AWS Introduces Logically Air-Gapped Vault for Enhanced Data Security
AWS recently announced the public preview of the AWS Backup logically air-gapped vault, a new vault type that can be shared for recovery with other accounts using AWS Resource Access Manager (RAM).
When restoring a service, customers often need to share recovery points stored in AWS Backup with other accounts, including accounts outside their own organization, so that the data can be restored directly rather than copied first. They also need the original AWS Key Management Service (AWS KMS) customer managed key (CMK) that encrypted the recovery point to still be available at restore time; if that key has been deleted, the recovery point cannot be restored. The new AWS Backup logically air-gapped vault addresses both needs: it is a vault type that can be shared for recovery with other accounts through AWS RAM.
A logically air-gapped vault holds immutable copies of recovery points: the vault is locked in compliance mode as soon as it is created, and its contents are encrypted with a KMS key owned by AWS Backup rather than with the customer's own CMK. Because the service owns the encryption key, an accidental or unwanted deletion of a customer managed key cannot make the copies in the vault unrestorable. The lock also means the retention bounds chosen at creation cannot be relaxed afterwards, so copies cannot be deleted early by a compromised or mistaken administrator. In addition, the vault simplifies sharing backup data with other accounts for restore purposes.
Aabith Venkitachalapathy, an enterprise solutions architect at AWS, writes:
Employing an AWS Backup owned KMS key to encrypt recovery points helps customers with accidental or unwanted deletions of customer managed keys.
Customers can use AWS RAM to share the vault with specific accounts, including accounts in other organizations, for faster direct restore. Once the vault is shared, the recipient account restores directly from the shared recovery points instead of first copying them into a vault of its own. This reduces operational overhead, shortens the time to recover from a data loss event, and avoids the cost of maintaining extra copies.
To create a new logically air-gapped vault in AWS Backup, users log in to the AWS Management Console, open the AWS Backup console, select "Create logically air-gapped vaults" from the Vaults menu, enter the required details (including the minimum and maximum retention period, which cannot be changed once the vault is locked), and then find the new vault under "Vaults owned by this account" using the "Search by vault name" filter. The vault can also be created with the AWS Backup API or the AWS CLI.
Create a vault to complete the logically air-gapped vault creation process (Source: AWS News blog post)
Once the logically air-gapped vault exists, users can copy an existing recovery point into it, or make it the destination of a copy action in an AWS Backup plan rule so that every scheduled backup is automatically copied into the air-gapped vault. Because the vault is locked, a copy is only accepted if its retention falls within the vault's minimum and maximum retention window.
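The following Python script is an added example, not code from AWS or from the blog posts cited above. It walks through the three steps described in this article (create the vault, route backup-plan copies into it, share it with a recovery account through AWS RAM) by building the exact request parameters the boto3 `backup` and `ram` clients expect, and it enforces the retention check a locked vault applies before any API call is made. The builder functions run offline; `apply()` only issues the calls when handed a boto3 session. The account IDs, vault and plan names, Region, and the `apply()` helper are constructed placeholders, and the 7-to-35-day retention window is an assumed policy, not a service default.

```python
"""Provision a logically air-gapped vault, route copies into it, and share it.

Added example (not AWS's code). Builder functions return request parameters for
the boto3 'backup' and 'ram' clients and run offline; apply() is the only part
that talks to AWS. All IDs, names and ARNs are constructed placeholders.
"""
from __future__ import annotations

from typing import Iterable

OWNER_ACCOUNT = "111122223333"   # constructed placeholder account ID
REGION = "us-east-1"             # assumed Region


def vault_arn(name: str, account_id: str = OWNER_ACCOUNT, region: str = REGION) -> str:
    """ARN of an AWS Backup vault; logically air-gapped vaults use the same form."""
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{name}"


def create_vault_params(name: str, min_days: int, max_days: int) -> dict:
    """Parameters for backup.create_logically_air_gapped_backup_vault().

    Both retention bounds are required. The vault is locked in compliance mode
    at creation, so the window cannot be relaxed later and the vault cannot be
    deleted while it still holds recovery points: get the numbers right first.
    (The service additionally enforces its own documented floor on MinRetentionDays.)
    """
    if min_days < 1 or max_days < min_days:
        raise ValueError("require 1 <= MinRetentionDays <= MaxRetentionDays")
    return {"BackupVaultName": name,
            "MinRetentionDays": min_days,
            "MaxRetentionDays": max_days}


def retention_fits_vault(delete_after_days: int | None, min_days: int, max_days: int) -> bool:
    """A locked vault fails copy jobs whose retention lies outside its window.
    A copy with no expiry (None) is retained indefinitely, which exceeds any
    finite maximum, so it is rejected as well."""
    if delete_after_days is None:
        return False
    return min_days <= delete_after_days <= max_days


def backup_plan_with_airgap_copy(plan_name: str, source_vault: str, airgap_vault_arn: str,
                                 schedule: str, copy_delete_after_days: int,
                                 vault_min_days: int, vault_max_days: int) -> dict:
    """BackupPlan document for backup.create_backup_plan() whose single rule
    copies each new recovery point into the air-gapped vault."""
    if not retention_fits_vault(copy_delete_after_days, vault_min_days, vault_max_days):
        raise ValueError(f"copy retention {copy_delete_after_days}d is outside the "
                         f"vault window [{vault_min_days}, {vault_max_days}] days")
    return {
        "BackupPlanName": plan_name,
        "Rules": [{
            "RuleName": "daily-with-airgap-copy",
            "TargetBackupVaultName": source_vault,          # primary copy stays here
            "ScheduleExpression": schedule,
            "Lifecycle": {"DeleteAfterDays": copy_delete_after_days},
            "CopyActions": [{
                "DestinationBackupVaultArn": airgap_vault_arn,
                "Lifecycle": {"DeleteAfterDays": copy_delete_after_days},
            }],
        }],
    }


def ram_share_params(share_name: str, airgap_vault_arn: str, principals: Iterable[str],
                     cross_organization: bool = False) -> dict:
    """Parameters for ram.create_resource_share(). Principals are the recovery
    account IDs. allowExternalPrincipals is only needed when a principal sits
    outside the owner's organization; leave it False otherwise so the share
    cannot be extended to arbitrary accounts later."""
    principals = list(principals)
    if not principals:
        raise ValueError("share the vault with at least one principal")
    return {"name": share_name,
            "resourceArns": [airgap_vault_arn],
            "principals": principals,
            "allowExternalPrincipals": cross_organization}


def apply(session, vault_params: dict, plan: dict, share: dict) -> dict:
    """Issue the three calls with a boto3 session (online only; placeholder helper)."""
    backup = session.client("backup")
    backup.create_logically_air_gapped_backup_vault(**vault_params)
    backup.create_backup_plan(BackupPlan=plan)
    return session.client("ram").create_resource_share(**share)


if __name__ == "__main__":
    vault = create_vault_params("airgap-prod", 7, 35)
    arn = vault_arn("airgap-prod")
    plan = backup_plan_with_airgap_copy("prod-daily", "Default", arn,
                                        "cron(0 5 ? * * *)", 14, 7, 35)
    share = ram_share_params("airgap-prod-share", arn, ["444455556666"],
                             cross_organization=True)
    print(vault, plan, share, sep="\n")
```

On the recipient side nothing needs to be copied: once the share is accepted, the account lists the shared vault's recovery points and starts a restore job against them directly. A copy that does not fit the vault's window is rejected locally by `backup_plan_with_airgap_copy()` before a plan is created, which is cheaper than discovering the failed copy jobs after the fact.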
In an AWS Storage blog post, the authors conclude:
The key benefits of using an AWS Backup logically air-gapped vault are that it can significantly decrease recovery time and operational overhead and streamline recovery testing by providing the ability to share the vault across organizations and accounts. Furthermore, it offers heightened protection by automatically locking the vault in compliance mode and preventing accidental deletion of encryption keys by encrypting the vault using an AWS-owned key. These benefits are especially relevant as ransomware remains top of mind and can be used for highly sensitive workloads.
Lastly, AWS Backup logically air-gapped vaults are available in selected AWS Regions; the AWS Backup documentation lists the Regions currently supported.