
Rule: EC2 Instances Should Be Protected by Backup Plan

Ensure compliance with the requirement to protect EC2 instances with a backup plan.

Rule: EC2 instances should be protected by backup plan
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

EC2 instances should be protected by a backup plan to comply with NIST 800-171 Revision 2. This rule ensures that proper backup measures are in place to protect critical data and restore it in case of data loss, system failures, or disasters. Regular backups are essential for maintaining data integrity, business continuity, and meeting compliance requirements.

Troubleshooting Steps:

  1. Ensure that the Amazon Web Services (AWS) account you are accessing has the necessary permissions to create and manage backups.
  2. Verify that the EC2 instances you want to back up are running and accessible.
  3. Check that you have sufficient storage capacity in your chosen backup location (either AWS Backup or a custom backup solution).
  4. Review the backup schedule and retention policy to ensure they align with your compliance requirements.

Code Samples (AWS Backup CLI):

To enable backup for an EC2 instance, follow these steps:

  1. Install and configure the AWS CLI if not already done.
  2. Open the command-line interface and create the backup plan:

     aws backup create-backup-plan --backup-plan '{
       "BackupPlanName": "MyBackupPlan",
       "Rules": [
         {
           "RuleName": "EC2BackupRule",
           "TargetBackupVaultName": "MyBackupVault",
           "ScheduleExpression": "cron(0 0 ? * MON-FRI *)",
           "StartWindowMinutes": 60,
           "Lifecycle": {
             "MoveToColdStorageAfterDays": 30,
             "DeleteAfterDays": 120
           }
         }
       ]
     }'

This command creates a backup plan named "MyBackupPlan" containing the rule "EC2BackupRule", which runs at 00:00 UTC on weekdays, moves each recovery point to cold storage after 30 days and deletes it after 120 days. AWS Backup requires DeleteAfterDays to be at least 90 days greater than MoveToColdStorageAfterDays, so the plan is rejected if the two values are set the other way round. The vault named in TargetBackupVaultName must already exist. Adjust the parameters according to your requirements; the command prints the BackupPlanId you need in the next steps.

  3. Verify the successful creation of the backup plan by executing:

     aws backup describe-backup-plan --backup-plan-id <backup-plan-id>

This command provides detailed information about the backup plan, including its rules and the backup plan ID.

  4. To associate the EC2 instance(s) with the backup plan, create a backup selection (start-backup-job only runs a one-off on-demand backup and does not assign resources to a plan):

     aws backup create-backup-selection --backup-plan-id <backup-plan-id> --backup-selection '{
       "SelectionName": "EC2Instances",
       "IamRoleArn": "<iam-role-arn>",
       "Resources": ["<ec2-instance-arn>"]
     }'

Replace <backup-plan-id> with the ID from step 2, <ec2-instance-arn> with the ARN of the EC2 instance, and <iam-role-arn> with the ARN of the IAM role that has the necessary permissions to perform backups.

Remediation Steps:

To enable backup protection and meet the NIST 800-171 Revision 2 requirement, follow these steps:

  1. Identify the critical EC2 instances that need backup protection.
  2. Determine the suitable backup schedule and retention policy to fulfill your compliance needs (e.g., daily backups with a retention period of 30 days).
  3. Create a backup plan using the AWS CLI or AWS Management Console with the appropriate parameters, such as backup plan name, rule name, backup schedule, retention period, etc.
  4. Review and verify the backup plan settings to ensure they align with your compliance requirements.
  5. Associate the EC2 instances with the backup plan by executing the appropriate CLI command or using the AWS Management Console.

Please note that AWS Backup is the recommended solution for managing backups in AWS, but you have the flexibility to choose a custom backup solution as long as it complies with the NIST 800-171 Revision 2 guidelines.

Regularly monitor the backup operations, validate restoration procedures, and periodically test the backups to ensure the integrity and availability of your EC2 instance data.
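As an added example (not code from this page or from Cloud Defense), the following Python performs the check this rule describes offline: it takes the JSON that `aws ec2 describe-instances` and `aws backup list-protected-resources` print (sample outputs constructed here, not real data), reports instances with no AWS Backup recovery point, and validates a plan rule's lifecycle before create-backup-plan is called. The region and account ID are assumed inputs.

```python
"""Offline check for the rule on this page: which EC2 instances have no
AWS Backup recovery point, plus a sanity check on a backup-plan lifecycle."""
import json

# Constructed sample output of `aws ec2 describe-instances` (not real data).
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
  {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
  {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}}
]}]}""")

# Constructed sample output of `aws backup list-protected-resources`.
PROTECTED_RESOURCES = json.loads("""
{"Results": [
  {"ResourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa111",
   "ResourceType": "EC2", "LastBackupTime": "2024-05-01T00:12:00+00:00"}
]}""")


def instance_arn(region, account, instance_id):
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


def unprotected_instances(describe_out, protected_out, region, account):
    """Return IDs of non-terminated instances that have no EC2 recovery point."""
    protected = {r["ResourceArn"] for r in protected_out["Results"]
                 if r["ResourceType"] == "EC2"}
    missing = []
    for reservation in describe_out["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue  # nothing left to back up
            if instance_arn(region, account, inst["InstanceId"]) not in protected:
                missing.append(inst["InstanceId"])
    return missing


def lifecycle_errors(lifecycle):
    """AWS Backup rejects a rule whose DeleteAfterDays is less than
    MoveToColdStorageAfterDays + 90 (90-day minimum stay in cold storage)."""
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    delete = lifecycle.get("DeleteAfterDays")
    if cold is not None and delete is not None and delete < cold + 90:
        return [f"DeleteAfterDays ({delete}) must be >= {cold + 90}"]
    return []
```

list-protected-resources only lists resources that already have at least one recovery point, so an instance just added to a plan shows up only after its first scheduled backup has run.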
