Profile Applicability:

  •  Level 1

Description:
AWS Backup provides backup and recovery services for AWS resources and ensures that recovery points (the saved backup data) are protected through encryption at rest. Encryption at rest ensures that backup data is securely encrypted when stored, preventing unauthorized access. By default, AWS Backup uses AWS Key Management Service (KMS) to encrypt recovery points. It's important to ensure that all recovery points created by AWS Backup are encrypted at rest, using either the default AWS-managed KMS key or a custom KMS key.

Rationale:
Encrypting backup recovery points at rest is a critical security measure to protect sensitive data from unauthorized access, ensuring that backup data remains confidential and compliant with regulatory and privacy standards. Encryption at rest also helps meet compliance requirements, such as GDPR, HIPAA, and SOC 2, by ensuring that backup data is secure while stored.

Impact:

Pros:

  • Protects backup data from unauthorized access by encrypting it at rest.

  • Helps meet compliance and regulatory requirements for data protection.

  • Enhances the overall security posture of the organization by securing backup data.

  • Allows users to choose between AWS-managed or customer-managed KMS keys for encryption.

Cons:

  • May incur additional costs for using custom KMS keys.

  • Requires careful management of encryption keys to ensure that only authorized users can decrypt backup data.

Default Value:
By default, AWS Backup automatically encrypts recovery points using the AWS-managed KMS key (aws/backup) unless a custom KMS key is specified.

Pre-requisites:

  • AWS IAM permissions to manage KMS and AWS Backup configurations:
      backup:DescribeRecoveryPoint
      backup:ListRecoveryPointsByBackupVault
      kms:DescribeKey

  • Access to the AWS Backup service and KMS keys.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Backup.

  3. In the left-hand menu, select Backup Vaults.

  4. Select the desired Backup Vault where recovery points are stored.

  5. Under the Recovery Points tab, review the list of recovery points for the vault.

  6. Check the Encryption column to confirm that each recovery point is encrypted at rest. A recovery point whose encryption is not enabled will not be shown as encrypted.

  7. If recovery points are not encrypted, ensure that the backup plan associated with the recovery points specifies encryption settings.

Using AWS CLI:

  1. List all backup vaults:

    aws backup list-backup-vaults

  2. For each backup vault, list the recovery points:

    aws backup list-recovery-points-by-backup-vault --backup-vault-name <BACKUP_VAULT_NAME>

  3. Review the recovery points and check for the EncryptionKeyArn field. If the EncryptionKeyArn field is present, the recovery point is encrypted, and the field will contain the ARN of the encryption key used (either a KMS key or the AWS-managed key).

  4. If no encryption key is listed or the recovery point is not encrypted, verify the backup plan and ensure encryption is enabled during the backup process.
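The following script is an added example and is not part of the benchmark text. It automates the CLI test plan above (list every backup vault, list its recovery points, inspect the EncryptionKeyArn field) and groups recovery points into unencrypted, AWS-managed and customer-managed. Because an AWS-managed key and a customer-managed key share the same ARN format, the script calls kms:DescribeKey and reads KeyMetadata.KeyManager to tell them apart, which is the reason that permission is listed in the pre-requisites. The sample recovery points, account id and key ids are constructed placeholders; running audit_account against a real account assumes boto3 is installed and credentials are configured.

```python
"""Audit AWS Backup recovery points for encryption at rest (added example)."""
from __future__ import annotations

from functools import lru_cache
from typing import Callable, Iterable


def audit_recovery_points(
    recovery_points: Iterable[dict],
    key_manager_of: Callable[[str], str],
) -> dict[str, list[str]]:
    """Group recovery point ARNs by how they are encrypted.

    recovery_points: items as returned by list-recovery-points-by-backup-vault
                     (fields used: RecoveryPointArn, IsEncrypted, EncryptionKeyArn).
    key_manager_of:  maps a KMS key ARN to "AWS" or "CUSTOMER", the value that
                     kms:DescribeKey reports in KeyMetadata.KeyManager.
    """
    report: dict[str, list[str]] = {"unencrypted": [], "aws-managed": [], "customer-managed": []}
    for rp in recovery_points:
        key_arn = rp.get("EncryptionKeyArn")
        if not rp.get("IsEncrypted") or not key_arn:
            # No key ARN (or IsEncrypted false): this is the finding the test plan looks for.
            report["unencrypted"].append(rp["RecoveryPointArn"])
        elif key_manager_of(key_arn) == "AWS":
            report["aws-managed"].append(rp["RecoveryPointArn"])
        else:
            report["customer-managed"].append(rp["RecoveryPointArn"])
    return report


# Constructed sample data: account id, region and key ids are placeholders, not real resources.
_ACCT = "111122223333"
_AWS_KEY = f"arn:aws:kms:us-east-1:{_ACCT}:key/aaaa0000-0000-0000-0000-000000000001"
_CMK = f"arn:aws:kms:us-east-1:{_ACCT}:key/bbbb0000-0000-0000-0000-000000000002"
SAMPLE_KEY_MANAGERS = {_AWS_KEY: "AWS", _CMK: "CUSTOMER"}
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": f"arn:aws:backup:us-east-1:{_ACCT}:recovery-point:rp-01",
     "IsEncrypted": True, "EncryptionKeyArn": _AWS_KEY},
    {"RecoveryPointArn": f"arn:aws:backup:us-east-1:{_ACCT}:recovery-point:rp-02",
     "IsEncrypted": True, "EncryptionKeyArn": _CMK},
    {"RecoveryPointArn": f"arn:aws:backup:us-east-1:{_ACCT}:recovery-point:rp-03",
     "IsEncrypted": False},
]


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample so the logic can be exercised offline."""
    return audit_recovery_points(
        SAMPLE_RECOVERY_POINTS, lambda arn: SAMPLE_KEY_MANAGERS.get(arn, "CUSTOMER")
    )


def audit_account(region: str | None = None) -> dict[str, dict[str, list[str]]]:
    """Audit every vault in the account: vault name -> report. Needs boto3 and credentials."""
    import boto3  # imported lazily so the offline sample does not require it

    backup = boto3.client("backup", region_name=region)
    kms = boto3.client("kms", region_name=region)

    @lru_cache(maxsize=None)
    def key_manager_of(key_arn: str) -> str:
        # One DescribeKey call per distinct key, cached across vaults.
        return kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"]

    results: dict[str, dict[str, list[str]]] = {}
    for page in backup.get_paginator("list_backup_vaults").paginate():
        for vault in page["BackupVaultList"]:
            name = vault["BackupVaultName"]
            points: list[dict] = []
            paginator = backup.get_paginator("list_recovery_points_by_backup_vault")
            for rp_page in paginator.paginate(BackupVaultName=name):
                points.extend(rp_page["RecoveryPoints"])
            results[name] = audit_recovery_points(points, key_manager_of)
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(audit_sample(), indent=2))
```

Any ARN listed under "unencrypted" is a finding against this recommendation; the split between "aws-managed" and "customer-managed" lets you see which vaults still rely on the default key when your policy requires a customer-managed one.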

Implementation Plan:

Using AWS Console:

  1. Open the AWS Backup Console and navigate to Backup Vaults.

  2. Select the desired backup vault and click on the Recovery Points tab.

  3. Ensure that all recovery points in the vault have encryption enabled.

  4. If recovery points are not encrypted, update the Backup Plan associated with these recovery points to specify KMS encryption.

    • Choose to either use the AWS-managed KMS key or a custom KMS key.

Using AWS CLI:

  1. To verify recovery points' encryption, use the following command:

    aws backup list-recovery-points-by-backup-vault --backup-vault-name <BACKUP_VAULT_NAME>

  2. Review the recovery points and ensure that the EncryptionKeyArn is specified.

  3. To enable encryption for recovery points, ensure that your backup plan uses the appropriate KMS key for encryption:

    aws backup create-backup-plan --backup-plan file://backup_plan_with_encryption.json

Backout Plan:

Using AWS Console:

  1. If enabling encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Backup, select the Backup vault, and go to the Encryption settings.

  3. Disable encryption or change the encryption key if necessary.

  4. Save the changes and verify that the recovery points are no longer encrypted, or they are encrypted with the correct key.

Using AWS CLI:

  1. To disable encryption or switch to another encryption key, run the following (a vault's KMS key is fixed when the vault is created, so the new key is applied by creating a vault that uses it):

    aws backup create-backup-vault --backup-vault-name <NEW_VAULT_NAME> --encryption-key-arn <NEW_KMS_KEY_ARN>

  2. Verify that the recovery points are now encrypted with the updated key:

    aws backup describe-recovery-point --backup-vault-name <VAULT_NAME> --recovery-point-arn <RECOVERY_POINT_ARN>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure that recovery points are encrypted at rest using AWS KMS keys to protect sensitive data.
  7.1       8.1          Enable encryption for AWS Backup recovery points using customer-managed or AWS-managed KMS keys.