CP-9(8) / A.12.3.1 / CIS-10.3 NIST SP 800-53 Rev 5

Are cloud workload backups isolated from the production account/credentials?

Demonstrate that cloud workload backup repositories and access credentials are administratively and logically isolated from production accounts, preventing lateral movement from compromised production resources to backup infrastructure.

Description

What this control does

This control ensures that cloud workload backups are stored in separate accounts or protected by independent credentials that are isolated from the production environment. The isolation prevents a single compromised credential set from enabling both production system access and backup deletion. Effective implementation typically involves cross-account backup vaults, separate IAM roles with no cross-trust, or air-gapped backup repositories that production workloads cannot access directly. This architectural separation is critical for ransomware resilience and disaster recovery integrity.

Control objective

What auditing this proves

Demonstrate that cloud workload backup repositories and access credentials are administratively and logically isolated from production accounts, preventing lateral movement from compromised production resources to backup infrastructure.

Associated risks

Risks this control addresses

  • Ransomware operators with production credentials delete or encrypt backups before deploying payload, eliminating recovery options
  • Compromised production service account or IAM role with write/delete permissions destroys backup data during incident
  • Insider threat with production access maliciously purges backups to maximize damage or cover evidence of exfiltration
  • Credential stuffing or phishing attack grants adversary simultaneous access to production and backup infrastructure through shared authentication
  • Automated malware spreading laterally through cloud APIs identifies and corrupts backup snapshots using production API tokens
  • Misconfigured IAM policies inadvertently grant production workloads deletion rights over backup repositories during infrastructure-as-code deployment
  • Compliance violation resulting in inability to demonstrate immutable or isolated backup storage during regulatory audit or breach investigation

Testing procedure

How an auditor verifies this control

  1. Obtain architectural diagrams and IAM policy documentation showing backup account structure, cross-account relationships, and credential management boundaries.
  2. Inventory all backup repositories, vaults, and snapshot storage locations across cloud subscriptions, identifying the owning account or project for each.
  3. Review IAM roles, service principals, and credentials used by production workloads, documenting all permissions related to backup operations.
  4. Examine IAM policies and role trust relationships attached to backup repositories to verify production accounts lack delete, modify, or administrative permissions.
  5. Select a representative sample of production compute resources and attempt to enumerate backup vault contents using their assigned credentials or instance profiles.
  6. Review backup configuration files and infrastructure-as-code templates to confirm cross-account ARNs, external IDs, or separate authentication mechanisms are defined.
  7. Verify that backup administrator access requires separate authentication factors or a privileged access workstation that is not used for production operations.
  8. Test credential rotation and break-glass procedures to confirm production credential compromise does not yield backup vault access through cached tokens or shared secrets.
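
A static check an auditor can run over an exported vault access policy when working through steps 4 and 6, added here as an example and not part of this control page. It assumes AWS Backup vault access policies in JSON, a constructed production account ID (111111111111), and a simplified IAM evaluation: principals are matched by account ID, Condition and Resource elements are ignored, and only this resource policy is evaluated.

```python
"""Added example (constructed policies): does an AWS Backup vault access policy let a
production account take destructive actions? Principal matched by account ID; Condition/Resource ignored."""
import fnmatch
import json

DESTRUCTIVE_ACTIONS = ("backup:DeleteRecoveryPoint", "backup:DeleteBackupVault",
                       "backup:UpdateRecoveryPointLifecycle")
PROD_ACCOUNT = "111111111111"  # constructed sample production account ID
PROD_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:root"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_accounts(statement):
    """Account IDs named in the statement's Principal; '*' means any principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    # 'arn:aws:iam::ACCOUNT:root' -> ACCOUNT; a bare account ID or '*' is kept as-is
    return {p.split(":")[4] if p.startswith("arn:") else p
            for p in _as_list(principal.get("AWS", []))}

def _matches(statement, account, action):
    accounts = _principal_accounts(statement)
    if "*" not in accounts and account not in accounts:
        return False
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))

def destructive_grants(policy_json, production_accounts):
    """Map each destructive action to the production accounts this policy lets perform it.
    As in IAM evaluation, an explicit Deny overrides any Allow."""
    statements = json.loads(policy_json)["Statement"]
    findings = {}
    for account in production_accounts:
        for action in DESTRUCTIVE_ACTIONS:
            allowed = any(s["Effect"] == "Allow" and _matches(s, account, action) for s in statements)
            denied = any(s["Effect"] == "Deny" and _matches(s, account, action) for s in statements)
            if allowed and not denied:
                findings.setdefault(action, []).append(account)
    return findings

# Weak: the production account can do anything to the vault, including deleting recovery points.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PROD_ARN}, "Action": "backup:*", "Resource": "*"}]})
# Hardened: production may only copy into the vault; destructive actions are explicitly denied.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PROD_ARN}, "Action": "backup:CopyIntoBackupVault",
     "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": PROD_ARN}, "Action": list(DESTRUCTIVE_ACTIONS),
     "Resource": "*"}]})
```

A clean result from the resource policy alone is necessary but not sufficient: identity policies of principals in the same account as the vault can still grant these actions, which is why the pass criteria require a separate account or credentials with no trust relationship to production.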

Evidence required

The auditor collects IAM policy JSON exports showing backup vault permissions, cross-account role trust policies, and production service account permissions; screenshots of backup vault access control lists demonstrating separate account ownership; infrastructure-as-code configuration files defining backup account isolation; and logs from attempted backup vault enumeration using production credentials showing access denial.

Pass criteria

All backup repositories are located in separate cloud accounts or protected by credentials with no trust relationship to production IAM principals, and testing confirms production credentials cannot list, modify, or delete backup data.