How To Create A Backup Vault In AWS Backup
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
A backup vault is a container that stores and organizes your AWS backups. The AWS Backup service comes with a default backup vault, but you may want to create your own custom backup vaults for different backup plans according to your organization's RTO/RPO goals. When you create a new backup vault, you should provide a KMS key for encryption and an access policy for the vault.
How To Create A Backup Vault In AWS Backup:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create a KMS key that will be used to encrypt your backup vault.
```bash
## Create a new KMS key
KMS_KEY_ARN=$(aws kms create-key \
--tags TagKey=Purpose,TagValue=BackupVault \
--description "Used to encrypt backup vault" | jq -r .KeyMetadata.Arn)
```
Step 2: Create a new backup vault in AWS backup.
```bash
## Create a new backup vault
aws backup create-backup-vault \
--backup-vault-name myvault \
--encryption-key-arn $KMS_KEY_ARN \
--backup-vault-tags sla=gold
```
Step 3: Get details on your backup vault.
```bash
## list all available backup vaults
aws backup list-backup-vaults

## Get backup vault details
aws backup describe-backup-vault \
--backup-vault-name myvault
```
Observe that a backup vault named "Default" already exists in AWS Backup: the AWS Backup service comes with a default vault.
Step 4: Create an access policy for backup vault.
```bash
## Create an access policy for backup vault
USER_ARN=$(aws sts get-caller-identity | jq -r .Arn) &&
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
cat << EOF > backup_access_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement ID",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "backup:DeleteRecoveryPoint",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "$USER_ARN",
            "arn:aws:iam::$ACCOUNT_ID:root"
          ]
        }
      }
    }
  ]
}
EOF

## Add the access policy to the vault
aws backup put-backup-vault-access-policy \
--backup-vault-name myvault \
--policy file://backup_access_policy.json

## Get access policy for your vault
aws backup get-backup-vault-access-policy \
--backup-vault-name myvault
```
Note: You can use an access policy like this to manage access to your AWS Backup vault; the policy above denies recovery-point deletion to every principal except the current caller and the account root.
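As an added example (not part of the original article), the small Python evaluator below checks how a vault access policy of the shape shown above treats a given principal and action. The account ID and ARNs are constructed placeholders, and the matcher implements only the `*` and `?` wildcards of IAM's StringNotLike operator, which is all this policy needs.

```python
import fnmatch
import json

# Constructed sample: the same Deny statement the article writes to
# backup_access_policy.json, with placeholder ARNs instead of $USER_ARN/$ACCOUNT_ID.
VAULT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRecoveryPointDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "backup:DeleteRecoveryPoint",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:user/backup-admin",
            "arn:aws:iam::123456789012:root"
          ]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action and condition values.
    return value if isinstance(value, list) else [value]


def _string_not_like_holds(block, context):
    # StringNotLike is satisfied when the context value matches NONE of the
    # patterns for every key. fnmatchcase is case-sensitive, like IAM.
    for key, patterns in block.items():
        actual = context.get(key, "")
        if any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
            return False
    return True


def delete_denied(policy, principal_arn, action="backup:DeleteRecoveryPoint"):
    """True if a Deny statement in the vault policy matches this principal and action."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        not_like = stmt.get("Condition", {}).get("StringNotLike")
        if not_like is not None and not _string_not_like_holds(not_like, context):
            continue  # principal is on the exception list, Deny does not apply
        return True
    return False
```

Run `delete_denied(VAULT_POLICY, "arn:aws:iam::123456789012:user/intern")` to confirm the deny applies to an unlisted principal, and swap in the admin ARN to see it fall through.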
Step 5: Create an EBS volume that will be used to test backup using the newly created backup vault.
```bash
## Create a new ebs volume to test backup
EBS_VOL_ID=$(aws ec2 create-volume \
--volume-type gp2 \
--availability-zone ap-south-1a \
--tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=myebs}]' \
--size 1 | jq -r .VolumeId)
```
Next, we are going to create an IAM role for the AWS Backup service.
Step 6: Create an IAM role for AWS Backup service.
```bash
## Create assume role policy definition
cat <<'EOF'> backup_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
--role-name backup_iam_role \
--assume-role-policy-document file://backup_assume_role_policy.json

## Add AWS managed AWS_backupRole policy to the role
aws iam attach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam attach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

## Get the role ARN
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/backup_iam_role &&
echo $IAM_ROLE_ARN
```
Now we are ready to take a new backup using the backup vault we just created.
Step 7: Take a new backup of the EBS volume using your backup vault.
```bash
## Create a backup of the ebs volume
aws backup start-backup-job \
--backup-vault-name myvault \
--resource-arn arn:aws:ec2:ap-south-1:$ACCOUNT_ID:volume/$EBS_VOL_ID \
--iam-role-arn $IAM_ROLE_ARN \
--start-window-minutes 60 \
--complete-window-minutes 120

## List backup jobs
aws backup list-backup-jobs
```
Note: It will take some time to complete the backup. Check the backup job's State field (in the output of the last command) for the status. When the state is "COMPLETED", your backup is done and a new recovery point has been created for your EBS volume, which can then be restored.
Step 8: Get recovery point details.
```bash
## List recovery point by backup vault
aws backup list-recovery-points-by-backup-vault \
--backup-vault-name myvault \
--by-resource-arn arn:aws:ec2:ap-south-1:$ACCOUNT_ID:volume/$EBS_VOL_ID
```
We have successfully created a new backup vault and also tested the backup vault by taking a new backup of an EBS volume. Next, we are going to delete all the resources created in this demo.
Step 9: Clean up.
```bash
## Delete the recovery point
RECOVERY_POINT_ARN=$(aws backup list-recovery-points-by-backup-vault \
--by-resource-arn arn:aws:ec2:ap-south-1:$ACCOUNT_ID:volume/$EBS_VOL_ID \
--backup-vault-name myvault | jq -r .RecoveryPoints[0].RecoveryPointArn) &&
aws backup delete-recovery-point \
--backup-vault-name myvault \
--recovery-point-arn $RECOVERY_POINT_ARN

## Delete the ebs volume
aws ec2 delete-volume \
--volume-id $EBS_VOL_ID

## Delete the access policy for backup vault
aws backup delete-backup-vault-access-policy \
--backup-vault-name myvault

## Delete the backup vault
aws backup delete-backup-vault \
--backup-vault-name myvault

## Delete the IAM role
aws iam detach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam detach-role-policy \
--role-name backup_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores &&
aws iam delete-role \
--role-name backup_iam_role

## Schedule the KMS key for deletion
aws kms schedule-key-deletion \
--key-id $KMS_KEY_ARN \
--pending-window-in-days 7 #min wait period
```
Hope you have enjoyed this article. To know more about AWS Backup, please refer to the official documentation below:
https://docs.aws.amazon.com/aws-backup/index.html