Amazon Backup Vault Lock
Note
Amazon Backup Vault Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations. For more information about how Amazon Backup Vault Lock relates to these regulations, see the Cohasset Associates Compliance Assessment.
Amazon Backup Vault Lock is an optional feature of a backup vault, which can be helpful in giving you additional security and control over your backup vaults. When a lock is active in Compliance mode and the grace time is over, the vault configuration cannot be altered or deleted by a customer, account/data owner, or Amazon. Each vault can have one vault lock in place.
Amazon Backup ensures that your backups are available for you until they reach the expiration of their retention periods. If any user (including the root user) attempts to delete a backup or change the lifecycle properties in a locked vault, Amazon Backup will deny the operation.
Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions.
Vaults locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires. During grace time, you can still remove the vault lock and change the lock configuration.
Vault lock modes
When you create a vault lock, you have a choice of two modes: Governance mode or Compliance mode. Governance mode is intended to allow a vault to be managed only by users with sufficient IAM privileges. Governance mode helps an organization meet governance requirements, ensuring only designated personnel can make changes to a backup vault. Compliance mode is intended for backup vaults in which the vault (and by extension, its contents) is expected to never be deleted or altered until the data retention period is complete. Once a vault in compliance mode is locked, it is immutable, meaning the lock cannot be removed.
A vault locked in Governance mode can be managed or deleted by users who have the appropriate IAM permissions.
A vault lock in Compliance mode cannot be altered or deleted by any user or by Amazon. A vault lock in compliance mode has a grace time period you set before it locks and becomes immutable.
Vault lock benefits
Amazon Backup Vault Lock provides several benefits, including:
WORM (write-once, read-many) configuration for all the backups you store and create in a backup vault.
An additional layer of defense that protects backups (recovery points) in your backup vaults from inadvertent or malicious deletions.
Enforcement of retention periods, which prevent early deletions by privileged users (including the Amazon Web Services account root user), and meet your organization’s data protection policies and procedures.
Lock a backup vault using the console
You can add a vault lock to your Amazon Backup Vault using the Backup console.
To add a vault lock to your backup vault:
Sign in to the Amazon Web Services Management Console, and open the Amazon Backup console at https://console.amazonaws.cn/backup
. In the navigation pane, find Backup vaults. Click the link nested under Backup vaults called Vault locks.
Under How vault locks work or Vault locks, click + Create vault lock.
In the pane Vault lock details, choose which vault to which you want your lock applied.
Under Vault lock mode choose in which mode you want your vault locked. For more information on choosing your modes, see Vault lock modes earlier on this page.
For the Retention period, choose the minimum and maximum retention periods (retention periods are optional). New backup and copy jobs created in the vault will fail if they do not conform to the retention periods you set; these periods will not apply to recovery points that already in the vault.
If you chose compliance mode, a section called Vault lock start date is shown. If you chose Governance mode, this will not be displayed, and this step can be skipped.
In compliance mode, a vault lock has a cooling-off period from the creation of the vault lock until the vault and its lock becomes immutable and unchangeable. You choose the duration of this period (called grace time), though it must be at least 3 days (72 hours).
Important
Once the grace time is expired, the vault and its lock are immutable. It cannot be changed or deleted by any user or by Amazon.
When you are satisfied with the configuration choices, click Create vault lock.
To confirm you wish to create this lock in the chosen mode, type
confirmin the text box, then check the box acknowledging the configuration is as intended.
If the steps have been completed successfully, a "Success" banner will appear at the top of the console.
Lock a backup vault programmatically
To configure Amazon Backup Vault Lock, use the API PutBackupVaultLockConfiguration. The parameters to include will depend on
which vault lock mode you intend. If you wish to create a vault lock in governance mode, do not
include ChangeableForDays. If this parameter is included, the vault lock will be
created in compliance mode.
Here is a CLI example of a compliance mode vault lock creation:
aws backup put-backup-vault-lock-configuration \ --backup-vault-namemy_vault_to_lock\ --changeable-for-days3\ --min-retention-days7\ --max-retention-days30
Here is a CLI example of a governance mode vault lock creation:
aws backup put-backup-vault-lock-configuration \ --backup-vault-namemy_vault_to_lock\ --min-retention-days7\ --max-retention-days30
You can configure four options.
-
BackupVaultNameThe name of the vault to lock.
-
ChangeableForDays(include only for compliance mode)This parameter instructs Amazon Backup to create the vault lock in compliance mode. Omit this parameter if you intend to create the lock in governance mode.
This value is expressed in days. It must be a number no less than 3 and no greater than 36,500; otherwise, an error will return.
From the creation of this vault lock until the expiration of the date specified, the vault lock can be removed from the vault using
DeleteBackupVaultLockConfiguration. Alternatively, during this time, you can change the configuration usingPutBackupVaultLockConfiguration.On and after the specified date determined by this parameter, the backup vault will be immutable and cannot be changed or deleted.
-
MaxRetentionDays(optional)This is a numerical value expressed in days. This is the maximum retention period that the vault retains its recovery points.
The maximum retention time frame you choose should be in alignment with your organization's policies for retaining data. If your organization instructs data to be retained for a period, this value can be set to that period (in days). For example, financial or banking data may be required to be kept for 7 years (approximately 2,557 days, depending on leap years).
If not specified, Amazon Backup Vault Lock will not enforce a maximum retention period. If specified, backup and copy jobs to this vault with lifecycle retention periods longer than the maximum retention period will fail. Recovery points already saved in the vault prior to the vault lock's creation are not affected. The longest maximum retention period you can specify is 36500 days (approximately 100 years).
-
MinRetentionDays(optional; required for CloudFormation)This is a numerical value expressed in days. This is the minimum retention period that the vault retains its recovery points. This setting should be set to the amount of time your organization is required to maintain data. For example, if regulations or law requires data to be retained for at least seven years, the value in days would be approximately 2,557, depending on leap years.
If not specified, Amazon Backup Vault Lock will not enforce a minimum retention period. If specified, backup and copy jobs to this vault with lifecycle retention periods shorter than the minimum retention period will fail. Recovery points already saved in the vault prior to Amazon Backup Vault Lock are not affected. The shortest minimum retention period you can specify is 1 day.
Review a backup vault for its Amazon Backup Vault Lock configuration
You can review Amazon Backup Vault Lock details on a vault anytime by calling DescribeBackupVault or ListBackupVaults APIs.
To determine whether you applied a vault lock to a backup vault, call
DescribeBackupVault and check the Locked property. If
"Locked": true, like the following example, you have applied Amazon Backup Vault Lock
to your backup vault.
{ "BackupVaultName": "my_vault_to_lock", "BackupVaultArn": "arn:aws:backup:us-east-1:555500000000:backup-vault:my_vault_to_lock", "EncryptionKeyArn": "arn:aws:kms:us-east-1:555500000000:key/00000000-1111-2222-3333-000000000000", "CreationDate": "2021-09-24T12:25:43.030000-07:00", "CreatorRequestId": "ac6ce255-0456-4f84-bbc4-eec919f50709", "NumberOfRecoveryPoints": 1, "Locked": true, "MinRetentionDays": 7, "MaxRetentionDays": 30, "LockDate": "2021-09-30T10:12:38.089000-07:00" }
The preceding output confirms the following options:
-
Lockedis a Boolean that indicates whether you have applied Amazon Backup Vault Lock to this backup vault.Truemeans that Amazon Backup Vault Lock causes delete or update operations to the recovery points stored in the vault to fail (regardless of whether you are still in the cooling-off grace time period). -
LockDateis the UTC date and time when your cooling-off grace time period ends. After this time, you cannot delete or change your lock on this vault. Use any publicly-available time converters to convert this string to your local time.
If "Locked":false, like the following example, you have not applied a vault
lock (or a previous one has been deleted).
{ "BackupVaultName": "my_vault_to_lock", "BackupVaultArn": "arn:aws:backup:us-east-1:555500000000:backup-vault:my_vault_to_lock", "EncryptionKeyArn": "arn:aws:kms:us-east-1:555500000000:key/00000000-1111-2222-3333-000000000000", "CreationDate": "2021-09-24T12:25:43.030000-07:00", "CreatorRequestId": "ac6ce255-0456-4f84-bbc4-eec919f50709", "NumberOfRecoveryPoints": 3, "Locked": false }
Vault lock removal during grace time (Compliance mode)
To delete your vault lock during grace time (the time after locking the vault but
before your LockDate) using the Amazon Backup console,
Sign in to the Amazon Web Services Management Console, and open the Amazon Backup console at https://console.amazonaws.cn/backup
. In the left navigation under My account, click Backup vaults, then click Backup Vault Lock.
Click the vault lock you wish to remove, then click Manage vault lock.
Click Delete vault lock.
A warning box will appear, asking you to confirm your intent to delete the vault lock. Type
confirminto the text box, then click confirm.
After the steps have all been completed successfully, a Success banner will appear at the top of the console screen.
To delete your vault lock during grace time using a CLI command,
use DeleteBackupVaultLockConfiguration like this CLI example:
aws backup delete-backup-vault-lock-configuration \ --backup-vault-namemy_vault_to_lock
Amazon Web Services account closure with a locked vault
When you close an Amazon Web Services account that contains a backup vault, Amazon and Amazon Backup suspend your account for 90 days with your backups intact. If you do not reopen your account during those 90 days, Amazon deletes the contents of your backup vault, even if Amazon Backup Vault Lock was in place.
Additional security considerations
Amazon Backup Vault Lock adds an additional layer of security to your data protection defense in depth. Vault lock can be combined with these other security features:
-
Amazon Backup vault and recovery point access policies, which allow you to grant or deny permissions at the vault level,
-
Amazon Backup security best practices, including its library of customer managed policies that allow you to grant or deny backup and restore permissions by Amazon supported service, and
-
Amazon Backup Audit Manager, which allows you to automate compliance checks for your backups against a list of controls you define.
You can work through Creating frameworks using the Amazon Backup API for the control Backups are protected by Amazon Backup Vault Lock with Amazon Backup Audit Manager to help ensure that your intended resources are protected with a vault lock.
-
Mechanisms that render resources inactive can impact the ability to restore them. While they still cannot be deleted in a locked vault, they can be in a state other than active. For instance, the Amazon Elastic Compute Cloud setting that allows you to disable an AMI can temporarily block the ability to restore backups of EC2 instances. This affects all EC2 recovery points, even backups affected by a vault lock or a legal hold.
If an EC2 backup is disabled, you can re-enable a disabled AMI. Once it is re-enabled, it is eligible to be restored. To block the AMI disable feature, you can use IAM policies to not allow
ec2:DisableImage.
Note
Amazon Backup Vault Lock is not the same feature as Amazon S3 Glacier Vault Lock, which is compatible only with S3 Glacier.