Ensure encryption at rest is enabled for AWS Backup Vault

MEDIUM

Description

A backup vault gives administrators a single, organized location for recovery points, encrypted with an AWS Key Management Service (KMS) key. Every account has a default vault, but for each additional vault the encryption key must be chosen explicitly when the vault is created; it cannot be changed afterwards. Using a customer-managed KMS key rather than the AWS-managed default lets you control the key policy, rotation, and who can decrypt the backups. Note that for some resource types AWS Backup encrypts the recovery point with the key of the source resource rather than the vault key; consult the AWS documentation for which resource types honor the vault key.
References:
https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html

Remediation

All backup vaults are encrypted, but the KMS key they use can only be selected when the vault is created and cannot be changed on an existing vault. If an existing vault does not use the intended key, create a new vault with the correct key and point your backup plans at it. To create a new vault:
In AWS Console -

  1. Sign in to the AWS Console and open the Backup Console.
  2. Under Backup Vaults, select Create backup vault.
  3. Select the specific encryption key to be used from the dropdown.
  4. Select Create backup vault.

In Terraform -

  1. In the aws_backup_vault resource, set kms_key_arn to the ARN of the KMS key that should encrypt the vault. This argument forces replacement in the Terraform provider, so changing it later destroys and recreates the vault; set it when the vault is first defined.
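
The following is an added example, not code from the original page or from AWS: a customer-managed KMS key, a backup vault encrypted with it, and a backup plan that targets the vault. The resource names, alias, schedule, and retention period are assumptions; the key policy grants only the account root, which lets IAM policies in the account delegate key use to the AWS Backup service role.

```hcl
# Added example (not from the original page). Names, alias, schedule and
# retention are assumptions chosen for illustration.

data "aws_caller_identity" "current" {}

# Customer-managed key for the vault. The key policy grants the account root
# full control so that IAM policies can delegate use of the key; rotation is
# enabled so the key material is rotated automatically.
resource "aws_kms_key" "backup" {
  description             = "Key for AWS Backup vault"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}

# Human-readable alias for the key (assumed name).
resource "aws_kms_alias" "backup" {
  name          = "alias/backup-vault"
  target_key_id = aws_kms_key.backup.key_id
}

# The vault. kms_key_arn forces replacement: changing it later destroys and
# recreates the vault, so the key is fixed here at creation time.
resource "aws_backup_vault" "encrypted" {
  name        = "prod-encrypted-vault"
  kms_key_arn = aws_kms_key.backup.arn
}

# A backup plan that writes its recovery points into the encrypted vault,
# so new backups land in the vault that uses the customer-managed key.
resource "aws_backup_plan" "daily" {
  name = "daily-plan"

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.encrypted.name
    schedule          = "cron(0 3 * * ? *)"

    lifecycle {
      delete_after = 35
    }
  }
}
```

After `terraform apply`, confirm the key on the vault with `aws backup describe-backup-vault --backup-vault-name prod-encrypted-vault` and check that the returned EncryptionKeyArn matches the ARN of the customer-managed key rather than the AWS-managed default.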

For more information, see the AWS or Terraform documentation.
References:
https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault

Policy Details

Rule Reference ID: AC_AWS_0401
CSP: AWS
Remediation Available: Yes
Resource Category: Storage
Resource Type: Backup Vault

Frameworks