Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon Elastic Block Store (EBS) volumes are protected by a backup plan, which typically involves regularly scheduled EBS snapshots. Snapshots provide data redundancy and disaster recovery capabilities, allowing for the restoration of volumes in case of failure, accidental deletion, or data corruption. Implementing a backup strategy ensures business continuity and compliance with regulatory requirements for data protection. 

Rationale:

EBS volumes often contain critical data for applications, databases, or system configurations. Without a proper backup plan, the data on these volumes is vulnerable to loss or corruption. Regular snapshots and automated backup strategies ensure that data can be recovered in the event of hardware failure, user error, or disaster. This practice aligns with industry standards and regulatory frameworks like CIS, ISO 27001, SOC 2, and NIST 800-53. 

Impact:

  • Positive Impact: Enhances data durability and availability by ensuring that critical EBS data is backed up regularly and can be restored if needed.

  • Negative Impact: Backups may incur additional costs for storage, especially if snapshots are retained for long periods. 

Default Value:

By default, AWS does not automatically create backups for EBS volumes, and snapshot schedules must be set up manually or via automated tools. 

Pre-Requisite:

  • IAM permissions required: ec2:CreateSnapshot, ec2:DescribeSnapshots, ec2:DeleteSnapshot, ec2:CreateVolumeFromSnapshot.
  • AWS Backup or other backup solutions should be configured for automatic snapshot creation and retention policies.

Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 → Volumes.
  3. For each EBS volume, check the Snapshots tab to see if automated snapshots are being created.
  4. Ensure that there are regular snapshots for each volume, especially for critical production environments.
  5. If any critical volumes lack snapshots or are not included in an automated backup plan, they are non-compliant.
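The console steps above can be scripted for accounts with many volumes. The following is an added example (not part of this benchmark) that applies the same test: it takes data in the shape of the EC2 DescribeVolumes and DescribeSnapshots responses and reports every volume whose newest completed snapshot is missing or older than a chosen age. The sample volumes and snapshots are constructed; the optional `fetch_from_aws` helper uses boto3 to pull the same data from a real account and is an assumption about how a reader would wire it in.

```python
"""Audit EBS volumes for recent completed snapshots (added example, not from the benchmark)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: one volume backed up yesterday, one with only a stale
# snapshot plus a failed recent one, and one with no snapshot at all.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"VolumeId": "vol-0bbb", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"VolumeId": "vol-0ccc", "Tags": []},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-1", "VolumeId": "vol-0aaa", "State": "completed",
     "StartTime": NOW - timedelta(hours=20)},
    {"SnapshotId": "snap-2", "VolumeId": "vol-0bbb", "State": "completed",
     "StartTime": NOW - timedelta(days=9)},
    {"SnapshotId": "snap-3", "VolumeId": "vol-0bbb", "State": "error",
     "StartTime": NOW - timedelta(hours=2)},   # failed snapshot must not count
]


def latest_completed_snapshot(volume_id, snapshots):
    """Newest StartTime among completed snapshots of this volume, or None."""
    times = [s["StartTime"] for s in snapshots
             if s["VolumeId"] == volume_id and s["State"] == "completed"]
    return max(times) if times else None


def audit_volumes(volumes, snapshots, now, max_age=timedelta(days=1)):
    """Return {volume_id: reason} for every volume that fails the backup check."""
    findings = {}
    for vol in volumes:
        latest = latest_completed_snapshot(vol["VolumeId"], snapshots)
        if latest is None:
            findings[vol["VolumeId"]] = "no completed snapshot"
        elif now - latest > max_age:
            findings[vol["VolumeId"]] = f"latest snapshot is {(now - latest).days} days old"
    return findings


def fetch_from_aws(region_name):
    """Optional live fetch via boto3 (needs credentials; not executed by default).
    Uses the ec2 describe_volumes / describe_snapshots paginators."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    snapshots = [s for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
                 for s in page["Snapshots"]]
    return volumes, snapshots


if __name__ == "__main__":
    for vol_id, reason in audit_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW).items():
        print(f"NON-COMPLIANT {vol_id}: {reason}")
```

Only snapshots in the `completed` state are counted, so a failed or still-pending snapshot does not make a volume look protected. The `max_age` threshold should match the backup schedule the organisation has chosen (one day for a daily plan).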

Implementation Plan 

Using AWS Console:

  1. Navigate to EC2 → Volumes.

  2. Identify critical EBS volumes that do not have backup snapshots or protection in place.

  3. Set up a backup plan using AWS Backup or AWS Lambda for automated snapshot creation:

    • Navigate to AWS Backup → Backup plans → Create a backup plan.

    • Define the backup schedule (e.g., daily, weekly) and retention period.

    • Add EBS volumes as the resource type for backups.

  4. For each unprotected volume, either manually create an initial snapshot or schedule a snapshot as part of the backup plan.

  5. Verify that all EBS volumes are backed up regularly and are protected by a clear retention policy for the snapshots.

  6. Implement CloudWatch or SNS notifications to alert administrators if snapshots fail or are missed during the scheduled backup.
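Steps 3 to 5 above describe a backup plan with a schedule, a retention period and EBS volumes as the selected resource. The following is an added example (not from the benchmark or from AWS) that builds those two documents in the shape accepted by the AWS Backup CreateBackupPlan and CreateBackupSelection APIs, checks them against a minimum retention before anything is applied, and only calls the service through boto3 in the optional `apply_plan` helper. The vault name, plan name, cron schedule, retention of 35 days and the IAM role ARN are assumptions chosen for illustration.

```python
"""Build and validate an AWS Backup plan covering EBS volumes (added example)."""
import re


def build_backup_plan(name, vault, schedule="cron(0 5 ? * * *)", retention_days=35):
    """Daily plan; recovery points are deleted after retention_days (assumed values)."""
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": f"{name}-daily",
            "TargetBackupVaultName": vault,
            "ScheduleExpression": schedule,   # cron() expression, evaluated in UTC
            "StartWindowMinutes": 60,         # how long a job may wait before starting
            "CompletionWindowMinutes": 180,   # how long a started job may run
            "Lifecycle": {"DeleteAfterDays": retention_days},
        }],
    }


def build_ebs_selection(name, role_arn):
    """Assign every EBS volume in the account to the plan.
    Narrow with the ListOfTags condition list if only tagged volumes should be covered."""
    return {
        "SelectionName": name,
        "IamRoleArn": role_arn,
        "Resources": ["arn:aws:ec2:*:*:volume/*"],
    }


_CRON = re.compile(r"^cron\([^)]+\)$")


def validate_plan(plan, min_retention_days=7):
    """Return a list of problems; an empty list means the plan passes the checks."""
    problems = []
    if not plan.get("Rules"):
        problems.append("plan has no rules")
    for rule in plan.get("Rules", []):
        if not _CRON.match(rule.get("ScheduleExpression", "")):
            problems.append(f"{rule['RuleName']}: schedule is not a cron() expression")
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if keep is None or keep < min_retention_days:
            problems.append(f"{rule['RuleName']}: retention below {min_retention_days} days")
    return problems


def apply_plan(plan, selection, region_name):
    """Create the plan and its selection in an account (needs credentials; not run here)."""
    import boto3
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    backup = boto3.client("backup", region_name=region_name)
    plan_id = backup.create_backup_plan(BackupPlan=plan)["BackupPlanId"]
    backup.create_backup_selection(BackupPlanId=plan_id, BackupSelection=selection)
    return plan_id


if __name__ == "__main__":
    plan = build_backup_plan("ebs-daily", "Default")
    selection = build_ebs_selection(
        "all-ebs-volumes",
        "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole",  # assumed ARN
    )
    print("problems:", validate_plan(plan) or "none")
    # apply_plan(plan, selection, "us-east-1")   # uncomment to create it in an account
```

The `validate_plan` gate is where the retention policy from step 5 is enforced: a plan whose recovery points are deleted sooner than the organisation's minimum, or whose schedule is not a cron expression, is rejected before it is ever created.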

Backout Plan:

Using AWS Console:

  1. If a volume’s backup plan or snapshot configuration causes disruptions, temporarily disable the backup schedule and revert to manual snapshot creation until a stable configuration is achieved.
  2. Review and adjust the backup retention policy to balance cost versus data protection requirements.

References: