Clarification: Deleting an AWS Backup Vault with a Backup Vault Lock in Compliance Mode

0

Question

If I want to delete my Backup Vault that has a compliance lock outside of the grace period to remove the lock, is the following understanding correct?

  1. I must disable new backups from being written to the vault. This involves:

    • Alter or remove all account-specific AWS Backup plans to stop writing to the vault.
    • Alter or remove any AWS Organization Backup Policies to stop writing to the vault.
    • Alter any automation to stop using the AWS CLI or SDK to write to the vault.
    • Alter or remove any AWS services from writing to the vault (e.g. a Lambda function triggered by some custom EventBridge role)
    • Instruct teams to stop writing on-demand backups to the vault.
    • If the vault is not in the AWS Organization management account, then enforcement of above requirements is possible via AWS Organization SCPs.
    • If the vault is in the management account, enforcement is possible by ensuring no IAM principals have an explicit ALLOW to create recovery points in their attached IAM policies that is not overruled by an explicit DENY. One exception is that the management account root user cannot be blocked by IAM policies.
  2. After completing the above, I must wait for all recovery points in the vault to reach the minimum retention age specified in the vault's policy. Once the minimum age is reached, I can delete the recovery points manually or, if a maximum age was specified, wait for them to automatically be deleted when they reach their maximum age. Once the vault is empty, I can delete the backup vault.

  3. If a new recovery point is inadvertently written to the vault, it will effectively "reset the clock" of the waiting period to delete the vault, since it will be subject to the vault lock's minimum retention period and, per documentation below, vaults can only be deleted when empty.

References

  • (Delete a backup vault): To guard against accidental or malicious mass deletion, you can delete a backup vault in AWS Backup only after you delete (or your backup plan lifecycles) all the recovery points in your backup vault.Any backup vault, with our without a compliance lock, cannot be deleted if it has recovery points that have not been manually deleted or automatically deleted by a backup retention policy.

  • AWS Backup Vault Lock: When a lock is active in Compliance mode and the grace time is over, the vault configuration cannot be altered or deleted by a customer, account/data owner, or AWS. Each vault can have one vault lock in place.

asked 7 months ago562 views
1 Answer
1

Hello.

If the grace period has expired, you will probably not be able to delete a vault with vault lock enabled.
https://repost.aws/knowledge-center/backup-delete-vault-lock

A vault lock with compliance mode has a grace time period. To delete a vault lock with compliance mode, you must delete the lock before the grace time expires. After the grace time is expired, the vault and its lock are immutable. No user or service can change it. If you try to delete the vault lock after the grace time period, you receive an InvalidRequestException error.

profile picture
EXPERT
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions