By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How to store copies of AWS backups that are not accessible from AWS organisation root account

0

For historical reasons, I have an AWS organisation where AWS Backups are created for critical workloads in the organisation root account. I currently replicate these backups to another dedicated AWS account for backups (using AWS Backup copy function). I would like to protect these backup copies against a compromise of the organisation root account (e.g. if the root account is compromised, there should be no way for the attacker to delete both the original backup and the copy in the child account).

Is that even feasible?

  • My organisations has all features enabled, and it seems we can't go back and disable that once enabled.
  • I thus cannot delete the AWSServiceRoleForOrganizations role in the backup account, nor the AWSServiceRoleForSSO role, which in particular allow to easily gain access to the backup account through SSO.
  • I also tried removing my backup account from the organisation but the AWS Backup copy job no longer works in that case.

Any guidance would be greatly appreciated

1 Answer
0

One option is to use Glacier Vault Lock. It allows you to apply compliance policies on the backed up data: https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions