AWS Backup recovery points are evaluated for encryption at rest using the backup vault's KMS configuration. Items lacking vault-level encryption are highlighted, regardless of the source resource's encryption.
Risk
Unencrypted recovery points can be read or copied if vault access is obtained, enabling offline analysis and data theft (confidentiality). Snapshots or restores may be altered (integrity), and unsafe restores can disrupt recovery operations (availability).
prowler aws --checks backup_recovery_point_encrypted
Recommendation
Encrypt all recovery points with KMS, preferring customer-managed keys for rotation and access control. Apply least privilege to both the keys and the vaults, require encrypted copies across accounts/Regions, and continuously monitor for unencrypted artifacts. Use either the AWS managed aws/backup key or a customer-managed key (CMEK) consistently across vaults.
Remediation
- In AWS Backup, go to Backup vaults > Create backup vault
- Enter a name and select a KMS key (aws/backup or a customer-managed key)
- Save the vault
- Go to Backup plans > select your plan > Edit and set the Target backup vault to the encrypted vault > Save
- To remediate existing unencrypted recovery points: Recovery points > select the item > Copy > choose the encrypted vault > Start copy, then delete the original unencrypted recovery point
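As an added example (not Prowler's own code), the check logic described above run offline over dicts shaped like the boto3 AWS Backup API responses, so it flags points in an unencrypted vault even when the source resource is encrypted; the vault names, ARNs and key IDs are constructed placeholders.

```python
def find_unencrypted_recovery_points(vaults, recovery_points):
    """Return one finding per recovery point not protected at rest.

    Mirrors the check logic above: the vault's KMS configuration decides, so a
    point in a vault with no EncryptionKeyArn is flagged even when the source
    resource (e.g. an encrypted EBS volume) reports IsEncrypted=True.
    """
    vault_keys = {v["BackupVaultName"]: v.get("EncryptionKeyArn") for v in vaults}
    findings = []
    for vault_name, points in recovery_points.items():
        vault_key = vault_keys.get(vault_name)
        for rp in points:
            reasons = []
            if not vault_key:
                reasons.append("vault has no KMS key configured")
            if not rp.get("IsEncrypted", False):
                reasons.append("recovery point is not encrypted")
            if reasons:
                findings.append({
                    "vault": vault_name,
                    "recovery_point_arn": rp["RecoveryPointArn"],
                    "resource_type": rp.get("ResourceType", "unknown"),
                    "reasons": reasons,
                })
    return findings

# Constructed sample data shaped like the boto3 list_backup_vaults() and
# list_recovery_points_by_backup_vault() responses; names, ARNs and key IDs
# are placeholders, not real resources.
SAMPLE_VAULTS = [
    {"BackupVaultName": "encrypted-vault",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"BackupVaultName": "legacy-vault"},  # no vault-level KMS key configured
]
SAMPLE_RECOVERY_POINTS = {
    "encrypted-vault": [
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-1",
         "ResourceType": "EBS", "IsEncrypted": True},
    ],
    "legacy-vault": [
        {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-EXAMPLE",
         "ResourceType": "EBS", "IsEncrypted": True},  # source encrypted, vault is not
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-3",
         "ResourceType": "DynamoDB", "IsEncrypted": False},
    ],
}

if __name__ == "__main__":
    for f in find_unencrypted_recovery_points(SAMPLE_VAULTS, SAMPLE_RECOVERY_POINTS):
        print(f"{f['vault']}: {f['recovery_point_arn']} ({', '.join(f['reasons'])})")
```

Against a live account, the same function can be fed the paginated output of the two boto3 calls named in the comments; only the points in the vault without a key are reported.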
Resource Type
AwsBackupRecoveryPoint
References
- https://docs.aws.amazon.com/securityhub/latest/userguide/backup-controls.html#backup-1
- https://readmedium.com/how-would-you-desgin-a-solution-for-autmated-backup-and-recovery-of-data-and-services-in-aws-311662f5a43e
- https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html
- https://medium.com/cloud-devops-security-ai-career-talk/how-would-you-desgin-a-solution-for-autmated-backup-and-recovery-of-data-and-services-in-aws-311662f5a43e
- https://github.com/turbot/steampipe-mod-aws-compliance/issues/598