How to sustain from Ransomware attacks using AWS Backup technics

Karthik Nair
Cloud Computing
December 23, 2021

How to sustain from Ransomware attacks using AWS Backup technics   


Ransomware is continuing as the number one threat to the data across all type of Industries. There have been sizable number of Ransomware attacks in 2021 with an increase in volume (by 37 per cent) during the ongoing pandemic noticed. SonicWall recorded an all-time high of 78.4 million ransomware attacks globally in June 2021.

Ransomware is a destructive threat for your data and in this blog, I will discuss various technics of AWS Backup that can help you to sustain from Ransomeware attacks on your AWS workload.

Some Ransomeware Artifacts

American oil pipeline system Colonial Pipeline, Acer, Chicago-based CNA Financial Corp, Kia Motors and many Indian companies are the victims of Ransomeware attacks of 2021.  


According to Sophos, the average bill for recovering from a ransomware attack, including downtime, people hours, device costs, network costs, lost opportunities, ransom paid, etc. was $1.85 million in 2021.

One of the recent reports says that U.S. government gives ransomware attacks the same level of priority as terrorism. For any organization, Ransomware attacks can have highly staggering impact.

What is Ransomeware attack

Ransomware is malicious code designed by cyber criminals to gain unauthorized access to systems and data and encrypt that data to block access by legitimate users. Once ransomware has locked users out of their systems and encrypted their sensitive data, cyber criminals demand a ransom to providing a decryption key to unlock the blocked systems and decrypt data. In theory, if the ransom is paid within the allotted time, systems and data are decrypted and made available once again and normal operations continue. However, if the ransom demand is not satisfied, organizations risk permanent destruction or public-facing data leaks controlled by the attacker. That to there is no rule of game.

Potential Impact of Ransomware

Ransomeware impacts the organization's business quite adversely. The security attack creates large financial loss for the business in the form repayment, large productivity impact, decreased revenue over time, exposure of sensitive data, and reputational damage.

The shattering fact about Ransomware attack

  • The average ransom paid in 2020 was $312,493 USD.
  • The largest recorded ransom paid was $4.5 million USD.
  • If you pay the ransom, there’s a reported 97% chance that you’ll get an active key that would decrypt your data.
  • However, 46% of the time, companies report there’s some level of corruption. And, of course, restoration isn’t immediate, so there’s still a massive impact.
  • 80% of paying organizations reportedly get hit again. It makes sense. Once you’ve paid out, organizations reveal their weakness.

Prevention is better than cure

It is always better to prevent it than curing/recovering from any Ransomware threats. There are best practices and controls AWS provides to protect from these security threats.

Mitigation and prevention capabilities are detailed in the below URL, you should enable this preventive controls and services prior to deploying critical workloads in AWS.

Should I protect my backups?

As threat actors have evolved over years, the latest tactics involves encrypting backup data along with the master/production/main data. Threat actor destroys the actual backups and deploy a new backup with their keys (encryption keys) which prevent users to restore the original backup. It is essential to ensure that bad actors don’t encrypt your backup along with your primary data. If they succeed, you will have no choice but to pay the ransom, and that will encourage them to try it again.

Unique Features of AWS Backup

There are few capabilities that enriches the security posture to protect against Ransomware attacks on your backup.

1. AWS Multi-account backup method

AWS Backup has unique feature of having a second copy of your backup in another AWS account (can be different region) part of your organization.

This capability can be extended by having an isolated and protected dedicated account to store the second copy of your critical backups.

No alt text provided for this image

The above diagram shows the usage of two accounts part of same AWS Organization storing copies of backup. The source account is where the actual workloads are running, stores backups in Backup Vault using a dedicated encryption key (AWS CMK). The copy of the backups is stored on Destination Account to add additional protection for the backup. These backups are encrypted using different encryption keys.

Please refer the following link to setup multi-account AWS backup :-

2. AWS Backup Vault Lock

AWS Backup Vault Lock enforces a write-once, read-many (WORM) setting for all the backups you store and create in a backup vault. With AWS Backup Vault Lock, you can add an additional layer of defence that protects backups (recovery points) in your backup vaults from inadvertent or malicious:

  • Delete operations and
  • Updates that shorten or otherwise alter their retention period

AWS Backup Vault Lock helps you can enforce retention periods, prevent early deletions by privileged users (including the AWS account root user), and meet your organization’s data protection policies and procedures.


AWS Backup Vault Lock takes effect immediately. It gives you a minimum three-day (72-hour) cooling-off period to delete or update its configuration before it permanently locks your vault. You can optionally extend the duration of this cooling-off period. Use this cooling-off period to test AWS Backup Vault Lock against your workloads and use cases.

After your cooling-off period expires, you cannot delete or otherwise alter AWS Backup Vault Lock using the AWS Backup console, API, CLI, or SDK.

How to Enable Vault Lock on your Backup vault:-

2.1 How to bring cost efficiency without compromising security.

Although Backup Vault provides additional layer of protection for your backups, there is cost implication of storing your backup for a longer duration as once you enabled Vault lock, you would unable to delete backups.

2.2.1 Solution approach for cost efficiency

2.2.2 Backup Plan

You create multiple backup plans created according to your backup compliance needs, each backup plan can have a Backup Vault for storage. Each of the backup plan can also have Cold Transition and retention period configured to efficiently use storage medium for cost efficiency.

No alt text provided for this image

The above screen shows the properties of backup plan that can be configured for cost efficient backup storage.

2.2.3 Transition to cold storage

AWS Backup can automatically transition your backups to cold storage. You configure AWS Backup to tier your backups to cold storage. You can access both your warm and cold backups in the same backup vault. You can't change this setting after AWS Backup transitions a recovery point to cold.

Please note “Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90 days”

2.2.4 Retention period

This configuration dictates how long to store your backups. AWS Backup automatically deletes your backups at the end of this period to save storage costs for you. AWS Backup can retain snapshots between 1 day and 100 years (or indefinitely, if you do not enter a retention period), and continuous backups between 1 and 35 days.

In the above screenshot, configuration of Transition to Cloud Storage of “1 month” and Retention period of “12 months” dictates Backup to move the backup from S3 to Cold storage after 1 month and permanently delete after 12 months.

3. Access policies on backup vaults

It is essential to lock down your backup vault from malicious access.

3.1 Deny access to delete recovery points in a backup vault

The below JSON formatted security policy prevents everyone from deleting recovery points (backups).


  "Version": "2012-10-17",

  "Statement": [


          "Sid": "statement ID",

          "Effect": "Deny",

          "Principal": "*",

          "Action": "backup:DeleteRecoveryPoint",

          "Resource": "*",

          "Condition": {

              "StringNotEquals": {

                  "aws:userId": [










Or you can simply set this permission from the console itself.

No alt text provided for this image

4. Lock the dedicated account

You should lock access to your dedicated account as same as you control the access to your master workload account, it prevents your backup copy from tampering by the bad actor when he does privilege escalation attack.

No alt text provided for this image

As a best practice, the permission for Account B (as depicted in above diagram) can be limited for the local account to ensure that the access is only used by local users for restoration.

5. Event Monitoring

While we provide all relevant protection on the backup vaults, we should also monitor activities and alert if some of the tampering activities are observed, act immediately in such situation. We can use AWS CloudWatch Alert or Event Bridge to configure alerts.

The bare minimum Events to be monitored: -

No alt text provided for this image

The above are the AWS Backup related security controls to protect against Ransomware attack, there are also certain general security principles to be followed

a)     Dedicated accounts for Backup Admins: -, Although cloud operation removes dedicated team for storage, backup etc., it is better to have a dedicated set of operators with required permission set configured for AWS Backup.

b)     Configure MFA access: - Implement two-factor authentication for all backup administrator accounts and ensure that accounts are configured with the minimum privilege required for their function.

Below list are AWS Default permissions available for your backup operators. You can curate the required permission for your backup operators instead of providing an unlimited permission.

No alt text provided for this image

Since backup operators are one of the targets in Ransomeware attacks, it is critical to set MFA for these operators.

c. Enable CloudTrail: - As Ransomware attacks happens over a long period before it visible for users. During this course, hundreds of changes would have made to your infrastrcture before encrypting your data and demanding ransom. The changes made in the Cloud infrastructure will be enabled/used by the attackers to relaunch the attacks in the event of restoration, such as creating privileged users, S3 buckets with treats etc. CloudTrail can provide you the list of activities attackers performed on your AWS infrastrcture before conducting data theft and encryption. This log trail helps you on your Incident response.,

d. Enable Guard Duty: - Amazon Guard Duty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. During attack, Privilege Escalation, Defense Evasion, Lateral Movement Command and Control and Exfiltration are few stages which can be early identified by Guard Duty.

Complete guide on Ransomware Risk Management on AWS Using the NIST Cyber

Security Framework (CSF)


There is no single tool or solution to prevent Ransomeware attacks as on date, AWS has provided many controls that can help us to protect workloads from these attacks. It is vital to use these methods when you deploy your AWS infrastrcture.

Karthik Nair

Senior cloud architect  at Wipro Limited | Cloud evangelist | AWS Community Builder

Related Posts


Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form