
Automate comprehensive data protection using AWS CloudFormation StackSets

Automating data protection is critical for streamlining security processes, reducing human errors, proactively mitigating potential threats, and ultimately enhancing data security posture and resilience at scale. As customers look for ways to automate and simplify data protection at scale across all AWS accounts, they sometimes use different tools and custom scripts to automate backups of resources, leaving administrators with limited visibility and control.

Even if administrators have access to account data, understanding and correctly modifying existing backup settings across different tools can be difficult and error-prone. A workaround is implementing blanket organization-wide backup policies. However, using this approach duplicates existing backups and can incur significant storage expenses.

In this post, we show you a simpler solution for ensuring data protection without duplicating existing backups on Amazon Elastic Block Store (Amazon EBS), a high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). Using default policies, a new capability in Amazon Data Lifecycle Manager, you can implement account-level policies that create new Amazon EBS-backed Amazon Machine Images (AMIs) for Amazon EC2 instances and/or Amazon EBS Snapshots for EBS volumes only when recent backups don’t already exist. Better yet, default policies don’t produce new Amazon EBS-backed AMIs or snapshots for the targeted resource(s) if your organization currently employs another method for backup creation.

Previously in the Simple and comprehensive data protection with Amazon Data Lifecycle Manager blog post, we showed you a solution that backs up resources running critical workloads for individual AWS Regions and accounts. Now, we extend this data protection capability to all Amazon EC2 instances and Amazon EBS volumes in all Regions and accounts across your organization or organizational unit (OU) using AWS CloudFormation StackSets. Our goal is to help administrators save hours of management overhead while ensuring that all users and teams within the organization comply with minimum backup requirements.

Note: If you prefer to use StackSets with self-managed permissions, or if you want to deploy default policies in multiple Regions and accounts that don’t belong to an organization or OU, see What is Amazon Elastic Block Store?

About this blog post

  • Time to read: ~15 min
  • Time to complete: ~40 min
  • Learning level: Advanced (300)
  • AWS services: Amazon Data Lifecycle Manager, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic Compute Cloud (Amazon EC2), AWS CloudFormation StackSets, AWS Command Line Interface (AWS CLI)

Solution overview

Our solution shows you how to enable and manage Amazon Data Lifecycle Manager default policies in all Regions in a sample organization (named r-ahrb) within your AWS Organizations account management service. In our example, one of the member accounts (named test-8) already has default policies enabled in the us-east-2 Region.

In the walkthrough, you perform the following steps:

  1. Create default policies for the stack set. Using a sample template, you configure multiple options and parameters.
  2. Modify default policies for the stack set by updating the creation frequency of default policies to every two days.
  3. Optionally deploy the CloudFormation template using a CI/CD pipeline.

To clean up your environment, we show you how to delete the default policies for the stack set.

Prerequisites

Before you enable default policies across all AWS accounts and Regions in your organization or OU, first set up the following required permissions for creating your stack set with service-managed permissions:

This permission allows the management account and delegated administrator accounts to create and manage service-managed stack sets for the organization.

Note: To create default policies in Regions created after March 20, 2019, you must enable the Regions in those accounts before you can use stack sets to create default policies. For details, see Performing stack set operations involving regions that are disabled by default.

Walkthrough

Step 1: Create default policies for the stack set

  1. Sign in to your AWS Organizations management account as an administrator.
  2. Navigate to the AWS CloudFormation console.
  3. From the navigation pane, choose StackSets.
  4. At the top of the StackSets page, choose Create StackSet.
  5. Under Permissions, choose Service-managed permissions.
  6. Under Prerequisite – Prepare template, choose Use a sample template.
  7. To enable protection, do one of the following:
    • For Amazon EBS volumes, under Select a sample template, choose Create and manage default policies for EBS Snapshots.
    • For Amazon EC2 instances, in the same menu as the previous step, choose Create and manage default policies for EBS-backed Amazon Machine Images (AMIs).
  8. Choose Next.
  9. On the Specify StackSet details page:
    1. Provide a name and description to help you identify the stack set. In this post, since we’re creating a default policy to protect Amazon EBS snapshots, our stack set is named DLM-default-policy-snapshots with description DLM Default Policy for EBS snapshots.
        Specify StackSet details
    2. In the Parameters section, update the following values:
      • (Recommendation) CreateInterval: For critical workloads, set the value to 1 (daily).
      • (Recommendation) RetainInterval: For critical workloads, set the value to 7 (seven days).
      • Description: Provide a description of the default policy. Our description is Default Policy for EBS Snapshot management – created by CloudFormation.
      • State: Set to ENABLED.
        Parameters
    3. Define optional parameters that govern which volume types to exclude and the Regions to copy the created resources.
    4. (Optional) ExcludeVolumeTypes: If you have accounts that run both critical workloads (for example, they use gp3 and io2 Block Express) and non-critical/test workloads (for example, they use st1), and you don’t need backups of the non-critical workloads, specify values to exclude all st1 volumes.
        Note: To exclude volumes and instances based on tags, create a copy of the stack sets template, add tag(s) of target resources to exclude, and then deploy the custom stack sets template. Default policies don’t back up excluded resources.
    5. Choose Next.
  10. On the Configure StackSet options page:
    1. Add tags to help you identify the stack resources.
    2. In the Execution configuration section, for Managed execution, select Active.
    3. Choose Next.
  11. On the Set deployment options page:
    1. In the Add stacks to stack set section, select Deploy new stacks.
    2. In the Deployment targets section, select either Deploy to Organization or Deploy to organizational units (OUs), depending on your requirements.
    3. In the Auto-deployment options section, set the Automatic deployment option to Activated.
    4. For the Account removal behavior option, select Retain stacks to ensure that default policies continue to create backups even after the account is removed from the OU.
    5. (Recommendation) In the Specify regions section, choose Add all regions to ensure that resources in all AWS Regions in the organization are protected by default policies.
    6. For Deployment options:
      1. For Maximum concurrent accounts, set the value to 10.
      2. For Failure tolerance, set the value to 10. However, if you have 20 accounts in your organization that already have default policies enabled in at least one Region, set the value to a higher number such as 40 so that CloudFormation continues to create default policies in other accounts and Regions. For more information, see Concurrency Mode parameter and Stack set operation options.
      3. For Region concurrency, select Parallel.
      4. For Concurrency mode, select Soft failure tolerance.
        Deployment options
    7. Choose Next.
  12. On the Review page, review your choices, select I acknowledge that AWS CloudFormation might create IAM resources, and choose Submit. AWS CloudFormation may create IAM role(s) to perform actions required by the default policy.

To see the stack set deployment details, open the Operations tab. When the status changes to SUCCEEDED, the default policies are now created in all accounts and Regions. For more information, see StackSets status codes.

To monitor the creation of stack sets across individual accounts and Regions, open the Stack instances tab.

Stack instances tab

As we mentioned earlier, the test-8 account already has default policies enabled in the us-east-2 Region. Therefore, we expect the stack instance to fail for that account and Region, as shown in the following image. However, given that the total number of failures (1) is less than the failure tolerance number (10) that was set earlier, the stack set continues to create default policies in all other accounts and Regions.

Failed stack instance
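The failure-tolerance reasoning above can be checked programmatically instead of by eye in the Stack instances tab. The following is an added example, not code from this post: it reconciles a constructed list-stack-instances result (the field names Account, Region, Status and StackInstanceStatus.DetailedStatus are those of the CloudFormation API; the StatusReason text and account IDs are made up) against the accounts and Regions the stack set should cover, and checks the per-Region failure tolerance.

```python
# Added example (not from the original post): reconcile StackSets stack-instance
# status against the accounts/Regions a default policy should cover. Input is
# shaped like the `Summaries` list from `aws cloudformation list-stack-instances`.
from collections import Counter

# Constructed sample. 333333333333 plays the post's test-8 account: its us-east-2
# instance fails because a default policy already exists there, and it has no
# instance in eu-west-1 (e.g. an opt-in Region not yet enabled in that account).
SAMPLE_SUMMARIES = [
    {"Account": "111111111111", "Region": "us-east-2", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "111111111111", "Region": "eu-west-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "333333333333", "Region": "us-east-2", "Status": "OUTDATED",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"},
     "StatusReason": "constructed: default policy already exists in this Region"},
]

def coverage_report(summaries, expected_accounts, expected_regions):
    """Sort each expected (account, Region) pair into succeeded/failed/missing.

    failed  = instance exists but is not CURRENT or last operation != SUCCEEDED
    missing = no stack instance at all, so the stack set protects nothing there
    """
    seen = {(s["Account"], s["Region"]): s for s in summaries}
    report = {"succeeded": [], "failed": [], "missing": []}
    for account in expected_accounts:
        for region in expected_regions:
            inst = seen.get((account, region))
            if inst is None:
                report["missing"].append((account, region))
            elif (inst["Status"] == "CURRENT"
                  and inst["StackInstanceStatus"]["DetailedStatus"] == "SUCCEEDED"):
                report["succeeded"].append((account, region))
            else:
                report["failed"].append((account, region))
    return report

def within_failure_tolerance(report, failure_tolerance):
    """FailureToleranceCount is applied per Region: CloudFormation stops the
    operation in a Region once more than this many accounts fail there."""
    per_region = Counter(region for _, region in report["failed"])
    return all(n <= failure_tolerance for n in per_region.values())

if __name__ == "__main__":
    rep = coverage_report(SAMPLE_SUMMARIES, ["111111111111", "333333333333"], ["us-east-2", "eu-west-1"])
    print(rep, within_failure_tolerance(rep, 10))
```

A missing pair is the one to act on: a failed instance in test-8 is still protected by its pre-existing policy, but a missing instance means no stack-set policy exists there at all.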

Step 2: Modify default policies for the stack set

Modify default policy settings across multiple AWS Regions and accounts to update the creation frequency of default policies to every two days.

  1. Sign in to your AWS Organizations management account as an administrator.
  2. Navigate to the AWS CloudFormation console.
  3. From the navigation pane, choose StackSets.
  4. Choose the DLM-default-policy-snapshots stack set. In the Organizational unit IDs section, make note of the r-ahrb ID. You will use this ID in a later step to propagate updates.
  5. Choose Actions, Edit StackSet details.
        Edit StackSet details page
  6. On the Choose a template page:
    1. In the Permissions section, leave the Service-managed permissions selection. This option is selected if you previously deployed the stack set in your organization/organizational unit.
    2. In the Prerequisite – Prepare template section, select Use current template.
    3. Choose Next.
  7. On the Specify StackSet details page, in the Parameters section, change the CreateInterval value to 2. Leave all other fields unchanged. Choose Next.
  8. On the Configure StackSet options page, leave all fields unchanged, and choose Next.
  9. In the Set deployment options page:
    1. In the Organizational units (OUs) section, enter r-ahrb. This is the same OU ID that you made note of earlier. This ID ensures that the number of days between consecutive backups (2) is propagated to all accounts in the AWS Regions specified for that OU. If you add another OU, the default policy is also created in the accounts in the new OU.
    2. In the Specify regions section, select Add all regions.
    3. In the Deployment options section, provide the same values that you entered for step 11 earlier in the Step 1: Create default policies for the stack set section. Choose Next.
  10. On the Review page, review your choices, select I acknowledge that AWS CloudFormation might create IAM resources, and choose Submit. AWS CloudFormation may create IAM role(s) to perform actions required by the default policy.

After all stack instances are updated, all accounts and AWS Regions have a default policy with a creation frequency of every two days and a retention period of seven days.

Note: Deploying the stack set updates the default policies in all AWS Regions and accounts in the organization or OU. If you have previously manually modified a specific default policy in a Region or account, the updated stack set will overwrite those manual changes.

(Optional) Step 3: Deploy CloudFormation template using CI/CD pipeline

To deploy or update the StackSets template from this walkthrough using a CI/CD pipeline, follow the instructions in Building a CI/CD pipeline to update an AWS CloudFormation StackSets.

Cleaning up

If you no longer want to apply Amazon Data Lifecycle Manager default policies to all the accounts in your organization or OU, you can use stack sets to delete the policies.

Note: The following procedure deletes all default policies that were created through stack sets, not policies created by other methods. Since our test-8 account already had a default policy in the us-east-2 Region before the stack set was deployed, that policy won’t be deleted after performing the following steps.

  1. (Optional) Update policies to ensure that Data Lifecycle Manager continues to delete all Amazon EBS snapshots and Amazon EBS-backed AMIs after the default policies that created them are deleted. Otherwise, you must manually delete the snapshots and AMIs from your account.
    1. Repeat the steps in the Step 2: Modify default policies for the stack set section with one modification. When you reach the Specify StackSet details page, in the Parameters section, set the ExtendDeletion value to true.
    2. Submit the updated stack set and wait until all instances are updated.
  2. Repeat steps 1-4 in the Step 2: Modify default policies for the stack set section.
  3. Choose Actions, Delete stacks from StackSet.
  4. On the Set deployment options page:
    1. In the Organizational units (OUs) section, enter r-ahrb.
    2. In the Specify regions section, select the Regions where you want to delete the default policies.
    3. In the Deployment options section, clear the Retain stacks option to ensure that the stacks are deleted.
  5. Choose Next and then Submit. After all operations have completed, the default policies in your accounts are deleted.
  6. (Optional) If you don’t need to create default policies with the stack set in the future, delete the stack set:
    1. From the navigation pane, choose StackSets.
    2. Choose the DLM-default-policy-snapshots stack set.
    3. Choose Actions, Delete StackSet.
    4. Choose Delete to confirm the deletion.

Conclusion

In this post, you learned how to use stack sets to create Amazon Data Lifecycle Manager default policies in all AWS Regions and accounts in your organization. Default policies provide comprehensive data protection by regularly backing up your Amazon EC2 instances and/or Amazon EBS volumes, eliminating the need to duplicate resources that may incur storage costs. We hope that this solution offers you peace of mind that you’ve met your data protection requirements with all critical workloads in your organization backed up, regardless of different processes used in individual accounts.

Next steps

Ready to try our solution in your own environment? Delegated administrators can use either the CloudFormation console or the AWS CLI to get started.

If you need a refresher about stack sets, see AWS CloudFormation StackSets for customers managing multiple accounts with AWS organizations. You can also learn more about Data Lifecycle Manager default policies by reading the following resources:

Thank you for reading this blog post. If you have questions or suggestions, leave them in the comments section.

About the authors

Vyassa Baratham

Vyassa is a software development engineer for Amazon EBS. He likes to build robust, maintainable solutions to complex problems. In his spare time, he enjoys cooking, running, skiing, and playing with his cat Poppy.

Rahul Garg

Rahul is a principal product manager with AWS CloudFormation. He has a high level of curiosity, especially around understanding humans, including himself. Rahul is currently reading “Never Split the Difference” and listening to the “Knowledge Project” podcast.

Denton He

Denton is a senior product manager for Amazon EBS and leads the product for automation of EBS features. He is committed to helping users automate and simplify their workload processes running on Amazon EC2 and Amazon EBS, including self-managed databases, streaming workloads, and AI/ML.