20 October 2023

The Double-Edged Sword of AWS Backup Vault Lock: Guarding Against Ransom Attacks but at What Cost?

Introduction: AWS Backup Vault Lock as a Shield Against Ransom Attacks

In the digital age, cybersecurity threats like ransom attacks are a constant worry for businesses. With malevolent actors aiming to lock access to critical data and demanding ransom for its release, ensuring data safety has never been more important. One tool in the arsenal against such threats is AWS Backup Vault Lock. It offers a solid defense mechanism by making your backups immutable, ensuring that even if attackers manage to infiltrate your system, your backup data remains untouched and accessible.

The Hidden Danger: Neglecting Retention Time on Vault Lock

While the AWS Backup Vault Lock promises unwavering protection, there’s a potential pitfall that could render its advantages moot - the omission of setting MaxRetentionDays.

Failing to set a maximum retention time on the Backup Vault means it can accept backups with unlimited retention. Consequently, if a long retention period, spanning several years, is specified on the backup itself, locked backups can accumulate nearly indefinitely. As the data snowballs, so does its associated cost. For businesses, especially those with expansive and complex systems, this can mean storage costs spiraling out of control. At some point the backups lose their value, yet because they are locked they continue to drain resources.

A hypothetical scenario: Let’s say the uncontrolled backups, over a period, lead to costs surpassing half a million dollars annually. It might sound far-fetched, but for extensive enterprise systems, this is a looming reality.

The Unpleasant Dilemma: Growing Costs or Painful Migration

With an ever-bloating backup system, businesses face a dilemma. One option is to swallow the rising and daily recurring costs, a financial sinkhole with no end in sight. The second, equally unappealing, is account deletion, because yes, that’s the only other way out.

Account deletion is not a straightforward “reset button”. Before this drastic measure, everything within the account must be migrated elsewhere. For large-scale operations, this migration can bear a price tag running into millions. Beyond the financial ramifications, there’s the operational nightmare. Redirecting resources to manage this migration can derail business roadmaps for years, stalling growth and innovation.

Conclusion: Treading with Caution

The AWS Backup Vault Lock, while being a formidable defense against ransom attacks, requires careful configuration. By setting MaxRetentionDays, businesses can harness its protective benefits while sidestepping the trap of uncontrolled costs. As with many advanced tools, it’s crucial to understand their full implications to ensure they serve as solutions, not stumbling blocks.
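One way to check for this misconfiguration, as an added example that is not from the original article: the function below flags locked vaults that have no MaxRetentionDays, using the Locked, MaxRetentionDays and LockDate fields that the AWS Backup ListBackupVaults API returns. The vault names and dates in SAMPLE_VAULTS are constructed, and fetch_vaults assumes boto3 and read credentials are available.

```python
from datetime import datetime, timezone

def audit_vault_locks(vaults, now=None):
    """Return (vault name, lock state) for locked vaults without MaxRetentionDays."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for v in vaults:
        if not v.get("Locked"):
            continue  # no Vault Lock: recovery points can still be deleted
        if v.get("MaxRetentionDays") is not None:
            continue  # the vault rejects backups retained longer than the cap
        lock_date = v.get("LockDate")
        if lock_date is None:
            state = "governance mode: lock can still be changed or removed"
        elif lock_date > now:
            state = "compliance mode, grace period: fix before LockDate"
        else:
            state = "compliance mode, immutable: lock can no longer be changed"
        findings.append((v["BackupVaultName"], state))
    return findings


def fetch_vaults(region):
    """Collect vault entries from the live API (needs boto3 and credentials)."""
    import boto3  # imported here so the audit logic runs without it
    client = boto3.client("backup", region_name=region)
    pages = client.get_paginator("list_backup_vaults").paginate()
    return [v for page in pages for v in page["BackupVaultList"]]


UTC = timezone.utc
# Constructed sample data shaped like ListBackupVaults entries.
SAMPLE_VAULTS = [
    {"BackupVaultName": "prod-locked-uncapped", "Locked": True,
     "MinRetentionDays": 7, "LockDate": datetime(2023, 1, 1, tzinfo=UTC)},
    {"BackupVaultName": "prod-locked-capped", "Locked": True,
     "MaxRetentionDays": 365, "LockDate": datetime(2023, 1, 1, tzinfo=UTC)},
    {"BackupVaultName": "staging-grace", "Locked": True,
     "LockDate": datetime(2023, 10, 25, tzinfo=UTC)},
    {"BackupVaultName": "dev-unlocked", "Locked": False},
]

if __name__ == "__main__":
    for name, state in audit_vault_locks(SAMPLE_VAULTS):
        print(f"{name}: no MaxRetentionDays ({state})")
```

A vault reported in the grace period is the one case where a compliance-mode lock can still be corrected, so those findings are the most time-sensitive.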
