Data loss events from ransomware or account compromise remain a top concern for customers. One customer need during a service restore is sharing recovery points stored in AWS Backup with other accounts, including cross organization, for faster direct restore. Additionally, customers need to maintain access to the original AWS Key Management Service (AWS KMS) Customer Managed Key (CMK) used to encrypt the recovery point. Today, we are excited to announce the public preview of AWS Backup logically air-gapped vault, a new type of vault that can be shared for recovery with other accounts using AWS Resource Access Manager (RAM).
Customers use AWS Backup to help secure backup data storage and for efficient management of their cloud data backups. As a fully managed backup service, customers benefit from an organizational framework that simplifies backup administration and facilitates the implementation of access control policies across accounts and Regions.
In this blog, I will walk through setting up and using a logically air-gapped vault, which stores immutable backup copies that are locked by default and isolated with encryption using AWS owned keys, to help improve your recovery time and defense in depth posture.
How AWS Backup logically air-gapped vault works
To address ransomware concerns and enhance data security, AWS Backup introduces logically air-gapped vault in preview. With this new capability, the immutable backup copies are locked by default and further protected through encryption using AWS-owned keys. Employing an AWS Backup owned KMS key to encrypt recovery points helps customers with accidental or unwanted deletions of customer managed keys.
Furthermore, the logically air-gapped vault simplifies the process of sharing its backup data with other accounts for restore purposes. Leveraging AWS Resource Access Manager (RAM), customers can share the vault data with specific accounts, including cross organization, for faster direct restore. Once the vault is shared, backups can be directly restored, removing the step where backups are copied into the destination account first. This reduces the operational overhead, time to recover from a data loss event, and cost of extra copies.
Getting started with AWS Backup logically air-gapped vault
This section will cover the steps required to use a logically air-gapped vault and the steps required to share the logically air-gapped vault contents with another account as well as using them in a restore operation.
Note: Please make sure you read and understand the conditions associated with this public preview using the Learn more link in the banner.
You can create a new logically air-gapped vault from the Vaults menu on AWS Backup console. Select Create logically air-gapped vaults to create a new vault.
On the Create vault page, along with the Vault name and Vault type selection (as Logically air-gapped vault), you are required to enter the Minimum retention period and Maximum retention period values that will define the default vault lock parameters.
Select Create vault to complete the logically air-gapped vault creation process.
You should then be able to view the newly created logically air-gapped vault under the Vaults owned by this account section using the Search by vault name filter.
Once logically air-gapped vault has been created, you can then find a recovery point to be copied into this new vault or use the new vault as a copy destination in a backup plan. From the list of recovery points of an existing AWS Backup Vault, select a recovery point to launch the details page.
Launch a new copy job by selecting the Copy button. With the same AWS Region selected, choose the previously created logically air-gapped vault as the destination vault. Initiate the copy by selecting the Copy button.
Once the Copy job completes, you will be able to find details of the copied recovery point using the Destination Recovery point ARN.
Using logically air-gapped vault in a backup plan
The logically air-gapped vault can be set up as the destination of a Copy operation using an AWS Backup plan rule, allowing users to setup automated data protection strategies to store recovery points directly inside a logically air-gapped vault. Select the Copy to destination – optional section to define a new copy operation. This also lists all logically-air gapped vaults in the selected destination.
Viewing logically air-gapped vault contents
The AWS Backup vault details page has a new Protected resources tab along with the Recovery points details. The details page also shows the vault lock maximum and minimum retention periods.
Sharing recovery point(s)
The contents of the new logically air-gapped vault can be share with accounts in the same or different AWS Organizations using AWS Resource Access Manager (RAM). The accounts with which the vault contents are shared can be managed by choosing the Manage sharing option.
This takes you to the AWS Resource Access Manager console. You can create a new share using the Create resource share option. The detailed instructions are available in the AWS Resource Access Manager User Guide.
Access Recovery Points from shared vaults
You will be able to access recovery points from a shared vault under the Vaults shared with this account tab in the Vaults console.
By selecting the logically air-gapped vault that is shared with the current account, you can access the contents of the vault. After selecting an appropriate recovery point, you can initiate a restore by clicking on the Restore option in the Actions menu.
Things to know
All recovery points stored in the logically air-gapped vault during the preview will be automatically deleted when the feature becomes generally available. For that reason, AWS recommends using test data instead of production data with the preview. There are no additional charges for backups stored in logically air-gapped vault during preview. However, the primary backups, which are stored in backup vaults, will still be charged at published rates (see AWS Backup pricing page). Please ensure that any test resources that were provisioned as part of the testing process is also removed to avoid any unwanted charges.
In this blog, I showed how to get started using AWS Backup logically air-gapped vault to store immutable backup copies that are locked by default and isolated with encryption using an AWS owned key.
AWS Backup logically air-gapped vault (preview) is available in US East (Virginia) Region. It currently supports backup and restore of Amazon Simple Storage Service (Amazon S3), Amazon Elastic File System (Amazon EFS), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS). For more information on this preview, visit the AWS Backup product page and documentation. To enroll in this preview, send an email to firstname.lastname@example.org with your AWS account ID.
We recommend that you explore the capabilities of the logically air-gapped vault and understand how existing data protection strategies implemented using AWS Backup could enhance your data protection and resilience. We welcome your feedback and questions about logically air-gapped vault preview in the comment section.