Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Centrally manage AWS Backup from the Management account to enforce consistent backup coverage for resources in the core landing zone accounts - Management, Log Archive, and Audit - using organization backup policies and cross-account vault copies stored in the Log Archive account.
Core landing zone accounts host infrastructure that underpins the entire organization: CloudTrail log buckets, Config delivery channels, IAM Identity Center configuration, Security Hub aggregation, and audit tooling. Loss of this data through accidental deletion or ransomware would impair both operations and compliance posture across every workload account. AWS Backup organization policies (a type of Organizations policy) are attached to the Management, Log Archive, and Audit OUs from the Management account and define backup plans that automatically protect tagged resources without requiring any action from member account operators. Backup recovery points are written to a vault in the source account and copied to a separate cross-account vault in the Log Archive account. The Log Archive vault is protected with AWS Backup Vault Lock in compliance mode, making recovery points immutable for the duration of the retention window and preventing deletion even by the vault owner.
Core landing zone accounts are high-value targets. An attacker or misconfigured automation that corrupts or deletes Config history, CloudTrail archives, or Identity Center configuration can neutralize the organization's ability to detect, investigate, and respond to incidents. Centralized backup via organization policy removes the dependency on per-account manual configuration and ensures that backup coverage cannot be disabled by member account administrators. Vault Lock in the Log Archive account prevents recovery points from being deleted even if the Management account is compromised.
Remediation Strategy
Enable organization-level backup, create vaults with Vault Lock in the Log Archive account, and attach a central backup policy to core OUs.
Enable organization backup features in the Management account.
Create LandingZoneCoreVault in core accounts and ArchiveVault with compliance-mode Vault Lock in Log Archive.
Deploy the Organizations Backup Policy to the core accounts OU.
Tag target resources with BackupPlan: LandingZoneCore.
# ==============================================================================
# STEP 1: INITIALIZE ORGANIZATION POLICY
# ==============================================================================
ROOT_ID=$(aws organizations list-roots --query "Roots[0].Id" --output text)
aws organizations enable-policy-type \
--root-id "$ROOT_ID" \
--policy-type BACKUP_POLICY
# ==============================================================================
# STEP 2: PROVISION VAULTS & VAULT LOCK (RUN VIA CENTRAL STACK OR LOCAL PROFILE)
# ==============================================================================
aws backup create-backup-vault --backup-vault-name LandingZoneCoreVault
aws backup create-backup-vault --backup-vault-name ArchiveVault
# Apply Immutable Compliance Mode Vault Lock
# This triggers a 72-hour cooling period where it can still be modified
aws backup put-backup-vault-lock-configuration \
--backup-vault-name ArchiveVault \
--min-retention-days 1 \
--max-retention-days 365 \
--changeable-for-days 3
# ==============================================================================
# STEP 3: ASSEMBLE AND ATTACH POLICY TO OU
# ==============================================================================
# Validate structure and create the Organization Backup Policy
POLICY_ID=$(aws organizations create-policy \
--name "CoreBackup" \
--type BACKUP_POLICY \
--content file://policy.json \
--query "Policy.PolicySummary.Id" \
--output text)
# Attach to your designated Organizational Unit
aws organizations attach-policy \
--policy-id "$POLICY_ID" \
--target-id "<OU_ID>"Enforcement Logic
Verify organization-wide backup settings and policy attachments via Organizations API. Audit backup job completion and cross-account recovery points in the ArchiveVault.
# Verify Org Policy and Settings
aws backup describe-global-settings --query "GlobalSettings.isCrossAccountBackupEnabled"
aws organizations list-policies --filter BACKUP_POLICY
aws organizations list-targets-for-policy --policy-id <ID>
# Verify Jobs (Last 24h)
aws backup list-backup-jobs --by-state COMPLETED --by-created-after $(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)
# Verify Archive Vault
aws backup list-recovery-points-by-backup-vault --backup-vault-name ArchiveVaultResources in the Log Archive account that are themselves backup targets (e.g. the central S3 logging bucket) are excluded from the backup plan to prevent circular dependencies. Their protection is provided by S3 Versioning and Object Lock rather than AWS Backup.
Ephemeral EC2 instances used for short-lived build or test workloads within core accounts may be excluded if they carry no persistent state, subject to documented approval and a tag of BackupExempt: true.
Vault Lock in compliance mode cannot be removed after the changeable_for_days cool-off window expires - even by AWS Support. Set changeable_for_days to at least 3 to allow for misconfiguration correction before the lock becomes permanent. The organization backup policy uses @@assign operator semantics from the Organizations policy language; @@append and @@remove are also available for policy inheritance across nested OUs. The date filter in the backup job detection query uses GNU date syntax (Linux); on macOS replace with date -u -v-24H +%Y-%m-%dT%H:%M:%SZ. The AWS Backup IAM role requires both the backup and restore managed policies - the restore policy is frequently omitted and causes restore job failures discovered only during an actual DR event.