Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Protected Amazon Backup Resource Types

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Protected Resource Types feature is enabled and configured for Amazon Backup service within your AWS cloud account in order to help you meet business continuity, disaster recovery, and compliance requirements. This feature allows you to configure which cloud resource types (EC2, RDS, EFS and others) are protected by backup plans in the specified AWS region. You can also use the feature to enable protection for the newly supported resource types in your existing backup plans. The set of resource types that will be protected by Amazon Backup plans within the specified AWS account and region must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Reliability

Amazon Backup Protected Resource Types feature allows you to choose which resource types are protected by backup plans on per-region basis. To comply with internal regulations, use this feature to disable or enable backups of certain resource types. If the feature is not properly configured for each AWS region, if you try to create an on-demand backup or backup plan using resources from an AWS service that is not enabled, you receive an error message and the backup process can't be successfully completed.

Audit

To check the protected backup resource types configuration within the specified AWS account and region, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Protected Amazon Backup Resource Types conformity rule settings and identify the resource types protected by Amazon Backup within the selected region.

02 Sign in to AWS Management Console.

03 Navigate to Amazon Backup console at https://console.aws.amazon.com/backup/.

04 Select the AWS cloud region that you want to access from the console navigation bar.

05 In the left navigation panel, under My account, choose Settings to access the configuration settings available for Amazon Backup in the selected AWS region.

06 On the Settings page, in the Service opt-in section, check the Status column to determine the configuration status of each resource type supported by Amazon Backup service. Compare the list with the resource types protected by Amazon Backup (i.e. Status set to Enabled) in the selected region with the one identified at step no. 1. If the list of protected AWS resource types is different than the one defined in the conformity rule settings, the Amazon Backup configuration for protected resource types is not compliant within the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat steps no. 4 – 6 to verify the Amazon Backup protected resource type configuration for other cloud regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Protected Amazon Backup Resource Types conformity rule settings and identify the resource types protected by Amazon Backup within the selected region.

02 Run describe-region-settings command (OSX/Linux/UNIX) to describe Amazon Backup resource type configuration settings available for the specified region. If the boolean value of a supported AWS cloud service is set to true, Amazon Backup protect that service's resources in the selected region when included in an on-demand backup or scheduled backup plan. If the value is set to false, Amazon Backup does not protect that service's resources in the selected region: 

aws backup describe-region-settings
  --region us-east-1
  --query 'ResourceTypeOptInPreference'

03 The command output should return the requested configuration information: 

{
  "RDS": false,
  "Aurora": false,
  "EFS": false,
  "Storage Gateway": false,
  "DynamoDB": false,
  "EC2": false,
  "EBS": false
}

Check the describe-region-settings command output to determine the configuration status of each resource type supported by Amazon Backup service (true for protected, false for unprotected). Compare this list with the one identified at step no. 1. If the list of protected AWS resource types returned by the command output is different than the one defined in the conformity rule settings, the Amazon Backup configuration for protected resource types is not compliant within the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to verify the Amazon Backup protected resource type configuration for other regions.

Remediation / Resolution

To update the Amazon Backup protected resource type configuration in the specified AWS account and region in order to meet compliance requirements, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Protected Amazon Backup Resource Types conformity rule settings and note the resource types protected by Amazon Backup within the selected region.

02 Sign in to AWS Management Console.

03 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

04 Select the AWS cloud region that you want to access from the console navigation bar.

05 In the left navigation panel, under My account, choose Settings to access the configuration settings available for Amazon Backup in the selected AWS region.

06 On the Settings page, in the Service opt-in section, choose Configure resources to modify the Amazon Backup protected resource type configuration available for the selected region.

07 On the Configure resources page, use the toggle switches to enable or disable the resource types that will be protected by backup plans in the selected AWS region, based on the protected resource type configuration defined in the conformity rule settings, identified at step no. 1. Click Confirm to save the configuration changes.

08 Change the AWS region from the console navigation bar and repeat steps no. 4 – 7 to update the Amazon Backup protected resource type configuration in other AWS regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Protected Amazon Backup Resource Types conformity rule settings and note the resource types protected by Amazon Backup within the selected region.

02 Run update-region-settings command (OSX/Linux/UNIX) to update the Amazon Backup protected resource type configuration in the specified AWS region in order to enable and/or disable the resource types that will be protected by backup plans in the selected cloud region, based on the protected resource type configuration defined in the conformity rule settings, identified at step no. 1. The following command example, enables backup protection for Amazon EC2, RDS and EBS resources, and disables protection for Amazon EFS, Aurora and DynamoDB resources (the update-region-settings command does not produce an output): 

aws backup update-region-settings
  --region us-east-1
  --resource-type-opt-in-preference EC2=true,RDS=true,EBS=true,EFS=false,Aurora=false,DynamoDB=false

03 Change the AWS region by updating the --region command parameter value and repeat step no. 2 to update the Amazon Backup protected resource type configuration in other AWS cloud regions.

References

Publication date Aug 3, 2020

Related Backup rules