AWS

Enhance your backup security with AWS Backup Vault Lock.

Jeremy Chauvet

Dec 14, 2023 — 2 min read

AWS backup is a managed service acting as a hub to manage everything about the backups of your business critical assets. This service offer a wide range of features, such as:

Automated backup schedules and retention management
Centralized backup monitoring
Incremental backups
Cross-account management with AWS Organizations
Automated backup audits and reports with AWS Backup Audit Manager
Write-once, read-many (WORM) with AWS Backup Vault Lock

AWS Backup centralized monitoring in action

Vault Lock

Vault Lock is an optional feature of a backup vault, which can be helpful in giving you additional security and control over your backup vaults.

Two different locks are available:

Governance mode - Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions.
Compliance mode - Vaults locked in compliance mode cannot be deleted once the cooling-off period (aka grace time) expires. During grace time, you can still remove the vault lock and change the lock configuration. A Vault protected with this mode must be empty to be deleted. If you have backups into, you must wait until there are expired, an then, remove the Vault.
To apply a compliance mode to a vault, you can optionally set a minimum and maximum retention time. If you didn't set a maximum retention time, snapshots in the Vault will never be deleted, preventing deletion of the Vault. Keep in mind once a vault in compliance mode is locked (after the grace period), it is immutable, meaning the lock cannot be removed - neither by AWS, the root account or an administrator account.

Legal hold

If using Vault Lock feature provides additional protections and immutability to a vault, it didn't protect the individual backups inside the vault.

Legal hold feature is designed to prevent backups from being deleted while under a hold. While the hold is in place, backups under a hold cannot be deleted and lifecycle policies that would alter the backup status (such as transition to a Deleted state) are delayed until the legal hold is removed.

In conclusion, the Vault Lock and Legal Hold features are essential tools in the realm of data security and compliance. By implementing these features, organizations can significantly enhance their data governance and compliance posture, ensuring that critical data is securely retained and protected.

Gitlab manifesto

Inspired by « The Frugal Architect » from Amazon CTO Werner Vogels, this manifesto explain simple laws to create sustainable, scalable and human-friendly delivery processes on Gitlab. Law 1 - Use labels to categorise Merge Requests During the lifetime of a project, maintainers may handle dozens of merge requests, depending on the

Dependency management automation with Renovate

Modern IT systems are built on top of dozens of software applications and programming languages. These systems often depend on third-party components, which help developers avoid reinventing the wheel. These components, mostly libraries or frameworks, have their own lifecycles, allowing for the addition of new features and the patching of

Functional tests on containers with Google container-structure-test

Over the years, I've built hundreds of Docker images for dozens of major companies in Europe & USA. Every time, the same question needs to be answered: "how can we test this image before using it?". Most of these companies answered this question by adding an

How to apply your company password policy convention on Hashicorp Vault

In a recent post, we've seen how your user naming convention can be applied to some of the dynamic secrets Vault can handle. In this article, we will see how companies can also set their password policy convention. Password policies not related to policies, which are used to