Amazon EBS Volumes Should Be Protected by a Backup Plan

Overview

This check verifies that your Amazon EBS volumes are included in an AWS Backup plan. AWS Backup provides a centralized way to automate and manage backups across AWS services, ensuring your data is protected and recoverable.

Risk

Without backup coverage, your EBS volumes are vulnerable to:

  • Permanent data loss from accidental deletion or corruption
  • Extended outages when recovery is needed but no backup exists
  • Compliance failures for regulations requiring data backup and retention
  • Ransomware or malicious attacks with no recovery path

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to manage AWS Backup
  • The AWSBackupDefaultServiceRole IAM role (AWS creates this automatically when you first use AWS Backup)

IAM permissions details

To manage AWS Backup, your IAM user or role needs these permissions:

  • backup:CreateBackupPlan
  • backup:CreateBackupSelection
  • backup:CreateBackupVault
  • backup:ListBackupPlans
  • iam:PassRole (for the backup service role)

The managed policy AWSBackupFullAccess includes all necessary permissions.

AWS Console Method

  1. Open the AWS Backup console

  2. Create a backup vault (if you don't have one):

    • Click Backup vaults in the left menu
    • Click Create backup vault
    • Enter a name (e.g., ebs-backup-vault)
    • Click Create backup vault

  3. Create a backup plan:

    • Click Backup plans in the left menu
    • Click Create backup plan
    • Select Build a new plan
    • Enter a plan name (e.g., EBS-Daily-Backup)

  4. Configure the backup rule:

    • Rule name: DailyBackup
    • Backup vault: Select your vault
    • Backup frequency: Daily
    • Backup window: Use defaults or customize
    • Retention period: 35 days (adjust as needed)
    • Click Create plan

  5. Assign your EBS volumes:

    • On the backup plan page, click Assign resources
    • Resource assignment name: AllEBSVolumes
    • IAM role: Select Default role or AWSBackupDefaultServiceRole
    • Under Resource selection, choose one of:
      • Include all resource types and select EBS from the list
      • Include specific resource types, select EBS, then choose specific volumes
    • Click Assign resources

Your EBS volumes are now protected by the backup plan.

AWS CLI (optional)

Step 1: List existing backup plans

aws backup list-backup-plans \
  --region us-east-1

Step 2: Create a backup plan (if needed)

aws backup create-backup-plan \
  --region us-east-1 \
  --backup-plan '{
    "BackupPlanName": "EBS-Daily-Backup",
    "Rules": [{
      "RuleName": "DailyBackup",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": {
        "DeleteAfterDays": 35
      }
    }]
  }'

Save the BackupPlanId from the output.

Step 3: Assign EBS volumes to the plan

To include all EBS volumes:

aws backup create-backup-selection \
  --region us-east-1 \
  --backup-plan-id <BACKUP_PLAN_ID> \
  --backup-selection '{
    "SelectionName": "AllEBSVolumes",
    "IamRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/service-role/AWSBackupDefaultServiceRole",
    "Resources": ["arn:aws:ec2:*:*:volume/*"]
  }'

Replace:

  • <BACKUP_PLAN_ID> with the ID from step 2
  • <ACCOUNT_ID> with your AWS account ID

To include only volumes with a specific tag (e.g., backup=true):

aws backup create-backup-selection \
  --region us-east-1 \
  --backup-plan-id <BACKUP_PLAN_ID> \
  --backup-selection '{
    "SelectionName": "TaggedEBSVolumes",
    "IamRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/service-role/AWSBackupDefaultServiceRole",
    "ListOfTags": [{
      "ConditionType": "STRINGEQUALS",
      "ConditionKey": "backup",
      "ConditionValue": "true"
    }]
  }'

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Backup plan for EBS volumes

Parameters:
  BackupVaultName:
    Type: String
    Default: Default
    Description: Name of the backup vault to store backups

Resources:
  EBSBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: EBSVolumeBackupPlan
        BackupPlanRule:
          - RuleName: DailyBackup
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 60
            CompletionWindowMinutes: 180
            Lifecycle:
              DeleteAfterDays: 35

  EBSBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref EBSBackupPlan
      BackupSelection:
        SelectionName: AllEBSVolumes
        IamRoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole
        Resources:
          - arn:aws:ec2:*:*:volume/*

Outputs:
  BackupPlanId:
    Description: ID of the created backup plan
    Value: !Ref EBSBackupPlan
  BackupPlanArn:
    Description: ARN of the created backup plan
    Value: !GetAtt EBSBackupPlan.BackupPlanArn

Deploy with:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name ebs-backup-plan \
  --region us-east-1

Terraform (optional)

# AWS Backup plan for EBS volumes
resource "aws_backup_vault" "ebs_backup_vault" {
  name = "ebs-backup-vault"
}

resource "aws_backup_plan" "ebs_backup_plan" {
  name = "ebs-volume-backup-plan"

  rule {
    rule_name         = "daily-backup"
    target_vault_name = aws_backup_vault.ebs_backup_vault.name
    schedule          = "cron(0 5 ? * * *)"

    lifecycle {
      delete_after = 35
    }
  }
}

resource "aws_backup_selection" "ebs_selection" {
  name         = "all-ebs-volumes"
  plan_id      = aws_backup_plan.ebs_backup_plan.id
  iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/AWSBackupDefaultServiceRole"

  resources = [
    "arn:aws:ec2:*:*:volume/*"
  ]
}

data "aws_caller_identity" "current" {}

To use tag-based selection instead:

resource "aws_backup_selection" "ebs_selection_by_tag" {
  name         = "tagged-ebs-volumes"
  plan_id      = aws_backup_plan.ebs_backup_plan.id
  iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/AWSBackupDefaultServiceRole"

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup"
    value = "true"
  }
}

Verification

After setting up the backup plan:

  1. Go to AWS Backup > Backup plans
  2. Click on your backup plan
  3. Under Resource assignments, verify your EBS volumes are listed
  4. Check Jobs to see scheduled and completed backup jobs

CLI verification

List backup selections for your plan:

aws backup list-backup-selections \
  --region us-east-1 \
  --backup-plan-id <BACKUP_PLAN_ID>

Check recent backup jobs:

aws backup list-backup-jobs \
  --region us-east-1 \
  --by-resource-type EBS \
  --by-state COMPLETED

Re-run Prowler to confirm the check passes:

prowler aws --check ec2_ebs_volume_protected_by_backup_plan --region us-east-1
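As an added example (not Prowler's code and not part of the original page), the following Python models the two selection styles used above, resource ARN wildcards and STRINGEQUALS tag conditions, against constructed volume data and reports which volumes no selection covers, which is what this check flags. The volume IDs, account ID and selections are constructed samples.

```python
import fnmatch

# Constructed sample data, trimmed to the fields that matter for selection matching.
ACCOUNT_ID = "123456789012"  # constructed placeholder account ID
VOLUMES = [
    {"VolumeId": "vol-0aaa111", "Region": "us-east-1", "Tags": {"backup": "true"}},
    {"VolumeId": "vol-0bbb222", "Region": "us-east-1", "Tags": {"Name": "scratch"}},
    {"VolumeId": "vol-0ccc333", "Region": "eu-west-1", "Tags": {"backup": "True"}},
]
# Shaped like the BackupSelection JSON passed to `aws backup create-backup-selection`.
SELECTIONS = {
    "all-volumes": [{"SelectionName": "AllEBSVolumes",
                     "Resources": ["arn:aws:ec2:*:*:volume/*"]}],
    "one-region": [{"SelectionName": "UsEast1Only",
                    "Resources": ["arn:aws:ec2:us-east-1:*:volume/*"]}],
    "tag-only": [{"SelectionName": "TaggedEBSVolumes",
                  "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                                  "ConditionKey": "backup",
                                  "ConditionValue": "true"}]}],
}


def volume_arn(vol, account_id):
    return f"arn:aws:ec2:{vol['Region']}:{account_id}:volume/{vol['VolumeId']}"


def arn_matches(pattern, arn):
    # '*' in a selection ARN is a wildcard; fnmatch's '*' spans ':' and '/' too.
    return fnmatch.fnmatchcase(arn, pattern)


def tag_matches(cond, tags):
    # Only STRINGEQUALS (the operator this page uses) is modelled; tag values are case-sensitive.
    if cond["ConditionType"] != "STRINGEQUALS":
        raise ValueError(f"unsupported ConditionType {cond['ConditionType']}")
    return tags.get(cond["ConditionKey"]) == cond["ConditionValue"]


def covered_by(selection, vol, account_id):
    # A volume is in scope if any Resources ARN matches or any ListOfTags condition matches.
    arn = volume_arn(vol, account_id)
    if any(arn_matches(p, arn) for p in selection.get("Resources", [])):
        return True
    return any(tag_matches(c, vol["Tags"]) for c in selection.get("ListOfTags", []))


def unprotected_volumes(volumes, selections, account_id):
    """IDs of volumes that no selection covers, i.e. the ones this check would fail."""
    return [v["VolumeId"] for v in volumes
            if not any(covered_by(s, v, account_id) for s in selections)]


if __name__ == "__main__":
    for name, sel in SELECTIONS.items():
        print(name, "->", unprotected_volumes(VOLUMES, sel, ACCOUNT_ID))
```

Note that vol-0ccc333 stays unprotected under the tag-based selection because its tag value is "True", not "true"; tag-based selection is exact-match, so enforce tag values with a tagging standard or tag policy. AWS Backup plans are also regional, so in a real audit compare only volumes and selections from the same region.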

Additional Resources

Notes

  • Backup frequency: Adjust the schedule based on your Recovery Point Objective (RPO). Daily backups are common, but critical data may need more frequent backups.

  • Retention period: The 35-day retention used in the examples meets many compliance requirements. Adjust it to match your data retention policies.

  • Tag-based selection: For large environments, use tags (e.g., backup=true) to automatically include new volumes in backup plans.

  • Vault Lock: For additional protection against deletion (including ransomware), consider enabling AWS Backup Vault Lock to make backups immutable.

  • Cross-region copies: For disaster recovery, configure your backup plan to copy backups to another AWS region.

  • Cost considerations: AWS Backup charges for storage used. Monitor backup costs and adjust retention policies as needed.