35 types
AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.
In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.
This module provides ready-made backup plans (similar to the console experience):
# Daily, weekly and monthly with 5 year retention
plan = AWSCDK::Backup::BackupPlan.daily_weekly_monthly5_year_retention(self, "Plan")
Assigning resources to a plan can be done with add_selection():
plan = nil # AWSCDK::Backup::BackupPlan
vpc = nil # AWSCDK::EC2::VPC
my_table = AWSCDK::DynamoDB::Table.from_table_name(self, "Table", "myTableName")
my_database_instance = AWSCDK::RDS::DatabaseInstance.new(self, "DatabaseInstance", {
engine: AWSCDK::RDS::DatabaseInstanceEngine.mysql({version: AWSCDK::RDS::MysqlEngineVersion.VER_8_0_26}),
vpc: vpc,
})
my_database_cluster = AWSCDK::RDS::DatabaseCluster.new(self, "DatabaseCluster", {
engine: AWSCDK::RDS::DatabaseClusterEngine.aurora_mysql({version: AWSCDK::RDS::AuroraMysqlEngineVersion.VER_2_08_1}),
credentials: AWSCDK::RDS::Credentials.from_generated_secret("clusteradmin"),
instance_props: {
vpc: vpc,
},
})
my_serverless_cluster = AWSCDK::RDS::ServerlessCluster.new(self, "ServerlessCluster", {
engine: AWSCDK::RDS::DatabaseClusterEngine.AURORA_POSTGRESQL,
parameter_group: AWSCDK::RDS::ParameterGroup.from_parameter_group_name(self, "ParameterGroup", "default.aurora-postgresql11"),
vpc: vpc,
})
my_cool_construct = Constructs::Construct.new(self, "MyCoolConstruct")
plan.add_selection("Selection", {
resources: [
AWSCDK::Backup::BackupResource.from_dynamo_db_table(my_table),
AWSCDK::Backup::BackupResource.from_rds_database_instance(my_database_instance),
AWSCDK::Backup::BackupResource.from_rds_database_cluster(my_database_cluster),
AWSCDK::Backup::BackupResource.from_rds_serverless_cluster(my_serverless_cluster),
AWSCDK::Backup::BackupResource.from_tag("stage", "prod"),
AWSCDK::Backup::BackupResource.from_construct(my_cool_construct),
],
})
If not specified, a new IAM role with a managed policy for backup will be
created for the selection. The BackupSelection implements IGrantable.
To disable the plan from assigning the default AWSBackupServiceRolePolicyForBackup backup policy use the disable_default_backup_policy property.
This is useful if you want to avoid granting unnecessary permissions to the role.
plan = nil # AWSCDK::Backup::BackupPlan
role = AWSCDK::IAM::Role.new(self, "BackupRole", {
assumed_by: AWSCDK::IAM::ServicePrincipal.new("backup.amazonaws.com"),
})
# Assign S3-specific backup policy
role.add_managed_policy(AWSCDK::IAM::ManagedPolicy.from_aws_managed_policy_name("AWSBackupServiceRolePolicyForS3Backup"))
plan.add_selection("Selection", {
resources: [
AWSCDK::Backup::BackupResource.from_tag("stage", "prod"),
],
role: role,
disable_default_backup_policy: true,
})
To add rules to a plan, use add_rule():
require 'aws-cdk-lib'
plan = nil # AWSCDK::Backup::BackupPlan
plan.add_rule(AWSCDK::Backup::BackupPlanRule.new({
completion_window: AWSCDK::Duration.hours(2),
start_window: AWSCDK::Duration.hours(1),
schedule_expression: AWSCDK::Events::Schedule.cron({
# Only cron expressions are supported
day: "15",
hour: "3",
minute: "30",
}),
schedule_expression_timezone: AWSCDK::TimeZone.ETC_UTC,
move_to_cold_storage_after: AWSCDK::Duration.days(30),
}))
Continuous backup and point-in-time restores (PITR) can be configured.
Property delete_after defines the retention period for the backup. It is mandatory if PITR is enabled.
If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR.
Property move_to_cold_storage_after must not be specified because PITR does not support this option.
This example defines an AWS Backup rule with PITR and a retention period set to 14 days:
plan = nil # AWSCDK::Backup::BackupPlan
plan.add_rule(AWSCDK::Backup::BackupPlanRule.new({
enable_continuous_backup: true,
delete_after: AWSCDK::Duration.days(14),
}))
Rules can also specify to copy recovery points to another Backup Vault using copy_actions. Copied recovery points can
optionally have move_to_cold_storage_after and delete_after configured.
plan = nil # AWSCDK::Backup::BackupPlan
secondary_vault = nil # AWSCDK::Backup::BackupVault
plan.add_rule(AWSCDK::Backup::BackupPlanRule.new({
copy_actions: [
{
destination_backup_vault: secondary_vault,
move_to_cold_storage_after: AWSCDK::Duration.days(30),
delete_after: AWSCDK::Duration.days(120),
},
],
}))
You can assign your own metadata to the resources that are associated with the rule when restored from backup using recovery_point_tags. Each tag is a key-value pair.
plan = nil # AWSCDK::Backup::BackupPlan
plan.add_rule(AWSCDK::Backup::BackupPlanRule.new({
recovery_point_tags: {
key: "value",
},
}))
Ready-made rules are also available:
plan = nil # AWSCDK::Backup::BackupPlan
plan.add_rule(AWSCDK::Backup::BackupPlanRule.daily)
plan.add_rule(AWSCDK::Backup::BackupPlanRule.weekly)
By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.
my_vault = AWSCDK::Backup::BackupVault.from_backup_vault_name(self, "Vault1", "myVault")
other_vault = AWSCDK::Backup::BackupVault.from_backup_vault_name(self, "Vault2", "otherVault")
plan = AWSCDK::Backup::BackupPlan.daily35_day_retention(self, "Plan", my_vault) # Use `myVault` for all plan rules
plan.add_rule(AWSCDK::Backup::BackupPlanRule.monthly1_year(other_vault))
You can backup
VSS-enabled Windows applications running on Amazon EC2 instances by setting the windows_vss
parameter to true. If the application has VSS writer registered with Windows VSS,
then AWS Backup creates a snapshot that will be consistent for that application.
plan = AWSCDK::Backup::BackupPlan.new(self, "Plan", {
windows_vss: true,
})
In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.
my_key = AWSCDK::KMS::Key.from_key_arn(self, "MyKey", "aaa")
my_topic = AWSCDK::SNS::Topic.from_topic_arn(self, "MyTopic", "bbb")
vault = AWSCDK::Backup::BackupVault.new(self, "Vault", {
encryption_key: my_key,
# Custom encryption key
notification_topic: my_topic,
})
A vault has a default RemovalPolicy set to RETAIN. Note that removing a vault
that contains recovery points will fail.
You can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.
Use the access_policy property to create a backup vault policy:
vault = AWSCDK::Backup::BackupVault.new(self, "Vault", {
access_policy: AWSCDK::IAM::PolicyDocument.new({
statements: [
AWSCDK::IAM::PolicyStatement.new({
effect: AWSCDK::IAM::Effect::DENY,
principals: [AWSCDK::IAM::AnyPrincipal.new],
actions: ["backup:DeleteRecoveryPoint"],
resources: ["*"],
conditions: {
StringNotLike: {
"aws:userId" => [
"user1",
"user2",
],
},
},
}),
],
}),
})
Alternativately statements can be added to the vault policy using add_to_access_policy().
Use the block_recovery_point_deletion property or the block_recovery_point_deletion() method to add
a statement to the vault access policy that prevents recovery point deletions in your vault:
backup_vault = nil # AWSCDK::Backup::BackupVault
AWSCDK::Backup::BackupVault.new(self, "Vault", {
block_recovery_point_deletion: true,
})
backup_vault.block_recovery_point_deletion
By default access is not restricted.
Use the lock_configuration property to enable AWS Backup Vault Lock:
AWSCDK::Backup::BackupVault.new(self, "Vault", {
lock_configuration: {
min_retention: AWSCDK::Duration.days(30),
},
})
To import an existing backup vault into your CDK application, use the BackupVault.fromBackupVaultArn or BackupVault.fromBackupVaultName
static method. Here is an example of giving an IAM Role permission to start a backup job:
imported_vault = AWSCDK::Backup::BackupVault.from_backup_vault_name(self, "Vault", "myVaultName")
role = AWSCDK::IAM::Role.new(self, "Access Role", {assumed_by: AWSCDK::IAM::ServicePrincipal.new("lambda.amazonaws.com")})
imported_vault.grant(role, "backup:StartBackupJob")