Back to Home
Technical Documentation

Built on AWS Native Services

Air Gap Recover leverages enterprise-grade AWS services to provide immutable, cross-account disaster recovery without custom infrastructure or third-party dependencies.

Overview

Air Gap Recover is a fully AWS-native disaster recovery solution that protects your critical infrastructure by replicating data to an isolated AWS organization. Unlike traditional backup solutions that rely on proprietary agents or third-party storage, we exclusively use native AWS services to ensure maximum reliability, security, and performance.

Key Principle

Every component of Air Gap Recover uses AWS-managed services. This means no custom infrastructure to maintain, no proprietary protocols to trust, and no vendor lock-in beyond AWS itself.

Why AWS Native?

  • No additional attack surface: All data flows through AWS-managed APIs with AWS-native encryption
  • Instant compatibility: Works with any AWS service that supports snapshots or replication
  • Zero infrastructure overhead: No agents, gateways, or custom storage to manage
  • AWS SLA guarantee: Backed by AWS's 99.99% uptime commitment

Architecture

Air Gap Recover operates across two AWS Organizations: your Source Organization (production environment) and a separate Destination Organization (air-gapped vault).

Source Org

• Production Accounts

• S3 Buckets

• RDS Databases

• EBS Volumes

• Aurora Clusters

REPLICATION

Cross-Account
Cross-Region

Vault Org

• Isolated Accounts

• Immutable Copies

• Encrypted at Rest

• Control Tower Gov.

• SCPs Enforced

Cross-Account Isolation

The destination organization is completely isolated from your production environment. Even if an attacker gains full access to your source organization, they cannot access or modify data in the vault organization without separate credentials and multi-factor authentication.

S3 Cross-Region Replication

For S3 buckets, we leverage S3 Cross-Region Replication (CRR) with cross-account replication to continuously sync objects to your vault organization.

How S3 Cross-Region Replication Works

Object-Level Live Replication

S3 CRR operates at the object level, automatically replicating new and updated objects from a source bucket to one or more destination buckets in different AWS regions. Unlike snapshots which capture point-in-time state, replication is continuous and near-real-time.

Replication Mechanics

  1. Object Upload Trigger: When an object is created or updated in the source bucket, S3 automatically initiates replication based on configured rules
  2. Versioning Requirement: Both source and destination buckets MUST have versioning enabled (mandatory for replication to function)
  3. Replication Rules: Define what gets replicated using prefix filters (e.g., "documents/"), object tags, or replicate entire bucket
  4. Cross-Account IAM: S3 assumes an IAM replication role with permissions to read source objects and write to destination bucket
  5. Async Transfer: Objects are replicated asynchronously, typically within minutes (99.99% within 15 minutes with RTC)
  6. Metadata Preservation: Object metadata, tags, ACLs, and storage class are replicated along with object data

Replication Time Control (RTC)

S3 Replication Time Control provides a 15-minute SLA for object replication with a 99.99% guarantee. This feature includes:

15-Minute SLA

99.99% of objects replicated within 15 minutes of upload

Replication Metrics

CloudWatch metrics track replication latency and pending object counts

Event Notifications

S3 Event Notifications trigger on replication completion for workflow automation

S3 Storage Lens

Advanced analytics showing replication status and efficiency metrics

Versioning and Delete Behavior

Versioning is MANDATORY

S3 replication requires versioning to be enabled on both source and destination buckets. Without versioning, replication rules cannot be configured. This ensures that:

  • Every object version is uniquely identified and replicated
  • Overwriting an object creates a new version (both versions replicated)
  • Version history is preserved in both buckets
  • Accidental deletions can be recovered from version history

Delete Marker Replication

When an object is deleted in the source bucket (without specifying a version ID), S3 creates a "delete marker" instead of permanently deleting the object. Delete marker replication behavior can be configured:

  • Enabled: Delete markers are replicated to destination, making the object "invisible" in both locations
  • Disabled: Delete markers are NOT replicated; object remains visible in destination bucket (recommended for immutable backups)

For air-gap protection, we typically disable delete marker replication to ensure attackers cannot delete replicated data by deleting source objects.

Encryption Handling

S3 replication supports multiple encryption methods with automatic re-encryption in the destination bucket:

SSE-S3 (AES-256)

AWS-managed encryption keys, automatically replicated and re-encrypted

SSE-KMS (Customer Keys)

Customer-managed KMS keys with cross-account grants for replication

Dual-Layer KMS

S3 Bucket Keys reduce KMS API calls by 99% for cost efficiency

⚠️ SSE-C Not Supported

Customer-provided encryption keys (SSE-C) cannot be replicated

KMS Re-Encryption for Air-Gap Security

When replicating encrypted objects to the vault account, S3 automatically decrypts with the source KMS key and re-encrypts with the destination KMS key. This ensures:

  1. Vault account uses separate KMS keys that source account cannot access
  2. Source account compromise does NOT expose vault encryption keys
  3. Destination objects can only be decrypted by vault account principals
  4. KMS CloudTrail logs track all encryption key usage for compliance

Replication Rules and Filters

Fine-grained control over what gets replicated using flexible rule configurations:

  • Prefix Filters: Replicate only objects matching path prefix (e.g., "production/", "backups/")
  • Tag Filters: Replicate objects with specific tags (e.g., Environment=Production)
  • Combined Filters: Use both prefix AND tag filters for precise selection (logical AND)
  • Multiple Rules: Configure multiple replication rules per bucket with different destinations
  • Two-Way Replication: Bi-directional replication supported between two buckets (requires conflict resolution)

Replication Metrics and Monitoring

CloudWatch Metrics

BytesPendingReplication, OperationsPendingReplication, ReplicationLatency

S3 Storage Lens

Cross-bucket analytics, replication efficiency, cost allocation

S3 Event Notifications

Trigger Lambda, SNS, or SQS on replication completion

Batch Replication

Replicate existing objects created before replication was enabled

Replication Workflow

End-to-End Replication Process

  1. Enable Versioning: Enable versioning on both source and destination buckets
  2. Create IAM Role: S3 replication role with permissions to read source and write destination
  3. KMS Key Policy: Grant replication role permission to use source and destination KMS keys
  4. Configure Replication Rule: Define source bucket replication rule with destination bucket ARN
  5. Enable RTC (Optional): Activate Replication Time Control for 15-minute SLA
  6. Object Lock (Recommended): Enable S3 Object Lock on destination for immutability
  7. Monitor Metrics: Track replication latency and pending objects in CloudWatch

Incremental Cost Model

S3 CRR only transfers changed data. If you upload a 1GB file, only 1GB is transferred. If you modify 1MB of that file, only the new version is replicated. This dramatically reduces data transfer costs compared to full-copy backup solutions. Combined with S3 Intelligent-Tiering in the destination bucket, long-term storage costs are minimized automatically.

EFS Replication

Amazon EFS (Elastic File System) uses continuous replication to protect NFS file systems, providing cross-region disaster recovery for shared file storage workloads.

How EFS Replication Works

File-Level Continuous Replication

EFS replication creates and maintains an up-to-date copy of your file system in a different AWS region. Unlike snapshots, EFS replication is continuous and automatic, with changes replicated asynchronously to the destination file system.

Replication Mechanics

  1. One-Time Setup: Configure replication from source EFS to automatically create destination EFS in target region
  2. Initial Sync: All existing files and directories are replicated to destination (full copy)
  3. Continuous Updates: New files, modifications, and deletions are replicated asynchronously
  4. Metadata Preservation: File permissions, ownership, timestamps, and extended attributes are replicated
  5. Consistency: Destination file system is eventually consistent, typically within minutes
  6. Cross-Account Support: Can replicate to EFS in vault organization's account

Recovery Point Objective (RPO)

15-Minute RPO

Most files replicated within 15 minutes under normal conditions

Automatic Sync

No manual intervention required, replication happens continuously

Application Transparent

Applications continue using NFS mount, no configuration changes needed

Monitoring

CloudWatch metrics track replication lag and last sync time

The 15-minute RPO means that in a disaster scenario, you could lose up to 15 minutes of file changes. For most shared file system workloads (home directories, shared application data, media files), this is acceptable. For databases or critical transactional data, use RDS/EBS snapshots instead.

Encryption and Security

Multi-Layer Encryption

  1. In Transit: All replication traffic encrypted with TLS 1.2+ between regions
  2. At Rest (Source): Source EFS encrypted with source account KMS key
  3. At Rest (Destination): Destination EFS encrypted with destination account KMS key
  4. Key Isolation: Destination KMS key cannot be accessed from source account

Replication Configuration

Configuration Options

  • Source File System: Any existing EFS file system (Standard or One Zone)
  • Destination Region: Any AWS region (cross-region replication only, same-region not supported)
  • Destination Storage Class: Standard (Multi-AZ) or One Zone (cost-optimized)
  • Lifecycle Policies: Independent lifecycle policies for source and destination
  • Performance Mode: General Purpose (default) or Max I/O (high parallelism)
  • Throughput Mode: Elastic (auto-scaling) or Provisioned (fixed capacity)

Failover and Recovery

Disaster Recovery Workflow

  1. Detect Failure: Source region becomes unavailable or data is compromised
  2. Verify Destination: Check CloudWatch metrics to confirm destination is up-to-date
  3. Update DNS/Mount Points: Point applications to destination EFS endpoint
  4. Resume Operations: Applications mount destination EFS and resume file operations
  5. Reverse Replication (Optional): After source recovery, configure replication in opposite direction

Important: One-Way Replication Only

EFS replication is one-way only. The destination file system is read-only for replication purposes. If you need to fail back to the original region after recovery, you must configure reverse replication (destination → source) and re-sync all data. Bi-directional replication is NOT supported.

Cost Considerations

  • Destination Storage: Same per-GB pricing as source region (Standard or One Zone)
  • Data Transfer: Cross-region data transfer charges apply (typically $0.02/GB)
  • Replication Overhead: No additional replication service charges (only storage + transfer)
  • Lifecycle Policies: Use Infrequent Access (IA) storage class on destination for cost savings

Cost Optimization Strategy

Configure destination file system to use EFS Intelligent-Tiering or lifecycle policies to automatically move files to IA storage class after 30-90 days without access. This can reduce destination storage costs by up to 92% compared to Standard storage, making EFS replication highly cost-effective for disaster recovery.

Snapshot-Based Protection

For databases and block storage, we use AWS-native snapshot capabilities to create point-in-time backups and share them cross-account to your vault organization. Unlike continuous replication, snapshots capture a consistent state at a specific moment in time.

How EBS Snapshots Work

Block-Level Incremental Technology

Amazon EBS snapshots use block-level incremental backup technology stored in AWS-managed S3 infrastructure. After the first full snapshot, subsequent snapshots only store changed blocks since the last snapshot, dramatically reducing storage costs and snapshot creation time.

Snapshot Mechanics

  1. First Snapshot (Full): All data blocks from the EBS volume are copied to S3-backed storage managed by AWS
  2. Subsequent Snapshots (Incremental): Only blocks that changed since the last snapshot are copied
  3. Reference Chains: Snapshots reference previous snapshots to reconstruct full volume state
  4. Deletion Behavior: Deleting a snapshot only removes blocks not needed by other snapshots (AWS manages reference counting)
  5. Compression: AWS automatically compresses snapshot data to minimize storage costs
  6. Performance Impact: Minimal on SSD volumes (io1, io2, gp3), brief I/O pause on HDD volumes (st1, sc1) during snapshot initiation

Crash-Consistent vs Application-Consistent Snapshots

Crash-Consistent (Default)

Captures data in flight to volume at snapshot moment, like pulling power plug - consistent but may require fsck/journal replay

Application-Consistent (Recommended)

Flush application buffers and freeze filesystem before snapshot (using pre-snapshot scripts or VSS on Windows)

For databases running on EBS volumes, application-consistent snapshots require coordination with the database engine to flush buffers and achieve a clean state before snapshot creation. For RDS databases, AWS handles this automatically.

EBS Snapshot Storage and Cross-Region Copying

Storage in AWS-Managed S3

EBS snapshots are stored in AWS-managed S3 infrastructure (not accessible via your S3 console) with 11 9's of durability (99.999999999%). AWS handles all redundancy, replication within the region, and storage management automatically. You are charged per GB-month of snapshot data stored (after compression).

Cross-Region Copy Mechanics

When copying an EBS snapshot to another region, AWS performs an incremental copy if:

  • A previous snapshot from the same volume was already copied to the target region
  • The previous snapshot still exists in the target region
  • The source snapshot is incremental to the previously copied snapshot

If these conditions are met, only changed blocks are transferred across regions, significantly reducing data transfer costs. Otherwise, a full snapshot copy is performed.

How RDS Snapshots Work

Storage-Level Volume Snapshot Technology

Amazon RDS snapshots are storage-level volume snapshots of the entire database instance, including data files, transaction logs, and configuration. RDS uses the underlying EBS snapshot technology but handles all coordination with the database engine to ensure consistent backups.

Automated vs Manual Snapshots

  • Automated Backups: Daily full backups during maintenance window + continuous transaction log backups (enables PITR)
  • Manual Snapshots: User-initiated snapshots that persist until explicitly deleted (survive instance deletion)
  • Cross-Account Sharing: Only manual snapshots can be shared with other AWS accounts (automated backups cannot)
  • Retention: Automated backups: 1-35 days (configurable), Manual snapshots: indefinite

Multi-AZ Snapshot Behavior

Single-AZ Instance

Brief I/O suspension during snapshot (seconds to minutes), affects production workload

Multi-AZ Instance

Snapshot taken from standby replica, NO performance impact on primary database

For production databases, Multi-AZ deployment is strongly recommended not only for high availability but also to eliminate snapshot performance impact. Automated backups and manual snapshots are taken from the standby replica without affecting primary workload.

Point-in-Time Recovery (PITR)

Transaction Log-Based Recovery

RDS continuously backs up transaction logs to S3 every 5 minutes, enabling point-in-time recovery to any second within the retention period (1-35 days). PITR works by:

  1. Restore Base Snapshot: Restore from the latest automated snapshot before the target time
  2. Replay Transaction Logs: Apply transaction logs forward to the exact target timestamp
  3. Granularity: Recover to any second within retention window (5-minute granularity for Aurora)

This is critical for recovering from logical errors (e.g., accidental DELETE query) where you need to restore to the moment before the error occurred.

RDS Snapshot Lifecycle and Retention

Retention Policies

  • Automated Backups: Configurable retention 1-35 days (default 7 days)
  • Transaction Logs: Retained for same period as automated backups (enables PITR)
  • Manual Snapshots: Retained indefinitely until explicitly deleted (survive instance deletion)
  • Final Snapshot: Created automatically when deleting DB instance (optional, recommended)
  • Archive Tier: Not available for RDS (use S3 export for long-term archive)

Encrypted Snapshot Handling

KMS Encryption Requirements

RDS snapshots inherit encryption from the source DB instance. If the instance uses KMS encryption, all snapshots are automatically encrypted with the same KMS key. For cross-account snapshot sharing:

  1. Source Account: KMS key policy must grant destination account permission to use the key
  2. Snapshot Sharing: Encrypted snapshots can be shared with destination account
  3. Destination Copy: Destination account copies snapshot and re-encrypts with its own KMS key
  4. Key Isolation: After re-encryption, source account cannot decrypt destination snapshot

RDS Performance Impact Summary

Automated Backups

Multi-AZ: No impact (from standby). Single-AZ: Brief I/O pause during daily backup window

Manual Snapshots

Same as automated: Multi-AZ no impact, Single-AZ brief pause

Transaction Logs

Continuous every 5 minutes, no perceptible impact on database performance

Snapshot Restore

Creates new DB instance, no impact on existing instance during restore

Supported Database Services

Amazon RDS Snapshots

Automated and manual snapshots of RDS databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server)

  • Automated daily snapshots with configurable retention
  • Cross-account snapshot sharing to vault organization
  • Encrypted snapshots using AWS KMS
  • Instant restore to new RDS instance in any region

Amazon Aurora Snapshots

Cluster snapshots for Aurora MySQL and Aurora PostgreSQL

  • Continuous incremental backups to Amazon S3
  • Point-in-time recovery (PITR) up to the last 5 minutes
  • Cross-account cluster snapshot sharing
  • Backtrack feature for MySQL (rewind without restore)

Amazon EBS Snapshots

Block-level snapshots of EBS volumes attached to EC2 instances

  • Incremental snapshots (only changed blocks are saved)
  • Cross-account and cross-region snapshot sharing
  • EBS Direct APIs for fast snapshot recovery
  • Archive tier for long-term retention at 75% lower cost

Cross-Account Snapshot Workflow

  1. Snapshot Creation: AWS creates a snapshot of your database or volume in your source account (automated on a schedule).
  2. Snapshot Sharing: The snapshot is shared with your vault organization's account ID using AWS's built-in snapshot sharing.
  3. Snapshot Copy: A Lambda function in the vault account automatically copies the shared snapshot, creating an independent copy owned by the vault account.
  4. Immutability Enforcement: IAM policies and Service Control Policies (SCPs) prevent deletion of snapshots before retention period expires.
  5. Encryption: Snapshots are re-encrypted using a KMS key owned by the vault account, ensuring source account cannot access data.

Cross-Account Snapshot Protection

EBS and RDS snapshots can be shared across AWS accounts to provide true air-gap protection. Unlike S3 replication which operates continuously, snapshots are point-in-time copies that are shared and copied to your vault organization.

EBS Snapshot Sharing

Amazon EBS snapshots support unlimited cross-account sharing with powerful features for enterprise disaster recovery.

Unlimited Accounts

Share snapshots with any number of AWS accounts simultaneously

Cross-Region Support

Copy snapshots to any AWS region for geographic redundancy

DLM Automation

Data Lifecycle Manager automates snapshot creation and sharing schedules

Customer-Managed KMS

Use your own KMS keys for encryption sovereignty and compliance

EBS Snapshot Workflow

  1. Automated Creation: DLM policy creates snapshots on schedule (hourly, daily, weekly)
  2. Cross-Account Share: Snapshot automatically shared with vault account ID
  3. Cross-Region Copy: Vault account copies snapshot to target region
  4. KMS Re-Encryption: Snapshot re-encrypted with vault account's customer-managed KMS key
  5. Retention Management: Lifecycle policies enforce immutability and retention periods

RDS Snapshot Sharing

Amazon RDS snapshots have different constraints compared to EBS, requiring careful architecture for cross-account protection.

RDS Snapshot Limitations

  • 20 Account Limit: Each RDS snapshot can only be shared with up to 20 AWS accounts
  • Same-Region Only: Shared snapshots cannot be copied to different regions directly
  • Manual Snapshots Only: Only manual snapshots can be shared (automated backups cannot)
  • Copy Before Cross-Region: Must copy to vault account first, then copy to another region

RDS Snapshot Workflow

  1. Manual Snapshot: Lambda creates manual snapshot from automated backup or live database
  2. Same-Region Share: Snapshot shared with vault account in same region
  3. Vault Account Copy: Vault account copies shared snapshot (now owned by vault)
  4. Cross-Region Copy: After vault ownership, copy to target region if needed
  5. KMS Re-Encryption: Each copy re-encrypted with vault account's KMS key
  6. Source Cleanup: Original manual snapshot can be deleted after vault copy completes

Why the Two-Step Copy?

RDS doesn't support direct cross-region sharing. The shared snapshot must first be copied within the same region to transfer ownership to the vault account. Only after the vault account owns the snapshot can it be copied cross-region. This ensures true air-gap isolation since the vault account has independent ownership.

Customer-Managed Encryption

Both EBS and RDS snapshots support customer-managed KMS keys, providing encryption sovereignty critical for regulatory compliance.

Key Isolation

Vault account uses separate KMS keys that source account cannot access

Automated Rotation

KMS automatic key rotation enabled without disrupting snapshots

CloudTrail Audit

All KMS key usage logged for compliance and forensics

Zero-Knowledge

Only you control encryption keys - MSP cannot decrypt your data

Encrypted Snapshot Sharing Requirements

When sharing encrypted snapshots, specific KMS key permissions are required. Air Gap Recover handles this automatically. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVaultAccountToUseKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::VAULT-ACCOUNT-ID:root"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.us-east-1.amazonaws.com",
            "rds.us-east-1.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Example KMS key policy for encrypted snapshot sharing (source account)

Security Benefits of Snapshot Sharing

Defense in Depth

  1. One-Way Transfer: Snapshots flow from source to vault only - vault cannot access source data directly
  2. Independent Ownership: Vault account owns copied snapshots - source account deletion doesn't affect vault
  3. Separate Encryption: Vault uses distinct KMS keys that source account cannot decrypt
  4. Immutability Enforcement: SCPs in vault organization prevent deletion before retention expires
  5. Air-Gap Isolation: Vault organization has no trust relationship with source organization

Automation with Data Lifecycle Manager

For EBS volumes, AWS Data Lifecycle Manager (DLM) provides enterprise-grade automation for snapshot creation and cross-account sharing.

  • Tag-Based Selection: Automatically create snapshots for volumes tagged with DisasterRecovery:Protection=true
  • Flexible Schedules: Hourly, daily, weekly, or monthly snapshot creation
  • Automatic Sharing: Share snapshots with vault account automatically upon creation
  • Retention Management: Automatically delete old snapshots after retention period
  • Cross-Region Copy: Replicate snapshots to multiple regions simultaneously
  • Fast Snapshot Restore: Pre-warm snapshots for instant volume creation

Tag-Based Discovery

Customers control exactly what gets protected by adding AWS resource tags. Simply tag an EBS volume or RDS database with DisasterRecovery:Protection=true and it will automatically be included in the next snapshot cycle. No manual configuration required.

Recovery Scenarios

Point-in-Time Recovery

Restore from any snapshot in your retention window

  • EBS: Restore volume from any hourly/daily snapshot
  • RDS: Restore database to any manual snapshot point
  • Choose recovery point based on known-good state before incident
  • Launch in vault account for quarantine testing before production restore

Cross-Region Failover

Launch infrastructure in alternate AWS region from snapshots

  • Snapshots already replicated to target region
  • Launch new EC2 instances or RDS databases from snapshots
  • Complete environment recovery in different geography
  • Protects against region-wide AWS outages or disasters

Clean Room Recovery

Launch snapshots in isolated environment for malware scanning

  • Restore data to quarantined VPC with no production connectivity
  • Run antivirus and security scanning before production restoration
  • Forensic analysis without risking production environment
  • Discard if compromised, retry with earlier snapshot

Security & Governance

The vault organization is secured using AWS Control Tower, Service Control Policies (SCPs), and strict IAM policies to ensure data cannot be tampered with or deleted.

AWS Control Tower

Your vault organization is governed by AWS Control Tower, which provides:

Account Factory

Automated provisioning of vault accounts with pre-configured security guardrails

Guardrails

Preventive and detective controls enforced across all accounts

Centralized Logging

CloudTrail and Config logs aggregated in a secure log archive account

Compliance Dashboard

Real-time visibility into compliance status and drift detection

Service Control Policies (SCPs)

SCPs enforce organization-wide restrictions that cannot be overridden, even by the account root user: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "arn:aws:s3:::vault-*/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-vaultorgid"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBClusterSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    }
  ]
}

Example SCP preventing deletion of vault objects and snapshots

Encryption Architecture

Multi-Layer Encryption

  1. In Transit: All replication uses TLS 1.2+ with perfect forward secrecy
  2. At Rest (Source): Data encrypted with source account KMS keys
  3. At Rest (Vault): Data re-encrypted with vault account KMS keys (AES-256)
  4. Key Isolation: Vault KMS keys cannot be accessed from source organization

Access Controls

Access to the vault organization requires:

  • Separate AWS Account: Vault organization has no trust relationship with source organization
  • MFA Enforcement: All human access requires hardware MFA (U2F or TOTP)
  • IP Allowlisting: API access restricted to known corporate IP ranges
  • CloudTrail Monitoring: All API calls logged and monitored for anomalies

AWS Services Used

Air Gap Recover exclusively uses AWS-managed services. Here's the complete list of AWS services that power the solution:

Storage & Data

  • Amazon S3 (Cross-Region Replication)
  • Amazon RDS (Snapshots)
  • Amazon Aurora (Backtrack & Snapshots)
  • Amazon EBS (Volume Snapshots)
  • Amazon EFS (Replication)

Security & Governance

  • AWS Control Tower (Organization Governance)
  • AWS Organizations (Account Management)
  • AWS IAM (Access Control)
  • AWS KMS (Encryption Key Management)
  • AWS CloudTrail (API Logging)
  • AWS Config (Compliance Monitoring)

Automation & Orchestration

  • AWS Lambda (Serverless Functions)
  • Amazon EventBridge (Event Routing)
  • AWS Step Functions (Workflow Orchestration)
  • AWS Systems Manager (Parameter Store)
  • Terraform - Infrastructure as Code

Monitoring & Alerting

  • Amazon CloudWatch (Metrics & Logs)
  • Amazon SNS (Notifications)
  • AWS X-Ray (Distributed Tracing)
  • Amazon GuardDuty (Threat Detection)

Zero Custom Infrastructure

Notice what's NOT on this list: No EC2 instances, no custom databases, no third-party agents, no proprietary storage systems. Every component is a fully-managed AWS service with AWS SLAs.

Service Support Matrix

Service Protection Method Cross-Account
Amazon S3 Cross-Region Replication
Amazon RDS Automated Snapshots
Amazon Aurora Cluster Snapshots
Amazon EBS Volume Snapshots
Amazon EFS EFS Replication
FSx for Windows/Lustre FSx Backups

Ready to Protect Your AWS Infrastructure?

Talk to our team and see how easy AWS-native disaster recovery can be.

Schedule a Call