AWS Security Hub · Backup
Backup.1: Backup vault recovery points are not KMS-encrypted
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Backup.1 check?
Backup.1 looks at each AWS Backup recovery point and fails when its IsEncrypted flag is false. Whether a recovery point is encrypted depends on the vault's KMS key and, for some resource types, on the source resource — the control catches the cases where that chain breaks.
Why does Backup.1 matter?
A single recovery point of a production database contains every row of every customer record at the moment of backup. If it is unencrypted and an attacker gets read access to the vault — a misconfigured IAM role, a compromised CI runner with backup permissions, a cross-account share — the entire database walks out the door. GDPR Article 32, HIPAA, and PCI DSS all require encryption at rest, and auditors do not accept "the source was unencrypted" as a defence.
How do I fix Backup.1?
- Assign a customer-managed KMS key to the backup vault and rotate it on a schedule.
- Encrypt the source EBS volume or RDS instance — their snapshots inherit encryption from the source, so an unencrypted source produces an unencrypted recovery point regardless of the vault key.
- Recreate affected recovery points from now-encrypted sources.
Remediation script · bash

```bash
# 1. Bulk-enable free SSE-SQS on every queue in the region that has neither SSE-KMS nor SSE-SQS.
for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do
  kms=$(aws sqs get-queue-attributes --queue-url "$q" --attribute-names KmsMasterKeyId \
        --query 'Attributes.KmsMasterKeyId' --output text)
  sse=$(aws sqs get-queue-attributes --queue-url "$q" --attribute-names SqsManagedSseEnabled \
        --query 'Attributes.SqsManagedSseEnabled' --output text)
  # --output text prints "None" for a missing attribute; an unencrypted queue has no key and SSE-SQS off.
  if [ "$kms" = "None" ] && [ "$sse" != "true" ]; then
    aws sqs set-queue-attributes --queue-url "$q" --attributes '{"SqsManagedSseEnabled":"true"}' \
      && echo "encrypted $q"
  fi
done

# 2. High-throughput stream: SSE-KMS with a 5-minute data-key reuse window to keep KMS cost flat.
aws kinesis start-stream-encryption --stream-name payment-events \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

# 3. Find unencrypted recovery points (Backup.1 reads IsEncrypted per recovery point, not per vault).
aws backup list-recovery-points-by-backup-vault --backup-vault-name prod-backups \
  --query 'RecoveryPoints[?IsEncrypted==`false`].[RecoveryPointArn,ResourceType]' --output table

# 4. Confirm an at-rest Config rule is evaluating so regressions are caught automatically.
aws configservice describe-compliance-by-config-rule --config-rule-names sqs-queue-encrypted \
  --query 'ComplianceByConfigRules[].Compliance.ComplianceType'
```

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt other services at rest (queues, streams, logs, ML).
Is Backup.1 a false positive?
Configuring the vault with a KMS key is not sufficient on its own. EBS and RDS snapshots inherit encryption from their source, so the control can still fail with the root cause back at an unencrypted volume or instance.
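To route each Backup.1 finding to the right one of the three fixes above, the triage below (an added example, not code from this page or from AWS Backup) separates a still-unencrypted source from a stale snapshot of a now-encrypted source and from a vault-key problem. It works offline over dicts shaped like the ListRecoveryPointsByBackupVault items with constructed sample data; fetching live recovery points and the EBS/RDS encryption flags with boto3 is assumed to be done by the caller.

```python
# Added example (not AWS's or this page's code): triage Backup.1 findings by root
# cause, offline, over dicts shaped like the AWS Backup API; live lookups via
# boto3 are left to the caller (assumption).
from dataclasses import dataclass

SOURCE_INHERITED = {"EBS", "RDS"}  # recovery points that inherit the source's encryption

@dataclass
class Triage:
    recovery_point_arn: str
    resource_type: str
    root_cause: str  # "ok", "source-unencrypted", "stale-snapshot" or "vault-key"
    remediation: str

def triage_recovery_points(recovery_points, source_encrypted):
    """recovery_points: items from ListRecoveryPointsByBackupVault (RecoveryPointArn,
    ResourceType, ResourceArn, IsEncrypted). source_encrypted: ResourceArn -> bool,
    the source's own flag (EBS Volume.Encrypted, RDS DBInstance.StorageEncrypted)."""
    results = []
    for rp in recovery_points:
        arn, rtype, src = rp["RecoveryPointArn"], rp["ResourceType"], rp["ResourceArn"]
        if rp.get("IsEncrypted", False):
            cause, fix = "ok", "none"
        elif rtype in SOURCE_INHERITED and not source_encrypted.get(src, False):
            # The vault key cannot help: the snapshot inherits the source's encryption.
            cause, fix = "source-unencrypted", f"encrypt {src}, then take a new backup"
        elif rtype in SOURCE_INHERITED:
            # The source is encrypted now; this recovery point predates the fix.
            cause, fix = "stale-snapshot", "recreate the recovery point from the encrypted source"
        else:
            # Vault-managed type: encryption comes from the vault's KMS key.
            cause, fix = "vault-key", "assign a customer-managed KMS key to the vault and re-run the backup"
        results.append(Triage(arn, rtype, cause, fix))
    return results

def _rp(rp_arn, rtype, src, encrypted):  # builder for the constructed sample below
    return {"RecoveryPointArn": rp_arn, "ResourceType": rtype, "ResourceArn": src, "IsEncrypted": encrypted}

# Constructed sample input (placeholder account 111122223333 and resource ids).
ACCT = "111122223333"
SAMPLE_POINTS = [
    _rp("arn:aws:ec2:us-east-1::snapshot/snap-0a", "EBS", f"arn:aws:ec2:us-east-1:{ACCT}:volume/vol-0a", False),
    _rp(f"arn:aws:rds:us-east-1:{ACCT}:snapshot:awsbackup:job-0b", "RDS", f"arn:aws:rds:us-east-1:{ACCT}:db:orders", False),
    _rp(f"arn:aws:backup:us-east-1:{ACCT}:recovery-point:0c", "EFS", f"arn:aws:elasticfilesystem:us-east-1:{ACCT}:file-system/fs-0c", False),
    _rp(f"arn:aws:backup:us-east-1:{ACCT}:recovery-point:0d", "DynamoDB", f"arn:aws:dynamodb:us-east-1:{ACCT}:table/sessions", True),
]
SAMPLE_SOURCE_ENCRYPTED = {SAMPLE_POINTS[0]["ResourceArn"]: False,  # volume still unencrypted
                          SAMPLE_POINTS[1]["ResourceArn"]: True}   # DB encrypted after this backup ran
```

Running `triage_recovery_points(SAMPLE_POINTS, SAMPLE_SOURCE_ENCRYPTED)` yields one finding per root cause, which is the split you want before applying a vault-wide key change that cannot fix the EBS and RDS cases.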