Ensure Backup Vault is encrypted at rest using KMS CMK
AWS Backup is a fully managed service that centralizes and automates data protection across AWS services, in the cloud and on premises. You can configure backup policies and monitor activity for your AWS resources in one place. Ensure encryption is enabled for your backup vault with your own customer managed key (CMK). A vault created without EncryptionKeyArn is still encrypted, but with a KMS key that AWS manages on your behalf; specifying your CMK puts the key policy, rotation schedule, and CloudTrail key-usage audit trail under your control, so access to the backups in this vault can be restricted and revoked independently of the vault's IAM permissions.
Risk Level: High
Cloud Entity: AWS Backup BackupVault
CloudGuard Rule ID: D9.CFT.CRY.16
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
AWS_Backup_BackupVault should have EncryptionKeyArn
REMEDIATION
From CFT
Resources:
  mybackupvault:
    Type: AWS::Backup::BackupVault
    Properties:
      ...
      EncryptionKeyArn: CMK_ARN
      ...
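The GSL rule above only asks whether EncryptionKeyArn is present. The following static check, an added example that is not CloudGuard's or AWS's own code, applies the same rule to a CloudFormation template in JSON form and additionally distinguishes a literal KMS key ARN from an alias ARN (the CloudFormation documentation requires the key ARN, not its alias) and from an intrinsic such as Fn::GetAtt on an AWS::KMS::Key resource, which cannot be resolved statically and is accepted as present. The template, resource names and account ID are constructed for the example; the regular expression for key ARNs is an assumption about the ARN format and not part of the rule.

```python
"""Static check for CloudFormation templates: every AWS::Backup::BackupVault
must set EncryptionKeyArn, mirroring the GSL rule
'AWS_Backup_BackupVault should have EncryptionKeyArn'.
Added example; not CloudGuard's own checker.
"""
import json
import re

# A customer-managed key given as a literal must be a key ARN, not an alias ARN.
# Assumed ARN shape: arn:<partition>:kms:<region>:<account>:key/<key-id>.
KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)


def encryption_key_status(props):
    """Classify the EncryptionKeyArn property of one BackupVault.

    Returns one of: 'missing', 'literal-key-arn', 'alias-arn', 'intrinsic', 'invalid'.
    """
    value = props.get("EncryptionKeyArn")
    if value is None or value == "":
        return "missing"
    if isinstance(value, dict):
        # Ref / Fn::GetAtt / Fn::ImportValue resolve at deploy time; treat as
        # present but leave it to the reviewer to confirm it is a CMK.
        return "intrinsic"
    if isinstance(value, str):
        if KMS_KEY_ARN.match(value):
            return "literal-key-arn"
        if ":alias/" in value:
            return "alias-arn"
    return "invalid"


def find_unencrypted_vaults(template):
    """Return (logical_id, status) for each BackupVault that violates the rule:
    EncryptionKeyArn missing, an alias ARN, or otherwise unusable."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Backup::BackupVault":
            continue
        status = encryption_key_status(res.get("Properties", {}))
        if status in ("missing", "alias-arn", "invalid"):
            findings.append((logical_id, status))
    return findings


# Constructed sample template (JSON form); account ID and names are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "VaultKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*"
          }]
        }
      }
    },
    "UnencryptedVault": {
      "Type": "AWS::Backup::BackupVault",
      "Properties": {"BackupVaultName": "no-cmk"}
    },
    "AliasVault": {
      "Type": "AWS::Backup::BackupVault",
      "Properties": {
        "BackupVaultName": "alias-key",
        "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:alias/backup"
      }
    },
    "LiteralVault": {
      "Type": "AWS::Backup::BackupVault",
      "Properties": {
        "BackupVaultName": "literal-key",
        "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      }
    },
    "GetAttVault": {
      "Type": "AWS::Backup::BackupVault",
      "Properties": {
        "BackupVaultName": "getatt-key",
        "EncryptionKeyArn": {"Fn::GetAtt": ["VaultKey", "Arn"]}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, status in find_unencrypted_vaults(SAMPLE_TEMPLATE):
        print(f"{logical_id}: EncryptionKeyArn {status}")
```

Run against the sample, the check reports UnencryptedVault (missing) and AliasVault (alias-arn) and passes LiteralVault and GetAttVault. For a YAML template with short-form tags (!GetAtt, !Ref) you would need a YAML loader with CloudFormation tag constructors; the JSON form is used here so the example runs with the standard library only.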
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-backup-backupvault.html#cfn-backup-backupvault-encryptionkeyarn
- https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
AWS Backup BackupVault
Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID. Do not include sensitive data, such as passport numbers, in the name of a backup vault.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago