Your assumption is not entirely correct. Let me clarify how AWS Backup Vault Lock works with retention periods in compliance mode:
If you remove the minimum retention period and don't specify a maximum retention period when creating a Vault Lock in compliance mode, you're essentially not enforcing any specific retention constraints at the vault level. However, this doesn't mean that backups can be deleted as soon as their backup rule retention period expires.
In compliance mode, once the cooling-off period (grace period) ends, the Vault Lock becomes immutable and permanent. This means that no one, including the root user or AWS, can manage or remove the lock. The backups within this vault become write-once-read-many (WORM) and cannot be deleted by anyone until their individual retention periods expire.
The retention period for each backup is still determined by the backup rule configuration. However, even after this period expires, you cannot manually delete the backup. The system will automatically delete the backup only after its retention period has passed.
It's important to note that if you set a Vault Lock without specifying minimum or maximum retention periods, you're allowing any retention period to be set on individual backups. This could potentially lead to backups with very long or even indefinite ("forever") retention periods, which you won't be able to delete.
For better control and to align with your organization's data retention policies, it's generally recommended to set appropriate minimum and maximum retention periods when configuring a Vault Lock, especially in compliance mode. This ensures that all backups in the vault adhere to your desired retention range.
Sources
- AWS Backup Vault Lock - AWS Backup
- Protecting data with AWS Backup Vault Lock | AWS Storage Blog
- Job retention "Forever" in Compliance vault lock | AWS re:Post
Hi,
The min/max retention period configurations only act as guardrails to ensure that backups/recovery points created inside the vault will have an expiration between the specified min/max value. However, the actual lifespan of the backup/recovery point is determined by the lifecycle configuration on the recovery point itself.
For example, if you create a vault lock with a minimum retention of 3 days and a maximum of 5 days, and you try to create a backup with an expiration of 2 days or 6 days, the backup job will fail with the error "Backup job failed because the lifecycle is outside the valid range for backup vault".
On the other hand, if you do not specify any min/max retention period configuration, you can create recovery points with any lifespan. Irrespective of whether you specify min/max retention, the backups created inside a compliance-locked vault will be removed only as per their lifecycle configuration.
It's important to note that you cannot manually delete a recovery point in a compliance mode-enabled vault lock. Therefore, it is recommended to configure a lifecycle accordingly; otherwise the recovery points will never expire.
Thank you!
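The guardrail behaviour both answers describe (min/max retention as a window the job's lifecycle must fall into, and "Forever" recovery points that a compliance-locked vault can never delete) can be pre-checked before a job is submitted. The following is an added example, not code from the answers or from AWS; the `VaultLock` fields mirror the MinRetentionDays/MaxRetentionDays parameters of the real PutBackupVaultLockConfiguration API, the recovery-point dicts are constructed sample data shaped like ListRecoveryPointsByBackupVault items, and it assumes that a "Forever" lifecycle counts as exceeding any configured maximum.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Error text quoted in the answer above; AWS returns it when a job's
# lifecycle falls outside the vault lock's min/max window.
OUT_OF_RANGE = "Backup job failed because the lifecycle is outside the valid range for backup vault"


@dataclass(frozen=True)
class VaultLock:
    """Guardrail fields of a vault lock (names follow PutBackupVaultLockConfiguration)."""
    min_retention_days: Optional[int] = None   # None = no lower guardrail
    max_retention_days: Optional[int] = None   # None = no upper guardrail
    compliance_mode: bool = True               # True once the cooling-off period has ended


def check_lifecycle(lock: VaultLock, delete_after_days: Optional[int]) -> Tuple[bool, str]:
    """Decide whether a job with Lifecycle.DeleteAfterDays=delete_after_days would be
    accepted into the locked vault. delete_after_days=None means 'Forever'.
    Returns (accepted, reason)."""
    if delete_after_days is None:
        # Assumption: a 'Forever' lifecycle exceeds any configured maximum.
        if lock.max_retention_days is not None:
            return False, OUT_OF_RANGE
        if lock.compliance_mode:
            return True, "accepted, but can never be deleted: Forever in a compliance-locked vault"
        return True, "accepted"
    if lock.min_retention_days is not None and delete_after_days < lock.min_retention_days:
        return False, OUT_OF_RANGE
    if lock.max_retention_days is not None and delete_after_days > lock.max_retention_days:
        return False, OUT_OF_RANGE
    return True, "accepted"


def never_expiring(recovery_points: List[dict]) -> List[str]:
    """Return ARNs of recovery points with no DeleteAfterDays, i.e. the ones the
    answers warn will never expire inside a compliance-locked vault."""
    return [rp["RecoveryPointArn"] for rp in recovery_points
            if rp.get("Lifecycle", {}).get("DeleteAfterDays") is None]


# Constructed sample data, not real recovery points.
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-sample-1",
     "Lifecycle": {"DeleteAfterDays": 35}},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-sample-2"},
]

if __name__ == "__main__":
    guardrails = VaultLock(min_retention_days=3, max_retention_days=5)
    for days in (2, 4, 6, None):
        print(days, check_lifecycle(guardrails, days))
    print("never expire:", never_expiring(SAMPLE_RECOVERY_POINTS))
```

Running the audit against the real vault only needs the constructed list swapped for the `RecoveryPoints` returned by boto3's `list_recovery_points_by_backup_vault`.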