Resolution
----------

A [legal hold](https://docs.aws.amazon.com/aws-backup/latest/devguide/legalhold.html) provides protection for AWS Backup recovery points. To [create a legal hold](https://docs.aws.amazon.com/aws-backup/latest/devguide/legalhold.html#legalhold-creation), there must be existing recovery points.

[AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) provides protection for backup vaults. A vault lock is an additional layer of defense that protects recovery points in your backup vaults from inadvertent or malicious deletions. You [can lock a backup vault](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html#lock-backup-vault-console) for each of your vaults in AWS Backup.

The following are features of a legal hold:

*   A legal hold provides additional protection against deleting individual recovery points.
*   Deletion of recovery points is blocked for the AWS Backup console, AWS Command Line Interface (AWS CLI), and APIs.
*   Lifecycle transitions to cold storage proceed as expected, but transition to deletion is blocked.
*   When recovery points are under a legal hold, altering or modifying recovery points is postponed until the hold is released.
*   The option to [disassociate](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DisassociateRecoveryPoint.html) a recovery point from AWS Backup and release control to a source AWS service is blocked. This is because the source service might have control over deleting disassociated recovery points.
*   AWS Identity and Access Management (IAM) identities who have the required IAM permissions can remove legal holds.

The following are features of AWS Backup Vault Lock:

*   A vault lock provides additional protection and immutability to a vault.
*   Deletion of recovery points is blocked for the AWS Backup console, AWS Command Line Interface (AWS CLI), and APIs.
*   If a vault lock is activated on the vault, then you can't alter or modify recovery points.
*   A vault lock uses the WORM (write-once, read-many) configuration for all the backups that you create and store in a backup vault.
*   A vault lock enforces retention periods that prevent early deletions by privileged users, such as the AWS account root user.
*   Whether you can remove the vault lock [depends on the vault lock mode](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html#backup-vault-lock-modes). If you use governance mode for your vault lock, then IAM identities who have the required permissions can remove the vault lock. If you use compliance mode, then no user can alter or delete the vault lock, nor can AWS Support.

I want to understand the differences between a legal hold and a vault lock.

Differences between a legal hold and an AWS Backup Vault Lock

How is a legal hold different from AWS Backup Vault Lock?

Storage

Recovering a VMware Cloud on AWS VM backup to EC2 using AWS Backup

How do I remove an AWS Backup Vault Lock?

How do I migrate an Amazon RDS continuous backup recovery point from a backup vault that's locked in Compliance mode?

How do I configure an AWS Backup Vault Lock?

How do I delete a recovery point from a backup vault in AWS Backup?

Efficiencies with Backup Vaults for AWS Backups

Import existing Backup Vault with Vault lock in  Cloudformation stack

Clarification: Deleting an AWS Backup Vault with a Backup Vault Lock in Compliance Mode

S3 Object Lock Legal Holds vs. Retention Period

AWS Backup, backup vault underlying storage

How is a legal hold different from AWS Backup Vault Lock?

Resolution

Relevant content