Cyber Resilience on AWS
Cyber resilience is the ability to recover workloads to a known-good state after an adversary has affected the environment. Prevention works to keep threat actors out and detection works to find them quickly. Cyber resilience focuses on recovery, restoring a trustworthy environment when backups, credentials, or parts of the infrastructure can no longer be assumed to be safe.
Isolating Recovery from Production
The core architectural idea in cyber resilience is that the recovery environment, including its identities, keys, and network paths, shouldn't share a trust boundary with the environment being recovered. If production identity is compromised, recovery must be able to proceed without depending on it. Most customers achieve this using separate AWS accounts inside an AWS Organization. A common pattern uses three account roles: Production Accounts, Recovery Accounts, and Security Accounts.
The production account is where workloads run. If a cyber event is confirmed, these accounts are isolated from the recovery process. The recovery account is used to manage the recovery process, including restoring backups and rebuilding systems. The security account is used to manage security controls and monitoring systems.
AWS Backup and Logically Air-Gapped Vaults
AWS Backup provides a logically air-gapped backup storage solution that is deletion-protected. This means that even if an adversary gains access to the production environment, they will not be able to delete or modify backups stored in AWS Backup. This provides an additional layer of protection for backups and ensures that they are available for recovery when needed.
The AWS Backup vault is a logically air-gapped storage solution that is designed to be highly available and durable. It provides a highly secure environment for storing backups, with access controls and encryption to prevent unauthorized access.
Validation Pipeline
A validation pipeline is used to check whether a backup is recoverable and safe to use. This pipeline includes a series of checks and validations to ensure that the backup is complete and consistent. The pipeline also checks for any signs of tampering or corruption of the backup.
The validation pipeline is an important part of the recovery process, as it ensures that the backup is reliable and can be used to recover the workload. It also provides an additional layer of protection against ransomware and other destructive events.
Recovery Workflow
The recovery workflow is a step-by-step process that is used to recover a workload from a backup. The workflow includes a series of parallelizable stages that can be executed concurrently to reduce recovery time. The workflow also includes a series of checks and validations to ensure that the recovery process is successful.
The recovery workflow is designed to be flexible and scalable, and can be customized to meet the specific needs of the organization. It also provides a highly secure environment for recovery, with access controls and encryption to prevent unauthorized access.
Rebuild-Restore-Rotate Framework
The Rebuild-Restore-Rotate framework is a decision-making framework that is used to determine the best approach for recovery. The framework considers a series of factors, including the type of workload, the level of damage, and the availability of backups. The framework provides a structured approach to recovery, and helps to ensure that the recovery process is successful.
The Rebuild-Restore-Rotate framework is designed to be flexible and adaptable, and can be customized to meet the specific needs of the organization. It also provides a highly secure environment for recovery, with access controls and encryption to prevent unauthorized access.
Selecting the Right Recovery Point
Selecting the right recovery point is a critical part of the recovery process. The recovery point should be chosen based on a series of factors, including the type of workload, the level of damage, and the availability of backups. The recovery point should also be validated to ensure that it is complete and consistent.
The recovery point should be selected using a structured approach, such as the Rebuild-Restore-Rotate framework. This framework provides a decision-making process that considers a series of factors and helps to ensure that the recovery process is successful. The recovery point should also be documented and communicated to all stakeholders to ensure that everyone is aware of the recovery plan.