How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?

Last updated: 2020-05-19

I want to use the AWS Command Line Interface (AWS CLI) to create an AWS Backup plan. Or, I want to use the AWS CLI to run an on-demand job on AWS Backup. How can I do that?

Resolution

Create an AWS Backup plan

Note: The following example AWS Backup plan is set up with a copy job configuration in the backup rule. With this configuration, you create a primary backup vault in the source AWS Region. The primary vault hosts the source recovery points. Then, you create a secondary vault in the destination Region. The secondary vault stores the recovery points that AWS Backup creates as part of the copy configuration in the backup plan.

1.    Run the create-backup-vault command to create a primary vault in the source Region. Then, run the command again to create a secondary vault in the destination Region:

Note: Replace eu-west-1 with your source Region. Then, replace eu-west-2 with your destination Region.

aws backup create-backup-vault --backup-vault-name primary --region eu-west-1

aws backup create-backup-vault --backup-vault-name secondary --region eu-west-2

2.    Create a JSON file with the options and parameters for your backup plan, similar to the following:

{
    "BackupPlanName": "testplan",
    "Rules": [{
        "RuleName": "HalfDayBackups",
        "TargetBackupVaultName": "primary",
        "ScheduleExpression": "cron(0 5/12 ? * * *)",
        "StartWindowMinutes": 480,
        "CompletionWindowMinutes": 10080,
        "Lifecycle": {
            "DeleteAfterDays": 30
        },
        "CopyActions": [{
            "DestinationBackupVaultArn": "arn:aws:backup:eu-west-2:123456789:backup-vault:secondary",
            "Lifecycle": {
                "DeleteAfterDays": 30
            }
        }]
    }]
}

Note: For the ScheduleExpression field, set the value based on the recovery point objective of your organization. For the Lifecycle field, which is optional, you can enter a value based on the retention policy of your backup strategy.

3.    After you create the JSON file, run the create-backup-plan command and pass the JSON file as an input parameter:

aws backup create-backup-plan --backup-plan file://

4.    In the output of the command, note the value for BackupPlanId.

5.    Create a JSON file that sets the parameters for assigning resources to the backup plan, similar to the following:

Note: You can use Amazon Resource Names (ARNs), tags, or both, to specify resources for a backup plan. The following example uses both an ARN and tags.

{
    "SelectionName": "Myselection",
    "IamRoleArn": "arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole",
    "Resources": ["arn:aws:ec2:eu-west-1:123456789:volume/vol-0abcdef1234"],
    "ListOfTags": [{
        "ConditionType": "STRINGEQUALS",
        "ConditionKey": "backup",
        "ConditionValue": "yes"
    }]
}

6.    After you create the JSON file, run the create-backup-selection command and pass the JSON file as an input parameter:

Note: For the value of --backup-plan-id, enter the BackupPlanId that you got in step 4.

aws backup create-backup-selection --backup-plan-id abcd-efgh-ijkl-mnop --backup-selection file://
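The following added example (not part of the original article) chains steps 3 through 6 in one shell function, so that BackupPlanId is read from the create-backup-plan output with --query instead of being copied by hand. The function name and the JSON file paths passed to it are assumptions.

```shell
# Added example: create the plan, capture BackupPlanId, then assign resources.
# Assumptions (not from the article): the function name and the JSON file
# paths supplied by the caller.
# Usage: create_plan_with_selection REGION PLAN_JSON SELECTION_JSON
create_plan_with_selection() {
    local region="$1" plan_file="$2" selection_file="$3"
    local f plan_id selection_id

    # Stop before calling AWS if either input file is unreadable.
    for f in "$plan_file" "$selection_file"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    # Steps 3 and 4: create the plan and keep only BackupPlanId.
    plan_id=$(aws backup create-backup-plan \
        --backup-plan "file://$plan_file" \
        --region "$region" \
        --query BackupPlanId --output text) || return 1

    # The CLI prints "None" when the queried field is absent.
    if [ -z "$plan_id" ] || [ "$plan_id" = "None" ]; then
        echo "create-backup-plan returned no BackupPlanId" >&2
        return 1
    fi

    # Step 6: assign resources to the plan that was just created.
    selection_id=$(aws backup create-backup-selection \
        --backup-plan-id "$plan_id" \
        --backup-selection "file://$selection_file" \
        --region "$region" \
        --query SelectionId --output text) || return 1

    # Print both IDs so the caller can record them.
    echo "$plan_id $selection_id"
}
```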

Run an on-demand job on AWS Backup

To run an on-demand backup job, run the start-backup-job command. The following example command runs a backup job for the resource vol-0abcdef1234:

aws backup start-backup-job --backup-vault-name primary --resource-arn arn:aws:ec2:eu-west-1:123456789:volume/vol-0abcdef1234 --iam-role-arn arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole --idempotency-token 623f13d2-78d2-11ea-bc55-0242ac130003 --start-window-minutes 60 --complete-window-minutes 10080 --lifecycle DeleteAfterDays=30 --region eu-west-1

Note: The preceding command includes a value for --idempotency-token. This value is a unique string that you provide to distinguish between StartBackupJob calls. On a Linux operating system, you can generate a unique identifier by running the uuid command:

uuid -r

To run an on-demand copy job, run the start-copy-job command. The following example command runs a job that copies the recovery point for snap-0abcdaf2247b33dbc from the source vault named primary to a destination vault called secondary:

aws backup start-copy-job --recovery-point-arn arn:aws:ec2:eu-west-1::snapshot/snap-0abcdaf2247b33dbc --source-backup-vault-name primary --destination-backup-vault-arn arn:aws:backup:eu-west-2:123456789:backup-vault:secondary --iam-role-arn arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole --idempotency-token 5aac8974-78d2-11ea-bc55-0242ac130003 --lifecycle DeleteAfterDays=30 --region eu-west-1

To initiate a restore job, run the start-restore-job command. To initiate a restore job for an Amazon Elastic Block Store (Amazon EBS) volume, follow these steps:

1.    Run the get-recovery-point-restore-metadata command on the recovery point that you want to restore:

aws backup get-recovery-point-restore-metadata --backup-vault-name primary --recovery-point-arn arn:aws:ec2:eu-west-1::snapshot/snap-0abcdaf2247b33dbc 

2.    In the output of the command, note the values for volume ID and encryption.

3.    Create a JSON file that sets the parameters for the required --metadata option of the start-restore-job command. For encrypted and volumeId, enter the values that you got in step 2.

{
   "availabilityZone":"eu-west-1a",
   "encrypted":"false",
   "volumeId":"vol-0ck270d4c0b2e44c9",
   "volumeSize":"100",
   "volumeType":"gp2"
}

4.    After you create the JSON file, run the start-restore-job command and pass the JSON file as an input parameter:

aws backup start-restore-job --recovery-point-arn arn:aws:ec2:eu-west-1::snapshot/snap-0abcdaf2247b33dbc --metadata file:// --iam-role-arn arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole --idempotency-token 52e602ce-78d2-11ea-bc55-0242ac130003 --resource-type EBS --region eu-west-1
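The following added example (not part of the original article) covers steps 1 through 3 of the EBS restore: it reads volumeId and encrypted from the recovery point and prints the metadata JSON, so those two values match the recovery point instead of being retyped. The function name is an assumption, and the Availability Zone, size, and type are supplied by the caller.

```shell
# Added example: build the --metadata JSON for an EBS restore.
# Assumption (not from the article): the function name.
# Usage: build_ebs_restore_metadata VAULT RECOVERY_POINT_ARN AZ SIZE TYPE REGION
build_ebs_restore_metadata() {
    local vault="$1" rp_arn="$2" az="$3" size="$4" vtype="$5" region="$6"
    local meta volume_id encrypted

    # Steps 1 and 2: fetch both values in one call (whitespace-separated text).
    meta=$(aws backup get-recovery-point-restore-metadata \
        --backup-vault-name "$vault" \
        --recovery-point-arn "$rp_arn" \
        --region "$region" \
        --query 'RestoreMetadata.[volumeId,encrypted]' --output text) || return 1

    read -r volume_id encrypted <<EOF
$meta
EOF

    # Reject anything that is not a volume ID or a boolean string.
    case "$volume_id" in
        vol-*) ;;
        *) echo "unexpected volumeId: $volume_id" >&2; return 1 ;;
    esac
    case "$encrypted" in
        true|false) ;;
        *) echo "unexpected encrypted value: $encrypted" >&2; return 1 ;;
    esac

    # The size must be a plain integer before it goes into the JSON.
    case "$size" in
        ''|*[!0-9]*) echo "volume size must be an integer" >&2; return 1 ;;
    esac

    # Step 3: emit the metadata document with the same keys the article uses.
    printf '{"availabilityZone":"%s","encrypted":"%s","volumeId":"%s","volumeSize":"%s","volumeType":"%s"}\n' \
        "$az" "$encrypted" "$volume_id" "$size" "$vtype"
}
```

Redirect the output to a file and pass that file to the --metadata option of start-restore-job in step 4.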

To initiate a restore for an Amazon Elastic File System (Amazon EFS), see How do I restore an Amazon EFS file system from an AWS Backup recovery point using the AWS CLI?

