BDR-09: Backup Encryption

Control Description

The backup tool is configured to automatically protect backups of the in-scope applications and related databases utilizing the Advanced Encryption Standard (AES).

Plain Meaning

This control requires that all backup data is automatically encrypted using AES encryption to protect sensitive information from unauthorized access, both during transmission and while stored at rest.

---

RDS Snapshot Encryption

Our organization leverages Amazon RDS and AWS Backup for comprehensive backup encryption that fully satisfies the BDR-09 control requirements.

RDS Snapshot Encryption

Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. This ensures that:

• Automatic Encryption: All RDS snapshots inherit encryption from the source database
• AES-256 Standard: Uses industry-standard AES-256 encryption algorithm
• KMS Integration: Leverages AWS Key Management Service (KMS) for key management
• Consistent Security: Maintains encryption throughout the backup lifecycle

AWS Backup Encryption Capabilities

AWS Backup provides comprehensive encryption for all backup types:

• Independent Encryption: AWS Backup can encrypt backups with different keys than the source resource
• AES-256 Algorithm: All AWS Backup encryption uses the industry-standard AES-256 encryption
• KMS Key Management: Supports both customer-managed keys (CMK) and AWS-managed keys
• Cross-Region Encryption: Automatically encrypts cross-region backup copies

Related Controls

Backup and Disaster Recovery

• BDR-04: Backup Procedures: Overall backup procedures and policies
• BDR-05: Backup Testing: Backup testing and validation
• BDR-06: Data Retention and Destruction: Data retention policies and secure deletion
• BDR-07: Backup Storage and Security: Secure backup storage implementation
• BDR-08: Daily Incremental Backups: Incremental backup procedures

Encryption Controls

• DS-01: Removable Media Encryption: Encryption of backup media
• DS-03: Data Classification and Handling: Classification of backup data
• LS-01: Database Encryption at Rest: Database backup encryption
• LS-16: Encrypted Transmissions: Encrypted backup transmission

Access Management

• LS-04: Access Authorization: Backup access authorization
• LS-05: Access Review: Regular backup access reviews
• LS-07: Privileged Access Management: Privileged backup access controls
• LS-22: Asset Management: Backup asset tracking and management

Monitoring and Logging

• COM-02: Centralized Logging Solution: Backup activity logging
• COM-08: Quarterly Internal Network Scans: Backup security scanning

Resources and References

Leadline Architecture Design

• Observability & Monitoring: Monitoring and logging for backup operations and security
• SSDLC Security Practices: Security practices for backup infrastructure and data protection

AWS Resources

• AWS Backup Encryption Documentation
• Amazon RDS Encryption
• AWS KMS Best Practices
• AWS Backup Service