it.
Using AWS CLI:
To delete a Backup vault, run the following command:
aws backup delete-backup-vault --backup-vault-name <VAULT_NAME>
Verify that the vault has been deleted:
aws backup list-backup-vaults
Reference:
CIS Controls: