Overview
Air Gap Recover is a fully AWS-native disaster recovery solution that protects your critical infrastructure by replicating data to an isolated AWS organization. Unlike traditional backup solutions that rely on proprietary agents or third-party storage, we exclusively use native AWS services to ensure maximum reliability, security, and performance.
Key Principle
Every component of Air Gap Recover uses AWS-managed services. This means no custom infrastructure to maintain, no proprietary protocols to trust, and no vendor lock-in beyond AWS itself.
Why AWS Native?
- No additional attack surface: All data flows through AWS-managed APIs with AWS-native encryption
- Instant compatibility: Works with any AWS service that supports snapshots or replication
- Zero infrastructure overhead: No agents, gateways, or custom storage to manage
- AWS SLA guarantee: Backed by AWS's 99.99% uptime commitment
Architecture
Air Gap Recover operates across two AWS Organizations: your Source Organization (production environment) and a separate Destination Organization (air-gapped vault).
Source Org
- Production Accounts
- S3 Buckets
- RDS Databases
- EBS Volumes
- Aurora Clusters
Replication (Source Org to Vault Org): Cross-Account, Cross-Region
Vault Org
- Isolated Accounts
- Immutable Copies
- Encrypted at Rest
- Control Tower Governance
- SCPs Enforced
Cross-Account Isolation
The destination organization is completely isolated from your production environment. Even if an attacker gains full access to your source organization, they cannot access or modify data in the vault organization without separate credentials and multi-factor authentication.
S3 Cross-Region Replication
For S3 buckets, we leverage S3 Cross-Region Replication (CRR) with cross-account replication to continuously sync objects to your vault organization.
How It Works
- Bucket Configuration: We configure S3 replication rules on your source buckets to replicate all objects to a destination bucket in the vault organization.
- Cross-Account IAM Roles: AWS assumes an IAM role in the destination account with write-only permissions to the vault bucket.
- Automatic Replication: Every new object uploaded to the source bucket is automatically replicated within minutes.
- Immutability: Destination buckets use S3 Object Lock to prevent deletion or modification for a configurable retention period.
- Encryption: Objects are encrypted in transit (TLS) and at rest (AES-256 or KMS).
Replication Features
✓ Version Replication
All object versions are replicated, preserving your version history
✓ Delete Marker Replication
Optional replication of delete markers for complete consistency
✓ Metadata Preservation
Object metadata, tags, and ACLs are replicated
✓ Replication Time Control
99.99% of objects replicated within 15 minutes (SLA-backed)
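A check of a replication rule against the properties listed under "How It Works" and "Replication Features", as an added example (not Air Gap Recover's own code). The configuration follows the shape of the S3 `PutBucketReplication` request; the account IDs, bucket name and key ARN are constructed placeholders, and the check assumes the KMS option for replica encryption.

```python
# Constructed sample rule; every ARN and account ID is a placeholder.
VAULT_ACCOUNT = "999999999999"
SAMPLE_CONFIG = {
    "Role": "arn:aws:iam::111111111111:role/example-replication-role",
    "Rules": [{
        "ID": "to-vault",
        "Status": "Enabled",
        "Priority": 1,
        "Filter": {},  # empty filter: every object in the bucket
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": "arn:aws:s3:::vault-example-bucket",
            "Account": VAULT_ACCOUNT,
            "AccessControlTranslation": {"Owner": "Destination"},
            "EncryptionConfiguration": {
                "ReplicaKmsKeyID": "arn:aws:kms:eu-west-1:999999999999:key/EXAMPLE"},
            "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": 15}},
            "Metrics": {"Status": "Enabled", "EventThreshold": {"Minutes": 15}},
        },
    }],
}


def audit_replication(config, vault_account):
    """Return one finding per property that weakens the vault copy."""
    findings = []
    for rule in config.get("Rules", []):
        rule_id, dest = rule.get("ID", "?"), rule.get("Destination", {})
        rtc = dest.get("ReplicationTime", {})
        checks = [
            (rule.get("Status") == "Enabled", "rule is disabled"),
            (rule.get("Filter") in ({}, {"Prefix": ""}), "filter skips some objects"),
            (dest.get("Account") == vault_account,
             "destination is not the vault account"),
            # Without the owner override, replicas stay owned by the source account
            (dest.get("AccessControlTranslation", {}).get("Owner") == "Destination",
             "replicas remain owned by the source account"),
            (bool(dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")),
             "replicas are not re-encrypted with a vault KMS key"),
            (rtc.get("Status") == "Enabled" and rtc.get("Time", {}).get("Minutes") == 15,
             "Replication Time Control is not enabled"),
        ]
        findings += [f"{rule_id}: {msg}" for ok, msg in checks if not ok]
    return findings
```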
Cost Optimization
S3 CRR only transfers changed data. If you modify a 1GB file by changing 1MB, only 1MB is replicated. This dramatically reduces data transfer costs compared to full-copy backup solutions.
Native AWS Snapshots
For databases and block storage, we use AWS-native snapshot capabilities to create point-in-time backups and share them cross-account to your vault organization.
Supported Services
Amazon RDS Snapshots
Automated and manual snapshots of RDS databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server)
- Automated daily snapshots with configurable retention
- Cross-account snapshot sharing to vault organization
- Encrypted snapshots using AWS KMS
- Instant restore to new RDS instance in any region
Amazon Aurora Snapshots
Cluster snapshots for Aurora MySQL and Aurora PostgreSQL
- Continuous incremental backups to Amazon S3
- Point-in-time recovery (PITR) up to the last 5 minutes
- Cross-account cluster snapshot sharing
- Backtrack feature for MySQL (rewind without restore)
Amazon EBS Snapshots
Block-level snapshots of EBS volumes attached to EC2 instances
- Incremental snapshots (only changed blocks are saved)
- Cross-account and cross-region snapshot sharing
- EBS Direct APIs for fast snapshot recovery
- Archive tier for long-term retention at 75% lower cost
Amazon EFS Replication
Continuous replication of EFS file systems to another region
- Automatic replication to a destination EFS in vault account
- Recovery Point Objective (RPO) of 15 minutes
- Encryption in transit and at rest
- Transparent to applications (no configuration changes)
Cross-Account Snapshot Workflow
- Snapshot Creation: AWS creates a snapshot of your database or volume in your source account (automated on a schedule).
- Snapshot Sharing: The snapshot is shared with your vault organization's account ID using AWS's built-in snapshot sharing.
- Snapshot Copy: A Lambda function in the vault account automatically copies the shared snapshot, creating an independent copy owned by the vault account.
- Immutability Enforcement: IAM policies and Service Control Policies (SCPs) prevent deletion of snapshots before the retention period expires.
- Encryption: Snapshots are re-encrypted using a KMS key owned by the vault account, ensuring the source account cannot access the data.
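The copy and re-encryption steps of this workflow for EBS, as an added example (not Air Gap Recover's own code). It assumes the vault Lambda is triggered by the EBS `shareSnapshot` EventBridge notification; the account ID, key ARN and tag key are placeholders.

```python
import re

# Assumed placeholders: the only account allowed to share snapshots into the
# vault, and the KMS key owned by the vault account.
TRUSTED_SOURCE_ACCOUNTS = {"111111111111"}
VAULT_KMS_KEY_ARN = "arn:aws:kms:us-east-1:999999999999:key/EXAMPLE-VAULT-KEY"

SNAPSHOT_ARN = re.compile(
    r"^arn:aws:ec2::(?P<region>[a-z0-9-]+):snapshot/(?P<id>snap-[0-9a-f]+)$")


def copy_shared_snapshot(ec2, event):
    """Copy a snapshot shared by a trusted account into the vault account.

    Returns the ID of the vault-owned copy, or None when the event is ignored.
    """
    detail = event.get("detail", {})
    if detail.get("event") != "shareSnapshot" or detail.get("result") != "succeeded":
        return None
    sharer = str(detail.get("source", ""))
    if sharer not in TRUSTED_SOURCE_ACCOUNTS:
        # Ignore snapshots shared by any account other than the expected source
        return None
    match = SNAPSHOT_ARN.match(detail.get("snapshot_id", ""))
    if not match:
        return None
    response = ec2.copy_snapshot(
        SourceRegion=match["region"],
        SourceSnapshotId=match["id"],
        Encrypted=True,               # the copy is always encrypted...
        KmsKeyId=VAULT_KMS_KEY_ARN,   # ...under a key the source cannot use
        Description=f"vault copy of {match['id']} from {sharer}",
        TagSpecifications=[{
            "ResourceType": "snapshot",
            "Tags": [{"Key": "vault:source-account", "Value": sharer}],
        }],
    )
    return response["SnapshotId"]


def lambda_handler(event, context):
    import boto3  # provided by the Lambda runtime; imported lazily
    return copy_shared_snapshot(boto3.client("ec2"), event)
```

Copying an encrypted shared snapshot also requires that the source KMS key policy lets the vault account use that key for the copy.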
Security & Governance
The vault organization is secured using AWS Control Tower, Service Control Policies (SCPs), and strict IAM policies to ensure data cannot be tampered with or deleted.
AWS Control Tower
Your vault organization is governed by AWS Control Tower, which provides:
Account Factory
Automated provisioning of vault accounts with pre-configured security guardrails
Guardrails
Preventive and detective controls enforced across all accounts
Centralized Logging
CloudTrail and Config logs aggregated in a secure log archive account
Compliance Dashboard
Real-time visibility into compliance status and drift detection
Service Control Policies (SCPs)
SCPs enforce organization-wide restrictions that cannot be overridden, even by the account root user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::vault-*",
        "arn:aws:s3:::vault-*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBClusterSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
```
Example SCP preventing deletion of vault objects and snapshots
SCPs apply only to principals in the vault organization's member accounts (not its management account); access by principals outside the organization is governed by the vault bucket and KMS key policies.
Encryption Architecture
Multi-Layer Encryption
1. In Transit: All replication uses TLS 1.2+ with perfect forward secrecy
2. At Rest (Source): Data encrypted with source account KMS keys
3. At Rest (Vault): Data re-encrypted with vault account KMS keys (AES-256)
4. Key Isolation: Vault KMS keys cannot be accessed from the source organization
Access Controls
Access to the vault organization requires:
- Separate AWS Account: Vault organization has no trust relationship with source organization
- MFA Enforcement: All human access requires hardware MFA (U2F or TOTP)
- IP Allowlisting: API access restricted to known corporate IP ranges
- CloudTrail Monitoring: All API calls logged and monitored for anomalies
AWS Services Used
Air Gap Recover exclusively uses AWS-managed services. Here's the complete list of AWS services that power the solution:
Storage & Data
- Amazon S3 (Cross-Region Replication)
- Amazon RDS (Snapshots)
- Amazon Aurora (Backtrack & Snapshots)
- Amazon EBS (Volume Snapshots)
- Amazon EFS (Replication)
Security & Governance
- AWS Control Tower (Organization Governance)
- AWS Organizations (Account Management)
- AWS IAM (Access Control)
- AWS KMS (Encryption Key Management)
- AWS CloudTrail (API Logging)
- AWS Config (Compliance Monitoring)
Automation & Orchestration
- AWS Lambda (Serverless Functions)
- Amazon EventBridge (Event Routing)
- AWS Step Functions (Workflow Orchestration)
- AWS Systems Manager (Parameter Store)
- AWS CloudFormation (Infrastructure as Code)
Monitoring & Alerting
- Amazon CloudWatch (Metrics & Logs)
- Amazon SNS (Notifications)
- AWS X-Ray (Distributed Tracing)
- Amazon GuardDuty (Threat Detection)
Zero Custom Infrastructure
Notice what's NOT on this list: No EC2 instances, no custom databases, no third-party agents, no proprietary storage systems. Every component is a fully-managed AWS service with AWS SLAs.
Service Support Matrix
| Service | Protection Method | Cross-Account |
|---|---|---|
| Amazon S3 | Cross-Region Replication | ✓ |
| Amazon RDS | Automated Snapshots | ✓ |
| Amazon Aurora | Cluster Snapshots | ✓ |
| Amazon EBS | Volume Snapshots | ✓ |
| Amazon EFS | EFS Replication | ✓ |
| FSx for Windows/Lustre | FSx Backups | ✓ |