Building Ransomware Resilience with Elastio and AWS Backup Logically Air-Gapped Vault

By Eswar Nalamaru, Elastio, and Sabith Venkitachalapathy, AWS

Today’s large enterprises face significant cybersecurity risks, including ransomware and advanced threats that can compromise critical data. To protect against these, organizations need secure, isolated backups that can be quickly recovered. However, traditional methods for creating these backups are often too complex and expensive for large-scale use. This leaves many companies vulnerable to data loss and business disruptions. This blog post examines how AWS Backup’s logically air-gapped vault feature offers a practical solution for creating secure, scalable backups to enhance cyber-resilience.

The AWS Backup logically air-gapped vault is a highly secure storage construct that logically isolates backups and encrypts them using AWS-owned keys, providing an additional layer of protection. Furthermore, the vault’s integration with AWS Resource Access Manager (RAM) allows for easy and controlled sharing across multiple AWS accounts, enabling faster recovery times and minimizing Recovery Time Objectives (RTOs) while maintaining strict security measures.

AWS Backup logically air-gapped vaults significantly enhance recovery capabilities, but their effectiveness ultimately depends on the quality of the stored backups. In light of the recent surge in ransomware attacks, which have targeted backups in 94% of cases last year [Sophos], maintaining backup integrity has become more crucial than ever. By implementing Logically Air-Gapped Vaults, organizations can better protect their backups from potential corruption that might otherwise go undetected. This proactive approach ensures that the data remains reliable and usable when recovery is needed, potentially saving organizations from increased recovery costs and operational disruptions.

Many organizations face the challenge of confirming whether their immutable backups are clean and ready for recovery. Elastio addresses this urgent need by inspecting backup data for ransomware, ensuring that businesses always have a recent, verified, clean copy of their data for rapid restoration.

Elastio acts as a last layer of defense by ensuring that your backups are always reliable during ransomware attacks and that you always have a clean copy of the data. Previously, Elastio integrated with AWS Backup to protect your EC2 and EBS Recovery Points. With the new version of Elastio, you can scan your EC2, EBS, EFS, S3, and VMware Recovery Points. Further, it integrates with AWS Backup Restore Testing to monitor your Recovery Points in Logically Air-Gapped Vaults.

AWS Backup Logically Air-Gapped Vaults and Ransomware Recovery

To utilize Logically Air-Gapped Vaults, configure AWS Backup’s Backup Plans within your Workload Account to copy backups to the Logically Air-Gapped Vault. Once activated, the Backup Plan automatically transfers backups from the Local Vault to the Logically Air-Gapped Vault.

AWS Backup allows customers to share Recovery Points stored in Logically Air-Gapped Vaults with a designated Recovery Account. To enable cross-account access, use AWS Resource Access Manager (RAM) to share a Logically Air-Gapped Vault with other AWS accounts, including those across different organizations. This powerful sharing capability ensures that backups stored in the Logically Air-Gapped Vault can be swiftly and reliably restored from any authorized shared account, enhancing disaster recovery readiness and operational flexibility.

Logically Air-Gapped Vaults are encrypted using AWS-owned encryption keys, so Elastio cannot mount EC2 and EBS backups directly from a Logically Air-Gapped Vault. Recovery Points can therefore be scanned either before they are copied to the Logically Air-Gapped Vault or when they are restored from it.

How Elastio works with AWS Backup Logically Air-Gapped Vaults

Elastio offers flexible deployment options to cater to varying customer requirements, but two primary approaches are commonly used to inspect backups stored in AWS Backup Logically Air-Gapped Vaults.

Approach 1: Scan backups in the Workload Account before they reach the Logically Air-Gapped Vault 

Elastio can be deployed in the Workload Account to inspect backups before copying them to the Logically Air-Gapped Vault. This approach allows Elastio to detect ransomware earlier in the attack cycle, identifying threats in your data before they reach the Logically Air-Gapped Vault.

 

  1. AWS Backup creates a recovery point in an AWS Backup Vault for an Amazon EC2 instance in the AWS account.

  2. Recovery Point creation triggers Amazon EventBridge.

  3. A Lambda function is triggered on the event and checks whether the recovery point is tagged with “elastio:action=scan”.

  4. If the recovery point is tagged, the Lambda triggers Elastio scans.

Steps to protect backups before moving to Logically Air-Gapped Vaults:

  1. Deploy Elastio in the Workload account with a CloudFormation Template. 

  2. Deploy the CloudFormation Template in the workload accounts to add tags to AWS Backup Recovery Points. Note that this step is required to protect EC2 Recovery Points, as AWS Backup does not pass the metadata of the volumes to the Logically Air-Gapped Vaults. It will be challenging to correlate the volumes in the Elastio Console without this.

    • Go to CloudFormation in AWS and click “Create Stack with new resources.”

    • In Step 1, choose “Upload a template file”, upload the YAML file, and click Next.

    • In Step 2, give the stack a name, leave everything else at its default, and click Next.

    • In Step 3, leave everything default and click Next. In Step 4, acknowledge at the bottom of the screen and click “Submit.”

  3. Add “elastio:action=scan” in the source account AWS Backup Plan. 

    • Go to AWS Backups and click the “Create backup plan” button.

    • On the Backup Plan creation page, set a plan, and at the bottom of the page, add elastio:action=scan to the “Tags added to the recovery points – optional” section, as shown in the screenshot below. Click “Create Plan”.

    • Once the plan is created, all the recovery points created with this backup plan are automatically scanned by Elastio.

Elastio scans EC2 and EBS AWS Backup Recovery Points created by AWS Backup. To scan S3 and EFS Recovery points, Elastio scans the Recovery Points as part of a restore test plan.

Approach 2: Scan the backups within the Logically Air-Gapped Vault

Elastio can scan backups once they are stored in the Logically Air-Gapped Vault, offering a more centralized solution by inspecting backups from multiple workload accounts in one location.

By sharing the Logically Air-Gapped Vault with a Recovery Account through AWS Resource Access Manager (RAM), organizations can inspect backups as part of a Restore Test process, ensuring that recovery points are clean before restoration.

  1. AWS Backup creates a recovery point in a Local Vault for an Amazon EC2 instance in the AWS account.

  2. The recovery point is copied from the Local Vault to the Logically Air-Gapped Vault.

  3. The Logically Air-Gapped Vault is shared with the Recovery Account using AWS Resource Access Manager to perform Restore Testing. Detailed instructions on sharing the recovery points are available in the blog: Introducing AWS Backup logically air-gapped vault. 

  4. Perform a restore in the Recovery account via AWS Backup Restore Testing.

  5. An Amazon EventBridge event is triggered when the restore is completed.

  6. A Lambda function is triggered on the event and checks whether the recovery point is tagged with “elastio:restore-test=scan”.

  7. If the recovery point is tagged, the Lambda triggers Elastio scans.

  8. The scan results are sent back to AWS Backup restore testing.
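The tag check in both flows above can be sketched as follows. This is an added example, not Elastio's Lambda code: the event field names are assumptions modelled on AWS Backup EventBridge events, `get_tags` and `start_scan` are hypothetical injected hooks, and the sample events are constructed.

```python
# Illustrative tag gate for both flows; not Elastio's actual Lambda code.
# Event field names are assumptions modelled on AWS Backup EventBridge events.
SCAN_TAGS = {
    "Recovery Point State Change": ("elastio:action", "scan"),    # Approach 1
    "Restore Job State Change": ("elastio:restore-test", "scan"),  # Approach 2
}


def decide(event, get_tags):
    """Return (should_scan, reason). get_tags(arn) -> dict is injected so the
    example runs offline; in a Lambda it could wrap boto3's
    backup.list_tags(ResourceArn=arn)["Tags"]."""
    if event.get("source") != "aws.backup":
        return False, "not an AWS Backup event"
    key, value = SCAN_TAGS.get(event.get("detail-type"), (None, None))
    if key is None:
        return False, "unhandled detail-type"
    if event.get("detail", {}).get("status") != "COMPLETED":
        return False, "job not completed"
    arns = event.get("resources") or []
    if not arns:
        return False, "no recovery point ARN in event"
    try:
        tags = get_tags(arns[0]) or {}
    except Exception as exc:  # surface the failure so the gap is visible
        return False, f"tag lookup failed: {exc}"
    if tags.get(key) != value:  # exact, case-sensitive match
        return False, f"tag {key}={value} not present"
    return True, f"scan requested by {key}={value}"


def handler(event, get_tags, start_scan):
    """start_scan(arn) is a hypothetical hook standing in for the scan call."""
    ok, reason = decide(event, get_tags)
    if ok:
        start_scan(event["resources"][0])
    return {"scan": ok, "reason": reason}


# Constructed sample data (placeholder ARN).
RP_ARN = "arn:aws:ec2:us-east-1::snapshot/snap-0example"
CREATED = {"source": "aws.backup", "detail-type": "Recovery Point State Change",
           "resources": [RP_ARN], "detail": {"status": "COMPLETED"}}
RESTORED = {"source": "aws.backup", "detail-type": "Restore Job State Change",
            "resources": [RP_ARN], "detail": {"status": "COMPLETED"}}
TAGS = {RP_ARN: {"elastio:action": "scan"}}

if __name__ == "__main__":
    for ev in (CREATED, RESTORED):
        print(handler(ev, TAGS.get, print))
```

A recovery point tagged only with elastio:action=scan is scanned on creation but skipped in the restore-test flow, which is why each flow needs its own tag on the backup plan.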

 

Steps to protect backups in Logically Air-Gapped Vaults:

  1. Deploy Elastio in the Recovery account with a CloudFormation Template.

  2. Deploy the CloudFormation Template in the workload accounts to add tags to AWS Backup Recovery Points. Note that this step is required to protect EC2 Recovery Points, as AWS Backup does not pass the metadata of the volumes to the Logically Air-Gapped Vaults. It will be easier to correlate the volumes in the Elastio Console with this.

    • Go to CloudFormation in AWS and click “Create Stack with new resources.”

    • In Step 1, choose “Upload a template file”, upload the YAML file, and click Next.

    • In Step 2, give the stack a name, leave everything else at its default, and click Next.

    • In Step 3, leave everything default and click Next. In Step 4, acknowledge at the bottom of the screen and click “Submit.”

  3. Add “elastio:action=scan” in the source account AWS Backup Plan. 

    • Go to AWS Backup Console and click the “Create backup plan” button.

    • On the Backup Plan creation page, set a plan, and at the bottom of the page, add elastio:action=scan to the “Tags added to the recovery points – optional” section, as shown in the screenshot below. Click “Create Plan”.

    • Once the plan is created, all the recovery points created with this backup plan are automatically scanned by Elastio.

Elastio scans EC2 and EBS AWS Backup Recovery Points created by AWS Backup. To scan S3 and EFS Recovery points, Elastio scans the Recovery Points as part of a restore test plan.

  4. Deploy the CloudFormation template (CFN) to integrate Elastio with AWS Backup Restore Testing. This CFN allows Elastio to scan recovery points as the ransomware protection step of the restore testing process.

    • Go to CloudFormation in AWS and click “Create Stack with new resources.”

    • In Step 1, choose “Amazon S3 URL”, paste the link, and click “Next.”

    • In Step 2, give the stack a name, leave everything else at its default, and click Next.

    • In Step 3, leave everything default and click Next. In Step 4, acknowledge at the bottom of the screen and click “Submit.”

 

 

 

  5. Add “elastio:restore-test=scan” in the source account AWS Backup’s Backup Plan. Elastio automatically scans Recovery Points with these tags as part of restore testing.

    • Go to AWS Backup and click the “Create backup plan” button.

    • On the Backup Plan creation page, set a plan, and at the bottom of the page, add elastio:restore-test=scan to the “Tags added to the recovery points – optional” section, as shown in the screenshot below. Click “Create Plan”.

Once the plan is created, all the recovery points created with this backup plan are automatically scanned by Elastio.
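A check that the backup plan steps above took effect, as an added example that is not part of the original post or of Elastio's tooling: it audits a plan shaped like the output of boto3's backup.get_backup_plan()["BackupPlan"] for a copy action to the Logically Air-Gapped Vault and for the scan tags on recovery points. The vault ARN and sample plan are constructed.

```python
# Illustrative audit of an AWS Backup plan for the settings this post relies on.


def audit_plan(plan, lag_vault_arn, required_tags):
    """Return a list of (rule_name, problem); an empty list means the plan passes.

    plan follows the shape of boto3 backup.get_backup_plan()["BackupPlan"].
    """
    findings = []
    rules = plan.get("Rules") or []
    if not rules:
        findings.append(("<plan>", "plan has no rules"))
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        # 1. The rule must copy to the Logically Air-Gapped Vault.
        dests = {c.get("DestinationBackupVaultArn")
                 for c in rule.get("CopyActions") or []}
        if lag_vault_arn not in dests:
            findings.append((name, "no copy action to the logically air-gapped vault"))
        # 2. Recovery points must carry each scan tag; tag keys are case-sensitive.
        tags = rule.get("RecoveryPointTags") or {}
        for key, value in required_tags.items():
            if tags.get(key) != value:
                findings.append((name, f"recovery point tag {key}={value} missing"))
    return findings


# Constructed sample: placeholder account ID and vault name.
LAG_VAULT = "arn:aws:backup:us-east-1:111122223333:backup-vault:example-lag-vault"
SAMPLE_PLAN = {
    "BackupPlanName": "example-plan",
    "Rules": [
        {"RuleName": "daily", "TargetBackupVaultName": "Default",
         "RecoveryPointTags": {"elastio:action": "scan"},
         "CopyActions": [{"DestinationBackupVaultArn": LAG_VAULT}]},
        # Wrong-case tag key and no copy action: both are reported.
        {"RuleName": "weekly", "TargetBackupVaultName": "Default",
         "RecoveryPointTags": {"Elastio:Action": "scan"}},
    ],
}

if __name__ == "__main__":
    for rule, problem in audit_plan(SAMPLE_PLAN, LAG_VAULT, {"elastio:action": "scan"}):
        print(f"{rule}: {problem}")
```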

 

Conclusion

 

While AWS Backup Logically Air-Gapped Vaults provide secure storage, Elastio is the critical component that transforms this infrastructure into a truly resilient ransomware defense. By intelligently scanning and validating backups, Elastio enables organizations to confidently identify clean recovery points – a capability essential for effective cyber recovery. Without Elastio’s powerful ransomware protection technology, enterprises cannot know that their securely stored backups are usable recovery points, exposing organizations to the devastating impacts of ransomware attacks.