AWS Backup — Centrally Manage storage compliance

Amit Singh Rathore
Aug 3, 2020 · 3 min read

If you are storing data in AWS on various data services like EBS, EFS, RDS and DynamoDB, you must be using some kind of backup solution to meet your data retention requirements. Doing this well needs a robust solution for scheduling (CloudWatch Events), clean-up (lifecycle configuration in S3), a common API abstraction across services (each service has its own API for snapshots), high availability and ease of maintenance. I have gone through the pain of setting up such a solution. AWS Backup helps to reduce that effort.

Let us see how this service fits in the AWS global infrastructure.


AWS Backup works with EBS and RDS, which are tied to an Availability Zone, while DynamoDB and EFS are regional services. The vault is also a regional resource, and it can be replicated to a different region, which helps in case of a region failure.

Now let us explore the tier diagram of the service.


Let's create each of the sub-resources using CloudFormation (CFN). First we need to create a Vault.


Now we add the AccessPolicy, which is similar to an S3 bucket policy or the resource policies used by other services. It decides who can administer and consume the vault.

Here I have added a Deny policy if the caller is not an ADMIN or APP OWNER.


Next we will create the backup plan, which holds the schedule of the backups.


Now we will create an IAM role which will be assumed by the Backup service.


Finally we will associate the resources carrying certain tags so that they get backed up.


Once we deploy this CFN template, all volumes, DynamoDB tables, EFS file systems and RDS instances that have the tag key BKP_Identifier with value OU_NAME_APP_BARNCH_BUILD_BKPPLAN will be backed up on the next schedule (the next day at 2:30 UTC). Once done, you can see the job status in the console.


From the AWS docs and re:Invent sessions, what we can infer is that AWS Backup uses the native capability of each service to build the solution. What this means is that, when it backs up RDS, it uses the CreateDBSnapshot API call, and that is why the service-specific quotas apply here. One more thing to note is that although the snapshots are visible in the respective service console, their lifecycle is managed by Backup and you can't change that from the service's own control plane.


In the API call logs captured for this run, all calls are made by the Backup service and all of them are service-specific control plane calls.

Hope this is useful. Enjoy reading!!
