Kurtis Mash
Kurtis Mash is a Lead Technical Architect at The National Archives, a non-ministerial department and the official archive and publisher for the UK Government. Kurtis provides technical leadership in a range of fields, including cyber security, digital file preservation, and event-driven cloud architectures. He is most at home within AWS, working to simplify the process for multiple teams building services in the cloud and designing cloud-native solutions to manage the bursty nature of a living digital archive.
Session
The National Archives is the official archive and publisher for the UK Government. Our records include physical records such as the Domesday Book and Magna Carta, along with digital records from UK Government departments, public inquiries, and other public bodies, held both on premises and in the public cloud.
It's vitally important to protect our digital records from accidental deletion and the increasing threat of ransomware. We therefore initiated a programme to implement immutable cloud backups using the AWS Backup service within a central, segregated AWS account.
In this talk, we'll share our learnings from this programme of work, including:
- why AWS Backup compliance mode vault locks are not always truly immutable
- which KMS key types should be selected to support backup and restore to a central vault
- the importance of Logically Air Gapped (LAG) vaults
- how each AWS service has implemented backups differently
- which widely used AWS database option doesn't support centralised backup
- cost considerations for setting up backup plans
We soon learnt that it's not just a case of "Turn on AWS Backup". To deploy a centralised solution, we needed to:
- configure centralised AWS Backup vaults and vault policies
- deploy components to workload accounts, including Backup vaults, EventBridge, and IAM roles
- select the appropriate vault type depending on AWS resource type
To handle this complexity and simplify onboarding new accounts and resources to be backed up, we implemented our solution as an open-source, public Terraform module that deploys immutable AWS Backups across an AWS Organization.
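As an added illustration, and not code from The National Archives' module, the central-account half of this setup in Terraform: a vault in a segregated backup account, locked in compliance mode, with a vault policy that only lets accounts in one AWS Organization copy into it. The Organization ID, key and vault names are placeholders.

```hcl
# Added example, not The National Archives' Terraform module: a central AWS Backup
# vault in a segregated backup account, locked in compliance mode, whose vault
# policy only lets accounts in one AWS Organization copy recovery points into it.
locals {
  org_id = "o-xxxxxxxxxx" # placeholder Organization ID, not a real value
}
# Customer-managed key in the backup account: cross-account copy needs a key the
# source accounts can be granted access to, which AWS-managed keys do not allow.
resource "aws_kms_key" "central_backup" {
  description         = "Central backup vault key"
  enable_key_rotation = true
}
resource "aws_backup_vault" "central" {
  name        = "central-immutable-vault"
  kms_key_arn = aws_kms_key.central_backup.arn
}

# Setting changeable_for_days selects compliance mode: after that cooling-off
# period nobody, not even the account root user, can remove or shorten the lock.
resource "aws_backup_vault_lock_configuration" "central" {
  backup_vault_name   = aws_backup_vault.central.name
  changeable_for_days = 3
  min_retention_days  = 30
  max_retention_days  = 365
}

# Vault policy: any principal in the Organization may copy into the vault,
# but nothing here grants delete, so workload accounts cannot purge backups.
data "aws_iam_policy_document" "central_vault" {
  statement {
    sid       = "AllowOrgCopyIntoVault"
    effect    = "Allow"
    actions   = ["backup:CopyIntoBackupVault"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [local.org_id]
    }
  }
}

resource "aws_backup_vault_policy" "central" {
  backup_vault_name = aws_backup_vault.central.name
  policy            = data.aws_iam_policy_document.central_vault.json
}
```

Apply the lock last, after a test copy and restore have succeeded, because once the changeable window closes the retention bounds are permanent.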
You'll come away with an increased understanding of AWS Backup, an appreciation of its complexity and limitations, and the opportunity to greatly simplify deployment of truly immutable backups across your AWS accounts, using our public Terraform module.