More Info:

This rule checks if a backup plan has a backup rule that satisfies the retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

Risk Level

High

Address

Configuration

Compliance Standards

CBP, RBI_MD_ITF

Remediation

Using Console

To remediate the issue of manual deletion of backups in AWS EC2, follow these steps using the AWS Management Console:

  1. Log in to the AWS Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and log in with your credentials.

  2. Navigate to AWS Backup Service: In the AWS Management Console, search for “Backup” in the services search bar and select the “Backup” service.

  3. Select Backup Vault: In the AWS Backup console, select the backup vault where your EC2 backups are stored.

  4. Edit Backup Vault Settings:

    • Click on the backup vault name to open the details.
    • Click on the “Settings” tab.
  5. Disable Manual Deletion:

    • In the “Settings” tab, find the “Backup vault access policy” section.
    • Click on the “Edit” button next to the “Backup vault access policy” to modify the settings.
    • In the “Backup vault access policy” editor, ensure that the “Allow backup plan actions” option is selected.
    • Uncheck the option that allows manual deletion of backups.
    • Click on the “Save” button to apply the changes.
  6. Verify Changes:

    • Once you have disabled manual deletion of backups, verify the changes by navigating back to the backup vault details and checking the settings to ensure that manual deletion is disabled.

By following these steps, you have successfully remediated the issue of manual deletion of backups in AWS EC2 using the AWS Management Console.

Using CLI

To remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI, follow these steps:

  1. Open the AWS CLI and run the following command to describe the current backup plan associated with the EC2 instance:

aws backup get-backup-plan --backup-plan-id "<backup-plan-id>"

Replace <backup-plan-id> with the identifier of the backup plan associated with the EC2 instance. The parameter takes the plan's ID (the value reported as BackupPlanId by `aws backup list-backup-plans`, which is also the last segment of the plan ARN, e.g. the "1" in arn:aws:backup:us-west-2:123456789012:backup-plan:1), not the full ARN.

  2. Identify the BackupPlanName and the backup rule (the entry under Rules) associated with the EC2 instance in the output.

  3. Run the following command to update the backup plan so that the rule keeps recovery points for the required retention period. The `update-backup-plan` command takes the whole plan definition through `--backup-plan`; the lifecycle settings belong inside the rule, so put the definition in a JSON file and reference it:

aws backup update-backup-plan --backup-plan-id "<backup-plan-id>" --backup-plan file://backup-plan.json

with backup-plan.json containing:

{
  "BackupPlanName": "<BackupPlanName from step 2>",
  "Rules": [
    {
      "RuleName": "BackupRule",
      "TargetBackupVaultName": "MyBackupVault",
      "ScheduleExpression": "cron(0 0 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 60,
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30,
        "DeleteAfterDays": 120
      },
      "RecoveryPointTags": {
        "Environment": "Production"
      }
    }
  ]
}

Replace the backup-plan-id, BackupPlanName, DeleteAfterDays, MoveToColdStorageAfterDays, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, and RecoveryPointTags with the appropriate values for your environment. If you use MoveToColdStorageAfterDays, DeleteAfterDays must be at least 90 days larger, because recovery points moved to cold storage must stay there for a minimum of 90 days; a plan with equal values (e.g. 30 and 30) is rejected by the API.

  4. Verify the update by running the following command:

aws backup get-backup-plan --backup-plan-id "<backup-plan-id>"

Confirm that the rule's Lifecycle in the output shows the intended retention values. A backup plan's lifecycle governs automatic expiry of recovery points; manual deletion of recovery points is controlled separately by the backup vault access policy, as shown in the Python section below.

By following these steps, you can remediate the issue of backup manual deletion being enabled for AWS EC2 instances using AWS CLI.
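The rule description at the top of this page evaluates backup frequency and retention rather than deletion rights. The following is an added example, written for this page and not part of the original or of AWS tooling: it evaluates a backup plan in the structure that `aws backup get-backup-plan` returns under "BackupPlan" against a maximum interval between backups and a minimum retention, and fails closed on schedule patterns it does not understand. The sample plan, rule names and thresholds are constructed.

```python
import re

UNKNOWN = float("inf")  # schedule pattern not understood: fail closed as non-compliant

def expand_hours(field):
    """Expand a cron hour field ('*', '*/6', '0/12', '2,14', '1-5') into the hours it fires."""
    hours = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = 0, 23
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start, end = int(base), (23 if step > 1 else int(base))
        hours.update(range(start, end + 1, step))
    return hours

def schedule_interval_hours(expr):
    """Longest gap (hours) between runs of rate(...) or a daily cron(...); other patterns -> UNKNOWN."""
    m = re.fullmatch(r"rate\((\d+) (minute|hour|day)s?\)", expr)
    if m:
        return int(m.group(1)) * {"minute": 1 / 60, "hour": 1, "day": 24}[m.group(2)]
    m = re.fullmatch(r"cron\((\S+) (\S+) (\S+) (\S+) (\S+) (\S+)\)", expr)
    if not m:
        return UNKNOWN
    minute, hour, dom, month, dow, _year = m.groups()
    # Only fixed-minute schedules that run every day of every month are evaluated here.
    if not minute.isdigit() or month != "*" or (dom, dow) not in {("*", "?"), ("?", "*")}:
        return UNKNOWN
    h = sorted(expand_hours(hour))
    return max([b - a for a, b in zip(h, h[1:])] + [24 - h[-1] + h[0]])  # wrap past midnight

def rule_is_compliant(rule, max_interval_hours, min_retention_days):
    """Fires at least as often as required and keeps points >= min_retention_days (no DeleteAfterDays = never expire)."""
    interval = schedule_interval_hours(rule["ScheduleExpression"])
    delete_after = rule.get("Lifecycle", {}).get("DeleteAfterDays")
    return interval <= max_interval_hours and (delete_after is None or delete_after >= min_retention_days)

def plan_is_compliant(plan, max_interval_hours, min_retention_days):
    """Compliant if the plan has at least one rule satisfying both the frequency and retention requirement."""
    return any(rule_is_compliant(r, max_interval_hours, min_retention_days) for r in plan["Rules"])

# Constructed sample in the shape `aws backup get-backup-plan` returns under "BackupPlan" (not real output).
SAMPLE_PLAN = {"BackupPlanName": "ec2-daily", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "MyBackupVault",
     "ScheduleExpression": "cron(0 0 * * ? *)", "Lifecycle": {"DeleteAfterDays": 30}},
    {"RuleName": "weekly", "TargetBackupVaultName": "MyBackupVault",
     "ScheduleExpression": "cron(0 3 ? * SUN *)", "Lifecycle": {"DeleteAfterDays": 365}},
]}
```

Against a requirement of one backup per day kept for 30 days the sample plan passes on its daily rule; raise the retention to 90 days and it fails, because the weekly rule is not evaluated (weekly schedules are treated as unknown) and the daily rule expires too early.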

Using Python

To disable manual deletion for backup recovery points, you can utilize Boto3, the AWS SDK for Python, to update the backup vault access policy. Here’s a Python script that demonstrates how to accomplish this:

import boto3
import json

def disable_manual_deletion_for_recovery_points(vault_name):
    # Define the new backup vault access policy that disables manual deletion
    access_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "backup:DeleteRecoveryPoint",
                "Resource": "*"
            }
        ]
    }

    # Convert access policy to JSON
    access_policy_json = json.dumps(access_policy)

    # Initialize the AWS Backup client
    backup_client = boto3.client('backup')

    # Update the backup vault access policy. The API takes the policy document
    # under the 'Policy' parameter; there is no separate policy-name parameter.
    response = backup_client.put_backup_vault_access_policy(
        BackupVaultName=vault_name,
        Policy=access_policy_json
    )

    print(f"Manual deletion disabled for recovery points in backup vault '{vault_name}'.")
    return response

def main():
    # Specify the name of the backup vault
    vault_name = 'your-backup-vault-name'

    # Disable manual deletion for recovery points
    disable_manual_deletion_for_recovery_points(vault_name)

if __name__ == "__main__":
    main()

Make sure to replace 'your-backup-vault-name' with the name of your backup vault. This script updates the access policy for the specified backup vault to deny the backup:DeleteRecoveryPoint action for all principals, effectively preventing manual deletion of recovery points.