Data Bunker | Rescue Zone| Ransomware Recovery | Immutable Backup Solution Leveraging AWS Backup Vault Lock

In today's ever-evolving cloud & cybersecurity landscape, organizations are increasingly concerned about protecting their data from both external threats and internal misconfigurations. Ransomware attacks, insider threats, and accidental deletions are rising, highlighting the need for resilient data protection strategies. This is where AWS Backup and the concept of a logically air-gapped vault come into play, offering organizations a powerful mechanism to bolster their cyber resilience.

What is AWS Backup?

AWS Backup is a fully managed service that centralizes and automates the backup of data across AWS services and on-premises environments. It simplifies backup management by allowing users to define backup policies, automate backup schedules, and ensure compliance with organizational and regulatory standards.

AWS Backup integrates with several AWS services, including:

  • Amazon EBS (Elastic Block Store)
  • Amazon RDS (Relational Database Service)
  • Amazon DynamoDB
  • Amazon EFS (Elastic File System)
  • Amazon S3
  • VMware workloads in on-premises environments

The Importance of Cyber Resilience

Cyber resilience is the ability of an organization to prepare for, respond to, and recover from cyberattacks. This goes beyond traditional security, as it involves creating a fail-safe mechanism to ensure data availability and integrity even in the face of severe attacks, such as ransomware. One of the most effective ways to achieve this is by implementing backups that are difficult for attackers to access or corrupt, even if they manage to infiltrate the system.

This is where logically air-gapped backups come in.

Understanding Logically Air-Gapped Vaults

An air-gapped backup traditionally refers to storing data in a system that is physically isolated from the network. This ensures that even if an attacker gains access to the network, the backups remain untouched. However, creating and maintaining physical air gaps can be complex, costly, and inefficient in today's cloud environments.

Instead, AWS provides a logically air-gapped solution through AWS Backup Vault Lock. This mechanism allows you to create secure backups that are immutable and isolated from unauthorized access, all within the cloud. Although not physically disconnected from the network, these backups are logically separated, reducing the risk of deletion, tampering, or corruption.

Key Features of Logically Air-Gapped Vaults with AWS Backup Vault Lock

  1. Immutability: Once a backup policy is applied with AWS Backup Vault Lock, you can enforce retention periods and make the data undeletable, ensuring that critical backups cannot be altered or removed, even by AWS administrators.
  2. WORM (Write Once, Read Many) Compliance: Vault Lock enables compliance with regulatory requirements by enforcing write-once, read-many (WORM) policies, which is particularly important for industries such as finance and healthcare.
  3. Cross-account Backup Isolation: AWS Backup supports cross-account backup capabilities, which means you can store your backups in different AWS accounts from the one where your workloads reside. This cross-account storage adds another layer of logical separation, protecting your backups from threats in one account.
  4. Granular Access Controls: AWS Backup integrates with AWS Identity and Access Management (IAM) to offer detailed access controls. This ensures that only authorized users and roles can perform backup or restore operations, further reducing the risk of malicious actions.
  5. Automatic Backup Policies: AWS Backup Vault Lock allows you to create backup policies that are automatically applied to your workloads, ensuring that new resources are always protected without manual intervention.
  6. Audit Logs: AWS CloudTrail integration enables detailed logging and auditing of all backup operations. This helps in monitoring and validating the integrity of your backup processes, ensuring compliance and transparency.

AWS Backup Vault Lock and Ransomware Protection

Ransomware attacks often target backups, as they offer a quick route for attackers to lock down an organization’s critical data. In this context, a logically air-gapped backup solution provides significant protection. Here’s how AWS Backup Vault Lock mitigates ransomware threats:

  • Preventing Backup Tampering: The immutability feature ensures that ransomware cannot alter or delete your backups, preserving clean copies of your data for recovery.
  • Isolation from Compromised Accounts: The ability to store backups in separate AWS accounts reduces the risk of backup data being compromised along with production systems, effectively creating a logical air gap.
  • Immediate Data Recovery: With immutable backups stored securely, organizations can recover quickly from ransomware attacks by restoring uncorrupted data from the logically air-gapped vault.


Architecture Flow:

The architecture depicted in the figure below illustrates a typical pattern for using a logically air-gapped vault. This design leverages AWS Backup to secure data across AWS services, AWS RAM to share the logically air-gapped vault among various accounts, AWS KMS to manage cryptographic keys for encrypting backup data, AWS Lambda to automate restore operations, and AWS Organizations to structure workloads and functions across separate AWS accounts. The architecture is detailed as follows:

  • Workload Account: Contains the user workload, including AWS Backup-supported resources, the primary AWS Backup vault, and the backup plan.
  • Data Bunker Account: Houses the logically air-gapped vault where data from the Workload Account vault is copied. While this vault can also be set up in the Workload Account, additional logical isolation enhances security. This vault is shared with the Recovery and Forensics accounts via AWS RAM.
  • Recovery Account: Used to restore recovery points (backups) in case of a disaster or cybersecurity incident in the Workload Account. The logically air-gapped vault is shared with this account using AWS RAM.
  • Forensics Account: Utilized for regular restore testing or additional security investigations. If a restore fails, events can be triggered to AWS Security Hub for alerting.

This architecture ensures robust data protection and enhances overall security and resilience.

AWS Backup Vault - Implements immutable, WORM model-based backups. Allows access only to the backup vault administrator.

  1. Workloads in the Prod Workload Account (e.g., EC2 instances, RDS databases) create backups using AWS Backup. These backups are stored in a Backup Vault within the Prod Workload Account.
  2. A cross-account backup policy replicates these backups into a Backup Vault in the Data Bunker Account.
  3. Vault Lock is enabled in both the Prod Workload Account and the Data Bunker Account, ensuring that the backups are immutable and protected in both accounts.

This process establishes a double layer of security:

  • If the Prod Workload Account is compromised, the Data Bunker Account still retains secure backups.
  • If an attacker attempts to delete or modify backups, Vault Lock prevents such actions in both accounts.


Implementing AWS Backup Logically Air-Gapped Vault

The following steps, with the necessary AWS CLI and AWS SDK (Python - Boto3) scripts, implement AWS Backup with a logically air-gapped vault using AWS Backup Vault Lock and cross-account replication.

Pre-requisites

  1. AWS CLI: Ensure you have the AWS CLI installed and configured.
  2. Boto3 SDK: If you’re using Python, make sure the Boto3 library is installed.

pip install boto3

  3. IAM Permissions: You need appropriate permissions to create backup plans, backup vaults, and apply vault locks. The permissions include backup:* and iam:* for creating roles and policies.


Step 1: Create a Backup Vault

We will create a backup vault to store backups. This vault will later be locked with AWS Vault Lock to make it immutable.

  • The user or admin creates a Backup Plan that specifies the frequency, retention period, and backup vault.
  • The Backup Plan is associated with specific AWS resources (e.g., EC2, RDS, DynamoDB tables).

AWS CLI:

aws backup create-backup-vault \
    --backup-vault-name MyBackupVault \
    --region us-west-2 \
    --encryption-key-arn arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id

  • backup-vault-name: Name of the backup vault.
  • region: AWS region where the vault will be created.
  • encryption-key-arn: Optionally, specify the ARN of a KMS key to encrypt backups.

Python (Boto3):

import boto3

client = boto3.client('backup', region_name='us-west-2')

response = client.create_backup_vault(
    BackupVaultName='MyBackupVault',
    EncryptionKeyArn='arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id'
)

print("Backup Vault Created:", response['BackupVaultArn'])

Step 2: Create a Backup Plan

Next, create a backup plan that defines how often backups are taken, how long they are retained, and where they are stored (in the backup vault you just created).

  • AWS Backup automatically starts backups based on the schedule in the Backup Plan.
  • The Backup Data is transferred to the Backup Vault within the same region or cross-region, depending on the setup.

AWS CLI:

aws backup create-backup-plan \
    --backup-plan '{
      "BackupPlanName": "MyBackupPlan",
      "Rules": [
        {
          "RuleName": "DailyBackup",
          "TargetBackupVaultName": "MyBackupVault",
          "ScheduleExpression": "cron(0 12 * * ? *)",
          "StartWindowMinutes": 60,
          "CompletionWindowMinutes": 180,
          "Lifecycle": {
            "MoveToColdStorageAfterDays": 30,
            "DeleteAfterDays": 365
          }
        }
      ]
    }'

  • TargetBackupVaultName: The vault where backups will be stored.
  • ScheduleExpression: A CRON expression that determines when backups are taken.
  • Lifecycle: Optionally move data to cold storage after a set number of days and delete it after a specified period.

Python (Boto3):

import boto3

backup_client = boto3.client('backup', region_name='us-west-2')

# Daily backup at 12:00 UTC into MyBackupVault; cold storage after 30 days, deleted after 365
backup_plan = {
    "BackupPlanName": "MyBackupPlan",
    "Rules": [
        {
            "RuleName": "DailyBackup",
            "TargetBackupVaultName": "MyBackupVault",
            "ScheduleExpression": "cron(0 12 * * ? *)",
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 180,
            "Lifecycle": {
                "MoveToColdStorageAfterDays": 30,
                "DeleteAfterDays": 365
            }
        }
    ]
}

response = backup_client.create_backup_plan(BackupPlan=backup_plan)

print("Backup Plan Created:", response['BackupPlanId'])

Step 3: Apply AWS Backup Vault Lock

Once the backup vault is created, apply Vault Lock to enforce immutability and prevent deletions.

  • AWS Vault Lock is applied to the Backup Vault, ensuring the backup data is immutable.
  • Once the WORM Policy and retention rules are in place, they cannot be altered.

AWS CLI:

aws backup put-backup-vault-lock-configuration \
    --backup-vault-name MyBackupVault \
    --max-retention-days 365 \
    --min-retention-days 30 \
    --changeable-for-days 7

  • max-retention-days: Maximum number of days that backups can be retained in the vault.
  • min-retention-days: Minimum retention period during which backups cannot be deleted.
  • changeable-for-days: After this period, the vault lock configuration becomes immutable.

Python (Boto3):

import boto3

backup_client = boto3.client('backup', region_name='us-west-2')

# Once ChangeableForDays have elapsed, the lock and its retention bounds become permanent
response = backup_client.put_backup_vault_lock_configuration(
    BackupVaultName='MyBackupVault',
    MaxRetentionDays=365,
    MinRetentionDays=30,
    ChangeableForDays=7
)

print("Vault Lock Applied:", response)
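As an added example (not code from the article), the following offline check catches the two things that go wrong most often after Step 3: a backup plan rule whose retention falls outside the lock's minimum/maximum bounds (AWS Backup rejects such jobs), and a lock that has already passed its changeable window. The vault and rule dictionaries are constructed samples shaped like describe_backup_vault() output and the article's DailyBackup rule.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of a describe_backup_vault() response for the
# vault locked in Step 3; LockDate is when the 7-day changeable window ends.
VAULT = {
    "BackupVaultName": "MyBackupVault",
    "Locked": True,
    "MinRetentionDays": 30,
    "MaxRetentionDays": 365,
    "LockDate": datetime(2024, 1, 8, tzinfo=timezone.utc),
}
BEFORE_LOCK = datetime(2024, 1, 5, tzinfo=timezone.utc)   # still in the cooling-off window
AFTER_LOCK = datetime(2024, 1, 9, tzinfo=timezone.utc)    # lock is now immutable

# Constructed backup plan rules: the article's DailyBackup rule plus two that break the lock
DAILY_RULE = {"RuleName": "DailyBackup", "Lifecycle": {"DeleteAfterDays": 365}}
SHORT_RULE = {"RuleName": "WeeklyScratch", "Lifecycle": {"DeleteAfterDays": 7}}
NO_EXPIRY_RULE = {"RuleName": "KeepForever", "Lifecycle": {}}


def rule_fits_vault_lock(vault, rule):
    """Return (ok, reason). AWS Backup rejects recovery points whose retention
    falls outside the lock's [MinRetentionDays, MaxRetentionDays] range, so a
    plan must be checked against the lock before it targets a locked vault."""
    if not vault.get("Locked"):
        return True, "vault is not locked; no retention bounds are enforced"
    name = rule["RuleName"]
    days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
    lo, hi = vault.get("MinRetentionDays"), vault.get("MaxRetentionDays")
    if days is None:
        if hi is not None:
            return False, f"{name} never expires but the lock caps retention at {hi} days"
        return True, f"{name} never expires and the lock sets no maximum"
    if lo is not None and days < lo:
        return False, f"{name} retains {days} days, below the lock minimum of {lo}"
    if hi is not None and days > hi:
        return False, f"{name} retains {days} days, above the lock maximum of {hi}"
    return True, f"{name} retains {days} days, within [{lo}, {hi}]"


def lock_is_still_changeable(vault, now):
    """True while the lock can still be changed or removed (before LockDate).
    After LockDate the configuration is permanent, even for the account root,
    so this is the last moment to catch a mis-sized retention range."""
    lock_date = vault.get("LockDate")
    return bool(vault.get("Locked")) and lock_date is not None and now < lock_date
```

Run it against the real vault by replacing VAULT with backup_client.describe_backup_vault(BackupVaultName='MyBackupVault') and the rules with the plan's Rules list.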

Step 4: Create a Cross-Account Backup Role

To enable cross-account backups, you need to create an IAM role in the source AWS account (Account A) that trusts the destination AWS account (Account B).

  • For added resiliency, AWS Backup replicates backups across regions or AWS accounts automatically once a copy destination is configured.

AWS CLI:

aws iam create-role \
    --role-name CrossAccountBackupRole \
    --assume-role-policy-document '{
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::DESTINATION_ACCOUNT_ID:root"
        },
        "Action": "sts:AssumeRole"
      }
    }'

  • Replace DESTINATION_ACCOUNT_ID with the ID of the account where backups will be copied.

Python (Boto3):

import json

import boto3

iam_client = boto3.client('iam')

# Trust policy: lets the destination (Data Bunker) account assume this role
trust_policy = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::DESTINATION_ACCOUNT_ID:root"
        },
        "Action": "sts:AssumeRole"
    }
}

response = iam_client.create_role(
    RoleName='CrossAccountBackupRole',
    AssumeRolePolicyDocument=json.dumps(trust_policy)
)

print("Role Created:", response['Role']['Arn'])

Step 5: Attach Backup Permissions to the Role

Python (Boto3):

import json

import boto3

iam_client = boto3.client('iam')

# Inline policy granting the role the AWS Backup actions it needs for backup and copy jobs
backup_policy = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "backup:StartBackupJob",
            "backup:CopyBackupJob",
            "backup:CreateBackupVault"
        ],
        "Resource": "*"
    }
}

response = iam_client.put_role_policy(
    RoleName='CrossAccountBackupRole',
    PolicyName='BackupPolicy',
    PolicyDocument=json.dumps(backup_policy)
)

print("Policy Attached")

Step 6: Enable Cross-Account Backup (Source Account)

In the source account (Account A), configure AWS Backup to copy backups to the destination account (Account B).

In the secondary account (or region), the backups are stored in another Backup Vault with Vault Lock enabled, ensuring immutability.

AWS CLI:

aws backup start-backup-job \
    --resource-arn arn:aws:ec2:us-west-2:123456789012:volume/vol-0abcdef1234567890 \
    --iam-role-arn arn:aws:iam::123456789012:role/CrossAccountBackupRole \
    --backup-vault-name MyBackupVault \
    --idempotency-token my-token

# start-backup-job has no copy option; once the job has a recovery point (see describe-backup-job), copy it to the locked vault:
aws backup start-copy-job \
    --recovery-point-arn RECOVERY_POINT_ARN_FROM_BACKUP_JOB \
    --source-backup-vault-name MyBackupVault \
    --destination-backup-vault-arn Arn-of-destination-backup-vault \
    --iam-role-arn arn:aws:iam::123456789012:role/CrossAccountBackupRole

Python (Boto3):

import boto3
backup_client = boto3.client('backup', region_name='us-west-2')
response = backup_client.start_backup_job(
    ResourceArn='arn:aws:ec2:us-west-2:123456789012:volume/vol-0abcdef1234567890',
    IamRoleArn='arn:aws:iam::123456789012:role/CrossAccountBackupRole',
    BackupVaultName='MyBackupVault',
    IdempotencyToken='my-token'
)
print("Backup Job Started:", response['BackupJobId'])
# start_backup_job takes no copy parameter; once the job has a recovery point, copy it to the locked destination vault
job = backup_client.describe_backup_job(BackupJobId=response['BackupJobId'])
copy_job = backup_client.start_copy_job(
    RecoveryPointArn=job['RecoveryPointArn'],
    SourceBackupVaultName='MyBackupVault',
    DestinationBackupVaultArn='arn-of-destination-backup-vault',
    IamRoleArn='arn:aws:iam::123456789012:role/CrossAccountBackupRole'
)
print("Cross Account Copy Job Started:", copy_job['CopyJobId'])

Step 7: Monitor Backup Jobs

You can monitor the backup job status through the AWS CLI or Boto3 to ensure it has successfully completed.

AWS CLI:

aws backup describe-backup-job --backup-job-id YOUR_BACKUP_JOB_ID

Python (Boto3):

import boto3

backup_client = boto3.client('backup', region_name='us-west-2')

response = backup_client.describe_backup_job(
    BackupJobId='YOUR_BACKUP_JOB_ID'
)

print("Backup Job Status:", response['State'])

Step 8: Set Up Backup Vault Monitoring (Optional)

You can use Amazon CloudWatch or AWS Config to set up monitoring and alerts for backup jobs.

  • Using CloudTrail and AWS Config, administrators can track and audit all actions related to backups.
  • If any unauthorized attempts to delete or alter backups occur, CloudTrail will log these actions for investigation.
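As an added example (not from the article), here is how the CloudTrail audit trail from Step 8 can be turned into a detection: the function scans a CloudTrail log file for AWS Backup API calls that delete recovery points or remove Vault Lock, and reports denied attempts as well as successful ones. The records are constructed samples shaped like CloudTrail's Records array, using the article's placeholder account ID and vault name.

```python
import json

# AWS Backup API actions that delete recovery points or weaken vault protection;
# CloudTrail records them under eventSource backup.amazonaws.com with these eventNames.
DESTRUCTIVE_EVENTS = {
    "DeleteRecoveryPoint",
    "DeleteBackupVault",
    "DeleteBackupVaultLockConfiguration",
    "DeleteBackupVaultAccessPolicy",
    "UpdateRecoveryPointLifecycle",
}

# Constructed sample records (not real CloudTrail output), trimmed to the fields used below
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "backup.amazonaws.com", "eventName": "StartBackupJob",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/CrossAccountBackupRole"},
     "requestParameters": {"backupVaultName": "MyBackupVault"}},
    {"eventSource": "backup.amazonaws.com", "eventName": "DeleteRecoveryPoint",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"backupVaultName": "MyBackupVault"}},
    {"eventSource": "backup.amazonaws.com", "eventName": "DeleteBackupVaultLockConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"backupVaultName": "MyBackupVault"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
]})


def find_backup_tampering(cloudtrail_json, vault_names=("MyBackupVault",)):
    """Return findings for destructive AWS Backup events against the watched vaults.
    Denied attempts are reported too: a blocked DeleteRecoveryPoint on a locked
    vault is an indicator that someone is trying to remove the recovery path."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "backup.amazonaws.com" or rec.get("eventName") not in DESTRUCTIVE_EVENTS:
            continue
        vault = rec.get("requestParameters", {}).get("backupVaultName")
        if vault not in vault_names:
            continue
        denied = "errorCode" in rec
        # A successful lock removal means the lock was still inside its changeable window
        critical = rec["eventName"] == "DeleteBackupVaultLockConfiguration" and not denied
        findings.append({
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "vault": vault,
            "outcome": "denied" if denied else "succeeded",
            "severity": "critical" if critical else "high",
        })
    return findings
```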


Conclusion

Building a resilient data protection strategy in the cloud is essential for any organization facing today's advanced cyber threats. AWS Backup, combined with logically air-gapped vaults through AWS Backup Vault Lock, provides a robust solution for ensuring the security, integrity, and availability of your critical data.

With immutable backups, WORM compliance, cross-account isolation, and strict access controls, organizations can significantly reduce their risk of data loss or tampering. Whether it's ransomware, insider threats, or accidental deletions, AWS Backup's logically air-gapped vaults offer peace of mind, ensuring your backups are always there when you need them.

By implementing AWS Backup Vault Lock, you are taking a proactive step towards cyber resilience—ensuring your organization’s data is safe, recoverable, and compliant, no matter what challenges come your way.


-- Alok Saraswat

-- Reference: Amazon Web Services Documentation
