Logically air-gapped vault
Overview of logically air-gapped vaults
AWS Backup offers a secondary type of vault which can store copies of backups in a container with additional security features. A logically air-gapped vault is a specialized vault which provides increased security beyond a standard backup vault, as well as the ability to share vault access to other accounts so that recovery time objectives (RTOs) can be faster and more flexible in case of an incident that requires rapid restoration of resources.
Logically air-gapped vaults come equipped with additional protection features; each vault is encrypted with an AWS owned key, and each vault is equipped with AWS Backup Vault Lock's compliance mode.
You can choose to integrate with AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other AWS accounts (including accounts in other organizations) so that the backups stored within the vault can be restored from an account with which the vault is shared, if needed for data loss recovery or restore testing.
You can view the storage pricing for backups of supported services in a logically air-gapped vault on the AWS Backup pricing page.
See Feature availability by resource for resource types you can copy to a logically air-gapped vault.
Topics
- Use case for logically air-gapped vaults
- Compare and contrast with a standard backup vault
- Create a logically air-gapped vault
- View logically air-gapped vault details
- Copy to a logically air-gapped vault
- Share a logically air-gapped vault
- Restore a backup from a logically air-gapped vault
- Delete a logically air-gapped vault
- Additional programmatic options for logically air-gapped vaults
- Troubleshoot a logically air-gapped vault issue
Use case for logically air-gapped vaults
A logically air-gapped vault is a secondary vault that serves as part of a data protection strategy. This vault can help enhance your organization's retention strategy and recovery when you desire a vault for your backups that
- Is automatically set with a vault lock in compliance mode
- Comes encrypted with an AWS owned key
- Contains backups which, through AWS RAM, can be shared with and restored from a different account than the one that created the backup
Considerations and limitations
- Cross-Region copy to or from a logically air-gapped vault is not currently available for backups that contain Amazon Aurora, Amazon DocumentDB, and Amazon Neptune.
- A backup containing one or more Amazon EBS volumes that is copied into a logically air-gapped vault must be smaller than 16 TB; backups for this resource type that are greater in size are not supported.
- Amazon S3 support for logically air-gapped vaults is only available in Regions that do not require opt-in.
- The ARN (Amazon Resource Name) of a recovery point stored in a logically air-gapped vault will have `backup` in place of the underlying resource type. For example, if the original ARN begins with `arn:aws:ec2:region::image/ami-*`, then the ARN of the recovery point in the logically air-gapped vault will be `arn:aws:backup:region:account-id:recovery-point:*`. You can use the CLI command `list-recovery-points-by-backup-vault` to determine the ARN.
Compare and contrast with a standard backup vault
A backup vault is the primary and standard type of vault used in AWS Backup. Each backup is stored in a backup vault when the backup is created. You can assign resource-based policies to manage backups stored in the vault, such as the lifecycle of backups stored within the vault.
A logically air-gapped vault is a specialized vault with additional security and flexible sharing for faster recovery time (RTO). This vault stores copies of backups that were initially created and stored within a standard backup vault.
Backup vaults can be encrypted with a key, a security mechanism that limits access to intended users. These keys can be customer managed or AWS managed. Additionally, a backup vault can have additional security through a vault lock; logically air-gapped vaults come equipped with a vault lock in compliance mode.
For resource types fully managed by AWS Backup, a backup cannot be copied into a logically air-gapped vault if the AWS KMS key was not manually changed or set as a KMS key at the time the initial resource was created.
| Feature | Backup vault | Logically air-gapped vault |
|---|---|---|
| AWS Backup Audit Manager | You can use AWS Backup Audit Manager controls and remediation to monitor your backup vaults. | Ensure a copy of a backup of a specific resource has been copied to at least one logically air-gapped vault on a schedule you determine, in addition to controls available to standard vaults. |
| Storage of new backups | When a backup is created, it is stored as a recovery point. | Backups are not stored in this vault upon creation. |
| Vault contents | Can store initial backups of resources and copies of backups. | Can store copies of backups from other vaults. |
| Billing | Storage and data transfer charges for resources fully managed by AWS Backup occur under "AWS Backup". Other resource type storage and data transfer charges will occur under their respective services. For example, Amazon EBS backups will show under "Amazon EBS"; Amazon S3 backups will show under "AWS Backup". | All billing charges from these vaults (storage or data transfer) occur under "AWS Backup". |
| Regional availability | Available in all Regions in which AWS Backup operates. | Available in most Regions supported by AWS Backup. Not currently available in Asia Pacific (Malaysia), Canada West (Calgary), China (Beijing), China (Ningxia), AWS GovCloud (US-East), or AWS GovCloud (US-West). |
| Supported resource types | Can store copies of backups for most resource types that support cross-account copy. | Amazon RDS and Amazon FSx backup copies cannot currently be stored in these vaults. |
| Restore | Backups can be restored by the same account to which the vault belongs. | Backups can be restored by a different account than the one to which the vault belongs if the vault is shared with that separate account. |
| Encryption and vault lock | Can optionally be encrypted with a key (customer managed or AWS managed); can optionally use a vault lock in compliance or governance mode. | Is encrypted with an AWS owned key; is always locked with a vault lock in compliance mode. |
| Access and sharing | Access can be managed through policies and AWS Organizations; not compatible with AWS RAM. | Can optionally be shared across accounts using AWS RAM. |
Create a logically air-gapped vault
You can create a logically air-gapped vault either through the AWS Backup console or through a combination of AWS Backup and AWS RAM CLI commands.
Each logically air-gapped vault comes equipped with a vault lock in compliance mode. See AWS Backup Vault Lock to help determine the retention period values most appropriate for your operation.
View logically air-gapped vault details
You can see the vault details such as summary, the recovery points, the protected resources, account sharing, access policy, and tags through the AWS Backup console or the AWS Backup CLI.
Copy to a logically air-gapped vault
Logically air-gapped vaults can only be a copy job destination target in a backup plan or a target for an on-demand copy job.
Compatible encryption
A successful copy job from a backup vault to a logically air-gapped vault requires an encryption key that is determined by the resource type being copied.
When you copy a backup of a fully managed resource type, the source backup in the standard backup vault can be encrypted by a customer managed key or by an AWS managed key.
When you copy a backup of other resource types (ones not fully managed), both the backup and the resource it backed up must be encrypted with a customer managed key. AWS managed keys for the resource types are not supported for copies.
Copy to a logically air-gapped vault through a backup plan
You can copy a backup (recovery point) from a standard backup vault to a logically air-gapped vault by creating a new backup plan or updating an existing one in the AWS Backup console, or through the AWS CLI commands create-backup-plan and update-backup-plan.
You can copy a backup from one logically air-gapped vault to another logically air-gapped vault on-demand (this type of backup cannot be scheduled in a backup plan). You can copy a backup from a logically air-gapped vault to a standard backup vault as long as the copy is encrypted with a customer managed key.
On-demand backup copy to a logically air-gapped vault
To create a one-time on-demand copy of a backup to a logically air-gapped vault, you can copy from a standard backup vault. Cross-Region or cross-account copies are available if the resource type supports the copy type.
Copy availability
A copy of a backup can be created from the account to which the vault belongs. Accounts with which the vault has been shared have the ability to view or restore a backup, but not to create a copy.
Only resource types that support cross-Region or cross-account copy can be included.
For more information, see Copying a backup, cross-Region backup, and Cross-account backup.
Share a logically air-gapped vault
You can use AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other accounts you designate.
A vault can be shared with an account in its organization or with an account in another organization. The vault cannot be shared with an entire organization, only with accounts within the organization.
Only accounts with specific IAM privileges can share vaults and manage that sharing.
To share using AWS RAM, ensure you have the following:
- Two or more accounts that can access AWS Backup
- The vault-owning account that intends to share has the necessary RAM permissions. The permission ram:CreateResourceShare is necessary for this procedure. The policy AWSResourceAccessManagerFullAccess contains all needed RAM-related permissions:
  - backup:DescribeBackupVault
  - backup:DescribeRecoveryPoint
  - backup:GetRecoveryPointRestoreMetadata
  - backup:ListProtectedResourcesByBackupVault
  - backup:ListRecoveryPointsByBackupVault
  - backup:ListTags
  - backup:StartRestoreJob
- At least one logically air-gapped vault
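As an added example that is not part of the AWS documentation, the following POSIX shell script performs the pre-flight checks an operator would want before running the RAM share: it rejects organization and OU principals (RAM refuses those for this vault type with OperationNotPermittedException, as described under Troubleshoot below) and builds the aws ram create-resource-share command. The vault ARN, share name and account IDs are constructed placeholders, and the command only executes when LAGV_APPLY=1 is set and the AWS CLI is installed.

```shell
#!/bin/sh
# Added example, not AWS documentation code. Pre-flight checks before sharing
# a logically air-gapped vault with AWS RAM. The share command is printed and
# only executed when LAGV_APPLY=1 is set and the AWS CLI is installed.

# Principals must be 12-digit account IDs: this vault type can be shared with
# accounts (in any organization) but not with an organization or OU, for which
# RAM returns OperationNotPermittedException.
validate_principals() {
  [ $# -ge 1 ] || { echo "at least one account ID is required" >&2; return 1; }
  for p in "$@"; do
    case "$p" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) echo "rejected principal '$p': use a 12-digit account ID, not an organization or OU" >&2
         return 1 ;;
    esac
  done
  return 0
}

# The shared resource must be a backup vault ARN.
validate_vault_arn() {
  case "$1" in
    arn:aws:backup:*:*:backup-vault:?*) return 0 ;;
    *) echo "not a backup vault ARN: $1" >&2; return 1 ;;
  esac
}

# Print the aws ram create-resource-share command (needs ram:CreateResourceShare
# in the vault-owning account). Usage: build_share_command NAME VAULT_ARN ACCOUNT...
build_share_command() {
  share_name=$1; vault_arn=$2; shift 2
  validate_vault_arn "$vault_arn" || return 1
  validate_principals "$@" || return 1
  printf 'aws ram create-resource-share --name %s --resource-arns %s --principals' \
    "$share_name" "$vault_arn"
  printf ' %s' "$@"
  printf '\n'
}

# Constructed sample values (not a real vault or real accounts).
VAULT_ARN='arn:aws:backup:us-east-1:111122223333:backup-vault:lag-vault-example'
cmd=$(build_share_command lag-vault-share "$VAULT_ARN" 444455556666 777788889999) || exit 1
echo "$cmd"
if [ "${LAGV_APPLY:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  eval "$cmd"
fi
```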
Restore a backup from a logically air-gapped vault
You can restore a backup stored in a logically air-gapped vault from either the account that owns the vault or from any account with which the vault is shared.
See Restoring a backup for information on how to restore a recovery point through the AWS Backup console.
Once a backup has been shared from a logically air-gapped vault to your account, you can use start-restore-job.
A sample CLI input can include the following command and parameters:
aws backup start-restore-job \
    --recovery-point-arn arn:aws:backup:us-east-1:accountnumber:recovery-point:RecoveryPointID \
    --metadata '{"availabilityzone":"us-east-1d"}' \
    --idempotency-token TokenNumber \
    --resource-type ResourceType \
    --iam-role-arn arn:aws:iam::number:role/service-role/servicerole \
    --region us-east-1
Delete a logically air-gapped vault
See delete a backup vault to delete a vault. Vaults cannot be deleted if they still contain backups (recovery points). Ensure the vault is empty of backups before you initiate a delete operation.
Deletion of a vault also deletes the key associated with the vault seven days after the vault is deleted in accordance with key deletion policy.
The following is a sample delete-backup-vault CLI command:
aws backup delete-backup-vault --region us-east-1 --backup-vault-name testvaultname
Additional programmatic options for logically air-gapped vaults
The CLI command list-backup-vaults can be modified to list all the vaults owned by and present in the account:
aws backup list-backup-vaults --region us-east-1
To list just the logically air-gapped vaults, add the parameter --by-vault-type LOGICALLY_AIR_GAPPED_BACKUP_VAULT.
Include the parameter --by-shared to filter the returned list of vaults to show only shared logically air-gapped vaults:
aws backup list-backup-vaults --region us-east-1 --by-shared
Troubleshoot a logically air-gapped vault issue
If you encounter errors during your workflow, consult the following example errors and suggested resolutions:
AccessDeniedException
Error: An error occurred (AccessDeniedException) when calling the [command] operation: Insufficient privileges to perform this action.
Possible cause: The parameter --backup-vault-account-id was not included when one of the following requests was run on a vault shared by RAM:
- describe-backup-vault
- describe-recovery-point
- get-recovery-point-restore-metadata
- list-protected-resources-by-backup-vault
- list-recovery-points-by-backup-vault
Resolution: Retry the command that returned the error, but include the parameter --backup-vault-account-id that specifies the account that owns the vault.
OperationNotPermittedException
Error: OperationNotPermittedException is returned after a CreateResourceShare call.
Possible cause: If you attempted to share a resource, such as a logically air-gapped vault, with another organization, you may get this exception. A vault can be shared with an account in another organization, but it cannot be shared with the other organization itself.
Resolution: Retry the operation, but specify an account as the value for principals instead of an organization or OU.
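The following added shell example (not AWS documentation code) ties together the ARN convention noted under Considerations and limitations and the AccessDeniedException resolution above: it parses a recovery point ARN to show that the service segment is backup rather than the source resource type, and builds a list-recovery-points-by-backup-vault call for a shared vault that includes --backup-vault-account-id. The ARNs, vault name and account IDs are constructed, and the reading of the ARN's account segment as the vault-owning account is this example's assumption, not a statement from the page.

```shell
#!/bin/sh
# Added example, not AWS documentation code. Parses recovery point ARNs and
# builds a read command for a RAM-shared logically air-gapped vault.
# Nothing here calls the AWS CLI; commands are printed for review.

# Split arn:partition:service:region:account:resource into the globals
# ARN_SERVICE, ARN_REGION, ARN_ACCOUNT and ARN_RESOURCE. Returns 1 if the
# string is not an ARN. The resource part may itself contain ':'.
parse_arn() {
  oldifs=$IFS
  IFS=:; set -f; set -- $1; set +f; IFS=$oldifs   # set -f: no globbing of '*'
  [ "$1" = arn ] && [ $# -ge 6 ] || return 1
  ARN_SERVICE=$3; ARN_REGION=$4; ARN_ACCOUNT=$5
  shift 5
  IFS=:; ARN_RESOURCE="$*"; IFS=$oldifs
}

# A recovery point in a logically air-gapped vault has "backup" as the service
# segment; the original resource type (ec2, rds, ...) is not in the ARN.
is_lag_recovery_point_arn() {
  parse_arn "$1" || return 1
  [ "$ARN_SERVICE" = backup ] || return 1
  case "$ARN_RESOURCE" in recovery-point:?*) return 0 ;; *) return 1 ;; esac
}

# Because the ARN no longer carries the resource type, read it from the
# ResourceType field of list-recovery-points-by-backup-vault. On a vault shared
# through RAM, --backup-vault-account-id must name the owning account or the
# call fails with AccessDeniedException.
build_list_command() {
  vault=$1; owner=$2; region=$3
  printf 'aws backup list-recovery-points-by-backup-vault --backup-vault-name %s --region %s' \
    "$vault" "$region"
  [ -n "$owner" ] && printf ' --backup-vault-account-id %s' "$owner"
  printf " --query 'RecoveryPoints[].[RecoveryPointArn,ResourceType]' --output text\n"
}

# Constructed sample ARNs (not real resources). The account segment of the
# recovery point ARN is assumed here to be the vault-owning account.
SRC_ARN='arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0'
RP_ARN='arn:aws:backup:us-east-1:111122223333:recovery-point:1a2b3c4d-0000-4000-8000-000000000000'
for a in "$SRC_ARN" "$RP_ARN"; do
  if is_lag_recovery_point_arn "$a"; then
    echo "recovery point in vault owned by $ARN_ACCOUNT: $a"
  else
    echo "not a logically air-gapped recovery point ARN (service=$ARN_SERVICE): $a"
  fi
done
build_list_command lag-vault-example 111122223333 us-east-1
```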