Ransomware-resilient architecture on AWS: How we secured a SaaS company’s critical data
Client Story
As a cybersecurity services provider, we partnered with a SaaS company to fortify its AWS environment against ransomware threats. We eliminated ransomware extortion risks by designing an unbreakable backup architecture. By leveraging AWS-native immutable backups, S3 Object Lock, and a multi-layered disaster recovery strategy, we ensured the client’s critical data remained recoverable even if attackers gained full administrative control.
The Challenge
Ransomware gangs increasingly target backups to force victims into paying ransoms. For the SaaS company, traditional backup methods posed vulnerabilities:
- Attackers with admin access could delete or encrypt backups stored in the same AWS account.
- S3 buckets lacked immutability, risking tampering during an attack.
- No centralized disaster recovery plan existed for restoring systems if AWS accounts were compromised or deleted.
We needed to design a solution that guaranteed recoverability, even if attackers infiltrated the environment.
The Solution
We implemented a multi-phase strategy to protect backups and enable rapid recovery:
1. Immutable Backups for Critical AWS Services
AWS Backup with Compliance Mode:
- Configured undeletable backups for Amazon RDS, EC2, EBS, and DynamoDB using AWS Backup’s immutable vaults.
- Enabled retention locks to prevent deletion or alteration during the retention period, even by admins.
S3 Object Lock for Compliance:
- Applied WORM (Write Once, Read Many) policies to S3 buckets storing sensitive data, ensuring backups could not be encrypted or deleted.
- Used legal holds and fixed retention periods to meet regulatory requirements while blocking ransomware tampering.
2. Cross-Account and Cross-Region Replication
- Backups were replicated to a separate AWS account with restricted access, creating a logical air gap.
- Data duplicated to a secondary AWS Region ensured geographic redundancy, mitigating regional outages or attacks.
3. Disaster Recovery Plan for Worst-Case Scenarios
Account Deletion Protection:
- Automated daily backups exported to an isolated AWS account, ensuring data persisted even if the primary account was deleted.
- Leveraged AWS’s 14-day account recovery window to restore access if attackers deleted the account.
Rapid Restore Workflows:
- Pre-configured AWS Elastic Disaster Recovery (DRS) templates enabled full-environment restoration within hours.
- Regular drills validated recovery point objectives (RPOs) of 24 hours and recovery time objectives (RTOs) of 4 hours.
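The immutability and air-gap controls above can be verified from configuration data. The following audit sketch is an added example, not code from the engagement or from Erbis. It assumes input in the shape returned by AWS Backup `DescribeBackupVault` and S3 `GetObjectLockConfiguration`; the function names, account IDs, and sample records are constructed for illustration.

```python
from datetime import datetime, timezone

def audit_vault(vault, now):
    """Check an AWS Backup DescribeBackupVault response for an irreversible lock."""
    if not vault.get("Locked"):
        return ["vault lock not enabled"]
    findings = []
    lock_date = vault.get("LockDate")  # set only for compliance-mode locks
    if lock_date is None:
        findings.append("governance-mode lock: removable by sufficiently privileged IAM users")
    elif lock_date > now:
        findings.append("compliance lock still in cooling-off period until LockDate")
    if not vault.get("MinRetentionDays"):
        findings.append("no MinRetentionDays: lock enforces no minimum retention")
    return findings

def audit_bucket(resp):
    """Check an S3 GetObjectLockConfiguration response for WORM defaults."""
    conf = resp.get("ObjectLockConfiguration", {})
    if conf.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock not enabled"]
    retention = conf.get("Rule", {}).get("DefaultRetention")
    if retention is None:
        return ["no default retention: objects lock only if each upload sets one"]
    if retention.get("Mode") != "COMPLIANCE":
        return ["GOVERNANCE mode: bypassable with s3:BypassGovernanceRetention"]
    return []

def audit_copy(source_account, dest_vault_arn):
    """Check that a backup copy action targets a vault in a different account."""
    dest_account = dest_vault_arn.split(":")[4]  # arn:aws:backup:region:account:...
    if dest_account == source_account:
        return ["copy destination is in the source account: no logical air gap"]
    return []

# Constructed sample data (placeholder account IDs and names, not client data).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
WEAK_VAULT = {"BackupVaultName": "prod-vault", "Locked": True}
STRONG_VAULT = {"BackupVaultName": "prod-vault", "Locked": True, "MinRetentionDays": 30,
                "LockDate": datetime(2025, 1, 1, tzinfo=timezone.utc)}
WEAK_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
STRONG_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SAME_ACCOUNT_ARN = "arn:aws:backup:eu-west-1:111111111111:backup-vault:dr-vault"
ISOLATED_ARN = "arn:aws:backup:eu-west-1:222222222222:backup-vault:dr-vault"

if __name__ == "__main__":
    print(audit_vault(WEAK_VAULT, NOW), audit_bucket(WEAK_BUCKET),
          audit_copy("111111111111", SAME_ACCOUNT_ARN))
```

An empty findings list from all three checks means the vault lock is past its cooling-off date, the bucket defaults to compliance-mode retention, and the copy lands in a different account.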
Tech stack
- AWS
- AWS S3
- EC2
- RDS
The Results
Our solution eliminated ransomware risks and delivered:
- Zero Data Loss: Clean recovery points even after admin-level compromise.
- No Ransom Payments: Full environment restores from protected backups without paying attackers.
- Regulatory Compliance: Audit-ready reports from AWS Backup and S3, giving stakeholders evidence of data integrity.
- Business Continuity: Maintained uptime SLAs in simulated attacks, preserving customer trust and revenue.
By combining AWS-native immutability, cross-account redundancy, and automated disaster recovery, we provided the SaaS client with a ransomware-proof backup strategy. This approach not only neutralized extortion threats but also aligned with AWS best practices for cyber resilience. The project underscores Erbis’s expertise in transforming AWS security postures to withstand modern adversarial tactics.