LAG Vaults
Elastio enables organizations to inspect backups stored in Logically Air-Gapped Vaults, offering a centralized approach for scanning backups from multiple workload accounts in a single location.
By sharing the Logically Air-Gapped Vault with a Recovery Account using AWS Resource Access Manager (RAM), organizations can incorporate scanning into the Restore Test process, ensuring that recovery points are clean and safe before restoration.
Backup and Scanning Workflow
- Backup Creation and Vault Transfer
  - AWS Backup creates a recovery point in a Local Vault for an Amazon EC2 instance in the AWS account.
  - The recovery point is copied from the Local Vault to the Logically Air-Gapped Vault.
- Vault Sharing for Restore Testing
  - The Logically Air-Gapped Vault is shared with the Recovery Account using AWS Resource Access Manager (RAM).
  - Detailed instructions are available in the AWS blog on logically air-gapped vaults.
- Restore Testing with Elastio Scans
  - Perform a restore in the Recovery Account via AWS Backup Restore Testing.
  - An Amazon EventBridge event is triggered when the restore completes.
  - A Lambda function checks if the recovery point is tagged with "elastio=scan":
    - If tagged, the Lambda function triggers Elastio scans.
    - Scan results are sent back to AWS Backup Restore Testing.
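The tag gate in the last workflow step, sketched as an added example (this is not Elastio's Lambda code). The handler name, the three injected callables and the event field names are assumptions; in a real deployment the tag lookup and the result report would map to the AWS Backup ListTags and PutRestoreValidationResult calls.

```python
# Added illustration, not Elastio's Lambda. Event field names are assumptions.
SCAN_TAG_KEY, SCAN_TAG_VALUE = "elastio", "scan"  # tag named on the page

# Constructed sample of a restore-completed event (all values are made up).
SAMPLE_EVENT = {
    "source": "aws.backup",
    "detail": {
        "restoreJobId": "JOB-EXAMPLE-1",
        "status": "COMPLETED",
        "recoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE",
    },
}


def handle_restore_event(event, get_tags, run_scan, report):
    """Gate a scan on the recovery point's tag and report the outcome.

    get_tags(arn) -> dict of tags (in AWS: the Backup ListTags call)
    run_scan(arn) -> True if clean (hypothetical hook for the scanner)
    report(job_id, status, message) (in AWS: PutRestoreValidationResult)
    """
    detail = event.get("detail") or {}
    job_id = detail.get("restoreJobId")
    rp_arn = detail.get("recoveryPointArn")
    if event.get("source") != "aws.backup" or not job_id or not rp_arn:
        return "ignored"  # not a restore event this handler understands
    if detail.get("status") != "COMPLETED":
        return "ignored"  # only completed restores are inspected
    try:
        tags = get_tags(rp_arn)
    except Exception as exc:  # tag state unknown: fail the test, do not skip
        report(job_id, "FAILED", f"tag lookup failed: {exc}")
        return "failed"
    if tags.get(SCAN_TAG_KEY) != SCAN_TAG_VALUE:
        return "skipped"  # untagged: restore completes without a scan
    try:
        clean = run_scan(rp_arn)
    except Exception as exc:  # a scanner error must not read as "clean"
        report(job_id, "FAILED", f"scan error: {exc}")
        return "failed"
    if clean:
        report(job_id, "SUCCESSFUL", "scan found no threats")
        return "successful"
    report(job_id, "FAILED", "scan flagged the restored data")
    return "failed"
```

A "skipped" result means the restore test finished with no scan at all, so it is the outcome to log and review when auditing which backup plans carry the tag.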
Steps to Protect Backups in Logically Air-Gapped Vaults
Step 1: Deploy Elastio in the Recovery Account
Deploy Elastio in the Recovery Account using a CloudFormation template.
Step 2: Add Metadata Tags to Recovery Points
Deploy a CloudFormation template in workload accounts to tag AWS Backup Recovery Points. This step is critical for protecting EC2 recovery points since AWS Backup does not transfer volume metadata to the Logically Air-Gapped Vault. Adding tags enables easier correlation of volumes within the Elastio Console.
Steps:
- Navigate to CloudFormation in AWS and click “Create Stack with new resources.”
- Choose “Upload a template file”, upload the YAML file, and click Next.
- Name the stack and click Next, leaving everything else as default.
- Click Next.
- Acknowledge the terms and click “Submit.”
Step 3: Add Action Tags to AWS Backup Plans
Add the tag "elastio=scan" to the Backup Plan in the source account to enable automatic scanning of recovery points created under this plan.
Steps:
- Go to AWS Backup Console and click “Create backup plan.”
- Set the plan details and add "elastio=scan" under “Tags added to the recovery points - optional.”
- Click “Create Plan.”
Once created, all recovery points associated with this plan will be automatically scanned by Elastio.
Step 4: Enable Restore Testing Integration
Deploy a CloudFormation template in the Recovery Account to integrate Elastio scans into the AWS Backup Restore Testing process.
Steps:
- Navigate to CloudFormation in AWS and click “Create Stack with new resources.”
  - Step 1: Choose “Amazon S3 URL”, paste the link, and click Next.
  - Step 2: Name the stack and click Next, leaving everything else as default.
  - Step 3: Click Next.
  - Step 4: Acknowledge the terms and click “Submit.”
Step 5: Add Restore-Test Tags to Backup Plans
Add the tag "elastio=scan" to the Backup Plan in the source account to enable scanning as part of Restore Testing.
Steps:
- Go to AWS Backup Console and click “Create backup plan.”
- Set the plan details and add "elastio=scan" under “Tags added to the recovery points - optional.”
- Click “Create Plan.”
All recovery points associated with this plan will automatically trigger Elastio scans during Restore Testing.
Key Considerations
- Automated Scanning: Elastio scans all recovery points for EC2 and EBS created by AWS Backup. For S3 and EFS, scanning occurs as part of the Restore Test process.
- Tagging for Automation: Proper tagging of recovery points ensures seamless integration with Elastio scans and simplifies recovery workflows.