Profile Applicability:
 • Level 2

Description:

AWS Backup is a managed AWS service that enables you to create and automate backups of supported AWS services and on-premises data, improving data durability and aiding disaster recovery. Backups are stored as recovery points in backup vaults and are managed centrally through AWS Backup.

Rationale:

Implementing storage backups ensures that critical data can be restored in case of accidental deletion, data corruption, or malicious attacks such as ransomware. AWS Backup provides centralized backup management, enabling organizations to define backup policies and automate the backup process across services, ensuring regulatory compliance and business continuity.

Impact:

Pros:

  • Ensures data durability and availability

  • Facilitates compliance with disaster recovery and data retention regulations

  • Automates and centralizes backup management

Cons:

  • Additional cost for storage and backup operations

  • Misconfigurations may result in incomplete backups or policy gaps

  • Requires proper IAM role and permission management

Default Value:

AWS Backup is not enabled by default. Backups must be explicitly configured and assigned to resources or resource tags.

Pre-requisites:

  • IAM role with appropriate AWS Backup and KMS permissions

  • Defined backup vault

  • Optional: resource tagging strategy to simplify assignments

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to AWS Backup

  3. Check if backup plans are created

  4. Confirm that resources are assigned to backup plans

  5. Verify vault encryption settings and backup retention policies

  6. Validate recovery points exist in the vault

Using AWS CLI:

  1. List backup plans:

     aws backup list-backup-plans

  2. List recovery points in the vault:

     aws backup list-recovery-points-by-backup-vault --backup-vault-name <vault-name>

  3. Check if resources are assigned to plans:

     aws backup list-backup-selections --backup-plan-id <backup-plan-id>
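The three CLI checks above return JSON; deciding whether the account passes still means reading that JSON by hand. The script below is an added example (not part of the benchmark) that applies the checks from the Test Plan to those outputs: every plan must have at least one resource selection, the vault must hold a COMPLETED recovery point that is recent, and every recovery point must be encrypted. The sample dictionaries are constructed to mimic the shape of the three commands' output, and the two-day freshness threshold is an assumption; against a real account, replace the samples with the `run_cli` results.

```python
"""Audit AWS Backup coverage from the JSON the three CLI checks return."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed threshold: the newest COMPLETED recovery point must be no older than this.
MAX_RECOVERY_POINT_AGE = timedelta(days=2)


def run_cli(*args):
    """Run one `aws backup ...` command and parse its JSON output.

    Not called by the sample run below; use it against a real account, e.g.
    run_cli("list-backup-plans") or
    run_cli("list-recovery-points-by-backup-vault", "--backup-vault-name", "<vault-name>").
    """
    out = subprocess.check_output(["aws", "backup", *args, "--output", "json"])
    return json.loads(out)


def audit(plans, selections_by_plan, recovery_points, now):
    """Return a list of finding strings; an empty list means every check passed.

    plans:              output of `list-backup-plans`
    selections_by_plan: {BackupPlanId: output of `list-backup-selections` for that plan}
    recovery_points:    output of `list-recovery-points-by-backup-vault`
    now:                timezone-aware datetime used to judge recovery point age
    """
    findings = []
    plan_list = plans.get("BackupPlansList", [])
    if not plan_list:
        findings.append("no backup plans exist")
    for plan in plan_list:
        plan_id = plan["BackupPlanId"]
        selections = selections_by_plan.get(plan_id, {}).get("BackupSelectionsList", [])
        if not selections:
            findings.append(f"plan {plan['BackupPlanName']} ({plan_id}) has no resource selection")

    points = recovery_points.get("RecoveryPoints", [])
    completed = [p for p in points if p.get("Status") == "COMPLETED"]
    if not completed:
        findings.append("vault has no COMPLETED recovery points")
    else:
        # The CLI emits CreationDate as an ISO 8601 timestamp with a UTC offset.
        newest = max(datetime.fromisoformat(p["CreationDate"]) for p in completed)
        age = now - newest
        if age > MAX_RECOVERY_POINT_AGE:
            findings.append(f"newest recovery point is {age.days} days old")
    for p in points:
        if not p.get("IsEncrypted", False):
            findings.append(f"recovery point {p['RecoveryPointArn']} is not encrypted")
    return findings


# Constructed sample data mimicking the three command outputs (not from a real account).
SAMPLE_PLANS = {"BackupPlansList": [
    {"BackupPlanId": "plan-0001", "BackupPlanName": "daily-prod"},
    {"BackupPlanId": "plan-0002", "BackupPlanName": "orphan-plan"},
]}
SAMPLE_SELECTIONS = {
    "plan-0001": {"BackupSelectionsList": [{
        "SelectionId": "sel-0001", "SelectionName": "tagged-prod", "BackupPlanId": "plan-0001",
        "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"}]},
    "plan-0002": {"BackupSelectionsList": []},
}
SAMPLE_POINTS = {"RecoveryPoints": [
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-aaaa",
     "ResourceArn": "arn:aws:rds:us-east-1:123456789012:db:prod-db",
     "Status": "COMPLETED", "CreationDate": "2024-05-03T05:00:00+00:00", "IsEncrypted": True},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-bbbb",
     "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-0abc",
     "Status": "COMPLETED", "CreationDate": "2024-04-20T05:00:00+00:00", "IsEncrypted": False},
]}
SAMPLE_NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def audit_sample(days_later=0):
    """Run the audit over the constructed sample, optionally pretending `days_later` days have passed."""
    return audit(SAMPLE_PLANS, SAMPLE_SELECTIONS, SAMPLE_POINTS, SAMPLE_NOW + timedelta(days=days_later))


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

Run as-is, the sample produces two findings: the plan with no selection (a plan that backs up nothing) and the unencrypted recovery point. Pass `audit_sample(5)` to see the staleness check fire as well; in a real audit, a stale newest recovery point usually means the plan's schedule or its IAM role is broken even though the plan exists.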

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to AWS Backup

  3. Click Create Backup Plan

  4. Choose to build a new plan or use a template

  5. Set backup frequency, lifecycle, and destination vault

  6. Assign resources via tags or direct selection

  7. Enable continuous backup if required

  8. Save the configuration

Using AWS CLI:

  1. Create a backup vault:

     aws backup create-backup-vault --backup-vault-name <vault-name>

  2. Create a backup plan file backup-plan.json and run:

     aws backup create-backup-plan --backup-plan file://backup-plan.json

  3. Create a selection JSON file selection.json and run:

     aws backup create-backup-selection --backup-plan-id <plan-id> --backup-selection file://selection.json
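The steps above refer to backup-plan.json and selection.json without showing their contents. The script below is an added example (not part of the benchmark) that builds both files with the field names of the AWS Backup CreateBackupPlan and CreateBackupSelection request bodies, and checks the lifecycle rules AWS enforces before the plan is submitted: a recovery point must be retained at least 90 days beyond its transition to cold storage, and continuous (point-in-time) backups are limited to 35 days and cannot use cold storage. The vault name, role ARN, tag key and schedule are placeholder assumptions.

```python
"""Build backup-plan.json and selection.json for the CLI steps above."""
import json

# Placeholder assumptions: replace with the vault from step 1 and your backup service role.
VAULT_NAME = "prod-backup-vault"
BACKUP_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"

# Lifecycle constraints AWS Backup enforces when the plan is created.
COLD_STORAGE_MIN_GAP_DAYS = 90       # DeleteAfterDays must be >= MoveToColdStorageAfterDays + 90
CONTINUOUS_MAX_RETENTION_DAYS = 35   # continuous (point-in-time) backups keep at most 35 days


def lifecycle_errors(cold_after_days, delete_after_days, continuous):
    """Return the reasons a lifecycle would be rejected; an empty list means it is valid."""
    errors = []
    if delete_after_days < 1:
        errors.append("DeleteAfterDays must be at least 1")
    if continuous:
        if delete_after_days > CONTINUOUS_MAX_RETENTION_DAYS:
            errors.append(f"continuous backups cannot be retained longer than {CONTINUOUS_MAX_RETENTION_DAYS} days")
        if cold_after_days is not None:
            errors.append("continuous backups cannot be moved to cold storage")
    elif cold_after_days is not None and delete_after_days < cold_after_days + COLD_STORAGE_MIN_GAP_DAYS:
        errors.append(f"DeleteAfterDays must be at least {COLD_STORAGE_MIN_GAP_DAYS} days after MoveToColdStorageAfterDays")
    return errors


def backup_plan(name, vault, schedule, delete_after_days, cold_after_days=None, continuous=False):
    """Return a CreateBackupPlan request body with one rule; raise ValueError on an invalid lifecycle."""
    errors = lifecycle_errors(cold_after_days, delete_after_days, continuous)
    if errors:
        raise ValueError("; ".join(errors))
    lifecycle = {"DeleteAfterDays": delete_after_days}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": f"{name}-rule",
            "TargetBackupVaultName": vault,
            "ScheduleExpression": schedule,   # AWS cron syntax; cron(0 5 ? * * *) is daily at 05:00 UTC
            "StartWindowMinutes": 60,         # how long a scheduled job may wait before starting
            "CompletionWindowMinutes": 180,   # how long a started job may run before it is cancelled
            "Lifecycle": lifecycle,
            "EnableContinuousBackup": continuous,
        }],
    }


def backup_selection(name, role_arn, tag_key, tag_value, resources=None):
    """Return a CreateBackupSelection body that picks resources by tag, plus optional explicit ARNs."""
    body = {
        "SelectionName": name,
        "IamRoleArn": role_arn,   # role AWS Backup assumes; needs backup and KMS permissions
        "ListOfTags": [{"ConditionType": "STRINGEQUALS", "ConditionKey": tag_key, "ConditionValue": tag_value}],
    }
    if resources:
        body["Resources"] = list(resources)
    return body


def write_files(plan_path="backup-plan.json", selection_path="selection.json"):
    """Write both files so the two `aws backup create-*` commands above can consume them."""
    plan = backup_plan("daily-prod", VAULT_NAME, "cron(0 5 ? * * *)", delete_after_days=120, cold_after_days=30)
    selection = backup_selection("tagged-prod", BACKUP_ROLE_ARN, "backup", "true")
    with open(plan_path, "w") as fh:
        json.dump(plan, fh, indent=2)
    with open(selection_path, "w") as fh:
        json.dump(selection, fh, indent=2)
    return plan, selection


if __name__ == "__main__":
    write_files()
    print("wrote backup-plan.json and selection.json")
```

Selecting resources by tag (here `backup=true`) rather than by explicit ARN means newly created resources carrying the tag are picked up by the plan automatically, which is the tagging strategy the Pre-requisites section mentions; listing ARNs in `Resources` is still useful for resources that cannot be tagged consistently.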

Backout Plan:

Using AWS Console:

  1. Navigate to AWS Backup

  2. Select the Backup Plan to delete

  3. Remove assigned resources under Resource Assignments

  4. Delete the Backup Plan and optionally the Vault

Using AWS CLI:

  1. Delete backup selection:

     aws backup delete-backup-selection --backup-plan-id <plan-id> --selection-id <selection-id>

  2. Delete backup plan:

     aws backup delete-backup-plan --backup-plan-id <plan-id>

  3. Delete backup vault:

     aws backup delete-backup-vault --backup-vault-name <vault-name>

References: