Resilience Bundle

AWS Backup (including the newer Logically Air-Gapped Vault), AWS Vault Lock, and cross-account/cross-region disaster recovery patterns via AWS Elastic Disaster Recovery (DRS). On the Security Specialty exam, resilience isn't really about uptime — it's about whether your recovery data and recovery PATH survive the same incident that took down production, especially ransomware and a fully compromised account.

Domains: Data Protection — primary role | Governance — immutability/retention | Responsive — recovery execution

Key facts at a glance:
  • Immutable: logically air-gapped vaults are immutable by default
  • Nov 2025: KMS CMK support added to LAG vaults
  • 72 hrs: Vault Lock compliance-mode grace period
  • MPA: multi-party approval for recovery

The Core Mental Model — Recovery Has to Survive the Incident

The Question Behind Every Resilience Scenario
⚠️ The Recurring Exam Theme

Resilience questions on this exam are really asking: "if the production account/credentials are fully compromised, does your backup survive?" A standard backup vault in the SAME account as production — even with Vault Lock — is still reachable by a sufficiently privileged compromised identity in that account (Vault Lock protects against accidental/malicious deletion attempts subject to IAM, but doesn't change which account the data lives in). The textbook answer to "ransomware-resilient, cross-account-isolated backup" is almost always a Logically Air-Gapped Vault shared to a separate recovery account via RAM — not just Vault Lock alone.

Exam Domain Mapping

Domain | Where This Bundle Shows Up
Data Protection | The centerpiece — backup immutability, encryption of recovery points, retention enforcement
Threat Detection & Incident Response | Ransomware recovery scenarios, GuardDuty malware scanning of backups before restore
Management & Security Governance | Cross-account backup sharing via RAM, Multi-party approval governance, Backup Audit Manager compliance controls
Identity & Access Management | Cross-account DRS failback IAM roles, recovery-account access governance

Decision Tree — Mental Model

Threat

Ransomware encrypting/deleting production data AND any backups reachable from the compromised account; full account compromise eliminating the owning account's ability to authorize its own recovery; AZ/Region outage

Security Goal

Ensure recovery data is immutable, isolated from the production account's own blast radius, and recoverable even if the production account itself is inaccessible

AWS Service

The Resilience Bundle:
  • AWS Backup (standard vaults)
  • Vault Lock (WORM immutability)
  • Logically Air-Gapped Vault (cross-account isolation)
  • AWS DRS (continuous replication + failover)

Implementation

Centralize backup policy via Organizations backup policies; copy critical backups to a LAG vault in a separate recovery account; enable Multi-party approval for that vault; replicate critical EC2 workloads via DRS to a separate recovery Region/account.

Monitoring

GuardDuty malware scanning of recovery points before restore; Backup Audit Manager controls for cross-Region/cross-account copy and Vault Lock compliance; failover/failback drill results.

Remediation

Direct restore from the LAG vault in the isolated recovery account; DRS failover to recovery instances; structured failback (reversed replication) once the primary is clean and restored.

Final Summary

Must Memorize
  • Logically Air-Gapped Vaults are immutable BY DEFAULT (auto-compliance-lock) — no separate Vault Lock configuration step required
  • Vault Lock Compliance mode = truly immutable after the grace period (~72 hrs) — not even root can shorten retention or delete while recovery points exist; Governance mode is removable by authorized IAM principals
  • LAG vaults share via AWS RAM to a separate recovery account for direct restore — this cross-account isolation is the key ransomware-resilience property
  • KMS customer-managed key support for LAG vaults was added November 2025 (previously AWS-owned key only)
  • DRS supports both cross-Region AND cross-account failover/failback, requiring pre-created Failback/right-sizing IAM roles in both directions
Must Understand
  • Why a standard backup vault in the SAME account as production doesn't fully solve the "compromised admin credential" threat model
  • Multi-party approval's role: authorizing recovery access even when the vault-OWNING account itself becomes inaccessible
  • The distinction triangle: standard vault (baseline) vs Vault Lock (immutability within the account) vs LAG vault (immutability + cross-account isolation)
Can De-prioritize
  • Exact dollar pricing per GB stored/restored
  • Console UI navigation specifics
  • Full list of every AWS service AWS Backup supports

Exam appearance probability: MEDIUM-HIGH

Core Services — Deep Dive

AWS Backup — Core Concepts (Centralized, policy-driven)
What it does | Centralizes and automates backup across AWS services (EC2, EBS, RDS, DynamoDB, EFS, FSx, S3, EKS, and more) under unified backup plans, retention rules, and lifecycle policies
Backup vault | The logical container storing recovery points — by default a STANDARD vault, reachable/deletable by sufficiently privileged IAM principals in the same account
Organizations backup policies | Centrally enforce consistent backup plans across every account in an AWS Organization, ensuring no account "forgets" to back up a resource type
Cross-Region / cross-account copy | A backup plan can automatically copy recovery points to a different Region and/or a different account as part of the same backup job
  • GuardDuty integration: malware scanning of backups can occur BEFORE a restore is completed, catching ransomware/malware that may have been silently captured into the backup itself.
AWS Backup Vault Lock (WORM immutability)
Governance mode | Provides WORM protection, but IAM principals with specific permissions CAN still remove the lock or modify retention settings — flexible, but not truly tamper-proof against an insider/compromised admin
Compliance mode | Once the grace period (typically 72 hours) expires, the lock becomes PERMANENT — the vault cannot be deleted while recovery points exist, and the retention period cannot be shortened by ANYONE, including the root user
  • Vault Lock protects against accidental or malicious DELETION/RETENTION-SHORTENING within the rules of the lock — it does NOT, by itself, move the data out of the production account's blast radius. A compromised account with sufficient access could, in theory, still reach a Vault-Locked vault in that same account (though not delete protected recovery points in Compliance mode) — this is precisely the gap LAG vaults close with cross-account isolation.
  • "Enforce a retention period that even our own root user cannot shorten, for regulatory compliance" → Vault Lock in Compliance mode.
Logically Air-Gapped (LAG) Vault (Exam priority: High — the sharpest 2024-2026 addition)
Status | GA since August 2024 (preview since 2023); service coverage continues to expand
Default protection | Immutable backup copies, LOCKED BY DEFAULT (automatic Compliance-mode Vault Lock) — no separate Vault Lock configuration step needed
Encryption | Encrypted with an AWS-owned KMS key by default, so that deletion of a CUSTOMER-managed key (accidental or malicious) cannot be turned into an attack vector against the backups; as of November 2025, customer-managed KMS keys (CMKs) are also supported for organizations needing that level of control
Cross-account sharing | Shared to other accounts (including across an entire AWS Organization) via AWS Resource Access Manager (RAM), enabling DIRECT restore from the shared account without first copying the backup elsewhere
Service coverage growth | EC2, EBS, RDS, S3, EFS at preview (2023); expanded to single-step cross-Region database snapshot copy for Aurora, Neptune, and DocumentDB (Feb 2026); expanded to support Amazon EKS (March 2026)
  • The single-step cross-Region database copy (Feb 2026) eliminated a previously required two-step process — copy to the target Region's standard vault FIRST, then copy again to the LAG vault. The old way required custom Lambda/scripts just to monitor intermediate copy status; the new single-action copy achieves faster RPOs and removes the intermediate cost entirely.
  • "Protect our backups so that even if our production account is fully compromised by ransomware with admin-level access, the backup data in a separate account remains intact and directly restorable" → Logically Air-Gapped Vault shared via RAM to an isolated recovery account, not just Vault Lock alone.
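The distinction triangle above (standard vault, Vault Lock in Governance or Compliance mode, LAG vault) and the "survives account compromise" bar can be turned into an audit check. The following is an added example, not code from the page or from AWS: it models a vault on the fields that `aws backup describe-backup-vault` returns (VaultType, Locked, LockDate), assumes the VaultType strings shown are the documented API values, and uses the page's own bar (a LAG vault owned by an account other than production) as the pass condition.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed vault model; field names mirror `aws backup describe-backup-vault`
# output (VaultType, Locked, LockDate). Assumption: the VaultType strings below
# are the documented API values; the owner id would come from the vault ARN.
LAG = "LOGICALLY_AIR_GAPPED_BACKUP_VAULT"
STANDARD = "BACKUP_VAULT"
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed clock

@dataclass
class Vault:
    name: str
    account_id: str
    vault_type: str = STANDARD
    locked: bool = False
    lock_date: Optional[datetime] = None  # set only for Compliance-mode locks

def lock_tier(v: Vault, now: datetime) -> str:
    """Place a vault on the page's distinction triangle."""
    if v.vault_type == LAG:
        return "lag"  # Compliance-mode lock is applied automatically at creation
    if not v.locked:
        return "standard"
    if v.lock_date is None:
        return "vault-lock-governance"  # removable by authorized IAM principals
    # Compliance mode: still changeable until LockDate, permanent (even for root) after it
    return "vault-lock-compliance" if now >= v.lock_date else "vault-lock-compliance-grace"

def survives_account_compromise(v: Vault, production_account: str) -> bool:
    """The page's bar: a LAG vault owned by an account other than production."""
    return v.vault_type == LAG and v.account_id != production_account

def audit(vaults: List[Vault], production_account: str, now: datetime) -> Dict[str, str]:
    """One finding per vault: OK only when immutability AND isolation both hold."""
    findings = {}
    for v in vaults:
        tier = lock_tier(v, now)
        if survives_account_compromise(v, production_account):
            findings[v.name] = "OK: immutable and isolated from the production account"
        elif tier == "standard":
            findings[v.name] = "GAP: standard vault, deletable by a privileged principal"
        else:
            findings[v.name] = f"GAP: {tier} protects retention but not account isolation"
    return findings

def sample_vaults(now: datetime) -> List[Vault]:
    """Constructed sample, one vault per rung; production account is 111111111111."""
    return [
        Vault("prod-std", "111111111111"),
        Vault("prod-gov", "111111111111", locked=True),
        Vault("prod-grace", "111111111111", locked=True, lock_date=now + timedelta(hours=72)),
        Vault("prod-comp", "111111111111", locked=True, lock_date=now - timedelta(days=1)),
        Vault("recovery-lag", "222222222222", vault_type=LAG),
    ]
```

Running `audit(sample_vaults(SAMPLE_NOW), "111111111111", SAMPLE_NOW)` flags every vault in the production account, including the Compliance-locked one, and passes only the LAG vault in the recovery account.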
Multi-Party Approval (MPA) for LAG Vaults (Exam priority: High — exam-fresh, June 2025)
What it does | Requires multiple authorized individuals to approve critical recovery operations (like sharing/restoring from a LAG vault) BEFORE they execute — a distributed decision-making control preventing any single person from unilaterally authorizing recovery
The specific gap it closes | Authorizes access to backups for approved accounts EVEN WHEN the vault-OWNING account itself becomes inaccessible due to an inadvertent or malicious event — solving the "what if the account that owns the air-gapped vault is itself the one that got compromised/locked out" problem
Mechanism | Approval teams are managed through an IAM Identity Center-enabled Approval portal; team members review and approve sharing/recovery requests collaboratively
Cost | No additional charge for integrating and using MPA teams with LAG vaults
  • This directly supports a "clean recovery account" pattern: provision a separate, pristine recovery account in advance, and use MPA-governed sharing requests to authorize restoring into it when needed — without depending on the (possibly compromised) original owning account's continued availability or trustworthiness.
AWS Elastic Disaster Recovery (DRS) (Continuous replication + failover)
What it does | Continuously replicates EC2-based workloads (and on-premises/other-cloud servers) at the block level to a recovery Region, enabling fast (minutes) recovery instance launch during an actual disaster
Cross-Region failback | After failing over to a recovery Region, DRS supports failing BACK to the original source Region — but failback requires starting REVERSED replication first (copying data from the recovered instances back to the source), which takes time and incurs cross-Region data transfer cost
Cross-account failback | Also supported between AWS accounts — requires Failback and in-AWS right-sizing IAM roles to be pre-created via the Trusted Account page, in BOTH directions (source-to-recovery AND recovery-to-source)
Opt-in Region constraint | If either the source or recovery Region is an opt-in Region, that Region must be explicitly enabled in BOTH the source and recovery accounts; if both are opt-in Regions, both must be enabled in both accounts
  • Recovered instances after failover are NOT automatically protected going forward — to protect them, you must navigate to the recovery instance and (in a real DR event, as opposed to a drill) begin the reversed-replication/failback protection process deliberately.
  • Traffic redirection (e.g. via Route 53) to the newly failed-back instances is NOT handled by DRS itself — it's a separate step using your own DNS/traffic management tooling.
  • Cross-PARTITION failback (e.g. commercial ↔ GovCloud) is explicitly NOT supported; cross-Region failback WITHIN the GovCloud partition (us-gov-west-1 ↔ us-gov-east-1) is supported.
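The failback prerequisites listed above (same partition, opt-in Regions enabled in both accounts, failback/right-sizing roles in both directions, and reversed replication started by hand after a real failover) make a natural pre-drill checklist. This is an added example, not DRS code or an AWS API: the `Account` model, the `trusted_for_failback` field standing in for roles pre-created on the Trusted Account page, and the prefix-based `partition()` rule (commercial, GovCloud, China) are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Set

def partition(region: str) -> str:
    """Partition a Region belongs to. Assumption: prefix rule covers the partitions in scope."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"

@dataclass
class Account:
    account_id: str
    enabled_opt_in_regions: Set[str] = field(default_factory=set)
    # Constructed stand-in for "Failback and in-AWS right-sizing roles pre-created on the
    # Trusted Account page": the set of peer account ids this account trusts for failback.
    trusted_for_failback: Set[str] = field(default_factory=set)

def failback_blockers(source: Account, source_region: str,
                      recovery: Account, recovery_region: str,
                      opt_in_regions: Set[str]) -> List[str]:
    """Return every prerequisite from the page that this source/recovery pair fails."""
    issues = []
    if partition(source_region) != partition(recovery_region):
        issues.append(f"cross-partition failback {source_region} <-> {recovery_region} is not supported")
    # An opt-in Region on either side must be enabled in BOTH accounts
    for region in (source_region, recovery_region):
        if region in opt_in_regions:
            for acct in (source, recovery):
                if region not in acct.enabled_opt_in_regions:
                    issues.append(f"opt-in Region {region} is not enabled in account {acct.account_id}")
    # Cross-account failback needs the roles in BOTH directions
    if source.account_id != recovery.account_id:
        if recovery.account_id not in source.trusted_for_failback:
            issues.append("source account has no failback/right-sizing roles for the recovery account")
        if source.account_id not in recovery.trusted_for_failback:
            issues.append("recovery account has no failback/right-sizing roles for the source account")
    return issues

def post_failover_todo(is_drill: bool, reversed_replication_started: bool) -> List[str]:
    """Steps DRS does NOT do for you after a failover (the page's 'very next step' trap)."""
    todo = []
    if not is_drill and not reversed_replication_started:
        todo.append("start reversed replication: recovered instances are not yet protected")
    todo.append("redirect traffic (e.g. Route 53) yourself; DRS does not touch DNS")
    return todo
```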

AWS Exam Thinking

Requirement → Keywords → Expected Answer → why every distractor fails.

Requirement: Protect backups so they remain intact and restorable even if production account credentials are fully compromised by ransomware
Keywords: ransomware-resilient, survives account compromise, cross-account isolation
Expected Answer: Logically Air-Gapped Vault shared via RAM to a separate recovery account

Distractor | Why it's wrong
Vault Lock alone in the production account | Protects against deletion/retention-shortening within IAM rules, but the data still lives in the SAME, now-compromised account — doesn't achieve the cross-account isolation the requirement needs
Standard backup vault with cross-Region copy only | Still within the same account — protects against a Regional outage, not an account-level compromise

Requirement: Enforce a retention period that not even the account's own root user can shorten
Keywords: retention enforcement, not even root
Expected Answer: Vault Lock in Compliance mode

Distractor | Why it's wrong
Vault Lock in Governance mode | Authorized IAM principals CAN still remove the lock or modify retention — doesn't meet the "not even root" bar

Requirement: Authorize backup recovery access even though the original vault-owning account has become completely inaccessible
Keywords: owning account inaccessible, authorize recovery anyway
Expected Answer: Multi-Party Approval for the Logically Air-Gapped Vault

Distractor | Why it's wrong
Standard RAM sharing alone | RAM sharing alone doesn't provide a governed approval mechanism specifically designed to function when the OWNING account itself is inaccessible — MPA's approval team/portal is the purpose-built solution

Requirement: Achieve a fast (minutes-scale) failover for EC2-based workloads to a different AWS Region during an actual disaster
Keywords: fast failover, EC2 workloads, minutes-scale recovery
Expected Answer: AWS Elastic Disaster Recovery (DRS)

Distractor | Why it's wrong
AWS Backup with cross-Region copy alone | Backup/restore is generally slower than DRS's continuous block-level replication purpose-built for fast EC2 failover; Backup is point-in-time recovery, not continuous near-real-time replication

Requirement: Reduce RPO and eliminate intermediate copy costs when sending Aurora database snapshots to a cross-Region air-gapped vault
Keywords: single-step copy, Aurora, cross-Region LAG vault
Expected Answer: Single-action database snapshot copy directly to the cross-Region LAG vault (Feb 2026 capability)

Distractor | Why it's wrong
Two-step copy (target Region vault, then LAG vault) with a custom Lambda monitor | The OLD, pre-Feb-2026 pattern — now unnecessary; the single-action copy achieves the same outcome faster and cheaper, without custom monitoring scripts

Integrations

Service | What it contributes
AWS Resource Access Manager (RAM) | The mechanism for sharing a Logically Air-Gapped Vault to other accounts (including cross-Organization) for direct restore
Amazon GuardDuty | Malware scanning of backups before restore completes, catching ransomware/malware captured into a recovery point
AWS KMS | Encrypts LAG vault recovery points — AWS-owned key by default, customer-managed key (CMK) supported since November 2025, from the same account or across accounts
IAM Identity Center | Powers the Multi-Party Approval portal where approval team members review and authorize LAG vault sharing/recovery requests
AWS Organizations | Backup policies centrally enforce consistent backup plans across every account; LAG vaults can be shared across an entire Organization
AWS Backup Audit Manager | Provides controls specifically for cross-Region copy, cross-account copy, and Vault Lock compliance — generating audit evidence of resilience posture

Costs, Limits & Quotas

Pricing Model

Item | Pricing
AWS Backup | Per-GB stored (warm/cold tiers), plus restore charges
Cross-Region/cross-account copy | Standard data transfer charges apply for the copy operation
Multi-Party Approval | No additional charge to integrate/use with LAG vaults
AWS DRS | Per-hour charge per replicated source server, plus underlying storage/compute for replication and recovery instances; cross-Region failback transfer incurs standard data transfer cost

Limits & Quotas

Limit | Detail
Vault Lock compliance grace period | Typically 72 hours — after which the lock is permanent for the life of any recovery points in the vault
LAG vault service coverage (preview-era baseline) | EC2, EBS, RDS, S3, EFS — since expanded to include Aurora/Neptune/DocumentDB cross-Region single-step copy (Feb 2026) and EKS (March 2026)
DRS cross-partition failback | NOT supported between commercial and GovCloud partitions; cross-Region failback WITHIN GovCloud (us-gov-west-1 ↔ us-gov-east-1) is supported
DRS opt-in Region requirement | Any opt-in Region involved in failover/failback must be explicitly enabled in BOTH the source and recovery accounts
⚠️ Exam trap

After a DRS failover, the newly recovered instances are NOT automatically protected against a further incident — reversed replication/failback protection must be deliberately initiated. This is a common "what's the very next step after failover" trap.

Best Practices & Common Exam Traps

8 — Best Practices

Must Know
  • LAG vaults are immutable by default — no separate Vault Lock step required
  • Vault Lock Compliance mode = immutable even from root after the grace period; Governance mode is removable by authorized IAM
  • LAG vault cross-account sharing (via RAM) is what actually achieves ransomware/compromised-account resilience — Vault Lock alone doesn't move data out of the production account
  • MPA solves recovery authorization even when the vault-owning account itself is inaccessible
  • DRS failover ≠ automatic ongoing protection — reversed replication must be deliberately started afterward
Good Practice
  • Use Organizations backup policies to centrally enforce consistent backup coverage across all accounts
  • Copy critical backups to a LAG vault in a dedicated, isolated recovery account
  • Enable GuardDuty malware scanning before restore for any backup that could have captured an active compromise
  • Conduct regular DRS failover AND failback drills, not just failover drills
Advanced Practice
  • Provision a "clean recovery account" in advance and govern access to it via Multi-Party Approval-backed LAG vault sharing
  • Use customer-managed KMS keys on LAG vaults (since Nov 2025) where regulatory requirements demand it, over the AWS-owned-key default
  • Use the single-action cross-Region database snapshot copy for Aurora/Neptune/DocumentDB to simplify and accelerate the cross-Region LAG vault pattern
  • Pre-create cross-account DRS failback IAM roles in BOTH directions well before an actual incident, not during one

9 — Common Exam Traps

Misconception | Reality
"Vault Lock alone makes our backups ransomware-proof" | It prevents deletion/retention-shortening, but the data still lives in the same (potentially compromised) account — a Logically Air-Gapped Vault shared cross-account is what achieves true isolation
"Governance mode and Compliance mode provide the same level of immutability" | Governance mode is removable by authorized IAM principals; Compliance mode becomes permanent (not even root can override) after the grace period
"LAG vaults require manually configuring Vault Lock after creation" | False — LAG vaults come with automatic Compliance-mode lock by default, no separate configuration step
"After a DRS failover, our workload is automatically protected against a second incident" | False — reversed replication/failback protection must be deliberately initiated; recovered instances are unprotected until then
"DRS failback works the same way across any two AWS partitions" | False — cross-partition failback (commercial ↔ GovCloud) is explicitly unsupported; only cross-Region failback within the same partition (including within GovCloud) is supported

Lookalike Comparisons

Comparison | What actually differs
Standard vault vs Vault Lock vs LAG vault | Reachable/deletable baseline vs WORM-protected (same account) vs immutable AND cross-account-isolated by default — increasing levels of resilience against the same-account compromise threat
Vault Lock Governance vs Compliance mode | Removable by authorized IAM principals vs permanently immutable (not even root) after the grace period expires
RAM sharing alone vs Multi-Party Approval | Grants cross-account access to the resource generally vs specifically governs and authorizes RECOVERY requests, including when the owning account itself is inaccessible
AWS Backup vs AWS DRS | Point-in-time recovery points on a backup schedule vs continuous, near-real-time block-level replication purpose-built for fast EC2 failover — different RPO/RTO profiles for different workload criticality
DRS failover vs failback | Launching recovery instances in the target Region/account during a disaster vs the structured, reversed-replication process to return to the original source afterward — failback is NOT just "failover in reverse," it has its own distinct prerequisites

Flashcards — 16 Cards


Practice Quiz — 9 Questions

SCS-C02 scenario style, Easy → Specialty.
