Reading25 min read·Module 1

Backup & Replication Security

Key concepts

  • AWS Backup for centralized backups

  • Cross-region backup copies

  • Backup vault lock (WORM)

  • S3 Object Lock

  • Snapshot sharing security

Overview

Backup and replication are critical components of data protection, ensuring business continuity and disaster recovery. AWS provides multiple services and features to secure backups, prevent unauthorized deletion, and maintain data integrity across regions and accounts.

Understanding backup security is important for the SAA-C03 exam because it combines data protection with security controls. You must know how to use AWS Backup for centralized management, implement immutable backups with Vault Lock and S3 Object Lock, secure cross-account and cross-region backups, and protect snapshots from unauthorized access.

Immutable Backups (WORM)

Immutable backups (WORM - Write Once Read Many) protect against ransomware, accidental deletion, and malicious insiders by preventing backup deletion or modification for a specified retention period.

Exam Tip

Focus on AWS Backup policies, Vault Lock for compliance (Governance vs Compliance mode), S3 Object Lock modes, encrypted snapshot sharing with KMS, and cross-region/cross-account backup strategies.


Key Concepts

AWS Backup

AWS Backup Overview
Figure 1: AWS Backup provides centralized backup management across services

AWS Backup

AWS Backup is a fully managed backup service that centralizes and automates backups across AWS services including EC2, RDS, DynamoDB, EFS, FSx, S3, Storage Gateway, Aurora, DocumentDB, Neptune, and VMware Cloud on AWS.

Backup Vault Lock

Vault Lock Protection

Vault Lock provides immutable backup storage for compliance and ransomware protection. It has two modes: Governance (can be overridden with IAM permissions) and Compliance (cannot be overridden by anyone, including root).

TEXTVault Lock Modes
GOVERNANCE MODE:
├── Prevents most users from deleting backups
├── Users with special IAM permissions CAN delete
├── Useful for: Testing, flexible retention
└── Can be disabled by authorized admins

COMPLIANCE MODE:
├── NO ONE can delete backups (not even root)
├── Cannot be disabled once enabled
├── Retention period is immutable
├── Useful for: Regulatory compliance (SEC, FINRA)
└── WARNING: Irreversible once enabled!

Vault Lock Policy Properties:
├── MinRetentionDays: Minimum backup retention
├── MaxRetentionDays: Maximum backup retention
├── ChangeableForDays: Grace period before lock
└── After grace period: PERMANENTLY LOCKED

S3 Object Lock

S3 Object Lock
Figure 2: S3 Object Lock prevents object deletion for retention period

S3 Object Lock

S3 Object Lock provides WORM protection for individual S3 objects. Must be enabled at bucket creation and requires versioning.

S3 Object Lock Modes

ModeDeletionModificationOverride
GovernanceBlockedBlockedYes (with IAM permission)
ComplianceBlockedBlockedNo (not even root)
TEXTS3 Object Lock Retention
Retention Modes:
├── Governance Mode
│   ├── Blocks delete/overwrite
│   ├── Can be bypassed with s3:BypassGovernanceRetention
│   └── Good for: Most data protection needs
│
└── Compliance Mode
    ├── Blocks delete/overwrite
    ├── CANNOT be bypassed (ever)
    ├── Retention cannot be shortened
    └── Good for: Regulatory requirements

Legal Hold:
├── Prevents deletion regardless of retention
├── Can be applied/removed anytime
├── No expiration date
└── Useful for: Legal discovery, investigations

Snapshot Security

Snapshot Security

Encrypted snapshots remain encrypted and cannot be shared directly cross-account. You must re-encrypt with a KMS key that has cross-account access before sharing.

TEXTSnapshot Security Considerations
EBS Snapshots:
├── Encrypted snapshots remain encrypted
├── Cannot share encrypted snapshots cross-account directly
├── Must re-encrypt with shared key for cross-account
└── Snapshots inherit encryption from volume

RDS Snapshots:
├── Encrypted snapshots remain encrypted
├── Cannot share encrypted snapshots cross-account
├── Must copy snapshot with different key
└── Automated backups are not shareable

AMI Security:
├── AMIs can be shared publicly or privately
├── Encrypted volumes require key sharing
├── Launch permissions control who can use
└── Consider: Embedded secrets, sensitive data

How It Works

AWS Backup Architecture

AWS Backup Architecture
Figure 3: AWS Backup with cross-region and cross-account copy
TEXTAWS Backup Components
BACKUP PLAN:
├── Backup rules (schedule, lifecycle)
├── Resource assignments (by tag or resource ID)
└── Copy rules (cross-region, cross-account)

BACKUP VAULT:
├── Storage container for recovery points
├── Encryption with KMS
├── Access policies
└── Optional Vault Lock

RECOVERY POINT:
├── Point-in-time backup
├── Stored in backup vault
├── Lifecycle rules (warm → cold → delete)
└── Can be restored or copied

Cross-Account Backup Strategy

Cross-Account Backup
Figure 4: Cross-account backup isolates backups from production account compromise
TEXTCross-Account Backup Setup
Production Account (111111111111):
├── AWS Backup plan
├── Backup vault (source)
└── Copy rule → Target account

Backup Account (222222222222):
├── Backup vault (destination)
├── Vault Lock (COMPLIANCE mode)
├── Separate credentials
└── Limited access

Benefits:
├── Isolation from production compromise
├── Protection from account-level ransomware
├── Separation of duties
└── Compliance with backup isolation requirements

Cross-Region Backup

TEXTCross-Region Backup Configuration
Primary Region (us-east-1):
├── Production workloads
├── Local backup vault
└── Copy rule → DR region

DR Region (us-west-2):
├── Backup vault (destination)
├── Recovery points replicated
└── Ready for disaster recovery

Considerations:
├── Data transfer costs
├── Encryption key availability in DR region
├── RPO/RTO requirements
└── Regional service availability

Use Cases

Use Case 1: Ransomware Protection

Scenario: Company needs to protect backups from ransomware that may compromise admin credentials.

Solution:

  • Create dedicated backup account (isolated from production)
  • Enable AWS Backup with cross-account copy
  • Apply Vault Lock in COMPLIANCE mode
  • Set minimum retention period longer than incident response time
JSONRansomware-Resistant Backup
{
  "BackupPlan": {
    "Rules": [{
      "RuleName": "DailyBackup",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "TargetBackupVault": "production-vault",
      "CopyActions": [{
        "DestinationBackupVaultArn": "arn:aws:backup:us-east-1:BACKUP-ACCOUNT:backup-vault:isolated-vault"
      }]
    }]
  },
  "VaultLock": {
    "Mode": "COMPLIANCE",
    "MinRetentionDays": 30,
    "MaxRetentionDays": 365
  }
}

Use Case 2: Compliance with SEC 17a-4

Scenario: Financial services company must maintain immutable records for 7 years.

Solution:

  • Configure S3 bucket with Object Lock enabled
  • Set Compliance mode with 7-year retention
  • Use Glacier Deep Archive for cost optimization
  • Document compliance configuration

Use Case 3: Secure Snapshot Sharing

Scenario: Share encrypted EBS snapshots with partner account.

Solution:

  1. Create KMS key with cross-account access
  2. Copy snapshot encrypted with shared key
  3. Share snapshot with partner account
  4. Partner can copy/restore using shared key
SHShare Encrypted Snapshot
# 1. Add partner account to KMS key policy
aws kms put-key-policy \
  --key-id alias/shared-key \
  --policy-name default \
  --policy file://cross-account-key-policy.json

# 2. Copy snapshot with shared key
aws ec2 copy-snapshot \
  --source-region us-east-1 \
  --source-snapshot-id snap-xxx \
  --encrypted \
  --kms-key-id alias/shared-key

# 3. Share snapshot with partner account
aws ec2 modify-snapshot-attribute \
  --snapshot-id snap-yyy \
  --attribute createVolumePermission \
  --operation-type add \
  --user-ids 444455556666

Scenario: Legal team requires preservation of specific data during investigation.

Solution:

  • Apply Legal Hold to relevant S3 objects
  • Legal Hold prevents deletion regardless of retention
  • Remove Legal Hold when investigation complete
  • Document chain of custody

Best Practices

Backup Security Best Practices

  1. Use separate backup account

    • Isolate backups from production accounts
    • Different credentials and access controls
    • Protects against account compromise
  2. Enable Vault Lock for critical backups

    • COMPLIANCE mode for regulatory requirements
    • GOVERNANCE mode for operational protection
    • Set appropriate retention periods
  3. Encrypt all backups

    • Use customer managed KMS keys
    • Enable default encryption on vaults
    • Plan for key rotation
  4. Test restore procedures regularly

    • Verify backups are usable
    • Document restore procedures
    • Measure RTO/RPO compliance

S3 Object Lock Best Practices

  1. Enable at bucket creation

    • Cannot enable on existing buckets
    • Plan data retention requirements first
    • Consider costs of compliance mode
  2. Use Governance mode initially

    • Test retention policies
    • Allows correction of mistakes
    • Upgrade to Compliance when confident
  3. Combine with versioning

    • Object Lock requires versioning
    • Protects all versions
    • Consider storage costs
  4. Document Legal Hold procedures

    • Define who can apply/remove
    • Track objects under hold
    • Audit access and changes

Cross-Account Best Practices

  1. Least privilege access

    • Backup account should have minimal permissions
    • Only backup service should write
    • Restrict restore permissions
  2. Monitor backup operations

    • CloudWatch metrics for backup jobs
    • Alerts for failed backups
    • Audit trail in CloudTrail
  3. Regular access review

    • Review who can access backup account
    • Remove unnecessary permissions
    • Verify Vault Lock configurations

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
Protect backups from ransomwareCross-account backup + Vault LockIsolation + immutability
Regulatory immutable storageS3 Compliance mode or Vault Lock ComplianceCannot be bypassed
Share encrypted EBS snapshotRe-encrypt with shared key, then shareDirect sharing does not work
Preserve data for legal holdS3 Legal HoldPrevents deletion indefinitely
Centralize backup managementAWS BackupSingle service for all resources
Backup to different regionAWS Backup copy rulesCross-region disaster recovery
Flexible deletion preventionGovernance modeAuthorized users can override
Permanent deletion preventionCompliance modeNo override possible

Common Pitfalls

Pitfall 1: Enabling Compliance Mode Prematurely

Mistake: Enabling S3 Compliance mode before testing.

Why it fails: Cannot be disabled or shortened; objects locked forever

Correct Approach: Test with Governance mode first; understand implications

Pitfall 2: Not Planning Cross-Account Key Access

Mistake: Sharing encrypted snapshots without key access.

Why it fails: Partner account cannot decrypt snapshot

Correct Approach: Create shared key with cross-account policy before sharing

Pitfall 3: Backup Account in Same OU

Mistake: Placing backup account in same OU as production.

Why it fails: SCPs affecting production may affect backups

Correct Approach: Dedicated OU for backup/security accounts

Pitfall 4: Ignoring Backup Costs

Mistake: Not planning for backup storage costs.

Why it fails: Immutable backups accumulate; cannot delete early

Correct Approach: Calculate costs before enabling; use lifecycle to cold storage

Pitfall 5: Manual Backup Management

Mistake: Managing backups per-service without centralization.

Why it fails: Inconsistent policies; missed backups; audit difficulty

Correct Approach: Use AWS Backup for centralized policy management



Quick Reference

AWS Backup Pricing

AWS Backup Pricing

ComponentCost
Backup storage (warm)Varies by service
Backup storage (cold)~50% of warm
Cross-region data transferStandard transfer rates
RestoreFree (data transfer may apply)

S3 Object Lock Retention

S3 Object Lock Retention

ModeOverrideRoot OverrideShorten Retention
GovernanceYes (IAM)YesYes (IAM)
ComplianceNoNoNo
Legal HoldRemove onlyRemove onlyN/A

Vault Lock States

TEXTVault Lock Lifecycle
1. CREATED (no lock)
   └── Vault accessible, no restrictions

2. LOCK INITIATED
   └── Grace period active (ChangeableForDays)
   └── Can abort lock during grace period

3. LOCKED (Governance)
   └── Requires IAM permission to delete
   └── Can be removed by authorized users

4. LOCKED (Compliance)
   └── Cannot be removed
   └── Cannot be modified
   └── Permanent until retention expires

CLI Commands

SHAWS Backup and Object Lock CLI
# Create backup vault
aws backup create-backup-vault \
  --backup-vault-name my-vault \
  --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/xxx

# Put vault lock policy
aws backup put-backup-vault-lock-configuration \
  --backup-vault-name my-vault \
  --min-retention-days 30 \
  --max-retention-days 365 \
  --changeable-for-days 3

# Enable S3 Object Lock (at bucket creation)
aws s3api create-bucket \
  --bucket my-locked-bucket \
  --object-lock-enabled-for-bucket

# Put object with retention
aws s3api put-object \
  --bucket my-locked-bucket \
  --key file.txt \
  --body file.txt \
  --object-lock-mode COMPLIANCE \
  --object-lock-retain-until-date 2025-12-31T00:00:00Z

# Apply legal hold
aws s3api put-object-legal-hold \
  --bucket my-locked-bucket \
  --key file.txt \
  --legal-hold Status=ON

Test Your Knowledge

Q

A company needs to ensure backups cannot be deleted by anyone, including administrators, for 7 years to meet regulatory requirements. What should they use?

AS3 Governance mode
BS3 Compliance mode
CAWS Backup Governance mode
DIAM policies
Q

How can encrypted EBS snapshots be shared with another AWS account?

AShare directly - encryption is transparent
BDecrypt the snapshot first, then share
CRe-encrypt with a KMS key shared with the target account
DEncrypted snapshots cannot be shared cross-account
Q

What is the primary benefit of storing backups in a separate AWS account?

AReduced storage costs
BFaster backup performance
CProtection from account-level compromise
DAutomatic cross-region replication
Q

Which AWS Backup Vault Lock mode allows authorized users to delete backups if needed?

ACompliance mode
BGovernance mode
CStandard mode
DFlexible mode

Further Reading

Related services

AWS BackupS3EBS