Backup Vault Hardening
backup-vault-hardening
What this rule checks
Detects Backup vaults using AWS-managed keys or without a vault lock for compliance.
How to fix it
- 1Specify a customer-managed KMS key via EncryptionKeyArn
- 2Add a BackupVaultLock to enforce retention and prevent deletion
import * as backup from 'aws-cdk-lib/aws-backup';
// No EncryptionKeyArn (default AWS-managed key) and no lock configuration.
new backup.CfnBackupVault(this, 'Vault', {
backupVaultName: 'app-backup-vault',
});import * as backup from 'aws-cdk-lib/aws-backup';
// Customer-managed KMS key + inline Backup Vault Lock (compliance mode).
new backup.CfnBackupVault(this, 'Vault', {
backupVaultName: 'app-backup-vault',
encryptionKeyArn:
'arn:aws:kms:eu-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
lockConfiguration: {
minRetentionDays: 30,
},
});CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
Affected resource types
AWS::Backup::BackupVaultAWS::Backup::BackupVaultLockIntentional? Suppress this finding
Sometimes a flag is deliberate β a genuinely public endpoint, say. You can dismiss backup-vault-hardening and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "backup-vault-hardening", "reason": "Why this is intentional" }
]
}Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::backup-vault-hardening',
reason: 'Why this is intentional',
});Use the rule ID backup-vault-hardening shown above β not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs β
Catch this in your stack
$ npx cdk-insights scanCDK Insights runs this and 118+ other rules locally against your synthesised CDK app β free, no account, your code never leaves your machine.