Ransomware protection with immutable AWS Backup - it's complicated ...

Paul Schwarzenberger, Kurtis Mash

fwd:cloudsec Europe 2025 · Day 1 · Main Room

Paul Schwarzenberger and Kurtis Mash presented the National Archives UK's journey to implement a centralized, immutable **AWS Backup** solution that protects their digital archives (which include records ranging from the Domesday Book to the Magna Carta) against ransomware attacks. The talk candidly exposed the significant complexity hidden beneath the seemingly simple task of "just turning on AWS Backup", covering KMS key type trade-offs, vault lock modes, cross-account backup architecture, service-specific feature gaps, and cost considerations. The National Archives has open-sourced their entire Terraform module for centralized immutable AWS Backup, giving the community a production-tested implementation that handles the many sharp edges they discovered.

AI review

A thorough, practical walkthrough of implementing centralized immutable AWS Backup at the National Archives UK. The talk excels at documenting the real sharp edges (KMS key deletion undermining vault lock, service-specific feature gaps, Organizations policy limitations) and provides a production-tested open-source Terraform module. While there is no novel vulnerability research or offensive content, the defensive depth is genuine and the open-source contribution adds lasting value.

Watch on YouTube