How can I manage my AWS Backup settings using AWS CloudFormation templates?

Last updated: 2019-10-28

I want to use AWS Backup to back up my data from other AWS resources. Additionally, I want to use an AWS CloudFormation template to manage my AWS Backup configurations. How can I do that?

Short Description

You can create CloudFormation templates using the supported AWS Backup resource types. Example CloudFormation templates that you can create for AWS Backup include:

  • A template to create a backup plan and assign a resource to the backup plan.
  • A template to create a backup plan, create a backup vault, and assign a resource to the backup plan.

Resolution

Important: Your backup plan must specify the tag that assigns resources to the backup plan. Before you set the backup plan, decide on the tag. Then, verify that the tag is assigned to the correct resources and is written correctly in the backup plan.
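A tag-based selection with STRINGEQUALS only covers resources whose tag key and value match exactly (both are case-sensitive), so a misspelled tag leaves a resource out of the plan without any error. The following Python check is an added example, not part of the original article or of any AWS tool: it compares a constructed inventory of resource tags against the selection condition used in the first template on this page and flags near-miss spellings. The inventory, the ARNs and the function names are assumptions made for illustration.

```python
import re

# Selection condition copied from the first template on this page.
SELECTION = {"ConditionType": "STRINGEQUALS", "ConditionKey": "backupplan",
             "ConditionValue": "dsi-sandbox-daily"}

# Constructed inventory (ARN -> tags); in practice, export this from your tagging tooling.
_PREFIX = "arn:aws:ec2:us-east-1:111122223333:volume/"
INVENTORY = {
    _PREFIX + "vol-example1": {"backupplan": "dsi-sandbox-daily"},  # correct
    _PREFIX + "vol-example2": {"BackupPlan": "dsi-sandbox-daily"},  # key case differs
    _PREFIX + "vol-example3": {"backupplan": "DSI-Sandbox-Daily"},  # value case differs
    _PREFIX + "vol-example4": {"backupplan": "dsi_sandbox_daily"},  # underscore typo
    _PREFIX + "vol-example5": {"team": "payments"},                 # no backup tag
}

def _fold(text):
    """Lower-case and drop separators so look-alike spellings compare equal."""
    return re.sub(r"[\s_\-]+", "", text).lower()

def classify(tags, cond):
    """Return 'covered', 'near-miss' or 'unmatched' for one resource's tags."""
    if cond["ConditionType"] != "STRINGEQUALS":
        raise ValueError("this example only handles STRINGEQUALS")
    key, value = cond["ConditionKey"], cond["ConditionValue"]
    if tags.get(key) == value:  # exact, case-sensitive match
        return "covered"
    for k, v in tags.items():
        # Same tag after folding case and separators: almost certainly a typo.
        if _fold(k) == _fold(key) and _fold(v) == _fold(value):
            return "near-miss"
    return "unmatched"

def audit(inventory, cond):
    """Group every ARN in the inventory by its classification."""
    report = {"covered": [], "near-miss": [], "unmatched": []}
    for arn, tags in sorted(inventory.items()):
        report[classify(tags, cond)].append(arn)
    return report

if __name__ == "__main__":
    for status, arns in audit(INVENTORY, SELECTION).items():
        print(status)
        for arn in arns:
            print("   " + arn)
```

Resources reported as near-miss are the ones to retag before relying on the plan; unmatched resources should be reviewed to confirm that they are intentionally excluded.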

Template to create a backup plan and assign a resource to the backup plan

The following example CloudFormation template in YAML does the following:

  • Creates a backup plan named BackupPlanWithThinBackups.
  • Sets backups to be stored in the vault named Default.
  • Creates a backup rule named RuleForDailyBackups that's scheduled to run a daily backup at 11:25AM (cron(25 11 ? * * *)).
  • Sets the lifecycle of the backups to be deleted seven days after they're created.
  • Uses the AWS Identity and Access Management (IAM) role named AWSBackupDefaultServiceRole to run the backup job.
  • Assigns the backup plan to all resources that are tagged with the key backupplan and the value dsi-sandbox-daily.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Backup Plan template to back up all resources tagged with backupplan=dsi-sandbox-daily at 11:25am
  UTC.
Resources:
  BackupPlanWithThinBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithThinBackups"
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: Default
            ScheduleExpression: "cron(25 11 ? * * *)"
            Lifecycle:
              DeleteAfterDays: 7
  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole"
        ListOfTags:
         -
           ConditionType: "STRINGEQUALS"
           ConditionKey: "backupplan"
           ConditionValue: "dsi-sandbox-daily"
      BackupPlanId: !Ref BackupPlanWithThinBackups
    DependsOn: BackupPlanWithThinBackups

Template to create a backup plan, create a backup vault, and assign a resource to the backup plan

The following example CloudFormation template in YAML does the following:

  • Creates a backup vault named BackupVaultWithThinBackups.
  • Creates a backup plan named BackupPlanWithThinBackups.
  • Sets backups to be stored in the vault BackupVaultWithThinBackups.
  • Creates a backup rule named RuleForDailyBackups that's scheduled to run a daily backup at 11:25AM (cron(25 11 ? * * *)). These backups are set to be deleted seven days after they're created.
  • Creates a backup rule named RuleForWeeklyBackups that's scheduled to run a weekly backup every Monday at 11:00AM (cron(0 11 ? * 2 *)). These backups are set to be deleted 28 days after they're created.
  • Creates a backup rule named RuleForMonthlyBackups that's scheduled to run a backup on the first day of every month at 11:00AM (cron(0 11 1 * ? *)). These backups are set to be deleted 90 days after they're created.
  • Uses the IAM role named AWSBackupDefaultServiceRole to run the backup job.
  • Assigns the backup plan to all resources that are tagged with the key backup and the value thinbackup.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Backup Plan template for thin backups"
Resources:
  BackupVaultWithThinBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithThinBackups"

  BackupPlanWithThinBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithThinBackups"
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(25 11 ? * * *)"
            Lifecycle:
              DeleteAfterDays: 7
          -
            RuleName: "RuleForWeeklyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(0 11 ? * 2 *)"
            Lifecycle:
              DeleteAfterDays: 28
          -
            RuleName: "RuleForMonthlyBackups"
            TargetBackupVault: !Ref BackupVaultWithThinBackups
            ScheduleExpression: "cron(0 11 1 * ? *)"
            Lifecycle:
              DeleteAfterDays: 90
    DependsOn: BackupVaultWithThinBackups

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole"
        ListOfTags:
         -
           ConditionType: "STRINGEQUALS"
           ConditionKey: "backup"
           ConditionValue: "thinbackup"
      BackupPlanId: !Ref BackupPlanWithThinBackups
    DependsOn: BackupPlanWithThinBackups 
