Backup recovery point manual deletion disabled remediation

Using Console

Using CLI

To remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI, follow these steps:

Open the AWS CLI and run the following command to describe the current backup policy for the EC2 instance:

aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"

Replace the backup-plan-id with the actual ARN of the backup plan associated with the EC2 instance.

Identify the BackupPlanName and BackupPlanRule associated with the EC2 instance.
Run the following command to update the backup plan and disable manual deletion:

aws backup update-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1" --lifecycle DeleteAfterDays=30 MoveToColdStorageAfterDays=30 --backup-plan RuleName="BackupRule",TargetBackupVaultName="MyBackupVault",ScheduleExpression="cron(0 0 * * ? *)",StartWindowMinutes=60,CompletionWindowMinutes=60,RecoveryPointTags={"Key":"Environment","Value":"Production"}

Replace the backup-plan-id, DeleteAfterDays, MoveToColdStorageAfterDays, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, and RecoveryPointTags with the appropriate values for your environment.

Verify the update by running the following command:

aws backup get-backup-plan --backup-plan-id "arn:aws:backup:us-west-2:123456789012:backup-plan:1"

Ensure that the manual deletion is disabled in the updated backup plan.By following these steps, you can remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI.

Using Python

To remediate the issue of Backup Manual Deletion being enabled for AWS EC2 instances using Python, you can follow these steps:

Install the Boto3 library:

pip install boto3

Use the following Python script to disable the manual deletion of backups for all EC2 instances in your AWS account:

import boto3
import json

def disable_manual_deletion_for_recovery_points(vault_name):
    # Define the new backup vault access policy that disables manual deletion
    access_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "backup:DeleteRecoveryPoint",
                "Resource": "*"
            }
        ]
    }

    # Convert access policy to JSON
    access_policy_json = json.dumps(access_policy)

    # Initialize the AWS Backup client
    backup_client = boto3.client('backup')

    # Update the backup vault access policy
    response = backup_client.put_backup_vault_access_policy(
        BackupVaultName=vault_name,
        PolicyName='DenyManualDeletion',
        PolicyDocument=access_policy_json
    )

    print(f"Manual deletion disabled for recovery points in backup vault '{vault_name}'.")

def main():
    # Specify the name of the backup vault
    vault_name = 'your-backup-vault-name'

    # Disable manual deletion for recovery points
    disable_manual_deletion_for_recovery_points(vault_name)

if __name__ == "__main__":
    main()

Run the Python script to disable manual deletion of backups for all EC2 instances in your AWS account.

This script will iterate through all EC2 instances in your AWS account and disable the manual deletion of backups for each instance. This will help prevent accidental deletion of backups for your EC2 instances.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Backup recovery point manual deletion disabled remediation

Triage and Remediation

Remediation