Configure AWS Backup Vault Access Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Backup-002

Ensure that the resource-based policy associated with your AWS Backup vault is configured to prevent the deletion (accidentally or intentionally) of the backups available in the backup vault. A backup vault is a container used to organize AWS backups.

This rule resolution is part of the Conformity solution.

Security

The ability to delete recovery points (i.e., backups) stored within your AWS Backup vaults is determined by the permissions that you grant to your users. You can enforce deletion protection and restrict deleting recovery points by modifying the resource-based policy associated with your backup vault. Because an explicit Deny in the vault access policy takes precedence over any Allow granted through identity-based (IAM) permissions, this protection applies to every principal, including administrators, until the vault policy itself is changed.


Audit

To check the access policy (i.e., resource-based policy) associated with your AWS Backup vault, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Backup console available at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, under My account, choose Vaults.

04 Select the Vaults owned by this account tab.

05 Click on the name (link) of the AWS Backup vault that you want to examine.

06 In the Access policy section, check the resource-based policy defined for the selected vault. If the policy document does not contain the policy statement listed below (i.e., "Statement":[{"Effect":"Deny","Principal":"*","Action":"backup:DeleteRecoveryPoint","Resource":"*"}]) or there is no access policy defined for your backup vault, deletion protection through access policies is not implemented on the selected AWS Backup vault.

"Statement": [
	{
		"Effect": "Deny",
		"Principal": "*",
		"Action": "backup:DeleteRecoveryPoint",
		"Resource": "*"
	}
]

07 Repeat steps no. 5 and 6 for each AWS Backup vault available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-backup-vaults command (OSX/Linux/UNIX) to list the name of each AWS Backup vault available in the selected AWS cloud region:

aws backup list-backup-vaults \
	--region us-east-1 \
	--output table \
	--query 'BackupVaultList[*].BackupVaultName'

02 The command output should return a table with the requested backup vault identifiers (names):

---------------------------
|    ListBackupVaults     |
+-------------------------+
|  cc-internal-app-vault  |
|  cc-prod-backup-vault   |
|  cc-app-backup-vault    |
+-------------------------+

03 Run get-backup-vault-access-policy command (OSX/Linux/UNIX) with the name of the AWS Backup vault that you want to examine as the identifier parameter and custom output filters to return the access policy defined for the selected backup vault:

aws backup get-backup-vault-access-policy \
	--region us-east-1 \
	--backup-vault-name cc-internal-app-vault \
	--query 'Policy'

04 Based on the vault configuration, the command should return one of the following outputs:

  1. If the get-backup-vault-access-policy command output returns the ResourceNotFoundException error, as shown in the example below, there is no access policy defined for your backup vault; therefore, deletion protection using access policies is not available for the selected AWS Backup vault:
    An error occurred (ResourceNotFoundException) when calling the GetBackupVaultAccessPolicy operation: Backup Vault arn:aws:backup:us-east-1:123456789012:backup-vault:cc-internal-app-vault has no associated POLICY
    
  2. If the command output returns a policy document but the policy does not contain the statement listed below (i.e., "Statement":[{"Effect":"Deny","Principal":"*","Action":"backup:DeleteRecoveryPoint","Resource":"*"}]), deletion protection through access policies is not implemented on the selected AWS Backup vault:
    "Statement": [
    	{
    		"Effect": "Deny",
    		"Principal": "*",
    		"Action": "backup:DeleteRecoveryPoint",
    		"Resource": "*"
    	}
    ]
    

05 Repeat steps no. 3 and 4 for each AWS Backup vault available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS regions.

Remediation / Resolution

The AWS Backup vault access policy allows you to specify who has access to the backups stored within your vault and what actions they can perform on these backups. To implement an access policy that denies all users the ability to delete existing or future backups inside your backup vault, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Backup console available at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, under My account, choose Vaults.

04 Select the Vaults owned by this account tab.

05 Click on the name (link) of the AWS Backup vault that you want to configure.

06 Choose Edit from the Access policy section and perform one of the following operations based on your vault configuration:

  1. If there is no access policy defined for your backup vault, paste the policy document listed below in the policy editor text box available under Access policy details:
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Deny",
    			"Principal": "*",
    			"Action": "backup:DeleteRecoveryPoint",
    			"Resource": "*"
    		}
    	]
    }
    
  2. If your backup vault is associated with an access policy, add the policy statement listed below to the existing policy document, under Access policy details:
    "Statement": [
    	{
    		"Effect": "Deny",
    		"Principal": "*",
    		"Action": "backup:DeleteRecoveryPoint",
    		"Resource": "*"
    	}
    ]
    

07 Choose Save policy to apply the permission changes.

08 Repeat steps no. 5 – 7 for each Amazon backup vault that you want to configure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other AWS regions.

Using AWS CLI

01 Define the access policy used to manage access permissions for your AWS Backup vault. Create a new policy document, name the file cc-vault-access-policy.json, and paste the content listed below. If your backup vault is already associated with an access policy, add just the policy statement (i.e., "Statement":[{"Effect":"Deny","Principal":"*","Action":"backup:DeleteRecoveryPoint","Resource":"*"}]) to the existing policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Deny",
			"Principal": "*",
			"Action": "backup:DeleteRecoveryPoint",
			"Resource": "*"
		}
	]
}

02 Run put-backup-vault-access-policy command (OSX/Linux/UNIX) with the policy document defined at the previous step (i.e., cc-vault-access-policy.json) as the value for the --policy parameter, to update the access policy associated with your AWS Backup vault (the command does not produce an output):

aws backup put-backup-vault-access-policy \
	--region us-east-1 \
	--backup-vault-name cc-internal-app-vault \
	--policy file://cc-vault-access-policy.json

03 Repeat steps no. 1 and 2 for each Amazon backup vault that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other AWS regions.
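The Audit steps 03 and 04 (decide whether a vault's policy contains the blanket Deny statement) and Remediation step 01 (produce the document to pass to put-backup-vault-access-policy, creating it or appending the statement to an existing policy) can be scripted so that the check is applied consistently across many vaults and regions. The following is an added example, not Conformity's own code. It assumes the policy is fed in as the string that aws backup get-backup-vault-access-policy --query 'Policy' --output text prints (or None when the call raised ResourceNotFoundException), and the vault names and policies below are constructed samples. It goes slightly beyond the exact text on the page by also accepting equivalent spellings of the same statement (Principal given as {"AWS": "*"}, Action given as a list), while treating a Deny that carries a Condition as not compliant, since a conditional Deny only protects when the condition holds.

```python
"""Audit and remediation helpers for the Backup-002 deletion-protection check.

Added example, not Conformity's own code. No AWS API call is made here:
the policy text is whatever `aws backup get-backup-vault-access-policy
--query 'Policy' --output text` printed, and the returned document is what
`put-backup-vault-access-policy --policy file://...` expects.
"""
import json

REQUIRED_ACTION = "backup:DeleteRecoveryPoint"

# The statement the rule requires, exactly as listed on the page.
DENY_DELETE_STATEMENT = {
    "Effect": "Deny",
    "Principal": "*",
    "Action": "backup:DeleteRecoveryPoint",
    "Resource": "*",
}


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean every principal.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _statement_denies_all_deletes(stmt):
    """True only for an unconditional Deny of backup:DeleteRecoveryPoint
    that applies to every principal on every resource."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Condition" in stmt:
        # A conditional Deny protects only while the condition holds; the
        # rule expects a blanket Deny, so this does not count as compliant.
        return False
    if not _principal_is_everyone(stmt.get("Principal")):
        return False
    actions = _as_list(stmt.get("Action"))
    # backup:* or * would also cover the delete action; accept them as equivalent.
    if not any(a in actions for a in (REQUIRED_ACTION, "backup:*", "*")):
        return False
    return "*" in _as_list(stmt.get("Resource"))


def has_delete_protection(policy_text):
    """Audit check. `policy_text` is the Policy string from the CLI, or None
    when the call raised ResourceNotFoundException (no policy attached)."""
    if not policy_text:
        return False
    policy = json.loads(policy_text)
    statements = _as_list(policy.get("Statement"))
    return any(_statement_denies_all_deletes(s) for s in statements if isinstance(s, dict))


def add_delete_protection(policy_text):
    """Remediation. Returns the policy document to upload: a new document
    when the vault has no policy, otherwise the existing policy with the Deny
    statement appended and its other statements left untouched. Idempotent."""
    if has_delete_protection(policy_text):
        return json.loads(policy_text)
    if not policy_text:
        policy = {"Version": "2012-10-17", "Statement": []}
    else:
        policy = json.loads(policy_text)
        policy["Statement"] = _as_list(policy.get("Statement"))
    policy["Statement"].append(dict(DENY_DELETE_STATEMENT))
    return policy


def policy_to_text(policy):
    """Serialize a document for writing to cc-vault-access-policy.json."""
    return json.dumps(policy, indent=2)


# Constructed samples standing in for four vaults' CLI output (not real data).
SAMPLE_POLICIES = {
    "cc-internal-app-vault": None,  # ResourceNotFoundException: no policy attached
    "cc-prod-backup-vault": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"},
                       "Action": ["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle"],
                       "Resource": "*"}]}),
    "cc-app-backup-vault": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupOperator"},
                       "Action": "backup:DescribeRecoveryPoint", "Resource": "*"}]}),
    "cc-conditional-vault": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Principal": "*", "Action": "backup:DeleteRecoveryPoint",
                      "Resource": "*", "Condition": {"StringEquals": {"aws:username": "auditor"}}}}),
}


def audit_vaults(policies):
    """Map vault name -> True when deletion protection is implemented."""
    return {name: has_delete_protection(text) for name, text in policies.items()}


if __name__ == "__main__":
    for name, compliant in audit_vaults(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if compliant else 'MISSING deletion protection'}")
    # Document for a non-compliant vault, ready to save and pass via file://
    print(policy_to_text(add_delete_protection(SAMPLE_POLICIES["cc-app-backup-vault"])))
```

In practice the loop over vault names comes from list-backup-vaults per region, and the result of add_delete_protection is written to cc-vault-access-policy.json before the put-backup-vault-access-policy call; because the merge is idempotent, re-running it against an already remediated vault leaves the policy unchanged.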

Publication date Apr 23, 2019