Logically air-gapped vault - AWS Backup

Logically air-gapped vault

Overview of logically air gapped vaults

AWS Backup offers a secondary type of vault which can store copies of backups in a container with additional security features. A logically air-gapped vault is a specialized vault which provides increased security beyond a standard backup vault, as well as the ability to share vault access to other accounts so that recovery time objectives (RTOs) can be faster and more flexible in case of an incident that requires rapid restoration of resources.

Logically air-gapped vaults come equipped with additional protection features; each vault is encrypted with an AWS owned key, and each vault is equipped with AWS Backup Vault Lock's compliance mode.

You can choose to integrate with AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other AWS accounts (including accounts in other organizations) so that the backups stored within the vault can be restored from an account with which the vault is shared, if needed for data loss recovery or restore testing.

You can view the storage pricing for backups of supported services in a logically air-gapped vault on the AWS Backup pricing page.

See Feature availability by resource for resource types you can copy to a logically air-gapped vault.

Use case for logically air-gapped vaults

A logically air-gapped vault is a secondary vault that serves as part of a data protection strategy. This vault can help enhance your organization's retention strategy and recovery when you desire a vault for your backups that

  • Is automatically set with a vault lock in compliance mode

  • Comes encrypted with an AWS owned key

  • Contains backups which, through AWS RAM, can be shared with and restored from a different account than the one that created the backup

Considerations and limitations

  • Cross-Region copy to or from a logically air-gapped vault is not currently available for backups that contain Amazon Aurora, Amazon DocumentDB, and Amazon Neptune.

  • A backup containing one or more Amazon EBS volumes that is copied into a logically air-gapped vault must be smaller than 16 TB; backups for this resource type that are greater in size are not supported.

  • Amazon S3 support for logically air-gapped vaults is only available in Regions that do not require opt-in.

  • The ARN (Amazon Resource Name) of a recovery point stored in a logically air-gapped vault will have backup as its service segment in place of the underlying resource type. For example, if the original ARN begins with arn:aws:ec2:region::image/ami-*, then the ARN of the recovery point in the logically air-gapped vault will be arn:aws:backup:region:account-id:recovery-point:*.

    You can use the CLI command list-recovery-points-by-backup-vault to determine the ARN.

Compare and contrast with a standard backup vault

A backup vault is the primary and standard type of vault used in AWS Backup. Each backup is stored in a backup vault when the backup is created. You can assign resource-based policies to manage backups stored in the vault, such as the lifecycle of backups stored within the vault.

A logically air-gapped vault is a specialized vault with additional security and flexible sharing for faster recovery time (RTO). This vault stores copies of backups that were initially created and stored within a standard backup vault.

Backup vaults can be encrypted with a key, a security mechanism that limits access to intended users. These keys can be customer managed or AWS managed. Additionally, a backup vault can have additional security through a vault lock; logically air-gapped vaults come equipped with a vault lock in compliance mode.

For resource types fully managed by AWS Backup, a backup cannot be copied into a logically air-gapped vault unless a KMS key was manually set or changed at the time the original resource was created.

Feature: AWS Backup Audit Manager
  Backup vault: You can use AWS Backup Audit Manager Controls and remediation to monitor your backup vaults.
  Logically air-gapped vault: Ensure a copy of a backup of a specific resource has been copied to at least one logically air-gapped vault on a schedule you determine, in addition to controls available to standard vaults.

Feature: Backup creation
  Backup vault: When a backup is created, it is stored as a recovery point.
  Logically air-gapped vault: Backups are not stored in this vault upon creation.

Feature: Backup storage
  Backup vault: Can store initial backups of resources and copies of backups.
  Logically air-gapped vault: Can store copies of backups from other vaults.

Feature: Billing
  Backup vault: Storage and data transfer charges for resources fully managed by AWS Backup occur under "AWS Backup". Other resource type storage and data transfer charges will occur under their respective services. For example, Amazon EBS backups will show under "Amazon EBS"; Amazon S3 backups will show under "AWS Backup".
  Logically air-gapped vault: All billing charges from these vaults (storage or data transfer) occur under "AWS Backup".

Feature: Regions
  Backup vault: Available in all Regions in which AWS Backup operates.
  Logically air-gapped vault: Available in most Regions supported by AWS Backup. Not currently available in Asia Pacific (Malaysia), Canada West (Calgary), China (Beijing), China (Ningxia), AWS GovCloud (US-East), or AWS GovCloud (US-West).

Feature: Resources
  Logically air-gapped vault: Can store copies of backups for most resource types that support cross-account copy. Amazon RDS and Amazon FSx backup copies cannot currently be stored in these vaults.

Feature: Restore
  Backup vault: Backups can be restored by the same account to which the vault belongs.
  Logically air-gapped vault: Backups can be restored by a different account than the one to which the vault belongs if the vault is shared with that separate account.

Feature: Security
  Backup vault: Can optionally be encrypted with a key (customer managed or AWS managed). Can optionally use a vault lock in compliance or governance mode.
  Logically air-gapped vault: Is encrypted with an AWS owned key. Is always locked with a vault lock in compliance mode.

Feature: Sharing
  Backup vault: Access can be managed through policies and AWS Organizations. Not compatible with AWS RAM.
  Logically air-gapped vault: Can optionally be shared across accounts using AWS RAM.

Create a logically air-gapped vault

You can create a logically air-gapped vault either through the AWS Backup console or through a combination of AWS Backup and AWS RAM CLI commands.

Each logically air-gapped vault comes equipped with a vault lock in compliance mode. See AWS Backup Vault Lock to help determine the retention period values most appropriate for your operation.

Console
Create a logically air-gapped vault from the console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, select Vaults.

  3. Both types of vaults will be displayed. Select Create new vault.

  4. Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups.

  5. Select the radio button for Logically air-gapped vault.

  6. Set the Minimum retention period.

    This value (in days, months, or years) is the shortest amount of time a backup can be retained in this vault. Backups with retention periods shorter than this value cannot be copied to this vault.

    The minimum value allowed is 7 days. Values for months and years meet this minimum.

  7. Set the Maximum retention period.

    This value (in days, months, or years) is the longest amount of time a backup can be retained in this vault. Backups with retention periods greater than this value cannot be copied to this vault.

  8. (Optional) Add tags that will help you search for and identify your logically air-gapped vault. For example, you could add a BackupType:Financial tag.

  9. Select Create vault.

  10. Review the settings. If all settings show as you intended, select Create logically air-gapped vault.

  11. The console will take you to the details page of your new vault. Verify the vault details are as expected.

  12. Select Vaults to view vaults in your account. Your logically air-gapped vault will be displayed. The KMS key will be available approximately 1 to 3 minutes after the vault creation. Refresh the page to see the associated key. Once the key is visible, the vault is in an available state and can be used.

AWS CLI

Create a logically air-gapped vault from CLI

You can use the AWS CLI to programmatically carry out operations for logically air-gapped vaults. Each CLI command belongs to the AWS service it originates from: commands related to sharing are prefixed with aws ram; all other commands are prefixed with aws backup.

Use the CLI command create-logically-air-gapped-backup-vault with the following parameters:

  --region us-east-1                             optional
  --backup-vault-name sampleName                 required
  --min-retention-days 7                         required; the value must be an integer of 7 or greater
  --max-retention-days 35                        required
  --creator-request-id 123456789012-34567-8901   optional

Example CLI command to create a logically air-gapped vault:

aws backup create-logically-air-gapped-backup-vault \
  --region us-east-1 \
  --backup-vault-name sampleName \
  --min-retention-days 7 \
  --max-retention-days 35 \
  --creator-request-id 123456789012-34567-8901

See CreateLogicallyAirGappedBackupVault API response elements for information after the create operation. If the operation was successful, the new logically air-gapped vault will have the VaultState of CREATING.

Once the creation is complete and the KMS key has been assigned, the VaultState will transition to AVAILABLE. Once available, the vault can be used. VaultState can be retrieved by calling DescribeBackupVault or ListBackupVaults.

View logically air-gapped vault details

You can see the vault details such as summary, the recovery points, the protected resources, account sharing, access policy, and tags through the AWS Backup console or the AWS Backup CLI.

Console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. Select Vaults from the left-hand navigation.

  3. Below the descriptions of vaults will be two lists, Vaults owned by this account and Vaults shared with this account. Select the desired tab to view the vaults.

  4. Under Vault name, click on the name of the vault to open the details page. You can see the summary, the recovery points, the protected resources, account sharing, access policy, and tag details.

    Details display depending on account type: Accounts which own a vault can view account sharing; accounts which do not own a vault will not be able to view account sharing.

AWS CLI

View details of a logically air-gapped vault through CLI

The CLI command describe-backup-vault can be used to obtain details about a vault. Parameter backup-vault-name is required; region is optional.

aws backup describe-backup-vault --region us-east-1 --backup-vault-name testvaultname

Example of response:

{
  "BackupVaultName": "LOG-AIR-GAP-VAULT-TEST",
  "BackupVaultArn": "arn:aws:backup:us-east-1:234567890123:backup-vault:IAD-LAGV-01",
  "VaultType": "LOGICALLY_AIR_GAPPED_BACKUP_VAULT",
  "CreationDate": "2024-07-25T16:05:23.554000-07:00",
  "NumberOfRecoveryPoints": 0,
  "Locked": true,
  "MinRetentionDays": 8,
  "MaxRetentionDays": 30,
  "LockDate": "2024-07-25T16:05:23.554000-07:00"
}
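The following script is an added example (not AWS code) that checks a describe-backup-vault response against the properties this page says a logically air-gapped vault always has (vault type, compliance lock, minimum retention of at least 7 days) and applies the copy rule from the creation steps: a backup can only be copied in if its retention falls between the vault's minimum and maximum. The function names are this example's own; the embedded response is the sample shown above.

```python
"""Check a describe-backup-vault response for the properties this page
states a logically air-gapped vault always has, and test whether a backup
with a given retention period fits the vault's retention window.

Added example, not AWS code. vault_findings, copy_allowed and audit are this
example's own names; the response below is the sample shown above,
embedded so the script runs offline."""
import json

LAG_TYPE = "LOGICALLY_AIR_GAPPED_BACKUP_VAULT"
FLOOR_DAYS = 7  # smallest minimum retention period allowed for these vaults

# Constructed copy of the describe-backup-vault response shown in this section.
SAMPLE_RESPONSE = json.loads("""
{
  "BackupVaultName": "LOG-AIR-GAP-VAULT-TEST",
  "BackupVaultArn": "arn:aws:backup:us-east-1:234567890123:backup-vault:IAD-LAGV-01",
  "VaultType": "LOGICALLY_AIR_GAPPED_BACKUP_VAULT",
  "CreationDate": "2024-07-25T16:05:23.554000-07:00",
  "NumberOfRecoveryPoints": 0,
  "Locked": true,
  "MinRetentionDays": 8,
  "MaxRetentionDays": 30,
  "LockDate": "2024-07-25T16:05:23.554000-07:00"
}
""")


def vault_findings(vault: dict) -> list:
    """Return deviations from the expected logically air-gapped posture.
    An empty list means the vault matches what this page describes."""
    findings = []
    if vault.get("VaultType") != LAG_TYPE:
        findings.append("VaultType is not LOGICALLY_AIR_GAPPED_BACKUP_VAULT")
    if vault.get("Locked") is not True:
        findings.append("vault is not locked")  # always locked in compliance mode
    lo = vault.get("MinRetentionDays")
    hi = vault.get("MaxRetentionDays")
    if lo is None or lo < FLOOR_DAYS:
        findings.append("MinRetentionDays is missing or below 7")
    if hi is None or (lo is not None and hi < lo):
        findings.append("MaxRetentionDays is missing or below MinRetentionDays")
    return findings


def copy_allowed(vault: dict, retention_days: int) -> bool:
    """True when a backup retained for retention_days can be copied into the
    vault: its retention must be neither shorter than MinRetentionDays nor
    longer than MaxRetentionDays."""
    return vault["MinRetentionDays"] <= retention_days <= vault["MaxRetentionDays"]


def audit(vaults: list) -> dict:
    """Map each vault name to its findings; feed it the BackupVaultList entries
    returned by list-backup-vaults --by-vault-type LOGICALLY_AIR_GAPPED_BACKUP_VAULT."""
    return {v["BackupVaultName"]: vault_findings(v) for v in vaults}


if __name__ == "__main__":
    print(audit([SAMPLE_RESPONSE]))
    for days in (7, 8, 30, 31):
        print(days, copy_allowed(SAMPLE_RESPONSE, days))
```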

Copy to a logically air-gapped vault

Logically air-gapped vaults can only be a copy job destination target in a backup plan or a target for an on-demand copy job.

Compatible encryption

A successful copy job from a backup vault to a logically air-gapped vault requires an encryption key that is determined by the resource type being copied.

When you copy a backup of a fully managed resource type, the source backup (in the standard backup vault) can be encrypted by a customer managed key or by an AWS managed key.

When you copy a backup of other resource types (ones not fully managed), both the backup and the resource it backed up must be encrypted with a customer managed key. AWS managed keys for the resource types are not supported for copies.

Copy to a logically air-gapped vault through a backup plan

You can copy a backup (recovery point) from a standard backup vault to a logically air-gapped vault by creating a new backup plan or updating an existing one in the AWS Backup console or through the AWS CLI commands create-backup-plan and update-backup-plan.

You can copy a backup from one logically air-gapped vault to another logically air-gapped vault on-demand (this type of backup cannot be scheduled in a backup plan). You can copy a backup from a logically air-gapped vault to a standard backup vault as long as the copy is encrypted with a customer managed key.

On-demand backup copy to a logically air-gapped vault

To create a one-time on-demand copy of a backup to a logically air-gapped vault, you can copy from a standard backup vault. Cross-Region or cross-account copies are available if the resource type supports the copy type.

Copy availability

A copy of a backup can be created from the account to which the vault belongs. Accounts with which the vault has been shared have the ability to view or restore a backup, but not to create a copy.

Only resource types that support cross-Region or cross-account copy can be included.

Console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. Select Vaults from the left-hand navigation.

  3. In the vault detail page, all recovery points within that vault are displayed. Place a check mark next to the recovery point you wish to copy.

  4. Select Actions, and then select Copy from the drop-down menu.

  5. On the next screen, input the details of the destination.

    1. Specify the destination Region.

    2. The Destination backup vault drop-down menu displays eligible destination vaults. Select one with the type logically air-gapped vault.

  6. Select Copy once all details are set to your preferences.

On the Jobs page in the console, you can select Copy jobs to see current copy jobs.

AWS CLI

Use start-copy-job to copy an existing backup in a backup vault to a logically air-gapped vault.

Sample CLI input:

aws backup start-copy-job \
  --region us-east-1 \
  --recovery-point-arn arn:aws:resourcetype:region::snapshot/snap-12345678901234567 \
  --source-backup-vault-name sourcevaultname \
  --destination-backup-vault-arn arn:aws:backup:us-east-1:123456789012:backup-vault:destinationvaultname \
  --iam-role-arn arn:aws:iam::123456789012:role/service-role/servicerole

For more information, see Copying a backup, cross-Region backup, and Cross-account backup.

Share a logically air-gapped vault

You can use AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other accounts you designate.

A vault can be shared with an account in its organization or with an account in another organization. The vault cannot be shared with an entire organization, only with accounts within the organization.

Only accounts with specific IAM privileges can share a vault and manage the accounts it is shared with.

To share using AWS RAM, ensure you have the following:

  • Two or more accounts that can access AWS Backup

  • The vault-owning account that intends to share has the necessary RAM permissions. The permission ram:CreateResourceShare is necessary for this procedure. The policy AWSResourceAccessManagerFullAccess contains all needed RAM-related permissions. The following AWS Backup permissions are also used in this procedure:

    • backup:DescribeBackupVault

    • backup:DescribeRecoveryPoint

    • backup:GetRecoveryPointRestoreMetadata

    • backup:ListProtectedResourcesByBackupVault

    • backup:ListRecoveryPointsByBackupVault

    • backup:ListTags

    • backup:StartRestoreJob

  • At least one logically air-gapped vault

Console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. Select Vaults from the left-hand navigation.

  3. Below the descriptions of vaults will be two lists, Vaults owned by this account and Vaults shared with this account. Vaults owned by the account are eligible to be shared.

  4. Under Vault name, select the name of the logically air-gapped vault to open the details page.

  5. The Account sharing pane shows with which accounts the vault is being shared.

  6. To begin sharing with another account or to edit accounts already being shared, select Manage sharing.

  7. The AWS RAM console opens when Manage sharing is selected. For steps to share a resource using AWS RAM, see Creating a resource share in AWS RAM in the AWS RAM User Guide.

  8. The account invited to accept an invitation to receive a share has 12 hours to accept the invitation. See Accepting and rejecting resource share invitations in the AWS RAM User Guide.

  9. If the sharing steps are completed and accepted, the vault summary page will show under Account sharing = “Shared - see account sharing table below”.

AWS CLI

AWS RAM uses the CLI command create-resource-share. The access to this command is only available to accounts with sufficient permissions. See Creating a resource share in AWS RAM for CLI steps.

Steps 1 through 4 are conducted with the account that owns the logically air-gapped vault. Steps 5 through 8 are conducted with the account with which the logically air-gapped vault will be shared.

  1. Log in to the owning account, or request that a user at your organization with sufficient credentials for accessing the source account complete these steps.

    1. If a resource share was previously created and you wish to add an additional resource to it, use the CLI command associate-resource-share instead, with the ARN of the new vault.

  2. Fetch credentials of a role with sufficient permissions to share via RAM. Input these into the CLI.

    1. The permission ram:CreateResourceShare is necessary for this procedure. The policy AWSResourceAccessManagerFullAccess contains all RAM-related permissions.

  3. Use create-resource-share.

    1. Include the ARN of the logically air-gapped vault.

    2. Example input:

      aws ram create-resource-share \
        --name MyLogicallyAirGappedVault \
        --resource-arns arn:aws:backup:us-east-1:123456789012:backup-vault:test-vault-1 \
        --principals 123456789012 \
        --region us-east-1

    3. Example output:

      {
        "resourceShare": {
          "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543",
          "name": "MyLogicallyAirGappedVault",
          "owningAccountId": "123456789012",
          "allowExternalPrincipals": true,
          "status": "ACTIVE",
          "creationTime": "2021-09-14T20:42:40.266000-07:00",
          "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00"
        }
      }

  4. Copy the resource share ARN in the output (which is needed for subsequent steps). Give the ARN to the operator of the account you are inviting to receive the share.

  5. Obtain the resource share ARN

    1. If you did not perform steps 1 through 4, obtain the resourceShareArn from whomever did.

    2. Example: arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543

  6. In the CLI, assume credentials of the recipient account.

  7. Get resource share invitation with get-resource-share-invitations. For more information, see Accepting and rejecting invitations in the AWS RAM User Guide.

  8. Accept the invitation in destination (recovery) account.

    1. Use accept-resource-share-invitation (can also reject-resource-share-invitation).

You can use AWS RAM CLI commands to view shared items:

  • Resources you have shared:

    aws ram list-resources --resource-owner SELF --resource-type backup:backup-vault --region us-east-1

  • Show the principal:

    aws ram get-resource-share-associations --association-type PRINCIPAL --region us-east-1

  • Resources shared by other accounts:

    aws ram list-resources --resource-owner OTHER-ACCOUNTS --resource-type backup:backup-vault --region us-east-1

Restore a backup from a logically air-gapped vault

You can restore a backup stored in a logically air-gapped vault from either the account that owns the vault or from any account with which the vault is shared.

See Restoring a backup for information on how to restore a recovery point through the AWS Backup console.

Once a backup has been shared from a logically air-gapped vault to your account, you can use start-restore-job to restore the backup.

A sample CLI input can include the following command and parameters:

aws backup start-restore-job \
  --recovery-point-arn arn:aws:backup:us-east-1:accountnumber:recovery-point:RecoveryPointID \
  --metadata '{"availabilityzone":"us-east-1d"}' \
  --idempotency-token TokenNumber \
  --resource-type ResourceType \
  --iam-role-arn arn:aws:iam::number:role/service-role/servicerole \
  --region us-east-1

Delete a logically air-gapped vault

See delete a backup vault to delete a vault. Vaults cannot be deleted if they still contain backups (recovery points). Ensure the vault is empty of backups before you initiate a delete operation.

Deletion of a vault also deletes the key associated with the vault seven days after the vault is deleted in accordance with key deletion policy.

The following sample CLI command delete-backup-vault can be used to delete a vault.

aws backup delete-backup-vault --region us-east-1 --backup-vault-name testvaultname

Additional programmatic options for logically air-gapped vaults

The CLI command list-backup-vaults lists all the vaults owned by and present in the account:

aws backup list-backup-vaults --region us-east-1

To list just the logically air-gapped vaults, add the parameter

--by-vault-type LOGICALLY_AIR_GAPPED_BACKUP_VAULT

Include the parameter --by-shared to filter the returned list of vaults to show only shared logically air-gapped vaults.

aws backup list-backup-vaults --region us-east-1 --by-shared

Troubleshoot a logically air-gapped vault issue

If you encounter errors during your workflow, consult the following example errors and suggested resolutions:

AccessDeniedException

Error: An error occurred (AccessDeniedException) when calling the [command] operation: Insufficient privileges to perform this action.

Possible cause: The parameter --backup-vault-account-id was not included when one of the following requests was run on a vault shared by RAM:

  • describe-backup-vault

  • describe-recovery-point

  • get-recovery-point-restore-metadata

  • list-protected-resources-by-backup-vault

  • list-recovery-points-by-backup-vault

Resolution: Retry the command that returned the error, but include the parameter --backup-vault-account-id that specifies the account that owns the vault.
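As an added example (not AWS code), the helper below builds the aws backup argument list for a call against a vault and appends --backup-vault-account-id with the owning account, taken from the vault ARN, whenever the caller is not the owner and the command is one of the five listed above. It also recognises the recovery-point ARN shape described under Considerations and limitations. The function names, account IDs and vault names are this example's own.

```python
"""Build `aws backup` argument lists for calls against a vault, adding
--backup-vault-account-id when the vault is shared from another account.

Added example, not AWS code. parse_backup_vault_arn, shared_vault_args and
is_backup_recovery_point_arn are this example's own names; the account IDs
and vault names below are constructed."""
import shlex

# Operations this page lists as needing --backup-vault-account-id on a
# vault shared through AWS RAM.
NEEDS_OWNER_ACCOUNT = {
    "describe-backup-vault",
    "describe-recovery-point",
    "get-recovery-point-restore-metadata",
    "list-protected-resources-by-backup-vault",
    "list-recovery-points-by-backup-vault",
}


def parse_backup_vault_arn(arn: str) -> dict:
    """Split arn:<partition>:backup:<region>:<account>:backup-vault:<name>."""
    parts = arn.split(":", 6)
    if (len(parts) != 7 or parts[0] != "arn" or parts[2] != "backup"
            or parts[5] != "backup-vault" or not parts[6]):
        raise ValueError(f"not a backup vault ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "name": parts[6]}


def is_backup_recovery_point_arn(arn: str) -> bool:
    """True for the ARN shape a recovery point takes inside a logically
    air-gapped vault: arn:<partition>:backup:<region>:<account>:recovery-point:<id>."""
    parts = arn.split(":", 6)
    return (len(parts) == 7 and parts[0] == "arn" and parts[2] == "backup"
            and parts[5] == "recovery-point" and bool(parts[6]))


def shared_vault_args(command: str, vault_arn: str, caller_account: str,
                      extra: tuple = ()) -> list:
    """Return argv for `aws backup <command>` on the vault named in vault_arn.
    When the caller is not the vault owner and the command is one of the
    five above, --backup-vault-account-id <owner account> is appended."""
    v = parse_backup_vault_arn(vault_arn)
    argv = ["aws", "backup", command, "--region", v["region"],
            "--backup-vault-name", v["name"], *extra]
    if command in NEEDS_OWNER_ACCOUNT and caller_account != v["account"]:
        argv += ["--backup-vault-account-id", v["account"]]
    return argv


def render(argv: list) -> str:
    """Shell-quote argv for display or copy/paste."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed: vault owned by 123456789012, caller is recipient 999999999999.
    owner_vault = "arn:aws:backup:us-east-1:123456789012:backup-vault:test-vault-1"
    print(render(shared_vault_args("list-recovery-points-by-backup-vault",
                                   owner_vault, "999999999999")))
```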

OperationNotPermittedException

Error: OperationNotPermittedException is returned after a CreateResourceShare call.

Possible cause: If you attempted to share a resource, such as a logically air-gapped vault, with another organization, you may get this exception. A vault can be shared with an account in another organization, but it cannot be shared with the other organization itself.

Resolution: Retry the operation, but specify an account as the value for --principals instead of an organization or OU.