Now you can lock individual Amazon Elastic Block Store (Amazon EBS) snapshots in order to enforce better compliance with your data retention policies. Locked snapshots can't be deleted until the lock expires or is released, giving you the power to keep critical backups safe from accidental or malicious deletion, including ransomware attacks.
The Need for Locking
AWS customers use EBS snapshots for backups, disaster recovery, data migration, and compliance. Customers in financial services and health care often need to meet specific compliance requirements, with prescribed time frames for retention, and also need to make sure that the snapshots are truly Write Once Read Many (WORM). In order to meet these requirements, customers have implemented solutions that use multiple AWS accounts with one-way "air gaps" between them.
EBS Snapshot Lock
The new EBS Snapshot Lock feature lets you meet your retention and compliance requirements without the need for custom solutions. You can lock new and existing EBS snapshots using a lock duration that can range from one day to about 100 years. The snapshot is locked for the specified duration and cannot be deleted.
There are two lock modes:
Governance – This mode protects snapshots from deletion by all users. However, with the proper IAM permissions, the lock duration can be extended or shortened, the lock can be deleted, and the mode can be changed from Governance mode to Compliance mode.
Compliance – This mode protects snapshots from actions by the root user and all IAM users. After a cooling-off period of up to 72 hours, neither the snapshot nor the lock can be deleted until the lock duration expires, and the mode cannot be changed. With the proper IAM permissions the lock duration can be extended, but it cannot be shortened.
Snapshots in either mode can still be shared or copied. They can be archived to the low-cost Amazon EBS Snapshots Archive tier, and locks can be applied to snapshots that have already been archived.
Using Snapshot Lock
From the EBS Console I select a snapshot (Snap-Monthly-2023-09) and choose Manage snapshot lock from Snapshot Settings in the Actions menu:
This is a monthly snapshot and I want to lock it for one year. I choose Governance mode and select the duration, then click Save lock settings:
I attempt to delete it, and the deletion fails, as it should:
Now I want to lock one of my annual snapshots for five years, using Compliance mode this time:
I set my cooling-off period to 24 hours, just in case I change my mind. Perhaps I have to run some kind of audit or final date validation on the snapshot before committing to keeping it around for five years.
Programmatically, I can use new API functions to establish and control locks on my EBS snapshots:
LockSnapshot – Lock a snapshot in governance or compliance mode, or modify the settings of a snapshot that is already locked.
UnlockSnapshot – Unlock a snapshot that is in governance mode, or is in compliance mode but within the cooling-off period.
DescribeLockedSnapshots – Get information about the lock status of my snapshots, with optional filtering based on the state of the lock.
IAM users must have the appropriate permissions (ec2:LockSnapshot, ec2:UnlockSnapshot, and ec2:DescribeLockedSnapshots) in order to use these functions.
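The API calls above, as an added example that is not part of the original post: a small Python helper that validates LockSnapshot parameters against the limits described here (one day to about 100 years, cooling-off of at most 72 hours and only in compliance mode) and classifies DescribeLockedSnapshots results so a defender can spot backups that are not yet immutable. It assumes the boto3 parameter and response field names (SnapshotId, LockMode, LockDuration, CoolOffPeriod, LockState, CoolOffPeriodExpiresOn, LockExpiresOn) and only builds the request dict; the sample response is constructed, so it runs without AWS access.

```python
"""Build EBS Snapshot Lock requests and audit lock state (added example, offline)."""
from datetime import datetime, timedelta, timezone

MAX_DURATION_DAYS = 36500   # roughly the "about 100 years" upper bound for a lock
MAX_COOL_OFF_HOURS = 72     # cooling-off period exists only in compliance mode


def lock_request(snapshot_id, mode, days, cool_off_hours=None):
    """Validate inputs and return keyword arguments for ec2.lock_snapshot().
    Assumed boto3 parameter names; raises ValueError on values the service rejects."""
    if mode not in ("governance", "compliance"):
        raise ValueError("mode must be 'governance' or 'compliance'")
    if not 1 <= days <= MAX_DURATION_DAYS:
        raise ValueError("lock duration must be between 1 and 36500 days")
    req = {"SnapshotId": snapshot_id, "LockMode": mode, "LockDuration": days}
    if cool_off_hours is not None:
        if mode != "compliance":
            raise ValueError("cooling-off period applies only to compliance mode")
        if not 1 <= cool_off_hours <= MAX_COOL_OFF_HOURS:
            raise ValueError("cooling-off period must be between 1 and 72 hours")
        req["CoolOffPeriod"] = cool_off_hours
    return req


def audit_locks(locked, now):
    """Map snapshot id -> finding for entries from a DescribeLockedSnapshots response
    (the list under 'Snapshots'; timestamps as tz-aware datetimes, as boto3 returns them).
    Anything other than an active compliance lock is still deletable by someone."""
    findings = {}
    for s in locked:
        state = s["LockState"]
        if state == "expired":
            findings[s["SnapshotId"]] = "lock expired: snapshot is deletable again"
        elif state == "compliance-cooloff":
            hours_left = (s["CoolOffPeriodExpiresOn"] - now).total_seconds() / 3600
            findings[s["SnapshotId"]] = f"still in cooling-off, unlockable for {hours_left:.0f}h"
        elif state == "governance":
            findings[s["SnapshotId"]] = "governance mode: removable with ec2:UnlockSnapshot"
        else:
            findings[s["SnapshotId"]] = "compliance: immutable until " + s["LockExpiresOn"].isoformat()
    return findings


# Constructed sample data shaped like a describe_locked_snapshots() response.
NOW = datetime(2023, 12, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"SnapshotId": "snap-0a", "LockState": "compliance-cooloff",
     "CoolOffPeriodExpiresOn": NOW + timedelta(hours=20), "LockExpiresOn": NOW + timedelta(days=1825)},
    {"SnapshotId": "snap-0b", "LockState": "governance", "LockExpiresOn": NOW + timedelta(days=365)},
    {"SnapshotId": "snap-0c", "LockState": "expired", "LockExpiresOn": NOW - timedelta(days=1)},
]
```

Running `audit_locks(SAMPLE, NOW)` flags snap-0a as still in its cooling-off window, snap-0b as unlockable under governance mode, and snap-0c as no longer protected.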
Things to Know
Here are a couple of things to keep in mind about this new feature:
AWS Backup – AWS Backup independently manages retention for the snapshots that it creates. We don't recommend locking them.
Pricing – There is no additional charge for the use of this feature. You pay the usual rates for storage of snapshots and archived snapshots.
Regions – EBS Snapshot Locking is available in all commercial AWS Regions.
KMS Key Retention – If you are using customer-managed AWS Key Management Service (AWS KMS) keys to encrypt your EBS volumes and snapshots, you need to make sure that the key will remain valid for the lifetime of the snapshot.