Profile Applicability:

  • Level 1

Description:

Amazon Elastic Block Store (EBS) provides persistent block storage volumes for Amazon EC2 instances. EBS snapshots are point-in-time backups of EBS volumes, allowing you to protect your data by enabling data recovery and disaster recovery scenarios.

Snapshot lifecycle policies help automate the creation, retention, and deletion of EBS snapshots. Defining EBS Snapshot Lifecycle Policies allows for automated snapshot management to ensure that old, unnecessary snapshots are deleted, minimizing storage costs and meeting regulatory requirements for data retention and protection.

Rationale:

Defining EBS Snapshot Lifecycle Policies is critical for:

  • Cost Management: Automatically deleting old snapshots that are no longer required can reduce costs associated with storing snapshots.

  • Regulatory Compliance: Helps ensure that you are retaining snapshots for the required time frame to meet compliance standards, and automating the deletion of expired data.

  • Operational Efficiency: Automation reduces manual intervention for snapshot management and minimizes human error.

  • Data Protection: Ensures timely backups and safe deletion of outdated snapshots, allowing for disaster recovery and data protection.

Impact:

Pros:

  • Cost Efficiency: By automatically removing obsolete snapshots, you can reduce unnecessary storage costs.

  • Regulatory Compliance: Helps maintain compliance with data retention policies by automating the creation and deletion of snapshots.

  • Time Savings: Automates manual snapshot management tasks, reducing administrative overhead.

  • Improved Data Management: Enhances consistency and reliability in managing snapshots and their retention.

Cons:

  • Risk of Deletion: Improper configuration of the lifecycle policy may result in the premature deletion of necessary snapshots.

  • Initial Setup Complexity: Requires careful configuration of lifecycle policies to ensure that snapshots are managed properly.

  • Retention Management: Overly aggressive policies could result in the loss of data if snapshots are deleted too early.

Default Value:

By default, EBS Snapshot Lifecycle Policies are not defined. You must manually configure and define lifecycle policies for managing EBS snapshots.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeSnapshots

    • ec2:CreateSnapshot

    • ec2:DeleteSnapshot

    • ec2:ModifySnapshotAttribute

    • ec2:CreateTags

  • AWS CLI installed and configured.

  • Amazon EC2 and Amazon EBS should be properly set up and running.

  • AWS Backup or Lifecycle Policies feature available in the region.

  • Understanding of Amazon EBS snapshots and lifecycle management.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Snapshots section, verify if Snapshot Lifecycle Policies have been defined:

    • Go to Lifecycle Manager under Elastic Block Store.

    • Check for any defined Snapshot Lifecycle Policies.

  4. If no policies are defined, click Create lifecycle policy to define a policy:

    • Define the frequency of snapshots (e.g., daily, weekly).

    • Set retention rules for how long snapshots should be kept before they are deleted.

    • Apply tags to manage and filter the snapshots.

  5. Verify that the Snapshot Lifecycle Policies apply to the desired EBS volumes or instances.

Using AWS CLI:

To list all EBS snapshot lifecycle policies (Amazon Data Lifecycle Manager policies) in your account, use:

aws dlm get-lifecycle-policies

To create a daily EBS backup schedule through AWS Backup (an alternative to Lifecycle Manager that also produces EBS snapshots), run the following. Note that AWS Backup requires a backup to stay in cold storage for at least 90 days, so DeleteAfterDays must be at least 90 more than MoveToColdStorageAfterDays:

aws backup create-backup-plan --backup-plan '{
  "BackupPlanName": "MyBackupPlan",
  "Rules": [
    {
      "RuleName": "DailySnapshot",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 12 * * ? *)",
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30,
        "DeleteAfterDays": 120
      }
    }
  ]
}'

Verify the newly created backup plan by running (the command above returns the BackupPlanId):

aws backup describe-backup-plan --backup-plan-id <backup-plan-id>
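Step 5 of the test plan asks you to verify that the lifecycle policies actually cover the volumes you care about. Lifecycle Manager selects volumes by tag, so coverage has to be checked by comparing each volume's tags against the target tags of every enabled policy. The script below is an added example, not part of this benchmark or an AWS tool: it works on the JSON shapes returned by `aws dlm get-lifecycle-policy --policy-id <id>` (the Policy object) and `aws ec2 describe-volumes` (the Volumes list), using constructed sample data with placeholder IDs, and assumes that a volume is covered when it carries at least one of a policy's target tags.

```python
"""Find EBS volumes that no enabled DLM lifecycle policy targets.

Constructed example data: POLICIES mimics the `Policy` objects returned by
`aws dlm get-lifecycle-policy --policy-id <id>`, VOLUMES mimics the
`Volumes` list from `aws ec2 describe-volumes`. To audit a real account,
save the CLI output to files and json.load() them in place of these lists.
"""
import json  # used when loading real CLI output instead of the samples

# Constructed sample: one enabled policy for Production, one disabled for Staging.
POLICIES = [
    {
        "PolicyId": "policy-EXAMPLE0001",  # placeholder, not a real policy ID
        "State": "ENABLED",
        "PolicyDetails": {
            "ResourceTypes": ["VOLUME"],
            "TargetTags": [{"Key": "Environment", "Value": "Production"}],
            "Schedules": [{"Name": "DailySnapshots",
                           "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS"},
                           "RetainRule": {"Count": 30}}],
        },
    },
    {
        "PolicyId": "policy-EXAMPLE0002",  # placeholder
        "State": "DISABLED",  # a disabled policy creates no snapshots
        "PolicyDetails": {
            "ResourceTypes": ["VOLUME"],
            "TargetTags": [{"Key": "Environment", "Value": "Staging"}],
            "Schedules": [{"Name": "DailySnapshots",
                           "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS"},
                           "RetainRule": {"Count": 7}}],
        },
    },
]

# Constructed sample volumes; describe-volumes omits "Tags" on untagged volumes.
VOLUMES = [
    {"VolumeId": "vol-EXAMPLE0001", "Tags": [{"Key": "Environment", "Value": "Production"}]},
    {"VolumeId": "vol-EXAMPLE0002", "Tags": [{"Key": "Environment", "Value": "Staging"}]},
    {"VolumeId": "vol-EXAMPLE0003", "Tags": [{"Key": "Name", "Value": "scratch"}]},
    {"VolumeId": "vol-EXAMPLE0004"},
]


def tag_set(resource):
    """Return a resource's tags as a set of (Key, Value) pairs."""
    return {(t["Key"], t["Value"]) for t in resource.get("Tags", [])}


def policy_targets(policy):
    """Target tags of an enabled, volume-scoped policy; empty set otherwise.

    Instance-scoped policies (ResourceTypes INSTANCE) snapshot attached
    volumes indirectly and are deliberately not evaluated here.
    """
    if policy.get("State") != "ENABLED":
        return set()
    details = policy.get("PolicyDetails", {})
    if "VOLUME" not in details.get("ResourceTypes", []):
        return set()
    return tag_set({"Tags": details.get("TargetTags", [])})


def uncovered_volumes(policies, volumes):
    """Sorted IDs of volumes that match none of the enabled policies' target tags.

    Assumption: a volume counts as covered if it carries at least one of a
    policy's target tags (any-match semantics).
    """
    targeted = set()
    for policy in policies:
        targeted |= policy_targets(policy)
    return sorted(v["VolumeId"] for v in volumes if not (tag_set(v) & targeted))


if __name__ == "__main__":
    for vol_id in uncovered_volumes(POLICIES, VOLUMES):
        print(f"{vol_id}: no enabled EBS snapshot lifecycle policy targets this volume")
```

Any volume this prints is either untagged, tagged with a value no policy targets, or covered only by a disabled policy; each of those is a finding against step 5 and should be fixed by tagging the volume or enabling the policy.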

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 and click on Lifecycle Manager in the left-hand navigation.

  3. Click Create lifecycle policy.

  4. Fill in the policy details, including:

    • Policy Name: Define the policy name.

    • Policy Type: Choose EBS Snapshot Management.

    • Schedule: Set the frequency of snapshots (e.g., daily, weekly).

    • Retention: Define how long to retain snapshots before deletion.

  5. Select the EBS volumes or instances for which the policy applies.

  6. Click Create Policy to finalize the configuration.

  7. Verify that the policy is applied by checking the Snapshots section and ensuring that snapshots are automatically created and deleted according to the policy.

Using AWS CLI:

To create a snapshot lifecycle policy, first tag the volumes the policy should cover (Lifecycle Manager selects volumes by tag, not by volume ID; the tag key and value below are examples), then create the policy with the dlm command set. The schedule below takes a snapshot every 24 hours at midnight UTC and keeps the 30 most recent snapshots:

aws ec2 create-tags --resources <volume-id> --tags Key=Backup,Value=Daily

aws dlm create-lifecycle-policy \
  --execution-role-arn <role-arn> \
  --description "<policy-name>" \
  --state ENABLED \
  --policy-details '{"ResourceTypes":["VOLUME"],"TargetTags":[{"Key":"Backup","Value":"Daily"}],"Schedules":[{"Name":"DailySnapshots","CreateRule":{"Interval":24,"IntervalUnit":"HOURS","Times":["00:00"]},"RetainRule":{"Count":30}}]}'

To list the snapshot policies, use:

aws dlm get-lifecycle-policies

To confirm the policy has been applied, check for snapshots carrying the aws:dlm:lifecycle-policy-id tag that Lifecycle Manager adds to every snapshot it creates:

aws ec2 describe-snapshots --owner-ids self --filters "Name=tag:aws:dlm:lifecycle-policy-id,Values=<policy-id>"

Backout Plan:

Console Process

  1. Go to the Amazon EC2 Console:

    • Open the EC2 Management Console.

  2. Navigate to Lifecycle Manager:

    • Under Elastic Block Store, click on Lifecycle Manager.

  3. Create a New Policy:

    • Click Create Lifecycle Policy.

    • Select the policy type as EBS Snapshot Management.

  4. Define Policy Details:

    • Specify:

      • Target volumes (e.g., based on tags like Environment=Production).

      • Schedule for taking snapshots.

      • Retention rules (e.g., keep snapshots for 30 days).

    • Save the policy.

CLI Process

Define the Policy in a JSON File (e.g., policy-details.json):

{
    "ResourceTypes": ["VOLUME"],
    "TargetTags": [
        {
            "Key": "Environment",
            "Value": "Production"
        }
    ],
    "Schedules": [
        {
            "Name": "DailySnapshots",
            "CreateRule": {
                "Interval": 24,
                "IntervalUnit": "HOURS"
            },
            "RetainRule": {
                "Count": 30
            }
        }
    ]
}

Create the Lifecycle Policy:

aws dlm create-lifecycle-policy \
  --execution-role-arn <role-arn> \
  --description "EBS Snapshot Lifecycle Policy" \
  --state ENABLED \
  --policy-details file://policy-details.json

Verify the Policy:

aws dlm get-lifecycle-policies
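The Impact section warns that an overly aggressive policy deletes snapshots too early. Whether a policy is aggressive is not obvious from the JSON alone: a count-based RetainRule keeps the N most recent snapshots, so the actual retention depends on how often the CreateRule fires (30 snapshots taken every 24 hours is 30 days; 4 snapshots taken every 12 hours is 2 days). The audit below is an added example, not part of this benchmark or of Lifecycle Manager: it reads a PolicyDetails object of the shape shown above (constructed sample with four schedules), converts each schedule's retention into days, and flags schedules that fall under an assumed organisational floor (MIN_RETENTION_DAYS, not an AWS setting). Months and years are approximated as 30 and 365 days, and count-based retention on a cron CreateRule is reported for manual review rather than guessed.

```python
"""Audit DLM PolicyDetails for retention that is shorter than a required floor.

Constructed example: POLICY_DETAILS has the shape of the `PolicyDetails`
object in `aws dlm get-lifecycle-policy` output (and of policy-details.json).
MIN_RETENTION_DAYS is an assumed organisational floor, not an AWS setting.
"""

MIN_RETENTION_DAYS = 30  # assumed retention floor used by this check

# Approximate length of one DLM age-based retention unit, in days.
UNIT_DAYS = {"DAYS": 1, "WEEKS": 7, "MONTHS": 30, "YEARS": 365}

# Constructed sample: four schedules with different retention styles.
POLICY_DETAILS = {
    "ResourceTypes": ["VOLUME"],
    "TargetTags": [{"Key": "Environment", "Value": "Production"}],
    "Schedules": [
        {"Name": "DailySnapshots",
         "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"]},
         "RetainRule": {"Count": 30}},                      # 30 x 1 day = 30 days
        {"Name": "HourlyScratch",
         "CreateRule": {"Interval": 12, "IntervalUnit": "HOURS"},
         "RetainRule": {"Count": 4}},                       # 4 x 0.5 day = 2 days
        {"Name": "WeeklyCron",
         "CreateRule": {"CronExpression": "cron(0 3 ? * SUN *)"},
         "RetainRule": {"Interval": 2, "IntervalUnit": "WEEKS"}},  # age-based: 14 days
        {"Name": "MonthlyCron",
         "CreateRule": {"CronExpression": "cron(0 3 1 * ? *)"},
         "RetainRule": {"Count": 3}},                       # count on cron: unknown here
    ],
}


def create_interval_days(create_rule):
    """Days between snapshot creations for an interval-based CreateRule.

    Cron-based CreateRules are not parsed; None means the interval is unknown.
    """
    if "CronExpression" in create_rule or "Interval" not in create_rule:
        return None
    if create_rule.get("IntervalUnit", "HOURS") != "HOURS":
        return None
    return create_rule["Interval"] / 24


def retention_days(schedule):
    """Approximate number of days a snapshot from this schedule is kept.

    Age-based RetainRule (Interval/IntervalUnit) maps directly; count-based
    RetainRule (Count) keeps the N most recent snapshots, so the oldest one
    is roughly Count * creation interval old. None if it cannot be derived.
    """
    retain = schedule.get("RetainRule", {})
    if "Interval" in retain:
        return retain["Interval"] * UNIT_DAYS[retain.get("IntervalUnit", "DAYS")]
    if "Count" in retain:
        step = create_interval_days(schedule.get("CreateRule", {}))
        return None if step is None else retain["Count"] * step
    return None


def schedule_retention(policy_details):
    """Map each schedule name to its retention in days (None = unknown)."""
    return {s["Name"]: retention_days(s) for s in policy_details.get("Schedules", [])}


def audit_policy(policy_details, min_days=MIN_RETENTION_DAYS):
    """Findings for schedules that retain less than min_days or cannot be evaluated."""
    findings = []
    for name, days in schedule_retention(policy_details).items():
        if days is None:
            findings.append(f"{name}: retention cannot be derived (count-based "
                            "retention on a cron schedule); review manually")
        elif days < min_days:
            findings.append(f"{name}: snapshots retained ~{days:g} days, "
                            f"below the {min_days}-day floor")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(POLICY_DETAILS) or ["all schedules meet the floor"]:
        print(finding)
```

Run it against the PolicyDetails of every policy returned by `aws dlm get-lifecycle-policies`; a clean run means no schedule in that policy can delete a snapshot younger than the floor, while an "unknown" finding means the schedule needs a human to work out the effective retention.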

Note:

  • Monitoring: Set up CloudWatch metrics and SNS notifications to alert you when snapshots are created, deleted, or fail to be created as per the defined lifecycle policy.

  • Automation: Consider using AWS Backup or other automation tools to back up not only EBS snapshots but also other critical AWS resources.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description | IG1 | IG2 | IG3
  --------|------------|---------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |