Contents
- Replicated Backup Protection with Elastio
- Configure EC2/EBS Automatic Backup Scans
- Granting Permission to Elastio for Accessing Customer Managed Keys (CMKs)
- S3 and EFS Protection
Elastio provides seamless protection for AWS Backup Recovery Points replicated from other AWS accounts. Here's how Elastio supports different recovery point types.
- EC2 and EBS Recovery Points: These recovery points can be scanned directly by Elastio, ensuring comprehensive ransomware and malware protection.
- S3 and EFS Recovery Points: These recovery points can be scanned through AWS Backup's Restore Testing workflow, verifying the integrity and security of your data during recovery.
Configure EC2/EBS Automatic Backup Scans
To enable automatic backup scans with Elastio, edit the AWS Backup plans in the source account (the account where Recovery Points are replicated from). Follow these steps:
Step 1: Create or Edit a Backup Plan in the Source Account
- Navigate to the AWS Backup Console: Open the AWS Backup console in the source account.
- Create or Edit a Backup Plan:
  - Click Create backup plan or modify an existing one.
  - Configure the backup plan according to your requirements.
Step 2: Add the Elastio Scan Tag
- In the Tags added to recovery points (optional) section, add the following tag:
- This tag instructs Elastio to scan all recovery points created by this backup plan.
Step 3: Finalize the Plan
- After adding the tag, click Create plan to save your backup plan.
Step 4: Add Metadata Tags to Recovery Points (EC2 Recovery Points Only)
Why This Is Required:
AWS Backup does not transfer volume metadata to the replicated EC2 recovery points. Adding tags helps correlate volumes in the Elastio Console.
- Deploy the CloudFormation template in workload accounts to tag AWS Backup Recovery Points.
This ensures metadata tags are added to all EC2 Recovery Points.
Configuration Results
With this configuration, Elastio will automatically scan all EC2 and EBS Recovery Points copied to the destination account by AWS Backup.
Granting Permission to Elastio for Accessing Customer Managed Keys (CMKs)
When using Customer Managed Keys (CMKs), you must authorize Elastio to access these keys for data protection.
Steps to Grant Permission
- Identify Relevant Encryption Keys:
  - Determine which CMKs encrypt backups in the AWS Backup Vaults.
  - Locate the keys in the AWS Key Management Service (KMS) Console.
- Add Authorization Tag: Add the following tag to all identified CMKs:
- Update Key Policy for Shared Keys (If Applicable): If the CMK is shared from another AWS account, update the key policy to allow access from the Elastio deployment account. Use the policy below:

    {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::KMS_KEY_ACCOUNT:root",
              "arn:aws:iam::CLOUD_CONNECTOR_ACCOUNT:root"
            ]
          },
          "Action": "kms:*",
          "Resource": "*"
        }
      ]
    }

  - Replace KMS_KEY_ACCOUNT with the AWS account ID where the CMK is located.
  - Replace CLOUD_CONNECTOR_ACCOUNT with the AWS account ID where Elastio is deployed.
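After updating a shared key's policy, it is worth confirming exactly which outside accounts the policy trusts and with which actions. The script below is an added example, not Elastio's code or part of the original page: it parses a key policy document and reports every Allow grant to a principal outside the key-owning account. The account IDs 111111111111 and 222222222222 and the function names are constructed for illustration.

```python
import json

def as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def account_of(principal):
    # "arn:aws:iam::111111111111:root" -> "111111111111"; bare IDs and "*" pass through.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def external_grants(policy, key_account):
    """Return one finding per Allow grant to an AWS principal outside key_account."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        actions = as_list(stmt.get("Action", []))
        for arn in arns:
            account = account_of(arn)
            if account != key_account:
                findings.append({
                    "sid": stmt.get("Sid", ""),
                    "account": account,
                    "actions": actions,
                    "wildcard": any(a == "*" or a.endswith(":*") for a in actions),
                    "conditioned": "Condition" in stmt,
                })
    return findings

# Constructed sample: the page's policy with placeholder account IDs substituted.
KEY_ACCOUNT = "111111111111"        # stands in for KMS_KEY_ACCOUNT
CONNECTOR_ACCOUNT = "222222222222"  # stands in for CLOUD_CONNECTOR_ACCOUNT
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "key-default-1", "Statement": [{
  "Sid": "Enable IAM User Permissions", "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                        "arn:aws:iam::222222222222:root"]},
  "Action": "kms:*", "Resource": "*"}]}
""")

if __name__ == "__main__":
    for f in external_grants(SAMPLE_POLICY, KEY_ACCOUNT):
        print(f"{f['sid']!r}: account {f['account']} -> {f['actions']} "
              f"(wildcard={f['wildcard']}, conditioned={f['conditioned']})")
```

On the sample it reports a single finding: the connector account holds `kms:*` with no condition, which is what the policy above grants once the placeholders are filled in.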
S3 and EFS Protection
To protect S3 and EFS Recovery Points, use the AWS Backup Restore Test to automate scans. This process ensures the integrity and security of these recovery points.