Exactly a year ago, an unauthorized intruder gained access to Code Spaces’ Amazon Web Services (AWS) control panel and attempted to extort a large sum of money from the company in exchange for relinquishing access/control back to Code Spaces. However, by the time Code Spaces finally managed to regain access to their AWS account, the damage had already been done. Over a 12-hour period, most of Code Spaces’ data and backups, including the offsite backups, were partially or completely deleted.
Over the last year, we’ve received recurring requests from our customers to allow backup and recovery across multiple AWS accounts using Cloud Protection Manager (CPM), in order to prevent attacks that lead to snapshot and data deletion. Put simply, if data and snapshots are stored in an additional account, guarded separately from the original account, the backup data stays safe even when the original account is compromised through a security hole or an attack. Because our current and prospective customers regarded this as a best practice for backups, we implemented it in CPM version 1.8, which includes cross-AWS-account backup and restore capabilities, allowing automatic copy and recovery of snapshots between AWS accounts.
CPM’s Backup and DR Capabilities
CPM provides you with a fully-featured backup and disaster recovery solution within Amazon EC2. Using CPM’s policy-based backup solution, you can specify a policy where snapshots are automatically copied to other AWS accounts or AWS regions. You also have the option to determine whether the snapshots should be kept or deleted in the original account once they are copied to the DR account. You may prefer to keep the same snapshot in multiple accounts as an additional security measure, or choose not to do so in order to reduce storage costs (see my previous N2WS article about snapshot costs).
CPM automatically deletes older EBS snapshots according to the retention windows and policies you configure. However, CPM can instead be configured to tag such snapshots as “Ready for Deletion” rather than actually deleting them. This allows you to use CPM with “safer” IAM credentials for the vault account, that is, credentials without the delete-snapshot permission. So, even if CPM is compromised (very unlikely), the vault account credentials can’t be used to delete the snapshots. Only the owner of the DR account can execute the deletion, manually or with a script, using a different IAM user than the one CPM uses. It is important to note that the owner of the DR account has different credentials than those of the original account, thereby ensuring that your data remains protected.
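As an added illustration of the split this paragraph describes (example code, not CPM’s own; the tag key, the policy contents and the grace period are assumptions), here is the vault-account policy pair, a minimal policy evaluator that checks the backup user really cannot delete, and the selection logic a cleanup script run by the owner’s separate IAM user would use:

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Assumption: the backup tool marks snapshots with tag "Status" = "Ready for Deletion"
# (the page names the label, not the tag key).
DELETE_TAG = ("Status", "Ready for Deletion")

# Policy for the IAM user whose keys live in the backup tool: copy, describe and
# tag snapshots in the vault account; deletion is explicitly denied.
VAULT_BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CopySnapshot", "ec2:Describe*", "ec2:CreateTags"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["ec2:DeleteSnapshot"]}]}

# Policy for the separate cleanup user, held only by the vault account's owner.
VAULT_CLEANUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeSnapshots", "ec2:DeleteSnapshot"]}]}

def is_allowed(policy, action):
    """Simplified IAM evaluation: a matching explicit Deny wins, else a matching Allow."""
    def matches(stmt):
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        return any(fnmatch.fnmatchcase(action, a) for a in acts)
    stmts = [s for s in policy["Statement"] if matches(s)]
    if any(s["Effect"] == "Deny" for s in stmts):
        return False
    return any(s["Effect"] == "Allow" for s in stmts)

def select_for_deletion(snapshots, now, grace_days=7):
    """Ids the cleanup user should delete: tagged by the backup tool and older than
    a grace period (the grace period is this example's assumption, not a CPM feature)."""
    key, value = DELETE_TAG
    cutoff = now - timedelta(days=grace_days)
    chosen = []
    for snap in snapshots:
        tags = {t["Key"]: t["Value"] for t in snap.get("Tags", [])}
        if tags.get(key) == value and snap["StartTime"] <= cutoff:
            chosen.append(snap["SnapshotId"])
    return chosen

# Constructed sample shaped like DescribeSnapshots output.
NOW = datetime(2015, 6, 17, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "StartTime": NOW - timedelta(days=40),
     "Tags": [{"Key": "Status", "Value": "Ready for Deletion"}]},
    {"SnapshotId": "snap-0b2", "StartTime": NOW - timedelta(days=2),
     "Tags": [{"Key": "Status", "Value": "Ready for Deletion"}]},
    {"SnapshotId": "snap-0c3", "StartTime": NOW - timedelta(days=40), "Tags": []}]
```

The explicit Deny means the backup user stays unable to delete even if a broader policy is later attached to it by mistake; the grace period gives the vault owner time to notice a mis-set retention window before anything is removed.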
CPM also allows you to recover snapshots to an account that is different from the one in which the snapshots are stored. In a data-loss scenario, this capability enables you to recover your instances and volumes back into their original account, while the snapshots are stored elsewhere. This way, only snapshots are stored in your DR account, while CPM recovers your instances back to the original account, or to a third account, with a single click. To further preserve your data’s security before performing recovery, CPM only permits snapshot recovery into accounts that have already been registered in CPM.
Large Enterprise Real Life Configuration
A production account of a large enterprise in Amazon EC2 is typically accessible and used by many of its employees. Such an AWS account may be vulnerable to actions of potentially disgruntled employees or unauthorized access by hackers. While there are various access control options provided by AWS and others, one way to greatly improve the resiliency to data loss is by using CPM and setting an additional AWS account acting as a backup vault. This account has separate credentials known only to a trusted person within the organization, making it inaccessible to the users of the production account. By setting a cross-account backup policy in CPM, all backup data from the production account is automatically stored in the vault. In case the production data is lost or compromised, the backup data can instantly be copied back and restored to the original account or other pre-defined accounts. The separate “vault” account for backups allows organizations to provide an open work environment to their developers without compromising continuous backup and DR data security.
One of our key customers is a large media organization with multiple AWS accounts. A primary account is used for the production environment while another one was created to store the snapshots for backup and DR purposes. The DR account contains snapshots of hundreds of EC2 instances with tens of terabytes of EBS storage. The customer defined a policy in CPM that once the snapshots are copied into the DR account, they are automatically deleted from the primary account to avoid double payment for the backup data. In cases of outages or degradation in production, the customer can use CPM to automatically recover its instances back into its primary production account.
Can You Trust CPM?
In 2013, we released our backup and recovery product, CPM, which is currently among the most popular enterprise solutions sold on AWS’ Marketplace. Today, thousands of production application and database servers running on AWS cloud are backed up with CPM.
CPM is safe, reliable, and secure. It has a wide user base, ranging from SMBs to large enterprises, government agencies and universities all over the world. The CPM solution has been qualified by many organizations and is trusted to maintain a reliable backup. As data security is key to product integrity, CPM is a highly secure solution: all AWS secret keys stored in CPM are encrypted, and the CPM server is only accessible via HTTPS and SSH. Secret keys are never displayed in CPM’s GUI and are always encrypted in CPM’s databases. Unlike third-party SaaS solutions, the CPM instance is launched within the customer’s own EC2 environment and under the customer’s own security policies, so data and credentials are never exposed outside the customer’s infrastructure. To strengthen security further, we also suggest placing the CPM instance in an AWS security group that restricts access so that no one outside your organization’s network can reach it. With Cloud Protection Manager, you can rest assured that your data remains secured and protected.
Getting Started with CPM
You can try out Cloud Protection Manager with the 30-day free trial available on the AWS Marketplace. To help you get started, our website offers detailed product documentation, including a Quick Start Guide, a full User’s Guide and video tutorials. After launching your own trial instance, you can try out the backup features provided by CPM in your own environment, including cross-account backup and recovery, and determine which CPM version best suits your needs.