Backup Manual Deletion Should Be Disabled
More Info:
This rule checks if a backup plan has a backup rule that satisfies the retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.Risk Level
HighAddress
ConfigurationCompliance Standards
CBP,RBI_MD_ITFTriage and Remediation
Remediation
Using Console
Using Console
To remediate the issue of manual deletion of backups in AWS EC2, follow these steps using the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and log in with your credentials.
- Navigate to AWS Backup Service: In the AWS Management Console, search for “Backup” in the services search bar and select the “Backup” service.
- Select Backup Vault: In the AWS Backup console, select the backup vault where your EC2 backups are stored.
-
Edit Backup Vault Settings:
- Click on the backup vault name to open the details.
- Click on the “Settings” tab.
-
Disable Manual Deletion:
- In the “Settings” tab, find the “Backup vault access policy” section.
- Click on the “Edit” button next to the “Backup vault access policy” to modify the settings.
- In the “Backup vault access policy” editor, ensure that the “Allow backup plan actions” option is selected.
- Uncheck the option that allows manual deletion of backups.
- Click on the “Save” button to apply the changes.
-
Verify Changes:
- Once you have disabled manual deletion of backups, verify the changes by navigating back to the backup vault details and checking the settings to ensure that manual deletion is disabled.
Using CLI
Using CLI
To remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI, follow these steps:Replace the Replace the Ensure that the manual deletion is disabled in the updated backup plan.By following these steps, you can remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI.
- Open the AWS CLI and run the following command to describe the current backup policy for the EC2 instance:
backup-plan-id with the actual ARN of the backup plan associated with the EC2 instance.-
Identify the
BackupPlanNameandBackupPlanRuleassociated with the EC2 instance. - Run the following command to update the backup plan and disable manual deletion:
backup-plan-id, DeleteAfterDays, MoveToColdStorageAfterDays, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, and RecoveryPointTags with the appropriate values for your environment.- Verify the update by running the following command:
Using Python
Using Python
To remediate the issue of Backup Manual Deletion being enabled for AWS EC2 instances using Python, you can follow these steps:
- Install the Boto3 library:
- Use the following Python script to disable the manual deletion of backups for all EC2 instances in your AWS account:
- Run the Python script to disable manual deletion of backups for all EC2 instances in your AWS account.