REL09-BP02 Secure and encrypt backups

Control and detect access to backups using authentication and authorization. Prevent and detect if data integrity of backups is compromised using encryption.

Implement security controls to prevent unauthorized access to backup data. Encrypt backups to protect the confidentiality and integrity of your data.

Common anti-patterns:

• Having the same access to the backups and restoration automation as you do to the data.

• Not encrypting your backups.

• Not implementing immutability for protection against deletion or tampering.

• Using the same security domain for production and backup systems.

• Not validating backup integrity through regular testing.

Benefits of establishing this best practice:

• Securing your backups prevents tampering with the data, and encryption of the data prevents access to that data if it is accidentally exposed.

• Enhanced protection against ransomware and other cyber threats that target backup infrastructure.

• Reduced recovery time following a cyber incident through validated recovery processes.

• Improved business continuity capabilities during security incidents.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Control and detect access to backups using authentication and authorization, such as AWS Identity and Access Management (IAM). Prevent and detect if data integrity of backups is compromised using encryption.

Amazon S3 supports several methods of encryption of your data at rest. Using server-side encryption, Amazon S3 accepts your objects as unencrypted data, and then encrypts them as they are stored. Using client-side encryption, your workload application is responsible for encrypting the data before it is sent to Amazon S3. Both methods allow you to use AWS Key Management Service (AWS KMS) to create and store the data key, or you can provide your own key, which you are then responsible for. Using AWS KMS, you can set policies using IAM on who can and cannot access your data keys and decrypted data.

For Amazon RDS, if you have chosen to encrypt your databases, then your backups are encrypted also. DynamoDB backups are always encrypted. When using AWS Elastic Disaster Recovery, all data in transit and at rest is encrypted. With Elastic Disaster Recovery, data at rest can be encrypted using either the default Amazon EBS encryption Volume Encryption Key or a custom customer-managed key.

Cyber resilience considerations

To enhance backup security against cyber threats, consider implementing these additional controls besides encryption:

• Implement immutability using AWS Backup Vault Lock or Amazon S3 Object Lock to prevent backup data from being altered or deleted during its retention period, protecting against ransomware and malicious deletion.

• Establish logical isolation between production and backup environments with AWS Backup logically air-gapped vault for critical systems, creating separation that helps prevent compromise of both environments simultaneously.

• Validate backup integrity regularly using AWS Backup restore testing to verify that backups are not corrupted and can be successfully restored following a cyber incident.

• Implement multi-party approval for critical recovery operations using AWS Backup multi-party approval to prevent unauthorized or malicious recovery attempts by requiring authorization from multiple designated approvers.

Implementation steps

1. Use encryption on each of your data stores. If your source data is encrypted, then the backup will also be encrypted.

   • Use encryption in Amazon RDS.. You can configure encryption at rest using AWS Key Management Service when you create an RDS instance.

   • Use encryption on Amazon EBS volumes.. You can configure default encryption or specify a unique key upon volume creation.

   • Use the required Amazon DynamoDB encryption. DynamoDB encrypts all data at rest. You can either use an AWS owned AWS KMS key or an AWS managed KMS key, specifying a key that is stored in your account.

   • Encrypt your data stored in Amazon EFS. Configure the encryption when you create your file system.

   • Configure the encryption in the source and destination Regions. You can configure encryption at rest in Amazon S3 using keys stored in KMS, but the keys are Region-specific. You can specify the destination keys when you configure the replication.

   • Choose whether to use the default or custom Amazon EBS encryption for Elastic Disaster Recovery. This option will encrypt your replicated data at rest on the Staging Area Subnet disks and the replicated disks.

2. Implement least privilege permissions to access your backups. Follow best practices to limit the access to the backups, snapshots, and replicas in accordance with security best practices.

3. Configure immutability for critical backups. For critical data, implement AWS Backup Vault Lock or S3 Object Lock to prevent deletion or alteration during the specified retention period. For implementation details, see AWS Backup Vault Lock.

4. Create logical separation for backup environments. Implement AWS Backup logically air-gapped vault for critical systems requiring enhanced protection from cyber threats. For implementation guidance, see Building cyber resiliency with AWS Backup logically air-gapped vault.

5. Implement backup validation processes. Configure AWS Backup restore testing to regularly verify that backups are not corrupted and can be successfully restored following a cyber incident. For more information, see Validate recovery readiness with AWS Backup restore testing.

6. Configure multi-party approval for sensitive recovery operations. For critical systems, implement AWS Backup multi-party approval to require authorization from multiple designated approvers before recovery can proceed. For implementation details, see Improve recovery resilience with AWS Backup support for Multi-party approval.

Resources

Related documents:

• AWS Marketplace: products that can be used for backup

• Amazon EBS Encryption

• Amazon S3: Protecting Data Using Encryption

• CRR Additional Configuration: Replicating Objects Created with Server-Side Encryption (SSE) Using Encryption Keys stored in AWS KMS

• DynamoDB Encryption at Rest

• Encrypting Amazon RDS Resources

• Encrypting Data and Metadata in Amazon EFS

• Encryption for Backups in AWS

• Managing Encrypted Tables

• Security Pillar - AWS Well-Architected Framework

• What is AWS Elastic Disaster Recovery?

• FSISEC11: How are you protecting against ransomware?

• Ransomware Risk Management on AWS Using the NIST Cyber Security Framework

• Building cyber resiliency with AWS Backup logically air-gapped vault

• Validate recovery readiness with AWS Backup restore testing

• Improve recovery resilience with AWS Backup support for Multi-party approval

Related examples:

• Implementing Bi-Directional Cross-Region Replication (CRR) for Amazon S3