Preventing Deletion of Backups Using an Amazon Backup Vault Resource-based Access Policy
Introduction
AWS Backup provides comprehensive data protection and enables the configuration of backup policies for monitoring AWS resource events. Utilizing a backup vault in AWS allows for secure storage of backups. By assigning policies to the backup vault and its associated resources, a cloud security administrator gains control over user access privileges and the ability to delete recovery points. The implementation of resource-based access policies in Amazon Backup ensures that backups remain protected and are accessible solely to authorized users, thus preventing unauthorized access and data loss.
Lab Objective
In this lab, you will learn how to create backups and ensure their protection from deletion through the implementation of an Amazon backup vault resource-based access policy.
Disclaimer
Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console.
Lab Tasks
- Sign in to the AWS Management Console. Next, create an IAM user by searching for IAM in the search box at the top of the console.
- On the IAM dashboard, select Users in the left pane and click on Add Users, as shown in the screenshot below, to create a new user.
- On the Add User page, in the User name field, provide any name (here, the username is Goody). Next, check the box “Provide user access to the AWS Management Console” and, under “Are you providing console access to a person?”, select the radio button “I want to create an IAM user”. Choose the Autogenerated password radio button. Then uncheck the box “Users must create a new password at next sign-in (recommended)”. Once done, click Next.
NOTE: From a security point of view, it is recommended to leave “Users must create a new password at next sign-in - Recommended” enabled so that the user must change his or her password once signed in.
Check out my write-up on securing IAM user accounts.
- In the Set Permissions section, click on Attach Policies directly. In the Filter policies field, search for AWSBackupFullAccess and select the checkbox for AWSBackupFullAccess from the search results. Now, click on Next
- On the Review and Create page, review the IAM user creation. You can also add new tags, which are optional but help in easily searching for tag keys. (Here, give the tag the name “IAM User”). Once done, click Create User.
- Once you have clicked on the "Create user" button, a Success message will appear, as depicted in the screenshot below. At this point, you will have the choice to send an email containing the login instructions for the newly created IAM user. Click on Download .csv file, and to return to the IAM page, simply click on "Return to users list".
- You will be redirected to the Users page. On this page, click on the name of the user (here, Goody) you created.
- On the User Info page (here, Goody), copy the User ARN and paste it into a notepad.
- To create an AWS backup vault, access the Services menu, choose the Storage option, and then select AWS Backup.
After launching the AWS Backup console, open the Backup vaults feature by clicking on it in the left pane. If the menu is not initially visible, click on the ellipsis located at the top left corner to display it, and then choose Backup vaults from the menu options.
- To create a backup vault, click on Create Backup Vault in the Backup Vaults window.
- In the Create Backup Vault section, type a suitable name under Backup vault name (here, Goody-AwsBackup1) and leave the Encryption key as the default (aws/backup). Then, click on Create Backup Vault.
- The backup vault “Goody-AwsBackup1” was successfully created, as shown below.
To create another backup vault, click on the Backup vaults option in the left pane and click on the “Create backup vault” button.
- In the Create Backup Vault section, type a suitable name under Backup vault name (here, Goody-AwsBackup2) and leave the Encryption key as the default (aws/backup). Then, click on Create Backup Vault.
- The Backup vault “Goody-AwsBackup2” was successfully created, as shown below.
- Click on the Backup Vaults option in the left pane to view all the backup vaults.
Two backup vaults have been successfully created as shown in the above image.
To deny the deletion action to the user (Goody) for the backup vault named Goody-AwsBackup2, create an Amazon backup vault resource-based access policy.
- To obtain the ARN (Amazon Resource Name) of the backup vault named "Goody-AwsBackup2", which is needed to configure the policy, navigate to the Backup vaults page and click on "Goody-AwsBackup2".
- Once the Goody-AwsBackup2 page opens, copy the Backup Vault ARN and paste it into Notepad or a sticky note. Scroll down and click Edit under the Access Policy section.
- In the Edit access policy window, input the JSON policy provided below, which explicitly denies the user named Goody the backup:DeleteBackupVault action on this vault. Finally, save the policy by clicking on the "Save policy" button.
Note: Replace the Principal AWS ARN value with the IAM user ARN you copied into the notepad, and replace the Resource value with the backup vault ARN you copied into the notepad.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::181191024753:user/Goody"
      },
      "Action": [
        "backup:DeleteBackupVault"
      ],
      "Resource": "arn:aws:backup:us-west-2:181191024753:backup-vault:Goody-AwsBackup2"
    }
  ]
}
- The Access policy has been updated successfully.
- The IAM user (here, Goody) can no longer delete the Goody-AwsBackup2 backup vault. Now, verify the applied resource access policy. To do this, navigate to the IAM dashboard and copy the link under "Sign-in URL for IAM users in this account" in the AWS Account section of the right pane.
- To access AWS as the IAM user, open a fresh Chrome incognito window and paste the copied URL. This will redirect you to the AWS sign-in page for IAM users. Then, input the IAM user credentials from the downloaded .csv file.
- To verify if the IAM user (Goody) can delete the backup vault, access the Services Search box, enter "AWS Backup," and select it.
- On the AWS Backup page, click on Backup Vaults from the left navigation pane.
- You can see three backup vaults under Backup vaults (the account's default vault plus the two you created). Next, click on Goody-AwsBackup2 on the backup vaults page.
If you are unable to locate the three backup vaults when clicking on "Backup vaults", switch to the region you selected at the start of the lab (here, the region is US West (Oregon)).
- On the Goody-AwsBackup2 backup vault page, click on Delete vault.
- In the Delete Backup Vault window, type Goody-AwsBackup2 as the backup vault name to confirm the deletion. Then, click the Delete backup vault button.
- Upon clicking the "Delete Backup Vault" button, an Access Denied message will promptly appear, as depicted in the screenshot below.
The Access Denied message is displayed because you, as the administrator, have just restricted the "Goody-AwsBackup2" backup vault resource by applying the "DenyBackupvault" policy specifically to the user named "Goody".
Next, try to delete the Goody-AwsBackup1 backup vault. Click on Backup vaults in the left pane to switch to the Backup vaults section, and then click on Goody-AwsBackup1 (the same process as above).
On the Goody-AwsBackup1 page, click on Delete Vault.
- Next, in the Delete backup vault window, type Goody-AwsBackup1 to confirm the deletion. Then, click on Delete backup vault.
- The Goody-AwsBackup1 backup vault gets deleted successfully because you applied the restrictive resource policy to Goody-AwsBackup2 only. Therefore, the user can delete the Goody-AwsBackup1 backup vault but not the Goody-AwsBackup2 backup vault.
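To make the effect of the vault policy and of the verification steps above concrete, here is an added Python example; it is not part of the original lab and not AWS's own code. It builds the same Deny policy document from a principal ARN and a vault ARN, then evaluates requests against it with a simplified model of IAM's explicit-Deny rule (an explicit Deny in the resource policy wins over the Allow granted by AWSBackupFullAccess). The account ID, region and names follow the lab, but the ARNs, the helper functions (build_deny_delete_policy, is_denied, lab_results) and the "Admin" principal are constructed for this example. It also shows a caveat the lab's policy does not cover: backup:DeleteRecoveryPoint is a separate action, so a policy that lists only backup:DeleteBackupVault still leaves recovery points in the vault deletable by that user until the second action is added.

```python
import fnmatch
import json

# Constructed values for this example: the account id, region and vault names follow
# the lab's text, but the ARNs are assembled here rather than copied from a live account.
ACCOUNT_ID = "181191024753"
REGION = "us-west-2"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/Goody"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/Admin"  # hypothetical second principal
VAULT1_ARN = f"arn:aws:backup:{REGION}:{ACCOUNT_ID}:backup-vault:Goody-AwsBackup1"
VAULT2_ARN = f"arn:aws:backup:{REGION}:{ACCOUNT_ID}:backup-vault:Goody-AwsBackup2"


def build_deny_delete_policy(principal_arn, vault_arn, actions=("backup:DeleteBackupVault",)):
    """Return the vault access policy used in the lab as a dict (json.dumps() it to paste)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": {"AWS": principal_arn},
                "Action": list(actions),
                "Resource": vault_arn,
            }
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "*" denies everyone; otherwise compare against the listed AWS principal ARNs.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p == "*" or p == caller_arn for p in _as_list(aws))


def is_denied(policy, caller_arn, action, resource_arn):
    """Simplified evaluation: True if any Deny statement matches the request.

    Assumption (labelled): this models only the explicit-Deny half of IAM evaluation,
    with '*' and '?' wildcards in Action/Resource handled by fnmatch. An explicit Deny
    always wins, so True means the request is blocked regardless of the identity
    policy. False means "not denied by this vault policy", not "allowed".
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        return True
    return False


# The policy exactly as the lab applies it to Goody-AwsBackup2 ...
LAB_POLICY = build_deny_delete_policy(USER_ARN, VAULT2_ARN)
# ... and a variant that also covers deleting individual recovery points in that vault.
HARDENED_POLICY = build_deny_delete_policy(
    USER_ARN, VAULT2_ARN, actions=("backup:DeleteBackupVault", "backup:DeleteRecoveryPoint")
)


def lab_results():
    """Replay the lab's verification steps, plus the recovery-point caveat."""
    return {
        # Goody deleting Goody-AwsBackup2 -> Access Denied (what the lab observes)
        "goody_delete_vault2": is_denied(LAB_POLICY, USER_ARN, "backup:DeleteBackupVault", VAULT2_ARN),
        # Goody deleting Goody-AwsBackup1 -> not denied, deletion succeeds (as in the lab)
        "goody_delete_vault1": is_denied(LAB_POLICY, USER_ARN, "backup:DeleteBackupVault", VAULT1_ARN),
        # Another principal is untouched, which is why the admin can clean up afterwards
        "admin_delete_vault2": is_denied(LAB_POLICY, ADMIN_ARN, "backup:DeleteBackupVault", VAULT2_ARN),
        # Caveat: the lab's policy says nothing about recovery points inside the vault
        "goody_delete_recovery_point": is_denied(LAB_POLICY, USER_ARN, "backup:DeleteRecoveryPoint", VAULT2_ARN),
        # Adding backup:DeleteRecoveryPoint to the Action list closes that gap
        "goody_delete_recovery_point_hardened": is_denied(
            HARDENED_POLICY, USER_ARN, "backup:DeleteRecoveryPoint", VAULT2_ARN
        ),
    }


if __name__ == "__main__":
    print(json.dumps(LAB_POLICY, indent=2))
    for name, denied in lab_results().items():
        print(f"{name}: {'DENIED' if denied else 'not denied'}")
```

Running the script prints the policy document in the same form as the one pasted into the console, followed by one line per request showing which are denied; only the Goody-AwsBackup2 vault deletion by Goody is blocked by the lab's policy, and recovery-point deletion is blocked only by the hardened variant.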
Lesson
As a cloud security engineer, implementing this feature allows you to enforce a restricted resource policy that applies to designated users and/or specific resources.
To prevent any billing charges, it is important to make sure that you delete, shut down, or terminate all the resources that were created and used during this lab.
Deleting Created Resources
- Now, delete the resources created in this lab. Navigate to Backup vaults under AWS Backup in your main AWS account (not the IAM user account) and click on the vault created in this lab (here, Goody-AwsBackup2); the access policy denies only the IAM user Goody, so the account administrator can still delete it. Click on the Delete vault button. In the pop-up window, enter the vault's name and click on Delete backup vault.
- Navigate to Users under the IAM console and select the user created in this lab (here, Goody). Select the checkbox and click on the Delete button. In the pop-up window, enter the user's name and click on Delete.