Profile Applicability:
• Level 2
Description:
This control ensures that AWS Backup configurations are securely managed by applying access restrictions, enabling logging and monitoring, using encryption, and aligning with organizational recovery and compliance policies.
Rationale:
Securing backups is critical to ensure data integrity, prevent unauthorized restoration or deletion, and meet regulatory and organizational data protection requirements. Mismanaged backup access or insufficient monitoring can expose sensitive data and compromise disaster recovery plans.
Impact:
Pros:
Prevents unauthorized access to backup data
Supports audit and compliance with data protection regulations
Enables secure and traceable backup and restore operations
Cons:
Requires careful configuration of IAM roles, logging, and encryption
Improper policies may block legitimate access or restoration
Added complexity in multi-account or cross-region scenarios
Default Value:
AWS Backup supports security controls, but they are not enabled or enforced by default. Manual configuration is required.
Pre-requisites:
IAM permissions to configure AWS Backup and CloudWatch
AWS KMS keys for encryption
An active backup vault and plan
Optional: SNS topic and CloudTrail for notifications and auditing
Remediation:
Test Plan:
Using AWS Console:
Navigate to AWS Backup
Review backup plan configuration
Verify that the IAM roles used follow the principle of least privilege
Confirm backups are stored in encrypted vaults
Check if logging is enabled via CloudWatch or CloudTrail
Confirm event notifications are set up using SNS
Using AWS CLI:
List backup plans:
aws backup list-backup-plans
Check backup vault encryption:
aws backup describe-backup-vault --backup-vault-name <vault-name>
Validate IAM role policies:
aws iam list-attached-role-policies --role-name <role-name>
Check CloudWatch log groups:
aws logs describe-log-groups
Verify CloudTrail trail exists:
aws cloudtrail describe-trails
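The CLI checks above produce JSON that still has to be judged by hand. The following is an added example, not part of the benchmark, that applies the Test Plan criteria to that JSON: vault backed by a KMS key, only the expected service-role policies attached to the backup role, and at least one CloudTrail trail delivering to S3. The allowed-policy set and the sample records (fake account id and key id) are assumptions; pipe real `aws ... --output json` output into the same functions.

```python
import json

# Policy names the page recommends for the backup role. Anything else attached
# to that role is flagged for least-privilege review (this allowlist is an assumption).
ALLOWED_BACKUP_POLICIES = {
    "AWSBackupServiceRolePolicyForBackup",
    "AWSBackupServiceRolePolicyForRestores",
}

# Constructed sample CLI output with a fake account id and key id (not real resources).
SAMPLE_VAULT = {
    "BackupVaultName": "prod-vault",
    "BackupVaultArn": "arn:aws:backup:us-east-1:111122223333:backup-vault:prod-vault",
    "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
SAMPLE_ROLE_POLICIES = {"AttachedPolicies": [
    {"PolicyName": "AWSBackupServiceRolePolicyForBackup",
     "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]}
SAMPLE_TRAILS = {"trailList": []}

def check_vault(vault):
    """Findings for one `aws backup describe-backup-vault` result."""
    if not vault.get("EncryptionKeyArn", "").startswith("arn:aws:kms:"):
        return ["vault is not backed by a KMS key"]
    return []

def check_role_policies(attached):
    """Findings for `aws iam list-attached-role-policies` output."""
    return [f"unexpected policy on backup role: {p['PolicyArn']}"
            for p in attached.get("AttachedPolicies", [])
            if p.get("PolicyName") not in ALLOWED_BACKUP_POLICIES]

def check_trails(trails):
    """Findings for `aws cloudtrail describe-trails` output."""
    if any(t.get("S3BucketName") for t in trails.get("trailList", [])):
        return []
    return ["no CloudTrail trail delivering to S3"]

def run_checks(vault, role_policies, trails):
    """Map of check name to findings; an empty map means the control passes."""
    results = {"vault": check_vault(vault),
               "role": check_role_policies(role_policies),
               "cloudtrail": check_trails(trails)}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_VAULT, SAMPLE_ROLE_POLICIES, SAMPLE_TRAILS), indent=2))
```

On the constructed sample the vault passes, while the role (AdministratorAccess attached) and the missing trail are reported as findings.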
Implementation Plan:
Using AWS Console:
Go to AWS Backup
Select or create a Backup Vault, and ensure encryption is enabled using an AWS-managed or customer-managed KMS key
Assign IAM roles with least privilege to backup operations
Enable AWS Backup Audit Manager to continuously evaluate backup activity
Create or update a CloudTrail trail to track backup activity
Integrate CloudWatch and SNS for event notifications
Document all backup and restore roles and assign responsibility
Using AWS CLI:
Encrypt a new backup vault using a KMS key:
aws backup create-backup-vault --backup-vault-name <vault-name> --encryption-key-arn <kms-key-arn>
Attach a least-privilege IAM policy to the role:
aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
Create an AWS Backup Audit Manager framework:
aws backup create-framework --framework-name <framework-name> --framework-controls <controls-json>
Enable CloudTrail for backup actions:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name>
Create an SNS topic and subscribe your email:
aws sns create-topic --name <topic-name>
aws sns subscribe --topic-arn <topic-arn> --protocol email --notification-endpoint <your-email>
Backout Plan:
Using AWS Console:
Navigate to AWS Backup
Select the Backup Vault and delete it if needed
Revoke IAM roles or policies that were added
Delete associated CloudTrail trails or CloudWatch log groups if no longer needed
Unsubscribe and delete SNS topics related to backup alerts
Using AWS CLI:
Delete backup vault:
aws backup delete-backup-vault --backup-vault-name <vault-name>
Detach IAM policy:
aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
Delete CloudTrail trail:
aws cloudtrail delete-trail --name <trail-name>
Delete SNS topic:
aws sns delete-topic --topic-arn <topic-arn>