How is a legal hold different from AWS Backup Vault Lock?

2 minuto de leitura
0

I want to understand the differences between a legal hold and a vault lock.

Resolution

A legal hold provides protection for AWS Backup recovery points. To create a legal hold, there must be existing recovery points.

AWS Backup Vault Lock provides protection for backup vaults. A vault lock is an additional layer of defense that protects recovery points in your backup vaults from inadvertent or malicious deletions. You can lock a backup vault for each of your vaults in AWS Backup.

The following are features of a legal hold:

  • A legal hold provides additional protection against deleting individual recovery points.
  • Deletion of recovery points is blocked for the AWS Backup console, AWS Command Line Interface (AWS CLI), and APIs.
  • Lifecycle transitions to cold storage proceed as expected, but transition to deletion is blocked.
  • When recovery points are under a legal hold, altering or modifying recovery points is postponed until the hold is released.
  • The option to disassociate a recovery point from AWS Backup and release control to a source AWS service is blocked. This is because the source service might have control over deleting disassociated recovery points.
  • AWS Identity and Access Management (IAM) identities who have the required IAM permissions can remove legal holds.

The following are features of AWS Backup Vault Lock:

  • A vault lock provides additional protection and immutability to a vault.
  • Deletion of recovery points is blocked for the AWS Backup console, AWS Command Line Interface (AWS CLI), and APIs.
  • If a vault lock is activated on the vault, then you can't alter or modify recovery points.
  • A vault lock uses the WORM (write-once, read-many) configuration for all the backups that you create and store in a backup vault.
  • A vault lock enforces retention periods that prevent early deletions by privileged users, such as the AWS account root user.
  • Whether you can remove the vault lock depends on the vault lock mode. If you use governance mode for your vault lock, then IAM identities who have the required permissions can remove the vault lock. If you use compliance mode, then no user can alter or delete the vault lock, nor can AWS Support.
AWS OFICIAL
AWS OFICIALAtualizada há 10 meses