5 November 2021

Ransomware Mitigation: The New Vault Lock for AWS Backup

Very recently, AWS announced Vault Lock for AWS Backup. This new feature protects backups from accidental or malicious actions. Behind the scenes, the extra safeguard works by storing backups using a Write-Once-Read-Many (WORM) model.
Additionally, using a simple setting, you can now also prevent users from deleting backups or changing their retention periods, providing an additional layer of data protection!

The main reason to rehash this? Unique features like this seem to stay under the radar far too often. Secondly, if you already use AWS Backup, enabling this extra protection is almost effortless.

Here’s an example of an AWS Backup vault with Vault Lock enabled, in CloudFormation:

  SomeBackupVault:
    Type: AWS::Backup::BackupVault
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BackupVaultName: SomeBackupVault
      Notifications:
        BackupVaultEvents:
          - BACKUP_JOB_FAILED
          - BACKUP_JOB_EXPIRED
        SNSTopicArn: !Ref AlertSnsTopic
      LockConfiguration:
        ChangeableForDays: 3
        MaxRetentionDays: 180
        MinRetentionDays: 14

  SomeBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: SomeBackupPlan
        BackupPlanRule:
          - RuleName: Daily14DaysRetention
            TargetBackupVault: !Ref SomeBackupVault
            ScheduleExpression: "cron(0 2 * * ? *)"
            StartWindowMinutes: 60
            Lifecycle:
              DeleteAfterDays: 14

  TagBasedBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupSelection:
        SelectionName: TagBasedBackupSelection
        IamRoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup
            ConditionValue: daily
      BackupPlanId: !Ref SomeBackupPlan

The new properties that enable Vault Lock sit under the LockConfiguration key of the AWS::Backup::BackupVault resource:

  • ChangeableForDays: specifies the number of days before the lock date. For example, setting ChangeableForDays to 30 on Jan. 1, 2022 at 8pm UTC will set the lock date to Jan. 31, 2022 at 8pm UTC. AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable. Therefore, you must set ChangeableForDays to 3 or greater.
  • MaxRetentionDays: specifies the maximum retention period that the vault retains its recovery points.
  • MinRetentionDays: specifies the minimum retention period that the vault retains its recovery points.

From: AWS::Backup::BackupVault LockConfigurationType
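The constraints listed above are easy to get wrong when a vault and its backup plan live in the same template: a rule whose DeleteAfterDays falls outside [MinRetentionDays, MaxRetentionDays] will fail against a locked vault, and a ChangeableForDays below 3 is rejected by AWS Backup. The following is an added pre-deployment check, not code from the original post or from AWS; it assumes the template above rendered as a plain Python dict (a constructed stand-in, with !Ref written as {"Ref": ...}) and also flags vaults that have no LockConfiguration at all.

```python
from datetime import datetime, timedelta, timezone

COOLING_OFF_DAYS = 3  # AWS Backup enforces a 72-hour cooling-off period before the lock becomes immutable
EXAMPLE_NOW = datetime(2022, 1, 1, 20, tzinfo=timezone.utc)  # the "Jan. 1, 2022 at 8pm UTC" from the text

# Constructed stand-in for the template above (vault and plan only, !Ref rendered as {"Ref": ...}).
RESOURCES = {
    "SomeBackupVault": {"Type": "AWS::Backup::BackupVault", "Properties": {
        "BackupVaultName": "SomeBackupVault",
        "LockConfiguration": {"ChangeableForDays": 3, "MaxRetentionDays": 180, "MinRetentionDays": 14}}},
    "SomeBackupPlan": {"Type": "AWS::Backup::BackupPlan", "Properties": {"BackupPlan": {
        "BackupPlanName": "SomeBackupPlan",
        "BackupPlanRule": [{"RuleName": "Daily14DaysRetention",
                            "TargetBackupVault": {"Ref": "SomeBackupVault"},
                            "Lifecycle": {"DeleteAfterDays": 14}}]}}},
}

def lock_date(changeable_for_days, now=EXAMPLE_NOW):
    """Lock date = now + ChangeableForDays; after it the lock can no longer be changed or deleted."""
    return now + timedelta(days=changeable_for_days)

def check_vault_locks(resources):
    """Return findings about Vault Lock settings; an empty list means the template is consistent."""
    findings, locks = [], {}
    for name, res in resources.items():
        if res["Type"] != "AWS::Backup::BackupVault":
            continue
        lock = res["Properties"].get("LockConfiguration")
        if lock is None:
            findings.append(f"{name}: no LockConfiguration, recovery points can still be deleted")
            continue
        locks[name] = lock
        days = lock.get("ChangeableForDays")
        if days is None:
            findings.append(f"{name}: ChangeableForDays unset, the lock itself can still be removed")
        elif days < COOLING_OFF_DAYS:
            findings.append(f"{name}: ChangeableForDays={days} is below the {COOLING_OFF_DAYS}-day minimum")
    for name, res in resources.items():
        if res["Type"] != "AWS::Backup::BackupPlan":
            continue
        for rule in res["Properties"]["BackupPlan"]["BackupPlanRule"]:
            target = rule["TargetBackupVault"]
            lock = locks.get(target["Ref"] if isinstance(target, dict) else target)
            if lock is None:
                continue  # unlocked or external vault: nothing to check against
            lo, hi = lock.get("MinRetentionDays", 0), lock.get("MaxRetentionDays", float("inf"))
            keep = rule.get("Lifecycle", {}).get("DeleteAfterDays", float("inf"))  # no lifecycle = keep forever
            if not lo <= keep <= hi:
                findings.append(f"{rule['RuleName']}: retention {keep} days is outside the locked range [{lo}, {hi}]")
    return findings
```

Run it as part of the pipeline that deploys the stack; a non-empty list is a reason to stop before the 72-hour cooling-off clock starts.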

If you want to go more in-depth on this feature, check out: Enhance the security posture of your backups with AWS Backup Vault Lock. You’ll also find a step-by-step walkthrough for enabling this feature through the AWS Web Console in that post.

Enjoy, and until next time!