Ensure Backup Vault is encrypted at rest using KMS CMK

AWS Backup is a fully-managed service that makes it easy to centralize and automate data protection across AWS services, in the cloud, and on premises.You can configure backup policies and monitor activity for your AWS resources in one place. Ensure you haveencryption enabled for your backup vault with you CMK.This will help protect your backups in this backup vault even more securely

Risk Level: High
Cloud Entity: AWS Backup BackupVault
CloudGuard Rule ID: D9.CFT.CRY.16
Covered by Spectral: Yes
Category: Management Tools


AWS_Backup_BackupVault should have EncryptionKeyArn


From CFT
Type: AWS::Backup::BackupVault
EncryptionKeyArn: CMK_ARN

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-backup-backupvault.html#cfn-backup-backupvault-encryptionkeyarn
  2. https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html

AWS Backup BackupVault

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.Do not include sensitive data, such as passport numbers, in the name of a backup vault.

Compliance Frameworks

  • AWS CloudFormation ruleset