AWS Backup is a managed service that acts as a central hub for managing the backups of your business-critical assets. The service offers a wide range of features, such as:
- Automated backup schedules and retention management
- Centralized backup monitoring
- Incremental backups
- Cross-account management with AWS Organizations
- Automated backup audits and reports with AWS Backup Audit Manager
- Write-once, read-many (WORM) with AWS Backup Vault Lock
Vault Lock is an optional feature of a backup vault that gives you additional security and control over the vault and what it holds.
Two lock modes are available:
- Governance mode - A lock in governance mode can be removed by users with sufficient IAM permissions.
- Compliance mode - A lock in compliance mode can no longer be removed or changed once the cooling-off period (also called the grace period) expires. During the grace period you can still remove the vault lock and change the lock configuration. A vault protected in this mode can only be deleted once it is empty: if it contains backups, you must wait until they expire and only then delete the vault.
When applying compliance mode to a vault, you can optionally set a minimum and a maximum retention period. If you do not set a maximum retention period, backups with unlimited retention can land in the vault; those never expire, so the vault never becomes empty and can never be deleted. Keep in mind that once a compliance-mode lock takes effect (after the grace period) it is immutable: the lock cannot be removed, not by AWS, not by the account's root user, and not by an administrator.
While Vault Lock adds protection and immutability to the vault itself, it does not place a hold on the individual backups inside the vault.
The Legal Hold feature is designed to prevent backups from being deleted while they are under a hold. While a hold is in place, the backups under it cannot be deleted, and lifecycle actions that would change a backup's status (such as a transition to the Deleted state) are delayed until the legal hold is removed.
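The following helper ties the two features above together in code. It is an added example written for this article, not AWS or boto3 code: it builds the request parameters that boto3's `backup` client accepts for `put_backup_vault_lock_configuration` and `create_legal_hold` (parameter names as the author understands them from the API reference), classifies a vault's lock state from a `describe_backup_vault` response, and flags the "no maximum retention" trap from the compliance-mode paragraph. The numeric limits, the vault names and the sample responses are assumptions and constructed data; nothing here calls AWS unless you run the guarded section at the bottom with credentials.

```python
"""Build Vault Lock and Legal Hold requests and classify a vault's lock state.

Hypothetical helper written for this article; not AWS or boto3 code. The
parameter names follow boto3's `backup` client as the author understands
them, and the numeric limits below are assumptions, not article content.
"""
from datetime import datetime, timezone

MIN_CHANGEABLE_FOR_DAYS = 3   # shortest cooling-off period AWS accepts (assumption)
MAX_DAYS = 36500              # ceiling for retention / changeable days (assumption)


def vault_lock_params(vault_name, min_retention_days=None,
                      max_retention_days=None, changeable_for_days=None):
    """Return kwargs for client.put_backup_vault_lock_configuration().

    changeable_for_days=None selects governance mode (removable later via
    backup:DeleteBackupVaultLockConfiguration); an integer selects compliance
    mode with that many days of cooling-off, after which the lock is immutable.
    """
    params = {"BackupVaultName": vault_name}
    if min_retention_days is not None:
        if not 1 <= min_retention_days <= MAX_DAYS:
            raise ValueError("min_retention_days out of range")
        params["MinRetentionDays"] = min_retention_days
    if max_retention_days is not None:
        if not 1 <= max_retention_days <= MAX_DAYS:
            raise ValueError("max_retention_days out of range")
        params["MaxRetentionDays"] = max_retention_days
    if (min_retention_days is not None and max_retention_days is not None
            and min_retention_days > max_retention_days):
        raise ValueError("min retention must not exceed max retention")
    if changeable_for_days is not None:
        if not MIN_CHANGEABLE_FOR_DAYS <= changeable_for_days <= MAX_DAYS:
            raise ValueError("compliance mode needs a cooling-off period of at "
                             f"least {MIN_CHANGEABLE_FOR_DAYS} days")
        params["ChangeableForDays"] = changeable_for_days
    return params


def lock_state(vault, now=None):
    """Classify a describe_backup_vault() response.

    Returns "unlocked", "governance", "cooling-off" or "compliance". A
    compliance-mode vault is "cooling-off" until LockDate passes; after that
    the lock cannot be removed by anyone.
    """
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:            # locked but no LockDate: governance mode
        return "governance"
    return "cooling-off" if now < lock_date else "compliance"


def review_vault(vault, now=None):
    """Return findings to act on before the grace period closes the lock."""
    findings = []
    state = lock_state(vault, now)
    if state == "unlocked":
        findings.append("no lock: any principal allowed DeleteRecoveryPoint "
                        "can delete backups")
    if state in ("cooling-off", "compliance") and "MaxRetentionDays" not in vault:
        findings.append("no MaxRetentionDays: backups retained forever keep the "
                        "vault non-empty, so it can never be deleted")
    if state == "cooling-off":
        findings.append(f"lock becomes immutable at {vault['LockDate'].isoformat()}; "
                        "verify retention bounds now")
    return findings


def legal_hold_params(title, description, vault_names, from_date, to_date,
                      idempotency_token=None):
    """Return kwargs for client.create_legal_hold() covering every recovery
    point created in the given vaults between from_date and to_date."""
    if from_date > to_date:
        raise ValueError("from_date must not be after to_date")
    params = {
        "Title": title,
        "Description": description,
        "RecoveryPointSelection": {
            "VaultNames": list(vault_names),
            "DateRange": {"FromDate": from_date, "ToDate": to_date},
        },
    }
    if idempotency_token:
        params["IdempotencyToken"] = idempotency_token
    return params


# Constructed sample describe_backup_vault() responses, not real AWS output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VAULTS = {
    "open": {"BackupVaultName": "open", "Locked": False},
    "gov": {"BackupVaultName": "gov", "Locked": True, "MinRetentionDays": 7},
    "cooling": {"BackupVaultName": "cooling", "Locked": True, "MinRetentionDays": 7,
                "MaxRetentionDays": 365,
                "LockDate": datetime(2024, 6, 3, tzinfo=timezone.utc)},
    "sealed": {"BackupVaultName": "sealed", "Locked": True, "MinRetentionDays": 7,
               "LockDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
}

if __name__ == "__main__":
    for name, vault in SAMPLE_VAULTS.items():
        print(name, lock_state(vault, NOW), review_vault(vault, NOW))
    # Against a real account (needs credentials; vault name is hypothetical):
    #   import boto3
    #   backup = boto3.client("backup")
    #   backup.put_backup_vault_lock_configuration(
    #       **vault_lock_params("prod-vault", 7, 365, changeable_for_days=3))
```

Run `review_vault` against every vault's `describe_backup_vault` output while it is still in the cooling-off state: that window is the last point at which a wrong retention bound, or a missing maximum, can still be corrected.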
In conclusion, Vault Lock and Legal Hold are essential tools for data security and compliance. By implementing them, organizations can significantly strengthen their data governance and compliance posture, ensuring that critical data is securely retained and protected.