How to take backup of AWS Elastic File System (EFS) using AWS Backup Service?
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
Today we will discuss how to take ad-hoc or scheduled backups of AWS EFS using the AWS Backup service.
Prerequisites:
AWS CLI installed and configured, and jq installed (the commands below use it to parse the CLI's JSON output).
Step 1: Create a KMS key that will be used to encrypt your backups.
```bash
## Create a new KMS key
KMS_KEY_ARN=$(aws kms create-key \
  --tags TagKey=Purpose,TagValue=BackupVault \
  --description "Used to encrypt backup vault" | jq -r .KeyMetadata.Arn)
```
Step 2: Create a backup vault where the backup will be stored.
```bash
## Create a new backup vault
aws backup create-backup-vault \
  --backup-vault-name myvault \
  --encryption-key-arn $KMS_KEY_ARN \
  --backup-vault-tags sla=gold

## Create an access policy for backup vault
USER_ARN=$(aws sts get-caller-identity | jq -r .Arn) &&
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
cat << EOF > backup_access_policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement ID",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "backup:DeleteRecoveryPoint",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "$USER_ARN",
                        "arn:aws:iam::$ACCOUNT_ID:root"
                    ]
                }
            }
        }
    ]
}
EOF

## Add the access policy to the vault
aws backup put-backup-vault-access-policy \
  --backup-vault-name myvault \
  --policy file://backup_access_policy.json
```
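The Deny statement above exempts only principals whose `aws:PrincipalArn` matches one of the listed values. The following Python sketch is an added example, not part of the original article: it evaluates that condition offline to show who can still delete recovery points. The account ID, user and role names are constructed, and the role is assumed to have no IAM path, because the session ARN returned by `sts get-caller-identity` does not carry it.

```python
import re

ACCOUNT_ID = "111122223333"  # constructed placeholder account


def vault_policy(caller_arn, account_id=ACCOUNT_ID):
    """Rebuild the Step 2 policy with caller_arn in place of $USER_ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "statement ID", "Effect": "Deny", "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint", "Resource": "*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": [
            caller_arn, f"arn:aws:iam::{account_id}:root"]}}}]}


def principal_arn(caller_arn):
    """Value of aws:PrincipalArn for an ARN from `sts get-caller-identity`.

    For an assumed-role session the key holds the role ARN, not the session
    ARN. Assumption: the role has no path (the session ARN does not carry it).
    """
    m = re.fullmatch(r"arn:([\w-]+):sts::(\d{12}):assumed-role/([^/]+)/.+", caller_arn)
    return f"arn:{m[1]}:iam::{m[2]}:role/{m[3]}" if m else caller_arn


def like(value, pattern):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None


def delete_denied(policy, caller_arn):
    """True if a Deny in the policy applies to DeleteRecoveryPoint by caller."""
    arn = principal_arn(caller_arn)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "backup:DeleteRecoveryPoint" not in actions:
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn")
        # No condition: the Deny is unconditional. Otherwise StringNotLike is
        # true only when the key matches none of the listed values.
        if patterns is None or not any(like(arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    user = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"
    session = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/Admin/alice"
    print(delete_denied(vault_policy(user), user))        # IAM user who ran Step 2
    print(delete_denied(vault_policy(session), session))  # role session that ran Step 2
    print(delete_denied(vault_policy(principal_arn(session)), session))  # role ARN listed
```

When Step 2 is run from an assumed-role session, `$USER_ARN` is the session ARN and the Deny also covers the caller; listing the role ARN in the policy instead keeps that role exempt.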
Step 3: Create a new IAM role that will be used by AWS Backup service to take the backup.
```bash
## Create assume role policy definition
cat <<'EOF'> backup_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
  --role-name backup_iam_role \
  --assume-role-policy-document file://backup_assume_role_policy.json

## Add AWS managed AWS_backupRole policy to the role
aws iam attach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam attach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

## Get the role ARN
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/backup_iam_role &&
echo $IAM_ROLE_ARN
```
Step 4: Create a new EFS file share.
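```bash
## Create a EFS fileshare
## (--no-encrypted creates the file system without encryption at rest,
##  --no-backup leaves EFS automatic backups off)
aws efs create-file-system \
  --performance-mode generalPurpose \
  --throughput-mode bursting \
  --no-encrypted \
  --no-backup \
  --availability-zone-name ap-south-1a \
  --tags Key=Name,Value=myfilesystem

## Get the EFS file storage ARN
## (takes the first file system returned, so this assumes it is the only one in the region)
EFS_ARN=$(aws efs describe-file-systems | jq -r '.FileSystems[0].FileSystemArn')
```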
Step 5: Take an ad-hoc (on demand) backup of AWS EFS using AWS Backup service.
```bash
## Create a backup of the efs file share
aws backup start-backup-job \
  --backup-vault-name myvault \
  --resource-arn $EFS_ARN \
  --iam-role-arn $IAM_ROLE_ARN \
  --start-window-minutes 60 \
  --complete-window-minutes 120

## List backup jobs
aws backup list-backup-jobs

## Once the "State": "COMPLETED"
## List recovery point by backup vault
aws backup list-recovery-points-by-backup-vault \
  --backup-vault-name myvault \
  --by-resource-arn $EFS_ARN

## Get protected resource details
PROTECTED_RESOURCE_ARN=$(aws backup list-protected-resources | jq -r '.Results[0].ResourceArn') &&
aws backup describe-protected-resource \
  --resource-arn $PROTECTED_RESOURCE_ARN

## Get recovery point details
RECOVERY_POINT_ARN=$(aws backup list-recovery-points-by-backup-vault \
  --backup-vault-name myvault \
  --by-resource-arn $EFS_ARN | jq -r '.RecoveryPoints[0].RecoveryPointArn') &&
aws backup describe-recovery-point \
  --backup-vault-name myvault \
  --recovery-point-arn $RECOVERY_POINT_ARN
```
You can also take the ad-hoc backup directly from the AWS management console.
Step 6: Create a backup plan for EFS in AWS Backup service.
```bash
## Create a new backup plan definition
cat << EOF > backup_plan.json
{
    "BackupPlanName": "mybackupplan",
    "Rules": [
        {
            "RuleName": "DailyBackups",
            "TargetBackupVaultName": "myvault",
            "ScheduleExpression": "cron(0 5 ? * * *)",
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 1400,
            "CopyActions": [],
            "EnableContinuousBackup": false,
            "Lifecycle": {
                "DeleteAfterDays": 7
            }
        }
    ]
}
EOF

## Create a new backup plan
aws backup create-backup-plan \
  --backup-plan file://backup_plan.json

## Get backup plan details
BACKUP_PLAN_ID=$(aws backup list-backup-plans | jq -r '.BackupPlansList[0].BackupPlanId') &&
aws backup get-backup-plan \
  --backup-plan-id $BACKUP_PLAN_ID

## Create a backup selection definition
cat << EOF > backup_selection.json
{
    "SelectionName": "mybackupselection",
    "IamRoleArn": "$IAM_ROLE_ARN",
    "Resources": ["$EFS_ARN"],
    "ListOfTags": [
        {
            "ConditionType": "STRINGEQUALS",
            "ConditionKey": "Backup",
            "ConditionValue": "Daily"
        }
    ]
}
EOF

## Create a backup selection for your backup plan
aws backup create-backup-selection \
  --backup-plan-id $BACKUP_PLAN_ID \
  --backup-selection file://backup_selection.json

## Get details on the backup selection
BACKUP_SELECTION_ID=$(aws backup list-backup-selections \
  --backup-plan-id $BACKUP_PLAN_ID | jq -r '.BackupSelectionsList[0].SelectionId') &&
aws backup get-backup-selection \
  --backup-plan-id $BACKUP_PLAN_ID \
  --selection-id $BACKUP_SELECTION_ID

## Add a tag to EFS
EFS_FILES_SYSTEM_ID=$(aws efs describe-file-systems | jq -r '.FileSystems[0].FileSystemId') &&
aws efs tag-resource \
  --resource-id $EFS_FILES_SYSTEM_ID \
  --tags Key=Backup,Value="Daily"

## Wait for the backup to run (05:00 AM UTC)
```
You can also create the backup plan and backup selection from the AWS management console.
Step 7: Clean up
```bash
## Delete the backup selection
aws backup delete-backup-selection \
  --backup-plan-id $BACKUP_PLAN_ID \
  --selection-id $BACKUP_SELECTION_ID

## Delete the backup plan
aws backup delete-backup-plan \
  --backup-plan-id $BACKUP_PLAN_ID

## Delete the recovery point
aws backup delete-recovery-point \
  --backup-vault-name myvault \
  --recovery-point-arn $RECOVERY_POINT_ARN

## Delete the access policy for backup vault
aws backup delete-backup-vault-access-policy \
  --backup-vault-name myvault

## Delete the backup vault
aws backup delete-backup-vault \
  --backup-vault-name myvault

## Delete the IAM role
aws iam detach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam detach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores &&
aws iam delete-role \
  --role-name backup_iam_role

## Delete the efs
## (uses the file system ID captured earlier in EFS_FILES_SYSTEM_ID)
aws efs delete-file-system \
  --file-system-id $EFS_FILES_SYSTEM_ID
```
Hope you have enjoyed this article. For more details on AWS EFS, please refer to the documentation below.
https://docs.aws.amazon.com/efs/index.html