Logically air-gapped vaults (preview)
Note
Starting August 9, 2023, Amazon Backup is offering a preview to use a logically air-gapped vault. To enroll in this preview, send a request via email to aws-backup-vault-preview@amazon.com.
Features may change or be adjusted during and after the preview period. When the service becomes Generally Available (GA), the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.
Overview
Amazon Backup is previewing a secondary type of vault that stores copies of backups held in other vaults. A logically air-gapped vault is a specialized vault that offers increased security features in addition to those of a standard backup vault, as well as the ability to share vault access with other accounts and organizations, so that the recovery time objective (RTO) can be shorter and more flexible in an incident that requires rapid restoration of resources.
Logically air-gapped vaults come with additional protection features: each vault is encrypted with an Amazon owned key, and each vault has a vault lock set in compliance mode, so the lock cannot be removed once the vault is created.
You can choose to share a logically air-gapped vault across organizations and accounts so that the backups stored within it can be restored from an account with which the vault is shared, if needed.
There are no additional charges for storage in logically air-gapped vaults during the preview period. Backups in standard backup vaults and cross-Region copies will still be charged at published rates (see Amazon Backup pricing).
Use case
A logically air-gapped vault is a secondary vault that serves as part of a data protection strategy. This vault can help enhance your organizational retention and recovery when you want a vault for your backups that:
- Is automatically set with a vault lock in compliance mode
- Contains backups that can be shared with, and restored from, a different account than the one that created the backup
- Is encrypted with an Amazon owned key
Resources supported in a logically air-gapped vault include:
- Amazon EC2
- Amazon EBS
- Amazon S3
- Amazon EFS
- Amazon RDS
This preview of logically air-gapped vaults is only available in US East (N. Virginia) Region. Because this feature is currently only in one Region, cross-Region copy is not supported during this preview period.
Compare and contrast with a standard backup vault
A backup vault is the primary and standard type of vault used in Amazon Backup. Each backup is stored in a backup vault when it is created. You can assign resource-based policies to manage the backups stored in the vault, such as the lifecycle of those backups.
A logically air-gapped vault is a specialized vault with additional security and flexible sharing for a faster recovery time objective (RTO). It stores copies of backups that were initially created and stored in a standard backup vault.
Backup vaults can be encrypted with a key, a security mechanism that limits access to intended users; these keys can be customer managed or Amazon managed. A backup vault can additionally be secured with a vault lock; logically air-gapped vaults always come with a vault lock in compliance mode.
A backup can only be copied into a logically air-gapped vault if it is encrypted with a customer managed key (CMK). If the Amazon KMS key was left at the Amazon managed default rather than set to a CMK when the original resource was created, the resulting backups cannot be copied into a logically air-gapped vault.
Feature | Backup vault | Logically air-gapped vault (preview) |
---|---|---|
Recovery point creation | When a backup is created, it is stored in this vault as a recovery point | Backups are not stored in this vault upon creation |
Contents | Can store initial backups of resources and copies of backups | Can store copies of backups from other vaults |
Encryption and vault lock | Can optionally be encrypted with a key (customer managed or Amazon managed); can optionally be locked with a vault lock | Is encrypted with an Amazon owned key; is always locked with a vault lock in compliance mode |
Sharability | Access can be managed through policies and Amazon Organizations; not compatible with Amazon Resource Access Manager (RAM) | Can optionally be shared across accounts using Amazon RAM |
Restore | Backups can be restored by the same account that owns the vault | Backups can be restored by a different account than the one that owns the backup if the vault is shared with that account |
Region availability | Available in all Regions in which Amazon Backup operates | Available in US East (N. Virginia) Region during the preview |
Supported resources | Can store backups of all Amazon Backup supported resources | Can store backups that contain Amazon EC2, Amazon EBS, Amazon EFS, Amazon S3, or Amazon RDS data |
Create a logically air-gapped vault from the console
Important
Once the vault is created, the vault name, the vault type, and the minimum and maximum retention periods cannot be changed; additionally, the vault lock cannot be removed.
When the service becomes Generally Available, the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.
1. Open the Amazon Backup console at https://console.amazonaws.cn/backup. In the navigation pane, select Vaults.
2. Both types of vaults are displayed. Select Create new vault.
3. Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups. Select the radio button for logically air-gapped vault.
4. Set the Minimum retention period. This value (in days, months, or years) is the shortest amount of time a backup can be retained in this vault. Backups with retention periods shorter than this value cannot be copied to this vault.
5. Set the Maximum retention period. This value (in days, months, or years) is the longest amount of time a backup can be retained in this vault. Backups with retention periods greater than this value cannot be copied to this vault.
6. (Optional) Add tags that will help you search for and identify your logically air-gapped vault. For example, you could add a BackupType:Financial tag. Select Create vault.
7. Review the settings. If all settings show as you intended, select Create logically air-gapped vault.
8. The console takes you to the details page of your new vault. Verify that the vault details are as expected.
View logically air-gapped vault details in the console
1. Open the Amazon Backup console at https://console.amazonaws.cn/backup. Select Vaults from the left-hand navigation.
2. Below the descriptions of vaults are two lists, Vaults owned by this account and Vaults shared with this account. Select the desired tab to view the vaults.
3. Under Vault name, click the name of the vault to open the details page. You can see the summary, the recovery points, the protected resources, account sharing, access policy, and tag details.
Copy from a standard backup vault to a logically air-gapped vault in the console
A logically air-gapped vault can only be the destination of a copy job, either as the copy destination in a backup plan or as the target of an on-demand copy job.
To initiate a copy job, you must have:
- A backup vault
- A logically air-gapped vault
- A backup containing Amazon EC2, Amazon EBS, Amazon RDS, Amazon S3, or Amazon EFS data
- The permission kms:CreateGrant for the role being used to create the copy
- No backups encrypted with an Amazon managed key in the copy job to the logically air-gapped vault (such backups cannot be copied into it)
Once you confirm the above:
1. Open the Amazon Backup console at https://console.amazonaws.cn/backup. Select Vaults from the left-hand navigation, then select the source backup vault.
2. In the vault detail page, all recovery points within that vault are displayed. Place a check mark next to the recovery point you wish to copy.
3. Select Actions, and then select Copy from the drop-down menu.
4. On the next screen, input the details of the destination. Region must be set to US East (N. Virginia). The Destination backup vault drop-down menu displays eligible destination vaults; select one with the type logically air-gapped vault.
5. Select Copy once all details are set to your preferences.
6. On the Jobs page in the console, select Copy jobs to see current copy jobs.
For more information, see Copying a backup, cross-Region backup, and Cross-account backup.
Share a logically air-gapped vault from the console
Note
Only principals with the required IAM permissions can share a vault and manage its sharing.
You can use Amazon RAM to share a logically air-gapped vault with other accounts you designate. To share using Amazon RAM, ensure you have the following:
- Two or more accounts that can access Amazon Backup
- An account that intends to share, with the necessary RAM permissions. The permission ram:CreateResourceShare is necessary for this procedure; the managed policy AWSResourceAccessManagerFullAccess contains all needed RAM-related permissions
- At least one logically air-gapped vault
To share a logically air-gapped vault:
1. Open the Amazon Backup console at https://console.amazonaws.cn/backup. Select Vaults from the left-hand navigation.
2. Below the descriptions of vaults are two lists, Vaults owned by this account and Vaults shared with this account. Select the desired list to view the vaults.
3. Under Vault name, select the name of the logically air-gapped vault to open the details page. The Account sharing pane shows the accounts with which the vault is shared.
4. To begin sharing with another account or to edit accounts already being shared, select Manage sharing. The Amazon RAM console opens. For steps to share a resource using Amazon RAM, see Creating a resource share in the Amazon RAM User Guide. Ensure you have the appropriate permissions: the Backup administrator IAM policy AWSBackupFullAccess plus ram:CreateResourceShare.
5. The account invited to receive a share has 12 hours to accept the invitation. See Accepting and rejecting resource share invitations in the Amazon RAM User Guide.
6. If the sharing steps are completed and the invitation is accepted, the vault summary page shows Account sharing = "Shared - see account sharing table below".
Restore a backup from a logically air-gapped vault using the console
You can restore a backup stored in a logically air-gapped vault from either the account that owns the vault or from any accounts with which the vault is shared.
See Restoring a backup for information on how to restore a recovery point.
Delete a logically air-gapped vault using the console
Important
When the service becomes Generally Available, the data and configurations provided during the preview will no longer be available. Amazon recommends using test data instead of production data with the preview.
See Deleting a backup vault for the steps to delete a vault. Vaults cannot be deleted while they still contain backups (recovery points). Ensure the vault is empty of backups before you initiate a delete operation.
Logically air-gapped vaults through CLI/API
You can use the Amazon CLI to programmatically carry out operations for logically air-gapped vaults. Each CLI command belongs to the Amazon service in which it originates: commands related to sharing are prefixed with aws ram; all other commands are prefixed with aws backup.
Create
The following sample CLI command, CreateLogicallyAirGappedBackupVault, can be modified to create a logically air-gapped backup vault:

```bash
aws backup create-logically-air-gapped-backup-vault \
    --region us-east-1 \
    --backup-vault-name sampleName \
    --min-retention-days 7 \
    --max-retention-days 35 \
    --creator-request-id 123456789012-34567-8901   # optional
```
View details
The following sample CLI command, DescribeBackupVault, can be modified to obtain details about a vault:

```bash
aws backup describe-backup-vault \
    --region us-east-1 \
    --backup-vault-name testvaultname
```
Share
Note
Only principals with sufficient IAM permissions can share a vault and manage its sharing.
You can share a logically air-gapped vault through Amazon Resource Access Manager (RAM), a service that helps users share resources. Amazon RAM uses the CLI command create-resource-share; this command is only available to principals with sufficient permissions. See Creating a resource share in the Amazon RAM User Guide for CLI steps.
Steps 1 through 4 are performed by the account that owns the logically air-gapped vault. Steps 5 through 8 are performed by the account with which the logically air-gapped vault will be shared.
1. Log in to the owning account, or ask a user at your organization with sufficient credentials for the source account to complete these steps. If a resource share was previously created and you want to add another vault to it, use the CLI command associate-resource-share with the ARN of the new vault instead of creating a new share.
2. Fetch credentials of a role with sufficient permissions to share via RAM and input them into the CLI. The permission ram:CreateResourceShare is necessary for this procedure; the managed policy AWSResourceAccessManagerFullAccess contains all RAM-related permissions.
3. Create the resource share, including the ARN of the logically air-gapped vault. Example input:

```bash
aws ram create-resource-share \
    --name MyLogicallyAirGappedVault \
    --resource-arns arn:aws:backup:us-east-1:123456789012:backup-vault:test-vault-1 \
    --principals 123456789012 \
    --region us-east-1
```

Example output:

```json
{
  "resourceShare": {
    "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543",
    "name": "MyLogicallyAirGappedVault",
    "owningAccountId": "123456789012",
    "allowExternalPrincipals": true,
    "status": "ACTIVE",
    "creationTime": "2021-09-14T20:42:40.266000-07:00",
    "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00"
  }
}
```

4. Copy the resource share ARN from the output (it is needed in the following steps) and give it to the operator of the account you are inviting to receive the share.
5. Obtain the resource share ARN. If you did not perform steps 1 through 4, obtain the resourceShareArn from whoever did. Example: arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543
6. In the CLI, assume credentials of the recipient account.
7. Retrieve the pending invitation with get-resource-share-invitations. For more information, see Accepting and rejecting invitations in the Amazon RAM User Guide.
8. Accept the invitation in the destination (recovery) account with accept-resource-share-invitation (or decline it with reject-resource-share-invitation).
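Steps 3 and 5 through 8 above each carry a check that the procedure leaves implicit: the owner should only ever share a backup vault ARN with principals it has deliberately chosen, and the recipient should accept only the invitation whose resource share ARN it was handed out of band, from the account that actually owns that ARN, while the 12-hour window is still open. The following is an added example and not code from Amazon Backup, Amazon RAM or this guide; it makes no API calls. The invitation records are constructed to mirror the fields returned by get-resource-share-invitations (resourceShareArn, senderAccountId, receiverAccountId, status, invitationTimestamp), and the account IDs, ARNs and allow-list are placeholders.

```python
"""Owner-side and recipient-side checks around sharing a logically air-gapped
vault through Amazon RAM. Added example; no AWS calls are made and all
identifiers below are placeholders."""
from datetime import datetime, timedelta

INVITATION_TTL = timedelta(hours=12)  # acceptance window stated in this section


def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def build_share_request(name, vault_arn, principals, trusted_accounts):
    """Owner side: validate inputs and return the parameters for create-resource-share.

    Refuses anything that is not a Backup vault ARN, and refuses principals that
    are not on the operator's own allow-list of recovery accounts, so a typo in
    --principals cannot hand the vault to a stranger."""
    fields = parse_arn(vault_arn)
    if fields["service"] != "backup" or not fields["resource"].startswith("backup-vault:"):
        raise ValueError(f"{vault_arn} is not a backup vault ARN")
    untrusted = sorted(set(principals) - set(trusted_accounts))
    if untrusted:
        raise ValueError(f"refusing to share with untrusted principals: {untrusted}")
    return {
        "name": name,
        "resourceArns": [vault_arn],
        "principals": list(principals),
        "region": fields["region"],  # RAM shares are regional; use the vault's Region
    }


def select_invitation(invitations, expected_share_arn, now):
    """Recipient side: return the one invitation that is safe to accept, or None.

    The share ARN was handed over out of band. An invitation qualifies only if it
    is still PENDING, carries exactly that ARN, was sent by the account that owns
    the ARN, and is younger than the 12-hour acceptance window."""
    owner = parse_arn(expected_share_arn)["account"]
    for inv in invitations:
        if inv.get("status") != "PENDING":
            continue
        if inv.get("resourceShareArn") != expected_share_arn:
            continue
        if inv.get("senderAccountId") != owner:
            continue
        sent = datetime.fromisoformat(inv["invitationTimestamp"])
        if now - sent > INVITATION_TTL:
            continue  # expired; the owner must re-share
        return inv
    return None


# Constructed sample data (placeholders, shaped like the CLI output)
SHARE_ARN = "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543"
VAULT_ARN = "arn:aws:backup:us-east-1:123456789012:backup-vault:test-vault-1"
RECOVERY_ACCOUNT = "210987654321"
SAMPLE_INVITATIONS = [
    {   # look-alike share name from an unrelated sender: must be ignored
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:999999999999:resource-share-invitation/aaaa",
        "resourceShareName": "MyLogicallyAirGappedVault",
        "resourceShareArn": "arn:aws:ram:us-east-1:999999999999:resource-share/deadbeef-0000-1111",
        "senderAccountId": "999999999999", "receiverAccountId": RECOVERY_ACCOUNT,
        "invitationTimestamp": "2021-09-14T21:00:00-07:00", "status": "PENDING",
    },
    {   # genuine, but older than the 12-hour window
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:123456789012:resource-share-invitation/bbbb",
        "resourceShareName": "MyLogicallyAirGappedVault", "resourceShareArn": SHARE_ARN,
        "senderAccountId": "123456789012", "receiverAccountId": RECOVERY_ACCOUNT,
        "invitationTimestamp": "2021-09-13T06:00:00-07:00", "status": "PENDING",
    },
    {   # genuine and fresh: the one to accept
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:123456789012:resource-share-invitation/cccc",
        "resourceShareName": "MyLogicallyAirGappedVault", "resourceShareArn": SHARE_ARN,
        "senderAccountId": "123456789012", "receiverAccountId": RECOVERY_ACCOUNT,
        "invitationTimestamp": "2021-09-14T20:42:40.266000-07:00", "status": "PENDING",
    },
]
NOW = datetime.fromisoformat("2021-09-14T22:00:00-07:00")

if __name__ == "__main__":
    print(build_share_request("MyLogicallyAirGappedVault", VAULT_ARN, [RECOVERY_ACCOUNT], {RECOVERY_ACCOUNT}))
    chosen = select_invitation(SAMPLE_INVITATIONS, SHARE_ARN, NOW)
    print(chosen["resourceShareInvitationArn"] if chosen else "no acceptable invitation")
```

The returned dictionary from build_share_request maps one-to-one onto the --name, --resource-arns, --principals and --region arguments of create-resource-share, and the invitation chosen by select_invitation is the one whose resourceShareInvitationArn is passed to accept-resource-share-invitation.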
List
The CLI command ListBackupVaults can be modified to list all the vaults owned by and present in the account:

```bash
aws backup list-backup-vaults \
    --region us-east-1
```

To list just the logically air-gapped vaults, add the parameter --by-vault-type LOGICALLY_AIR_GAPPED_BACKUP_VAULT.

To list vaults shared with the account, use:

```bash
aws backup list-backup-vaults \
    --region us-east-1 \
    --by-shared
```
Copy
A logically air-gapped vault can only be the target of a copy job, not the target of an initial backup job. Use StartCopyJob to copy an existing backup in a backup vault to a logically air-gapped vault.
The role used to create the copy job to the logically air-gapped vault must have the permission kms:CreateGrant.
Sample CLI input:

```bash
aws backup start-copy-job \
    --region us-east-1 \
    --recovery-point-arn arn:aws:resourcetype:region::snapshot/snap-12345678901234567 \
    --source-backup-vault-name sourcevaultname \
    --destination-backup-vault-arn arn:aws:backup:us-east-1:123456789012:backup-vault:destinationvaultname \
    --iam-role-arn arn:aws:iam::123456789012:role/service-role/servicerole
```
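The copy prerequisites listed in the console section above and in this CLI step (supported resource type, source encrypted with a customer managed key rather than an Amazon managed one, destination a logically air-gapped vault in US East (N. Virginia), retention inside the vault's locked minimum and maximum, and kms:CreateGrant on the copy role) are cheap to verify before a copy job is submitted and fails. The following preflight is an added example and not code from Amazon Backup or this guide; it makes no API calls. The dictionaries are constructed to mirror the shape of describe-recovery-point, describe-backup-vault, aws kms describe-key (where KeyMetadata.KeyManager is "AWS" for an Amazon managed key and "CUSTOMER" for a customer managed key) and an IAM identity policy; the policy evaluation is a simplified one (no Conditions), and all names, ARNs and account IDs are placeholders.

```python
"""Preflight checks for copying a recovery point into a logically air-gapped
vault. Added example; no AWS calls are made and all identifiers are
placeholders. Input dictionaries mirror the CLI/API output shapes."""
import fnmatch

SUPPORTED_RESOURCE_TYPES = {"EC2", "EBS", "S3", "EFS", "RDS"}
PREVIEW_REGION = "us-east-1"
LAG_VAULT_TYPE = "LOGICALLY_AIR_GAPPED_BACKUP_VAULT"


def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_allows(policy_doc, action, resource="*"):
    """True if an IAM identity policy grants `action` on `resource`.

    Action matching is case-insensitive and wildcard-aware ("kms:*", "*");
    an explicit Deny that matches wins over any Allow, as in IAM evaluation.
    Condition blocks are not evaluated (simplification)."""
    allowed = denied = False
    for stmt in policy_doc.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def check_copy_preflight(recovery_point, dest_vault, key_metadata, role_policy,
                         copy_retention_days):
    """Return the reasons the copy job would be rejected; an empty list means go."""
    problems = []
    rtype = recovery_point.get("ResourceType")
    if rtype not in SUPPORTED_RESOURCE_TYPES:
        problems.append(f"resource type {rtype} is not supported in a logically air-gapped vault")
    # The source must be encrypted with a customer managed key; a backup under an
    # Amazon managed key (KeyManager "AWS", alias aws/<service>) cannot be copied.
    if not recovery_point.get("IsEncrypted") or key_metadata is None:
        problems.append("recovery point is not encrypted with a KMS key")
    elif key_metadata.get("KeyManager") != "CUSTOMER":
        problems.append("recovery point is encrypted with an Amazon managed key, not a CMK")
    if dest_vault.get("VaultType") != LAG_VAULT_TYPE:
        problems.append("destination is not a logically air-gapped vault")
    if parse_arn(dest_vault["BackupVaultArn"])["region"] != PREVIEW_REGION:
        problems.append(f"destination vault must be in {PREVIEW_REGION} during the preview")
    # The copy's retention must fall inside the vault's locked retention window.
    lo, hi = dest_vault["MinRetentionDays"], dest_vault["MaxRetentionDays"]
    if not lo <= copy_retention_days <= hi:
        problems.append(f"retention of {copy_retention_days} days is outside the vault window {lo}-{hi}")
    # Amazon Backup needs kms:CreateGrant through the copy role on the source key.
    key_arn = recovery_point.get("EncryptionKeyArn", "*")
    if not policy_allows(role_policy, "kms:CreateGrant", key_arn):
        problems.append("copy role lacks kms:CreateGrant on the source key")
    return problems


# Constructed sample data (placeholders, shaped like the CLI output)
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_RECOVERY_POINT = {  # like describe-recovery-point
    "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-12345678901234567",
    "BackupVaultName": "sourcevaultname", "ResourceType": "EBS",
    "IsEncrypted": True, "EncryptionKeyArn": CMK_ARN, "Lifecycle": {"DeleteAfterDays": 30},
}
SAMPLE_LAG_VAULT = {  # like describe-backup-vault
    "BackupVaultName": "destinationvaultname",
    "BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:destinationvaultname",
    "VaultType": LAG_VAULT_TYPE, "Locked": True, "MinRetentionDays": 7, "MaxRetentionDays": 35,
}
CUSTOMER_KEY = {"Arn": CMK_ARN, "KeyManager": "CUSTOMER"}
AWS_MANAGED_KEY = {"Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaa", "KeyManager": "AWS"}
COPY_ROLE_POLICY = {  # identity policy attached to the copy role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["kms:CreateGrant", "kms:DescribeKey"],
                   "Resource": CMK_ARN}],
}

if __name__ == "__main__":
    print(check_copy_preflight(SAMPLE_RECOVERY_POINT, SAMPLE_LAG_VAULT,
                               CUSTOMER_KEY, COPY_ROLE_POLICY, 30))  # []
```

Run it against the real outputs of describe-recovery-point, describe-backup-vault and kms describe-key for the source key before calling start-copy-job; a non-empty list names the prerequisite that the copy job would otherwise fail on.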
Restore
Once a backup has been shared from a logically air-gapped vault to your account, you can use StartRestoreJob to restore the backup. Sample CLI input:

```bash
aws backup start-restore-job \
    --region us-east-1 \
    --recovery-point-arn arn:aws:backup:us-east-1:accountnumber:recovery-point:RecoveryPointID \
    --metadata '{"availabilityzone":"us-east-1d"}' \
    --idempotency-token TokenNumber \
    --resource-type ResourceType \
    --iam-role-arn arn:aws:iam::number:role/service-role/servicerole
```
Delete
The following sample CLI command, DeleteBackupVault, can be used to delete a vault. A vault can only be deleted if there are no backups (recovery points) inside it.

```bash
aws backup delete-backup-vault \
    --region us-east-1 \
    --backup-vault-name testvaultname
```
Other programmatic options available include: