Notes on backup plans in AWS Backup

Posted: | Tags: aws storage til

AWS Backup is a service that helps orchestrate, audit, and restore backups within and across AWS accounts. The contents of this post are my personal notes on backup plans, and do not reflect the views of my employer.

A core component of the AWS Backup service is the backup plan. The AWS documentation describes a backup plan as:

[…] a policy expression that defines when and how you want to back up your AWS resources.

Emphasis added to the quote is my own. Essentially, this policy—which can also be described in JSON—contains one or more rules. These rules specify the backup window, data retention, which vault the recovery points will be stored in, backup frequency and many other parameters. Using multiple rules in a single plan allows you to define different backup frequencies and retention periods, including various copy destinations to other vaults.

Backup plan versions

Each time you update a backup plan’s definition a new version is created. The current version ID is visible through the console and all previous versions can be listed through the CLI using list-backup-plan-versions. This allows you to get some interesting bits of information for each version, such as the date it was created and, for an older version, the date it was deleted.

$ aws backup list-backup-plan-versions --backup-plan-id <backup-plan-id-here>
{
    "BackupPlanVersionsList": [
        {
            "BackupPlanArn": "...",
            "BackupPlanId": "...",
            "CreationDate": "...",
            "VersionId": "...",
            "BackupPlanName": "...",
            "LastExecutionDate": "..."
        },
        ...
    ]
}

With this information you can go back and view older definitions of the backup plan using get-backup-plan, passing in the backup plan ID and version ID.

It is unclear to me at this time how many versions are stored. My oldest backup plan has all seven versions.
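The version history is useful for auditing how a plan changed over time. The following is an added example, not code from the original post or from AWS: it compares the rules of two plan versions and flags changes that reduce protection (shorter retention, a dropped copy destination, a removed rule). It assumes each input is the BackupPlan object that get-backup-plan returns for one version ID; the sample plans, the helper names, and treating a missing DeleteAfterDays as "never expires" are assumptions.

```python
# Constructed sample data: two versions of one plan, shaped like the "BackupPlan"
# object in get-backup-plan output. Names, ARN and values are made up.
DR_VAULT = "arn:aws:backup:us-west-2:111122223333:backup-vault:dr-copy"
OLD_VERSION = {"BackupPlanName": "example-plan", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "primary",
     "ScheduleExpression": "cron(0 5 ? * * *)",
     "Lifecycle": {"DeleteAfterDays": 35},
     "CopyActions": [{"DestinationBackupVaultArn": DR_VAULT}]},
    {"RuleName": "monthly", "TargetBackupVaultName": "primary",
     "ScheduleExpression": "cron(0 5 1 * ? *)",
     "Lifecycle": {"DeleteAfterDays": 365}}]}
NEW_VERSION = {"BackupPlanName": "example-plan", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "primary",
     "ScheduleExpression": "cron(0 5 ? * * *)",
     "Lifecycle": {"DeleteAfterDays": 7}}]}

def summarize(rule):
    """Reduce a rule to the fields that decide where backups go and how long they live."""
    return {
        "vault": rule.get("TargetBackupVaultName"),
        "schedule": rule.get("ScheduleExpression"),
        # Assumption: no DeleteAfterDays is treated as "never expires" (None).
        "delete_after_days": (rule.get("Lifecycle") or {}).get("DeleteAfterDays"),
        "copy_targets": sorted(c["DestinationBackupVaultArn"]
                               for c in rule.get("CopyActions") or []),
    }

def weakened(field, before, after):
    """True when a change reduces protection; other changes are only reported."""
    if field == "delete_after_days":
        return after is not None and (before is None or after < before)
    if field == "copy_targets":
        return not set(before) <= set(after)  # a copy destination was dropped
    return False

def diff_versions(old_plan, new_plan):
    """Return (rule, field, old, new, weakened) for every difference between versions."""
    old = {r["RuleName"]: summarize(r) for r in old_plan["Rules"]}
    new = {r["RuleName"]: summarize(r) for r in new_plan["Rules"]}
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old or name not in new:
            removed = name not in new
            findings.append((name, "rule", "present" if removed else "absent",
                             "removed" if removed else "added", removed))
            continue
        findings += [(name, f, old[name][f], new[name][f], weakened(f, old[name][f], new[name][f]))
                     for f in old[name] if old[name][f] != new[name][f]]
    return findings
```

Vault and schedule changes are reported with the weakened flag unset, since whether they reduce protection depends on the environment and needs a human look.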

Resources assignment

Once a backup plan is created you can then proceed to tell AWS Backup which AWS resources to target with the plan. If you’re viewing this through the console this is under a section called Resource assignments, and if you’re viewing these options from the CLI or CloudFormation this is called resource selection. Not sure why the different names; this can be confusing at first. These resource assignments/selections are not part of the backup plan definition but rather an attachment to the plan and so do not affect the plan versions.

These assignments can target specific resource types, like EC2 or DynamoDB, and offer granular filtering through tags. You can also specify an IAM role to use when creating recovery points for the selected resource. Once defined, an assignment cannot be edited; a new one will have to be created.

Finally, much like backup plans a resource selection can also be defined using JSON.

