AWS Config Rule: Backup Recovery Point Manual Deletion Disabled


Ryan Ware

Last Update 8 months ago

Description: Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region

How to Resolve Manually

To resolve this manually, we will need to head to the AWS Backup Dashboard within the AWS Console. Head to the subheading Backup Vaults and select one of your AWS Backup Vaults.

We will need to head to the Access Policy section and ensure that we attach a statement which explicitly denies the backup:DeleteRecoveryPoint action, scoped to all recovery points within this vault.

An example Access Policy has been included below to assist you with this. 

The Policy Statement above will explicitly deny all principals from deleting all recovery points in the vault that this policy is attached to.
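Added example (not the page's own policy document and not StackZone or AWS code): the Python below builds a vault access policy with the kind of Deny statement the article describes and, separately, evaluates an existing policy document the way a simplified version of this Config rule would. The real rule's exact matching logic is not on the page, so the checker's acceptance criteria (Effect Deny, Principal "*", Resource "*", an Action covering backup:DeleteRecoveryPoint, no NotAction/NotPrincipal/Condition narrowing) are an assumption; the Sid, the account id and the sample allow-only policy are constructed values.

```python
import json
from typing import Optional

# The action the article says the Deny statement must block; shared by the
# builder and the checker so they cannot drift apart.
DELETE_ACTION = "backup:DeleteRecoveryPoint"


def build_deny_delete_policy() -> dict:
    """Return a vault access policy whose single statement denies every principal
    the backup:DeleteRecoveryPoint action on every recovery point in the vault.
    For a vault policy, Resource "*" means the vault the policy is attached to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRecoveryPointDeletion",  # constructed Sid
                "Effect": "Deny",
                "Principal": "*",
                "Action": DELETE_ACTION,
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action: str, wanted: str) -> bool:
    """IAM-style wildcard match: '*' and 'backup:*' both cover the wanted action."""
    if action == "*" or action == wanted:
        return True
    if action.endswith("*"):
        return wanted.startswith(action[:-1])
    return False


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def has_suitable_deny(policy_json: Optional[str]) -> bool:
    """Simplified stand-in for the Config rule's check (assumption: the real rule's
    matching rules are not on the page). True when some statement denies
    DELETE_ACTION to all principals on all resources without a narrowing clause."""
    if not policy_json:
        return False  # no resource-based policy at all -> NON_COMPLIANT
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction / NotPrincipal / Condition can narrow a Deny; treat as unsuitable.
        if any(k in stmt for k in ("NotAction", "NotPrincipal", "Condition")):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if any(_action_matches(a, DELETE_ACTION) for a in _as_list(stmt.get("Action"))):
            return True
    return False


# Constructed sample: a policy that only grants access has no Deny and fails the rule.
ALLOW_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # constructed account
        "Action": "backup:*",
        "Resource": "*",
    }],
})


if __name__ == "__main__":
    deny_policy = json.dumps(build_deny_delete_policy(), indent=2)
    for label, doc in (("no policy", None), ("allow-only", ALLOW_ONLY_POLICY), ("deny", deny_policy)):
        print(f"{label:10} -> {'COMPLIANT' if has_suitable_deny(doc) else 'NON_COMPLIANT'}")
    print(deny_policy)  # paste into the console, or save and attach with the CLI
```

To attach the generated document from the CLI instead of the console, save it to a file and run `aws backup put-backup-vault-access-policy --backup-vault-name <your-vault-name> --policy file://policy.json` (vault name is a placeholder). Note that a Deny on `backup:DeleteRecoveryPoint` alone does not stop a principal who can rewrite the vault policy, so in practice you would review who holds `backup:PutBackupVaultAccessPolicy` as well.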
