Backup & Replication Security
Key concepts
AWS Backup for centralized backups
Cross-region backup copies
Backup vault lock (WORM)
S3 Object Lock
Snapshot sharing security
Overview
Backup and replication are critical components of data protection, ensuring business continuity and disaster recovery. AWS provides multiple services and features to secure backups, prevent unauthorized deletion, and maintain data integrity across regions and accounts.
Understanding backup security is important for the SAA-C03 exam because it combines data protection with security controls. You must know how to use AWS Backup for centralized management, implement immutable backups with Vault Lock and S3 Object Lock, secure cross-account and cross-region backups, and protect snapshots from unauthorized access.
Immutable Backups (WORM)
Immutable backups (WORM - Write Once Read Many) protect against ransomware, accidental deletion, and malicious insiders by preventing backup deletion or modification for a specified retention period.
Focus on AWS Backup policies, Vault Lock for compliance (Governance vs Compliance mode), S3 Object Lock modes, encrypted snapshot sharing with KMS, and cross-region/cross-account backup strategies.
Key Concepts
AWS Backup

AWS Backup
AWS Backup is a fully managed backup service that centralizes and automates backups across AWS services including EC2, RDS, DynamoDB, EFS, FSx, S3, Storage Gateway, Aurora, DocumentDB, Neptune, and VMware Cloud on AWS.
Backup Vault Lock
Vault Lock Protection
Vault Lock provides immutable backup storage for compliance and ransomware protection. It has two modes: Governance (can be overridden with IAM permissions) and Compliance (cannot be overridden by anyone, including root).
GOVERNANCE MODE:
├── Prevents most users from deleting backups
├── Users with special IAM permissions CAN delete
├── Useful for: Testing, flexible retention
└── Can be disabled by authorized admins
COMPLIANCE MODE:
├── NO ONE can delete backups (not even root)
├── Cannot be disabled once enabled
├── Retention period is immutable
├── Useful for: Regulatory compliance (SEC, FINRA)
└── WARNING: Irreversible once enabled!
Vault Lock Policy Properties:
├── MinRetentionDays: Minimum backup retention
├── MaxRetentionDays: Maximum backup retention
├── ChangeableForDays: Grace period before lock
└── After grace period: PERMANENTLY LOCKEDS3 Object Lock

S3 Object Lock
S3 Object Lock provides WORM protection for individual S3 objects. Must be enabled at bucket creation and requires versioning.
S3 Object Lock Modes
| Mode | Deletion | Modification | Override |
|---|---|---|---|
| Governance | Blocked | Blocked | Yes (with IAM permission) |
| Compliance | Blocked | Blocked | No (not even root) |
Retention Modes:
├── Governance Mode
│ ├── Blocks delete/overwrite
│ ├── Can be bypassed with s3:BypassGovernanceRetention
│ └── Good for: Most data protection needs
│
└── Compliance Mode
├── Blocks delete/overwrite
├── CANNOT be bypassed (ever)
├── Retention cannot be shortened
└── Good for: Regulatory requirements
Legal Hold:
├── Prevents deletion regardless of retention
├── Can be applied/removed anytime
├── No expiration date
└── Useful for: Legal discovery, investigationsSnapshot Security
Snapshot Security
Encrypted snapshots remain encrypted and cannot be shared directly cross-account. You must re-encrypt with a KMS key that has cross-account access before sharing.
EBS Snapshots:
├── Encrypted snapshots remain encrypted
├── Cannot share encrypted snapshots cross-account directly
├── Must re-encrypt with shared key for cross-account
└── Snapshots inherit encryption from volume
RDS Snapshots:
├── Encrypted snapshots remain encrypted
├── Cannot share encrypted snapshots cross-account
├── Must copy snapshot with different key
└── Automated backups are not shareable
AMI Security:
├── AMIs can be shared publicly or privately
├── Encrypted volumes require key sharing
├── Launch permissions control who can use
└── Consider: Embedded secrets, sensitive dataHow It Works
AWS Backup Architecture

BACKUP PLAN:
├── Backup rules (schedule, lifecycle)
├── Resource assignments (by tag or resource ID)
└── Copy rules (cross-region, cross-account)
BACKUP VAULT:
├── Storage container for recovery points
├── Encryption with KMS
├── Access policies
└── Optional Vault Lock
RECOVERY POINT:
├── Point-in-time backup
├── Stored in backup vault
├── Lifecycle rules (warm → cold → delete)
└── Can be restored or copiedCross-Account Backup Strategy

Production Account (111111111111):
├── AWS Backup plan
├── Backup vault (source)
└── Copy rule → Target account
Backup Account (222222222222):
├── Backup vault (destination)
├── Vault Lock (COMPLIANCE mode)
├── Separate credentials
└── Limited access
Benefits:
├── Isolation from production compromise
├── Protection from account-level ransomware
├── Separation of duties
└── Compliance with backup isolation requirementsCross-Region Backup
Primary Region (us-east-1):
├── Production workloads
├── Local backup vault
└── Copy rule → DR region
DR Region (us-west-2):
├── Backup vault (destination)
├── Recovery points replicated
└── Ready for disaster recovery
Considerations:
├── Data transfer costs
├── Encryption key availability in DR region
├── RPO/RTO requirements
└── Regional service availabilityUse Cases
Use Case 1: Ransomware Protection
Scenario: Company needs to protect backups from ransomware that may compromise admin credentials.
Solution:
- Create dedicated backup account (isolated from production)
- Enable AWS Backup with cross-account copy
- Apply Vault Lock in COMPLIANCE mode
- Set minimum retention period longer than incident response time
{
"BackupPlan": {
"Rules": [{
"RuleName": "DailyBackup",
"ScheduleExpression": "cron(0 5 ? * * *)",
"TargetBackupVault": "production-vault",
"CopyActions": [{
"DestinationBackupVaultArn": "arn:aws:backup:us-east-1:BACKUP-ACCOUNT:backup-vault:isolated-vault"
}]
}]
},
"VaultLock": {
"Mode": "COMPLIANCE",
"MinRetentionDays": 30,
"MaxRetentionDays": 365
}
}Use Case 2: Compliance with SEC 17a-4
Scenario: Financial services company must maintain immutable records for 7 years.
Solution:
- Configure S3 bucket with Object Lock enabled
- Set Compliance mode with 7-year retention
- Use Glacier Deep Archive for cost optimization
- Document compliance configuration
Use Case 3: Secure Snapshot Sharing
Scenario: Share encrypted EBS snapshots with partner account.
Solution:
- Create KMS key with cross-account access
- Copy snapshot encrypted with shared key
- Share snapshot with partner account
- Partner can copy/restore using shared key
# 1. Add partner account to KMS key policy
aws kms put-key-policy \
--key-id alias/shared-key \
--policy-name default \
--policy file://cross-account-key-policy.json
# 2. Copy snapshot with shared key
aws ec2 copy-snapshot \
--source-region us-east-1 \
--source-snapshot-id snap-xxx \
--encrypted \
--kms-key-id alias/shared-key
# 3. Share snapshot with partner account
aws ec2 modify-snapshot-attribute \
--snapshot-id snap-yyy \
--attribute createVolumePermission \
--operation-type add \
--user-ids 444455556666Use Case 4: Legal Hold for Investigation
Scenario: Legal team requires preservation of specific data during investigation.
Solution:
- Apply Legal Hold to relevant S3 objects
- Legal Hold prevents deletion regardless of retention
- Remove Legal Hold when investigation complete
- Document chain of custody
Best Practices
Backup Security Best Practices
-
Use separate backup account
- Isolate backups from production accounts
- Different credentials and access controls
- Protects against account compromise
-
Enable Vault Lock for critical backups
- COMPLIANCE mode for regulatory requirements
- GOVERNANCE mode for operational protection
- Set appropriate retention periods
-
Encrypt all backups
- Use customer managed KMS keys
- Enable default encryption on vaults
- Plan for key rotation
-
Test restore procedures regularly
- Verify backups are usable
- Document restore procedures
- Measure RTO/RPO compliance
S3 Object Lock Best Practices
-
Enable at bucket creation
- Cannot enable on existing buckets
- Plan data retention requirements first
- Consider costs of compliance mode
-
Use Governance mode initially
- Test retention policies
- Allows correction of mistakes
- Upgrade to Compliance when confident
-
Combine with versioning
- Object Lock requires versioning
- Protects all versions
- Consider storage costs
-
Document Legal Hold procedures
- Define who can apply/remove
- Track objects under hold
- Audit access and changes
Cross-Account Best Practices
-
Least privilege access
- Backup account should have minimal permissions
- Only backup service should write
- Restrict restore permissions
-
Monitor backup operations
- CloudWatch metrics for backup jobs
- Alerts for failed backups
- Audit trail in CloudTrail
-
Regular access review
- Review who can access backup account
- Remove unnecessary permissions
- Verify Vault Lock configurations
Common Exam Scenarios
Exam Scenarios
| Scenario | Solution | Why |
|---|---|---|
| Protect backups from ransomware | Cross-account backup + Vault Lock | Isolation + immutability |
| Regulatory immutable storage | S3 Compliance mode or Vault Lock Compliance | Cannot be bypassed |
| Share encrypted EBS snapshot | Re-encrypt with shared key, then share | Direct sharing does not work |
| Preserve data for legal hold | S3 Legal Hold | Prevents deletion indefinitely |
| Centralize backup management | AWS Backup | Single service for all resources |
| Backup to different region | AWS Backup copy rules | Cross-region disaster recovery |
| Flexible deletion prevention | Governance mode | Authorized users can override |
| Permanent deletion prevention | Compliance mode | No override possible |
Common Pitfalls
Pitfall 1: Enabling Compliance Mode Prematurely
Mistake: Enabling S3 Compliance mode before testing.
Why it fails: Cannot be disabled or shortened; objects locked forever
Correct Approach: Test with Governance mode first; understand implications
Pitfall 2: Not Planning Cross-Account Key Access
Mistake: Sharing encrypted snapshots without key access.
Why it fails: Partner account cannot decrypt snapshot
Correct Approach: Create shared key with cross-account policy before sharing
Pitfall 3: Backup Account in Same OU
Mistake: Placing backup account in same OU as production.
Why it fails: SCPs affecting production may affect backups
Correct Approach: Dedicated OU for backup/security accounts
Pitfall 4: Ignoring Backup Costs
Mistake: Not planning for backup storage costs.
Why it fails: Immutable backups accumulate; cannot delete early
Correct Approach: Calculate costs before enabling; use lifecycle to cold storage
Pitfall 5: Manual Backup Management
Mistake: Managing backups per-service without centralization.
Why it fails: Inconsistent policies; missed backups; audit difficulty
Correct Approach: Use AWS Backup for centralized policy management
Related Services
Quick Reference
AWS Backup Pricing
AWS Backup Pricing
| Component | Cost |
|---|---|
| Backup storage (warm) | Varies by service |
| Backup storage (cold) | ~50% of warm |
| Cross-region data transfer | Standard transfer rates |
| Restore | Free (data transfer may apply) |
S3 Object Lock Retention
S3 Object Lock Retention
| Mode | Override | Root Override | Shorten Retention |
|---|---|---|---|
| Governance | Yes (IAM) | Yes | Yes (IAM) |
| Compliance | No | No | No |
| Legal Hold | Remove only | Remove only | N/A |
Vault Lock States
1. CREATED (no lock)
└── Vault accessible, no restrictions
2. LOCK INITIATED
└── Grace period active (ChangeableForDays)
└── Can abort lock during grace period
3. LOCKED (Governance)
└── Requires IAM permission to delete
└── Can be removed by authorized users
4. LOCKED (Compliance)
└── Cannot be removed
└── Cannot be modified
└── Permanent until retention expiresCLI Commands
# Create backup vault
aws backup create-backup-vault \
--backup-vault-name my-vault \
--encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/xxx
# Put vault lock policy
aws backup put-backup-vault-lock-configuration \
--backup-vault-name my-vault \
--min-retention-days 30 \
--max-retention-days 365 \
--changeable-for-days 3
# Enable S3 Object Lock (at bucket creation)
aws s3api create-bucket \
--bucket my-locked-bucket \
--object-lock-enabled-for-bucket
# Put object with retention
aws s3api put-object \
--bucket my-locked-bucket \
--key file.txt \
--body file.txt \
--object-lock-mode COMPLIANCE \
--object-lock-retain-until-date 2025-12-31T00:00:00Z
# Apply legal hold
aws s3api put-object-legal-hold \
--bucket my-locked-bucket \
--key file.txt \
--legal-hold Status=ONTest Your Knowledge
A company needs to ensure backups cannot be deleted by anyone, including administrators, for 7 years to meet regulatory requirements. What should they use?
How can encrypted EBS snapshots be shared with another AWS account?
What is the primary benefit of storing backups in a separate AWS account?
Which AWS Backup Vault Lock mode allows authorized users to delete backups if needed?