AWS Backup Policy With Examples
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed AWS service control policies (SCPs).
https://cloudaffaire.com/aws-service-control-policy-scp-with-examples/
In this blog post, we will discuss AWS backup policies with examples. An AWS Organizations backup policy helps you standardize and enforce a backup strategy for the resources across all of the accounts in your organization. In a backup policy, you configure backup plans that are then deployed into every account the policy applies to.
Elements Of Backup Policy:
The bulk of a backup policy is the backup plan and its rules. The syntax for the backup plan within an AWS Organizations backup policy is structurally identical to the syntax used by AWS Backup, but the key names are different.
- $account variable: In certain text strings in the policies, you can use the $account variable to represent the current AWS account. When AWS Backup runs a plan in the effective policy, it automatically replaces this variable with the ID of the AWS account in which the effective policy and its plans are running.
- Inheritance operators: Inheritance operators control how inherited policies and account policies merge into the account's effective policy. These operators include value-setting operators and child control operators.
  - Value-setting operators: You can use the following value-setting operators to control how your policy interacts with its parent policies:
    - @@assign: Overwrites any inherited policy settings with the specified settings. If the specified setting isn't inherited, this operator adds it to the effective policy.
    - @@append: Adds the specified settings (without removing any) to the inherited ones. If the specified setting isn't inherited, this operator adds it to the effective policy.
    - @@remove: Removes the specified inherited settings from the effective policy, if they exist.
  - Child control operators: Using child control operators is optional. You can use the @@operators_allowed_for_child_policies operator to control which value-setting operators child policies can use. You can allow all operators, some specific operators, or no operators. By default, all operators (@@all) are allowed.
    - "@@operators_allowed_for_child_policies": ["@@all"]: Child OUs and accounts can use any operator in policies. By default, all operators are allowed in child policies.
    - "@@operators_allowed_for_child_policies": ["@@assign", "@@append", "@@remove"]: Child OUs and accounts can use only the specified operators in child policies. You can specify one or more value-setting operators in this child control operator.
    - "@@operators_allowed_for_child_policies": ["@@none"]: Child OUs and accounts can't use operators in policies. You can use this operator to effectively lock in the values that are defined in a parent policy so that child policies can't add, append, or remove those values.
- plans: The top-level key of the policy is the plans key. A backup policy must always start with this fixed key name at the top of the policy file. You can have one or more backup plans under this key. Each plan can contain the following elements:
  - rules: This key contains a collection of rules. Each rule translates to a scheduled task, with a start time and window in which to back up the resources identified by the selections and regions elements in the effective backup policy. The value of the rule key is the following collection of rule elements:
    - schedule_expression: This policy key maps to the ScheduleExpression key in an AWS Backup plan.
    - target_backup_vault_name: This policy key maps to the TargetBackupVaultName key in an AWS Backup plan.
    - start_backup_window_minutes: This policy key maps to the StartWindowMinutes key in an AWS Backup plan.
    - complete_backup_window_minutes: This policy key maps to the CompletionWindowMinutes key in an AWS Backup plan.
    - enable_continuous_backup: This policy key maps to the EnableContinuousBackup key in an AWS Backup plan.
    - lifecycle: This policy key maps to the Lifecycle key in an AWS Backup plan.
      - move_to_cold_storage_after_days: This policy key maps to the MoveToColdStorageAfterDays key in an AWS Backup plan.
      - delete_after_days: This policy key maps to the DeleteAfterDays key in an AWS Backup plan.
    - copy_actions: This policy key maps to the CopyActions key in an AWS Backup plan.
      - target_backup_vault_arn: This policy key maps to the DestinationBackupVaultArn key in an AWS Backup plan.
      - lifecycle: This policy key maps to the Lifecycle key under the CopyAction key in an AWS Backup plan.
        - move_to_cold_storage_after_days: This policy key maps to the MoveToColdStorageAfterDays key in an AWS Backup plan.
        - delete_after_days: This policy key maps to the DeleteAfterDays key in an AWS Backup plan.
    - recovery_point_tags: This policy key maps to the RecoveryPointTags key in an AWS Backup plan.
  - regions: This key contains an array of AWS Regions whose resources can be backed up by this policy.
  - selections: The selections policy key specifies the resources that are backed up by the plan rules in this policy. This key roughly corresponds to the BackupSelection object in AWS Backup.
    - tags: Specifies the tags that identify the resources, and the IAM role that has permission to both query the resources and back them up. This key's value contains one or more of the following elements:
      - iam_role_arn: Specifies the IAM role that has permission to access the resources identified by the tag query in the AWS Regions specified by the regions key.
      - tag_key: Specifies the tag key name to search for. This key contains the @@assign inheritance value operator and a string value. The value is case sensitive.
      - tag_value: Specifies the value that must be associated with a key name that matches tag_key. AWS Backup includes the resource in the backup only if both the tag_key and tag_value match.
  - advanced_backup_settings: Specifies settings for specific backup scenarios. This key contains one or more settings. Each setting is a JSON object string with the following elements:
    - Object key name: A string that specifies the type of resource to which the following advanced settings apply.
    - Object value: A JSON object string that contains one or more backup settings specific to the associated resource type.
  - backup_plan_tags: Specifies tags that are attached to the backup plan itself. This does not impact the tags specified in any rules or selections.
    - tag_key: Specifies the tag key name to attach to the backup plan. This key contains the @@assign inheritance value operator and a string value.
    - tag_value: Specifies the value that is attached to the backup plan and associated with the tag_key. This key contains the @@assign inheritance value operator and a string value.
Example Backup Policy:
{
  "plans": {
    "My_Backup_Plan": {
      "regions": {
        "@@assign": [
          "ap-northeast-2",
          "us-east-1",
          "eu-north-1"
        ]
      },
      "rules": {
        "Hourly": {
          "schedule_expression": { "@@assign": "cron(0 5/1 ? * * *)" },
          "start_backup_window_minutes": { "@@assign": "480" },
          "complete_backup_window_minutes": { "@@assign": "10080" },
          "lifecycle": {
            "move_to_cold_storage_after_days": { "@@assign": "180" },
            "delete_after_days": { "@@assign": "270" }
          },
          "target_backup_vault_name": { "@@assign": "FortKnox" },
          "copy_actions": {
            "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" },
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "30" },
                "delete_after_days": { "@@assign": "120" }
              }
            },
            "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault": {
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault" },
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "30" },
                "delete_after_days": { "@@assign": "120" }
              }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "datatype": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
            "tag_key": { "@@assign": "dataType" },
            "tag_value": { "@@assign": [ "PII", "RED" ] }
          }
        }
      },
      "advanced_backup_settings": {
        "ec2": {
          "windows_vss": { "@@assign": "enabled" }
        }
      }
    }
  }
}
If no other policies are inherited or attached to the accounts, the effective policy rendered in each applicable AWS account looks like the following example. The CRON expression causes the backup to run once an hour on the hour. The account ID 123456789012 will be the actual account ID for each account.
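The key mapping listed above is easy to get wrong by hand, and the lifecycle numbers in a policy are only validated once AWS Backup tries to run the plan. The following Python is an added example, not code from this post or from AWS: it takes one plan from an effective policy (with or without the @@assign wrappers), maps the policy keys onto the AWS Backup plan key names, substitutes the $account variable the way AWS Backup does, and flags a lifecycle whose retention is shorter than the 90 days AWS Backup requires a recovery point to stay in cold storage. The sample plan is constructed here and modeled on the example above; its "Weekly" rule is deliberately wrong so the check has something to report.

```python
"""Added example (not from the CloudAffaire post or from AWS): translate one plan of
an effective Organizations backup policy into AWS Backup's own key names, substitute
$account, and flag lifecycle settings that AWS Backup would reject."""
import json

ACCOUNT_ID = "123456789012"  # placeholder account ID, as in the post's effective-policy text

# Policy key -> AWS Backup plan key (the mapping listed in the post).
RULE_KEYS = {
    "schedule_expression": "ScheduleExpression",
    "target_backup_vault_name": "TargetBackupVaultName",
    "start_backup_window_minutes": "StartWindowMinutes",
    "complete_backup_window_minutes": "CompletionWindowMinutes",
    "enable_continuous_backup": "EnableContinuousBackup",
}
LIFECYCLE_KEYS = {
    "move_to_cold_storage_after_days": "MoveToColdStorageAfterDays",
    "delete_after_days": "DeleteAfterDays",
}
MINUTE_KEYS = {"StartWindowMinutes", "CompletionWindowMinutes"}
# AWS Backup keeps a recovery point in cold storage for at least 90 days, so the
# retention must exceed the cold-storage transition by at least that much.
COLD_STORAGE_MIN_DAYS = 90


def value_of(node, account_id):
    """Unwrap an @@assign wrapper if present and replace $account like AWS Backup does."""
    value = node["@@assign"] if isinstance(node, dict) and "@@assign" in node else node
    if isinstance(value, str):
        return value.replace("$account", account_id)
    if isinstance(value, list):
        return [value_of(v, account_id) for v in value]
    return value


def lifecycle_of(node, account_id, where, problems):
    """Translate a lifecycle block; record a problem if the retention is too short."""
    out = {aws_key: int(value_of(node[pol_key], account_id))
           for pol_key, aws_key in LIFECYCLE_KEYS.items() if pol_key in node}
    cold = out.get("MoveToColdStorageAfterDays")
    keep = out.get("DeleteAfterDays")
    if cold is not None and keep is not None and keep < cold + COLD_STORAGE_MIN_DAYS:
        problems.append(f"{where}: delete_after_days={keep} must be at least "
                        f"move_to_cold_storage_after_days={cold} + {COLD_STORAGE_MIN_DAYS}")
    return out


def to_backup_plan(plan_name, plan, account_id=ACCOUNT_ID):
    """Return (AWS Backup plan dict, list of lifecycle problems) for one policy plan."""
    problems, rules = [], []
    for rule_name, rule in plan.get("rules", {}).items():
        aws_rule = {"RuleName": rule_name}
        for pol_key, aws_key in RULE_KEYS.items():
            if pol_key in rule:
                value = value_of(rule[pol_key], account_id)
                aws_rule[aws_key] = int(value) if aws_key in MINUTE_KEYS else value
        if "lifecycle" in rule:
            aws_rule["Lifecycle"] = lifecycle_of(rule["lifecycle"], account_id,
                                                 f"{rule_name}.lifecycle", problems)
        copies = []
        for copy_name, copy_action in rule.get("copy_actions", {}).items():
            aws_copy = {"DestinationBackupVaultArn":
                        value_of(copy_action["target_backup_vault_arn"], account_id)}
            if "lifecycle" in copy_action:
                aws_copy["Lifecycle"] = lifecycle_of(copy_action["lifecycle"], account_id,
                                                     f"{rule_name}.copy_actions.{copy_name}", problems)
            copies.append(aws_copy)
        if copies:
            aws_rule["CopyActions"] = copies
        rules.append(aws_rule)
    return {"BackupPlanName": plan_name, "Rules": rules}, problems


# Constructed sample modeled on the post's example plan. The "Weekly" rule is
# deliberately wrong (30-day cold transition, 100-day retention) to exercise the check.
SAMPLE_PLAN = {
    "regions": {"@@assign": ["us-east-1", "eu-north-1"]},
    "rules": {
        "Hourly": {
            "schedule_expression": {"@@assign": "cron(0 5/1 ? * * *)"},
            "start_backup_window_minutes": {"@@assign": "480"},
            "complete_backup_window_minutes": {"@@assign": "10080"},
            "lifecycle": {"move_to_cold_storage_after_days": {"@@assign": "180"},
                          "delete_after_days": {"@@assign": "270"}},
            "target_backup_vault_name": {"@@assign": "FortKnox"},
            "copy_actions": {
                "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": {
                    "target_backup_vault_arn": {"@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"},
                    "lifecycle": {"move_to_cold_storage_after_days": {"@@assign": "30"},
                                  "delete_after_days": {"@@assign": "120"}},
                }
            },
        },
        "Weekly": {
            "schedule_expression": {"@@assign": "cron(0 5 ? * 1 *)"},
            "target_backup_vault_name": {"@@assign": "FortKnox"},
            "lifecycle": {"move_to_cold_storage_after_days": {"@@assign": "30"},
                          "delete_after_days": {"@@assign": "100"}},
        },
    },
}

if __name__ == "__main__":
    aws_plan, issues = to_backup_plan("My_Backup_Plan", SAMPLE_PLAN)
    print(json.dumps(aws_plan, indent=2))
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the JSON that describe-effective-policy returns for a member account (the plan sits under "plans") to see the exact plan AWS Backup will create there, and to catch a retention/cold-storage mismatch before the scheduled job fails rather than after.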
Next, we are going to discuss how to manage AWS Organizations backup policies using the API (through the AWS CLI).
Prerequisite:
An AWS organization with multiple OUs and member accounts. You can refer to the blog post below to create the organization; this post is a continuation of it.
https://cloudaffaire.com/how-to-manage-aws-organization-using-api/
How To Enable Backup Policy In AWS Organization Using AWS CLI
## Get your Root OU ID (the jq filter is quoted so the shell does not glob-expand it)
ROOT_OU_ID=$(aws organizations list-roots \
--profile management | jq -r '.Roots[0].Id') && echo $ROOT_OU_ID

## Enable Backup Policy in organization
aws organizations enable-policy-type \
--root-id $ROOT_OU_ID \
--policy-type BACKUP_POLICY \
--profile management
How To Create A New Backup Policy Using AWS CLI
## Create a new backup policy file
cat <<'EOF' > foundation_backup_policy.json
{
  "plans": {
    "Foundation_Backup_Plan": {
      "regions": {
        "@@assign": [
          "ap-northeast-2",
          "us-east-1",
          "eu-north-1"
        ]
      },
      "rules": {
        "Hourly": {
          "schedule_expression": { "@@assign": "cron(0 5/1 ? * * *)" },
          "start_backup_window_minutes": { "@@assign": "480" },
          "complete_backup_window_minutes": { "@@assign": "10080" },
          "lifecycle": {
            "move_to_cold_storage_after_days": { "@@assign": "180" },
            "delete_after_days": { "@@assign": "270" }
          },
          "target_backup_vault_name": { "@@assign": "FortKnox" },
          "copy_actions": {
            "arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault": {
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "10" },
                "delete_after_days": { "@@assign": "100" }
              },
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault" }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "datatype": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
            "tag_key": { "@@assign": "dataType" },
            "tag_value": { "@@assign": [ "FOUNDATION" ] }
          }
        }
      }
    }
  }
}
EOF

## Create the parent backup policy from the file. This step was missing from the
## original listing; the attach step looks the policy up by the name FoundationBackupPolicy,
## so it must exist under that name (the description text is our own).
aws organizations create-policy \
--content file://foundation_backup_policy.json \
--name FoundationBackupPolicy \
--type BACKUP_POLICY \
--description "Foundation Backup Policy" \
--profile management
How To Attach A Backup Policy To An Organizational Unit Using AWS CLI
## Get "Foundation" OU id (the option is --child-type; the original listing had it split)
FOUNDATION_OU_ID=$(aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id $ROOT_OU_ID \
--profile management | jq -r '.Children[0].Id') && echo $FOUNDATION_OU_ID

## Attach the backup policy to the "Foundation" OU
FOUNDATIONBACKUPPOLICYID=$(aws organizations list-policies \
--filter BACKUP_POLICY \
--query 'Policies[?Name == `FoundationBackupPolicy`].Id' \
--profile management | jq -r '.[0]') &&
aws organizations attach-policy \
--policy-id $FOUNDATIONBACKUPPOLICYID \
--target-id $FOUNDATION_OU_ID \
--profile management

## View where the backup policy is applied
aws organizations list-targets-for-policy \
--policy-id $FOUNDATIONBACKUPPOLICYID \
--profile management
Next, let us explain backup policy inheritance with an example. This time we are going to create a new backup policy that takes monthly backups and attach it to the "Regulatory" OU, which is a child of the "Foundation" OU.
## Create a new backup policy file
cat <<'EOF' > regulatory_backup_policy.json
{
  "plans": {
    "Regulatory_Backup_Plan": {
      "regions": {
        "@@append": [
          "us-east-1",
          "eu-central-1"
        ]
      },
      "rules": {
        "Monthly": {
          "schedule_expression": { "@@assign": "cron(0 5 1 * ? *)" },
          "start_backup_window_minutes": { "@@assign": "480" },
          "complete_backup_window_minutes": { "@@assign": "10080" },
          "lifecycle": {
            "move_to_cold_storage_after_days": { "@@assign": "30" },
            "delete_after_days": { "@@assign": "365" }
          },
          "target_backup_vault_name": { "@@assign": "Default" },
          "copy_actions": {
            "arn:aws:backup:us-east-1:$account:backup-vault:Default": {
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "30" },
                "delete_after_days": { "@@assign": "365" }
              },
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:Default" }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "MonthlyDatatype": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyMonthlyBackupIamRole" },
            "tag_key": { "@@assign": "BackupType" },
            "tag_value": { "@@assign": [ "MONTHLY", "RED", "REGULATORY" ] }
          }
        }
      }
    }
  }
}
EOF

## Create a new child backup policy
aws organizations create-policy \
--content file://regulatory_backup_policy.json \
--name RegulatoryBackupPolicy \
--type BACKUP_POLICY \
--description "Regulatory Backup Policy" \
--profile management

## Get "Regulatory" OU id (the option is --child-type; the original listing had it split)
REGULATORY_OU_ID=$(aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id $FOUNDATION_OU_ID \
--profile management | jq -r '.Children[0].Id') && echo $REGULATORY_OU_ID

## Attach the child backup policy to the "Regulatory" OU
REGULATORYBACKUPPOLICYID=$(aws organizations list-policies \
--filter BACKUP_POLICY \
--profile management \
--query 'Policies[?Name == `RegulatoryBackupPolicy`].Id' | jq -r '.[0]') &&
aws organizations attach-policy \
--policy-id $REGULATORYBACKUPPOLICYID \
--target-id $REGULATORY_OU_ID \
--profile management

## View where the backup policy is applied
aws organizations list-targets-for-policy \
--policy-id $REGULATORYBACKUPPOLICYID \
--profile management

## Check the effective backup policy for an account under the Regulatory OU
REGULATORY_ACCOUNT_ID=$(aws sts get-caller-identity \
--profile member2 | jq -r '.Account') &&
aws organizations describe-effective-policy \
--policy-type BACKUP_POLICY \
--target-id $REGULATORY_ACCOUNT_ID \
--profile management
Observe that the account inside the Regulatory OU has both backup plans in its effective policy: the Foundation plan is inherited from the parent OU and the Regulatory plan comes from the policy attached to the OU itself.
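In the walkthrough above the two plans have different names, so inheritance simply stacks them. The inheritance operators described earlier (@@assign, @@append, @@remove and @@operators_allowed_for_child_policies) only come into play when a child policy touches a setting the parent already defines. The Python below is an added example, not code from this post or from AWS, that simulates that merge so you can predict an account's effective policy before attaching anything: the parent and child policies are constructed here and share one plan name, the parent locks delete_after_days with @@none and restricts regions to @@append, and the child tries each operator. It enforces child control at the level of individual settings and drops duplicates on @@append; both are simplifications of the AWS behaviour, not documented semantics.

```python
"""Added example (not from the CloudAffaire post or from AWS): simulate how a parent
backup policy and a child backup policy merge into an account's effective policy."""
import copy
import json

VALUE_OPS = ("@@assign", "@@append", "@@remove")
CHILD_CONTROL = "@@operators_allowed_for_child_policies"


def is_setting(node):
    """A setting node is a dict carrying at least one value-setting operator."""
    return isinstance(node, dict) and any(op in node for op in VALUE_OPS)


def as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def allowed_ops(parent):
    """Value-setting operators the inherited node lets child policies use (default @@all)."""
    spec = parent.get(CHILD_CONTROL, ["@@all"]) if isinstance(parent, dict) else ["@@all"]
    if "@@all" in spec:
        return set(VALUE_OPS)
    if "@@none" in spec:
        return set()
    return set(spec) & set(VALUE_OPS)


def merge_setting(parent, child, path):
    """Apply the child's operators to the inherited setting, honouring child control."""
    result = copy.deepcopy(parent) if isinstance(parent, dict) else {}
    permitted = allowed_ops(parent)
    for op in VALUE_OPS:
        if op not in child:
            continue
        if op not in permitted:
            raise PermissionError(f"{path}: child policy may not use {op}")
        inherited = as_list(result.get("@@assign"))
        if op == "@@assign":
            result["@@assign"] = copy.deepcopy(child[op])
        elif op == "@@append":  # add values not already inherited (simplification: dedup)
            result["@@assign"] = inherited + [v for v in as_list(child[op]) if v not in inherited]
        else:  # @@remove
            result["@@assign"] = [v for v in inherited if v not in as_list(child[op])]
    if CHILD_CONTROL in child:  # the child may restrict its own children further
        result[CHILD_CONTROL] = list(child[CHILD_CONTROL])
    return result


def merge(parent, child, path="plans"):
    """Merge an inherited policy node with a child node into the effective node."""
    if child is None:
        return copy.deepcopy(parent)
    if is_setting(child):
        return merge_setting(parent, child, path)
    parent = parent if isinstance(parent, dict) else {}
    result = {}
    for key in list(parent) + [k for k in child if k not in parent]:
        if key == CHILD_CONTROL:
            continue
        result[key] = merge(parent.get(key), child.get(key), f"{path}.{key}")
    if CHILD_CONTROL in child or CHILD_CONTROL in parent:
        result[CHILD_CONTROL] = child.get(CHILD_CONTROL, parent.get(CHILD_CONTROL))
    return result


def render(node):
    """Strip the operators, leaving the plain document describe-effective-policy shows."""
    if is_setting(node):
        return copy.deepcopy(node.get("@@assign"))
    if isinstance(node, dict):
        return {k: render(v) for k, v in node.items() if k != CHILD_CONTROL}
    return node


def effective_policy(parent, child):
    return render(merge(parent, child))


def child_may_override(parent, child):
    """True if the child policy uses only operators the parent permits."""
    try:
        merge(parent, child)
        return True
    except PermissionError:
        return False


# Constructed parent policy (modeled on the Foundation policy): regions accept only
# @@append from children, and delete_after_days is locked with @@none.
PARENT_POLICY = {"plans": {"Shared_Backup_Plan": {
    "regions": {"@@assign": ["ap-northeast-2", "us-east-1"], CHILD_CONTROL: ["@@append"]},
    "rules": {"Hourly": {
        "schedule_expression": {"@@assign": "cron(0 5/1 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "FortKnox"},
        "lifecycle": {"delete_after_days": {"@@assign": "270", CHILD_CONTROL: ["@@none"]}},
    }},
    "selections": {"tags": {"datatype": {
        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
        "tag_key": {"@@assign": "dataType"},
        "tag_value": {"@@assign": ["PII", "RED", "FOUNDATION"]},
    }}},
}}}

# Constructed child policy: appends a region, overrides the vault, adds a rule, removes a tag value.
CHILD_POLICY = {"plans": {"Shared_Backup_Plan": {
    "regions": {"@@append": ["eu-central-1", "us-east-1"]},
    "rules": {"Hourly": {"target_backup_vault_name": {"@@assign": "Default"}},
              "Monthly": {"schedule_expression": {"@@assign": "cron(0 5 1 * ? *)"}}},
    "selections": {"tags": {"datatype": {"tag_value": {"@@remove": ["PII"]}}}},
}}}

# Constructed child policy that tries to change the locked retention value.
LOCKED_CHILD = {"plans": {"Shared_Backup_Plan": {"rules": {"Hourly": {
    "lifecycle": {"delete_after_days": {"@@assign": "700"}}}}}}}

if __name__ == "__main__":
    print(json.dumps(effective_policy(PARENT_POLICY, CHILD_POLICY), indent=2))
    print("locked child accepted:", child_may_override(PARENT_POLICY, LOCKED_CHILD))
```

The point for a security team is the last case: once the parent sets "@@operators_allowed_for_child_policies": ["@@none"] on a retention value, a child OU cannot shorten it, which is the mechanism to enforce a minimum retention across the organization. Compare the simulator's output against describe-effective-policy from the management account when you roll out a change.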
How To Update A Backup Policy Using AWS CLI
## Update the child backup policy definition (retention raised from 365 to 700 days)
cat <<'EOF' > regulatory_backup_policy.json
{
  "plans": {
    "Regulatory_Backup_Plan": {
      "regions": {
        "@@append": [
          "us-east-1",
          "eu-central-1"
        ]
      },
      "rules": {
        "Monthly": {
          "schedule_expression": { "@@assign": "cron(0 5 1 * ? *)" },
          "start_backup_window_minutes": { "@@assign": "480" },
          "complete_backup_window_minutes": { "@@assign": "10080" },
          "lifecycle": {
            "move_to_cold_storage_after_days": { "@@assign": "30" },
            "delete_after_days": { "@@assign": "700" }
          },
          "target_backup_vault_name": { "@@assign": "Default" },
          "copy_actions": {
            "arn:aws:backup:us-east-1:$account:backup-vault:Default": {
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "30" },
                "delete_after_days": { "@@assign": "700" }
              },
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:Default" }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "MonthlyDatatype": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyMonthlyBackupIamRole" },
            "tag_key": { "@@assign": "BackupType" },
            "tag_value": { "@@assign": [ "MONTHLY", "RED", "REGULATORY" ] }
          }
        }
      }
    }
  }
}
EOF

## Update child backup policy
aws organizations update-policy \
--policy-id $REGULATORYBACKUPPOLICYID \
--content file://regulatory_backup_policy.json \
--profile management
How To Detach A Backup Policy From An Organizational Unit Using AWS CLI
## Detach child backup policy from Regulatory OU
aws organizations detach-policy \
--policy-id $REGULATORYBACKUPPOLICYID \
--target-id $REGULATORY_OU_ID \
--profile management

## Detach parent backup policy from Foundation OU
aws organizations detach-policy \
--policy-id $FOUNDATIONBACKUPPOLICYID \
--target-id $FOUNDATION_OU_ID \
--profile management
How To Delete A Backup Policy Using AWS CLI
## Delete child backup policy
aws organizations delete-policy \
--policy-id $REGULATORYBACKUPPOLICYID \
--profile management

## Delete parent backup policy
aws organizations delete-policy \
--policy-id $FOUNDATIONBACKUPPOLICYID \
--profile management
I hope you have enjoyed this article. To learn more about AWS Organizations, please refer to the official documentation below:
https://docs.aws.amazon.com/organizations/index.html