Profile Applicability:

  • Level 1

Description:
AWS Backup vaults are storage containers used to organize and protect backup data. It is crucial to ensure that all AWS Backup vaults are encrypted with AWS KMS (Key Management Service) to protect the confidentiality and integrity of backup data. By default, AWS Backup uses AWS KMS-managed keys for encryption, but it is also possible to use customer-managed KMS keys for more granular control over encryption and key management.

Encryption with KMS ensures that backup data stored in these vaults is protected at rest, and only authorized users or services with the appropriate permissions can access the encryption keys.

Rationale:
Encrypting AWS Backup vaults with KMS ensures that backup data remains confidential and meets security and compliance requirements. Using KMS-managed or customer-managed keys enables organizations to implement strong access controls and encryption policies, ensuring compliance with standards such as GDPR, HIPAA, SOC 2, and PCI-DSS. It also ensures that backup data is protected from unauthorized access and tampering.

Impact:
Pros:

  • Provides encryption for backup data at rest, ensuring data security.

  • Supports both AWS-managed and customer-managed KMS keys for encryption.

  • Enhances compliance with regulatory standards requiring data encryption.

  • Allows for centralized key management using AWS KMS.

Cons:

  • Requires management of encryption keys if customer-managed keys are used.

  • May incur additional costs for using customer-managed KMS keys.

  • Incorrectly configured KMS permissions can prevent backup operations.

Default Value:
By default, AWS Backup vaults are encrypted using AWS-managed KMS keys (aws/backups). However, organizations can specify their own customer-managed KMS keys for encryption if they need more control over key management.

Pre-requisites:

  • AWS IAM permissions to manage AWS Backup and KMS:
     backup:CreateBackupVault
     backup:DescribeBackupVault
     kms:DescribeKey

  • Access to the AWS Backup console and KMS to configure encryption.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Backup.

  3. In the left-hand menu, select Backup vaults.

  4. Choose the Backup Vault to verify its encryption settings.

  5. Under the Vault settings, check if the Encryption key is listed as AWS KMS and review the encryption key used (AWS-managed or customer-managed KMS key).

  6. If the vault is not encrypted or is using an incorrect encryption key, click Edit and select the appropriate encryption key (AWS KMS-managed or customer-managed key).

  7. Save the settings and ensure that the vault is encrypted with KMS.

Using AWS CLI:

  1. List all AWS Backup vaults:

    aws backup list-backup-vaults

  2. For each vault, check the EncryptionKeyArn to confirm if it is encrypted using AWS KMS:

    aws backup describe-backup-vault --backup-vault-name <BACKUP_VAULT_NAME>

  3. The output will include the EncryptionKeyArn, which specifies the KMS key used for encryption. If the key is listed as the AWS-managed key (aws/backups), it is encrypted with AWS KMS.

  4. If the vault is not encrypted or is using an incorrect encryption key, update it to use the correct KMS key by running:

    aws backup update-backup-vault --backup-vault-name <BACKUP_VAULT_NAME> --encryption-key <KMS_KEY_ARN>

  5. Replace <KMS_KEY_ARN> with the ARN of the desired KMS key (either an AWS-managed key or a customer-managed KMS key).

  6. Verify the updated encryption settings:

    aws backup describe-backup-vault --backup-vault-name <BACKUP_VAULT_NAME>
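The CLI audit in steps 1 to 3, carried out programmatically, as an added example that is not part of this benchmark text and is not AWS tooling. It uses the boto3 `backup` and `kms` clients; the `kms:DescribeKey` permission listed under Pre-requisites is what makes the extra checks possible. Beyond confirming that `EncryptionKeyArn` is set, it reports whether the key is AWS-managed or customer-managed (`KeyManager`) and whether the key is still `Enabled`, because a key that is disabled or pending deletion causes backup jobs into the vault to fail (the third Con above). The classification lives in a pure function so it can be exercised on the constructed sample vaults at the bottom without AWS credentials; the vault names, key ARNs and account number in that sample are made up. The example only audits and does not change keys: AWS Backup fixes a vault's encryption key when the vault is created (`aws backup create-backup-vault --encryption-key-arn`).

```python
"""Audit AWS Backup vaults for KMS encryption (added example, not benchmark tooling)."""
import re
from typing import Dict, List, Optional

try:
    import boto3  # only needed for the live audit; the classification runs without it
except ImportError:
    boto3 = None

# Shape of a KMS key ARN as returned in a vault's EncryptionKeyArn.
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)


def classify_vault(vault: Dict, key_metadata: Optional[Dict], expected_account: str) -> Dict:
    """Return a finding for one vault.

    vault            -- one entry from list-backup-vaults / describe-backup-vault
    key_metadata     -- KeyMetadata from kms:DescribeKey for the vault's key, or None if
                        the lookup failed (AccessDenied, NotFound, ...)
    expected_account -- the account that owns the vault; a key from another account is
                        reported for review but does not fail the check
    """
    finding = {
        "vault": vault.get("BackupVaultName", "<unknown>"),
        "key_arn": vault.get("EncryptionKeyArn"),
        "key_manager": None,   # "AWS" (the aws/backups default) or "CUSTOMER"
        "compliant": False,
        "reasons": [],         # why the vault fails the check
        "review": [],          # points worth a look that do not fail the check
    }
    arn = finding["key_arn"]
    if not arn:
        finding["reasons"].append("vault has no EncryptionKeyArn")
        return finding
    m = KMS_KEY_ARN.match(arn)
    if not m:
        finding["reasons"].append(f"EncryptionKeyArn is not a KMS key ARN: {arn}")
        return finding
    if m.group("account") != expected_account:
        finding["review"].append(f"key is owned by account {m.group('account')}")
    if key_metadata is None:
        finding["reasons"].append("kms:DescribeKey failed; key state could not be confirmed")
    else:
        finding["key_manager"] = key_metadata.get("KeyManager")
        state = key_metadata.get("KeyState")
        if state != "Enabled":
            finding["reasons"].append(f"key state is {state}; backup jobs into this vault will fail")
    finding["compliant"] = not finding["reasons"]
    return finding


def audit_region(region: str) -> List[Dict]:
    """Live audit of every vault in one region (needs boto3 and AWS credentials)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for a live audit")
    backup = boto3.client("backup", region_name=region)
    kms = boto3.client("kms", region_name=region)
    account = boto3.client("sts", region_name=region).get_caller_identity()["Account"]
    findings, kwargs = [], {}
    while True:                       # list-backup-vaults is paginated via NextToken
        page = backup.list_backup_vaults(**kwargs)
        for vault in page.get("BackupVaultList", []):
            meta = None
            if vault.get("EncryptionKeyArn"):
                try:
                    meta = kms.describe_key(KeyId=vault["EncryptionKeyArn"])["KeyMetadata"]
                except Exception:     # AccessDenied / NotFound: reported by classify_vault
                    meta = None
            findings.append(classify_vault(vault, meta, account))
        if not page.get("NextToken"):
            return findings
        kwargs = {"NextToken": page["NextToken"]}


# Constructed sample data: none of these are real account, vault or key identifiers.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_VAULTS = [
    {"BackupVaultName": "prod-vault",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"BackupVaultName": "stale-vault",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000"},
    {"BackupVaultName": "legacy-vault"},   # no EncryptionKeyArn at all
]
SAMPLE_KEY_METADATA = {
    SAMPLE_VAULTS[0]["EncryptionKeyArn"]: {"KeyManager": "AWS", "KeyState": "Enabled"},
    SAMPLE_VAULTS[1]["EncryptionKeyArn"]: {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
}


def audit_sample() -> List[Dict]:
    """Run the classification over the constructed sample instead of a live account."""
    return [classify_vault(v, SAMPLE_KEY_METADATA.get(v.get("EncryptionKeyArn")), SAMPLE_ACCOUNT)
            for v in SAMPLE_VAULTS]


if __name__ == "__main__":
    for f in audit_sample():
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['vault']:<14} manager={f['key_manager']} {'; '.join(f['reasons'])}")
```

Run it as a script to see the sample findings, or call `audit_region("us-east-1")` from a session with read-only Backup and KMS permissions to audit a real account; the structured findings are convenient to feed into whatever ticketing or reporting the review process already uses.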

Implementation Plan:

Using AWS Console:

  1. Open the AWS Backup Console and navigate to Backup Vaults.

  2. Select the backup vault and click on Edit to update the encryption settings.

  3. Ensure that the Encryption key is set to either the default AWS KMS-managed key or a customer-managed KMS key.

  4. Save the updated settings and verify that the vault is now encrypted with the correct KMS key.

Using AWS CLI:

  1. To update the backup vault's encryption key, run the following command:

    aws backup update-backup-vault --backup-vault-name <BACKUP_VAULT_NAME> --encryption-key <KMS_KEY_ARN>

  2. Verify that the vault's encryption has been updated:

    aws backup describe-backup-vault --backup-vault-name <BACKUP_VAULT_NAME>

Backout Plan:

Using AWS Console:

  1. If enabling KMS encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Backup, select the Backup vault, and go to the Vault settings.

  3. Change the encryption to another KMS key or revert to the default AWS-managed key if necessary.

  4. Save the changes and monitor the vault to ensure it functions correctly.

Using AWS CLI:

  1. To change or remove KMS encryption, run the following command:

    aws backup update-backup-vault --backup-vault-name <VAULT_NAME> --encryption-key <NEW_KMS_KEY_ARN>

  2. Verify that the KMS encryption has been updated or removed:

    aws backup describe-backup-vault --backup-vault-name <VAULT_NAME>


Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure that AWS Backup vaults are encrypted with AWS KMS to protect sensitive backup data.
  7.1       8.1          Enable AWS KMS encryption for AWS Backup vaults to ensure compliance and data protection.