AWS Storage Blog
Enhance resource selection in AWS Backup Policies in AWS Organizations
In today’s digital landscape, businesses rely on consistent and secure backups for data protection and disaster recovery (DR). A centralized backup policy enables organizations to enforce uniform data protection standards across departments and workloads, helping to maintain compliance and minimize risks. In the cloud, organizations use backup policies to manage data protection from a central account, streamline backup automation, and maintain consistent scheduling, retention, and recovery across member accounts. Policy-based backups reduce human error and help to scale data protection of critical assets across organizations’ cloud estate.
AWS Backup is a fully managed and cost-effective policy-based backup service that streamlines and automates data backup across AWS services. Additionally, using AWS Backup’s integration with AWS Organizations, administrators can use backup policies to centrally manage backup schedules and retention, and monitor backup statuses from the management account. And now, AWS Backup allows you to protect specific resources by selecting resource types and exclude them based on resource type or tag.
In this post, we provide step-by-step guidance on how to create a backup policy with advanced selection in the AWS Backup console. We walk you through the process of using a JSON editor to create a backup policy. This enables you to achieve a more granular resource selection that goes beyond using tags to determine which resources should be backed up across your accounts.
How AWS Backup policies work
In June 2020, AWS Backup launched integration with AWS Organizations, enabling the ability to create backup policies across accounts in your organizations from the management account. This Cross-Account Management feature allows you to standardize backup rules, lifecycle management, and resource assignments using tags throughout the AWS Organizations.
AWS Backup policies are a set of rules and configurations that define how and when data backups are created, retained, and managed within AWS Backup. While backup plans only work within accounts, backup policies work at the organizational level to provide backup across accounts within AWS Organizations.
The key features and capabilities of AWS Backup policies include:
- Backup rules: These establish schedules, frequencies, and retention periods for backups. They also facilitate lifecycle management, enabling organizations to tier backup to cost-effective cold storage, specify retention durations, and determine deletion timelines. By using these features, businesses can optimize storage expenses while maintaining robust backup strategies that align with their data management objectives.
- Resource assignment: Policies allow you to associate supported AWS resources with a backup plan using tags.
- Backup copies: The cross-account and cross-Region copy feature means that policies can be configured to create backups in multiple AWS Regions and accounts for enhanced DR and compliance.
You can use the following tools to monitor the health of backup, copy, and restore jobs, or to track events related to backup policies:
- Console dashboard: You can log in to the AWS Backup console to monitor the health of backup, copy, and restore jobs.
- Cross-account monitoring: You can turn on this functionality in the AWS Backup console or through the API, with no other settings required, to monitor backup, copy, and restore jobs across accounts.
- AWS Backup Audit Manager: AWS Backup offers pre-built, customizable frameworks to evaluate your policies against your business/compliance requirements. You can also use AWS CloudFormation to automatically deploy selected frameworks to accounts in your organization.
- Logging cross-account management events: AWS Backup generates these AWS CloudTrail events when you create, update, or delete an AWS Organizations backup policy, or when there is an invalid organizational backup plan.
Flexible resource selection in backup policies
With the launch of the advanced selection capability of AWS Backup policies, you can now:
- Specify advanced resource selection criteria: You can go beyond using tags to determine which resources should be backed up across your accounts, and dynamically assign policies to specific resource groups or resource types without needing tags.
- Exclude resources by tag or by resource type.
- Apply multiple tags to backup policies.
Prerequisites
The following prerequisites are necessary to follow along with this solution:
- AWS accounts: Prepare accounts to which you can attach the backup policy.
- AWS Organizations: The aforementioned AWS accounts should belong to the same AWS organization. This is a mandatory requirement for backup policies.
- Knowledge of backup policies.
- Existing backup vault to store the recovery points.
- Existing AWS resources created within these accounts that can be used in a backup policy.
- Opt in to the services that you want to protect with AWS Backup.
- Knowledge of writing JSON.
- Make sure that you have enabled the features in AWS Organizations and backup policies through the AWS Organizations console.
Walkthrough
In this section, we walk you through a couple of examples to achieve advanced selection for backup policies.
1. Log in to the management or delegated administrator account and open the AWS Backup console, as shown in Figure 1.0.
Figure 1.0: Search for AWS Backup in the console
2. In the AWS Backup console, choose Backup policies, as shown in Figure 1.1.
Figure 1.1: Choose Backup policies from the menu
3. Choose Create backup policy to begin the creation of the backup policy, as shown in Figure 1.2.
Figure 1.2: Create the backup policy
4. Enter the Policy name and Policy description. To create the backup policy configuration, use JSON instead of the visual editor: choose JSON, then insert or write the JSON policy. Choose Save policy to create this backup policy, as shown in Figure 1.3.
Figure 1.3: Presenting a backup policy in JSON format
The following are examples of backup policies that can be used. For an overview of advanced resource selection parameters, visit this documentation.
Example 1: This backup policy allows you to select all resources in your account.
{
  "plans": {
    "PII_Backup_Plan_Weekly": {
      "regions": {
        "@@assign": [
          "us-east-1",
          "us-east-2",
          "ap-southeast-2"
        ]
      },
      "rules": {
        "PII_Backup_Plan_Weekly": {
          "schedule_expression": {
            "@@assign": "cron(0 5 ? * 7 *)"
          },
          "lifecycle": {
            "move_to_cold_storage_after_days": {
              "@@assign": "21"
            },
            "delete_after_days": {
              "@@assign": "180"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "PII_Backup"
          }
        }
      },
      "selections": {
        "resources": {
          "all_resources": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "resource_types": {
              "@@assign": [
                "*"
              ]
            }
          }
        }
      }
    }
  }
}
Example 2: This backup policy selects all resources in your account but excludes Amazon EBS volumes by resource type, without using tags.
{
  "plans": {
    "PII_Backup_Plan_Weekly": {
      "regions": {
        "@@assign": [
          "us-east-1",
          "us-east-2",
          "ap-southeast-2"
        ]
      },
      "rules": {
        "PII_Backup_Plan_Weekly": {
          "schedule_expression": {
            "@@assign": "cron(0 5 ? * 7 *)"
          },
          "lifecycle": {
            "move_to_cold_storage_after_days": {
              "@@assign": "21"
            },
            "delete_after_days": {
              "@@assign": "180"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "PII_Backup"
          }
        }
      },
      "selections": {
        "resources": {
          "all_resources": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "resource_types": {
              "@@assign": [
                "*"
              ]
            },
            "not_resource_types": {
              "@@assign": [
                "arn:aws:ec2:*:*:volume/*"
              ]
            }
          }
        }
      }
    }
  }
}
Example 3: This backup policy selects the Amazon EBS volumes and Amazon RDS instances tagged with "backup":"true" but not with "stage":"test".
{
  "plans": {
    "PII_Backup_Plan_Weekly": {
      "regions": {
        "@@assign": [
          "us-east-1",
          "us-east-2",
          "ap-southeast-2"
        ]
      },
      "rules": {
        "PII_Backup_Plan_Weekly": {
          "schedule_expression": {
            "@@assign": "cron(0 5 ? * 7 *)"
          },
          "lifecycle": {
            "move_to_cold_storage_after_days": {
              "@@assign": "21"
            },
            "delete_after_days": {
              "@@assign": "180"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "PII_Backup"
          }
        }
      },
      "selections": {
        "resources": {
          "all_resources": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "resource_types": {
              "@@assign": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:rds:*:*:db:*"
              ]
            },
            "conditions": {
              "string_equals": {
                "test1": {
                  "condition_key": {
                    "@@assign": "aws:ResourceTag/backup"
                  },
                  "condition_value": {
                    "@@assign": "true"
                  }
                }
              },
              "string_not_equals": {
                "test1": {
                  "condition_key": {
                    "@@assign": "aws:ResourceTag/stage"
                  },
                  "condition_value": {
                    "@@assign": "test"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
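Before attaching a policy, it helps to check which resources a selection block would actually pick up. The following Python script is an added example, not code from this post or from AWS: it replays the selection blocks of Examples 2 and 3 (embedded as constructed fragments) against sample ARNs and tag sets, and its handling of resource_types, not_resource_types and conditions (glob matching on ARNs; every string_equals test must match, no string_not_equals test may match) is an assumption of this example, not the service's implementation.

```python
import fnmatch

# Constructed policy fragments mirroring Examples 2 and 3 above. Only the "selections"
# part drives which resources are picked, so regions, rules and the IAM role are omitted.
EXAMPLE_2 = {"plans": {"PII_Backup_Plan_Weekly": {"selections": {"resources": {"all_resources": {
    "resource_types": {"@@assign": ["*"]},
    "not_resource_types": {"@@assign": ["arn:aws:ec2:*:*:volume/*"]}}}}}}}
EXAMPLE_3 = {"plans": {"PII_Backup_Plan_Weekly": {"selections": {"resources": {"all_resources": {
    "resource_types": {"@@assign": ["arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*"]},
    "conditions": {
        "string_equals": {"test1": {"condition_key": {"@@assign": "aws:ResourceTag/backup"},
                                    "condition_value": {"@@assign": "true"}}},
        "string_not_equals": {"test1": {"condition_key": {"@@assign": "aws:ResourceTag/stage"},
                                        "condition_value": {"@@assign": "test"}}}}}}}}}}

def assigned(node, default):
    """Unwrap the AWS Organizations "@@assign" operator used throughout backup policies."""
    return node.get("@@assign", default) if isinstance(node, dict) else default

def arn_matches(patterns, arn):
    """An ARN matches a resource type list if any glob pattern fits; "*" alone fits everything."""
    return any(p == "*" or fnmatch.fnmatchcase(arn, p) for p in patterns)

def conditions_hold(conditions, tags):
    """Assumed semantics: all string_equals tests must match a tag, no string_not_equals may."""
    for operator, must_match in (("string_equals", True), ("string_not_equals", False)):
        for test in conditions.get(operator, {}).values():
            tag_key = assigned(test.get("condition_key"), "").removeprefix("aws:ResourceTag/")
            matched = tags.get(tag_key) == assigned(test.get("condition_value"), None)
            if matched != must_match:  # a missing tag never matches either operator
                return False
    return True

def is_selected(policy, plan_name, arn, tags):
    """True if the resource matches resource_types, misses not_resource_types, meets conditions."""
    selections = policy["plans"][plan_name]["selections"]["resources"]
    for selection in selections.values():
        include = assigned(selection.get("resource_types"), [])
        exclude = assigned(selection.get("not_resource_types"), [])
        if not arn_matches(include, arn) or arn_matches(exclude, arn):
            continue
        if conditions_hold(selection.get("conditions", {}), tags):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample (fictional account id): Example 3 skips a volume tagged stage=test.
    volume = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"
    print(is_selected(EXAMPLE_3, "PII_Backup_Plan_Weekly", volume, {"backup": "true", "stage": "test"}))
```

Feeding your own resource ARNs and tag maps into is_selected shows, before the policy is attached, which workloads would be left without a recovery point.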
5. After creating the backup policy, choose Attach to apply the policy to the root (the entire organization), the preferred organizational units (OUs), or specific accounts, as shown in Figure 1.4.
Figure 1.4: Created backup policy with no accounts or OU targets selected yet
6. Choose where you want to apply this policy and choose Attach, as shown in Figure 1.5.
Figure 1.5: Choose the individual accounts or OUs to be protected by the backup policy
Cleaning up
To avoid ongoing storage charges, delete the backups that you no longer need. The backups created in each account must be deleted independently.
- Sign in to the console with your management or delegated admin account.
- Go to the AWS Backup console.
- In the AWS Backup console, choose Backup Vaults and choose the vault created.
- Select the recovery points in the vault and on the actions menu, choose Delete.
- Confirm the deletion by entering "delete" and choosing Delete recovery points.
- In the backup vault, choose Delete Vault, enter the vault name to confirm, and choose Delete Backup Vault. Vaults can only be deleted when empty.
- In the menu on the left, choose Backup policies.
- Choose the backup policy created and choose Delete.
- Confirm the deletion by entering "delete" and choosing Delete Backup Policy.
Conclusion
In this post, we demonstrated how to create an AWS Backup policy with advanced resource selection using the JSON editor from the AWS Backup console. By providing step-by-step guidance, this post aims to help you better use the available backup management tools. You can also use this advanced feature with AWS Backup APIs through the AWS Command Line Interface (AWS CLI). Read more about implementing the feature using the CLI here.
To learn more about backup policies, refer to the AWS Backup documentation.
Thank you for reading this post. Leave any thoughts or questions in the comments section.