WAF++

WAF-SOV-030 – Backup Location & Retention Controlled

Description

Backup policies MUST explicitly define region/location constraints, minimum retention periods, and restore test schedules. Cross-region replication MUST be explicitly approved and directed exclusively to valid sovereign regions.

Backup storage MUST remain within the same jurisdictional boundary as primary data — except with explicitly documented approval.

Rationale

Backups are often the first sovereignty leak that audit teams overlook. A primary database may reside in an approved EU region while automated backup replication silently routes data to a US DR region.

Every backup configuration is a potential data residency violation. Restore tests validate both the technical recoverability and that backup data has not ended up in non-sovereign storage.

Threat Context

  • Backup replication to US region: Automated DR replication silently routes backup data to non-approved destination regions.

  • Provider-default backup storage: Managed service backups land in provider-managed storage outside the approved jurisdiction.

  • Untested restore processes: RPO/RTO violation because the restore process was never practiced.

  • Missing retention policy: Unclear retention leads to indefinite storage of sensitive data or premature deletion.

  • Cross-region copy jobs: Scheduled snapshot copies exfiltrate backup data to non-sovereign regions.

Regulatory Mapping

  • GDPR: Art. 5(1)(e) – Storage limitation; Art. 32 – Security of processing; Art. 44–46 – Transfers to third countries

  • BSI C5:2020: OPS-04 – Data management; BCM-01 – Business continuity management

  • EUCS (ENISA): BCR-01 – Backup policy; DSP-04 – Data portability

  • ISO 27001:2022: A.8.13 – Information backup; A.5.29 – Information security during business disruption

Requirement

  • Backup configurations MUST set location/region explicitly

  • backup_retention_period MUST be at least 7 days (non-prod) and 30 days (prod)

  • Point-in-Time Recovery (PITR) MUST be enabled for database services with PII/financial data

  • Cross-region replication MUST be explicitly approved and directed to a sovereign target region

  • Restore tests MUST be performed and documented at least annually (quarterly for critical data)

  • Backup resources MUST be tagged with data-residency and data-class consistent with source data

Implementation Guidance

  1. Declare backup resources in IaC: No implicit backup configurations; all settings explicit.

  2. Set retention periods by data category and enforce in IaC.

  3. Enable PITR for all databases with personal or financial data.

  4. Review cross-region replication: Target region in approval list; DPO review if outside.

  5. Configure immutable backups (Object Lock / Soft Delete) for critical data categories.

  6. Schedule restore drills and document: backup ID, timestamp, achieved RTO, findings.

  7. Tag backup vaults: data-residency and data-class consistent with source data.
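Step 6 asks for documented restore drills (backup ID, timestamp, achieved RTO, findings). The script below is an added example, not WAF++ tooling: it reads drill records in that shape, computes the achieved RTO from start and restore timestamps, flags drills that missed their RTO target, and flags backups whose most recent drill is older than the cadence allows. The record format, the per-record RTO target, the `criticality` flag and the cadence thresholds are assumptions of this example, and the sample records are constructed.

```python
"""Evaluate restore-drill records for cadence and achieved RTO.

Added example, not WAF++ tooling. The record fields follow step 6 above; the
RTO target per record, the criticality flag and the drill cadence are
assumptions of this example, and the sample records are constructed.
"""
from datetime import datetime, timezone, timedelta

# Assumption: cadence taken from the Requirement list (quarterly for critical
# data, annually otherwise), with a few days of slack.
MAX_DRILL_GAP = {"critical": timedelta(days=92), "standard": timedelta(days=366)}

SAMPLE_DRILLS = [  # constructed records, one per restore drill
    {"backup_id": "snap-0a1", "criticality": "critical", "started": "2024-03-01T02:00:00Z",
     "restored": "2024-03-01T03:10:00Z", "rto_target_minutes": 120, "findings": "ok"},
    {"backup_id": "snap-0a1", "criticality": "critical", "started": "2024-07-15T02:00:00Z",
     "restored": "2024-07-15T05:30:00Z", "rto_target_minutes": 120, "findings": "slow volume"},
    {"backup_id": "snap-0b2", "criticality": "standard", "started": "2023-06-10T01:00:00Z",
     "restored": "2023-06-10T01:30:00Z", "rto_target_minutes": 240, "findings": "ok"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix accepted) into an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def achieved_rto_minutes(record):
    """Achieved RTO = restore completion minus drill start, in whole minutes."""
    delta = parse_ts(record["restored"]) - parse_ts(record["started"])
    return int(delta.total_seconds() // 60)


def evaluate(drills, now):
    """Return sorted (backup_id, issue) pairs; an empty list means the evidence is in order."""
    now = parse_ts(now)
    issues = set()
    latest = {}  # backup_id -> (criticality, timestamp of most recent restore)
    for rec in drills:
        if achieved_rto_minutes(rec) > rec["rto_target_minutes"]:
            issues.add((rec["backup_id"], "rto_exceeded"))
        done = parse_ts(rec["restored"])
        if rec["backup_id"] not in latest or done > latest[rec["backup_id"]][1]:
            latest[rec["backup_id"]] = (rec["criticality"], done)
    # Cadence: the newest drill per backup must fall within the allowed gap.
    for backup_id, (crit, done) in latest.items():
        if now - done > MAX_DRILL_GAP[crit]:
            issues.add((backup_id, "overdue"))
    return sorted(issues)


if __name__ == "__main__":
    for backup_id, issue in evaluate(SAMPLE_DRILLS, datetime(2024, 9, 1, tzinfo=timezone.utc)):
        print(f"{backup_id}: {issue}")
```

Keeping the newest drill per backup ID is what makes the cadence check meaningful: an old drill for a critical backup is still evidence, but it does not satisfy the quarterly requirement on its own.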

Maturity Levels

  Level 1 – Backups enabled, location uncontrolled: Backups enabled for critical databases; no explicit location constraints.

  Level 2 – Location and retention defined in IaC: Backup vault location in approved region; minimum retention set and enforced.

  Level 3 – Full sovereign backup posture: All backup targets verified in approved regions; PITR for PII/financial data; cross-region replication approved.

  Level 4 – Continuous monitoring and tested restores: Quarterly restore tests with evidence; automated checks for backup location compliance; alerts on backup jobs to non-approved regions.

  Level 5 – Immutable, auditable sovereign backup process: Object Lock / immutable backups enforced; restore drills automated with RTO measurement; backup compliance dashboard for auditors.
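Level 4 calls for alerts on backup jobs to non-approved regions, and the Evidence section lists backup job logs with source and destination region. The script below is an added example, not part of this page or the WAF++ project: it scans JSON backup-job log lines and raises a CRITICAL alert when the destination region is outside the sovereign set, and a HIGH alert when a sovereign-to-sovereign copy has no documented approval. The one-object-per-line log schema (`job_id`, `source_region`, `destination_region`, `status`), the approved-region set and the approved replication pairs are assumptions; the log lines are constructed.

```python
"""Alert on backup jobs whose destination region is not approved.

Added example, not part of the WAF++ page. The log schema, the approved-region
set and the approved replication pairs are assumptions of this example.
"""
import json

APPROVED_REGIONS = {"eu-central-1", "eu-west-1"}   # assumption: sovereign regions
# Assumption: cross-region pairs that went through the documented approval.
APPROVED_REPLICATION = {("eu-central-1", "eu-west-1")}

SAMPLE_LOGS = """\
{"job_id": "j-1001", "source_region": "eu-central-1", "destination_region": "eu-central-1", "status": "COMPLETED"}
{"job_id": "j-1002", "source_region": "eu-central-1", "destination_region": "eu-west-1", "status": "COMPLETED"}
{"job_id": "j-1003", "source_region": "eu-central-1", "destination_region": "us-east-1", "status": "COMPLETED"}
{"job_id": "j-1004", "source_region": "eu-west-1", "destination_region": "eu-central-1", "status": "FAILED"}
not json at all
"""  # constructed sample log lines


def classify(entry):
    """Return an alert severity for one parsed job entry, or None if it is compliant.

    A FAILED job is still classified: the attempt itself shows a misconfigured
    destination, which is the control violation.
    """
    src, dst = entry.get("source_region"), entry.get("destination_region")
    if dst not in APPROVED_REGIONS:
        return "CRITICAL"   # backup data left the sovereign boundary
    if src != dst and (src, dst) not in APPROVED_REPLICATION:
        return "HIGH"       # sovereign target, but replication was never approved
    return None


def scan(lines):
    """Parse log lines; return (alerts, parse_errors) with alerts as (severity, job_id, dst)."""
    alerts, errors = [], 0
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            errors += 1       # malformed line: count it rather than silently drop it
            continue
        severity = classify(entry)
        if severity:
            alerts.append((severity, entry.get("job_id"), entry.get("destination_region")))
    return alerts, errors


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOGS)
    for severity, job_id, dst in found:
        print(f"{severity}: job {job_id} wrote to {dst}")
    print(f"{bad} unparseable line(s)")
```

Counting unparseable lines separately matters for an audit trail: a log feed that silently drops malformed records can hide exactly the jobs the alert is meant to catch.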

Terraform Checks

waf-sov-030.tf.aws.db-instance-backup-retention

Checks: RDS backup_retention_period >= 7 days.

# Compliant
resource "aws_db_instance" "main" {
  backup_retention_period = 30
  backup_window           = "03:00-04:00"
  # ...
}

# Non-Compliant
resource "aws_db_instance" "main" {
  backup_retention_period = 0
  # ❌ Backups disabled
}

waf-sov-030.tf.aws.dynamodb-pitr-enabled

Checks: DynamoDB PITR must be enabled.

# Compliant
resource "aws_dynamodb_table" "sovereign" {
  name         = "sovereign-table"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  point_in_time_recovery {
    enabled = true
  }
}

# Non-Compliant
resource "aws_dynamodb_table" "sovereign" {
  name         = "sovereign-table"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  # ❌ No PITR block, so point-in-time recovery stays disabled
}

waf-sov-030.tf.azurerm.recovery-vault-location

Checks: Azure Recovery Services Vault must reside in an approved sovereign region.

# Compliant
resource "azurerm_recovery_services_vault" "backup" {
  name                = "rsv-sovereign-prod"
  location            = "germanywestcentral"
  resource_group_name = azurerm_resource_group.main.name
  sku                 = "Standard"
  soft_delete_enabled = true
}

# Non-Compliant
resource "azurerm_recovery_services_vault" "backup" {
  name                = "rsv-prod"
  location            = "eastus"  # ❌ Non-sovereign
  resource_group_name = azurerm_resource_group.main.name
  sku                 = "Standard"
}

waf-sov-030.tf.aws.s3-versioning-enabled

Checks: S3 backup buckets must have versioning enabled.

# Compliant
resource "aws_s3_bucket_versioning" "backup" {
  bucket = aws_s3_bucket.backup.id
  versioning_configuration {
    status = "Enabled"  # ✅
  }
}
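The four checks above, together with the retention, PITR, cross-region and tagging bullets in the Requirement section, can be evaluated against a plan before `terraform apply`. The script below is an added example, not the WAF++ project's own checker: it reads the JSON that `terraform show -json plan.out` emits, walks every planned resource (including child modules) and reports one finding per violated rule. Beyond the four checks on this page it also inspects `copy_action` destinations on `aws_backup_plan` rules, which is how the cross-region copy-job threat shows up in IaC. The approved-region list, the `environment` tag used to tell prod from non-prod, the `data-class` values that trigger the PITR rule and the plan-JSON field layout are assumptions of this example; the sample plan is constructed.

```python
"""Policy check for backup resources in a Terraform plan (terraform show -json plan.out).

Added example, not the WAF++ project's own checker. The plan layout, the
`environment` tag, the data-class values and the region list are assumptions.
"""
import json
import sys

# Assumption: the organisation's approved sovereign regions (example values).
APPROVED_REGIONS = {"eu-central-1", "eu-west-1", "germanywestcentral", "westeurope"}
MIN_RETENTION = {"prod": 30, "nonprod": 7}   # days, from the Requirement list
PITR_CLASSES = {"pii", "financial"}           # data-class values that require PITR
TAGGED_TYPES = {"aws_db_instance", "aws_dynamodb_table",
                "azurerm_recovery_services_vault", "aws_backup_plan"}


def iter_resources(module):
    """Yield every resource in a plan module, including nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def region_from_arn(arn):
    """arn:partition:service:region:account:... -> region ('' if malformed)."""
    parts = arn.split(":")
    return parts[3] if len(parts) > 3 else ""


def check_plan(plan):
    """Return a list of (address, rule_id, message) findings; empty means compliant."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        addr, rtype, v = res["address"], res["type"], res.get("values") or {}
        tags = v.get("tags") or {}
        env = "prod" if tags.get("environment") == "prod" else "nonprod"

        if rtype == "aws_db_instance":
            need, got = MIN_RETENTION[env], v.get("backup_retention_period") or 0
            if got < need:
                findings.append((addr, "db-instance-backup-retention",
                                 f"backup_retention_period {got} < {need} days ({env})"))

        elif rtype == "aws_dynamodb_table":
            pitr = (v.get("point_in_time_recovery") or [{}])[0]
            if tags.get("data-class") in PITR_CLASSES and not pitr.get("enabled"):
                findings.append((addr, "dynamodb-pitr-enabled",
                                 "PITR disabled on a table tagged PII/financial"))

        elif rtype == "azurerm_recovery_services_vault":
            loc = v.get("location", "")
            if loc not in APPROVED_REGIONS:
                findings.append((addr, "recovery-vault-location",
                                 f"vault location {loc!r} is not an approved region"))

        elif rtype == "aws_s3_bucket_versioning":
            status = (v.get("versioning_configuration") or [{}])[0].get("status")
            if status != "Enabled":
                findings.append((addr, "s3-versioning-enabled",
                                 f"versioning status {status!r}, expected 'Enabled'"))

        elif rtype == "aws_backup_plan":
            # Cross-region copy jobs: every copy_action destination must be sovereign.
            for rule in v.get("rule") or []:
                for copy in rule.get("copy_action") or []:
                    dest = region_from_arn(copy.get("destination_vault_arn", ""))
                    if dest not in APPROVED_REGIONS:
                        findings.append((addr, "backup-copy-destination",
                                         f"copy_action targets non-approved region {dest!r}"))

        # Tagging requirement: data-residency and data-class on every backup-bearing resource.
        if rtype in TAGGED_TYPES:
            for key in ("data-residency", "data-class"):
                if key not in tags:
                    findings.append((addr, "backup-tags", f"missing tag {key!r}"))
    return findings


SAMPLE_PLAN = {  # constructed sample shaped like `terraform show -json` output
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "values": {"backup_retention_period": 7,
                    "tags": {"environment": "prod", "data-residency": "eu", "data-class": "pii"}}},
        {"address": "aws_dynamodb_table.sovereign", "type": "aws_dynamodb_table",
         "values": {"point_in_time_recovery": [{"enabled": False}],
                    "tags": {"data-residency": "eu", "data-class": "financial"}}},
        {"address": "azurerm_recovery_services_vault.backup", "type": "azurerm_recovery_services_vault",
         "values": {"location": "germanywestcentral",
                    "tags": {"data-residency": "de", "data-class": "internal"}}},
        {"address": "aws_backup_plan.daily", "type": "aws_backup_plan",
         "values": {"rule": [{"copy_action": [{"destination_vault_arn":
                    "arn:aws:backup:us-east-1:123456789012:backup-vault:dr"}]}],
                    "tags": {"data-residency": "eu", "data-class": "pii"}}},
    ]}}
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(plan)
    for address, rule_id, message in results:
        print(f"{rule_id}: {address}: {message}")
    sys.exit(1 if results else 0)
```

Run it as `python check_backups.py plan.json` in CI after `terraform show -json plan.out > plan.json`; the non-zero exit on findings is what lets the pipeline block the apply. Note that the AWS region of an RDS instance or DynamoDB table lives on the provider, not the resource, so the location rule here is applied to resources that carry a `location` argument and to copy-destination ARNs, where the region is explicit.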

Evidence

  • IaC (✅ Required): Terraform backup resources with explicit location, retention, and PITR settings.

  • Process (✅ Required): Restore test records (at least annually) with backup ID, timestamp, and achieved RTO.

  • Config (Optional): Cloud console export of the active backup policy with location and retention settings.

  • Logs (Optional): Backup job logs with source and destination region.