In the current landscape, organizations face substantial obstacles in safeguarding backup data during an incident. When backup systems share authentication with the production environment, one set of compromised credentials exposes both, and the organization can be left without a trustworthy copy to recover from. Organizations with tightly interconnected environments face amplified risk, and access models that rely on a single approver fall short of adequate protection.
The Multi-party approval capability in AWS Backup addresses these challenges by establishing a secure, independent access path to backups. Backup data remains retrievable even if conventional authentication fails and the vault-owning account, or the entire AWS Organizations organization, is compromised. Multi-party approval requires the agreement of multiple approvers before a critical operation proceeds, so no single identity can unilaterally change or grant access; that distributed decision is what keeps the access path trustworthy.
In Part 1, we highlighted cyber risks to backup infrastructure, introduced the new Multi-party approval integration with logically air-gapped vaults, and outlined the fundamental pillars of data protection. This article provides step-by-step guidance for setting up Multi-party approval workflows, including best practices and practical examples. These recommendations will help you build secure and resilient recovery strategies that preserve access to essential backup data across scenarios, from an isolated account incident to an organization-wide event.
Recovery Patterns
In Part 1, we introduced two pivotal recovery patterns meant to address different scales of security incidents.
- The AWS account recovery pattern addresses situations where the account that owns a logically air-gapped vault becomes inaccessible. It uses a Multi-party approval team to create an independent access path that requires multiple approvers, so recovery remains possible even when the vault-owning account is compromised and its normal authentication fails.
- The AWS Organizations recovery pattern deals with scenarios where an entire organizational structure may be compromised. It sets up separate recovery organizations with an independent identity provider, ensuring continued access to backup data during organization-wide incidents.
In this article, we will guide you through the implementation steps for both patterns while incorporating best practices.
Account Recovery
The implementation steps discussed here establish Multi-party approval workflows for account recovery scenarios, as illustrated in the following architecture diagram.
Figure 1: AWS Cross-Account Multi-party Approval Workflow
Prerequisites
This implementation requires at least two AWS accounts within a single organization:
- Workload Account: Contains the production environment with the primary backup vault and the backup plans that protect AWS resources. It copies recovery points to a logically air-gapped vault (in the same account or in a dedicated backup account).
- Recovery Account: Provides business continuity by requesting vault access through Multi-party approval and restoring critical data when primary systems are compromised.
Before commencing the implementation, please complete the following steps:
- Enable AWS Backup and create a backup plan.
- Create a logically air-gapped vault.
- Have an active AWS IAM Identity Center instance.
- Note the Amazon Resource Name (ARN) of the logically air-gapped vault.
Configuring Your Multi-party Approval Team
This section outlines the steps to set up the AWS cross-account Multi-party approval workflow.
- Enable Multi-party Approval in the Management Account
When you first configure Multi-party approval, it associates with your existing AWS IAM Identity Center instance and creates an Approval Portal for managing requests and team invitations and for viewing past decisions (retained for up to a month).
- In the Organizations management account, navigate to Multi-party approval.
- Set up Multi-party approval to enable the feature, then finalize the process.
- In the AWS Backup console, go to Settings > Cross-account Management and enable Multi-party approval integration.
Figure 2: Enable Multi-party Approval Integration
- Create a Multi-party Approval Team
- From your AWS console, navigate to Organizations and select Multi-party approval from the menu.
- Create a team and provide details for the approval team, with the approval threshold set to a recommended minimum of at least two approvers.
Best practice: A minimum threshold of two trusted approvers prevents any individual from having unilateral access to backup data.
Figure 3: Multi-party Approval Creation Form
- Accept Team Invitations
Each designated approver receives an email invitation to join the Multi-party approval team. Alternatively, approvers can open the Approval Portal application from the AWS access portal, where all requests are visible.
- Follow the invitation link in the email or visit the AWS access portal.
- In the Approval Portal, navigate to the Approval teams tab to find the pending invitation and accept it.
Best practice: Ensure approvers understand their responsibilities and respond quickly. Share the portal link via out-of-band channels for faster access when emails are delayed.
Figure 4: Pending Approval Team Invite for Acceptance or Decline
- Share the Approval Team with Target Accounts
Target accounts are every account that owns a logically air-gapped vault plus the recovery accounts. The Multi-party approval team must be shared with these accounts before they can request access to the vaults.
- Go to AWS Resource Access Manager (AWS RAM) in the management account where the team was created. The share must be created in the us-east-1 AWS Region.
- Select Create resource share.
- Select Multi-party approval team as the resource type, choose the team, and in Step 3 of the wizard add the recovery accounts or organizational units (OUs) as Principals.
- Review and create the resource share.
Important: Create this share in advance for critical recovery accounts. If it has not been done proactively, it can only be performed during an incident if the team-owning management account is still accessible, which is exactly what a compromise may prevent.
- Configure Service Control Policies (SCPs) to Govern Team Usage (Optional)
You can use SCPs to restrict which approval teams may be associated with your logically air-gapped vaults, so a team created by an attacker or by an unreviewed process cannot be attached to a critical vault. The following policy denies the association unless the team ARN matches the allowlisted pattern (the team ARN is abbreviated here):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "backup:AssociateMultiPartyApprovalTeam",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "backup:MultiPartyApprovalTeamArn": "arn:aws:mpa:region:a..."
        }
      }
    }
  ]
}
```

Because the condition is negated (ArnNotLike), the Deny also applies when the condition key is absent from a request, and any wildcard you put in the allowlisted ARN widens the set of teams that pass; list the exact team ARNs you intend to trust.
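The following Python script is an added example, not code from the page or from AWS. It evaluates the allowlisting SCP offline, using the ArnLike component-matching rules IAM applies, to answer "which approval-team ARNs would this Deny block?" before the policy is attached. The team ARN format (arn:aws:mpa:REGION:ACCOUNT:approval-team/NAME), the account IDs, the team names and the vault ARN are assumptions made for the example; the action and condition key are the ones named in the policy above.

```python
"""
Added example (not AWS code): offline evaluator for the allowlisting SCP.
Assumed, not from the page: the team ARN format
arn:aws:mpa:REGION:ACCOUNT:approval-team/NAME, the account IDs and names.
"""
import fnmatch
import re

ACTION = "backup:AssociateMultiPartyApprovalTeam"   # action named in the SCP
CONDITION_KEY = "backup:MultiPartyApprovalTeamArn"  # condition key named in the SCP

# Assumed: the two teams created in the management account are the only allowed ones.
ALLOWED_TEAMS = [
    "arn:aws:mpa:us-east-1:111122223333:approval-team/backup-recovery",
    "arn:aws:mpa:us-east-1:111122223333:approval-team/backup-recovery-dr",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ACTION,
        "Resource": "*",
        "Condition": {"ArnNotLike": {CONDITION_KEY: ALLOWED_TEAMS}},
    }],
}

# Constructed candidates: the two allowed teams, a same-named team in a foreign
# account, and an ad hoc team someone created in the management account.
CANDIDATE_TEAMS = ALLOWED_TEAMS + [
    "arn:aws:mpa:us-east-1:999999999999:approval-team/backup-recovery",
    "arn:aws:mpa:us-east-1:111122223333:approval-team/ad-hoc",
]
VAULT_ARN = "arn:aws:backup:us-east-1:444455556666:backup-vault:lag-vault"  # assumed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _component_match(pattern, value):
    # Within one ARN component, '*' matches any run of characters and '?' one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern, arn):
    """IAM ArnLike: the six colon-delimited components are matched independently."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_component_match(p, a) for p, a in zip(p_parts, a_parts))


def _condition_holds(operator, patterns, value):
    matched = value is not None and any(arn_like(p, value) for p in _as_list(patterns))
    if operator == "ArnLike":
        return matched
    if operator == "ArnNotLike":
        # Negated operators evaluate true when the key is absent from the request.
        return not matched
    raise NotImplementedError(operator)


def statement_denies(stmt, action, resource, context):
    """True if this Deny statement applies to the request (action, resource, context keys)."""
    if stmt.get("Effect") != "Deny":
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(r == "*" or arn_like(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    return all(
        _condition_holds(op, pats, context.get(key))
        for op, kv in stmt.get("Condition", {}).items()
        for key, pats in kv.items()
    )


def blocked_teams(policy, team_arns, vault_arn=VAULT_ARN):
    """Return the team ARNs the SCP would refuse to associate with the vault."""
    return [
        arn for arn in team_arns
        if any(statement_denies(s, ACTION, vault_arn, {CONDITION_KEY: arn})
               for s in policy["Statement"])
    ]


if __name__ == "__main__":
    for arn in blocked_teams(SCP, CANDIDATE_TEAMS):
        print("blocked:", arn)
```

Run against the constructed candidates, the two allowed teams pass and the foreign-account and ad hoc teams are blocked. The evaluator also shows two properties worth checking before deploying the SCP: a request with no team ARN in the context is denied (negated operators are true on a missing key), and a trailing wildcard such as `.../approval-team/backup-recovery*` would also admit `backup-recovery-dr` or any similarly prefixed name, which is why exact ARNs are preferable in the allowlist.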