Add entropy scan support and remove requirement for elastio:resource tag on aws-backup-restored resource #83

Merged
Changes from 3 commits
13 changes: 11 additions & 2 deletions aws-backup-elastio-integration/elastio-api/README.md
Expand Up @@ -12,10 +12,13 @@ An encrypted and compressed copy of your data can be efficiently imported into a

Elastio can scan the resource created as part of [AWS Backup restore testing](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing.html). The temporarily restored resource may be modified by Elastio directly for better performance and optimized cost. For example, Elastio stops the restored EC2 instance, detaches its volumes and attaches them to the worker EC2 instance that performs the scan.

> ❗Elastio never modifies customer's data. IAM permissions restrict Elastio to modify **only** resources created and managed by Elastio itself. All such resources have `elastio:resource=true` tag. During regular operation of Elastio all data is treated as sensitive and Elastio can only read and create snapshots of customer resources. AWS Backup restore testing is an exception where a temporarily restored resource is created and handed to the scanning software to restore-test it.
---

For Elastio to be able to modify the temporarily restored resource, you must grant explicit permission by adding a tag `elastio:resource=true` to the restored resource.
❗Elastio never modifies customer's production data. IAM permissions restrict Elastio to modify **only** the resources listed below.
- Resources created and managed by Elastio itself. All such resources have `elastio:resource=true` tag.
- Resources created by AWS Backup restore testing. All such resources have `awsbackup-restore-test` tag.

During regular operation of Elastio all data is treated as sensitive and Elastio can only read and create snapshots of customer resources. AWS Backup restore testing is an exception where a temporarily restored resource is created and handed to the scanning software to restore-test it.

## Lambda API

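Review bot: the second bullet of the new permission list widens the set of resources Elastio may modify from the exact `elastio:resource=true` key/value pair to anything carrying an `awsbackup-restore-test` tag, but names only a tag key; the README should state the full key and value the IAM condition matches on (and who applies it, since the bullet says AWS Backup restore testing creates these resources), so a reader knows that a resource outside a restore-testing plan must never carry that tag, given that the paragraph above describes Elastio stopping the instance and detaching its volumes. Also check the `---` line placed above the ❗ note: CommonMark treats `---` directly under a paragraph line as a setext heading underline rather than a horizontal rule, so a blank line should separate it from the preceding text.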
Expand Down Expand Up @@ -70,6 +73,12 @@ Elastio Connector stack deploys an AWS Lambda function named `elastio-bg-jobs-se
// Optional. If omitted then malware scan is disabled.
"malware": true,

// Optional. If omitted then entropy scan is disabled. Warning! Enabling this
// kind of scan may result in a lot of noise alerts, since it checks for files
// becoming encrypted. File encryption often happens during regular operation
// of many applications, and thus doesn't immediately imply a ransomware attack.
"entropy": false,

// Name of the AWS EventBridge event bus scan reports will be written to.
//
// Optional. If omitted, the value will be read from an SSM parameter named
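Review bot: the comment on the new `entropy` option warns about noise but does not say what an entropy finding means (a file that has become high-entropy, i.e. likely encrypted or compressed) or how it differs from a `malware` finding, which the reader needs to decide whether to enable it; suggest a sentence to that effect, and "may result in a lot of noise alerts" reads better as "may produce many false-positive alerts". Since the sample shows `"entropy": false` while the line above shows `"malware": true`, also say explicitly that `false` equals the default so nobody copies the sample expecting the scan to be on.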