Skip to main content
LOWBackupSecurity

Backup Vault Hardening

backup-vault-hardening

What this rule checks

Detects Backup vaults using AWS-managed keys or without a vault lock for compliance.

How to fix it

  1. 1Specify a customer-managed KMS key via EncryptionKeyArn
  2. 2Add a BackupVaultLock to enforce retention and prevent deletion
FlaggedThe backup vault has neither a customer-managed KMS key (EncryptionKeyArn) nor any vault lock, so cdk-insights raises the two backup-vault-hardening findings (default AWS-managed key + no vault lock).
import * as backup from 'aws-cdk-lib/aws-backup';

// No EncryptionKeyArn (default AWS-managed key) and no lock configuration.
new backup.CfnBackupVault(this, 'Vault', {
  backupVaultName: 'app-backup-vault',
});
FixedSupplying encryptionKeyArn plus an inline lockConfiguration (minRetentionDays) satisfies both branches of the check β€” the vault is CMK-encrypted and lock-protected β€” so zero backup-vault-hardening findings are emitted.
import * as backup from 'aws-cdk-lib/aws-backup';

// Customer-managed KMS key + inline Backup Vault Lock (compliance mode).
new backup.CfnBackupVault(this, 'Vault', {
  backupVaultName: 'app-backup-vault',
  encryptionKeyArn:
    'arn:aws:kms:eu-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
  lockConfiguration: {
    minRetentionDays: 30,
  },
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::Backup::BackupVaultAWS::Backup::BackupVaultLock

Compliance frameworks

SOC2HIPAANIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate β€” a genuinely public endpoint, say. You can dismiss backup-vault-hardening and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "backup-vault-hardening", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::backup-vault-hardening',
  reason: 'Why this is intentional',
});

Use the rule ID backup-vault-hardening shown above β€” not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs β†’

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app β€” free, no account, your code never leaves your machine.

More Backup rules