aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[FEATURE] SRA Org Backup #225

Open lorodoes opened 2 months ago

lorodoes commented 2 months ago

Community Note

**Problem:** Currently, backup responsibilities are delegated to customers, Solution Architects (SA), or operations teams, leading to potential errors or omissions. Integrating a standardized backup strategy into the SRA (Security Reference Architecture) design is essential.

**Solution:** Implement AWS Backup Service Control Policies (SCP) at the root level, account level, or Organizational Unit (OU) level. This approach ensures that each account adheres to a consistent backup policy, leveraging appropriate tagging and AWS recommended backup solutions and schedules.

**Key steps:**

- Tagging Strategy:
  - Define tags such as `Key: Backup, Value: Daily`, `Key: Backup, Value: Weekly`, `Key: Backup, Value: Monthly`.
  - Each tag corresponds to a specific backup plan that appropriately backs up the associated resources.
  - The backup plans for Daily have a retention period of a week, weekly backups retention is a month, and monthly backups are a year.
- Centralized Backup Management:
  - Implement a centralized backup vault account. Similar to logging or audit accounts, this account would serve a single purpose with tightly controlled access.
  - Ensure backups from member accounts are copied to this central vault.
- Metadata Preservation:
  - Ensure snapshots and AMIs in both member and central vaults retain all resource metadata tags, facilitating complete resource restoration if needed.
- Automated Vault Creation:
  - Use Terraform to create backup vaults in member accounts at the time of account creation.
  - Apply the backup policy via SCP to utilize these vaults.
- Role Management:
  - Use the default IAM role `service-role/AWSBackupDefaultServiceRole` for backup operations. This role, created during account setup, aligns with AWS best practices and will automatically receive updates for any additional service needs in the future.

By adopting this strategy, we ensure consistent, automated, and reliable backups across all accounts, minimizing the risk of human error and enhancing overall data protection.
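The tag-driven scheme proposed above (one plan per `Backup` tag value, a week/month/year retention ladder, every recovery point copied to a central vault, the default `AWSBackupDefaultServiceRole`) can be expressed as a single AWS Organizations backup policy document. The following Python is an added example, not code from this repository or from the issue author: it generates that document in the Organizations backup-policy syntax (`plans`, `rules`, `selections`, `copy_actions`, the `@@assign` operator and the `$account` variable) so it can be reviewed and attached with `aws organizations create-policy --type BACKUP_POLICY`. The cron schedules, the backup-window minutes, the plan and vault names, and the central account id `111111111111` are assumptions and placeholders, not values from the issue.

```python
"""Generate an AWS Organizations backup policy for a tag-driven
Daily/Weekly/Monthly backup scheme (added example, not project code)."""
import json

# Retention ladder from the issue: a week, a month, a year (in days).
RETENTION_DAYS = {"Daily": 7, "Weekly": 30, "Monthly": 365}

# AWS Backup schedule expressions; the exact times are an assumption.
SCHEDULES = {
    "Daily": "cron(0 5 ? * * *)",     # 05:00 UTC every day
    "Weekly": "cron(0 5 ? * SUN *)",  # 05:00 UTC every Sunday
    "Monthly": "cron(0 5 1 * ? *)",   # 05:00 UTC on the 1st of each month
}

# $account is resolved by Organizations to the account the policy applies to,
# so the default service role is referenced without hard-coding account ids.
DEFAULT_ROLE = "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"


def _assign(value):
    """Wrap a value in the {"@@assign": ...} operator used by Organizations policies."""
    return {"@@assign": value}


def build_backup_policy(regions, central_vault_arn,
                        member_vault_name="sra-backup-vault", tag_key="Backup"):
    """Return one plan per tag value; each plan selects resources by tag,
    stores recovery points in the member-account vault and copies them to
    the central vault with the same retention."""
    plans = {}
    for tag_value, days in RETENTION_DAYS.items():
        lifecycle = {"delete_after_days": _assign(str(days))}
        plans[f"sra-{tag_value.lower()}"] = {
            "regions": _assign(list(regions)),
            "rules": {
                tag_value: {
                    "schedule_expression": _assign(SCHEDULES[tag_value]),
                    "start_backup_window_minutes": _assign("60"),
                    "complete_backup_window_minutes": _assign("1440"),
                    "lifecycle": lifecycle,
                    "target_backup_vault_name": _assign(member_vault_name),
                    # Copy to the tightly controlled central vault account.
                    "copy_actions": {
                        central_vault_arn: {
                            "target_backup_vault_arn": _assign(central_vault_arn),
                            "lifecycle": dict(lifecycle),
                        }
                    },
                }
            },
            "selections": {
                "tags": {
                    "by-backup-tag": {
                        "iam_role_arn": _assign(DEFAULT_ROLE),
                        "tag_key": _assign(tag_key),
                        "tag_value": _assign([tag_value]),
                    }
                }
            },
        }
    return {"plans": plans}


def retention_for(policy, tag_value):
    """Return (member-vault days, central-vault days) for a tag value, or None.
    Useful as a review check that the copy keeps at least the source retention."""
    for plan in policy["plans"].values():
        for selection in plan["selections"]["tags"].values():
            if tag_value in selection["tag_value"]["@@assign"]:
                rule = next(iter(plan["rules"].values()))
                src = int(rule["lifecycle"]["delete_after_days"]["@@assign"])
                copy = next(iter(rule["copy_actions"].values()))
                dst = int(copy["lifecycle"]["delete_after_days"]["@@assign"])
                return src, dst
    return None


if __name__ == "__main__":
    # Placeholder central account id; replace with the backup account's id.
    central = "arn:aws:backup:us-east-1:111111111111:backup-vault:sra-central-vault"
    print(json.dumps(build_backup_policy(["us-east-1"], central), indent=2))
```

Two points a reviewer would check before attaching the output: the central vault's access policy must allow `backup:CopyIntoBackupVault` from the member accounts (the backup policy alone does not grant that), and the member vault named in `target_backup_vault_name` must already exist in every targeted region, which is what the Terraform-at-account-creation step above provides.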