How do I configure an AWS Backup Vault Lock?


I want to configure an AWS Backup Vault Lock for my backup vault.

Resolution

AWS Backup Vault Lock is an optional feature of a backup vault. For more information, see AWS Backup Vault Lock.

Lock a backup vault using the console

To add a vault lock to your backup vault, complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults. Then, choose Backup Vault Lock.
  3. Under How vault locks work or Vault locks, choose + Create vault lock.
  4. Under Vault lock details, choose the backup vault to which you want your lock applied.
  5. Under Vault lock mode, choose Governance mode or Compliance mode. For more information on choosing your modes, see Vault lock modes.
  6. For Retention period, choose the minimum and maximum retention periods (maximum retention period is optional). Only backup jobs within the retention periods are successful.
    If you chose Compliance mode, then Vault lock start date is shown. A compliance mode vault lock has a cooling-off period from the creation of the vault lock until the vault and its lock become unchangeable. Choose a grace time for the duration of the cooling-off period. The period must be at least three days (72 hours).
    Important: After the grace time expires, the vault and its lock are immutable. They can't be changed or deleted by any user or by AWS.
  7. Choose Create vault lock.
  8. Enter confirm in the text box and check the box to add the vault lock.

If the steps have been completed successfully, then a Success banner appears at the top of the console.

Lock a backup vault programmatically

To configure an AWS Backup Vault Lock programmatically, use the PutBackupVaultLockConfiguration API.

To create a vault lock in governance mode, don't include the parameter ChangeableForDays. If the ChangeableForDays parameter is included, then the vault lock is created in compliance mode. For more information, see Lock a backup vault programmatically.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

The following are examples of using the put-backup-vault-lock-configuration API:

The following command locks the backup vault my_vault_to_lock1 with governance mode:

aws backup put-backup-vault-lock-configuration --backup-vault-name my_vault_to_lock1 --min-retention-days 1 --region us-east-1

The following command locks the vault my_vault_to_lock2 with compliance mode. The --changeable-for-days parameter is added to configure the grace time:

aws backup put-backup-vault-lock-configuration --backup-vault-name my_vault_to_lock2 --min-retention-days 1 --changeable-for-days 3 --region us-east-1
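The governance-versus-compliance rule above (mode is decided solely by whether ChangeableForDays is sent) is easy to get wrong in automation. This added example, which is not part of the AWS article, builds the request parameters for the boto3 put_backup_vault_lock_configuration call and enforces the page's constraints client-side before anything is sent; the max-not-less-than-min check is an added sanity check.

```python
# Added example (not from the AWS article): build the parameter dict for
# PutBackupVaultLockConfiguration and validate it before calling AWS Backup.

MIN_GRACE_DAYS = 3  # compliance-mode cooling-off period must be at least 72 hours


def build_vault_lock_config(vault_name, min_retention_days,
                            max_retention_days=None, changeable_for_days=None):
    """Return kwargs for boto3 backup.put_backup_vault_lock_configuration().

    Omitting changeable_for_days produces a governance-mode lock; supplying it
    produces a compliance-mode lock that becomes immutable after the grace time.
    """
    if max_retention_days is not None and max_retention_days < min_retention_days:
        # Sanity check added here: a window where max < min can never be satisfied.
        raise ValueError("MaxRetentionDays must not be less than MinRetentionDays")
    params = {"BackupVaultName": vault_name, "MinRetentionDays": min_retention_days}
    if max_retention_days is not None:
        params["MaxRetentionDays"] = max_retention_days  # optional upper bound
    if changeable_for_days is not None:
        if changeable_for_days < MIN_GRACE_DAYS:
            raise ValueError("ChangeableForDays must be at least 3 (72 hours)")
        params["ChangeableForDays"] = changeable_for_days
    return params


def lock_mode(params):
    """Mode the request will create, derived the same way AWS Backup decides it."""
    return "compliance" if "ChangeableForDays" in params else "governance"


if __name__ == "__main__":
    # To apply: boto3.client("backup").put_backup_vault_lock_configuration(**params)
    gov = build_vault_lock_config("my_vault_to_lock1", 1)
    comp = build_vault_lock_config("my_vault_to_lock2", 1, changeable_for_days=3)
    print(lock_mode(gov), gov)
    print(lock_mode(comp), comp)
```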

Determine if a vault is locked in compliance or governance mode using the console

To review the AWS Backup Vault Lock details using the console, do the following:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults. Then, choose Backup Vault Lock.
  3. The vault lock status is shown.

Determine if a vault is locked in compliance or governance mode programmatically

To review the AWS Backup Vault Lock details on a vault, use the DescribeBackupVault or ListBackupVaults API.

The following is an example for the DescribeBackupVault command:

aws backup describe-backup-vault --backup-vault-name s3Backup
{
    "BackupVaultName": "s3Backup",
    "BackupVaultArn": "arn:aws:backup:us-east-1:XXXXX5457:backup-vault:s3Backup",
    "EncryptionKeyArn": "arn:aws:kms:us-east-1:XXXXX5457:key/xxxxxxxxx-e4e294b5e1ff",
    "CreationDate": "2022-02-23T08:45:08.904000+00:00",
    "CreatorRequestId": "xxxxxxxxx-5903d602b45a",
    "NumberOfRecoveryPoints": 0,
    "Locked": true,
    "MinRetentionDays": 1,
    "LockDate": "2023-03-26T12:05:24.117000+01:00"
}

The following is an example for the ListBackupVaults command:

aws backup list-backup-vaults --region us-east-1
{
    "BackupVaultList": [
        {
            "BackupVaultName": "Vault100",
            "BackupVaultArn": "arn:aws:backup:us-east-1:XXXXXX15457:backup-vault:Vault100",
            "CreationDate": "2021-02-21T18:45:12.611000+00:00",
            "EncryptionKeyArn": "arn:aws:kms:us-east-1:XXXXX5457:key/xxxxxxxx-e4e294b5e1ff",
            "CreatorRequestId": "xxxxxxxx-8f3d5b584447",
            "NumberOfRecoveryPoints": 6,
            "Locked": true
        },
        {
            "BackupVaultName": "destinationvault",
            "BackupVaultArn": "arn:aws:backup:us-east-1:XXXXXXX15457:backup-vault:destinationvault",
            "CreationDate": "2022-10-03T22:56:44.129000+01:00",
            "EncryptionKeyArn": "arn:aws:kms:us-east-1:XXXXXXX15457:key/xxxxxxxxx-aa4f-48834efceebe",
            "CreatorRequestId": "xxxxxxxxxx-ea7cb20a2a01",
            "NumberOfRecoveryPoints": 5,
            "Locked": false
        },
        {
            "BackupVaultName": "s3Backup",
            "BackupVaultArn": "arn:aws:backup:us-east-1:XXXXXX5457:backup-vault:s3Backup",
            "CreationDate": "2022-02-23T08:45:08.904000+00:00",
            "EncryptionKeyArn": "arn:aws:kms:us-east-1:XXXXXXX5457:key/xxxxxxxxx-e4e294b5e1ff",
            "CreatorRequestId": "xxxxxxxxxx-5903d602b45a",
            "NumberOfRecoveryPoints": 0,
            "Locked": true,
            "MinRetentionDays": 1,
            "LockDate": "2023-03-26T12:05:24.117000+01:00"
        }
    ]
}

The preceding example output provides the following information:

  • The s3Backup and Vault100 vaults have a vault lock turned on because Locked is set to true.
  • The destinationvault vault doesn't have a vault lock turned on because Locked is set to false.
  • The s3Backup vault uses compliance mode because a LockDate is populated.
  • The Vault100 vault uses governance mode because it doesn't contain a LockDate.
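The four rules above can be applied mechanically to the JSON that list-backup-vaults prints. This added example, which is not part of the AWS article, classifies each vault and additionally flags a compliance lock whose LockDate is still in the future, which means the cooling-off period has not ended and the lock can still be changed; the sample output is constructed and the "newvault" entry is hypothetical.

```python
# Added example (not from the AWS article): classify vault lock state from the
# output of `aws backup list-backup-vaults`, using the article's rules:
# Locked=false -> no lock; LockDate present -> compliance; otherwise governance.
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the CLI output (ARNs and dates omitted).
# "newvault" is hypothetical: a compliance lock still inside its grace period.
SAMPLE_OUTPUT = json.dumps({"BackupVaultList": [
    {"BackupVaultName": "Vault100", "Locked": True},
    {"BackupVaultName": "destinationvault", "Locked": False},
    {"BackupVaultName": "s3Backup", "Locked": True, "MinRetentionDays": 1,
     "LockDate": "2023-03-26T12:05:24.117000+01:00"},
    {"BackupVaultName": "newvault", "Locked": True, "MinRetentionDays": 7,
     "LockDate": "2999-01-01T00:00:00+00:00"},
]})


def classify_vault(vault, now=None):
    """Return 'unlocked', 'governance', 'compliance' or 'compliance (grace period)'."""
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"  # lock present but no immutability date
    now = now or datetime.now(timezone.utc)
    # LockDate is the moment the lock becomes immutable; before it, still changeable.
    if datetime.fromisoformat(lock_date) > now:
        return "compliance (grace period)"
    return "compliance"


def audit_vaults(list_output_json, now=None):
    """Map vault name -> lock state for the JSON text printed by the CLI."""
    vaults = json.loads(list_output_json)["BackupVaultList"]
    return {v["BackupVaultName"]: classify_vault(v, now) for v in vaults}


def vaults_needing_attention(list_output_json, now=None):
    """Vaults whose backups are not yet immutable: unlocked, governance, or in grace."""
    return sorted(name for name, state in audit_vaults(list_output_json, now).items()
                  if state != "compliance")


if __name__ == "__main__":
    for name, state in audit_vaults(SAMPLE_OUTPUT).items():
        print(f"{name}: {state}")
    print("needs attention:", vaults_needing_attention(SAMPLE_OUTPUT))
```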

Related information

Enhance the security posture of your backups with AWS Backup Vault Lock

AWS account closure with a locked vault

AWS OFFICIAL
Updated a year ago