Profile Applicability:

  • Level 1

Description:
AWS Backup allows users to define Backup Plans that automate backup schedules and retention policies for AWS resources. A Backup Plan defines how, when, and where backups are taken, and how long they are retained. At least one AWS Backup plan should exist so that critical resources are backed up on a schedule and retention policies are enforced, reducing the risk of data loss.

Rationale:
Having a defined Backup Plan ensures that your AWS resources are protected against accidental data loss, corruption, or disaster. A properly configured backup plan can help meet compliance and business continuity requirements by ensuring that data is regularly backed up and stored securely. Ensuring that at least one backup plan exists allows for the automation of backup processes, reducing manual intervention and the risk of missed backups.

Impact:

Pros:

  • Automates the backup process, ensuring that critical data is regularly backed up.

  • Ensures compliance with data retention and backup policies.

  • Reduces the risk of data loss due to human error or system failure.

  • Enables disaster recovery by ensuring data is protected and can be restored if needed.

Cons:

  • If improperly configured, backup plans can lead to excessive backup costs or unnecessary backups.

  • Requires careful management of backup schedules and retention periods to avoid over-accumulating backup data.

Default Value:
By default, AWS Backup does not automatically create backup plans. You need to manually configure backup plans to begin automating the backup process for AWS resources.

Pre-requisites:

  • AWS IAM permissions to manage AWS Backup plans:
     backup:CreateBackupPlan
     backup:ListBackupPlans
     backup:DescribeBackupPlan

  • Access to the AWS Backup service to create and configure backup plans.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Backup.

  3. In the left-hand menu, click on Backup plans.

  4. Check if there is at least one backup plan listed. If no backup plans exist, proceed to create a new one.

  5. If no backup plans exist, click Create a backup plan.

  6. Follow the wizard to define your backup plan. Specify the frequency (e.g., daily, weekly), retention periods, and backup vault where the backups will be stored.

  7. Once the backup plan is created, verify that it is listed and active in the Backup plans section.

Using AWS CLI:

  1. List all backup plans:

    aws backup list-backup-plans

  2. This returns the backup plans in the current account and region (AWS Backup is a regional service). If no plans exist, BackupPlansList is empty.

  3. If no backup plans exist, create a new backup plan by running:

    aws backup create-backup-plan --backup-plan file://backup_plan.json

  4. Example backup_plan.json (the Lifecycle block uses the DeleteAfterDays key that the CreateBackupPlan API expects):

    {
      "BackupPlanName": "DailyBackupPlan",
      "Rules": [
        {
          "RuleName": "DailyBackups",
          "TargetBackupVault": "<BACKUP_VAULT_NAME>",
          "Schedule": "cron(0 12 * * ? *)",
          "StartWindowMinutes": 60,
          "CompletionWindowMinutes": 10080,
          "Lifecycle": {
            "DeleteAfterDays": 30
          }
        }
      ]
    }

  5. Replace <BACKUP_VAULT_NAME> with the name of an existing backup vault.

  6. Verify that the backup plan was created, using the BackupPlanId returned by create-backup-plan:

    aws backup describe-backup-plan --backup-plan-id <BACKUP_PLAN_ID>
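
The CLI steps above can be scripted. The following is an added audit helper, not part of this benchmark or of AWS Backup: it evaluates the JSON that `aws backup list-backup-plans` prints (a constructed sample is embedded so it runs offline) and sanity-checks a backup_plan.json document before it is submitted, flagging an unreplaced vault placeholder, a malformed schedule, or a missing retention period. The plan id in the sample is constructed.

```python
import json
import re

# Constructed sample of `aws backup list-backup-plans` output: one plan, not deleted.
SAMPLE_LIST_OUTPUT = json.dumps({"BackupPlansList": [{
    "BackupPlanId": "11111111-2222-3333-4444-555555555555",  # constructed id
    "BackupPlanName": "DailyBackupPlan",
    "DeletionDate": None,
}]})

# AWS Backup schedules are six-field cron expressions:
# cron(minutes hours day-of-month month day-of-week year)
CRON_RE = re.compile(r"^cron\(\S+ \S+ \S+ \S+ \S+ \S+\)$")


def audit_backup_plans(list_output: str) -> list[str]:
    """Findings for the 'at least one plan' check; an empty list means PASS."""
    plans = json.loads(list_output).get("BackupPlansList", [])
    active = [p for p in plans if not p.get("DeletionDate")]
    if not active:
        return ["FAIL: no active backup plan in this account/region"]
    return []


def validate_plan(plan: dict) -> list[str]:
    """Sanity-check a backup_plan.json document before create-backup-plan runs."""
    findings = []
    rules = plan.get("Rules") or []
    if not rules:
        findings.append("plan has no Rules, so nothing would be backed up")
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        vault = rule.get("TargetBackupVault", "")
        if not vault or vault.startswith("<"):
            findings.append(f"{name}: TargetBackupVault placeholder not replaced")
        if not CRON_RE.match(rule.get("Schedule", "")):
            findings.append(f"{name}: Schedule is not a cron(...) expression")
        if not rule.get("Lifecycle", {}).get("DeleteAfterDays"):
            findings.append(f"{name}: no Lifecycle.DeleteAfterDays, backups never expire")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: aws backup list-backup-plans | python audit_backup.py backup_plan.json
    print("\n".join(audit_backup_plans(sys.stdin.read()) or ["PASS: backup plan exists"]))
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print("\n".join(validate_plan(json.load(f)) or ["PASS: plan document looks sane"]))
```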

Implementation Plan:

Using AWS Console:

  1. Open the AWS Backup Console and select Backup plans from the left-hand menu.

  2. Click Create a backup plan to configure a new plan.

  3. Define the backup schedule, retention policies, and the backup vault to store the backups.

  4. Review the backup plan configuration and click Create to finalize the setup.

  5. Once the plan is created, ensure that it appears in the Backup plans section and is correctly configured.

Using AWS CLI:

  1. To create a backup plan via CLI, run the following command with a configuration file:

    aws backup create-backup-plan --backup-plan file://backup_plan.json

  2. Verify the backup plan:

    aws backup describe-backup-plan --backup-plan-id <BACKUP_PLAN_ID>

Backout Plan:

Using AWS Console:

  1. If the Backup plan is causing issues, sign in to the AWS Management Console.

  2. Navigate to AWS Backup, select the Backup plan, and click Delete.

  3. Confirm the deletion and ensure that no backups are scheduled under that plan.

Using AWS CLI:

  1. To delete a Backup plan, run:

    aws backup delete-backup-plan --backup-plan-id <BACKUP_PLAN_ID>

  2. Verify that the plan has been deleted:

    aws backup list-backup-plans

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure that at least one AWS Backup plan exists to automate backup operations and ensure data protection.
  7.1       8.1          Create and maintain AWS Backup plans to automate backup processes and ensure regular backups of critical data.