AWS Backup Security: Vault Lock, Air-Gapped Vaults, and Malware Scanning
Protect your AWS backups with a layered security approach: Vault Lock provides WORM protection (Governance for flexibility, Compliance for true immutability), Air-Gapped Vaults add cross-account isolation, GuardDuty scans backups for malware before restore, and Audit Manager ensures continuous compliance. Use all four layers for comprehensive ransomware protection.
Introduction
Backups are your last line of defense against ransomware, accidental deletion, and data corruption. But what good is a backup if an attacker can delete it, or if you restore malware-infected data back into production?
AWS Backup has evolved significantly over the past few years, adding powerful security features that address these exact concerns. From WORM-protected vault locks that even AWS can't remove, to automated malware scanning powered by GuardDuty, to compliance auditing that keeps regulators happy - there's now a comprehensive toolkit for securing your backup infrastructure.
In this guide, I'll walk you through the four pillars of AWS Backup security: Vault Lock, Logically Air-Gapped Vaults, Malware Scanning, and Audit Manager. Whether you're building a ransomware-resistant architecture or preparing for a compliance audit, these features should be part of your backup strategy.
AWS Backup Vault Lock
AWS Backup Vault Lock provides WORM (write-once-read-many) protection for your backups, preventing deletion or modification even by privileged users including the root account. It has been assessed by Cohasset Associates for compliance with SEC 17a-4, CFTC, and FINRA regulations.
Lock Modes
There are two modes to choose from, each with different levels of protection:
Governance Mode - Role-based access control:
- Can be removed by users with sufficient IAM permissions
- Intended for organizational governance
- Ensures only designated personnel can make changes
- No grace period required
- Flexible for testing and iteration
Compliance Mode - Immutable WORM storage:
- Cannot be deleted or modified after grace period
- Not even AWS can remove the lock
- Minimum 72-hour (3-day) cooling-off period
- Required for regulatory compliance
- Permanent and irreversible after grace time
Compliance Mode vault locks are PERMANENT and IRREVERSIBLE after the grace period expires. The only way to remove a compliance lock is to terminate the entire AWS account, which also deletes all backups. Test thoroughly in Governance Mode before enabling Compliance Mode.
Configuration Parameters
| Parameter | Description | Range |
|---|---|---|
| MinRetentionDays | Minimum retention period. Backups with shorter retention will fail. | 1 day minimum |
| MaxRetentionDays | Maximum retention period. Backups with longer retention will fail. | Up to 36,500 days (~100 years) |
| ChangeableForDays | Grace period before lock becomes immutable (Compliance mode only) | 3 to 36,500 days |
CLI Examples
Compliance Mode (immutable after 3 days):
```bash
# Lock vault with compliance mode (immutable after 3 days)
aws backup put-backup-vault-lock-configuration \
  --backup-vault-name my_vault \
  --changeable-for-days 3 \
  --min-retention-days 7 \
  --max-retention-days 30
```
Governance Mode (can be removed with IAM permissions):
```bash
# Lock vault with governance mode (can be removed with IAM permissions)
aws backup put-backup-vault-lock-configuration \
  --backup-vault-name my_vault \
  --min-retention-days 7 \
  --max-retention-days 30
```
Start with Governance Mode to test your retention policies and backup workflows. Once you've confirmed everything works correctly, switch to Compliance Mode for production vaults that need true WORM protection.
Important: Once a vault is locked in compliance mode and the grace period expires, the only way to remove the lock is to terminate the AWS account. This also deletes all backups. Plan carefully before enabling compliance mode.
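To see how the parameters above interact with a backup plan, here is an added example (not code from the original post) that classifies a vault's lock state from the `Locked` and `LockDate` fields returned by `aws backup describe-backup-vault`, and flags the plan rules the lock would reject with the "Vault lock retention violation" error covered under Troubleshooting. The `VAULT` and `PLAN` dicts are constructed samples shaped like the CLI output, not real account data.

```python
# Added example, not from the original post: classify a vault's lock state and
# find backup-plan rules the lock would reject ("Vault lock retention violation").
# VAULT and PLAN are constructed samples shaped like the output of
# `aws backup describe-backup-vault` and `aws backup get-backup-plan`.
from datetime import datetime

# Constructed: compliance-mode lock as set by the CLI example above
# (--changeable-for-days 3 --min-retention-days 7 --max-retention-days 30).
VAULT = {
    "BackupVaultName": "my_vault",
    "Locked": True,
    "MinRetentionDays": 7,
    "MaxRetentionDays": 30,
    "LockDate": "2025-01-10T00:00:00+00:00",  # not present for a governance lock
}

# Constructed plan: one compliant rule, one too short, one that never expires.
PLAN = {"BackupPlan": {"Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "my_vault",
     "Lifecycle": {"DeleteAfterDays": 14}},
    {"RuleName": "short", "TargetBackupVaultName": "my_vault",
     "Lifecycle": {"DeleteAfterDays": 3}},
    {"RuleName": "forever", "TargetBackupVaultName": "my_vault"},
]}}


def lock_state(vault: dict, now_iso: str) -> str:
    """Lock mode from the Locked/LockDate fields; now_iso is the current time."""
    if not vault.get("Locked"):
        return "unlocked"
    if "LockDate" not in vault:
        return "governance"  # removable via DeleteBackupVaultLockConfiguration
    lock_date = datetime.fromisoformat(vault["LockDate"])
    if datetime.fromisoformat(now_iso) < lock_date:
        return "compliance (changeable until %s)" % vault["LockDate"]
    return "compliance (immutable)"


def retention_violations(vault: dict, plan: dict) -> list:
    """Names of rules targeting this vault whose retention falls outside the
    lock's [MinRetentionDays, MaxRetentionDays]. A rule with no DeleteAfterDays
    keeps backups indefinitely, which exceeds any configured maximum."""
    lo, hi = vault.get("MinRetentionDays", 1), vault.get("MaxRetentionDays")
    bad = []
    for rule in plan["BackupPlan"]["Rules"]:
        if rule["TargetBackupVaultName"] != vault["BackupVaultName"]:
            continue
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        too_long = hi is not None and (days is None or days > hi)
        if too_long or (days is not None and days < lo):
            bad.append(rule["RuleName"])
    return bad
```

Run this against the real output of the two CLI commands before switching a production vault to Compliance Mode; any rule it lists will start failing the moment the lock is applied.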
Logically Air-Gapped Vaults
Logically air-gapped vaults provide enhanced protection by automatically including compliance mode vault lock and offering cross-account sharing capabilities for disaster recovery.
Key features:
- Auto Compliance Lock - Every logically air-gapped vault automatically comes with Vault Lock in compliance mode
- Encryption Options - Encrypted with AWS-owned key by default, or optionally with customer-managed KMS key
- Cross-Account Sharing - Integrate with AWS RAM to share vaults with other accounts for restore operations
- Multi-Party Approval - Enable MPA for recovery even if the vault-owning account is inaccessible
Logically air-gapped vaults are ideal for storing copies of your most critical backups. While they're in the same AWS infrastructure, the compliance lock and cross-account isolation provide defense-in-depth against both external attackers and insider threats.
Best Practice: Use logically air-gapped vaults as part of a tiered backup strategy. Copy critical backups from local vaults to air-gapped vaults in a separate account for maximum ransomware protection.
Create your air-gapped vault in a separate AWS account that has minimal access - ideally a dedicated "backup vault" account with restricted IAM policies and no workloads. This provides true isolation from compromised accounts.
Backup Malware Scanning
Amazon GuardDuty Malware Protection for AWS Backup became generally available in November 2025. It integrates automated scanning into your backup workflows, using multiple malware detection engines to analyze backup data for threats without requiring additional security software or agents.
Supported Resources
- Amazon EC2 - Scan EC2 instance backups for malware and ransomware
- Amazon EBS - Scan EBS volume snapshots and backups
- Amazon S3 - Scan S3 bucket backups for malicious content
Scan Types
| Type | Description | Use Case |
|---|---|---|
| Full Scan | Scans entire backup contents with latest threat models | Initial scans, pre-restore verification, periodic deep scans |
| Incremental Scan | Only scans data changed since last backup | Cost-optimized daily/continuous scanning |
Malware scanning adds time and cost to your backup workflow. Factor this into your RPO calculations and backup windows. For large EC2 instances with many files, full scans can take significant time.
How It Works
- Backup Completes - AWS Backup successfully creates a recovery point in your vault
- Automatic Scan Initiated - If enabled in backup plan, GuardDuty automatically begins scanning (asynchronous, no performance impact)
- Files Analyzed - Multiple malware detection engines decrypt and scan all files within the backup
- Status Updated - Recovery point marked as "No threats found" or "Threats found" for quick identification
- Notifications Sent - EventBridge events and Security Hub findings deliver alerts for automated workflows
Set up EventBridge rules to automatically quarantine or tag recovery points that contain malware. This prevents accidental restore of infected backups and creates an audit trail for security investigations.
Third-Party Alternative: Elastio
Elastio Ransomware Recovery Platform integrates with AWS Backup to scan for ransomware encryption, insider threats, malware binaries, and file system corruption. It validates recovery points continuously and in near real-time, supporting EC2, EBS, EFS, S3, and VMware recovery points.
AWS Backup Audit Manager
AWS Backup Audit Manager helps you audit the compliance of your backup policies against controls you define, automatically detecting violations and generating audit-ready reports for regulators.
Available Controls
- Resources protected by backup plan
- Backup plan minimum frequency and retention
- Prevent recovery point manual deletion
- Recovery point encrypted
- Recovery point minimum retention
- Cross-Region copy
- Cross-account copy
- Backups protected by Vault Lock
- Resources in logically air-gapped vault
- Last recovery point created
Audit Manager controls map directly to common compliance frameworks like SOC 2, HIPAA, and PCI-DSS. Use the prebuilt control mappings to accelerate your compliance posture and reduce audit preparation time.
Report Types
| Report | Description | Frequency |
|---|---|---|
| Backup Jobs Report | Details of all backup operations and their status | Daily (automatic) + On-demand |
| Control Compliance Report | Compliance status against defined framework controls | Daily (automatic) + On-demand |
| Resource Compliance Report | Per-resource compliance status and details | Daily (automatic) + On-demand |
AWS Backup Audit Manager controls map to prebuilt standard controls in AWS Audit Manager, allowing you to import compliance findings into your organization's overall compliance reports.
Complete Backup Security Stack
Combine these services for comprehensive backup protection against ransomware, accidental deletion, and compliance violations:
| Layer | Purpose | Service |
|---|---|---|
| Immutability | WORM protection prevents deletion even by root user | Vault Lock (Compliance Mode) |
| Isolation | Cross-account isolation with built-in compliance lock | Logically Air-Gapped Vaults |
| Malware Detection | Scan backups for malware before restore operations | GuardDuty Malware Protection |
| Compliance Monitoring | Continuous evaluation and audit-ready reporting | Backup Audit Manager |
| Encryption | Encrypt backups at rest with AWS or customer keys | KMS Integration |
Troubleshooting
Common Issues and Solutions
Issue: Backup job fails with "Vault lock retention violation"
Cause: The backup plan's retention period is shorter than the vault's MinRetentionDays or longer than MaxRetentionDays.
Solution: Adjust your backup plan's retention settings to fall within the vault lock's allowed range. Check with `aws backup describe-backup-vault --backup-vault-name <name>` to see the lock configuration.
Issue: Cannot delete recovery point from locked vault
Cause: Vault Lock is preventing deletion (working as intended for Compliance Mode, may be restrictive for Governance Mode).
Solution: For Governance Mode, ensure you have the backup:DeleteBackupVaultLockConfiguration permission. For Compliance Mode, wait for the retention period to expire - manual deletion is not possible.
Issue: Air-gapped vault copy job fails
Cause: Missing cross-account permissions, KMS key access issues, or vault doesn't exist in target account.
Solution: Verify the target vault exists and accepts copies. Check that the source account has permission to use the target vault's KMS key. Review the backup vault access policy in the target account.
Issue: Malware scan shows "Scan skipped" status
Cause: GuardDuty Malware Protection is not enabled, or the resource type is not supported.
Solution: Enable GuardDuty Malware Protection for AWS Backup in the GuardDuty console. Verify the backup is for a supported resource type (EC2, EBS, S3).
Issue: Malware scan takes extremely long or times out
Cause: Large backup with many files, or high load on the scanning service.
Solution: Consider using incremental scans for daily backups and full scans only periodically. For very large backups, expect scan times measured in hours. Check GuardDuty service quotas if consistently hitting limits.
Issue: Audit Manager shows resources as "Non-compliant" unexpectedly
Cause: Resources may not be tagged correctly for the backup plan, or backup jobs may be failing silently.
Solution: Check the resource compliance report for specific violation details. Verify resource tags match the backup plan's resource assignment. Review backup job history for failures.
Issue: Cannot remove Compliance Mode vault lock during grace period
Cause: Incorrect IAM permissions or the grace period has already expired.
Solution: Verify you have the `backup:DeleteBackupVaultLockConfiguration` permission. Check the lock status with `aws backup describe-backup-vault` - if ChangeableForDays shows 0 or the lock is marked as "Locked", the grace period has expired and the lock is permanent.
Issue: Cross-account restore fails with permission denied
Cause: The restoring account doesn't have permission to access the vault or use the KMS key.
Solution: Verify the vault is shared via AWS RAM with the restoring account. Ensure the KMS key policy allows the restoring account's backup service role to decrypt. Check that the restore role has the necessary IAM permissions.
Conclusion
AWS Backup security has come a long way. With Vault Lock, you can make your backups truly immutable - not even AWS can delete them once compliance mode kicks in. Air-gapped vaults give you cross-account isolation with built-in compliance protection. GuardDuty malware scanning ensures you're not restoring infected data. And Audit Manager keeps you audit-ready without manual effort.
For most organizations, I recommend implementing a tiered approach:
- Standard vault with governance mode lock for day-to-day backups
- Logically air-gapped vault in a separate account for critical data
- Malware scanning enabled on backup plans for production workloads
- Audit Manager framework mapped to your compliance requirements
The key is to implement these controls before you need them. Ransomware attacks don't announce themselves in advance, and compliance audits have a way of showing up faster than expected. Build your backup security stack now, and sleep easier knowing your data is protected.
Questions about implementing backup security for your AWS workloads? Feel free to reach out!