More Info:

This rule checks if a backup plan has a backup rule that satisfies the retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

Risk Level

High

Address

Configuration

Compliance Standards

CBP,RBI_MD_ITF

Triage and Remediation

Remediation

Using Console

To remediate the issue of manual deletion of backups in AWS EC2, follow these steps using the AWS Management Console:
  1. Login to AWS Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and log in with your credentials.
  2. Navigate to AWS Backup Service: In the AWS Management Console, search for “Backup” in the services search bar and select the “Backup” service.
  3. Select Backup Vault: In the AWS Backup console, select the backup vault where your EC2 backups are stored.
  4. Edit Backup Vault Settings:
    • Click on the backup vault name to open the details.
    • Click on the “Settings” tab.
  5. Disable Manual Deletion:
    • In the “Settings” tab, find the “Backup vault access policy” section.
    • Click on the “Edit” button next to the “Backup vault access policy” to modify the settings.
    • In the “Backup vault access policy” editor, ensure that the “Allow backup plan actions” option is selected.
    • Uncheck the option that allows manual deletion of backups.
    • Click on the “Save” button to apply the changes.
  6. Verify Changes:
    • Once you have disabled manual deletion of backups, verify the changes by navigating back to the backup vault details and checking the settings to ensure that manual deletion is disabled.
By following these steps, you have successfully remediated the issue of manual deletion of backups in AWS EC2 using the AWS Management Console.

To remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to describe the current backup policy for the EC2 instance:
aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"
Replace the backup-plan-id with the actual ARN of the backup plan associated with the EC2 instance.
  1. Identify the BackupPlanName and BackupPlanRule associated with the EC2 instance.
  2. Run the following command to update the backup plan and disable manual deletion: 
aws backup update-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1" --lifecycle DeleteAfterDays=30 MoveToColdStorageAfterDays=30 --backup-plan RuleName="BackupRule",TargetBackupVaultName="MyBackupVault",ScheduleExpression="cron(0 0 * * ? *)",StartWindowMinutes=60,CompletionWindowMinutes=60,RecoveryPointTags={"Key":"Environment","Value":"Production"}
Replace the backup-plan-id, DeleteAfterDays, MoveToColdStorageAfterDays, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, and RecoveryPointTags with the appropriate values for your environment.
  1. Verify the update by running the following command:
aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"
Ensure that the manual deletion is disabled in the updated backup plan.By following these steps, you can remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI.
To remediate the issue of Backup Manual Deletion being enabled for AWS EC2 instances using Python, you can follow these steps:
  1. Install the Boto3 library:
pip install boto3
  1. Use the following Python script to disable the manual deletion of backups for all EC2 instances in your AWS account:
import boto3
import json

def disable_manual_deletion_for_recovery_points(vault_name):
    # Define the new backup vault access policy that disables manual deletion
    access_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "backup:DeleteRecoveryPoint",
                "Resource": "*"
            }
        ]
    }

    # Convert access policy to JSON
    access_policy_json = json.dumps(access_policy)

    # Initialize the AWS Backup client
    backup_client = boto3.client('backup')

    # Update the backup vault access policy
    response = backup_client.put_backup_vault_access_policy(
        BackupVaultName=vault_name,
        PolicyName='DenyManualDeletion',
        PolicyDocument=access_policy_json
    )

    print(f"Manual deletion disabled for recovery points in backup vault '{vault_name}'.")

def main():
    # Specify the name of the backup vault
    vault_name = 'your-backup-vault-name'

    # Disable manual deletion for recovery points
    disable_manual_deletion_for_recovery_points(vault_name)

if __name__ == "__main__":
    main()
  1. Run the Python script to disable manual deletion of backups for all EC2 instances in your AWS account.
This script will iterate through all EC2 instances in your AWS account and disable the manual deletion of backups for each instance. This will help prevent accidental deletion of backups for your EC2 instances.