BR-1 |
Backup and recovery |
10.1 - Ensure Regular Automated Backups |
11.2 - Perform Automated Backups |
CP-2: CONTINGENCY PLAN |
nan |
Ensure regular automated backups |
Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. |
For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. |
How to enable Azure Backup: |
For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period. |
AWS Backup supported resources and third-party applications: |
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards |
|
|
|
|
CP-4: CONTINGENCY PLAN TESTING |
|
|
|
|
https://docs.microsoft.com/azure/backup/ |
|
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html |
|
|
|
|
|
CP-9: INFORMATION SYSTEM BACKUP |
|
|
|
For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability. |
|
For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of its resource creation. |
|
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
|
|
|
|
|
|
Auto-Enable Backup on VM Creation using Azure Policy: |
|
Amazon S3 versioning: |
|
|
|
|
|
|
|
|
|
For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: |
https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup |
For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: |
https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
|
|
|
|
|
|
|
|
- If you use Azure Storage for data storage, enable blob versioning for your storage blobs which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage. |
|
- If Amazon S3 is used for data storage, enable S3 versioning for your storage backet which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket. |
|
|
|
|
|
|
|
|
|
|
- Service configuration settings can usually be exported to Azure Resource Manager templates. |
|
- Service configuration settings can usually be exported to CloudFormation templates. |
AWS CloudFormation best practices: |
Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation |
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html |
|
BR-2 |
Backup and recovery |
10.4 - Ensure Protection of Backups |
11.3 - Protect Recovery Data |
CP-6: ALTERNATE STORAGE SITE |
3.4 |
Protect backup and recovery data |
Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. |
Use multi-factor-authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. |
Overview of security features in Azure Backup: |
Use AWS IAM access control to secure AWS Backup. This includes securing the AWS Backup service access and backup and restore points. Example controls include: |
Security in AWS Backup: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
|
CP-9: INFORMATION SYSTEM BACKUP |
|
|
|
|
https://docs.microsoft.com/azure/backup/security-overview |
- Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point. |
https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html |
|
|
|
|
|
|
|
|
|
For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. |
|
- Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources. |
|
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
|
|
|
|
|
|
|
|
|
Encryption of backup data using customer-managed keys: |
- Use AWS KMS in conjunction with AWS Backup to encrypt the backup data either using customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. |
Security Best Practices for Amazon S3: |
|
|
|
|
|
|
|
|
|
Safeguard backup data from accidental or malicious deletion, such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restoration to ensure backup data is restorable when there is a disaster in primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures. |
https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk |
- Use AWS Backup Vault Lock for immutable storage of critical data. |
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html |
Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation |
|
|
|
|
|
|
|
|
|
|
- Secure S3 buckets through access policy, disabling public access, enforcing data at-rest encryption, and versioning control. |
|
|
|
|
|
|
|
|
|
|
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls. |
Security features to help protect hybrid backups from attacks: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Backup - set cross region restore |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore |
|
|
|
BR-3 |
Backup and recovery |
10.4 - Ensure Protection of Backups |
11.3 - Protect Recovery Data |
CP-9: INFORMATION SYSTEM BACKUP |
nan |
Monitor backups |
Ensure all business-critical protectable resources are compliant with the defined backup policy and standard. |
Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate. |
Govern your backup estate using Backup Center: |
AWS Backup works with other AWS tools to empower you to monitor its workloads. These tools include the following: |
AWS Backup Monitoring: |
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation |
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/backup/backup-center-govern-environment |
- Use AWS Backup Audit Manager to monitor the backup operations to ensure the compliance. |
https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html |
|
|
|
|
|
|
|
|
|
Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults. |
|
- Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes. |
|
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management |
|
|
|
|
|
|
|
|
|
Monitor and operate backups using Backup center: |
- Use CloudWatch to track metrics, create alarms, and view dashboards. |
Monitoring AWS Backup events using EventBridge: |
|
|
|
|
|
|
|
|
|
Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. |
https://docs.microsoft.com/azure/backup/backup-center-monitor-operate |
- Use EventBridge to view and monitor AWS Backup events. |
https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html |
|
|
|
|
|
|
|
|
|
|
|
- Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events. |
|
|
|
|
|
|
|
|
|
|
|
Monitoring and reporting solutions for Azure Backup: |
|
Monitoring AWS Backup metrics with CloudWatch: |
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview |
|
https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Using Amazon SNS to track AWS Backup events: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Audit backups and create reports with AWS Backup Audit Manager: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html |
|
BR-4 |
Backup and recovery |
10.3 - Test Data on Backup Media |
11.5 - Test Data Recovery |
CP-4: CONTINGENCY PLAN TESTING |
nan |
Regularly test backup |
Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as per defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). |
Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. |
How to recover files from Azure Virtual Machine backup: |
Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. |
Restoring a backup: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
|
CP-9: INFORMATION SYSTEM BACKUP |
|
|
|
|
https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm |
|
https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html |
|
|
|
|
|
|
|
|
|
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. |
|
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. |
|
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation |
|
|
|
|
|
|
|
|
|
How to restore Key Vault keys in Azure: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 |
|
|
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security |