
AWS Backup Service Lifecycle Configuration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that a compliant lifecycle configuration is enabled for your Amazon Backup plans in order to meet compliance requirements when it comes to security and cost optimization. The AWS Backup lifecycle configuration defines when scheduled backups are transitioned to cold storage and when these are set to expire. Prior to running this conformity rule by the Cloud Conformity engine, you need to specify your own Amazon Backup lifecycle configuration in the rule settings. The lifecycle configuration parameters that must be defined for the rule settings are MoveToColdStorageAfterDays – the number of days after creation that a backup recovery point is moved to cold storage and DeleteAfterDays – the number of days after creation that a recovery point is deleted (must be greater than MoveToColdStorageAfterDays).

Categories: Security, Cost optimisation

Amazon Backup service transitions and expires backups automatically according to the lifecycle configuration that you define. Therefore, having a compliant lifecycle configuration enabled for your AWS Backup plans ensures that your backup strategy follows security best practices and meets the regulatory compliance requirements of your organization.


Audit

To determine if your AWS Backup plans have a compliant lifecycle configuration enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, select Backup plans.

04 Choose the backup plan that you want to examine, then click on the plan name to access its configuration details.

05 In the Backup rules section, select the backup rule that you want to examine, then click Edit to access the rule configuration.

06 On the Edit Backup rule: <rule-name> page, in the Schedule section, under Lifecycle, check Transition to cold storage and Expire settings. If these settings are both set to Never, there is no lifecycle configuration enabled for the selected Amazon Backup plan. If one or both of these settings have different values than Never, compare the Transition to cold storage and Expire values to MoveToColdStorageAfterDays and DeleteAfterDays parameters value defined in the rule settings, in your Cloud Conformity account. If the configuration values don't match, the lifecycle configuration defined for the selected AWS Backup plan rule is not compliant.

07 Repeat steps no. 5 and 6 to examine other backup rules created for the selected AWS Backup plan.

08 Repeat steps no. 4 – 7 to determine the lifecycle configuration for other Amazon Backup plans available within the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-backup-plans command (OSX/Linux/UNIX) to list the IDs of all the AWS Backup plans available in the selected region:

aws backup list-backup-plans \
    --region us-east-1 \
    --query 'BackupPlansList[*].BackupPlanId'

02 The command output should return an array with the requested backup plan IDs:

[
    "abcd1234-abcd-1234-abcd-1234abcd1234",
    "1234abcd-1234-abcd-1234-abcd1234abcd"
]

03 Run get-backup-plan command (OSX/Linux/UNIX) using the ID of the backup plan that you want to examine as identifier and custom query filters to return the lifecycle configuration defined for the selected Amazon Backup plan. The lifecycle configuration consists of MoveToColdStorageAfterDays and DeleteAfterDays parameters, where MoveToColdStorageAfterDays represents the number of days after creation that a backup recovery point is moved to cold storage and DeleteAfterDays represents the number of days after creation that a recovery point is deleted:

aws backup get-backup-plan \
    --region us-east-1 \
    --backup-plan-id abcd1234-abcd-1234-abcd-1234abcd1234 \
    --query 'BackupPlan.Rules[*].{MoveToColdStorageAfterDays: Lifecycle.MoveToColdStorageAfterDays, DeleteAfterDays: Lifecycle.DeleteAfterDays}'

04 Based on the lifecycle configuration available for the selected backup plan, the command request can return one of the following outputs:

  1. If both MoveToColdStorageAfterDays and DeleteAfterDays parameters return null, as shown in the example below, there is no lifecycle configuration enabled for the selected Amazon Backup plan:
    [
        {
            "MoveToColdStorageAfterDays": null,
            "DeleteAfterDays": null
        }
    ]
    
  2. If MoveToColdStorageAfterDays and DeleteAfterDays parameters return different values (i.e. number of days), as shown in the example below, compare these values to MoveToColdStorageAfterDays and DeleteAfterDays parameter values defined in the rule settings, in your Cloud Conformity account. If the configuration values do not match, the lifecycle configuration defined for the selected Amazon Backup plan rule is not compliant:
    [
        {
            "MoveToColdStorageAfterDays": 14,
            "DeleteAfterDays": 120
        }
    ]
    

05 Repeat steps no. 3 and 4 to determine the lifecycle configuration for other AWS Backup plans available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
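The audit logic of CLI steps 3 and 4 (both parameters null versus values that differ from the rule settings) applied to the JSON that get-backup-plan returns, as an added example that is not Cloud Conformity's own code. The expected values and the sample plan document are constructed for this example, and the 90-day minimum cold-storage retention from the remediation notes is checked as well.

```python
"""Added example (not Cloud Conformity's code): applies the CLI audit
logic above to the JSON returned by `aws backup get-backup-plan`."""
import json

# Expected values as they would be set in the conformity rule settings
# (assumed values for this example).
EXPECTED_COLD_DAYS = 14
EXPECTED_DELETE_DAYS = 120

# Constructed sample shaped like `get-backup-plan` output, one rule per case.
SAMPLE_GET_BACKUP_PLAN = json.dumps({"BackupPlan": {
    "BackupPlanName": "cc-production-backup-plan",
    "Rules": [
        {"RuleName": "NoLifecycle", "TargetBackupVaultName": "Default"},
        {"RuleName": "Compliant", "Lifecycle":
            {"MoveToColdStorageAfterDays": 14, "DeleteAfterDays": 120}},
        {"RuleName": "ShortRetention", "Lifecycle":
            {"MoveToColdStorageAfterDays": 14, "DeleteAfterDays": 60}},
        {"RuleName": "Drifted", "Lifecycle":
            {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 365}},
    ]}})


def audit_rule(rule, expected_cold, expected_delete):
    """Return (status, reason) for one backup rule's Lifecycle block."""
    lifecycle = rule.get("Lifecycle") or {}
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    delete = lifecycle.get("DeleteAfterDays")
    if cold is None and delete is None:
        # CLI step 04.1: both null means Transition and Expire are "Never"
        return "NON_COMPLIANT", "no lifecycle configuration"
    if cold is not None and delete is not None and delete < cold + 90:
        # AWS keeps cold-storage recovery points for at least 90 days
        return "NON_COMPLIANT", (f"DeleteAfterDays {delete} is less than "
                                 f"MoveToColdStorageAfterDays {cold} + 90")
    if cold != expected_cold or delete != expected_delete:
        # CLI step 04.2: values differ from the conformity rule settings
        return "NON_COMPLIANT", (f"lifecycle {cold}/{delete} differs from "
                                 f"expected {expected_cold}/{expected_delete}")
    return "COMPLIANT", "lifecycle matches rule settings"


def audit_plan(plan_json, expected_cold, expected_delete):
    """Map each rule name in a get-backup-plan document to its status."""
    rules = json.loads(plan_json)["BackupPlan"]["Rules"]
    return {r["RuleName"]: audit_rule(r, expected_cold, expected_delete)[0]
            for r in rules}
```

Feeding the real output of `aws backup get-backup-plan --backup-plan-id <id>` to audit_plan gives the per-rule verdict for one plan; loop over the IDs from list-backup-plans to cover a region.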

Remediation / Resolution

To implement compliant lifecycle configurations for your existing Amazon Backup plans, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, select Backup plans.

04 Choose the backup plan that you want to reconfigure, then click on the plan name to access its configuration details.

05 In the Backup rules section, select the backup rule that you want to update, then click Edit to access the rule configuration.

06 Within Schedule section, under Lifecycle, perform the following actions:

  1. Select Days after creation from the Transition to cold storage dropdown list, and inside the value box enter the number of days, defined in the conformity rule settings, for the MoveToColdStorageAfterDays configuration parameter.
  2. Now select Days after creation from the Expire dropdown list, and inside the value box enter the number of days, defined in the conformity rule settings, for the DeleteAfterDays lifecycle configuration parameter. Any backups transitioned to cold storage must be stored there for a minimum of 90 days. Therefore, the Expire setting must be at least 90 days greater than the Transition to cold storage setting.
  3. Click Save to apply the changes.

07 If required, repeat steps no. 5 and 6 to update other backup rules created for the selected AWS Backup plan.

08 Repeat steps no. 4 – 7 to reconfigure the lifecycle configuration for other Amazon Backup plans available in the current region.

09 Change the AWS region from the navigation bar to repeat the entire process for the other regions.

Using AWS CLI

01 Redefine your Amazon Backup plan in order to reconfigure the existing lifecycle configuration. Create a new JSON document, name it backup-plan-config.json, and paste the content listed below. Configure the MoveToColdStorageAfterDays and DeleteAfterDays parameters to match the configuration values defined within the rule settings, in your Cloud Conformity account. Note that any backups transitioned to cold storage must be stored there for a minimum of 90 days. Therefore, the DeleteAfterDays parameter value must be at least 90 days greater than the MoveToColdStorageAfterDays value:

{
  "BackupPlanName": "cc-production-backup-plan",
  "Rules": [
    {
      "RuleName": "DailyBackups",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 480,
      "CompletionWindowMinutes": 10080,
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 90,
        "DeleteAfterDays": 365
      }
    }
  ]
}

02 Run update-backup-plan command (OSX/Linux/UNIX) using the backup plan definition configured at the previous step (i.e. backup-plan-config.json) as parameter, to update the lifecycle configuration for the specified Amazon Backup plan:

aws backup update-backup-plan \
    --region us-east-1 \
    --backup-plan-id abcd1234-abcd-1234-abcd-1234abcd1234 \
    --backup-plan file://backup-plan-config.json

03 The command output should return the update-backup-plan command request metadata:

{
    "BackupPlanArn": "arn:aws:backup:us-east-1:123456789012:backup-plan:abcd1234-abcd-1234-abcd-1234abcd1234",
    "CreationDate": 1552671016.402,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

04 Repeat steps no. 1 – 3 to redefine the lifecycle configuration for other Amazon Backup plans available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire process for other regions.

Publication date Mar 22, 2019