Logically air-gapped vaults - AWS Backup

Logically air-gapped vaults

The preview for logically air-gapped vaults has closed.

Overview

AWS Backup is previewing a secondary type of vault that stores copies of backups held in other vaults. A logically air-gapped vault is a specialized vault with security controls beyond those of a standard backup vault, plus the ability to share vault access with other accounts and organizations, so that recovery time objectives (RTO) can be met faster and more flexibly during an incident that requires rapid restoration of resources.

Logically air-gapped vaults come with two protections that cannot be turned off: each vault is encrypted with an AWS owned key (a key that AWS manages and that is not visible in your account), and each vault has a vault lock set in compliance mode, so recovery points cannot be deleted before their retention period ends and the lock itself cannot be removed.

You can choose to share a logically air-gapped vault across organizations and accounts so that the backups stored within can be restored from an account with which the vault is shared, if needed.

There are no additional charges for storage in logically air-gapped vaults during the preview period. Backups in standard backup vaults and cross-Region copies will still be charged at published rates (see pricing) even though any copies of those backups in logically air-gapped vaults are not charged.

Use case

A logically air-gapped vault is a secondary vault that serves as part of a data protection strategy. It can strengthen your organization's retention and recovery posture when you want a vault for your backups that

  • Is automatically set with a vault lock in compliance mode

  • Contains backups which can be shared with and restored from a different account than the one that created the backup

  • Comes encrypted with an AWS owned key

Resources supported in a logically air-gapped vault include

  • Amazon EC2

  • Amazon EBS

  • Amazon S3

  • Amazon EFS

  • Amazon RDS

This preview of logically air-gapped vaults is only available in US East (N. Virginia) Region. Because this feature is currently only in one Region, cross-Region copy is not supported during this preview period.

Compare and contrast with a standard backup vault

A backup vault is the primary and standard type of vault used in AWS Backup. Each backup is stored in a backup vault as a recovery point when it is created. You can attach a resource-based access policy to the vault to control which principals can act on the recovery points it holds (for example, to deny deletion); the retention lifecycle of those recovery points is set by the backup rule that created them.

A logically air-gapped vault is a specialized vault with additional security controls and flexible cross-account sharing that shortens recovery time (RTO). It stores only copies of backups that were initially created and stored in a standard backup vault.

Backups stored in a backup vault are encrypted with an AWS KMS key, which limits restore and decryption to the principals the key policy allows. For a standard backup vault that key can be customer managed or AWS managed. A backup vault can be further protected with a vault lock, which prevents deletion of recovery points and changes to their retention; logically air-gapped vaults always come with a vault lock in compliance mode.

A backup can be copied into a logically air-gapped vault only if the source resource was encrypted with a customer managed AWS KMS key, either chosen when the resource was created or set later by changing the key. Backups of resources that still use the service's default AWS managed key cannot be copied into a logically air-gapped vault.
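The key requirement above is easy to miss until a copy job fails, so it is worth checking before you build a copy rule. The following Python is an added example, not code from the AWS Backup documentation or the AWS SDK: it classifies a resource's KMS key the way kms:DescribeKey reports it (KeyManager is "CUSTOMER" for keys you created and "AWS" for service default keys such as alias/aws/ebs) and returns a verdict per resource. The resource inventory and KMS answers are constructed sample data; the function that looks keys up is injected so the same logic can be pointed at a real boto3 KMS client. It also treats a resource with no KMS key at all as not copyable, reading the page's "key was not set" wording literally, and flags customer managed keys that are not in the Enabled state, since a disabled or pending-deletion key would make the copy fail; both of those readings are assumptions to confirm in your own account.

```python
"""Pre-flight check: can this resource's backups be copied into a logically
air-gapped vault?  Eligibility follows the rule that the source resource must
be encrypted with a customer managed KMS key, not the default AWS managed key.
Added example; not AWS Backup or SDK code."""
from typing import Callable, Dict, Optional, Tuple


def classify_key(key_metadata: Optional[dict]) -> str:
    """Map KMS KeyMetadata (as returned by kms:DescribeKey) to a class.

    KeyManager is "AWS" for service default keys (alias/aws/ebs, alias/aws/rds,
    ...) and "CUSTOMER" for keys you created.  None means the resource reported
    no KmsKeyId, i.e. it is not encrypted.
    """
    if key_metadata is None:
        return "unencrypted"
    manager = key_metadata.get("KeyManager")
    if manager == "CUSTOMER":
        return "customer-managed"
    if manager == "AWS":
        return "aws-managed"
    return "unknown"


def copy_verdict(key_metadata: Optional[dict]) -> Tuple[bool, str]:
    """Return (eligible, reason) for copying into a logically air-gapped vault.

    Assumption: a resource with no key is treated as ineligible, and a customer
    managed key must be Enabled (Disabled / PendingDeletion keys break copies).
    """
    cls = classify_key(key_metadata)
    if cls == "customer-managed":
        state = key_metadata.get("KeyState", "Enabled")
        if state != "Enabled":
            return False, f"customer managed key is {state}; copy would fail"
        return True, "customer managed key set on the resource"
    if cls == "aws-managed":
        return False, "default AWS managed key; copy is not supported"
    if cls == "unencrypted":
        return False, "no KMS key set on the resource"
    return False, "unrecognised KeyManager value"


def audit_resources(resources, describe_key: Callable[[str], Optional[dict]]
                    ) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every resource in the inventory.

    describe_key is injected so the logic runs offline against sample data or
    online against a real KMS client (see boto3_describe_key below).
    """
    report = {}
    for res in resources:
        key_id = res.get("KmsKeyId")
        meta = describe_key(key_id) if key_id else None
        report[res["ResourceArn"]] = copy_verdict(meta)
    return report


# Constructed sample inventory (the ARN plus the KmsKeyId that describe-volumes
# or describe-db-instances would report).  Not real account data.
ACCT = "111122223333"
KEY_CMK = f"arn:aws:kms:us-east-1:{ACCT}:key/11111111-cmk"
KEY_AWS = f"arn:aws:kms:us-east-1:{ACCT}:key/22222222-aws"
KEY_OFF = f"arn:aws:kms:us-east-1:{ACCT}:key/33333333-disabled"

SAMPLE_RESOURCES = [
    {"ResourceArn": f"arn:aws:ec2:us-east-1:{ACCT}:volume/vol-0aaaa", "KmsKeyId": KEY_CMK},
    {"ResourceArn": f"arn:aws:ec2:us-east-1:{ACCT}:volume/vol-0bbbb", "KmsKeyId": KEY_AWS},
    {"ResourceArn": f"arn:aws:rds:us-east-1:{ACCT}:db:orders", "KmsKeyId": None},
    {"ResourceArn": f"arn:aws:ec2:us-east-1:{ACCT}:volume/vol-0cccc", "KmsKeyId": KEY_OFF},
]

# Constructed KMS answers keyed by key ARN, shaped like KeyMetadata.
SAMPLE_KEYS = {
    KEY_CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    KEY_AWS: {"KeyManager": "AWS", "KeyState": "Enabled"},
    KEY_OFF: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}


def fake_describe_key(key_id: str) -> Optional[dict]:
    """Offline stand-in for kms:DescribeKey over the constructed sample."""
    return SAMPLE_KEYS.get(key_id)


def boto3_describe_key(kms_client) -> Callable[[str], Optional[dict]]:
    """Adapter for a real run: kms_client = boto3.client("kms", region_name="us-east-1")."""
    def _describe(key_id: str) -> Optional[dict]:
        return kms_client.describe_key(KeyId=key_id)["KeyMetadata"]
    return _describe


if __name__ == "__main__":
    for arn, (ok, why) in audit_resources(SAMPLE_RESOURCES, fake_describe_key).items():
        print(("COPYABLE    " if ok else "NOT COPYABLE") + f"  {arn}: {why}")
```

Running it against the sample prints one copyable volume (customer managed, enabled key) and three ineligible resources: the volume on the default aws/ebs key, the unencrypted RDS instance, and the volume whose customer managed key is disabled. For a live account, pass `boto3_describe_key(boto3.client("kms", region_name="us-east-1"))` as the lookup and feed it the KmsKeyId values from your own describe calls.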

Feature | Backup vault | Logically air-gapped vault (preview)
--- | --- | ---
Backup creation | When a backup is created, it is stored in this vault as a recovery point | Backups are not stored in this vault upon creation
Backup storage | Can store initial backups of resources and copies of backups | Can store only copies of backups from other vaults
Security | Encrypted with a key of your choosing (customer managed or AWS managed); can optionally be locked with a vault lock | Always encrypted with an AWS owned key; always locked with a vault lock in compliance mode
Sharability | Access can be managed through vault access policies and AWS Organizations; not compatible with AWS Resource Access Manager (AWS RAM) | Can optionally be shared across accounts and organizations using AWS RAM
Restoration | Backups can be restored by the account that owns the vault | Backups can be restored by a different account than the one that owns the vault, if the vault is shared with that account
Regionality | Available in all Regions in which AWS Backup operates | Available only in US East (N. Virginia) Region during the preview
Resources | Can store backups of all AWS Backup supported resources | Can store backups of Amazon EC2, Amazon EBS, Amazon EFS, Amazon S3, or Amazon RDS data