
WAF-SOV-030 – Backup Location & Retention Controlled

Description

Backup policies MUST explicitly define region/location constraints, minimum retention periods, and restore test schedules. Cross-region replication MUST be explicitly approved and directed exclusively to valid sovereign regions.

Backup storage MUST remain within the same jurisdictional boundary as primary data — except with explicitly documented approval.

Rationale

Backups are often the first sovereignty leak that audit teams overlook. A primary database may reside in an approved EU region while automated backup replication silently routes data to a US DR region.

Every backup configuration is a potential data residency violation. Restore tests validate both technical recoverability and that backup data has not ended up in non-sovereign storage.

Threat Context

Risk | Description
Backup replication to US region | Automated DR replication silently routes backup data to non-approved destination regions.
Provider-default backup storage | Managed service backups land in provider-managed storage outside the approved jurisdiction.
Untested restore processes | RPO/RTO violation because the restore process was never practiced.
Missing retention policy | Unclear retention leads to indefinite storage of sensitive data or premature deletion.
Cross-region copy jobs | Scheduled snapshot copies exfiltrate backup data to non-sovereign regions.

Regulatory Mapping

Framework | Controls
GDPR | Art. 5(1)(e) – Storage limitation; Art. 32 – Security of processing; Art. 44–46 – Transfers to third countries
BSI C5:2020 | OPS-04 – Data management; BCM-01 – Business continuity management
EUCS (ENISA) | BCR-01 – Backup policy; DSP-04 – Data portability
ISO 27001:2022 | A.8.13 – Information backup; A.5.29 – Information security during business disruption
BSI C3A:2026 | Dimension 4 – Data: Backup location and residency; Dimension 6 – Supply Chain: Backup provider inventory

Requirement

  • Backup configurations MUST set location/region explicitly

  • backup_retention_period MUST be at least 7 days (non-prod) and 30 days (prod)

  • Point-in-Time Recovery (PITR) MUST be enabled for database services with PII/financial data

  • Cross-region replication MUST be explicitly approved and directed to a sovereign target region

  • Restore tests MUST be performed and documented at least annually (quarterly for critical data)

  • Backup resources MUST be tagged with data-residency and data-class consistent with source data

Implementation Guidance

  1. Declare backup resources in IaC: No implicit backup configurations; all settings explicit.

  2. Set retention periods by data category and enforce in IaC.

  3. Enable PITR for all databases with personal or financial data.

  4. Review cross-region replication: Target region in approval list; DPO review if outside.

  5. Configure immutable backups (Object Lock / Soft Delete) for critical data categories.

  6. Schedule restore drills and document: backup ID, timestamp, achieved RTO, findings.

  7. Tag backup vaults: data-residency and data-class consistent with source data.

Maturity Levels

Level | Name | Criteria
1 | Backups enabled, location uncontrolled | Backups enabled for critical databases; no explicit location constraints.
2 | Location and retention defined in IaC | Backup vault location in approved region; minimum retention set and enforced.
3 | Full sovereign backup posture | All backup targets verified in approved regions; PITR for PII/financial data; cross-region replication approved.
4 | Continuous monitoring and tested restores | Quarterly restore tests with evidence; automated checks for backup location compliance; alerts on backup jobs to non-approved regions.
5 | Immutable, auditable sovereign backup process | Object Lock / immutable backups enforced; restore drills automated with RTO measurement; backup compliance dashboard for auditors.

Terraform Checks

waf-sov-030.tf.aws.db-instance-backup-retention

Checks: RDS backup_retention_period >= 7 days.

# Compliant
resource "aws_db_instance" "main" {
  backup_retention_period = 30
  backup_window           = "03:00-04:00"
  # ...
}

# Non-Compliant
resource "aws_db_instance" "main" {
  backup_retention_period = 0  # ❌ 0 disables automated backups
  # ...
}

waf-sov-030.tf.aws.dynamodb-pitr-enabled

Checks: DynamoDB PITR must be enabled.

# Compliant
resource "aws_dynamodb_table" "sovereign" {
  name = "sovereign-table"
  point_in_time_recovery {
    enabled = true
  }
  # ...
}

# Non-Compliant
resource "aws_dynamodb_table" "sovereign" {
  name = "sovereign-table"
  # ❌ No point_in_time_recovery block: PITR stays disabled
  # ...
}

waf-sov-030.tf.azurerm.recovery-vault-location

Checks: Azure Recovery Services Vault must reside in an approved sovereign region.

# Compliant
resource "azurerm_recovery_services_vault" "backup" {
  name                = "rsv-sovereign-prod"
  location            = "germanywestcentral"
  resource_group_name = azurerm_resource_group.main.name
  sku                 = "Standard"
  soft_delete_enabled = true
}

# Non-Compliant
resource "azurerm_recovery_services_vault" "backup" {
  name                = "rsv-prod"
  location            = "eastus"  # ❌ Non-sovereign region
  resource_group_name = azurerm_resource_group.main.name
  sku                 = "Standard"
}

waf-sov-030.tf.aws.s3-versioning-enabled

Checks: S3 backup buckets must have versioning enabled.

# Compliant
resource "aws_s3_bucket_versioning" "backup" {
  bucket = aws_s3_bucket.backup.id
  versioning_configuration {
    status = "Enabled"  # ✅
  }
}

waf-sov-030.tf.stackit.backup-retention

Checks: StackIT database instances must have backup retention enabled.

# Compliant
resource "stackit_mysql_instance" "main" {
  project_id = stackit_project.main.id
  name       = "sovereign-mysql"
  backup_retention_period = 14
  # Backups stored in eu-central-1
}

# Non-Compliant
resource "stackit_mysql_instance" "main" {
  project_id = stackit_project.main.id
  name       = "mysql"
  # ❌ No backup retention configured
}

Supported providers: AWS, Azure, StackIT, OVH, Hetzner Cloud

waf-sov-030.tf.ovh.backup-location-sovereign

Checks: OVH backups must remain in sovereign regions.

Supported providers: OVH


waf-sov-030.tf.hcloud.backup-location-sovereign

Checks: Hetzner Cloud backups must remain in sovereign regions.

Supported providers: Hetzner Cloud
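The following script is an added example, not part of WAF++ or its check tooling: it applies the requirement list and the Terraform checks above to a `terraform show -json` plan, walking child modules as well as the root module, and raises the retention floor from 7 to 30 days for production. The approved-region allow-list and the sample plan are constructed for the example.

```python
# Added example (not WAF++ code): evaluate a `terraform show -json` plan against WAF-SOV-030.
APPROVED_REGIONS = {"germanywestcentral", "eu-central-1", "eu-west-1"}  # assumed allow-list

def iter_resources(module):
    """Yield every resource in a planned_values module tree (root + child_modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_plan(plan, prod=False, approved=APPROVED_REGIONS):
    """Return (address, finding) tuples; prod raises the retention floor from 7 to 30 days."""
    min_days = 30 if prod else 7
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        rtype, addr, v = res["type"], res["address"], res.get("values") or {}
        if rtype in ("aws_db_instance", "stackit_mysql_instance"):
            days = v.get("backup_retention_period") or 0  # unset/unknown counts as 0
            if days < min_days:
                findings.append((addr, f"backup_retention_period={days} < {min_days}"))
        elif rtype == "aws_dynamodb_table":
            pitr = v.get("point_in_time_recovery") or [{}]  # nested blocks appear as lists
            if not pitr[0].get("enabled"):
                findings.append((addr, "point_in_time_recovery not enabled"))
        elif rtype == "azurerm_recovery_services_vault":
            if v.get("location") not in approved:
                findings.append((addr, f"location {v.get('location')!r} not approved"))
        elif rtype == "aws_s3_bucket_versioning":
            cfg = v.get("versioning_configuration") or [{}]
            if cfg[0].get("status") != "Enabled":
                findings.append((addr, "versioning not Enabled"))
    return findings

# Constructed sample in the shape of `terraform show -json tfplan` (not a real export).
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "values": {"backup_retention_period": 14}},
        {"address": "aws_dynamodb_table.sovereign", "type": "aws_dynamodb_table",
         "values": {"point_in_time_recovery": [{"enabled": False}]}},
        {"address": "azurerm_recovery_services_vault.backup",
         "type": "azurerm_recovery_services_vault", "values": {"location": "eastus"}},
    ],
    "child_modules": [{"address": "module.backup", "resources": [
        {"address": "module.backup.aws_s3_bucket_versioning.backup",
         "type": "aws_s3_bucket_versioning",
         "values": {"versioning_configuration": [{"status": "Enabled"}]}},
    ]}],
}}}
```

Run against a real plan with `json.load(open("plan.json"))` in place of `SAMPLE_PLAN`; the 14-day RDS instance passes the non-prod floor but fails the prod one.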

Evidence

Type | Required | Description
IaC | ✅ Required | Terraform backup resources with explicit location, retention, and PITR settings.
Process | ✅ Required | Restore test records (at least annually) with backup ID, timestamp, and achieved RTO.
Config | Optional | Cloud console export of the active backup policy with location and retention settings.
Logs | Optional | Backup job logs with source and destination region.

Regulatory Mapping

Framework | Controls
GDPR | Art. 44 – General principles for transfers; Art. 46 – Appropriate safeguards; Art. 28 – Data processing agreement
BSI C5:2020 | OPS-04 – Data management; OPS-05 – Data leakage prevention; SIM-01 – Security incident management
EUCS (ENISA) | DSP-01 – Data classification; DSP-02 – Data inventory and data flow; DSP-03 – Data availability; DSP-04 – Data deletion; IAM-01 – Identity and access
ISO 27001:2022 | A.5.12 – Classification of information; A.5.13 – Labelling of information; A.5.33 – Protection of records
ISO 27017 | CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services
ISO 27018 | A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII
BSI C3A:2026 | Domain – Data sovereignty; Domain – Cloud-specific requirements
GAIA-X | Sovereign Cloud – Requirements for data location and transparency
NIST SP 800-53 | SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality
NIST CSF 2.0 | GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management
FedRAMP | SC-1, SC-7, SC-8 (High baseline)
TISAX | Information security – Data protection; Prototype protection – Sensitive data handling
ANSSI SecNumCloud | Domain – Data protection; Domain – Cloud security
BIO | BIO – Data protection; BIO – Cloud security
ENS High | ds.info.1 – Personal data; ds.info.2 – Information classification
UK NCSC CAF | B3 – Understanding data; B4 – System security
CMMC 2.0 | SC.L2-3.13.16 – Protect CUI confidentiality at rest
IRAP | ISM – Data protection; ISM – Cloud security
CCCS PBMM | SC-7 – Boundary protection; SC-8 – Transmission confidentiality
MAS TRM | Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls
ISMAP | Data sovereignty and cloud security
FISC | Technical measures – Data protection

Best Practice