Profile Applicability:
- Level 1
Description:
AWS Directory Service allows you to create manual snapshots of your directories for backup and recovery purposes. These snapshots can be used to restore your directory to a specific point in time. AWS imposes limits on the number of manual snapshots that can be stored per directory. When this limit is reached, further snapshots cannot be created unless existing snapshots are deleted.
This check verifies whether any AWS Directory Service directories have reached the maximum number of allowed manual snapshots.
Rationale:
Continuity of Backups: Prevents the failure of scheduled or ad-hoc backups due to snapshot limits.
Disaster Recovery: Ensures the ability to take new snapshots, maintaining up-to-date recovery points.
Cost Management: Helps manage storage costs by controlling the number of stored snapshots.
Compliance: Supports backup policies required by compliance standards such as CIS, SOC 2, HIPAA, and PCI-DSS.
Impact:
Pros:
Ensures backup continuity.
Mitigates risks associated with snapshot failures.
Helps maintain recovery readiness.
Cons:
Requires regular snapshot management.
Potential data loss if old snapshots are deleted without proper review.
Manual oversight needed to avoid unintended snapshot deletions.
Default Value:
AWS allows a maximum of 5 manual snapshots per AWS Directory Service instance.
This limit can vary by region and directory type.
Pre-Requisites:
IAM Permissions:
ds:DescribeDirectories
ds:DescribeSnapshots
ds:DeleteSnapshot
ds:CreateSnapshot
AWS CLI installed and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Directory Service → Directories.
Select the directory you want to audit.
In the left-hand menu, choose Snapshots.
Review the list of manual snapshots.
If the number of manual snapshots is 5 or more, the directory has reached its limit.
Verify the snapshot creation dates and delete older snapshots if necessary.
Using AWS CLI:
List All Directories:
aws ds describe-directories --query 'DirectoryDescriptions[*].{DirectoryId:DirectoryId,Name:Name,Type:Type}'
List Snapshots for Each Directory:
aws ds describe-snapshots --directory-id <directory-id> --query 'Snapshots[*].{SnapshotId:SnapshotId,Type:Type,Status:Status,CreatedDateTime:StartTime}'
Expected Output:
[
  {
    "SnapshotId": "s-1234567890abcdef",
    "Type": "Manual",
    "Status": "Completed",
    "CreatedDateTime": "2023-10-15T12:34:56Z"
  },
  {
    "SnapshotId": "s-0987654321fedcba",
    "Type": "Manual",
    "Status": "Completed",
    "CreatedDateTime": "2023-09-10T09:45:12Z"
  }
]
Pass Criteria:
Fewer than 5 manual snapshots exist per directory.
Older snapshots are rotated/deleted as needed.
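The CLI test plan above can be automated. The following is an added example, not part of this check's own text: it evaluates the snapshot list returned by `aws ds describe-snapshots` (the JSON shape shown in Expected Output) against the 5-snapshot limit and names the oldest manual snapshot as the rotation candidate. The sample snapshot lists and the constructed `s-aaaa...` IDs are made up for the example; `fetch_snapshots` shells out to the real CLI and is only needed for live use.

```python
import json
import subprocess
from datetime import datetime

# Default per-directory limit on manual snapshots stated in this check.
MANUAL_SNAPSHOT_LIMIT = 5

# Constructed sample: the two snapshots from Expected Output (key StartTime,
# as the raw --output json form names it rather than the aliased query).
SAMPLE_COMPLIANT = [
    {"SnapshotId": "s-1234567890abcdef", "Type": "Manual", "Status": "Completed", "StartTime": "2023-10-15T12:34:56Z"},
    {"SnapshotId": "s-0987654321fedcba", "Type": "Manual", "Status": "Completed", "StartTime": "2023-09-10T09:45:12Z"},
]

# Constructed sample: five manual snapshots (at the limit) plus one automatic
# snapshot, which must not be counted toward the manual limit.
SAMPLE_AT_LIMIT = [
    {"SnapshotId": "s-aaaa000000000003", "Type": "Manual", "Status": "Completed", "StartTime": "2023-08-01T00:00:00Z"},
    {"SnapshotId": "s-aaaa000000000001", "Type": "Manual", "Status": "Completed", "StartTime": "2023-06-01T00:00:00Z"},
    {"SnapshotId": "s-aaaa000000000005", "Type": "Manual", "Status": "Completed", "StartTime": "2023-10-01T00:00:00Z"},
    {"SnapshotId": "s-aaaa000000000002", "Type": "Manual", "Status": "Completed", "StartTime": "2023-07-01T00:00:00Z"},
    {"SnapshotId": "s-aaaa000000000004", "Type": "Manual", "Status": "Completed", "StartTime": "2023-09-01T00:00:00Z"},
    {"SnapshotId": "s-bbbb000000000009", "Type": "Auto",   "Status": "Completed", "StartTime": "2023-10-14T00:00:00Z"},
]


def parse_time(value):
    """Accept the CLI's ISO 8601 string or a boto3 datetime object."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_directory(snapshots, limit=MANUAL_SNAPSHOT_LIMIT):
    """Apply the pass criteria: fewer than `limit` manual snapshots.

    Every manual snapshot counts regardless of Status; review Status and
    creation date before rotating anything (see Backout Plan)."""
    manual = sorted((s for s in snapshots if s.get("Type") == "Manual"),
                    key=lambda s: parse_time(s["StartTime"]))
    return {
        "manual_count": len(manual),
        "status": "FAIL" if len(manual) >= limit else "PASS",
        "oldest_manual": manual[0]["SnapshotId"] if manual else None,
    }


def fetch_snapshots(directory_id):
    """Live input: the describe-snapshots call from the test plan."""
    out = subprocess.check_output(["aws", "ds", "describe-snapshots",
                                   "--directory-id", directory_id, "--output", "json"])
    return json.loads(out)["Snapshots"]
```

To audit every directory, feed each DirectoryId from `aws ds describe-directories` to `fetch_snapshots` and pass the result to `evaluate_directory`.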
Implementation Steps:
Using AWS Console:
Delete Old Snapshots:
Navigate to AWS Directory Service → Snapshots.
Identify older manual snapshots.
Select the snapshot(s) to delete.
Click Actions → Delete Snapshot.
Confirm deletion.
Create New Manual Snapshot:
Go to AWS Directory Service → Directories.
Select the desired directory.
Click Actions → Create Snapshot.
Enter a snapshot name and confirm.
Using AWS CLI:
Delete an Old Manual Snapshot:
aws ds delete-snapshot --snapshot-id s-1234567890abcdef
Create a New Manual Snapshot:
aws ds create-snapshot --directory-id <directory-id> --name "manual-backup-2023-11-01"
Verify Snapshot Creation:
aws ds describe-snapshots --directory-id <directory-id> --query 'Snapshots[*].{SnapshotId:SnapshotId,Status:Status}'
Backout Plan:
If an Important Snapshot Was Deleted:
Restore from the latest available snapshot using:
aws ds restore-from-snapshot --snapshot-id <snapshot-id>
If Snapshot Creation Fails:
Verify IAM permissions.
Check directory health.
Review AWS service limits.