AWS Backup Policy With Examples

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed AWS service control policies (SCPs).

https://cloudaffaire.com/aws-service-control-policy-scp-with-examples/

In this blog post, we will discuss AWS backup policies with examples. A backup policy helps you standardize and implement a backup strategy for the resources across all of the accounts in your organization. In a backup policy, you configure and deploy backup plans for those resources.

Elements Of Backup Policy:

The bulk of a backup policy is the backup plan and its rules. The syntax for the backup plan within an AWS Organizations backup policy is structurally identical to the syntax used by AWS Backup, but the key names are different.

  • $account variables: In certain text strings in the policies, you can use the $account variable to represent the current AWS account. When AWS Backup runs a plan in the effective policy, it automatically replaces this variable with the current AWS account in which the effective policy and its plans are running.
  • Inheritance operators: Inheritance operators control how inherited policies and account policies merge into the account’s effective policy. These operators include value-setting operators and child control operators.
    • Value-setting operators: You can use the following value-setting operators to control how your policy interacts with its parent policies:
      • @@assign: Overwrites any inherited policy settings with the specified settings. If the specified setting isn’t inherited, this operator adds it to the effective policy.
      • @@append: Adds the specified settings (without removing any) to the inherited ones. If the specified setting isn’t inherited, this operator adds it to the effective policy.
      • @@remove: Removes the specified inherited settings from the effective policy, if they exist.
    • Child control operators: Using child control operators is optional. You can use the @@operators_allowed_for_child_policies operator to control which value-setting operators child policies can use. You can allow all operators, some specific operators, or no operators. By default, all operators (@@all) are allowed.
      • "@@operators_allowed_for_child_policies":["@@all"]: Child OUs and accounts can use any operator in policies. By default, all operators are allowed in child policies.
      • "@@operators_allowed_for_child_policies":["@@assign", "@@append", "@@remove"]: Child OUs and accounts can use only the specified operators in child policies. You can specify one or more value-setting operators in this child control operator.
      • "@@operators_allowed_for_child_policies":["@@none"]: Child OUs and accounts can't use operators in policies. You can use this operator to effectively lock in the values that are defined in a parent policy so that child policies can't add, append, or remove those values.
  • plans: The top-level key of the policy is plans. A backup policy must always start with this fixed key name at the top of the policy file. You can have one or more backup plans under this key. Each plan can contain the following elements:
    • rules: This key contains a collection of rules. Each rule translates to a scheduled task, with a start time and window in which to back up the resources identified by the selections and regions elements in the effective backup policy. The value of the rule key is the following collection of rule elements:
      • schedule_expression: This policy key maps to the ScheduleExpression key in an AWS Backup plan.
      • target_backup_vault_name: This policy key maps to the TargetBackupVaultName key in an AWS Backup plan.
      • start_backup_window_minutes: This policy key maps to the StartWindowMinutes key in an AWS Backup plan.
      • complete_backup_window_minutes: This policy key maps to the CompletionWindowMinutes key in an AWS Backup plan.
      • enable_continuous_backup: This policy key maps to the EnableContinuousBackup key in an AWS Backup plan.
      • lifecycle: This policy key maps to the Lifecycle key in an AWS Backup plan.
        • move_to_cold_storage_after_days: This policy key maps to the MoveToColdStorageAfterDays key in an AWS Backup plan.
        • delete_after_days: This policy key maps to the DeleteAfterDays key in an AWS Backup plan.
      • copy_actions: This policy key maps to the CopyActions key in an AWS Backup plan.
        • target_backup_vault_arn: This policy key maps to the DestinationBackupVaultArn key in an AWS Backup plan.
        • lifecycle: This policy key maps to the Lifecycle key under the CopyAction key in an AWS Backup plan.
          • move_to_cold_storage_after_days: This policy key maps to the MoveToColdStorageAfterDays key in an AWS Backup plan.
          • delete_after_days: This policy key maps to the DeleteAfterDays key in an AWS Backup plan.
      • recovery_point_tags: This policy key maps to the RecoveryPointTags key in an AWS Backup plan.
    • regions: This key contains an array of AWS Regions whose resources can be backed up by this policy.
    • selections: The selections policy key specifies the resources that are backed up by the plan rules in this policy. This key roughly corresponds to the BackupSelection object in AWS Backup.
      • tags: Specifies the tags that identify the resources, and the IAM role that has permission to both query the resources and back them up. This key’s value contains one or more of the following elements:
        • iam_role_arn: Specifies the IAM role that has permission to access the resources identified by the tag query in the AWS Regions specified by the regions key.
        • tag_key: Specifies the tag key name to search for. This key contains the @@assign inheritance value operator and a string value. The value is case sensitive.
        • tag_value: Specifies the value that must be associated with a key name that matches tag_key. AWS Backup includes the resource in the backup only if both the tag_key and tag_value match.
  • advanced_backup_settings: Specifies settings for specific backup scenarios. This key contains one or more settings. Each setting is a JSON object string with the following elements:
    • Object key name: A string that specifies the type of resource to which the following advanced settings apply.
    • Object value: A JSON object string that contains one or more backup settings specific to the associated resource type.
  • backup_plan_tags: Specifies tags that are attached to the backup plan itself. This does not impact the tags specified in any rules or selections.
    • tag_key: Specifies the tag key name to attach to the backup plan. This key contains the @@assign inheritance value operator and a string value.
    • tag_value: Specifies the value that is attached to the backup plan and associated with the tag_key. This key contains the @@assign inheritance value operator and a string value.

Example Backup Policy:

If no other policies are inherited or attached to the accounts, the effective policy rendered in each applicable AWS account looks like the following example. The CRON expression causes the backup to run once an hour, on the hour. Where the example shows account ID 123456789012, the actual ID of each account is substituted.

Next, we are going to discuss how to manage AWS organization backup policy using API.

Prerequisite:

An AWS Organization created with multiple OUs and member accounts. You can refer to the blog post below to create the organization; this post is a continuation of it.

https://cloudaffaire.com/how-to-manage-aws-organization-using-api/

How To Enable Backup Policy In AWS Organization Using AWS CLI

How To Create A New Backup Policy Using AWS CLI

How To Attach A Backup Policy To An Organizational Unit Using AWS CLI

Next, let us explain backup policy inheritance with an example. This time we are going to create a new backup policy that takes monthly backups and attach it to the "Regulatory" OU.

Observe that the account inside the Regulatory OU has both backup policies in its effective policy, due to policy inheritance.
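The merge described above (a root policy carrying the hourly plan from the example section, plus a monthly plan attached to the Regulatory OU), as an added Python illustration that is not part of this post or of AWS's own implementation: it folds policies root to OU to account, applying @@assign, @@append, @@remove and @@operators_allowed_for_child_policies, then substitutes $account. The policies, plan names, vault names and the role ARN are constructed samples.

```python
# Added illustration, not AWS's code: fold backup policies root -> OU -> account per this page's inheritance rules, then substitute $account.
import copy
import json

VALUE_OPS = ("@@assign", "@@append", "@@remove")
CHILD_CTRL = "@@operators_allowed_for_child_policies"

def apply_policy(effective, raw, allowed, path=()):
    """Merge one raw policy node onto the effective node; `allowed` maps key path -> operators a parent permits there."""
    eff = copy.deepcopy(effective) if effective is not None else {}
    permitted = allowed.get(path, ("@@all",))
    for op in (o for o in VALUE_OPS if o in raw):
        if "@@all" not in permitted and op not in permitted:
            raise ValueError(f"{op} at /{'/'.join(path)} is blocked by a parent policy")
        val, base = raw[op], eff if isinstance(eff, list) else []
        if op == "@@assign":      # overwrite the inherited value (or add it if not inherited)
            eff = copy.deepcopy(val)
        elif op == "@@append":    # add to the inherited list without removing anything
            eff = base + [v for v in val if v not in base]
        else:                     # @@remove: drop the listed inherited values, if present
            eff = [v for v in base if v not in val]
    if CHILD_CTRL in raw:         # this node restricts which operators child policies may use here
        allowed[path] = tuple(raw[CHILD_CTRL])
    for key, sub in raw.items():  # recurse into nested policy keys (plans, rules, selections, ...)
        if not key.startswith("@@"):
            eff = eff if isinstance(eff, dict) else {}
            eff[key] = apply_policy(eff.get(key), sub, allowed, path + (key,))
    return eff

def effective_policy(policies, account_id):  # policies ordered root -> OU -> account
    eff, allowed = {}, {}
    for raw in policies:
        eff = apply_policy(eff, raw, allowed)
    return json.loads(json.dumps(eff).replace("$account", account_id))

ROOT_HOURLY = {"plans": {"hourly_plan": {          # constructed root policy; vault name locked for children
    "rules": {"hourly": {"schedule_expression": {"@@assign": "cron(0 * ? * * *)"},
                         "target_backup_vault_name": {"@@assign": "Default", CHILD_CTRL: ["@@none"]},
                         "lifecycle": {"delete_after_days": {"@@assign": "7"}}}},
    "regions": {"@@assign": ["us-east-1"]},
    "selections": {"tags": {"tagged": {
        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/AWSBackupDefaultServiceRole"},
        "tag_key": {"@@assign": "backup"}, "tag_value": {"@@assign": ["true"]}}}}}}}
REGULATORY_MONTHLY = {"plans": {"monthly_plan": {  # constructed policy attached to the Regulatory OU
    "rules": {"monthly": {"schedule_expression": {"@@assign": "cron(0 5 1 * ? *)"},
                          "target_backup_vault_name": {"@@assign": "Regulatory_Vault"}}},
    "regions": {"@@assign": ["us-east-1", "eu-west-1"]}}}}
ACCOUNT_OVERRIDE = {"plans": {"hourly_plan": {"rules": {"hourly": {  # blocked by the root's @@none
    "target_backup_vault_name": {"@@assign": "Rogue_Vault"}}}}}}
```

Calling effective_policy([ROOT_HOURLY, REGULATORY_MONTHLY], "123456789012") renders both plans with the $account placeholder filled in, while adding ACCOUNT_OVERRIDE to the chain raises ValueError because the root locked the vault name with @@none.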

How To Update A Backup Policy Using AWS CLI

How To Detach A Backup Policy From An Organizational Unit Using AWS CLI

How To Delete A Backup Policy Using AWS CLI

Hope you have enjoyed this article. To know more about AWS Organizations, please refer to the official documentation below:

https://docs.aws.amazon.com/organizations/index.html