Air Gap Recover
Two-Organisation Air-Gap Architecture
SOURCE ORG
Customer Production
VAULT ORG
Isolated Recovery
Separate AWS Organizations
Not accounts — distinct IAM, billing, and trust boundaries
Zero Inbound Access
No trust relationships, no VPNs, no shared credentials
One-Way Replication
Vault receives copies but cannot access source
Automated Snapshot Pipeline
Tag Discovery
Lambda scans for resources tagged DisasterRecovery:Protection=true. Self-service — customers control what gets protected.
Snapshot Creation
DLM creates automated snapshots at configurable intervals. EBS supports 1-60 min schedules. RDS automated daily + transaction logs.
Cross-Account Share
Source shares snapshot with vault account ID. One-way operation — vault cannot access source. EBS: unlimited accounts. RDS: 20 account limit.
Copy & Re-Encrypt
Vault Lambda copies shared snapshot and re-encrypts with customer-specific vault KMS key. Independent copy — no source dependency.
Immutable Retention
SCPs prevent snapshot deletion. S3 Object Lock compliance mode for object data. Configurable retention 7-365 days. Legal hold available.
KMS Re-Encryption
Customer-managed envelope encryption with zero shared keys
Source Account
Data encrypted with customer-managed CMK
Never uses default aws/ebs or aws/rds keysKey Policy Grant
Source CMK grants kms:Decrypt + kms:CreateGrant to vault account
Scoped to ec2/rds via kms:ViaService conditionSnapshot Share
Snapshot shared with vault account ID
Remains encrypted with source CMKVault Copy
Vault copies snapshot with its own CMK
Re-encrypted — source key no longer neededSecurity Guarantees
- Source and vault maintain completely separate KMS keys
- Source key compromise does not affect vault copies
- Automated key rotation under customer control
- All key usage logged via CloudTrail
- Meets HIPAA, GDPR, PCI-DSS encryption requirements
AWS Service Matrix
Recovery Procedures
Identify Scope
Determine affected services and blast radius. Select recovery point from available snapshots. Initiate recovery workflow.
Restore Snapshots
Terraform-driven parallel restoration. EBS volumes, RDS instances, S3 data restored from vault copies. Infrastructure recreated from IaC.
Decrypt & Validate
Snapshots decrypted with customer vault KMS keys. Data integrity checks run automatically. Application health validation.
Promote to Production
DNS cutover to recovered environment. Automated health checks pass. Clean room option: validate in isolated sandbox first.
Zero-Trust Security Model
Separate AWS Organisations
Not just accounts — distinct organisations with separate IAM, billing, SCPs, and trust boundaries. Attackers would need to compromise two entirely separate AWS environments.
Lambda-Based Execution
MSP triggers Lambda functions but cannot access data. Functions execute with customer IAM permissions. 15-minute temporary credentials auto-expire.
Tag-Based Discovery
Customers control protection via resource tags. No manual inventory needed. Self-service add/remove protection. Granular per-resource control.
Immutable Audit Trail
CloudTrail logs replicated to air-gapped account. S3 Object Lock prevents log tampering. All API calls recorded. Integration with SIEM platforms.
Compliance Framework Mapping
How Air Gap Recover helps satisfy specific controls
ISO 27001:2022
- A.8.13 Information Backup
- A.8.14 Redundancy
- A.5.30 ICT Readiness
Automated quarterly DR testing, immutable audit trails
NIST CSF v2.0
- PR.IP-4 Backups
- PR.DS-1 Data-at-Rest
- RC.RP-1 Recovery Plan
Continuous backup, customer-managed encryption
DORA Art. 12 & 25
- Art.12 Backup Policies
- Art.25 Resilience Testing
- Art.28 Third-Party Risk
15-min RPO, automated drills, zero-trust MSP model
SOC 2
- CC6.1 Access Controls
- CC7.2 Detection
- A1.2 Availability
Org-level isolation, real-time monitoring, 99.99% SLA
HIPAA
- §164.308 Data Backup
- §164.312 Audit Controls
- §164.312 Encryption
Immutable ePHI backups, CloudTrail logging, AES-256
GDPR Art. 32
- Confidentiality
- Integrity
- Availability
- Resilience
Customer KMS keys, Object Lock, multi-region, sub-60 min RTO
Automated Evidence
- CloudTrail immutable audit logs
- Quarterly DR test reports
- Power BI compliance dashboards
- Encryption key usage reports
- Backup inventory & retention policies
Infrastructure as Code
Terraform + Terragrunt
Complete infrastructure defined in code. Terragrunt for DRY multi-account configuration. Automated provisioning and decommissioning.
Tag-Based Discovery
agr:protect = true on any supported resource. Lambda auto-discovers tagged resources. No manual configuration required.
Policy Enforcement
SCPs enforced at organisation level. IAM policies generated from templates. Compliance guardrails via Control Tower.
Drift Detection
Terraform plan detects configuration drift. CloudFormation drift detection for AWS resources. Automated remediation workflows.
Deployment & Integration
Foundation
- Vault AWS Org provisioned
- Control Tower guardrails configured
- KMS keys generated
- IAM roles & SCPs deployed
Integration
- Source account Lambda deployed
- Replication rules configured
- Tag-based discovery enabled
- Initial full sync begins
Validation
- DR drill executed end-to-end
- RTO/RPO targets validated
- Monitoring & alerting configured
- Runbooks delivered & tested
Databarracks Manages
- Vault org setup & management
- Lambda function deployment
- Replication configuration
- 24/7 monitoring & support
- Quarterly DR drills
Customer Provides
- AWS org access (read-only for Lambda)
- KMS key policy grants
- Resource tagging
- DNS cutover during recovery
Prerequisites
Technical Specifications
Performance Benchmarks
Next Steps
Architecture Review
60-min deep dive into your AWS estate
- Current DR gap analysis
- Service coverage mapping
- Integration requirements
Technical POC
1PB free, 1 month evaluation
- Full vault org provisioned
- End-to-end DR drill
- RTO/RPO validation
Production Deployment
4-6 weeks to full protection
- Phased service rollout
- 24/7 monitoring
- Quarterly DR drills