AWS Backup — Centrally Manage storage compliance

Amit Singh Rathore
Published in Nerd For Tech
Aug 3, 2020

If you store data in AWS data services such as EBS, EFS, RDS and DynamoDB, you must be using some kind of backup solution to meet your data retention requirements. That needs a robust solution for scheduling (CloudWatch Events), clean-up (lifecycle configuration in S3), a common API abstraction across services (each service has its own snapshot API), high availability and ease of maintenance. I have gone through the pain of setting up such a solution. AWS Backup helps reduce that effort.

Let us see how this service fits into the AWS global infrastructure.

AWS Backup works with EBS and RDS, which are tied to an AZ, while DynamoDB and EFS are regional services. The vault is also a regional resource and can be replicated to a different region, which helps in case of a region failure.

Now let us explore the tier diagram of the service.

Let's create each of the sub-resources using CFN. First we need to create a vault.

Now we add the AccessPolicy, which is similar to an S3 bucket policy or the resource policy used by other services. This decides who can administer and consume the vault.

Here I have added a Deny policy that applies if the caller is not an ADMIN or APP OWNER.

Next we create the backup plan, which holds the schedule of the backups.

Now we create an IAM role which will be assumed by the Backup service.

Finally we associate resources carrying certain tags to be backed up.

Once we deploy this CFN, all volumes, DynamoDB tables, EFS file systems and RDS instances that have the tag key BKP_Identifier with value OU_NAME_APP_BARNCH_BUILD_BKPPLAN will be backed up on the next schedule (next day at 2:30 UTC). Once done you can see the job status in the console.
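The four CFN pieces described above, assembled into one template as an added example (not the author's own template, which was shown as screenshots): the vault with a Deny access policy for everyone except two placeholder roles, the service role, the plan scheduled for 02:30 UTC, and a tag-based selection using the article's tag key and value. The vault name, role ARNs (account 111122223333), plan name and 35-day retention are assumptions.

```yaml
Resources:
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: app-backup-vault
      AccessPolicy:  # vault resource policy, like an S3 bucket policy
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal: '*'
            Action: [backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, backup:PutBackupVaultAccessPolicy, backup:DeleteBackupVault]
            Resource: '*'
            Condition:
              ArnNotLike:  # placeholder role ARNs; substitute your own ADMIN / APP OWNER roles
                aws:PrincipalArn:
                  - arn:aws:iam::111122223333:role/ADMIN
                  - arn:aws:iam::111122223333:role/APP_OWNER
  BackupRole:  # assumed by the Backup service to call each service's snapshot API
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: backup.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: daily-0230-utc
        BackupPlanRule:
          - RuleName: DailyAt0230Utc
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: cron(30 2 * * ? *)  # 02:30 UTC every day
            Lifecycle: { DeleteAfterDays: 35 }      # assumed retention; Backup expires the snapshot
  BackupSelection:  # tag-based selection: any supported resource with this tag is included
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: tagged-resources
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: BKP_Identifier
            ConditionValue: OU_NAME_APP_BARNCH_BUILD_BKPPLAN
```

The Deny only covers the destructive vault actions listed, so read and restore access is governed by the callers' IAM policies; the vault policy is the place to check first if a job fails with an access error.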

From the AWS docs and re:Invent sessions, what we can infer is that AWS Backup uses each service's native capability to build the solution. That is, when it backs up RDS it makes a CreateDBSnapshot API call, and that is why service-specific quotas apply here. One more thing to note: although the snapshots are visible in the respective service console, their lifecycle is managed by Backup and you cannot change it from the service's control plane.

In the API call logs above, all calls are made by the Backup service and all are service-specific control plane calls.

Hope this is useful. Enjoy reading!!

Staff Data Engineer @ Visa — Writes about Cloud | Big Data | ML