Rule: EBS Volumes Should Be Protected by a Backup Plan

This rule ensures that EBS volumes are safeguarded with a backup plan to prevent data loss.

Rule: EBS volumes should be protected by a backup plan
Framework: GxP EU Annex 11
Severity: High

Compliance Rule: EBS Volumes Backup for GxP EU Annex 11

Overview

The Good Manufacturing Practice (GMP) standards dictated by EU Annex 11 require that electronic records be protected against loss. In the context of Amazon Web Services (AWS), this involves ensuring that Elastic Block Store (EBS) volumes, used for storing data in the AWS cloud, are regularly backed up. Compliance with these standards is critical for maintaining the integrity and availability of electronic records, especially for companies in the pharmaceutical, healthcare, and life sciences sectors.

Detailed Backup Plan Requirements

Rule Description

EBS volumes containing GxP relevant data must be backed up consistently and automatically to prevent data loss and ensure data recovery capabilities. The following are the key components of a compliant backup plan:

  • Automated Snapshots: Implement automated snapshot policies that capture the state of EBS volumes at regular intervals.
  • Cross-Region Backup: Store backups in a separate geographic location from the source to ensure availability in the event of a regional failure.
  • Retention Policy: Define a data retention policy that keeps snapshots for the required duration to comply with GxP regulatory standards.
  • Backup Encryption: Ensure that the snapshots are encrypted using AES-256 encryption or an equivalent standard.
  • Documentation: Maintain documentation of the backup procedures and policies, including schedules, retention periods, and recovery processes.

Troubleshooting Steps for Backup Failures

If a backup plan is not in place or is failing, follow these steps:

  1. Verify Backup Schedules: Confirm that the automated backup schedules are configured correctly.
  2. Check IAM Permissions: Ensure that the IAM role responsible for backups has the necessary permissions.
  3. Monitor Backup Jobs: Regularly review AWS CloudWatch logs or the AWS Backup dashboard for backup job failures.
  4. Resolve Configuration Issues: Identify and resolve any misconfigurations in the backup plan.
  5. Validate Network Connectivity: Make sure the network connectivity permits snapshots to be copied to the backup region.
  6. Retention Policy Compliance: Check that snapshots are retained as per the GxP requirements.
  7. Test Recovery Process: Periodically perform a recovery test to ensure the backups are functional.

Necessary AWS CLI Commands

To create an automated backup policy with the necessary GxP compliance features, you can use AWS CLI commands:

Configure AWS Backup Vault with Encryption

aws backup create-backup-vault --backup-vault-name "GxPBackupVault" --encryption-key-arn "arn:aws:kms:<region>:<account-id>:key/<key-id>"

Create a Backup Plan

aws backup create-backup-plan --backup-plan '{"BackupPlanName":"GxPBackupPlan","Rules":[{"RuleName":"DailyBackup","TargetBackupVaultName":"GxPBackupVault","ScheduleExpression":"cron(0 0 * * ? *)","StartWindowMinutes":60,"CompletionWindowMinutes":360,"RecoveryPointTags":{"tag-key":"tag-value"},"Lifecycle":{"MoveToColdStorageAfterDays":30,"DeleteAfterDays":3650},"CopyActions":[{"DestinationBackupVaultArn":"arn:aws:backup:destination-region:account-id:backup-vault:destination-vault"}] }] }'

Assign Resources to the Backup Plan

aws backup create-backup-selection --backup-plan-id "<backup-plan-id>" --backup-selection '{"SelectionName":"GxPSelection","IamRoleArn":"arn:aws:iam::<account-id>:role/service-role/<role-name>","Resources":["arn:aws:ec2:<region>:<account-id>:volume/<volume-id>"]}'

Step-by-Step Backup Remediation Guide

  1. Create a Backup Vault
    • Use the provided AWS CLI command to create an encrypted backup vault.
  2. Define a Backup Plan
    • Craft a backup plan using the create-backup-plan command, which automates daily backups and sets up cross-region copying of snapshots following your region's requirements.
  3. Assign EBS Volumes
    • Define which EBS volumes will be included in the backup plan through the create-backup-selection command, specifying the volume ARNs.
  4. Enable Backup Monitoring
    • Monitor backup jobs through AWS CloudWatch and set up alerts for any issues.
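
To confirm the result of these steps, the following added example (not Cloud Defense's code) checks a backup plan for a schedule, retention and a cross-region copy, and lists volumes that no selection covers. It assumes JSON in the shape passed to the CLI commands above; the account ID, regions, volume IDs, the GxPCopyVault name and the min_retention_days threshold are constructed, and tag-based selections are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample data: account id, regions and volume ids are placeholders.
PLAN = json.loads("""{"BackupPlanName": "GxPBackupPlan", "Rules": [{
  "RuleName": "DailyBackup", "TargetBackupVaultName": "GxPBackupVault",
  "ScheduleExpression": "cron(0 0 * * ? *)",
  "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 3650},
  "CopyActions": [{"DestinationBackupVaultArn":
    "arn:aws:backup:eu-central-1:111122223333:backup-vault:GxPCopyVault"}]}]}""")
SELECTIONS = [{"SelectionName": "GxPSelection", "Resources": [
    "arn:aws:ec2:eu-west-1:111122223333:volume/vol-0aaa1111bbbb2222c"]}]
VOLUMES = ["arn:aws:ec2:eu-west-1:111122223333:volume/vol-0aaa1111bbbb2222c",
           "arn:aws:ec2:eu-west-1:111122223333:volume/vol-0ddd3333eeee4444f"]


def audit_plan(plan, source_region, min_retention_days):
    """Return findings for a backup plan document; an empty list means it passes."""
    rules = plan.get("Rules", [])
    findings = [] if rules else ["plan has no rules"]
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        if not rule.get("ScheduleExpression"):
            findings.append(f"{name}: no schedule, backups are not automated")
        # A missing DeleteAfterDays means recovery points never expire.
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if keep is not None and keep < min_retention_days:
            findings.append(f"{name}: retention {keep}d < {min_retention_days}d")
        # Vault ARN layout: arn:aws:backup:<region>:<account>:backup-vault:<name>
        regions = {c["DestinationBackupVaultArn"].split(":")[3]
                   for c in rule.get("CopyActions", [])}
        if not (regions - {source_region}):
            findings.append(f"{name}: no copy outside {source_region}")
    return findings


def unprotected_volumes(volume_arns, selections):
    """Volumes matched by no selection's Resources entry ('*' wildcards honoured)."""
    patterns = [p for s in selections for p in s.get("Resources", [])]
    return [v for v in volume_arns
            if not any(fnmatchcase(v, p) for p in patterns)]


if __name__ == "__main__":
    print(audit_plan(PLAN, "eu-west-1", 3650))
    print(unprotected_volumes(VOLUMES, SELECTIONS))
```

In the constructed data the plan passes, and the second volume is reported because only the first is named in the selection.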

By following these guidelines, businesses can ensure that their EBS volumes are backed up according to GxP EU Annex 11 standards, mitigating the risk of data loss and maintaining regulatory compliance.
