How can I manage my AWS Backup settings with CloudFormation templates?

I want to use AWS Backup to back up my data from other AWS resources. Also, I want to use an AWS CloudFormation template to manage my AWS Backup configurations.

Resolution

To create CloudFormation templates, use the supported AWS Backup resource types. For example, you can use a CloudFormation template to create a backup plan and assign a resource to the backup plan. You can also use a template to create a backup plan, create a backup vault, and assign a resource to the backup plan.

Important: Your backup plan must specify the tag that assigns resources to the backup plan. Before you set the backup plan, decide on the tag. Then, verify that the tag is assigned to the correct resources and that it's written correctly in the backup plan.

Template to create a backup plan and assign a resource to the backup plan

The following example CloudFormation template in YAML performs these tasks:

  • Creates a backup plan that's named BackupPlanWithThinBackups.
  • Sets backups to store in the vault that's named Default.
  • Creates a backup rule that's named RuleForDailyBackups and is scheduled to run a daily backup at 11:25 AM UTC.
  • Turns on Windows VSS.
  • Sets the lifecycle to delete backups seven days after they're created.
  • Sets the CopyAction to copy backups to the us-west-2 AWS Region for disaster recovery.
  • Uses the AWS Identity and Access Management (IAM) role that's named AWSBackupDefaultServiceRole to run the backup job.
  • Assigns the backup plan to all resources that are tagged with the key backupplan and the value dsi-sandbox-daily.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Backup Plan template to back up all resources tagged with backupplan=dsi-sandbox-daily at 11:25am
  UTC.
Resources:
  BackupPlanWithThinBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithThinBackups"
        AdvancedBackupSettings:
          -
            ResourceType: EC2
            BackupOptions:
              WindowsVSS: enabled
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: Default
            ScheduleExpression: "cron(25 11 ? * * *)"
            Lifecycle:
              DeleteAfterDays: 7
            CopyActions:
              -
                DestinationBackupVaultArn: arn:aws:backup:us-west-2:111222333444:backup-vault:Default
                Lifecycle:
                  DeleteAfterDays: 14
  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole"
        ListOfTags:
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backupplan"
            ConditionValue: "dsi-sandbox-daily"
      BackupPlanId: !Ref BackupPlanWithThinBackups
    DependsOn: BackupPlanWithThinBackups
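
One way to carry out the tag check from the Important note before deploying this template (an added example, not AWS's own code): it compares each resource's tags with the selection's exact-match condition and flags near misses, such as a differently cased key or value, that the plan would skip without any error. The inventory is a constructed sample shaped like `aws resourcegroupstaggingapi get-resources` output; the resource IDs and the us-east-1 Region are assumptions.

```python
import json

# Tag condition copied from ListOfTags in the template above (STRINGEQUALS).
KEY, VALUE = "backupplan", "dsi-sandbox-daily"

# Constructed sample shaped like `aws resourcegroupstaggingapi get-resources`
# output; the resource IDs and Region are made up for illustration.
SAMPLE = json.loads("""
{"ResourceTagMappingList": [
 {"ResourceARN": "arn:aws:ec2:us-east-1:111222333444:instance/i-exampleA",
  "Tags": [{"Key": "backupplan", "Value": "dsi-sandbox-daily"}]},
 {"ResourceARN": "arn:aws:ec2:us-east-1:111222333444:volume/vol-exampleB",
  "Tags": [{"Key": "BackupPlan", "Value": "dsi-sandbox-daily"}]},
 {"ResourceARN": "arn:aws:rds:us-east-1:111222333444:db:example-c",
  "Tags": [{"Key": "backupplan", "Value": "DSI-Sandbox-Daily"}]},
 {"ResourceARN": "arn:aws:ec2:us-east-1:111222333444:instance/i-exampleD",
  "Tags": [{"Key": "backupplan", "Value": "dsi-prod-daily"}]},
 {"ResourceARN": "arn:aws:ec2:us-east-1:111222333444:instance/i-exampleE", "Tags": []}
]}
""")

def _fold(text):
    # Used only to spot near misses; the selection itself matches exactly.
    return text.strip().casefold()

def classify(tags, key=KEY, value=VALUE):
    """Return (status, reason) for one resource's {tag key: tag value} dict."""
    if tags.get(key) == value:
        return "selected", ""
    for k, v in tags.items():
        if k != key and _fold(k) == _fold(key):
            return "near-miss", f"key {k!r} is not exactly {key!r}"
        if k == key and _fold(v) == _fold(value):
            return "near-miss", f"value {v!r} is not exactly {value!r}"
    return "unselected", ""

def audit(inventory, key=KEY, value=VALUE):
    """Group (ARN, reason) pairs by whether the selection backs them up."""
    report = {"selected": [], "near-miss": [], "unselected": []}
    for item in inventory["ResourceTagMappingList"]:
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        status, reason = classify(tags, key, value)
        report[status].append((item["ResourceARN"], reason))
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Anything listed under near-miss looks tagged to a human reviewer but gets no recovery points, so resolve those entries before relying on the plan.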

Template to create a backup plan, create a backup vault, and assign a resource to the backup plan

The following example CloudFormation template in YAML performs these tasks:

  • Creates a backup vault that's named BackupVaultWithThinBackups.
  • Creates a backup plan that's named BackupPlanWithThinBackups.
  • Sets backups to store in the vault that's named BackupVaultWithThinBackups.
  • Creates a backup rule that's named RuleForDailyBackups that's scheduled to run a daily backup. These backups are deleted seven days after they're created.
  • Turns on Windows VSS.
  • Sets the CopyAction to copy backups to the us-west-2 AWS Region for disaster recovery. These backups are deleted 14 days after they're created.
  • Creates a backup rule that's named RuleForWeeklyBackups that's scheduled to run a weekly backup every Monday at 11:00 AM. These backups are deleted 28 days after they're created.
  • Creates a backup rule that's named RuleForMonthlyBackups that's scheduled to run a backup on the first day of every month at 11:00 AM. These backups are deleted 90 days after they're created.
  • Uses the IAM role that's named AWSBackupDefaultServiceRole to run the backup job.
  • Assigns the backup plan to all resources that are tagged with the key backup and the value thinbackup.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Backup Plan template for thin backups"
Resources:
  BackupVaultWithThinBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithThinBackups"

  BackupPlanWithThinBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithThinBackups"
        AdvancedBackupSettings:
          -
            ResourceType: EC2
            BackupOptions:
              WindowsVSS: enabled
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(25 11 ? * * *)"
            Lifecycle:
              DeleteAfterDays: 7
            CopyActions:
              -
                DestinationBackupVaultArn: arn:aws:backup:us-west-2:111222333444:backup-vault:Default
                Lifecycle:
                  DeleteAfterDays: 14
          -
            RuleName: "RuleForWeeklyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(0 11 ? * 2 *)"
            Lifecycle:
              DeleteAfterDays: 28
            CopyActions:
              -
                DestinationBackupVaultArn: arn:aws:backup:us-west-2:111222333444:backup-vault:Default
                Lifecycle:
                  DeleteAfterDays: 14
          -
            RuleName: "RuleForMonthlyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(0 11 1 * ? *)"
            Lifecycle:
              DeleteAfterDays: 90
            CopyActions:
              -
                DestinationBackupVaultArn: arn:aws:backup:us-west-2:111222333444:backup-vault:Default
                Lifecycle:
                  DeleteAfterDays: 14
    DependsOn: BackupVaultWithThinBackups

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole"
        ListOfTags:
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "thinbackup"
      BackupPlanId: !Ref BackupPlanWithThinBackups
    DependsOn: BackupPlanWithThinBackups
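
The three schedule expressions above, evaluated in an added example (not AWS's own code) to confirm they fire when the task list says they do. AWS cron numbers days of the week from 1 = Sunday, so `2` is Monday; `next_runs` is a hypothetical minimal evaluator that handles only numbers, comma lists, `*` and `?`, and assumes the default UTC schedule.

```python
from datetime import datetime, timedelta, timezone

# Schedule expressions copied from the template above.
RULES = {
    "RuleForDailyBackups": "cron(25 11 ? * * *)",
    "RuleForWeeklyBackups": "cron(0 11 ? * 2 *)",
    "RuleForMonthlyBackups": "cron(0 11 1 * ? *)",
}

def _field(spec, lo, hi):
    """Expand one cron field into a set of ints (supports *, ? and a,b lists)."""
    if spec in ("*", "?"):
        return set(range(lo, hi + 1))
    return {int(part) for part in spec.split(",")}

def next_runs(expression, after, count=3):
    """Return the next `count` start times for a six-field AWS cron() string."""
    minute, hour, dom, month, dow, _year = expression[5:-1].split()
    minutes, hours = _field(minute, 0, 59), _field(hour, 0, 23)
    doms, months = _field(dom, 1, 31), _field(month, 1, 12)
    dows = _field(dow, 1, 7)  # AWS numbering: 1 = Sunday ... 7 = Saturday
    runs, t = [], after.replace(second=0, microsecond=0)
    while len(runs) < count:
        t += timedelta(minutes=1)
        aws_dow = (t.weekday() + 1) % 7 + 1  # Python numbering: Monday = 0
        if (t.minute in minutes and t.hour in hours and t.day in doms
                and t.month in months and aws_dow in dows):
            runs.append(t)
    return runs

if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    for name, expr in RULES.items():
        print(name, [r.strftime("%a %Y-%m-%d %H:%M") for r in next_runs(expr, start)])
```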

Related information

Troubleshooting AWS Backup

AWS OFFICIAL
Updated 8 months ago