Final StretchOrdered learning track

Backup Governance and Restore Readiness

Learn AWS Security, Monitoring and Management - Part 068

Backup governance and restore readiness di AWS: AWS Backup, backup policies, vault, Vault Lock, logically air-gapped vault, cross-account/cross-region copy, restore testing, ransomware recovery posture, evidence, dan operating model.

11 min read2040 words
PrevNext
Lesson 6872 lesson track60–72 Final Stretch
#aws#security#monitoring#management+3 more

Part 068 — Backup Governance and Restore Readiness

Backup sering disalahpahami sebagai urusan storage.

Di production-grade AWS environment, backup adalah recovery control, ransomware resilience boundary, compliance evidence, dan last line of defense ketika preventive, detective, dan responsive control gagal.

Backup yang tidak pernah diuji restore-nya belum bisa dianggap backup.

Backup yang bisa dihapus oleh credential yang sama dengan workload production belum bisa dianggap recovery boundary.

Backup yang tidak punya owner, policy, retention, encryption, cross-account/cross-region strategy, dan evidence belum bisa dianggap governance.

AWS Backup menyediakan primitive untuk membangun ini: backup plan, backup rule, backup selection, backup vault, copy action, backup policies via AWS Organizations, delegated administrator, Vault Lock, logically air-gapped vault, restore testing, Audit Manager, dan job monitoring.

Referensi resmi AWS yang relevan:


1. Mental Model: Backup Bukan File Copy

Backup production harus menjawab enam pertanyaan:

Apa yang harus dipulihkan?
Seberapa jauh data boleh hilang?
Seberapa cepat harus kembali?
Siapa yang boleh menghapus/mengubah backup?
Apakah backup bisa dipulihkan saat account/workload compromise?
Bagaimana kita membuktikan restore benar-benar bisa dilakukan?

Definisi dasar:

IstilahMakna
RPORecovery Point Objective: batas kehilangan data yang dapat diterima.
RTORecovery Time Objective: batas waktu pemulihan yang dapat diterima.
BackupSalinan recovery point.
RestoreProses membuat resource usable dari recovery point.
Backup governancePolicy, ownership, retention, encryption, isolation, evidence.
Restore readinessKeyakinan berbasis uji bahwa recovery point bisa dipulihkan sesuai RTO/RPO.

Backup bukan goal. Restore adalah goal.

Backup success != recovery success
Recovery point exists != application is restored
Snapshot exists != data is consistent
Vault locked != restore path works

2. Threat Model Backup

Backup strategy harus didesain melawan failure dan adversary.

ThreatContoh
Accidental deletionEngineer menghapus table/bucket/volume.
Bad deploymentMigration merusak data.
Regional failureRegion dependency tidak tersedia.
Account compromiseAttacker mencoba menghapus backup.
RansomwareData dienkripsi/dihapus, backup juga ditarget.
Insider threatPrivileged user mengubah retention/deletion.
KMS/key failureBackup ada tetapi tidak bisa decrypt.
Policy driftResource critical tidak lagi tercakup backup plan.
Restore rotBackup berhasil, tetapi restore runbook rusak/tidak pernah diuji.

Backup governance harus mengasumsikan:

Workload account bisa compromise.
Admin credential bisa compromise.
Region bisa bermasalah.
IaC bisa salah.
KMS policy bisa salah.
Backup job success bisa memberi rasa aman palsu.

3. AWS Backup Core Primitive

Primitive:

PrimitiveFungsi
Backup planKontrak jadwal, lifecycle, dan copy backup.
Backup ruleFrekuensi, window, vault target, lifecycle, copy action.
Backup selectionResource mana yang masuk plan, sering berbasis tag.
Backup vaultContainer recovery points.
Recovery pointBackup individual yang dapat direstore.
Copy actionMenyalin backup ke region/account/vault lain.
Vault LockImmutability/retention protection.
Restore testing planUji restore berkala.
Backup Audit ManagerEvidence compliance backup controls.

Jangan mulai dari “backup semua resource”. Mulai dari recovery requirement.


4. Klasifikasi Workload untuk Backup

Tidak semua workload butuh backup yang sama.

TierContohRPORTOStrategy
Tier 0Identity, audit, KMS config, landing zone staterendahrendahimmutable backup, config export, cross-account, tested restore
Tier 1Payment, customer data, regulatory recordsmenit-jammenit-jamfrequent backup/PITR, cross-region/account copy, restore testing
Tier 2Core application statejamjamdaily/hourly backup, tested restore
Tier 3Derived/cache/rebuildabletinggitinggimaybe no backup, rebuild from source
Tier 4Ephemeral computen/an/ano backup; recreate via IaC

Engineering mistake umum:

backup infrastructure yang reproducible
lupa backup data yang non-reproducible

Yang perlu dilindungi adalah state yang tidak bisa dibangun ulang dari code/pipeline.


5. Backup Policy sebagai Governance Contract

Backup policy harus menjawab:

resource class
classification
frequency
retention
copy target
vault lock
restore test frequency
owner
exception process

Contoh policy table:

Data ClassResourceFrequencyRetentionCopyRestore Test
regulatedRDS/Aurorahourly/daily + PITR7y sesuai regulasicross-account + cross-regionmonthly
confidentialEBS/RDS/S3daily90–365dcross-accountquarterly
internalEBS/RDSdaily30–90doptionalsemiannual
ephemeralEC2/ECS tempnonen/anonen/a

Dengan AWS Organizations backup policies, organisasi dapat mendefinisikan backup plans secara terpusat dan menerapkannya ke account/OUs. Ini penting untuk menghindari setiap tim membuat backup policy sendiri tanpa standar.


6. Account Model untuk Backup

Production-grade backup jarang ideal jika semua berada dalam workload account yang sama.

Model yang lebih kuat:

Account roles:

AccountFungsi
Workload accountSource resource dan local operational restore.
Backup delegated admin accountCentral policy, monitoring, governance.
Backup security/recovery accountIsolated vault dan recovery boundary.
Log archive/security accountBackup audit logs dan evidence.
DR account/regionRecovery target untuk major outage/compromise.

Principle:

Credential yang bisa merusak workload tidak boleh otomatis bisa menghancurkan backup final.

7. Backup Vault Design

Backup vault adalah container recovery point. Desain vault menentukan encryption, access control, retention behavior, monitoring, dan restore path.

Vault strategy:

Vault TypeTujuan
Local operational vaultRestore cepat untuk kesalahan biasa.
Locked compliance vaultRetention immutability.
Cross-account vaultIsolasi dari workload account.
Cross-region vaultRegional resilience.
Logically air-gapped vaultRecovery isolation/shareability untuk skenario compromise.

Jangan campur semua data di satu vault generik.

Contoh naming:

vault-prod-tier1-local
vault-prod-tier1-xacct-locked
vault-prod-regulated-7y-compliance
vault-prod-dr-ap-southeast-3
vault-prod-airgapped-critical

Vault policy harus membatasi:

who can start backup jobs
who can copy into vault
who can restore
who can delete recovery points
who can change vault policy
who can change vault lock

8. Vault Lock: Governance Mode vs Compliance Mode

Vault Lock membantu mencegah perubahan retention/delete yang merusak backup.

Mental model:

Vault Lock membuat backup retention lebih sulit atau tidak mungkin diubah/dihapus sebelum waktunya.

Dua mode umum:

ModeKarakter
Governance modeProteksi kuat, tetapi user dengan permission khusus masih bisa mengubah/menghapus lock/config.
Compliance modeSetelah grace time selesai, konfigurasi tidak bisa diubah/dihapus oleh customer/account owner/AWS selama vault berisi recovery point.

Gunakan compliance mode dengan sangat hati-hati.

Checklist sebelum compliance lock:

[ ] Retention benar sesuai legal/business requirement.
[ ] Cost impact dipahami.
[ ] Restore path diuji.
[ ] KMS/encryption design benar.
[ ] Vault policy benar.
[ ] Exception/legal hold process jelas.
[ ] Grace time digunakan untuk validasi.
[ ] Approval multi-person dilakukan.

Compliance lock yang salah bisa membuat organisasi membayar retention panjang yang tidak bisa dibatalkan.


9. Logically Air-Gapped Vault

Logically air-gapped vault adalah vault yang didesain untuk recovery isolation dan secure sharing lintas account/Organizations.

Gunanya:

mengurangi risiko source account compromise menghancurkan semua recovery point
mempercepat restore lintas account
mendukung ransomware recovery posture
menyediakan boundary pemulihan yang lebih terisolasi

Pattern:

Hal yang harus dipahami:

  • Ini “logical” air gap, bukan offline tape.
  • Access, sharing, restore, encryption, dan approval tetap harus didesain.
  • Restore target account harus siap.
  • KMS/key model harus diuji.
  • Security automation jangan sampai salah menghapus/mengganggu recovery workflow.

10. KMS dan Encryption Failure Mode

Backup sering gagal dipulihkan bukan karena recovery point hilang, tetapi karena key/access salah.

Pertanyaan wajib:

KMS key mana yang mengenkripsi backup?
Siapa bisa decrypt saat restore?
Apakah key berada di source account atau backup account?
Apakah key policy mengizinkan AWS Backup service role?
Apakah cross-account copy butuh re-encryption?
Apakah key bisa dihapus oleh compromised admin?
Apakah key rotation/alias change memengaruhi runbook?

Failure mode:

FailureDampak
KMS key deleted/scheduled deletionBackup tidak bisa dipulihkan.
Key policy terlalu sempitRestore job gagal.
Key policy terlalu longgarData bisa didecrypt pihak tidak berwenang.
Cross-account grant tidak benarCopy/restore gagal.
Vault lock ada tapi key tidak terlindungiBackup immutable tetapi unreadable.

Invariant:

Backup immutability tanpa key recoverability adalah ilusi.

11. Resource Selection: Tag-Based, But Guarded

AWS Backup selection sering berbasis tag.

Contoh:

backup:tier = tier1
backup:enabled = true
backup:plan = regulated-7y

Tag-based selection scalable, tetapi punya risiko:

tag dihapus -> resource keluar dari backup
tag salah -> resource tidak pernah dibackup
tag privilege tidak dilindungi -> attacker bisa opt out backup

Guardrail:

SCP/IAM deny removing protected backup tags on prod resources
Config rule detects critical resource without backup tag
AWS Backup protected resource report
Security Hub/Config finding for backup non-compliance
periodic inventory diff: critical resource vs backup plan coverage

Better model:

resource criticality source of truth
-> tag enforced by provisioning pipeline
-> Config detects drift
-> Backup selection consumes tag
-> Audit Manager/evidence verifies coverage

Jangan mengandalkan tag manual.


12. Backup Frequency dan Consistency

Frekuensi backup harus mengikuti RPO, bukan kebiasaan.

RPOPattern
minutesPITR/continuous backup/service-native replication.
hourlyFrequent backup rule + copy strategy.
dailyStandard snapshot backup.
weekly/monthlyArchive/compliance retention.

Consistency concern:

ResourceConcern
RDS/AuroraTransaction consistency, PITR, parameter/subnet/security context.
DynamoDBPITR, table schema/indexes, IAM/app config.
EBSApp/filesystem consistency if snapshot while writes active.
EFSFile-level state and restore target.
S3Versioning, lifecycle, delete markers, object lock, replication.
EKSCluster state + persistent volumes + manifests/config.

Backup data saja tidak cukup jika application metadata tidak bisa direkonstruksi.

Contoh:

Database restored, tetapi Secrets Manager secret lama hilang.
Snapshot restored, tetapi KMS key policy tidak mengizinkan app role.
EBS restored, tetapi launch template/security group/IAM role tidak cocok.
DynamoDB restored, tetapi stream/event consumer state tidak sinkron.

Restore readiness harus mencakup dependency.


13. Cross-Region dan Cross-Account Copy

Cross-region melindungi dari regional failure.

Cross-account melindungi dari account compromise atau accidental destructive access.

Kombinasi keduanya memberi resilience lebih kuat.

Decision table:

RequirementNeeded?
Accidental deletion recoveryLocal vault mungkin cukup.
Workload account compromiseCross-account copy.
Regional outageCross-region copy.
Ransomware resilienceLocked/cross-account/logically air-gapped vault.
Regulatory retentionVault Lock + evidence + access controls.
Fast restoreLocal plus pre-tested restore target.

Trade-off:

lebih banyak copy = biaya lebih besar
lebih banyak isolation = restore path lebih kompleks
lebih panjang retention = compliance lebih kuat tetapi cost/legal risk lebih besar

14. Restore Testing

Restore testing adalah titik balik dari backup theater menjadi recovery engineering.

AWS Backup restore testing plan memungkinkan organisasi mendefinisikan frekuensi test, window, dan resource selection untuk menguji restore secara berkala.

Restore test harus menjawab:

Apakah recovery point bisa dipilih?
Apakah restore job berhasil?
Apakah resource hasil restore usable?
Apakah aplikasi bisa membaca data?
Apakah IAM/KMS/network dependency benar?
Apakah RTO realistis?
Apakah runbook masih benar?

Minimal restore test stages:

Test yang hanya memastikan restore job status COMPLETED belum cukup.

Untuk database:

connectivity test
schema/version validation
row count/checksum sample
application smoke test
permission test
performance sanity check

Untuk object storage:

object count/sample verification
metadata/tag/ACL validation
sensitive data control validation
application read path test

15. Restore Runbook

Setiap critical resource harus punya restore runbook.

Template:

Resource class:
Business owner:
Technical owner:
RPO:
RTO:
Backup plan:
Vault:
Cross-account/cross-region copy:
KMS key:
Restore target:
Network dependencies:
IAM roles:
Secrets/config dependencies:
Validation steps:
Rollback/re-cutover steps:
Communication steps:
Evidence required:

Runbook contoh high-level RDS:

1. Identify restore point based on incident timestamp and corruption window.
2. Confirm target account/region and isolation requirement.
3. Validate KMS decrypt permission.
4. Restore DB to new instance/cluster, not overwriting original.
5. Apply parameter/subnet/security group configuration.
6. Run integrity queries/checksums.
7. Run application smoke tests against restored endpoint.
8. Decide cutover strategy: DNS/config switch, app redeploy, or data repair.
9. Monitor error/latency after cutover.
10. Preserve old corrupted state if forensic analysis required.

16. Backup Monitoring

Backup jobs need monitoring like production workloads.

Signals:

backup job failed
copy job failed
restore job failed
restore test failed
backup job duration anomaly
last successful backup age exceeds RPO
recovery point count below expectation
vault policy changed
vault lock changed/attempted change
KMS key scheduled deletion
critical resource missing backup coverage

Routing:

Critical backup failure can be an incident.

Example:

Tier-1 database has no successful backup within RPO window
-> create SEV-2/SEV-1 depending on recovery risk

17. Backup Compliance Evidence

Compliance asks:

Can you prove critical data is backed up?
Can you prove backup retention is enforced?
Can you prove backup cannot be deleted early?
Can you prove restores are tested?
Can you prove who accessed or restored data?

Evidence sources:

EvidenceSource
Backup plan definitionAWS Backup / Organizations policy / IaC.
Resource selectionAWS Backup selection, tags, inventory.
Job success/failureAWS Backup jobs, EventBridge events.
Recovery point inventoryAWS Backup vault/recovery point APIs.
Vault lock statusAWS Backup vault lock config.
Restore test resultsAWS Backup restore testing reports/jobs.
Access auditCloudTrail events.
Policy driftConfig/custom controls/IaC drift.
KMS usageCloudTrail KMS events where applicable.

Evidence should be generated, not manually assembled during audit week.


18. Ransomware Recovery Posture

Ransomware-style threat in cloud often targets:

production data
snapshots
backup vaults
KMS keys
IAM policies
logging/audit services
replication targets

Defensive posture:

immutable/locked backup
cross-account backup vault
cross-region copy
separate backup admin role
MFA/JIT for restore/delete-sensitive operations
SCP preventing backup/security service tampering
CloudTrail and Config monitoring
restore testing into clean account
logically air-gapped vault for critical recovery points

Ransomware recovery question:

If the workload account admin is compromised, can we still restore clean data without trusting that account?

If answer is no, backup is not isolated enough.


19. Clean Recovery Account Pattern

Untuk compromise besar, restore ke account yang sama mungkin tidak aman.

Pattern:

Clean recovery account harus punya:

predefined OU placement
baseline guardrails
IAM Identity Center access
logging/security services enabled
network baseline
KMS restore path
application deployment pipeline
DNS/cutover plan

Jangan menunggu incident untuk membuat account recovery pertama kali.


20. Backup Access Control

Backup restore adalah privileged data access.

Risiko:

user tidak bisa read database production, tetapi bisa restore backup lalu read semua data
user tidak bisa delete resource, tetapi bisa delete recovery point
admin bisa change retention menjadi pendek lalu delete after expiration
automation role terlalu luas di semua vault

Control:

separate backup admin and restore operator roles
approval for restore of sensitive data
deny delete recovery point except controlled automation
MFA/JIT for sensitive restore
CloudTrail alert for restore/delete/vault policy changes
least privilege per vault/classification

Restore harus dianggap data access event.


21. IaC and Backup Drift

Backup configuration should be code-defined.

But backup has runtime state.

Code-managed:

backup plans
vaults
vault policies
backup selections
organization backup policies
EventBridge monitoring rules
IAM roles
KMS policies
restore testing plans

Runtime-monitored:

job success
recovery point creation
copy job success
restore job results
vault lock status
unexpected policy changes
resource coverage drift

IaC alone cannot prove backup works. It only proves desired configuration was declared.


22. Common Failure Modes

Failure ModeConsequenceControl
Resource not taggedNo backup createdConfig detection + tag enforcement.
Backup job fails silentlyRPO missedEventBridge alarm + incident threshold.
Vault in same account onlyAttacker/admin can delete backupCross-account copy + vault lock.
KMS key deletedBackup unreadableSCP/key deletion alert + key governance.
Restore never testedFalse confidenceRestore testing plan + evidence.
Retention too shortCannot recover after delayed detectionRisk-based retention.
Retention too longCost/legal exposureClassification-based retention.
Restore role too broadData exposureLeast privilege + approval.
Vault Lock misconfiguredPermanent costly mistakegrace period + multi-person review.
Backup covers data but not configApp cannot recoverApp-level restore runbook.
Cross-region copy not monitoredDR illusionCopy job monitoring.
Clean recovery account absentSlow ransomware recoveryPre-provisioned recovery environment.

23. Backup Dashboard

Dashboard should show recovery readiness, not just backup count.

Sections:

critical resources coverage
last successful backup age vs RPO
backup job failures by owner
copy job failures by target region/account
restore test success/failure
vault lock status
recovery points by classification
resources without backup tag
KMS/key risk for backup vaults
incident-grade backup failures

Bad dashboard:

Total backup jobs this week: 10,231

Good dashboard:

Tier-1 resources missing successful backup within RPO: 2
Regulated vaults without compliance lock: 0
Restore tests failed this month: 1
Cross-account copy failures for critical resources: 3

24. Production Checklist

[ ] Critical resources classified by RPO/RTO.
[ ] AWS Backup delegated administrator configured where appropriate.
[ ] Organization backup policies or equivalent IaC governance exist.
[ ] Backup selections are automated and protected from tag tampering.
[ ] Local, cross-account, and cross-region strategy defined by tier.
[ ] Backup vault policies are least privilege.
[ ] Vault Lock used where retention immutability is required.
[ ] Logically air-gapped vault considered for critical/ransomware-sensitive workloads.
[ ] KMS key policies tested for backup/copy/restore.
[ ] Restore testing plans exist for Tier-0/Tier-1/Tier-2 resources.
[ ] Restore runbooks include application validation, not only infrastructure restore.
[ ] Backup/copy/restore failures route to owner or Incident Manager based on severity.
[ ] Clean recovery account/region strategy exists for compromise scenario.
[ ] CloudTrail monitors restore/delete/vault policy/key changes.
[ ] Backup evidence is available for audit.

25. Kesimpulan

Backup governance adalah soal kemampuan organisasi bertahan saat state rusak atau hilang.

Desain yang matang tidak bertanya:

Apakah backup aktif?

Ia bertanya:

Apakah data critical tercakup?
Apakah recovery point cukup baru?
Apakah backup terlindungi dari compromised account?
Apakah key untuk decrypt aman dan tersedia?
Apakah restore pernah diuji?
Apakah aplikasi bisa hidup dari hasil restore?
Apakah evidence cukup untuk audit?

Backup tanpa restore test adalah asumsi.

Vault tanpa access governance adalah risiko.

Cross-account copy tanpa runbook adalah ilusi.

Immutability tanpa KMS recoverability adalah jebakan.

Recovery readiness adalah hasil dari policy, isolation, monitoring, testing, evidence, dan latihan.

Di Part 069 kita akan masuk ke Compliance as Engineering System: bagaimana compliance dibangun sebagai pipeline kontrol dan evidence, bukan checklist manual menjelang audit.

Lesson Recap

You just completed lesson 68 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.