
Rule: EC2 Instances Should Be Protected by Backup Plan

This rule checks that every EC2 instance is covered by a backup plan. Monitor it continuously so that data can be recovered after loss, corruption or a destructive change.

Rule: EC2 instances should be protected by backup plan
Framework: FedRAMP Moderate Revision 4
Severity: Medium

EC2 Instances Backup Plan for FedRAMP Moderate Revision 4

Backup plans are critical for maintaining the integrity of data within Amazon EC2 instances, particularly for organizations that must comply with stringent federal standards such as FedRAMP Moderate Revision 4. Compliance with these standards ensures that sensitive government data is handled securely and resiliently.

Rule Details

This rule covers the implementation of a backup strategy for EC2 instances. Backups must run on a fixed schedule so that point-in-time recovery options exist and data loss is bounded by the backup interval. The plan should satisfy the FedRAMP Moderate baseline's contingency-planning controls, in particular CP-9 (Information System Backup) and CP-10 (Information System Recovery and Reconstitution), which exist to limit the impact of data loss on federal information systems.

Backup Strategy Requirements for FedRAMP Moderate Revision 4 (the baseline this rule checks against; use stricter values where your System Security Plan documents them):

  • Frequency of Backups: Back up EC2 instances at least daily, so that no more than 24 hours of data is exposed to a single failure; shorten the interval if the documented recovery point objective (RPO) requires it.
  • Retention Policy: Retain backups for a minimum of 90 days, and long enough that a compromise discovered late still has a clean restore point available.
  • Encryption: Protect backups at rest and in transit. EBS snapshots inherit the encryption state of their source volume, so an unencrypted volume yields an unencrypted snapshot; encrypt the volumes (or the backup vault) with a KMS key before relying on the backups.
  • Testing: Regularly restore from a backup to confirm integrity and that the restore completes within the recovery time objective (RTO).
  • Documentation: Document the backup process, including frequency, scope, retention, encryption and testing methods, so an assessor can trace each requirement to a control.

Troubleshooting Steps

If backups are not occurring as scheduled or are failing, follow these steps:

  1. Check the backup job status and error messages: DLM reports policy state and errors on the policy itself, AWS Backup records a status message on each failed job, and agent-based tools log to Amazon CloudWatch Logs.
  2. Verify that the AWS Identity and Access Management (IAM) role the backup service assumes trusts that service and has the snapshot, describe and tagging permissions it needs; a missing ec2:CreateTags permission is a common cause of silently failing snapshots.
  3. Ensure capacity is available: snapshot-based backups are not limited by volume space but are bounded by the per-region EBS snapshot quota, while agent-based tools need free space on their target.
  4. Review the Amazon Data Lifecycle Manager (DLM), AWS Backup or third-party backup configuration against the defined backup criteria (schedule, retention, target tags, encryption).
  5. For agent-based third-party backup tools only, examine network configurations and security groups to ensure they allow the backup traffic; EBS snapshots and AWS Backup recovery points are created through the AWS control plane and need no security-group rules.

Required CLI Commands and Code Snippets

To implement a backup plan for EC2 instances, AWS's Data Lifecycle Manager can be used to take scheduled EBS snapshots of tagged instances. Note that the AWS Config managed rule of the same name (ec2-resources-protected-by-backup-plan) evaluates coverage by an AWS Backup plan, so if that rule is what reports this finding, DLM snapshot policies alone will not make the instance compliant and you should assign it to an AWS Backup plan instead. The following AWS CLI commands create the permissions and the DLM lifecycle policy; the role named by [ROLE_NAME] must already exist with a trust policy that lets dlm.amazonaws.com assume it:

# Create an IAM policy for DLM permissions
aws iam create-policy --policy-name DLMBackupPermissions --policy-document file://DLMBackupPolicy.json

# Attach the policy to the required role or user
aws iam attach-role-policy --policy-arn arn:aws:iam::[AWS_ACCOUNT_ID]:policy/DLMBackupPermissions --role-name [ROLE_NAME]

# Create a DLM lifecycle policy
aws dlm create-lifecycle-policy --execution-role-arn arn:aws:iam::[AWS_ACCOUNT_ID]:role/[ROLE_NAME] --description "EC2 Backup Policy for FedRAMP" --state ENABLED --policy-details file://DLMPolicyDetails.json

In these commands, replace [AWS_ACCOUNT_ID] with your actual AWS account ID and [ROLE_NAME] with the role designated for managing backups. DLMBackupPolicy.json holds the IAM permissions the role is granted, and DLMPolicyDetails.json holds the lifecycle policy details (target tags, schedule, retention).

Step-by-Step Guide for Remediation

  1. Create IAM Policy and Role: Create an IAM policy granting the snapshot, describe and tagging permissions needed for lifecycle management, and a role whose trust policy allows dlm.amazonaws.com to assume it. Pass this role as the execution role when creating the DLM policy.

  2. Configure Backup Policy: Define a lifecycle policy that specifies the target tags, backup frequency and retention, and make sure the source volumes are encrypted so the resulting snapshots are too. Use AWS DLM to create and manage this policy.

  3. Validate Backup Configuration: After configuring the backup policy, confirm that snapshots are being taken on schedule by reviewing them in the AWS Management Console or listing them with the CLI; DLM tags each snapshot it creates with aws:dlm:lifecycle-policy-id, which makes the policy's snapshots easy to filter.

  4. Test Backups: Periodically restore an EC2 instance from its snapshots to ensure the recovery process meets the recovery time objective (RTO) and recovery point objective (RPO), and that the restored instance boots and serves its workload.

  5. Document Process: Document the entire backup and test process as per FedRAMP guidelines, including any issues encountered and their resolutions.
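The AWS Config managed rule ec2-resources-protected-by-backup-plan evaluates coverage by an AWS Backup plan rather than by DLM policies. As an added example (not from the original page), the script below expresses the same daily, 90-day, encrypted policy with AWS Backup and then performs the validation in step 3 offline by diffing the account's instance IDs against the resources AWS Backup reports as protected. The vault name FedRAMPVault, the plan and selection names, the tag Backup=FedRAMP and the environment variables KMS_KEY_ARN and BACKUP_ROLE_ARN are assumptions; the instance IDs and ARNs in demo_coverage are constructed sample data, not real account output.

```shell
#!/bin/sh
# Added example, not from the original page. AWS Backup plan + selection for EC2 and an
# offline coverage check. Only the "apply" path touches an AWS account.
set -e

# Backup plan: daily at 03:00 UTC (AWS Backup cron is UTC), recovery points expire after
# $2 days. EC2 has no continuous backup, so the RPO equals the schedule interval.
backup_plan_json() {
  vault=${1:-FedRAMPVault}; days=${2:-90}
  cat <<EOF
{
  "BackupPlanName": "ec2-fedramp-daily",
  "Rules": [{
    "RuleName": "daily-ec2",
    "TargetBackupVaultName": "$vault",
    "ScheduleExpression": "cron(0 3 * * ? *)",
    "StartWindowMinutes": 60,
    "CompletionWindowMinutes": 720,
    "Lifecycle": {"DeleteAfterDays": $days}
  }]
}
EOF
}

# Selection: every supported resource tagged $2=$3 is assigned to the plan. Resources "*"
# with a tag condition is the documented way to select by tag; narrow it with instance
# ARNs if only EC2 must be included.
backup_selection_json() {
  role_arn=$1; tag_key=${2:-Backup}; tag_value=${3:-FedRAMP}
  cat <<EOF
{
  "SelectionName": "ec2-tagged-${tag_key}",
  "IamRoleArn": "$role_arn",
  "Resources": ["*"],
  "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                  "ConditionKey": "$tag_key", "ConditionValue": "$tag_value"}]
}
EOF
}

# Coverage check: $1 is a newline-separated list of instance IDs, $2 a newline-separated
# list of protected-resource ARNs. Prints every instance ID that no ARN ends with.
unprotected_instances() {
  printf '%s\n' "$1" | while read -r id; do
    [ -n "$id" ] || continue
    printf '%s\n' "$2" | grep -q ":instance/$id\$" || echo "$id"
  done
}

# Constructed sample data (not real account output) so the check runs offline:
# three instances, two of them protected, so the second one should be reported.
demo_coverage() {
  unprotected_instances "i-0a1b2c3d4e5f60001
i-0a1b2c3d4e5f60002
i-0a1b2c3d4e5f60003" "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f60001
arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f60003"
}

apply() {
  : "${KMS_KEY_ARN:?set to the customer-managed KMS key ARN used to encrypt the vault}"
  : "${BACKUP_ROLE_ARN:?set to the IAM role AWS Backup assumes (trusts backup.amazonaws.com)}"
  # Vault encrypted with a customer-managed key: recovery points are encrypted at rest.
  aws backup create-backup-vault --backup-vault-name FedRAMPVault \
    --encryption-key-arn "$KMS_KEY_ARN"
  backup_plan_json FedRAMPVault 90 > plan.json
  plan_id=$(aws backup create-backup-plan --backup-plan file://plan.json \
    --query BackupPlanId --output text)
  backup_selection_json "$BACKUP_ROLE_ARN" Backup FedRAMP > selection.json
  aws backup create-backup-selection --backup-plan-id "$plan_id" \
    --backup-selection file://selection.json
  # Validation: instances in the region versus what AWS Backup reports as protected.
  instances=$(aws ec2 describe-instances \
    --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n')
  protected=$(aws backup list-protected-resources \
    --query 'Results[?ResourceType==`EC2`].ResourceArn' --output text | tr '\t' '\n')
  echo "Instances without a recovery point:"
  unprotected_instances "$instances" "$protected"
  # Troubleshooting: failed jobs carry the reason in StatusMessage.
  aws backup list-backup-jobs --by-state FAILED \
    --query 'BackupJobs[].[ResourceArn,StatusMessage]' --output table
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Note that list-protected-resources only reports resources that already have at least one recovery point, so a newly tagged instance shows as unprotected until its first scheduled job completes; run the check again after the start window has passed. The failed-job listing at the end is the quickest way to find the IAM or quota errors described under Troubleshooting Steps.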

Note: All CLI commands should be executed from an environment that has AWS CLI installed and configured with the appropriate permissions for managing EC2 instances and creating snapshots. Additionally, ensure all applicable regulatory and compliance guidelines are followed when setting up and managing backups for FedRAMP-controlled systems.
