Protect AWS Backups from Ransom Operations
Overview
This AWS Service Control Policy (SCP) is designed to prevent threat actors with admin permissions from conducting ransomware operations by deleting AWS backups. It specifically protects backup vaults and recovery points tagged with aws_backup_bcp_tier. This SCP should be applied to the Root Organizational Unit (OU) to provide comprehensive protection across all accounts.
For more information on leveraging this SCP, refer to the PrimeHarbor blog on Deploying AWS Backup.
JSON Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectVaults",
      "Effect": "Deny",
      "Action": [
        "backup:DeleteBackupVault",
        "backup:DeleteRecoveryPoint"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/aws_backup_bcp_tier": "*"
        },
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE"
          ]
        }
      }
    }
  ]
}
Explanation
Statements
- Sid: "ProtectVaults" - A unique identifier for this specific statement within the policy.
- Effect: "Deny" - This policy denies the specified actions.
- Action:
  - backup:DeleteBackupVault - Prevents deletion of backup vaults.
  - backup:DeleteRecoveryPoint - Prevents deletion of recovery points.
- Resource: ["*"] - Applies to all resources.
- Condition:
  - StringLike: Ensures the policy applies only to resources tagged with aws_backup_bcp_tier, whatever the tag's value. The operator must be StringLike, not StringEquals: StringEquals compares literally and does not expand "*", so it would only match a tag whose value is the single character "*", and the deny would never fire.
  - StringNotLike: Ensures the policy applies unless the principal ARN matches the specified pattern, allowing exceptions for specific roles: arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE
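To see how the two conditions combine before deploying, here is an added example (not part of this page or of PrimeHarbor's tooling): a small Python evaluator implementing only the IAM operators this SCP uses, run over constructed principals and tags. It also shows why the tag condition needs StringLike rather than StringEquals; the account ID, role names and tag values are assumptions.

```python
import copy
import fnmatch
# The page's SCP as a dict (tag condition as StringLike, since StringEquals treats "*" literally).
PROTECT_VAULTS_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectVaults", "Effect": "Deny",
    "Action": ["backup:DeleteBackupVault", "backup:DeleteRecoveryPoint"], "Resource": "*",
    "Condition": {
        "StringLike": {"aws:ResourceTag/aws_backup_bcp_tier": "*"},
        "StringNotLike": {"aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE"]}}}]}

def _condition_holds(op, key, patterns, ctx):
    """IAM semantics for the operators this SCP uses: the values of one key are OR'd;
    a missing context key makes positive operators false and negated operators true."""
    value, patterns = ctx.get(key), patterns if isinstance(patterns, list) else [patterns]
    like = lambda v: any(fnmatch.fnmatchcase(v, p) for p in patterns)  # "*" and "?" wildcards
    if op == "StringEquals":  # exact, case-sensitive comparison; "*" is just a literal here
        return value is not None and value in patterns
    if op == "StringLike":
        return value is not None and like(value)
    if op == "StringNotLike":
        return value is None or not like(value)
    raise NotImplementedError(op)

def scp_denies(scp, action, principal_arn, resource_tags):
    """True if any Deny statement matches the request; SCPs can only take access away."""
    ctx = {"aws:PrincipalArn": principal_arn}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not any(
                fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        # Condition keys are AND'd together; an absent Condition always matches.
        if all(_condition_holds(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items()):
            return True
    return False

# Constructed sample principals and tags (hypothetical account ID and role names).
ENGINEERING = "arn:aws:iam::111111111111:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE"
ADMIN = "arn:aws:iam::111111111111:role/Admin"
TAGGED, UNTAGGED = {"aws_backup_bcp_tier": "tier1"}, {}

def demo(action="backup:DeleteRecoveryPoint"):
    # Same SCP with the tag operator swapped back to StringEquals, to show the pitfall.
    equals_variant = copy.deepcopy(PROTECT_VAULTS_SCP)
    cond = equals_variant["Statement"][0]["Condition"]
    cond["StringEquals"] = cond.pop("StringLike")
    return {
        "admin_tagged": scp_denies(PROTECT_VAULTS_SCP, action, ADMIN, TAGGED),             # True
        "engineering_tagged": scp_denies(PROTECT_VAULTS_SCP, action, ENGINEERING, TAGGED),  # False
        "admin_untagged": scp_denies(PROTECT_VAULTS_SCP, action, ADMIN, UNTAGGED),          # False: untagged is unprotected
        "admin_tagged_string_equals": scp_denies(equals_variant, action, ADMIN, TAGGED),    # False: "*" never matches
    }
```

The evaluator models only this statement's conditions, not the rest of IAM (explicit allows, or the management account, which SCPs never restrict), so use it to reason about the conditions rather than as an authorization oracle. The untagged case is the practical point: only resources that actually carry the tag are covered.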
When to Use This Policy
- Preventing Ransom Operations: Use this policy to protect AWS backups from being deleted by unauthorized actors, including those with admin permissions.
- Securing Critical Data: Ensures that critical backup data remains intact and recoverable in case of a security breach.
Benefits
- Enhanced Security: Protects against ransomware operations by preventing the deletion of backups.
- Data Integrity: Ensures that critical recovery points are preserved, allowing for data recovery in the event of an attack.
- Compliance: Helps maintain compliance with data protection and disaster recovery policies by safeguarding backup data.
Potential Drawbacks
- Restricted Flexibility: May limit the ability of administrators to delete backup vaults and recovery points if not properly managed.
- Management Overhead: Requires ongoing management to ensure that the policy conditions and exceptions are appropriately maintained.
Summary
This SCP is crucial for protecting your AWS backups from potential ransomware operations by denying delete actions on backup vaults and recovery points tagged with aws_backup_bcp_tier. By applying this policy to the Root OU, you ensure comprehensive protection across all accounts. Regularly review and update the policy to ensure it aligns with your organizational requirements and security practices.
Sources
- PrimeHarbor