

In giving training to companies on their AWS security, I advise they have backups. There was an infamous breach of a company named CodeSpaces that ran on AWS who had all of their data deleted by an attacker, and the company had to shut down within hours of the breach. I didn’t have my own house in order as well as I would have liked, so this week I set up automated backups, and did so in a generalized way that others can use via my cdk app backup_runner.

My business relies on Google Workspaces (previously known as G Suite) for email and Google Drive. My account is part of the Advanced Protection Program, but in a worst case scenario an attacker that obtained code execution on my laptop could wipe/ransom this data. I don’t know how Google would handle such an incident, but other scenarios also exist, however unlikely, that make me want to have backups of this data.

My business is only myself, so using a featureful vendor solution isn’t needed, and it is nice to avoid some third-party risk of a vendor having access to all my email and company data, so I set up backups myself in AWS. I used got-your-back and rclone for the email and drive backups respectively. Got-your-back is made by Jay Lee, a manager at Google for Enterprise support, and the creator of GAM, which is the de facto standard for interacting with the GSuite APIs. I could have used GAM for the drive backups, but it doesn’t maintain directory structure, which is important to me, so I turned to rclone.

Historically, a number of folks have set up an EC2 instance and an S3 bucket for this purpose, but I decided to run a nightly ECS container with an attached EFS, which itself is backed up via AWS Backup. The primary benefit of this architecture is that AWS Backup takes care of incremental backups for me, meaning it only stores the changes each night, and makes it easy to recover the state of my data from any day in the past 35 days (this could be set longer). The output of the script run by the ECS is recorded to CloudWatch Logs, where a CloudWatch Alarm monitors for the word “ERROR”. If found, the alarm is sent to an SNS that I’m subscribed to. The AWS Backup service will also generate events that are sent to the SNS under error conditions.

Security considerations

Encryption

AWS Backups are always encrypted. I configured my EFS to be encrypted at rest, and the access from the ECS is configured to use encryption in transit.

I am storing the backup Vault in the same account as the EFS as my primary motivation is to get the data copied to AWS. AWS did just release cross-account backups for AWS Backups, but my data already exists in two places (the live data in GSuite and the copy in the AWS account).
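As an added example (not the backup_runner CDK app’s own code, and not taken from this post), the architecture described above rendered as a CloudFormation template: an EFS encrypted at rest whose file system policy refuses clients that did not mount over TLS, an AWS Backup vault, plan and selection with 35-day retention, a CloudWatch Logs metric filter on “ERROR” feeding an alarm that notifies an SNS topic, and an EventBridge rule that routes failed AWS Backup jobs to the same topic. The resource names, the log group path, the backup schedule and the email parameter are assumptions chosen for illustration; the EFS mount target, VPC wiring and the ECS task definition are left out.

```yaml
# Added illustration of the backup architecture; not the backup_runner app's code.
# Names, schedule and log group path are assumptions. Mount target, VPC and the
# ECS task definition are omitted for brevity.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlertEmail:
    Type: String   # assumption: the address subscribed to the alert topic
Resources:
  # Encryption at rest must be chosen at creation; it cannot be enabled later.
  BackupFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      # Refuse any NFS client that did not mount over TLS (encryption in transit).
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: "elasticfilesystem:*"
            Condition: { Bool: { "aws:SecureTransport": "false" } }
  # AWS Backup: a nightly snapshot of the EFS, retained for 35 days.
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: workspace-backup-vault   # assumption
  BackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: backup.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: nightly-efs
        BackupPlanRule:
          - RuleName: nightly
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: cron(0 9 * * ? *)   # assumption: 09:00 UTC, after the nightly sync
            Lifecycle:
              DeleteAfterDays: 35
  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: efs-only
        IamRoleArn: !GetAtt BackupRole.Arn
        Resources: [!GetAtt BackupFileSystem.Arn]
  # Alerting: "ERROR" in the task's log group -> metric -> alarm -> SNS.
  AlertTopic:
    Type: AWS::SNS::Topic
  AlertSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref AlertTopic
      Protocol: email
      Endpoint: !Ref AlertEmail
  TaskLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /backup-runner/task   # assumption: the ECS task's awslogs group
  ErrorFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref TaskLogGroup
      FilterPattern: '"ERROR"'   # case-sensitive whole-term match
      MetricTransformations:
        - MetricNamespace: BackupRunner
          MetricName: ScriptErrors
          MetricValue: "1"
  ErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: BackupRunner
      MetricName: ScriptErrors
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching   # a night with no ERROR lines is healthy
      AlarmActions: [!Ref AlertTopic]
  # AWS Backup publishes job state changes to EventBridge; route failures to the same topic.
  BackupFailureRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.backup]
        detail-type: [Backup Job State Change]
        detail: { state: [FAILED, ABORTED, EXPIRED] }
      Targets:
        - { Arn: !Ref AlertTopic, Id: alert-topic }
```

Two things the template relies on but does not show: the ECS task definition’s EFS volume must set `TransitEncryption: ENABLED` in its `EFSVolumeConfiguration`, which is what makes the Deny statement on `aws:SecureTransport` pass rather than fail the mount; and the SNS topic needs a resource policy granting `events.amazonaws.com` permission to `sns:Publish` before the EventBridge rule can deliver to it. `TreatMissingData: notBreaching` matters because the metric only has data points on nights that log an error; without it the alarm would flap between INSUFFICIENT_DATA and OK every day.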
