Automating Backup Compliance in AWS with AWS Backup Audit Manager


In AWS, backup compliance means establishing and enforcing policies that protect your backups: encrypting recovery points, preventing their manual deletion, and keeping backup lifecycle settings (frequency and retention) within agreed limits. AWS Backup Audit Manager, a feature of the AWS Backup service, provides built-in controls for these properties and lets you customize them to match your own data protection strategy. Each control is evaluated through AWS Config rules, so resources that violate a policy are flagged automatically as noncompliant.

Implementing security and compliance early in the development lifecycle—often referred to as “shifting left”—not only accelerates release times but also enhances overall security. This approach necessitates the seamless integration of security measures throughout the development process. In this blog post, I will discuss a solution that incorporates AWS Backup Audit Manager with AWS CodePipeline, enabling developers to embed automated backup controls for AWS resources directly into their workflows and effectively shift left concerning backup compliance.

Solution Overview

This solution is designed for deployment within a multi-account architecture using AWS Organizations. Developers can add, modify, or remove backup compliance controls from a designated developer account, while other accounts where Backup Audit Manager controls are deployed are referred to as managed accounts.

Utilizing the newly announced support for AWS CloudFormation in Backup Audit Manager, I will provision a Backup Audit Manager framework equipped with various backup-related data protection controls. CodePipeline will facilitate the creation and deployment of this framework as an AWS CloudFormation StackSet in the developer account. When developers check in or update Backup Audit Manager controls using standard Git commands, these modifications are propagated to the managed accounts via CodePipeline. This solution leverages the Backup Audit Manager framework StackSet in the developer account as the foundation for deploying stacks into selected managed accounts across specified AWS Regions. The architecture diagram below illustrates the entire workflow of this solution.
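The post provisions its framework from aws-backupcompliance-framework.yaml, which is not reproduced here. The following CloudFormation template is an added illustration of what such a framework template contains, written for this edit rather than taken from the post's repository. The framework name, the description, the tag, the parameter values (35 days retention, a daily backup, a recovery point no older than one day) and the ControlScope resource-type names are assumptions; the control names and input parameter names are the documented AWS Backup Audit Manager ones.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example of a Backup Audit Manager framework (not the post's own
  aws-backupcompliance-framework.yaml). Deployed as a StackSet instance into
  each managed account and Region.

Resources:
  BackupComplianceFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkName: backup-compliance-framework   # assumed name; must be unique per account/Region
      FrameworkDescription: Organization-wide backup data protection controls
      FrameworkControls:
        # Every in-scope resource must be covered by a backup plan. Scoping the
        # control to Aurora and RDS (assumed scope values) limits the Config rule
        # it creates to those resource types; an unscoped control covers all
        # supported resource types in the account.
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
          ControlScope:
            ComplianceResourceTypes:
              - Aurora
              - RDS
        # Recovery points must be encrypted at rest.
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
        # The vault access policy must deny manual deletion of recovery points.
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        # Lifecycle integrity: recovery points are retained at least 35 days.
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        # Backup plans must run at least every 24 hours and retain 35 days.
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredFrequencyUnit
              ParameterValue: hours
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        # A recovery point must have been created within the last day.
        - ControlName: BACKUP_LAST_RECOVERY_POINT_CREATED
          ControlInputParameters:
            - ParameterName: recoveryPointAgeUnit
              ParameterValue: days
            - ParameterName: recoveryPointAgeValue
              ParameterValue: '1'
      FrameworkTags:
        - Key: ManagedBy
          Value: backupcompliance-pipeline   # assumed tag

Outputs:
  FrameworkArn:
    Description: ARN of the deployed framework, useful for report plans
    Value: !GetAtt BackupComplianceFramework.FrameworkArn
```

Two practical checks before deploying a template like this: AWS Config must be recording the AWS Backup resource types (backup plans, vaults, selections and recovery points) in every target account and Region, or the framework will not finish deploying, and the ControlInputParameters values are strings, so quote the numeric ones as shown.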

Prerequisites

To initiate this solution, ensure that AWS Config is enabled in both the developer account and all managed accounts within the organization. Follow Step 1 outlined in the “Automate Configuration Compliance at Scale” blog post to utilize AWS Systems Manager Quick Setup for a streamlined setup process.

  1. Integrate AWS Cloud9’s local Git repository with the AWS CodeCommit remote repository:
    • Complete Step 1 from the AWS CodeCommit tutorial to create a CodeCommit Git repository, naming it (for instance, “BackupDevOps”). Take note of the branch name (like master, main, etc.) you will use for checking in source code.
    • AWS Cloud9 simplifies the process of establishing a local Git repository connected to CodeCommit. Follow the provided steps to set up AWS Cloud9 and link it with your CodeCommit repository.
  2. Download the necessary files from the GitHub repository associated with this post and upload them to the root directory of your local AWS Cloud9 Git repository:
    • aws-backupcompliance-framework.yaml: This template provisions your Backup Audit Manager framework.
    • buildspec.yml
    • buildspec-update.yml
  3. In the downloaded files, replace the accountID parameter with the AWS Account ID of your shared services account (the developer account that hosts the pipeline) and the region parameter with that account’s AWS Region. Then set the managedaccount and managedregion parameters to comma-separated lists of the AWS Account IDs and Regions of the managed accounts where the framework will be deployed.
  4. Use standard Git commands from your AWS Cloud9 cloned repository’s root folder (where the buildspec.yml file is located) in the AWS Cloud9 console to check in your source code:
    git add .
    git commit -m "initial commit"
    git push origin
  5. Create an Amazon Simple Storage Service (Amazon S3) staging bucket, following the naming convention: s3-backupdevops-accountid-region.

Setup

The complete solution, available for download along with a detailed README, can be installed in a single step:

  • Launch the aws-backupcompliance-codepipeline.yml CloudFormation template. This template provisions the CodePipeline-based DevOps automation, with stages for AWS CodeCommit and AWS CodeBuild, that builds and deploys your Backup Audit Manager framework to the designated accounts and Regions within your organization. It accepts the following parameters:
    • RepositoryName: Name of the CodeCommit repository holding the backup compliance templates (refer to Step 1a of the prerequisites).
    • BranchName: Branch in that CodeCommit repository (refer to Step 1a of the prerequisites).
    • BackupComplianceStagingBucket: Staging bucket for the Backup Audit Manager framework template (refer to Step 5 of the prerequisites).
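The post's buildspec.yml and buildspec-update.yml are not shown on the page. The following buildspec is an added example of what the CodeBuild stage of such a pipeline does with the accountID, region, managedaccount and managedregion parameters from the prerequisites: validate the framework template, stage a copy in the s3-backupdevops-accountid-region bucket, then create the StackSet and its stack instances on the first run or update them on later runs (collapsing the create and update buildspecs into one). It is written for this edit, not taken from the post's repository. The account IDs, Regions, StackSet name and bucket key layout are placeholders; the AWS CLI commands are the standard CloudFormation StackSet ones.

```yaml
version: 0.2

# Added example buildspec for the CodeBuild stage of backupcompliance-pipeline
# (not the post's buildspec.yml). Runs in the developer account and deploys
# aws-backupcompliance-framework.yaml as a StackSet whose stack instances are
# created in the managed accounts and Regions. All IDs and names are placeholders.
env:
  variables:
    accountID: "111111111111"                   # developer (shared services) account
    region: "us-east-1"                         # Region that hosts the StackSet and staging bucket
    managedaccount: "222222222222,333333333333" # comma-separated managed account IDs
    managedregion: "us-east-1,us-west-2"        # comma-separated target Regions
    STACKSET_NAME: "backupcompliance-framework" # assumed StackSet name
    TEMPLATE_FILE: "aws-backupcompliance-framework.yaml"

phases:
  pre_build:
    commands:
      # Fail the pipeline before touching any managed account if the template is invalid.
      - aws cloudformation validate-template --template-body "file://${TEMPLATE_FILE}"
      # Keep an auditable copy of exactly what this commit deployed, keyed by commit ID.
      - aws s3 cp "${TEMPLATE_FILE}" "s3://s3-backupdevops-${accountID}-${region}/${CODEBUILD_RESOLVED_SOURCE_VERSION}/${TEMPLATE_FILE}"
  build:
    commands:
      # Self-managed StackSet permissions: the developer account needs the
      # AWSCloudFormationStackSetAdministrationRole and every managed account the
      # AWSCloudFormationStackSetExecutionRole trusting it.
      - |
        ACCOUNTS="$(echo "${managedaccount}" | tr ',' ' ')"
        REGIONS="$(echo "${managedregion}" | tr ',' ' ')"
        if aws cloudformation describe-stack-set --stack-set-name "${STACKSET_NAME}" --region "${region}" >/dev/null 2>&1; then
          # Existing StackSet: push the changed controls to every instance
          # (the role buildspec-update.yml plays in the post).
          aws cloudformation update-stack-set \
            --stack-set-name "${STACKSET_NAME}" --region "${region}" \
            --template-body "file://${TEMPLATE_FILE}" \
            --accounts ${ACCOUNTS} --regions ${REGIONS} \
            --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
        else
          # First run: create the StackSet, then the instances in the managed accounts.
          aws cloudformation create-stack-set \
            --stack-set-name "${STACKSET_NAME}" --region "${region}" \
            --template-body "file://${TEMPLATE_FILE}" \
            --description "AWS Backup Audit Manager framework (backup compliance controls)"
          aws cloudformation create-stack-instances \
            --stack-set-name "${STACKSET_NAME}" --region "${region}" \
            --accounts ${ACCOUNTS} --regions ${REGIONS} \
            --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
        fi
```

The StackSet operations are asynchronous, so a green CodeBuild stage means the operation was accepted, not that every instance finished; check the operation status in the CloudFormation StackSets console (or with describe-stack-set-operation) before relying on the controls. FailureToleranceCount=0 with MaxConcurrentCount=1 stops the rollout at the first failing account instead of continuing to push a broken framework everywhere. The CodeBuild service role needs permission for the cloudformation StackSet and validate-template calls and s3:PutObject on the staging bucket, and nothing broader.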

Testing and Validation

  1. Validate DevOps
    • In the CodePipeline console, navigate to Pipelines, select the backupcompliance-pipeline, and confirm that the DevOps code pipeline initiates correctly and that the CodeCommit and CodeBuild stages execute successfully.
    • From the AWS Config console, go to Rules and verify that Backup-related AWS Config rules are provisioned for various AWS Backup resources, including backup selection, vaults, plans, and recovery points.
  2. Validate Compliance
    • To test our solution, we will trigger a sample backup compliance finding by evaluating the BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN control. This control checks whether AWS resources are safeguarded by a backup plan. We can accomplish this by launching an Amazon Aurora MySQL cluster without an associated backup plan.
    • Log into the Amazon RDS console of your managed AWS account and follow the steps to launch an Amazon Aurora MySQL cluster, selecting “Easy create” and accepting the default settings.
    • Navigate to the AWS Backup console of your managed AWS account, select Backup plans, and open Resource assignments for each configured plan to confirm that none of them covers the newly provisioned Aurora cluster.
    • After a few minutes, navigate to the AWS Config console of your managed AWS account. You should see an AWS Config rule prefixed with AURORA-RESOURCES_PROTECTED_BY_BACKUP_PLAN- that lists the new Aurora cluster as a noncompliant resource. That evaluation is the backup compliance finding produced by the control deployed through the pipeline.

