Rule: EBS Volumes Protected by Backup Plan

This rule ensures EBS volumes have a backup plan for protection.

Rule: EBS volumes should be protected by a backup plan
Framework: FedRAMP Moderate Revision 4
Severity: High

EBS Volumes Backup Plan for FedRAMP Moderate Revision 4

AWS Elastic Block Store (EBS) volumes house essential data for many applications running on EC2 instances. As per FedRAMP Moderate Revision 4, it's crucial to have robust backup strategies to ensure data resiliency and recovery. Here we detail the backup plan requirements and steps to ensure compliance with FedRAMP standards.

Backup Plan Requirements

FedRAMP Moderate Revision 4 mandates that EBS volumes be backed up regularly and that the backup data be encrypted. The recovery point objective (RPO) and recovery time objective (RTO) should comply with the agency’s requirements.

Rule Details

  • EBS volumes must be backed up regularly
  • Backups must be encrypted using AWS KMS keys
  • Backup retention policy should be defined
  • Test recovery procedure regularly
  • Logs and reports must be generated and reviewed

Backup Strategies

Using AWS Backup

AWS Backup is a managed backup service that supports EBS volumes:

  1. Log in to the AWS Management Console.
  2. Navigate to AWS Backup.
  3. Create a new backup plan.
    • Define a backup rule, schedule, and retention period.
    • Select the appropriate KMS encryption key.
  4. Assign resources by creating a resource assignment.
  5. Monitor backups from the AWS Backup Dashboard.

Using Amazon Data Lifecycle Manager

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose ‘Lifecycle Manager’.
  3. Click on ‘Create snapshot lifecycle policy’.
  4. Set the policy details including tags, schedule, retention, and encryption with KMS keys.
  5. Confirm and create the policy.

Troubleshooting

If backups are failing, check the following:

  • Proper IAM roles and permissions are set.
  • KMS key policies allow AWS Backup or Lifecycle Manager to use the key.
  • Network configuration does not restrict access to backup endpoints.
  • AWS service limits are not exceeded.
  • Adequate free space is available in the S3 bucket used for storing snapshots.

Remediation Steps

If you do not have a backup plan in place:

  1. Verify your user has necessary permissions.
  2. Choose an AWS backup service.
  3. Configure a backup plan with encryption and proper RPO/RTO.
  4. Ensure logging and monitoring are configured.

CLI Commands

To create an EBS snapshot:

aws ec2 create-snapshot \
  --volume-id vol-1234567890abcdef0 \
  --description "Snapshot description" \
  --tag-specifications 'ResourceType=snapshot,Tags=[{Key=your-key,Value=your-value}]' \
  --query SnapshotId \
  --output text

To automate backup creation:

aws backup create-backup-plan \
  --backup-plan '{"BackupPlanName": "MyBackupPlan","Rules": [{"RuleName": "DailyBackups","TargetBackupVaultName": "MyBackupVault","ScheduleExpression": "cron(0 12 * * ? *)","StartWindowMinutes": 60,"CompletionWindowMinutes": 120,"RecoveryPointTags": {"Key": "Value"},"Lifecycle": {"MoveToColdStorageAfterDays": 30,"DeleteAfterDays": 365},"CopyActions": [{"DestinationBackupVaultArn": "arn:aws:backup:us-east-1:123456789012:vault:MyDestinationBackupVault"}]}]}'

Ensure that the usage of CLI commands complies with your organization's policies and permissions set by IAM roles before execution.
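
To check the rule itself rather than only create backups, the following Python check (an added example, not code from this page or from AWS) evaluates saved output of `aws ec2 describe-volumes` and `aws backup list-protected-resources` and reports volumes with no recovery point, a stale backup, or no encryption. The sample data is constructed; the 24-hour RPO and ISO 8601 timestamps are assumptions, and snapshots created only by Data Lifecycle Manager do not appear in the AWS Backup listing.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like the JSON printed by
# `aws ec2 describe-volumes` and `aws backup list-protected-resources`.
ARN = "arn:aws:ec2:us-east-1:123456789012:volume/"
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "Encrypted": True},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "Encrypted": True},
    {"VolumeId": "vol-0ccccccccccccccc3", "Encrypted": False},
    {"VolumeId": "vol-0ddddddddddddddd4", "Encrypted": True},
]}
PROTECTED = {"Results": [
    {"ResourceArn": ARN + "vol-0aaaaaaaaaaaaaaa1", "ResourceType": "EBS",
     "LastBackupTime": "2024-05-02T12:05:00+00:00"},
    {"ResourceArn": ARN + "vol-0bbbbbbbbbbbbbbb2", "ResourceType": "EBS",
     "LastBackupTime": "2024-04-28T12:05:00+00:00"},
    {"ResourceArn": ARN + "vol-0ccccccccccccccc3", "ResourceType": "EBS",
     "LastBackupTime": "2024-05-02T12:05:00+00:00"},
]}


def audit(volumes, protected, now, rpo=timedelta(hours=24)):
    """Return {volume_id: [findings]} for volumes that fail the rule."""
    last_backup = {}
    for res in protected["Results"]:
        if res.get("ResourceType") == "EBS":
            vol_id = res["ResourceArn"].rsplit("/", 1)[-1]
            ts = res.get("LastBackupTime")
            last_backup[vol_id] = datetime.fromisoformat(ts) if ts else None
    findings = {}
    for vol in volumes["Volumes"]:
        vol_id, issues = vol["VolumeId"], []
        if vol_id not in last_backup:
            issues.append("no recovery point in AWS Backup")
        elif last_backup[vol_id] is None or now - last_backup[vol_id] > rpo:
            issues.append("last backup older than RPO")
        if not vol.get("Encrypted", False):
            # A snapshot inherits the encryption state of its source volume.
            issues.append("volume unencrypted, so its snapshots are too")
        if issues:
            findings[vol_id] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 2, 13, 0, tzinfo=timezone.utc)  # fixed for the sample
    for vol_id, issues in audit(VOLUMES, PROTECTED, now).items():
        print(vol_id, "FAIL:", "; ".join(issues))
```

To run it against a real account, load the two JSON documents from the CLI output in place of the constructed samples and pass the current UTC time as `now`.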

In conclusion, adherence to these guidelines will help ensure your AWS EBS volumes are protected according to FedRAMP Moderate requirements, which can enhance your organization's data resilience. Regularly review and test your backup processes to maintain compliance and data integrity.
