Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Configure AWS Backup Vault Access Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Backup-002

Ensure that an Amazon Backup vault access policy is configured to prevent the deletion (accidentally or intentionally) of AWS backups in the backup vault. A backup vault is a container used to organize AWS backups.

This rule resolution is part of the Conformity solution.

Security

The ability to delete recovery points (i.e. backups) stored within your AWS Backup vaults is determined by the permissions that you grant to your users. You can enforce deletion protection and restrict deleting recovery points by configuring the resource-based access policies associated with your vaults.

Audit

To determine the configuration of the access policies associated with your Amazon Backup vaults, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, under Dashboard, choose Backup vaults.

04 Select the backup vault that you want to examine, then click on its name to access the resource configuration details.

05 On the selected vault configuration page, inside the Access policy section, check the associated policy document for the following statement, where Resource element value (highlighted) represents the Amazon Resource Name (ARN) of the selected backup vault: 

"Statement": [
    {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint",
        "Resource": "arn:aws:backup:<aws-region>:<aws-account-id>:backup-vault:<backup-vault-name>"
    }
]

If the verified resource-based access policy does not contain the specified statement or there is no access policy attached at all, the selected Amazon Backup vault does not have deletion protection implemented for its backups.
Note: "Principal": "*" and "Principal" : { "AWS" : "*" } are equivalent

06 Repeat steps no. 4 and 5 to check the access policy configuration for other AWS Backup vaults available in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-backup-vaults command (OSX/Linux/UNIX) to list the names of all backup vaults available in the selected AWS region: 

aws backup list-backup-vaults
    --region us-east-1
    --output table
    --query 'BackupVaultList[*].BackupVaultName'

02 The command output should return a table with the requested AWS Backup vault names: 

---------------------------
|    ListBackupVaults     |
+-------------------------+
|  cc-internal-app-vault  |
|  cc-prod-backup-vault   |
+-------------------------+

03 Run get-backup-vault-access-policy command (OSX/Linux/UNIX) using the name of the backup vault that you want to examine as identifier parameter to return the access policy document that is associated with the selected vault: 

aws backup get-backup-vault-access-policy
    --region us-east-1
    --backup-vault-name cc-internal-app-vault

04 Based on the resource-based access policy configuration, the command output should return one of the following:

  1. If the command output returns the "ResourceNotFoundException" error, as shown in the example below, the selected Amazon Backup vault is not associated with an access policy, therefore there is no deletion protection configured for the selected vault.
    Note: "Principal": "*" and "Principal" : { "AWS" : "*" } are equivalent 
    An error occurred (ResourceNotFoundException) when calling the GetBackupVaultAccessPolicy operation: Cryopd arn:aws:backup:us-east-1:123456789012:backup-vault:cc-internal-app-vault has no associated policy.
  2. If get-backup-vault-access-policy command output returns an access policy document but this document does not contain the policy statement listed below (where Resource value represents the ARN of the backup vault), the selected Amazon Backup vault does not have deletion protection enabled for its backups: 
    "Statement": [
    {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint",
        "Resource": "arn:aws:backup:<aws-region>:<aws-account-id>:backup-vault:<backup-vault-name>"
    }
]

05 Repeat step no. 3 and 4 to verify the access policy configuration for other AWS Backup vaults available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

The resource-based access policy associated with an AWS vault allows you to specify who has access to the backups within that vault and what actions they can perform on these backups. To define and implement an access policy that denies all users the ability to delete existing or future backups inside a backup vault, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, under Dashboard, choose Backup vaults.

04 Click on the name of the vault that you want to reconfigure (see Audit section part I to identify the right resource).

05 On the selected vault configuration page, in the Access policy section, perform one of the following:

  1. If the selected backup vault does not have an access policy attached, paste the policy document listed below within the Policy editor box. Make sure that you replace the Resource element value (highlighted ARN) with your own vault ARN: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "backup:DeleteRecoveryPoint",
            "Resource": "arn:aws:backup:<aws-region>:<aws-account-id>:backup-vault:<backup-vault-name>"
        }
    ]
}
  2. If the vault selected does have an access policy attached, add the policy statement listed below to the existing policy document available in the Policy editor box. Make sure that you replace the Resource element value (ARN – highlighted) with your own backup vault ARN: 
    "Statement": [
    {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint",
        "Resource": "arn:aws:backup:<aws-region>:<aws-account-id>:backup-vault:<backup-vault-name>"
    }
]

06 Click Attach Policy to attach/update the specified resource-based access policy.

07 Repeat steps no. 4 – 6 to implement deletion protection using policies for other AWS Backup vaults available in the current region.

08 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.

Using AWS CLI

01 Define the resource-based policy that is used to manage access permissions on the target backup vault. Create a new policy document, name it vault-access-policy.json, and paste the content listed below. If the selected backup vault has an access policy attached, add just the policy statement to the existing document. Regardless of the policy configuration used, replace the highlighted information, i.e. the ARN of the selected backup vault with your own vault ARN: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "backup:DeleteRecoveryPoint",
            "Resource": "arn:aws:backup:us-east-1:122330079136:backup-vault:cc-internal-app-vault"
        }
    ]
}

02 Run put-backup-vault-access-policy command (OSX/Linux/UNIX) using the file name of the newly created policy document (i.e. vault-access-policy.json) as command parameter to attach the access policy defined at the previous step to the selected Amazon Backup vault (the command does not produce an output): 

aws backup put-backup-vault-access-policy
    --region us-east-1
    --backup-vault-name cc-internal-app-vault
    --policy file://vault-access-policy.json

03 Repeat step no. 1 and 2 to configure deletion protection using access policies for other AWS Backup vaults available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire process for other regions.

References

Publication date Apr 23, 2019

Related Backup rules