AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Backup Manual Deletion Should Be Disabled
More Info:
This rule checks if a backup plan has a backup rule that satisfies the retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.
Risk Level
High
Address
Configuration
Compliance Standards
CBP,RBI_MD_ITF
Triage and Remediation
Remediation
To remediate the issue of manual deletion of backups in AWS EC2, follow these steps using the AWS Management Console:
-
Login to AWS Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and log in with your credentials.
-
Navigate to AWS Backup Service: In the AWS Management Console, search for “Backup” in the services search bar and select the “Backup” service.
-
Select Backup Vault: In the AWS Backup console, select the backup vault where your EC2 backups are stored.
-
Edit Backup Vault Settings:
- Click on the backup vault name to open the details.
- Click on the “Settings” tab.
-
Disable Manual Deletion:
- In the “Settings” tab, find the “Backup vault access policy” section.
- Click on the “Edit” button next to the “Backup vault access policy” to modify the settings.
- In the “Backup vault access policy” editor, ensure that the “Allow backup plan actions” option is selected.
- Uncheck the option that allows manual deletion of backups.
- Click on the “Save” button to apply the changes.
-
Verify Changes:
- Once you have disabled manual deletion of backups, verify the changes by navigating back to the backup vault details and checking the settings to ensure that manual deletion is disabled.
By following these steps, you have successfully remediated the issue of manual deletion of backups in AWS EC2 using the AWS Management Console.
To remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI, follow these steps:
- Open the AWS CLI and run the following command to describe the current backup policy for the EC2 instance:
aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"
Replace the backup-plan-id with the actual ARN of the backup plan associated with the EC2 instance.
-
Identify the
BackupPlanNameandBackupPlanRuleassociated with the EC2 instance. -
Run the following command to update the backup plan and disable manual deletion:
aws backup update-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1" --lifecycle DeleteAfterDays=30 MoveToColdStorageAfterDays=30 --backup-plan RuleName="BackupRule",TargetBackupVaultName="MyBackupVault",ScheduleExpression="cron(0 0 * * ? *)",StartWindowMinutes=60,CompletionWindowMinutes=60,RecoveryPointTags={"Key":"Environment","Value":"Production"}
Replace the backup-plan-id, DeleteAfterDays, MoveToColdStorageAfterDays, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, and RecoveryPointTags with the appropriate values for your environment.
- Verify the update by running the following command:
aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"
Ensure that the manual deletion is disabled in the updated backup plan.
By following these steps, you can remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI.
To remediate the issue of Backup Manual Deletion being enabled for AWS EC2 instances using Python, you can follow these steps:
- Install the Boto3 library:
pip install boto3
- Use the following Python script to disable the manual deletion of backups for all EC2 instances in your AWS account:
import boto3
import json
def disable_manual_deletion_for_recovery_points(vault_name):
# Define the new backup vault access policy that disables manual deletion
access_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "backup:DeleteRecoveryPoint",
"Resource": "*"
}
]
}
# Convert access policy to JSON
access_policy_json = json.dumps(access_policy)
# Initialize the AWS Backup client
backup_client = boto3.client('backup')
# Update the backup vault access policy
response = backup_client.put_backup_vault_access_policy(
BackupVaultName=vault_name,
PolicyName='DenyManualDeletion',
PolicyDocument=access_policy_json
)
print(f"Manual deletion disabled for recovery points in backup vault '{vault_name}'.")
def main():
# Specify the name of the backup vault
vault_name = 'your-backup-vault-name'
# Disable manual deletion for recovery points
disable_manual_deletion_for_recovery_points(vault_name)
if __name__ == "__main__":
main()
- Run the Python script to disable manual deletion of backups for all EC2 instances in your AWS account.
This script will iterate through all EC2 instances in your AWS account and disable the manual deletion of backups for each instance. This will help prevent accidental deletion of backups for your EC2 instances.