Enable immutable backups

After 24 hours: Verify backups

You must wait 24 hours to ensure that at least one backup exists.

  • Go to AWS console > AWS Backup > Backup vaults
  • Verify that the vault lock status is Locked – Governance mode.
  • Go to the backup vault with the same name as your environment
  • Verify that there is at least one recovery point

Info

Governance mode locks can be modified by users with extended permissions.

Compliance mode locks can only be modified for changeable_for_days days. After that, the lock cannot be modified by any user, including the root user. This ensures that the backups cannot be deleted by anyone.

Step 1: Enable immutable backups

In the file config_override.tf create a new local changeable_for_days like this:

locals {
    ...
    changeable_for_days = 3
    ...
}

This sets a three-day wait period, after which the lock becomes immutable.

Step 2: Apply the configuration

Warning

Once these changes are applied, a three-day countdown begins. When Compliance mode is in effect, backups can only be deleted by lifecycle rules. Not even AWS Support can override this lock.

Initialize Terraform and apply the configuration:

terraform init
terraform apply

Step 3: Verify vault lock

  • Go to AWS console > AWS Backup > Backup vaults
  • Verify that the vault lock status is Locked – Compliance mode.
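The console checks above (lock status in Governance or Compliance mode, and at least one recovery point after 24 hours) can also be scripted against the same data the console shows. The following is an added example, not part of this page or the project's Terraform module: it classifies a DescribeBackupVault response into the lock states the Info box describes, using the field semantics from the AWS Backup API (a locked vault without a LockDate is a Governance mode lock; with a LockDate it is a Compliance mode lock that becomes immutable once that date has passed). The sample responses, the vault name "prod-env" and the helper names are constructed for the example; `fetch_vault` assumes boto3 and AWS credentials and is not exercised offline.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Lock states derived from the DescribeBackupVault response fields
# Locked, LockDate, MinRetentionDays and NumberOfRecoveryPoints.
UNLOCKED = "unlocked"
GOVERNANCE = "governance"                      # Locked, no LockDate: removable by a user with extended permissions
COMPLIANCE_PENDING = "compliance-pending"      # LockDate in the future: still inside the changeable_for_days window
COMPLIANCE_IMMUTABLE = "compliance-immutable"  # LockDate passed: no user, root included, can remove it


def classify_vault_lock(vault: dict, now: datetime) -> str:
    """Map one DescribeBackupVault response to a lock state."""
    if not vault.get("Locked"):
        return UNLOCKED
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return GOVERNANCE
    return COMPLIANCE_PENDING if lock_date > now else COMPLIANCE_IMMUTABLE


def days_until_immutable(vault: dict, now: datetime) -> Optional[int]:
    """Whole days left in the changeable window; 0 once immutable; None without a compliance lock."""
    lock_date = vault.get("LockDate")
    if not vault.get("Locked") or lock_date is None:
        return None
    return max(0, (lock_date - now).days)


def verify_vault(vault: dict, now: datetime, expected: str, min_recovery_points: int = 1) -> List[str]:
    """Return findings; an empty list means the vault passes the checks this page asks for."""
    findings = []
    mode = classify_vault_lock(vault, now)
    if mode != expected:
        findings.append(f"lock mode is {mode}, expected {expected}")
    points = vault.get("NumberOfRecoveryPoints", 0)
    if points < min_recovery_points:
        findings.append(f"only {points} recovery point(s), expected at least {min_recovery_points}")
    # The lock only blocks manual deletion; MinRetentionDays is what bounds how early a
    # lifecycle rule may expire a recovery point, so flag a compliance lock that leaves it unset.
    if mode in (COMPLIANCE_PENDING, COMPLIANCE_IMMUTABLE) and not vault.get("MinRetentionDays"):
        findings.append("MinRetentionDays is not set; lifecycle rules could expire recovery points immediately")
    return findings


def fetch_vault(name: str) -> dict:
    """Live lookup; boto3 is imported lazily so the offline samples below run without it."""
    import boto3  # assumption: boto3 is installed and AWS credentials are configured
    return boto3.client("backup").describe_backup_vault(BackupVaultName=name)


# Constructed sample responses in the shape boto3 returns (LockDate is a datetime); not real vaults.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_VAULTS = {
    "governance": {"BackupVaultName": "prod-env", "Locked": True,
                   "MinRetentionDays": 7, "NumberOfRecoveryPoints": 3},
    "pending": {"BackupVaultName": "prod-env", "Locked": True, "MinRetentionDays": 7,
                "LockDate": NOW + timedelta(days=2, hours=6), "NumberOfRecoveryPoints": 0},
    "immutable": {"BackupVaultName": "prod-env", "Locked": True, "MinRetentionDays": 7,
                  "LockDate": NOW - timedelta(days=1), "NumberOfRecoveryPoints": 12},
    "no-min-retention": {"BackupVaultName": "prod-env", "Locked": True,
                         "LockDate": NOW - timedelta(days=30), "NumberOfRecoveryPoints": 5},
}

if __name__ == "__main__":
    for label, vault in SAMPLE_VAULTS.items():
        print(label, classify_vault_lock(vault, NOW), days_until_immutable(vault, NOW),
              verify_vault(vault, NOW, COMPLIANCE_IMMUTABLE))
```

Run it as-is to see the four sample states, or replace a sample with `fetch_vault("<your environment name>")` and `datetime.now(timezone.utc)` to check a real vault; an empty findings list for `COMPLIANCE_IMMUTABLE` is the programmatic equivalent of the Step 3 console check once the countdown has ended.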