Cloud Disaster Recovery Security — Backup Encryption & Cross-Region Replication Guide
In this tutorial, you'll learn about Cloud Disaster Recovery Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud disaster recovery security ensures backups and replicated data remain protected through encryption at rest and in transit, immutable storage, cross-region replication with access controls, and regular recovery testing across AWS, Azure, and GCP.
What You Will Learn
How to design secure disaster recovery architectures, encrypt backups, enforce immutability to prevent ransomware from corrupting backups, control access to replicated data, and test recovery procedures.
Why It Matters
Backups are the last line of defense against ransomware, data corruption, and region-wide outages. If backups are not encrypted, immutable, and stored in a separate region or account, they can be compromised alongside primary data.
Real-World Use
DodaTech's DR strategy uses AWS Backup with cross-region replication. Backups are encrypted with a KMS key in the DR region, stored in an S3 bucket with Object Lock in GOVERNANCE mode for 365 days, and accessible only through a dedicated backup administration role.
DR Security Architecture
flowchart LR
Prod[Primary Region\nus-east-1] --> Backup[AWS Backup\nAutomated Backups]
Backup --> Encrypt[Encrypted with KMS\nPrimary Region Key]
Encrypt --> Replicate[Cross-Region Replication\nto us-west-2]
subgraph DR Region
Replicate --> DRKey[Encrypted with DR KMS Key]
DRKey --> Immutable["Immutable Storage\nObject Lock / WORM"]
Immutable --> DRRole[DR Admin Role\nSeparate IAM]
end
DRRole --> Restore[Restore Testing\nQuarterly]
style Backup fill:#f90,color:#fff
style Immutable fill:#e00,color:#fff
AWS Backup Security
AWS Backup provides centralized backup management with encryption, cross-region replication, and access control.
# Create a backup vault with encryption
aws backup create-backup-vault \
--backup-vault-name prod-vault \
--encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/dr-key
# Create a backup plan with cross-region copy
aws backup create-backup-plan \
--backup-plan '{
"BackupPlanName": "prod-dr-plan",
"Rules": [{
"RuleName": "daily-backup",
"TargetBackupVaultName": "prod-vault",
"ScheduleExpression": "cron(0 3 * * ? *)",
"StartWindowMinutes": 60,
"Lifecycle": {"DeleteAfterDays": 90},
"CopyActions": [{
"DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
"Lifecycle": {"DeleteAfterDays": 365}
}]
}]
}'
# Assign resources to the backup plan
aws backup create-backup-selection \
--backup-plan-id plan-12345678 \
--backup-selection '{
"SelectionName": "prod-ec2-rds",
"IamRoleArn": "arn:aws:iam::123456789012:role/aws-backup-role",
"Resources": [
"arn:aws:ec2:us-east-1:...:instance/i-1234567890abcdef",
"arn:aws:rds:us-east-1:...:db:prod-orders"
]
}'
# List backup vaults and their encryption status
aws backup list-backup-vaults \
--query 'BackupVaultList[*].[BackupVaultName,EncryptionKeyArn]' \
--output table
# Output:
# ------------------------------------------------
# | prod-vault | arn:aws:kms:us-east-1:...:key/dr-key |
# | dr-vault | arn:aws:kms:us-west-2:...:key/dr-dr-key|
# ------------------------------------------------
Azure Site Recovery and Backup Security
Azure Site Recovery replicates workloads to a secondary region. Azure Backup provides encrypted, immutable backup storage.
# Create a Recovery Services vault with geo-redundant storage
az backup vault create \
--resource-group prod-rg \
--name prod-dr-vault \
--location eastus
# Enable cross-region restore
az backup vault backup-properties set \
--name prod-dr-vault \
--resource-group prod-rg \
--cross-region-restore-flag true
# Configure encryption using customer-managed keys
az backup vault encryption update \
--name prod-dr-vault \
--resource-group prod-rg \
--encryption-key-id https://prod-keyvault.vault.azure.net/keys/backup-key \
--infrastructure-encryption Enabled
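# Create a backup policy with long-term retention
# (the JSON below is abbreviated; `az backup policy get-default-for-vm` prints a complete template)
az backup policy create \
--resource-group prod-rg \
--vault-name prod-dr-vault \
--name prod-dr-policy \
--backup-management-type AzureIaasVM \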
--policy '{
"backupManagementType": "AzureIaasVM",
"schedulePolicy": {"scheduleRunFrequency": "Daily", "scheduleRunTimes": ["03:00"]},
"retentionPolicy": {
"dailySchedule": {"retentionDuration": {"count": 90, "durationType": "Days"}},
"yearlySchedule": {"retentionDuration": {"count": 7, "durationType": "Years"}}
}
}'
# Enable soft delete for the vault
az backup vault backup-properties set \
--name prod-dr-vault \
--resource-group prod-rg \
--soft-delete-feature-state Enable
# Verify the vault configuration
az backup vault show \
--name prod-dr-vault \
--resource-group prod-rg \
--query "{Name:name, Encryption:encryption, SoftDelete:properties.softDeleteFeatureState}" \
--output table
# Output:
# Name Encryption SoftDelete
# prod-dr-vault Microsoft.KeyVault Enabled
GCP Disaster Recovery Security
GCP provides backup and DR services through Backup and DR Service, Cloud Storage replication, and Compute Engine snapshots.
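# Keep deleted backup objects recoverable for 7 days (soft delete).
# Cross-region redundancy for a bucket comes from its location type
# (dual-region or multi-region), which is chosen when the bucket is created.
gcloud storage buckets update gs://prod-backups \
--soft-delete-duration=7d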
# Create a Compute Engine snapshot schedule with encryption
gcloud compute resource-policies create snapshot-schedule prod-snapshot-schedule \
--region us-central1 \
--max-retention-days 365 \
--on-source-disk-delete keep-auto-snapshots \
--daily-schedule \
--start-time 03:00
# Attach the schedule to a disk
gcloud compute disks add-resource-policies \
prod-data-disk \
--resource-policies prod-snapshot-schedule \
--zone us-central1-a
# Create a disk snapshot and copy to another region
gcloud compute snapshots create prod-disk-snapshot \
--source-disk prod-data-disk \
--source-disk-zone us-central1-a \
--storage-location us-west2
gcloud compute snapshots list \
--filter="sourceDisk:prod-data-disk" \
--format="table(name, diskSizeGb, status, storageLocations)"
# Output:
# name diskSizeGb status storageLocations
# prod-disk-snapshot 100 READY [us-west2]
Immutable Backups
Immutability prevents backup deletion or modification during the retention period. AWS Backup Vault Lock, Azure soft delete, and GCP retention policies enforce immutability.
Common Mistakes
- Backups in the same region as production: A region-wide outage destroys both production and backups. Always replicate backups to a separate region.
- No encryption on backups: Unencrypted backups are a data breach waiting to happen. Encrypt all backups with customer-managed keys.
- No immutability: Ransomware that compromises the backup system can delete or encrypt backups. Use immutable storage to prevent modification.
- Same IAM role for backup and production: A compromised production role should not be able to access or delete backups. Use a separate backup administration role.
- Not testing recovery: Untested backups are not backups. Test full recovery procedures quarterly at minimum.
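The checks implied by the Immutable Backups section and the mistakes listed above can be run automatically against a backup plan. The following is an added example, not DodaTech's code: the function names `audit` and `region` are hypothetical, the vault descriptions are constructed sample data shaped like `aws backup describe-backup-vault` output, and the 365-day threshold is taken from the one-year target in the Challenge.

```python
import json

REQUIRED_DAYS = 365  # assumption: the page's one-year immutability target

def region(arn):
    # ARN layout: arn:partition:service:region:account:resource
    return arn.split(":")[3]

def audit(plan, vaults, required_days=REQUIRED_DAYS):
    """Return findings for one backup plan; an empty list means all checks pass."""
    findings = []
    for rule in plan["Rules"]:
        name = rule["RuleName"]
        src = vaults[rule["TargetBackupVaultName"]]
        copies = rule.get("CopyActions", [])
        if not copies:
            findings.append(f"{name}: no cross-region copy")
        for copy in copies:
            dest_arn = copy["DestinationBackupVaultArn"]
            dest = vaults.get(dest_arn.rsplit(":", 1)[1], {})
            if region(dest_arn) == region(src["BackupVaultArn"]):
                findings.append(f"{name}: copy stays in {region(dest_arn)}")
            if not dest.get("EncryptionKeyArn"):
                findings.append(f"{name}: destination vault has no known KMS key")
            elif dest["EncryptionKeyArn"] == src.get("EncryptionKeyArn"):
                findings.append(f"{name}: copy shares the source KMS key")
            if not dest.get("Locked") or dest.get("MinRetentionDays", 0) < required_days:
                findings.append(f"{name}: destination vault lock under {required_days} days")
            if copy.get("Lifecycle", {}).get("DeleteAfterDays", 0) < required_days:
                findings.append(f"{name}: copy retention under {required_days} days")
    return findings

# Constructed sample data: the page's plan rule, plus vault descriptions shaped
# like `aws backup describe-backup-vault` output (lock state and key ARNs invented).
PLAN = json.loads("""{"Rules": [{"RuleName": "daily-backup",
  "TargetBackupVaultName": "prod-vault", "Lifecycle": {"DeleteAfterDays": 90},
  "CopyActions": [{"DestinationBackupVaultArn":
      "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
    "Lifecycle": {"DeleteAfterDays": 365}}]}]}""")
VAULTS = {
    "prod-vault": {"BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:prod-vault",
                   "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-PRIMARY"},
    "dr-vault": {"BackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
                 "EncryptionKeyArn": "arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-DR",
                 "Locked": False},  # Vault Lock not applied yet
}

if __name__ == "__main__":
    for finding in audit(PLAN, VAULTS):
        print(finding)
```

With the sample data, the only finding is the unlocked DR vault; the IAM role separation from the list above is not covered and needs a separate policy review.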
Practice Questions
- How does cross-region backup replication protect against region failures?
- What is the purpose of AWS Backup Vault Lock?
- How does Azure Backup soft delete prevent accidental backup deletion?
- Why should backup encryption use a different key than production data?
- How often should disaster recovery testing occur?
Challenge
Design a secure disaster recovery strategy across all three clouds. Implement AWS Backup with cross-region replication and Vault Lock. Configure Azure Backup with geo-redundant storage, customer-managed encryption, and soft delete. Set up GCP Compute Engine snapshot schedules with cross-region copy. Ensure all backups are immutable for at least one year. Create separate IAM roles for backup administration. Document the recovery procedure and test it.