
πŸ“ AWS Backup Vault contains unencrypted Recovery Points 🟒

  • Contextual name: 📁 Vault contains unencrypted Recovery Points 🟒
  • ID: /ce/ca/aws/backup/vault-contains-unencrypted-recovery-points
  • Located in: 📁 AWS Backup

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Logic

Description

Ensure that all Recovery Points stored within an AWS Backup Vault are encrypted. AWS Backup provides centralized backup and recovery across AWS services, and because a recovery point is a complete copy of the protected resource, enforcing encryption on recovery points is a critical measure for protecting data at rest.

Rationale

Encrypting backup data is essential to protect sensitive information (such as application assets, customer records, and proprietary intellectual property) from unauthorized access. Unencrypted recovery points risk data breaches and can lead to regulatory fines or reputational damage.

Impact

An unauthorized user with access to the vault's storage location could restore unencrypted recovery points and inspect their contents directly.

Enabling encryption may incur additional charges for KMS key usage and management. The IAM role performing backup and restore operations must be permitted to use the specified KMS key, both in its own IAM policy and in the key policy.

Audit

This policy flags an AWS Backup Vault as INCOMPLIANT if at least one related AWS Backup Recovery Point is not encrypted with a KMS key, as indicated by an empty KMS Master Key ID field on the recovery point. A vault whose recovery points all carry a KMS key is COMPLIANT.
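The rule above, written out as a runnable check. This is an added example, not the page's policy.yaml or any Cloudaware code; the vault names, ARNs and account IDs are constructed, and the field names (`EncryptionKeyArn`, `IsEncrypted`) are those returned by the AWS Backup ListRecoveryPointsByBackupVault API. The pure `evaluate_vaults()` function runs offline on the sample data; `collect_from_aws()` shows how the same input would be gathered live with boto3.

```python
"""Audit check: a vault is INCOMPLIANT when at least one of its recovery points
carries no KMS key. Added example, not the page's policy.yaml; vault names,
ARNs and account IDs are made up."""
from typing import Dict, List, Optional

# Constructed sample data in the shape returned by boto3's
# backup.list_recovery_points_by_backup_vault() (field names real, values invented).
SAMPLE_VAULTS: Dict[str, List[dict]] = {
    "prod-vault": [
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-efs-1",
         "ResourceType": "EFS", "IsEncrypted": True,
         "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/0000-vault-key"},
        # EBS does not support independent encryption: an unencrypted source volume
        # yields an unencrypted snapshot, and the key field comes back empty.
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:snap-ebs-2",
         "ResourceType": "EBS", "IsEncrypted": False, "EncryptionKeyArn": ""},
    ],
    "dev-vault": [
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-ddb-3",
         "ResourceType": "DynamoDB", "IsEncrypted": True,
         "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/0000-vault-key"},
    ],
    "empty-vault": [],  # no recovery points at all: nothing to flag
}


def is_unencrypted(rp: dict) -> bool:
    """The page's criterion is an empty KMS key field. IsEncrypted is checked as
    well so that a point reporting IsEncrypted=False is never treated as compliant."""
    key_arn = (rp.get("EncryptionKeyArn") or "").strip()
    return key_arn == "" or rp.get("IsEncrypted") is False


def evaluate_vaults(vaults: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Map each vault name to its status and the ARNs of the offending recovery points."""
    report = {}
    for name, points in vaults.items():
        offenders = [rp["RecoveryPointArn"] for rp in points if is_unencrypted(rp)]
        report[name] = {
            "status": "INCOMPLIANT" if offenders else "COMPLIANT",
            "unencrypted": offenders,
        }
    return report


def collect_from_aws(region_name: Optional[str] = None) -> Dict[str, List[dict]]:
    """Live collection with boto3 (assumes AWS credentials in the environment;
    not exercised offline). Paginates every vault and every recovery point."""
    import boto3  # imported here so the offline part of the example has no dependency

    backup = boto3.client("backup", region_name=region_name)
    vaults: Dict[str, List[dict]] = {}
    for page in backup.get_paginator("list_backup_vaults").paginate():
        for vault in page["BackupVaultList"]:
            name = vault["BackupVaultName"]
            paginator = backup.get_paginator("list_recovery_points_by_backup_vault")
            vaults[name] = [
                rp for rp_page in paginator.paginate(BackupVaultName=name)
                for rp in rp_page["RecoveryPoints"]
            ]
    return vaults


if __name__ == "__main__":
    for vault, result in evaluate_vaults(SAMPLE_VAULTS).items():
        print(f"{vault}: {result['status']}", *result["unencrypted"])
```

Note that a vault with no recovery points is reported COMPLIANT, which follows the rule's "at least one" wording; if you want empty vaults surfaced separately, treat an empty list as a third state rather than folding it into COMPLIANT.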

Remediation

AWS Backup supports independent encryption for all fully managed resource types. Independent encryption lets you choose a distinct KMS key for your recovery points, separate from the source resource’s encryption. For example, you can back up an Amazon S3 bucket encrypted with SSE-S3 but store its recovery points under a customer-managed KMS key in your backup vault.

Resources Supporting Independent Encryption

Every backup vault is encrypted with a KMS key: the AWS managed key for AWS Backup unless you specify a customer managed key when the vault is created. The vault's key cannot be changed afterwards, so choose it before the first backup job runs. All recovery points stored in the vault for resource types that support independent encryption adopt the vault's KMS key, even if the original resource is unencrypted.

Resources Not Supporting Independent Encryption

For resource types not yet fully integrated with AWS Backup's independent encryption (e.g., RDS or EBS), recovery points inherit the encryption settings of the source resource, so an unencrypted source produces an unencrypted recovery point regardless of the vault's key. Review the service-specific documentation (e.g., Amazon EBS encryption) to enable encryption on the source resource itself.

IAM and KMS Permissions

Ensure the principal (role or user) executing backup and restore operations has the necessary KMS actions in its IAM policy. Confirm that the KMS key policy also grants that principal permission to use the key; both sides must allow the access. Without proper permissions, backup jobs can still report success while individual recovery point objects are silently skipped during backup or restore, leaving unnoticed data gaps.
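Two helpers for this remediation, added here as an example and not taken from AWS or Cloudaware: `create_encrypted_vault()` makes the live boto3 call that pins a customer managed key to a new vault, and `missing_actions()` checks a policy document (the role's identity policy, or the key policy when a principal ARN is given) for the KMS actions a backup job needs, so the silent-gap failure described above is caught before the first job runs. The ARNs, the sample policies and the list of required actions are assumptions to adapt to your account; the checker ignores Deny statements and Conditions, so an empty result is necessary but not sufficient.

```python
"""Remediation helpers: create a vault under a customer managed key, and verify
that the backup role is really granted the KMS actions it needs on that key.
Added example, not AWS or Cloudaware code; ARNs and the action list are assumed."""
import fnmatch
from typing import List, Optional

# KMS actions AWS Backup needs to write and restore recovery points under a
# customer managed key (assumed minimal set; confirm against the AWS Backup
# documentation for the resource types you protect).
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant",
)

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"

# Constructed identity policy on the backup role: it grants only part of what a
# job needs, the situation that yields "successful" jobs with missing objects.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": KEY_ARN},
]}

# Constructed key policy on the customer managed key, granting the role fully.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowBackupRoleToUseKey", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
     "Resource": "*"},
]}


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    # IAM action and resource matching is case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _principal_allowed(stmt: dict, principal_arn: str) -> bool:
    principal = stmt.get("Principal")
    entries = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
    account = principal_arn.split(":")[4]
    # The account root principal delegates to the caller's IAM policies, which
    # missing_actions() checks separately against the identity policy.
    return any(p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root")
               for p in entries)


def _statement_allows(stmt: dict, action: str, key_arn: str,
                      principal_arn: Optional[str]) -> bool:
    if stmt.get("Effect") != "Allow":
        return False
    if principal_arn is not None and not _principal_allowed(stmt, principal_arn):
        return False
    if not any(_glob(p, action) for p in _as_list(stmt.get("Action"))):
        return False
    return any(_glob(r, key_arn) for r in _as_list(stmt.get("Resource")))


def missing_actions(policy: dict, key_arn: str,
                    principal_arn: Optional[str] = None) -> List[str]:
    """Required actions that no Allow statement grants on key_arn. Pass
    principal_arn when checking a key policy. Deny statements and Conditions
    are ignored, so an empty result is necessary, not sufficient."""
    statements = _as_list(policy.get("Statement"))
    return [a for a in REQUIRED_KMS_ACTIONS
            if not any(_statement_allows(s, a, key_arn, principal_arn) for s in statements)]


def create_encrypted_vault(name: str, key_arn: str, region_name: Optional[str] = None) -> str:
    """Live call (assumes AWS credentials): create the vault under key_arn.
    The key is fixed for the vault's lifetime, so choose it before the first backup."""
    import boto3

    backup = boto3.client("backup", region_name=region_name)
    response = backup.create_backup_vault(BackupVaultName=name, EncryptionKeyArn=key_arn)
    return response["BackupVaultArn"]


if __name__ == "__main__":
    print("role policy lacks:", missing_actions(ROLE_POLICY, KEY_ARN))
    print("key policy lacks:", missing_actions(KEY_POLICY, KEY_ARN, principal_arn=ROLE_ARN))
```

Run against the sample policies, the role's identity policy is reported as lacking `kms:Encrypt`, `kms:ReEncryptFrom`, `kms:ReEncryptTo` and `kms:CreateGrant`, while the key policy grants everything; fix the role policy before pointing a backup plan at the vault. Because an existing vault's key cannot be changed, moving recovery points under a different key means creating a new vault with that key and copying the recovery points into it.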

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules | Policies | Flags
  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Backup.1] AWS Backup recovery points should be encrypted at rest | 1
  • 💼 Cloudaware Framework → 💼 Data Encryption | 32
  • 💼 FedRAMP High Security Controls → 💼 CP-9(8) Cryptographic Protection (M)(H) | 1
  • 💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | 1
  • 💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | 1
  • 💼 FedRAMP Moderate Security Controls → 💼 CP-9(8) Cryptographic Protection (M)(H) | 1
  • 💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | 1
  • 💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained | 1
  • 💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 4
  • 💼 NIST SP 800-53 Revision 5 → 💼 CP-9(8) System Backup _ Cryptographic Protection | 1
  • 💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention | 31