Exam SAP-C02
Question 336

A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup.

The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account.

Which combination of steps will meet this new requirement? (Choose three.)

    Correct Answer: A, B, C

    To ensure backups are resilient to breaches of privileged-user credentials, implement cross-account backups with AWS Backup vaults in designated non-production accounts to isolate backups from potential breaches. Adding a Service Control Policy (SCP) that restricts the modification of AWS Backup vaults enhances security by preventing unauthorized changes. Implementing AWS Backup Vault Lock in compliance mode ensures that backups cannot be modified or deleted during their retention period, providing extra protection against compromised credentials.
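As an added illustration of options B and C, the following Terraform (not part of the exam page and not AWS-provided code) applies an SCP that denies tampering with backup vaults and recovery points in the production OU, and enables Vault Lock in compliance mode on a vault in the designated backup account. The OU id `ou-xxxx-xxxxxxxx`, the vault name `central-vault` and the exempt role name `BackupBreakGlass` are assumed placeholders.

```hcl
# Added example, not from the exam page. Assumptions: the vault "central-vault"
# already exists in the designated non-production backup account; the OU id and
# the break-glass role name are placeholders.

variable "production_ou_id" {
  description = "Placeholder: OU that holds the production accounts"
  type        = string
  default     = "ou-xxxx-xxxxxxxx"
}

# --- Option B: SCP that blocks tampering with vaults and recovery points ---
# A Deny in an SCP cannot be overridden by any IAM policy inside the member
# account, so a compromised production administrator is still blocked.
resource "aws_organizations_policy" "deny_backup_tampering" {
  name = "DenyBackupVaultTampering"
  type = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyBackupVaultTampering"
      Effect = "Deny"
      Action = [
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultLockConfiguration",
        "backup:DeleteRecoveryPoint",
        "backup:PutBackupVaultAccessPolicy",
        "backup:UpdateRecoveryPointLifecycle",
      ]
      Resource = "arn:aws:backup:*:*:backup-vault:*"
      # Only one designated role (assumed name) is exempt from the Deny.
      Condition = {
        ArnNotLike = {
          "aws:PrincipalARN" = "arn:aws:iam::*:role/BackupBreakGlass"
        }
      }
    }]
  })
}

resource "aws_organizations_policy_attachment" "production_ou" {
  policy_id = aws_organizations_policy.deny_backup_tampering.id
  target_id = var.production_ou_id
}

# --- Option C: Vault Lock in compliance mode in the backup account ---
# Setting changeable_for_days selects compliance mode. Once that cooling-off
# period (minimum 3 days) has elapsed, the lock can no longer be removed or
# shortened by any principal, including the account root user.
resource "aws_backup_vault_lock_configuration" "central_vault" {
  backup_vault_name   = "central-vault"
  min_retention_days  = 30
  max_retention_days  = 365
  changeable_for_days = 3
}
```

Two caveats a practitioner would check before rolling this out: SCPs never apply to the organization's management account, so the backup account must be an ordinary member account (and the same SCP should also be attached to the OU that contains it); and because compliance mode becomes permanent after the cooling-off period, the retention bounds should first be validated on a scratch vault. The destination vault's access policy must still allow `backup:CopyIntoBackupVault` from the production accounts, which the SCP above does not deny.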

Discussion
ayadmawla (Options: ABC)

The solution is A, B and C1. We need to create a Cross Account Backup -> Put it in a Backup Account -> Control modification to the backup account with SCP.
A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html
B. Add an SCP that restricts the modification of AWS Backup vaults. https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/
C1. Implement AWS Backup Vault Lock in compliance mode. https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html

devalenzuela86 (Options: ACE)

ACE for sure.
A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts. This will allow the company to securely copy their backups to other accounts that are part of their organization for operational or security reasons.
C. Implement AWS Backup Vault Lock in compliance mode. This will provide an additional layer of protection and immutability to the backup vaults, preventing any user (including the root user) or AWS from deleting or modifying the backups until the retention period is complete.
E. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier. This will help the company to avoid accidental or malicious deletion of backups by enforcing a minimum retention period and moving the backups to a lower-cost storage tier.

tiagobs

ACD you mean?

titi_r

A, C1, D you mean.

hogtrough (Options: ABC)

ABC is definitely the answer.
D. Configuring backup frequency does not do anything to prevent breaches.
E. AWS Backup does not currently support S3 as a storage location for backups. You can use AWS Backup to make a backup of S3 buckets but cannot use it to store backups.

chelbsik (Options: ABC)

ABC seems more reasonable than D (E). As others mentioned, configuring backups doesn't protect from a compromised-credentials attack. Moderator, please fix the answer letter order.

tmlong18 (Options: ABC)

ABC1 for sure

vibzr2023

Answer: ACC (ACD). There is a typo in the question: the second C should be D, D should be E, E should be F. That said, the other options:
B. SCP restricting vault modification: Offers a good layer of protection, but doesn't directly address the concern of compromised credentials in production accounts.
E. Cold Tier backups: Ensures backup accessibility in case of attacks, but doesn't specifically protect against compromised credentials.
F. S3 Object Lock: Provides immutability within the non-production account, but if that account is breached, backups could still be compromised.

arberod (Options: ACD)

ACD for sure

career360guru (Options: ACD)

A, C, D

bjexamprep (Options: ABC)

ABC are obviously correct. The question is why the rest of the answers are wrong.
C. Implement least privilege access for the IAM service role that is assigned to AWS Backup. The question is looking for a solution that survives a privileged-access breach. No matter how least privilege is granted, there must be other privileged users who can get more privileges.
D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier. Lifecycle doesn't prevent the backups from being deleted.
E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled. AWS Backup doesn't support S3 as the storage.

trungtd (Options: ACD)

A, C1, D.
B is incorrect: concern of compromised credentials: SCPs could potentially be modified by a user with sufficient privileges in the organization's master account.
C2: good for ensuring backup availability but does not directly address resilience against breaches of privileged-user credentials.
E: provides similar benefits to using AWS Backup Vault Lock but is more complex to manage. AWS Backup Vault Lock is specifically designed for backup resilience and is more straightforward to implement within AWS Backup's framework.

red_panda (Options: ABC)

A, B, C for me.

seetpt (Options: ABC)

ABC For me

vip2 (Options: ACD)

A, C (C1), D are correct in the question.

vip2 (Options: ACD)

ACD are correct, that is A, C1 and D in question.

Training

Should be BCD. https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/ Cross-Account is not feasible. Hundreds of accounts.

sarlos

ABC1 is the answer

paderni

A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
C. Implement AWS Backup Vault Lock in compliance mode.
E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.