AWS Backup Vault Lock - AWS Backup

AWS Backup Vault Lock

Note

AWS Backup Vault Lock has yet to receive a third-party assessment for SEC 17a-4(f) and CFTC.

Do not confuse AWS Backup Vault Lock with S3 Glacier Vault Lock, which is a different feature for a different AWS service.

AWS Backup Vault Lock enforces a write-once, read-many (WORM) setting for all the backups you store and create in a backup vault.

With AWS Backup Vault Lock, you can add an additional layer of defense that protects backups (recovery points) in your backup vaults from inadvertent or malicious:

  • Delete operations and

  • Updates that shorten or otherwise alter their retention period

AWS Backup Vault Lock helps you enforce retention periods, prevent early deletions by privileged users (including the AWS account root user), and meet your organization’s data protection policies and procedures.

Note

You can configure AWS Backup Vault Lock using the AWS Backup API, CLI, or SDK. Currently, you cannot configure AWS Backup Vault Lock using the AWS Backup console.

Important

AWS Backup Vault Lock takes effect immediately. It gives you a minimum three-day (72-hour) cooling-off period to delete or update its configuration before it permanently locks your vault. You can optionally extend the duration of this cooling-off period. Use this cooling-off period to test AWS Backup Vault Lock against your workloads and use cases.

After your cooling-off period expires, you cannot delete or otherwise alter AWS Backup Vault Lock using the AWS Backup console, API, CLI, or SDK.

Locking a backup vault

To configure AWS Backup Vault Lock, use PutBackupVaultLockConfiguration like this CLI example:

    aws backup put-backup-vault-lock-configuration \
        --backup-vault-name my_vault_to_lock \
        --changeable-for-days 3 \
        --min-retention-days 7 \
        --max-retention-days 30

You can configure four options:

  1. BackupVaultName (required)

    The name of the vault to lock.

  2. ChangeableForDays (optional)

    The cooling-off period in days before AWS Backup Vault Lock cannot be deleted. For example, setting ChangeableForDays to 30 on Jan. 1, 2022 at 8pm UTC will set the lock date to Jan. 31, 2022 at 8pm UTC.

    You must set ChangeableForDays to 3 or greater because AWS Backup enforces a minimum 72-hour cooling-off period before AWS Backup Vault Lock takes effect and becomes immutable.

    Before the lock date, you can delete AWS Backup Vault Lock from the vault using DeleteBackupVaultLockConfiguration or change the AWS Backup Vault Lock configuration using PutBackupVaultLockConfiguration. On and after the lock date, AWS Backup Vault Lock becomes immutable and cannot be changed or deleted.

    If not specified, you can use DeleteBackupVaultLockConfiguration or PutBackupVaultLockConfiguration any time.

  3. MaxRetentionDays (optional)

    The maximum retention period that the vault retains its recovery points. This setting can be useful if, for example, you must destroy certain data after retaining it for four years (1460 days).

    If not specified, AWS Backup Vault Lock will not enforce a maximum retention period.

    If specified, backup and copy jobs to this vault with lifecycle retention periods longer than the maximum retention period will fail. Recovery points already saved in the vault prior to AWS Backup Vault Lock are not affected.

  4. MinRetentionDays (optional)

    The minimum retention period that the vault retains its recovery points. This setting can be useful if, for example, you must retain certain data for at least seven years (2555 days).

    If not specified, AWS Backup Vault Lock will not enforce a minimum retention period.

    If specified, backup and copy jobs to this vault with lifecycle retention periods shorter than the minimum retention period will fail. Recovery points already saved in the vault prior to AWS Backup Vault Lock are not affected.

Reviewing a backup vault for its AWS Backup Vault Lock configuration

You can review AWS Backup Vault Lock status on a vault anytime by calling DescribeBackupVault or ListBackupVaults.

To determine whether you applied AWS Backup Vault Lock to a backup vault, call DescribeBackupVault and check the Locked property. If "Locked":true, like the following example, you have applied AWS Backup Vault Lock to your backup vault.

    {
        "BackupVaultName": "my_vault_to_lock",
        "BackupVaultArn": "arn:aws:backup:us-east-1:555500000000:backup-vault:my_vault_to_lock",
        "EncryptionKeyArn": "arn:aws:kms:us-east-1:555500000000:key/00000000-1111-2222-3333-000000000000",
        "CreationDate": "2021-09-24T12:25:43.030000-07:00",
        "CreatorRequestId": "ac6ce255-0456-4f84-bbc4-eec919f50709",
        "NumberOfRecoveryPoints": 1,
        "Locked": true,
        "MinRetentionDays": 7,
        "MaxRetentionDays": 30,
        "LockDate": "2021-09-30T10:12:38.089000-07:00"
    }

The preceding output confirms the following options:

  1. Locked is a Boolean that indicates whether you have applied AWS Backup Vault Lock to this backup vault. True means that AWS Backup Vault Lock causes delete or update operations to the recovery points stored in the vault to fail (regardless of whether you are still in the cooling-off period).

  2. LockDate is the date and time when your cooling-off period ends. The CLI renders the timestamp with its UTC offset (-07:00 in the preceding example); convert it to UTC or your local time before comparing it with the current time. After this time, you cannot delete or change your AWS Backup Vault Lock on this vault.

  3. MaxRetentionDays and MinRetentionDays are previously described.

If "Locked":false, like the following example, you have not applied Vault Lock (or deleted it).

    {
        "BackupVaultName": "my_vault_to_lock",
        "BackupVaultArn": "arn:aws:backup:us-east-1:555500000000:backup-vault:my_vault_to_lock",
        "EncryptionKeyArn": "arn:aws:kms:us-east-1:555500000000:key/00000000-1111-2222-3333-000000000000",
        "CreationDate": "2021-09-24T12:25:43.030000-07:00",
        "CreatorRequestId": "ac6ce255-0456-4f84-bbc4-eec919f50709",
        "NumberOfRecoveryPoints": 3,
        "Locked": false
    }
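The following Python script is an added example and is not part of the AWS documentation or of the AWS Backup service. It ties together the two preceding sections: it classifies a vault's lock state from DescribeBackupVault output (unlocked, still in the cooling-off period, immutable, or locked without a LockDate because ChangeableForDays was omitted), computes the LockDate that a given ChangeableForDays value produces, and pre-checks a backup plan lifecycle against the vault's MinRetentionDays and MaxRetentionDays so that a job is not submitted only to fail. It works on the response dictionary rather than calling AWS, so it runs offline on the constructed sample vaults below; in practice you would pass the dict returned by describe-backup-vault. The function names and the sample dictionaries are assumptions of this example.

```python
"""Interpret AWS Backup Vault Lock state and pre-check retention settings.

Added example: operates on the dict shape that DescribeBackupVault returns,
so it runs offline. Feed it the real response in production.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed samples shaped like the DescribeBackupVault output shown above.
# The LockDate here is in the past, so this vault's lock is already immutable.
LOCKED_VAULT = {
    "BackupVaultName": "my_vault_to_lock",
    "Locked": True,
    "MinRetentionDays": 7,
    "MaxRetentionDays": 30,
    "LockDate": "2021-09-30T10:12:38.089000-07:00",
}
UNLOCKED_VAULT = {"BackupVaultName": "my_vault_to_lock", "Locked": False}


def lock_state(vault: dict, now: Optional[datetime] = None) -> str:
    """Classify a vault's Vault Lock status.

    Returns one of:
      "unlocked"    - Vault Lock was never applied, or was deleted
      "cooling-off" - Locked and LockDate is still ahead: the lock configuration
                      can still be deleted or changed
      "immutable"   - Locked and LockDate has passed: the configuration can no
                      longer be deleted or changed by anyone, root included
      "changeable"  - Locked but no LockDate: ChangeableForDays was not set, so
                      the configuration can be deleted or changed at any time
    In every locked state, deleting recovery points or shortening their
    retention already fails; the cooling-off period only protects the lock
    configuration itself.
    """
    if not vault.get("Locked", False):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "changeable"
    if now is None:
        now = datetime.now(timezone.utc)
    # fromisoformat keeps the -07:00 offset, so an aware comparison against a
    # UTC 'now' is correct without converting the string by hand.
    return "cooling-off" if datetime.fromisoformat(lock_date) > now else "immutable"


def lock_date_for(changeable_for_days: int, requested_at: datetime) -> datetime:
    """LockDate that PutBackupVaultLockConfiguration records for a request made
    at `requested_at`. The service enforces a 72-hour minimum, so values below
    3 are rejected here too."""
    if changeable_for_days < 3:
        raise ValueError("ChangeableForDays must be 3 or greater")
    return requested_at + timedelta(days=changeable_for_days)


def retention_violations(vault: dict, delete_after_days: Optional[int]) -> List[str]:
    """Explain why a backup or copy job with the given lifecycle would fail.

    `delete_after_days` is the plan's DeleteAfterDays; None means 'retain
    forever', which any MaxRetentionDays bound rejects.
    """
    problems: List[str] = []
    min_days = vault.get("MinRetentionDays")
    max_days = vault.get("MaxRetentionDays")
    if min_days is not None and delete_after_days is not None and delete_after_days < min_days:
        problems.append(f"retention {delete_after_days}d is below MinRetentionDays={min_days}")
    if max_days is not None and (delete_after_days is None or delete_after_days > max_days):
        shown = "forever" if delete_after_days is None else f"{delete_after_days}d"
        problems.append(f"retention {shown} exceeds MaxRetentionDays={max_days}")
    return problems


if __name__ == "__main__":
    for vault in (LOCKED_VAULT, UNLOCKED_VAULT):
        print(vault["BackupVaultName"], "->", lock_state(vault))
    requested = datetime(2022, 1, 1, 20, tzinfo=timezone.utc)
    print("ChangeableForDays=30 requested", requested.isoformat(), "locks at",
          lock_date_for(30, requested).isoformat())
    for days in (3, 14, None):
        print("lifecycle", days, "->", retention_violations(LOCKED_VAULT, days) or "ok")
```

Run the pre-check before creating a backup plan or a cross-account copy rule that targets a locked vault: a lifecycle of 3 days or "retain forever" against the sample vault (min 7, max 30) is reported as a violation, while 14 days passes. The "changeable" state is worth alerting on in a compliance context, since a lock without a LockDate does not protect the lock configuration from a privileged deleter.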

Deleting AWS Backup Vault Lock during the cooling-off period

To delete your AWS Backup Vault Lock during your cooling-off period (and before your LockDate), use DeleteBackupVaultLockConfiguration like this CLI example:

    aws backup delete-backup-vault-lock-configuration \
        --backup-vault-name my_vault_to_lock

Achieving defense in depth with AWS Backup Vault Lock and other AWS Backup security features

AWS Backup Vault Lock adds an additional layer of security to your data protection defense in depth. Additional layers that you can use to strengthen your security posture include: