Navigating the complexities of data protection audits can be challenging. Have you ever had to demonstrate to an auditor that your data protection measures meet regulatory or internal standards? The auditing process can be resource-intensive, placing the responsibility on you to prove that adequate controls are established for data protection and retention.
To address these challenges, AWS Backup introduced a new compliance auditing feature, AWS Backup Audit Manager, on August 24, 2021. This functionality allows you to assess and report on the compliance of your specified data protection policies, ensuring you meet both business and regulatory requirements. AWS Backup helps you centralize and automate the data protection of various AWS services, including compute, storage, and databases, following organizational best practices and regulatory benchmarks. AWS Backup Audit Manager is a valuable tool for maintaining and showcasing compliance with your data protection strategies.
In this post, we will guide you through the process of creating AWS Backup frameworks with governance controls and generating reports on your backup and compliance status. These reports serve as concrete evidence of your compliance efforts and help identify backup activities or resources that might not yet comply.
Backup Risk Management Framework
This blog focuses on a specific subset of controls within the Risk Management Framework (RMF) outlined by the National Institute of Standards and Technology (NIST). The RMF establishes comprehensive cybersecurity controls and is widely adopted by organizations as a foundation for their cybersecurity policies. The Contingency Planning (CP) Family of controls addresses policies, procedures, and technical guidelines for operational continuity. For example, CP-9 (System Backup) provides a broad definition of data backup that varies based on organizational needs, defining aspects such as:
- Components of the system to be backed up (including user-level and system-level data)
- Backup frequency and retention, which should align with Recovery Point Objectives (RPOs)
We will examine the Control Enhancements under CP-9 from the latest Special Publication (SP 800-53) that are relevant to backups. The enhancements we will validate using AWS Backup Audit Manager include:
- CP-9(1) | Testing for Reliability and Integrity
- CP-9(4) | Protection from Unauthorized Modification
- CP-9(8) | Cryptographic Protection
Note: This blog is not intended as a comprehensive guide to fulfilling NIST or any other cybersecurity framework; rather, it highlights tools available to meet specific criteria related to auditing backup procedures. The featured compliance aspects could apply across various industry standards, including the Health Insurance Portability and Accountability Act (HIPAA) and the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOCs). Ensure that your security team adheres to your organization’s regulatory requirements.
How to Use AWS Backup Audit Manager
This section demonstrates how to utilize AWS Backup Audit Manager to confirm that resources are backed up at specified intervals, that retention policies are met, and that backups are encrypted. Additionally, we will show how to set up controls to prevent the manual deletion of recovery points.
Prerequisites
- Access to AWS Backup, Amazon Simple Storage Service (Amazon S3), and AWS Config services.
- At least one AWS Backup plan associated with a backup vault. In our example, we created a backup plan called “MyOrg-Critical-BackupEC2” along with a Backup Vault named “MyOrg-Production-CriticalBackups.”
- An S3 bucket for audit report storage. We created a bucket named “myorg-auditcompliance-bucket.”
- Enable AWS Config recording for your backup plans (AWS::Backup::BackupPlan), backup selection (AWS::Backup::BackupSelection), vaults (AWS::Backup::BackupVault), recovery points (AWS::Backup::RecoveryPoint), and AWS Config resource compliance (AWS::Config::ResourceCompliance).
Please note that there are costs associated with AWS Config recording and report storage in Amazon S3. In this example, we will use an Amazon Elastic Compute Cloud (Amazon EC2) instance tagged with the key “environment” and the value “production.” For additional information on setting up AWS Backup, check out the Getting Started Guide.
Creating Frameworks
AWS Backup Audit Manager allows you to audit the compliance of your AWS Backup policies against your defined controls. A control is a procedure designed to verify compliance with a backup requirement, such as backup frequency or retention period. The AWS Backup framework consists of a collection of controls managed as a unified entity. If you need to comply with different internal or regulatory standards, such as NIST, HIPAA, or SOC, you can establish multiple frameworks to track compliance separately.
To get started, navigate to the AWS Backup dashboard in the AWS Management Console and select “Get started with frameworks.”
On the Frameworks homepage, ensure that AWS Config recording is enabled by checking the Resource tracking status. Then, select “Create framework” to begin.
First, provide a name for your new framework and choose the framework type. The AWS Backup framework includes all five controls by default. For illustration, we will create a custom framework to validate that our critical EC2 instances are appropriately backed up following our organizational policy.
The Backup resources protected by backup plan control evaluates whether the selected resources are covered by a backup plan. By default, all resources are selected, but you can narrow the scope to specific resource types or tags to simplify management. In this example, we recommend setting the control scope to Resource Type, selecting EC2 as the resource type, and scoping to resources already tagged with the “environment” key set to “production.” The next control checks backup frequency and retention; here we need to ensure that this resource is backed up daily and that backups are retained for at least 30 days.
Next, you can check that the selected backup vaults prevent manual deletion of recovery points. The Backup prevent recovery point manual deletion control lets you specify up to five IAM roles that remain allowed to delete recovery points manually, for exceptional cases.
Lastly, the Backup recovery point encrypted control assesses whether backup recovery points are encrypted. You can confirm that all recovery points are encrypted and also evaluate selected recovery points based on specific tags.
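The framework walked through above, expressed as an added example in Python (this is not code from the original post or from AWS). It builds the five-control definition for the scenario in this post (EC2 instances tagged environment=production, daily backups retained at least 30 days, encrypted recovery points, manual deletion blocked except for a short list of roles) and adds a local pre-check that mirrors the frequency-and-retention control so a backup plan can be sanity-checked before the framework is created. The control names and parameter names are the ones AWS Backup Audit Manager publishes for its managed controls; the backup plan rules, vault name and role ARNs are constructed, and the cron-interval estimate is a deliberate simplification that only covers the common hourly, daily, weekly and monthly schedule shapes. The local check is a convenience, not a replacement for AWS Config's evaluation.

```python
"""Framework definition and local pre-check for the scenario in the post.

Added example, not code from the original post or from AWS. The control names
and parameter names are the ones AWS Backup Audit Manager publishes for its
five managed controls; the backup plan rules, vault name and role ARNs below
are constructed for illustration.
"""
import json
import re

# Organisational policy from the post: daily backups, kept at least 30 days.
REQUIRED_FREQUENCY_HOURS = 24
REQUIRED_RETENTION_DAYS = 30

_WILDCARD = {"*", "?"}


def build_framework_controls(resource_type="EC2", tags=None, exempt_role_arns=()):
    """Return the FrameworkControls list for a backup:CreateFramework call.

    Only the 'resources protected by backup plan' control is scoped to the
    resource type and tags, as in the post; the other four apply account-wide.
    """
    exempt_role_arns = list(exempt_role_arns)
    if len(exempt_role_arns) > 5:
        raise ValueError("the manual-deletion control accepts at most five principals")
    scope = {"ComplianceResourceTypes": [resource_type]}
    if tags:
        scope["Tags"] = dict(tags)

    def params(**kv):
        return [{"ParameterName": k, "ParameterValue": str(v)} for k, v in kv.items()]

    controls = [
        {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN", "ControlScope": scope},
        {"ControlName": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
         "ControlInputParameters": params(requiredFrequencyUnit="hours",
                                          requiredFrequencyValue=REQUIRED_FREQUENCY_HOURS,
                                          requiredRetentionDays=REQUIRED_RETENTION_DAYS)},
        {"ControlName": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK",
         "ControlInputParameters": params(requiredRetentionDays=REQUIRED_RETENTION_DAYS)},
        {"ControlName": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"},
        {"ControlName": "BACKUP_RECOVERY_POINT_ENCRYPTED"},
    ]
    if exempt_role_arns:  # roles still permitted to delete recovery points by hand
        controls[3]["ControlInputParameters"] = params(principalArnList=",".join(exempt_role_arns))
    return controls


def schedule_interval_hours(expr):
    """Approximate the interval of an AWS Backup cron() schedule in hours.

    Simplified on purpose: a specific day-of-month counts as monthly, any
    non-wildcard day-of-week is treated conservatively as weekly, '*' or '*/N'
    in the hour field as hourly / every N hours, and anything else as daily.
    """
    m = re.fullmatch(r"cron\((\S+) (\S+) (\S+) (\S+) (\S+) (\S+)\)", expr.strip())
    if not m:
        raise ValueError(f"unsupported schedule expression: {expr}")
    _minute, hour, dom, _month, dow, _year = m.groups()
    if dom not in _WILDCARD and dow in _WILDCARD:
        return 30 * 24
    if dow not in _WILDCARD:
        return 7 * 24
    if hour == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", hour)
    return int(step.group(1)) if step else 24


def check_backup_plan(plan):
    """Local pre-check mirroring the frequency/retention control: the plan
    passes if at least one rule runs at least every REQUIRED_FREQUENCY_HOURS
    and keeps recovery points for at least REQUIRED_RETENTION_DAYS.
    Returns (compliant, findings); findings describe each failing rule."""
    findings = []
    for rule in plan["Rules"]:
        interval = schedule_interval_hours(rule["ScheduleExpression"])
        delete_after = rule.get("Lifecycle", {}).get("DeleteAfterDays")  # None = never expires
        ok_freq = interval <= REQUIRED_FREQUENCY_HOURS
        ok_ret = delete_after is None or delete_after >= REQUIRED_RETENTION_DAYS
        if ok_freq and ok_ret:
            return True, []
        kept = "indefinitely" if delete_after is None else f"{delete_after}d"
        findings.append(f"{rule['RuleName']}: every {interval}h, retained {kept}")
    return False, findings


# Constructed plans: the first matches the post's policy, the second does not.
GOOD_PLAN = {"BackupPlanName": "MyOrg-Critical-BackupEC2", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "MyOrg-Production-CriticalBackups",
     "ScheduleExpression": "cron(0 5 ? * * *)", "Lifecycle": {"DeleteAfterDays": 35}}]}
BAD_PLAN = {"BackupPlanName": "weekly-short", "Rules": [
    {"RuleName": "weekly", "TargetBackupVaultName": "MyOrg-Production-CriticalBackups",
     "ScheduleExpression": "cron(0 5 ? * SUN *)", "Lifecycle": {"DeleteAfterDays": 14}}]}

if __name__ == "__main__":
    controls = build_framework_controls(
        tags={"environment": "production"},
        exempt_role_arns=["arn:aws:iam::123456789012:role/BackupAdmin"])  # constructed ARN
    print(json.dumps(controls, indent=2))
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(plan["BackupPlanName"], check_backup_plan(plan))
```

The printed control list is the `FrameworkControls` value you would pass to `aws backup create-framework` (or `boto3`'s `create_framework`) together with a framework name; running the local check first catches the common mistake of a plan whose only rule is weekly or whose lifecycle expires recovery points before the retention floor.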