AWS Backup and Vault Lock

Questions and Answers

An organization requires a backup solution that prevents any modifications to the backup policies once they are set. Which AWS Backup Vault Lock mode should they implement?

• Governance mode, allowing specific IAM users to make policy updates while preventing deletion of recovery points.
• Compliance mode, ensuring that the backup policy cannot be changed or deleted for the duration of the lock period. (correct)
• Audit mode, which provides monitoring capabilities but does not enforce immutability.
• Read-only mode, restricting any modifications to the backup configurations.

A company wants to implement a backup strategy using AWS Backup across multiple AWS accounts in different regions. What capabilities of AWS Backup facilitate this requirement?

• AWS Backup supports cross-region and cross-account backup capabilities, allowing centralized management and data protection. (correct)
• AWS Backup requires the use of third-party tools to manage backups across multiple accounts and regions.
• AWS Backup only supports backup within a single AWS account and region due to security restrictions.
• AWS Backup relies on manual replication to other accounts and regions, which is a time-consuming and error-prone process.

Which security feature of AWS Backup Vault Lock utilizes a Write Once Read Many (WORM) approach, preventing any modifications or deletions of backup data?

• Auditing
• Access Control
• Encryption
• Immutability (correct)

A company needs to back up several different AWS resources, including EC2 instances, RDS databases, and S3 buckets. How does AWS Backup simplify this process?

AWS Backup provides a single centralized service to manage backups for various AWS services. (D)

An administrator is tasked with setting up compliance rules for the retention and lifecycle of AWS Backups. Where can these rules be configured?

AWS Backup (B)

Flashcards

AWS Backup

A centralized service to manage backups for various AWS services like EC2, RDS, and S3.

AWS Backup Capabilities

Automates backup schedules, enables cross-region and cross-account backups and supports individual file or system restores .

AWS Backup Compliance and Security

Set rules for backup retention, lifecycle, and access control using IAM.

Backup Vault Lock

A secure container for storing backups with immutable safeguards.

Compliance Mode (Vault Lock)

Policies cannot be changed or deleted for the lock period, providing strong immutability.

Study Notes

• AWS Backup centralizes backups for various AWS services like EC2, RDS, EFS, S3, and DocumentDB.
• Automated backup scheduling is provided.
• Backups can be performed across regions and accounts.
• It is possible to restore individual files or entire systems.
• For compliance and security, retention and lifecycle rules can be set for backups.
• Access is controlled within IAM.
• The backup process can be monitored.

Backup Vault Lock

• Backup Vault Lock enhances security and compliance with immutable safeguards.
• Policies set become immutable using the WORM (Write Once Read Many) method.
• No one, including the root user, can change or delete the recovery points.
• Regulatory compliance is provided.

Value Lock Modes

• Compliance mode ensures the policy cannot be changed or deleted for the lock period.
• Governance mode allows specified IAM users to update policies but not delete recovery points.

Description

AWS Backup centralizes backups for various AWS services, with automated scheduling and cross-region/account capabilities. Backup Vault Lock enhances security with immutable, WORM-protected policies, preventing unauthorized changes or deletions of recovery points, ensuring regulatory compliance.