Cloud Disaster Recovery Security — Backup Encryption & Cross-Region Replication Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud Disaster Recovery Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud disaster recovery security ensures backups and replicated data remain protected through encryption at rest and in transit, immutable storage, cross-region replication with access controls, and regular recovery testing across AWS, Azure, and GCP.

What You Will Learn

How to design secure disaster recovery architectures, encrypt backups, enforce immutability to prevent ransomware from corrupting backups, control access to replicated data, and test recovery procedures.

Why It Matters

Backups are the last line of defense against ransomware, data corruption, and region-wide outages. If backups are not encrypted, immutable, and stored in a separate region or account, they can be compromised alongside primary data.

Real-World Use

DodaTech's DR strategy uses AWS Backup with cross-region replication. Backups are encrypted with a KMS key in the DR region, stored in an S3 bucket with Object Lock in GOVERNANCE mode for 365 days, and accessible only through a dedicated backup administration role.

DR Security Architecture

flowchart LR
  Prod[Primary Region\nus-east-1] --> Backup[AWS Backup\nAutomated Backups]
  Backup --> Encrypt[Encrypted with KMS\nPrimary Region Key]
  Encrypt --> Replicate[Cross-Region Replication\nto us-west-2]
  
  subgraph DR Region
    Replicate --> DRKey[Encrypted with DR KMS Key]
    DRKey --> Immutable["Immutable Storage\nObject Lock / WORM"]
    Immutable --> DRRole[DR Admin Role\nSeparate IAM]
  end
  
  DRRole --> Restore[Restore Testing\nQuarterly]
  
  style Backup fill:#f90,color:#fff
  style Immutable fill:#e00,color:#fff

AWS Backup Security

AWS Backup provides centralized backup management with encryption, cross-region replication, and access control.

# Create a backup vault with encryption
aws backup create-backup-vault \
  --backup-vault-name prod-vault \
  --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/dr-key

# Create a backup plan with cross-region copy
aws backup create-backup-plan \
  --backup-plan '{
    "BackupPlanName": "prod-dr-plan",
    "Rules": [{
      "RuleName": "daily-backup",
      "TargetBackupVaultName": "prod-vault",
      "ScheduleExpression": "cron(0 3 * * ? *)",
      "StartWindowMinutes": 60,
      "Lifecycle": {"DeleteAfterDays": 90},
      "CopyActions": [{
        "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
        "Lifecycle": {"DeleteAfterDays": 365}
      }]
    }]
  }'

# Assign resources to the backup plan
aws backup create-backup-selection \
  --backup-plan-id plan-12345678 \
  --backup-selection '{
    "SelectionName": "prod-ec2-rds",
    "IamRoleArn": "arn:aws:iam::123456789012:role/aws-backup-role",
    "Resources": [
      "arn:aws:ec2:us-east-1:...:instance/i-1234567890abcdef",
      "arn:aws:rds:us-east-1:...:db:prod-orders"
    ]
  }'

# List backup vaults and their encryption status
aws backup list-backup-vaults \
  --query 'BackupVaultList[*].[BackupVaultName,EncryptionKeyArn]' \
  --output table
# Output:
# ------------------------------------------------
# | prod-vault | arn:aws:kms:us-east-1:...:key/dr-key |
# | dr-vault   | arn:aws:kms:us-west-2:...:key/dr-dr-key|
# ------------------------------------------------

Azure Site Recovery and Backup Security

Azure Site Recovery replicates workloads to a secondary region. Azure Backup provides encrypted, immutable backup storage.

# Create a Recovery Services vault (geo-redundant storage is the default redundancy)
az backup vault create \
  --resource-group prod-rg \
  --name prod-dr-vault \
  --location eastus

# Enable cross-region restore
az backup vault backup-properties set \
  --name prod-dr-vault \
  --resource-group prod-rg \
  --cross-region-restore-flag true

# Configure encryption using customer-managed keys
# (the vault's managed identity needs access to the Key Vault key)
az backup vault encryption update \
  --name prod-dr-vault \
  --resource-group prod-rg \
  --encryption-key-id https://prod-keyvault.vault.azure.net/keys/backup-key \
  --mi-system-assigned \
  --infrastructure-encryption Enabled

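# Create a backup policy with long-term retention
# (abbreviated policy JSON; `az backup policy get-default-for-vm` prints a full template)
az backup policy create \
  --resource-group prod-rg \
  --vault-name prod-dr-vault \
  --name prod-dr-policy \
  --backup-management-type AzureIaasVM \
  --policy '{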
    "backupManagementType": "AzureIaasVM",
    "schedulePolicy": {"scheduleRunFrequency": "Daily", "scheduleRunTimes": ["03:00"]},
    "retentionPolicy": {
      "dailySchedule": {"retentionDuration": {"count": 90, "durationType": "Days"}},
      "yearlySchedule": {"retentionDuration": {"count": 7, "durationType": "Years"}}
    }
  }'

# Enable soft delete for the vault
az backup vault backup-properties set \
  --name prod-dr-vault \
  --resource-group prod-rg \
  --soft-delete-feature-state Enable

# Verify the vault's encryption and soft delete settings
az backup vault show \
  --name prod-dr-vault \
  --query "{Name:name, Encryption:encryption, SoftDelete:properties.softDeleteFeatureState}" \
  --output table
# Output:
# Name          Encryption               SoftDelete
# prod-dr-vault Microsoft.KeyVault       Enabled

GCP Disaster Recovery Security

GCP provides backup and DR services through Backup and DR Service, Cloud Storage replication, and Compute Engine snapshots.

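# Keep deleted backup objects recoverable for 7 days (soft delete).
# Cross-region redundancy comes from the bucket's dual-region or multi-region
# location, which is chosen when the bucket is created.
gcloud storage buckets update gs://prod-backups \
  --soft-delete-duration 7d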

# Create a Compute Engine snapshot schedule (snapshots are encrypted at rest by default)
gcloud compute resource-policies create snapshot-schedule prod-snapshot-schedule \
  --region us-central1 \
  --max-retention-days 365 \
  --on-source-disk-delete keep-auto-snapshots \
  --daily-schedule \
  --start-time 03:00

# Attach the schedule to a disk
gcloud compute disks add-resource-policies \
  prod-data-disk \
  --resource-policies prod-snapshot-schedule \
  --zone us-central1-a

# Create a disk snapshot and copy to another region
gcloud compute snapshots create prod-disk-snapshot \
  --source-disk prod-data-disk \
  --source-disk-zone us-central1-a \
  --storage-location us-west2

# List snapshots of the disk and where they are stored
gcloud compute snapshots list \
  --filter="sourceDisk:prod-data-disk" \
  --format="table(name, diskSizeGb, status, storageLocations)"
# Output:
# name                 diskSizeGb  status  storageLocations
# prod-disk-snapshot   100         READY   [us-west2]

Immutable Backups

Immutability prevents backup deletion or modification during the retention period. AWS Backup Vault Lock, Azure soft delete, and GCP retention policies enforce immutability.

Common Mistakes

  1. Backups in the same region as production: A region-wide outage destroys both production and backups. Always replicate backups to a separate region.
  2. No encryption on backups: Unencrypted backups are a data breach waiting to happen. Encrypt all backups with customer-managed keys.
  3. No immutability: Ransomware that compromises the backup system can delete or encrypt backups. Use immutable storage to prevent modification.
  4. Same IAM role for backup and production: A compromised production role should not be able to access or delete backups. Use a separate backup administration role.
  5. Not testing recovery: Untested backups are not backups. Test full recovery procedures quarterly at minimum.
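
An added example, not part of the original tutorial or DodaTech's tooling: an audit of one backup rule and its vaults against the first three mistakes above and the immutability requirement from the Immutable Backups section. The vault records are constructed sample data shaped like `aws backup describe-backup-vault` output, and `audit` and `region` are hypothetical helper names.

```python
import json

# Constructed sample (not real output). Field names follow
# `aws backup describe-backup-vault`; the rule mirrors this page's backup plan.
VAULTS = json.loads("""[
  {"BackupVaultName": "prod-vault", "Locked": false,
   "BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:prod-vault",
   "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/dr-key"},
  {"BackupVaultName": "dr-vault", "Locked": true, "MinRetentionDays": 365,
   "BackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
   "EncryptionKeyArn": "arn:aws:kms:us-west-2:123456789012:key/dr-dr-key"}
]""")
RULE = {"TargetBackupVaultName": "prod-vault", "CopyActions": [{
    "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
    "Lifecycle": {"DeleteAfterDays": 365}}]}


def region(arn):
    """ARN layout: arn:partition:service:REGION:account:resource."""
    return arn.split(":")[3]


def audit(rule, vaults, min_days=365):
    """Check one backup rule's copy targets; return a list of findings."""
    by_arn = {v["BackupVaultArn"]: v for v in vaults}
    src = next(v for v in vaults
               if v["BackupVaultName"] == rule["TargetBackupVaultName"])
    copies = rule.get("CopyActions", [])
    findings = [] if copies else ["no copy to a second vault configured"]
    for copy in copies:
        dst = by_arn.get(copy["DestinationBackupVaultArn"])
        if dst is None:
            findings.append("copy target vault not described, cannot verify")
            continue
        name = dst["BackupVaultName"]
        if region(dst["BackupVaultArn"]) == region(src["BackupVaultArn"]):
            findings.append(f"{name}: same region as the source vault")
        key = dst.get("EncryptionKeyArn")
        if not key or key == src.get("EncryptionKeyArn"):
            findings.append(f"{name}: no KMS key separate from the source vault")
        if not dst.get("Locked") or dst.get("MinRetentionDays", 0) < min_days:
            findings.append(f"{name}: Vault Lock missing or under {min_days} days")
        elif "LockDate" not in dst:
            # Without LockDate the lock can still be changed or deleted.
            findings.append(f"{name}: Vault Lock is still removable (no LockDate)")
    return findings


if __name__ == "__main__":
    for line in audit(RULE, VAULTS):
        print(line)
```

With the sample data the audit reports that the lock on dr-vault is still removable, because a Vault Lock applied without a lock date can be changed or deleted at any time.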

Practice Questions

  1. How does cross-region backup replication protect against region failures?
  2. What is the purpose of AWS Backup Vault Lock?
  3. How does Azure Backup soft delete prevent accidental backup deletion?
  4. Why should backup encryption use a different key than production data?
  5. How often should disaster recovery testing occur?

Challenge

Design a secure disaster recovery strategy across all three clouds. Implement AWS Backup with cross-region replication and Vault Lock. Configure Azure Backup with geo-redundant storage, customer-managed encryption, and soft delete. Set up GCP Compute Engine snapshot schedules with cross-region copy. Ensure all backups are immutable for at least one year. Create separate IAM roles for backup administration. Document the recovery procedure and test it.

FAQ

What is cloud disaster recovery security?

The practice of protecting backup and replicated data through encryption, immutability, access controls, and cross-region storage to ensure recoverability after an incident.

How does AWS Backup Vault Lock work?

Vault Lock enforces a WORM (write-once-read-many) model on backup vaults, preventing backups from being deleted or altered during the lock period.

What is Azure Backup soft delete?

Soft delete retains deleted backup data for 14 days (configurable), allowing recovery of accidentally or maliciously deleted backups.

Does GCP support immutable backups?

Yes, using Cloud Storage retention policies and Bucket Lock for immutable object storage.

Why should backups be in a different AWS region?

A region-wide disaster or compromise affects all resources in the region. Cross-region backups ensure data survives the loss of an entire region.
