6.2.4. Secure Replication and Backup
First Principle: Backups are your last line of defense against data destruction, whether from ransomware, accidental deletion, or infrastructure failure. But backups themselves must be secured: an attacker who can delete your backups has defeated your recovery capability.
Amazon Data Lifecycle Manager (DLM):
- Automates EBS snapshot and AMI creation, retention, and deletion
- Policy-based: define schedules and retention counts
- Cross-Region copy for disaster recovery
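The bullets above describe a DLM policy in words. Below is an added example of what such a policy document looks like (not from this guide): the PolicyDetails document passed to `aws dlm create-lifecycle-policy --policy-details file://policy.json`, which snapshots every volume tagged `Backup=daily` once a day, keeps 14 local snapshots, and copies each one to a second Region with its own retention. The tag key/value, schedule time, and the `us-west-2` target Region are assumptions chosen for the example.

```json
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [{ "Key": "Backup", "Value": "daily" }],
  "Schedules": [
    {
      "Name": "daily-0300-utc",
      "CopyTags": true,
      "CreateRule": { "Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"] },
      "RetainRule": { "Count": 14 },
      "CrossRegionCopyRules": [
        {
          "Target": "us-west-2",
          "Encrypted": true,
          "CopyTags": true,
          "RetainRule": { "Interval": 14, "IntervalUnit": "DAYS" }
        }
      ]
    }
  ]
}
```

The cross-Region copy is what gives you disaster recovery: losing the primary Region does not lose the snapshots. Note that `Encrypted: true` applies to the copies; the IAM execution role attached to the policy must be allowed to create, copy, and delete snapshots, which is the only principal that should have that permission on the snapshot set.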
AWS Backup:
- Centralized backup service covering S3, EBS, RDS, DynamoDB, EFS, FSx, and more
- Backup plans define schedule, retention, and lifecycle rules
- Backup vaults store backups with independent access policies
- Vault Lock (Compliance mode) prevents anyone, including the root user, from deleting backups before their retention period expires; this is the ransomware protection for the backups themselves
- Cross-account backup copies backups to a separate account (isolating them from the production blast radius)
Ransomware Protection Architecture:
AWS DataSync:
- Automated data transfer between on-premises storage and AWS (S3, EFS, FSx)
- Encryption in transit (TLS) and integrity verification
- Scheduling for regular data synchronization
- Use case: migrating data with integrity guarantees, ongoing hybrid replication
⚠️ Exam Trap: AWS Backup Vault Lock in Compliance mode prevents backup deletion — even by the root account. This is the key defense against ransomware that targets backups. If a question asks about protecting backups from deletion, Vault Lock is the answer.
Scenario: A ransomware attack encrypts production data and attempts to delete backups. Because AWS Backup copies go to an isolated account with Vault Lock enabled, the attacker can't reach or delete the backups. The company restores from the isolated backup vault within hours.
Reflection Question: Why must backup security be independent of production security, and how does cross-account Vault Lock achieve this independence?