Logically air-gapped vaults (preview) - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Logically air-gapped vaults (preview)

Note

Starting August 9, 2023, Amazon Backup is offering a preview to use a logically air-gapped vault. To enroll in this preview, send a request via email to .

Features may change or be adjusted during and after the preview period. When the service becomes Generally Available (GA), the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.

Overview

Amazon Backup is previewing a secondary type of vault which can store copies of backups in other vaults . A logically air-gapped vault is a specialized vault which offers increased security features in addition to those of a backup vault as well as the ability to share vault access to other accounts and organizations so that recovery time (RTO) can be faster and more flexible in case of an incident that requires rapid restoration of resources.

Logically air-gapped vaults come equipped with additional protection features: each of these vaults is encrypted with an Amazon owned key, and each vault has a vault lock set in compliance mode.

You can choose to share a logically air-gapped vault across organizations and accounts so that the backups stored within can be restored from an account with which the vault is shared, if needed.

There are no additional charges for storage in logically air-gapped vaults during the preview period. Backups in standard backup vaults and cross-Region copies will still be charged at published rates (see pricing) even though any copies of those backups in logically air-gapped vaults are not charged.

Use case

A logically air-gapped vault is a secondary vault that serves as part of a data protection strategy. This vault can help enhance your organizational retention and recovery when you desire a vault for your backups that

  • Is automatically set with a vault lock in compliance mode

  • Contains backups which can be shared with and restored from a different account than the one that created the backup

  • Comes encrypted with an Amazon owned key

Resources supported in a logically air-gapped vault include

  • Amazon EC2

  • Amazon EBS

  • Amazon S3

  • Amazon EFS

  • Amazon RDS

This preview of logically air-gapped vaults is only available in US East (N. Virginia) Region. Because this feature is currently only in one Region, cross-Region copy is not supported during this preview period.

Compare and contrast with a standard backup vault

A backup vault is the primary and standard type of vault used in Amazon Backup. Each backup is stored in a backup vault when the backup is created. You can assign resource-based policies to manage backups stored in the vault, such as the lifecycle of backups stored within the vault.

A logically air-gapped vault is a specialized vault with additional security and flexible sharing for faster recovery time (RTO). This vault stores copies of backups that were initially created and stored within a standard backup vault.

Backup vaults can be encrypted with a key, a security mechanism that limits access to intended users. These keys can be customer managed or Amazon managed. Additionally, a backup vault can be even more secured by a vault lock; logically air-gapped vaults come equipped by a vault lock in compliance mode.

If the Amazon KMS key was not manually changed or set as a customer managed key (CMK) at the time the initial resource was created, a backup cannot be copied into a logically air-gapped vault.

Feature Backup vault Logically air-gapped vault (preview)

Backup creation

When a backup is created, it is stored as a recovery point

Backups are not stored in this vault upon creation

Backup storage

Can store initial backups of resources and copies of backups

Can store copies of backups from other vaults

Security

Can optionally be encrypted with a key (customer managed or Amazon managed)

Can optionally be locked with a vault lock

Is encrypted with an Amazon owned key

Is always locked with a vault lock in compliance mode

Sharability

Access can be managed through policies and Amazon Organizations

Not compatible with Amazon Resource Access Manager

Can optionally be shared across accounts using Amazon RAM

Restoration

Backups can be restored by the same account that owns the vault

Backups can be restored by a different account than the one which owns the backup if the vault is shared with that separate account

Regionality

Available in all Regions in which Amazon Backup operates

Available in US East (N. Virginia) Region during preview

Resources

Can store backups that contain all Amazon Backup supported resources

Can store backups that contain Amazon EC2, Amazon EBS, Amazon EFS, Amazon S3, or Amazon RDS data

Create a logically air-gapped vault from the console

Important

Once the vault is created, the vault name, the vault type, and the minimum and maximum retention periods cannot be changed; additionally, the vault lock cannot be removed.

When the service becomes Generally Available, the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. In the navigation pane, select Vaults.

  3. Both types of vaults will be displayed. Select Create new vault.

  4. Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups.

  5. Select the radio button for logically air-gapped vault.

  6. Set the Minimum retention period.

    This value (in days, months, or years) is the shortest amount of time a backup can be retained in this vault. Backups with retention periods shorter than this value cannot be copied to this vault.

  7. Set the Maximum retention period.

    This value (in days, months, or years) is the longest amount of time a backup can be retained in this vault. Backups with retention periods greater than this value cannot be copied to this vault.

  8. (Optional) Add tags that will help you search for and identify your logically air-gapped vault. For example, you could add a BackupType:Financial tag.

  9. Select Create vault.

  10. Review the settings. If all settings show as you intended, select Create logically air-gapped vault.

  11. The console will take you to the details page of your new vault. Verify the vault details are as expected.

View logically air-gapped vault details in the console

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. Select Vaults from the left-hand navigation.

  3. Below the descriptions of vaults will be two lists, Vaults owned by this account and Vaults shared with this account. Select the desired tab to view the vaults.

  4. Under Vault name, click on the name of the vault to open the details page. You can see the summary, the recovery points, the protected resources, account sharing, access policy, and tag details.

Copy from a standard backup vault to a logically air-gapped vault in the console

Logically air-gapped vaults can only be a copy job destination target in a backup plan or a target for an on-demand copy job.

To initiate a copy job, you must have

  • A backup vault

  • A logically air-gapped vault

  • A backup containing Amazon EC2, Amazon EBS, Amazon RDS, Amazon S3, or Amazon EFS data

  • The permission kms:CreateGrant for the role being used to create the copy.

  • No backups encrypted with an Amazon managed key as part of your copy job to the logically air-gapped vault

Once you confirm the above,

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. Select Vaults from the left-hand navigation.

  3. In the vault detail page, all recovery points within that vault are displayed. Place a check mark next to the recovery point you wish to copy.

  4. Select Actions, and then select Copy from the drop-down menu.

  5. On the next screen, input the details of the destination.

    1. Region must be set to US East (N. Virginia)

    2. Destination backup vault drop-down menu displays eligible destination vaults. Select one with the type logically air-gapped vault

  6. Select Copy once all details are set to your preferences.

On the Jobs page in the console, you can select Copy jobs to see current copy jobs.

For more information, see Copying a backup, cross-Region backup, and Cross-account backup.

Share a logically air-gapped vault from the console

Note

Only accounts with certain IAM privileges can share and manage sharing of accounts.

You can use Amazon RAM to share a logically air-gapped vault with other accounts you designate. To share using Amazon RAM, ensure you have the following:

  • Two or more accounts that can access Amazon Backup

  • An account that intends to share has necessary RAM permissions. The permission ram:CreateResourceShare is necessary for this procedure. The policy AWSResourceAccessManagerFullAccess contains all needed RAM-related permissions.

  • At least one logically air-gapped vault

To share a logically air-gapped vault,

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. Select Vaults from the left-hand navigation.

  3. Below the descriptions of vaults will be two lists, Vaults owned by this account and Vaults shared with this account.Select the desired list to view the vaults.

  4. Under Vault name, select the name of the logically air-gapped vault to open the details page.

  5. The account sharing pane shows with which accounts the vault is being shared.

  6. To begin sharing with another account or to edit accounts already being shared, select Manage sharing.

Amazon RAM console opens when Manage sharing is selected. For steps to share a resource using Amazon RAM, see Creating a resource share in Amazon RAM.

Ensure you have appropriate permissions. Backup Administrator IAM Policy [AWSBackupFullAccess] and Backup Operator IAM Policy [AWSBackupOperatorAccess] contain the required permission to view shared accounts; however, the role you use to share needs Resource Access Manager write permissions to share the account from RAM, such as ram:CreateResourceShare.

The account invited to accept an invitation to receive a share has 12 hours to accept the invitation. See Accepting and rejecting resource share invitations in the Amazon RAM User Guide.

If the sharing steps are completed and accepted, the vault summary page will show under Account sharing = “Shared - see account sharing table below”.

Restore a backup from a logically air-gapped vault using the console

You can restore a backup stored in a logically air-gapped vault from either the account that owns the vault or from any accounts with which the vault is shared.

See Restoring a backup for information on how to restore a recovery point.

Delete a logically air-gapped vault using the console

Important

When the service becomes Generally Available, the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.

See delete a backup vault to delete a vault. Vaults cannot be deleted if they still contain backups (recovery points). Ensure the vault is empty of backups before you initiate a delete operation.

Logically air-gapped vaults through CLI/API

You can use Amazon CLI to programmatically carry out operations for logically air-gapped vaults. Each CLI is specific to the Amazon service in which it originates. Commands related to sharing are prepended with aws ram; all other commands should be prepended with aws backup.

Create

The following sample CLI command CreateLogicallyAirGappedBackupVault can be modified to create a logically air-gapped backup vault:

aws backup create-logically-air-gapped-backup-vault \ --region us-east-1 \ --logically-air-gapped-backup-vault-name sampleName \ --min-retention-days 1 \ --max-retention-days 7 \ --creator-request-id 123456789012-34567-8901 (optional)

View details

The following sample CLI command DescribeBackupVault can be modified to obtain details about a vault:

aws backup describe-backup-vault \ --region us-east-1 \ --backup-vault-name testvaultname

Share

Note

Only accounts with sufficient IAM permissions can share and manage sharing of accounts.

You can share a logically air-gapped vault through Amazon Resource Access Manager (RAM), a service that helps users share resources.

Amazon RAM uses the CLI command create-resource-share. The access to this command is only available to admin accounts with sufficient permissions. See Creating a resource share in Amazon RAM for CLI steps.

Steps 1 through 4 are conducted with the account that owns the logically air-gapped vault. Steps 5 through 8 are conducted with the account with which the logically air-gapped vault will be shared.

  1. Log into the owning account OR request a user at your organization with sufficient credentials for accessing the source account completes these steps.

    1. If a resource share was previously created and you wish to add an additional resource to it, use CLI associate-resource-share instead with the ARN of the new vault.

  2. Fetch credentials of a role with sufficient permissions to share via RAM. Input these into the CLI.

    1. The permission ram:CreateResourceShare is necessary for this procedure. The policy AWSResourceAccessManagerFullAccess contains all RAM-related permissions.

  3. Use create-resource-share.

    1. Include the ARN of the logically air-gapped vault.

    2. Example input:

      aws ram create-resource-share \ --name MyLogicallyAirGappedVault \ --resource-arns arn:aws:backup:us-east-1:123456789012:backup-vault:test-vault-1 \ --principals 123456789012 \ --region us-east-1

      Example output:

      { "resourceShare":{ "resourceShareArn":"arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543", "name":"MyLogicallyAirGappedVault", "owningAccountId":"123456789012", "allowExternalPrincipals":true, "status":"ACTIVE", "creationTime":"2021-09-14T20:42:40.266000-07:00", "lastUpdatedTime":"2021-09-14T20:42:40.266000-07:00" } }
  4. Copy the resource share ARN in the output (which is needed for subsequent steps). Give the ARN to the operator of account you are inviting to receive the share.

  5. Obtain the resource share ARN

    1. If you did not perform steps 1 through 4, obtain the resourceShareArn from whomever did.

    2. Example: arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543

  6. In the CLI, assume credentials of the recipient account.

  7. Get resource share invitation with get-resource-share-invitations. For more information, see Accepting and rejecting invitations in the Amazon RAM User Guide.

  8. Accept the invitation in destination (recovery) account.

    1. Use accept-resource-share-invitation (can also reject-resource-share-invitation).

List

The CLI command ListBackupVaults can be modified to list all the vaults owned by and present in the account:

aws backup list-backup-vaults \ --region us-east-1

To list just the logically air-gapped vaults, add the parameter

--by-vault-type LOGICALLY_AIR_GAPPED_BACKUP_VAULT

To list vaults shared with the account, use

aws backup list-backup-vaults \ --region us-east-1 \ --by-shared

Copy

A logically air-gapped vault can only be a target for a copy job of a backup, not the target of an initial backup job. Use StartCopyJob to copy an existing backup in a backup vault to a logically air-gapped vault.

The role which is being used to create the copy job to the logically air-gapped vault must contain the permission kms:CreateGrant.

Sample CLI input:

aws backup start-copy-job \ --region us-east-1 \ --recovery-point-arn arn:aws:resourcetype:region::snapshot/snap-12345678901234567 \ --source-backup-vault-name sourcevaultname \ --destination-backup-vault-arn arn:aws:backup:us-east-1:123456789012:backup-vault:destinationvaultname \ --iam-role-arn arn:aws:iam::123456789012:role/service-role/servicerole

Restore

Once a backup has been shared from a logically air-gapped vault to your, account, you can use StartRestoreJob to restore the backup. Sample CLI input:

aws backup start-restore-job \ --recovery-point-arn arn:aws:backup:us-east-1:accountnumber:recovery-point:RecoveryPointID \ --metadata {\"availabilityzone\":\"us-east-1d\"} \ --idempotency-token TokenNumber \ --resource-type ResourceType \ --iam-role arn:aws:iam::number:role/service-role/servicerole \ --region us-east-1

Delete

The following sample CLI command DeleteBackupVault can be used to delete a vault. A vault can only be deleted if there are no backups (recovery points) inside the vault.

aws backup delete-backup-vault --region us-east-1 --backup-vault-name testvaultname

Other programmatic options available include: