@anorth848
Last active August 13, 2021 19:55
Example AWS Backup CloudFormation template including IAM and SNS resources

Example AWS Backup CloudFormation template

  • Creates an SNS topic that sends events to the email address given in the NotificationEmail parameter
  • Creates an IAM role with the permissions AWS Backup needs, which the service assumes
  • Creates all AWS Backup related resources (vault, plan and selection)
    • Parameter ResourceArns is a CommaDelimitedList of the resource ARNs to back up
    • e.g. '"arn:aws:rds:us-east-1:12345678901:db:foo-bar,arn:aws:dynamodb:us-east-1:12345678901:table/FooBar"'

Parameters/Capabilities

{
    "Parameters": [
        {
            "ParameterKey": "NotificationEmail",
            "Type": "String",
            "NoEcho": false
        },
        {
            "ParameterKey": "ResourceArns",
            "Type": "CommaDelimitedList",
            "NoEcho": false
        }
    ],
    "Description": "Sample AWS Backup cloudformation template including IAM and SNS resources",
    "Capabilities": [
        "CAPABILITY_IAM"
    ],
    "CapabilitiesReason": "The following resource(s) require capabilities: [AWS::IAM::Role]"
}

Configuration and usage

Configuration

  • Update the ScheduleExpression: "cron(00 04 * * ?)" to reflect the schedule you want (GMT timezone)
    • If you need backups to run at different times, add multiple rules to BackupPlanRule
  • Resource attributes currently set to AWS::NoValue (vault access policy, encryption key, copy actions, windows, cold storage) will need an explicit decision before a production deployment; update them as needed
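A pre-deployment check for the configuration points above, added here as an example and not part of the gist: it lists the properties still set to AWS::NoValue, fails a production gate when AccessPolicy or CopyActions are among them, and validates a rule's Lifecycle against AWS Backup's cold-storage constraint. The embedded template excerpt is constructed, and the 7-day retention floor is this example's own policy choice, not an AWS limit.

```python
import re

# Constructed excerpt of the template's vault and rule properties (in practice,
# read awsbackup.yaml from disk); it mirrors the AWS::NoValue lines in the template.
TEMPLATE_EXCERPT = """\
      AccessPolicy: !Ref "AWS::NoValue"
      BackupVaultName: "database-backup-vault"
      EncryptionKeyArn: !Ref "AWS::NoValue"
          CompletionWindowMinutes: !Ref "AWS::NoValue"
          Lifecycle:
            DeleteAfterDays: 7
            MoveToColdStorageAfterDays: !Ref "AWS::NoValue"
          StartWindowMinutes: !Ref "AWS::NoValue"
        CopyActions: !Ref "AWS::NoValue"
"""

# Properties a production deployment should set explicitly: a vault with no
# AccessPolicy has no vault-level guard against recovery point deletion, and
# no CopyActions means every recovery point lives in one vault in one region.
PRODUCTION_REQUIRED = {"AccessPolicy", "CopyActions"}

NOVALUE_RE = re.compile(r'^\s*([A-Za-z]+):\s*!Ref\s+"AWS::NoValue"\s*$')
INT_PROP_RE = re.compile(r'^\s*([A-Za-z]+):\s*(\d+)\s*$')

def find_novalue_properties(template_text):
    """Return the property names still set to AWS::NoValue, in file order."""
    return [m.group(1) for line in template_text.splitlines()
            if (m := NOVALUE_RE.match(line))]

def check_lifecycle(delete_after_days, move_to_cold_after_days=None, min_retention_days=7):
    """AWS Backup requires DeleteAfterDays >= MoveToColdStorageAfterDays + 90 when
    cold storage is used; the retention floor is this example's own policy knob."""
    problems = []
    if delete_after_days < min_retention_days:
        problems.append(f"DeleteAfterDays={delete_after_days} is below the "
                        f"{min_retention_days}-day retention floor")
    if move_to_cold_after_days is not None and delete_after_days < move_to_cold_after_days + 90:
        problems.append("DeleteAfterDays must be >= MoveToColdStorageAfterDays + 90")
    return problems

def production_gate(template_text, required=PRODUCTION_REQUIRED):
    """Return the blockers for a production deployment (empty list = OK)."""
    unset = set(find_novalue_properties(template_text))
    problems = [f"{name} is still AWS::NoValue" for name in sorted(unset & set(required))]
    ints = {m.group(1): int(m.group(2)) for line in template_text.splitlines()
            if (m := INT_PROP_RE.match(line))}
    if "DeleteAfterDays" in ints:
        problems += check_lifecycle(ints["DeleteAfterDays"], ints.get("MoveToColdStorageAfterDays"))
    return problems
```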

Usage

Example usage to configure AWS Backup for a DynamoDB table and an RDS instance (replace <notification-email> with the address that should receive job notifications):

aws cloudformation create-stack \
  --stack-name my-backup-stack \
  --parameters ParameterKey=NotificationEmail,ParameterValue=<notification-email> \
               ParameterKey=ResourceArns,ParameterValue='"arn:aws:rds:us-east-1:12345678901:db:foo-bar,arn:aws:dynamodb:us-east-1:12345678901:table/FooBar"' \
  --template-body file://awsbackup.yaml \
  --capabilities CAPABILITY_NAMED_IAM
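The two parameter values checked locally before running create-stack, as an added example that is not part of the gist: validate_email applies the template's own AllowedPattern, and validate_resource_arns splits the CommaDelimitedList value and confirms each ARN is well formed and belongs to the account and region the stack is deployed in, since a backup selection only covers resources in its plan's account and region. It assumes regional, account-scoped ARNs like the RDS and DynamoDB ones in the usage line; the sample values are constructed with a placeholder 12-digit account id.

```python
import re

# AllowedPattern for NotificationEmail, copied from the template's Parameters section.
EMAIL_RE = re.compile(r'(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)')
# arn:partition:service:region:account:resource; the resource part may itself contain ':'
ARN_RE = re.compile(r'^arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):(\d*):(.+)$')

def validate_email(value):
    """Mirror the template's AllowedPattern so a bad address fails before create-stack."""
    return EMAIL_RE.match(value) is not None

def parse_arn(arn):
    """Split an ARN into its components, raising ValueError on malformed input."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid ARN: {arn!r}")
    partition, service, region, account, resource = m.groups()
    if len(account) != 12:
        raise ValueError(f"account id must be 12 digits: {arn!r}")
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}

def validate_resource_arns(csv_value, account, region):
    """Check the ResourceArns CommaDelimitedList value against the deploying
    account and region: a backup selection only covers resources in the same
    account and region as its backup plan, so any other ARN is a misconfiguration."""
    problems = []
    arns = [a.strip() for a in csv_value.strip('"').split(",") if a.strip()]
    if not arns:
        problems.append("ResourceArns is empty: nothing would be backed up")
    for arn in arns:
        try:
            parsed = parse_arn(arn)
        except ValueError as err:
            problems.append(str(err))
            continue
        if parsed["account"] != account:
            problems.append(f"{arn}: account differs from deploying account {account}")
        if parsed["region"] != region:
            problems.append(f"{arn}: region differs from deploying region {region}")
    return problems

# Constructed sample inputs (the account id is a placeholder).
SAMPLE_EMAIL = "backup-alerts@example.com"
SAMPLE_ARNS = ('"arn:aws:rds:us-east-1:123456789012:db:foo-bar,'
               'arn:aws:dynamodb:us-east-1:123456789012:table/FooBar"')
```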

awsbackup.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: Example AWS Backup resources including IAM and SNS
Parameters:
  NotificationEmail:
    Type: String
    AllowedPattern: '(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)'
    Description: "Email address for notification on job completions"
  ResourceArns:
    Type: CommaDelimitedList
    Description: "Comma delimited string of resource ARNs to backup"
Resources:
  SnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: AWS Backup topic
      Tags:
        - Key: use-case
          Value: aws-backup
  SnsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: MyTopicPolicy
        Version: '2012-10-17'
        Statement:
          - Sid: My-statement-id
            Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SnsTopic
      Topics:
        - !Ref SnsTopic
  SnsSubscriptionEmail:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref SnsTopic
  BackupIamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "backup.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }
      Description: "Role for use by AWS Backup"
      # NOTE: rather than using the AWS provided managed policies, consider creating your own policies with POLP
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      # Configure AccessPolicy resource policy for the vault based on access requirements: https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html
      AccessPolicy: !Ref "AWS::NoValue"
      BackupVaultName: "database-backup-vault"
      BackupVaultTags:
        "vault-contents": "databases"
      # If you have specific encryption requirements, update that here, otherwise AWS Backup will use AWS Managed CMK aws/backup
      EncryptionKeyArn: !Ref "AWS::NoValue"
      Notifications:
        BackupVaultEvents: [ BACKUP_JOB_STARTED, BACKUP_JOB_COMPLETED ]
        SNSTopicArn: !Ref SnsTopic
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        # Configure any advanced backup settings here
        AdvancedBackupSettings: !Ref "AWS::NoValue"
        BackupPlanName: database-backup-plan
        BackupPlanRule:
          - RuleName: database-backup-plan-rule
            # if the backup needs to complete within a specific window, set that here
            CompletionWindowMinutes: !Ref "AWS::NoValue"
            # Customize lifecycle based on retention requirements
            Lifecycle:
              DeleteAfterDays: 7
              MoveToColdStorageAfterDays: !Ref "AWS::NoValue"
            # Enable continuous backup if PITR is required based on RPO/RTO
            EnableContinuousBackup: False
            RecoveryPointTags:
              "plan-type": "databases"
            # 8 am GMT every day, update for your use case
            ScheduleExpression: "cron(00 08 * * ?)"
            StartWindowMinutes: !Ref "AWS::NoValue"
            TargetBackupVault: !Ref BackupVault
            # If you would like to copy the backup to an additional vault, EG: in another region, do that in CopyActions
            CopyActions: !Ref "AWS::NoValue"
  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !GetAtt BackupPlan.BackupPlanId
      BackupSelection:
        SelectionName: 'database-backup-selection'
        IamRoleArn: !GetAtt BackupIamRole.Arn
        Resources: !Ref ResourceArns

MIT License
Copyright (c) [year] [fullname]
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.