Rule: EBS volumes should be in a backup plan

This rule requires EBS volumes to be included in a backup plan to ensure data safety and disaster recovery.

Rule: EBS volumes should be in a backup plan
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

EBS Volumes Backup for NIST Cybersecurity Framework (CSF) v1

Ensuring that Elastic Block Store (EBS) volumes are included in a backup plan is vital for adhering to the NIST Cybersecurity Framework's guidance on maintaining resilient systems. Below is a detailed description of the rule, along with troubleshooting steps, necessary code samples, and step-by-step remediation guides.

Rule Description

Amazon Elastic Block Store (EBS) is a block storage service designed for use with Amazon EC2 instances. EBS volumes can store data beyond the lifetime of a single EC2 instance and are used for scenarios requiring persistence, high performance, and high reliability.

As part of the NIST Cybersecurity Framework (CSF), specifically aligning with the Recover function, organizations are expected to maintain comprehensive recovery plans including regular backups and testing of EBS volumes. This aligns with the framework's goal of reducing recovery time after a cyber incident.

Troubleshooting

If backup plans are not currently in place or functioning correctly, troubleshoot using the following steps:

  1. Check Backup Schedules:
    • Verify that Amazon Data Lifecycle Manager (DLM) policies are in place and scheduled correctly.
    • Ensure that the tags applied to EBS volumes match those specified in the DLM policies.
  2. Verify Execution:
    • Look at Amazon CloudWatch Events to ensure that backup events have been triggered according to the schedule.
    • Inspect the Amazon Simple Notification Service (SNS) notifications for any error messages during backup attempts.
  3. Check IAM Permissions:
    • Ensure that the IAM role associated with the DLM policy has the correct permissions for backing up EBS volumes.
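
The tag check from step 1 can be run offline against exported data. The following is an added example, not code from the original page or from AWS: the volume IDs, policy IDs and tags are constructed sample data shaped like the output of aws ec2 describe-volumes and the Policy object from aws dlm get-lifecycle-policy. It assumes a volume is targeted when it carries at least one of a policy's target tags, and it looks only at policies whose resource type is VOLUME.

```python
# Constructed sample data, shaped like `aws ec2 describe-volumes` output.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Tags": [{"Key": "Backup", "Value": "true"}]},
    {"VolumeId": "vol-0bbb", "Tags": [{"Key": "backup", "Value": "true"}]},
    {"VolumeId": "vol-0ccc", "Tags": [{"Key": "Backup", "Value": "weekly"}]},
    {"VolumeId": "vol-0ddd"},  # untagged volume: the key "Tags" is absent
]

# Constructed policies, shaped like the "Policy" object from `aws dlm get-lifecycle-policy`.
POLICIES = [
    {"PolicyId": "policy-daily", "State": "ENABLED",
     "PolicyDetails": {"ResourceTypes": ["VOLUME"],
                       "TargetTags": [{"Key": "Backup", "Value": "true"}]}},
    {"PolicyId": "policy-weekly", "State": "DISABLED",
     "PolicyDetails": {"ResourceTypes": ["VOLUME"],
                       "TargetTags": [{"Key": "Backup", "Value": "weekly"}]}},
]


def active_target_tags(policies):
    """Map each target tag of an ENABLED volume policy to the policy IDs using it."""
    targets = {}
    for policy in policies:
        details = policy.get("PolicyDetails", {})
        # A disabled policy takes no snapshots; non-volume policies are out of scope here.
        if policy.get("State") != "ENABLED" or "VOLUME" not in details.get("ResourceTypes", []):
            continue
        for tag in details.get("TargetTags", []):
            targets.setdefault((tag["Key"], tag["Value"]), []).append(policy["PolicyId"])
    return targets


def coverage(volumes, policies):
    """Return {volume_id: [policy IDs]}; an empty list means no policy targets it."""
    targets = active_target_tags(policies)
    report = {}
    for vol in volumes:
        # Exact, case-sensitive comparison; one matching target tag is enough (assumption).
        tags = {(t["Key"], t["Value"]) for t in vol.get("Tags", [])}
        report[vol["VolumeId"]] = sorted({p for tag in tags for p in targets.get(tag, [])})
    return report


def uncovered(volumes, policies):
    return sorted(v for v, pols in coverage(volumes, policies).items() if not pols)


if __name__ == "__main__":
    for vol_id in uncovered(VOLUMES, POLICIES):
        print(f"{vol_id}: not targeted by any enabled DLM volume policy")
```

In the sample, three volumes are reported: one whose tag key differs only in case, one that matches only a disabled policy, and one with no tags at all.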

Code Samples

The following AWS CLI commands and policies can be used to set up and verify backup compliance:

  1. Create IAM Policy for DLM Access:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateSnapshot",
                    "ec2:DeleteSnapshot",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeSnapshots"
                ],
                "Resource": "*"
            }
        ]
    }

  2. Create a DLM Policy:

Using AWS CLI, you can run the following command:

aws dlm create-lifecycle-policy --execution-role-arn [ROLE_ARN] --description "[DESCRIPTION]" --state ENABLED --policy-details file://[Your-Policy-File.json]

Ensure you replace [ROLE_ARN], [DESCRIPTION], and [Your-Policy-File.json] with your specific details.

Step by Step Guide for Remediation

  1. Create the IAM Role:
    • Use the IAM Console or AWS CLI to create an IAM role with the policy for DLM to create, manage, and delete snapshots.
  2. Set Up a DLM Lifecycle Policy:
    • Log in to the AWS Management Console.
    • Navigate to the EC2 Dashboard and choose 'Lifecycle Manager' in the navigation pane.
    • Click on 'Create Snapshot Lifecycle Policy'.
    • Specify a policy name, description, target tags, and schedule.
    • Define the retention rules for how long snapshots should be kept.
    • Set the IAM role you have created to give DLM permission to manage snapshots.
    • Confirm and create the policy.
  3. Test Backup System:
    • Create a test volume and tag it to match the policy.
    • Monitor the DLM Dashboard and CloudWatch Events to confirm snapshots are taken as expected.
    • Perform test restores of snapshots to ensure they are viable.
  4. Monitor and Review:
    • Regularly monitor backup policies and execution logs.
    • Review backup procedures annually or after significant infrastructure changes.

By adhering to these detailed steps, your EBS volumes should be consistently backed up according to the best practices set forth by the NIST Cybersecurity Framework, helping to ensure that your organization is well-prepared for data recovery in the event of a cyber incident.
