

# Backup plans
<a name="about-backup-plans"></a>

In AWS Backup, a *backup plan* is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements. By default, backup windows are optimized by AWS Backup. You can customize the backup window in the console or programmatically.

AWS Backup efficiently stores your periodic backups incrementally. The first backup of an AWS resource backs up a full copy of your data. For each successive incremental backup, only the changes to your AWS resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs.

AWS Backup also seamlessly manages your backup plan's lifecycle based on your retention settings, which allows you to restore when needed.

The following sections provide the basics of managing your backup strategy in AWS Backup.

**Topics**
+ [Create a backup plan](creating-a-backup-plan.md)
+ [Understanding backup plan summary](understanding-backup-plan-summaries.md)
+ [Select AWS services to back up](assigning-resources.md)

# Create a backup plan
<a name="creating-a-backup-plan"></a>

You can create a backup plan using the AWS Backup console, API, CLI, SDK, or an AWS CloudFormation template.

**Topics**
+ [Create backup plans using the AWS Backup console](#create-backup-plan-console)
+ [Create backup plans using the AWS CLI](#create-backup-plan-cli)
+ [Backup plan options and configuration](plan-options-and-configuration.md)
+ [CloudFormation templates for backup plans](plan-cfn.md)
+ [Delete a backup plan](deleting-a-backup-plan.md)
+ [Update a backup plan](updating-a-backup-plan.md)

## Create backup plans using the AWS Backup console
<a name="create-backup-plan-console"></a>

Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup). From the dashboard, choose **Manage Backup plans**. Or, in the navigation pane, choose **Backup plans** and then choose **Create Backup plan**.

**Start options**

You have three choices for your new backup plan:
+ Create a backup plan based on an existing plan
+ Build a new plan
+ [Create a backup plan using the AWS CLI](#create-backup-plan-cli)

In this procedure, we build a new plan. Each part of the configuration links to an expanded section further down the page where you can find more detail.

1. Enter a plan name in **[Backup plan name](plan-options-and-configuration.md#plan-name)**. You can't change the name of a plan after it is created.

   If you try to create a backup plan that is identical to an existing plan, you receive an `AlreadyExistsException` error.

1. Optionally, you can add tags to your backup plan.

1. **Backup rule configuration:** In the backup rule configuration section, you will set the backup schedule, window, and lifecycle.

1. **Schedule:**

   1. Enter a **backup rule name** in the text field.

   1. In the backup vault menu, choose **Default** or choose **Create new Backup vault** to create a vault.

   1. In the backup frequency menu, choose how often you want this plan to create a backup.

1. **Backup window:**

   1. **Start time** defaults to 12:30 AM (00:30 in 24hr time) in your system’s local timezone.

   1. **Start within** defaults to 8 hours. You can change this to specify a window of time for the backup to start.

   1. **Complete within** defaults to 7 days. Ensure that there is enough time for the backup to complete even if the job starts at the end of the start window.

1. **[Continuous backups and point-in-time recovery (PITR)](point-in-time-recovery.md):** You can select **Enable continuous backups for point-in-time recovery (PITR)**. To verify which resources are supported for this type of backup, see the [Feature availability by resource](backup-feature-availability.md#features-by-resource) matrix.

1. **Lifecycle**

   1. **Cold storage:** Select this box to let eligible resource types transition to cold storage according to the timetable you specify in the total retention period. To use cold storage, you must have a total retention period of 90 days or greater. Note that some services support incremental backups, and for incremental backups you must have at least one warm full backup. AWS Backup recommends that you set your lifecycle settings to not move your backup to cold storage until after at least 8 days. If the full backup is transitioned to cold storage too soon (for example, after 1 day), AWS Backup will create another warm full backup.

   1. **Cold storage for Amazon EBS** is [Amazon EBS Snapshots Archive](https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-archive.html). Snapshots transitioned to the archive storage tier are displayed in the console as cold tier. If cold storage is enabled and your backup frequency is monthly or less often, you can have your backup plan transition EBS snapshots to the archive tier.

   1. The **total retention period** is the number of days that you store your resource in AWS Backup. It is the total number of days of warm storage plus cold storage.

1. (*Optional*) You can opt in to have a backup index created with each periodic backup of a supported resource type (continuous backups will have daily indexes created). Only recovery points (backups) that have an associated index can be included in a [backup search](backup-search.md).

   For example, each time your backup plan creates an S3 backup, you can have a backup index for that backup created, also. This will allow that particular backup to be included in a future search.

   Place a check next to the resource type(s) for which you want to have indexes created.

1. (*Optional*) Enable malware scanning to automatically scan backups after they are created. When configuring malware protection, specify which resource types to scan (Amazon EC2, Amazon EBS, Amazon S3, or all supported resources) and the scanning types (full or incremental). Malware scanning applies only to your selected resource types. For example, if your backup plan includes both Amazon S3 and Amazon EC2 resources, but you enable malware scanning only for Amazon EC2, the service will scan only your EC2 backups. For each backup rule, you can configure which scanning type to use. The schedule of the backup rule will determine how frequently the scanning type takes place.
**Important**  
Before enabling malware protection, ensure your backup role and scanner role have the required permissions. For more information, see [the permissions documentation](https://docs.aws.amazon.com/aws-backup/latest/devguide/malware-protection.html#malware-access). 

1. (*Optional*) Use **Copy to destination** to create a cross-Region copy of eligible resources if you want to store a copy of a backup in a different AWS Region.

1. (*Optional*) **Tags added to recovery points:** The tags you list here are added to each backup when it is created.

1. When all sections are set to your specifications, choose **Save Backup rule**.

## Create backup plans using the AWS CLI
<a name="create-backup-plan-cli"></a>

You can also define your backup plan in a JSON document and provide it using the AWS Backup console or AWS CLI. The following JSON document contains a sample backup plan that creates a daily backup at 1:00 Pacific time (the local time adjusts to daylight, standard, or summer time conditions if applicable), with the default 8-hour start window (480 minutes) and 7-day completion window (10,080 minutes), and creates a backup index for each S3 backup. It automatically deletes a backup after one year.

```
{
  "BackupPlan":{
    "BackupPlanName":"test-plan",
    "Rules":[
      {
        "RuleName":"test-rule",
        "TargetBackupVaultName":"test-vault",
        "ScheduleExpression":"cron(0 1 ? * * *)",
        "ScheduleExpressionTimezone":"America/Los_Angeles",
        "StartWindowMinutes":480,
        "CompletionWindowMinutes":10080,
        "IndexActions":[
          {
            "ResourceTypes":["S3"]
          }
        ],
        "Lifecycle":{
          "DeleteAfterDays":365
        }
      }
    ]
  }
}
```

You can store your JSON document with a name you choose. The following CLI command shows [create-backup-plan](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/create-backup-plan.html) with a JSON named `test-backup-plan.json`:

```
aws backup create-backup-plan --cli-input-json file://PATH-TO-FILE/test-backup-plan.json
```

Note that while some systems number the days of the week from 0 to 6, we number them from 1 to 7. For more information, see [Cron and rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html). For more information about timezones, see [TimeZone](https://docs.aws.amazon.com/location/latest/APIReference/API_TimeZone.html) in the *Amazon Location Service API reference*.

# Backup plan options and configuration
<a name="plan-options-and-configuration"></a>

When you define a backup plan in the AWS Backup console, you configure the following options:

## Backup plan name
<a name="plan-name"></a>

You must provide a name for your backup plan. Names are limited to 50 characters, including alphanumeric characters, dashes, underscores, and periods.

## Backup rules
<a name="backup-rules"></a>

Backup plans are composed of one or more backup rules. To add backup rules to a backup plan, or to edit existing rules in a backup plan:

1. From the AWS Backup console, in the left navigation pane, choose **Backup plans**.

1. Under **Backup plan name**, select a backup plan.

1. Under the **Backup rules** section:
   + To add a backup rule, choose **Add backup rule**.
   + To edit an existing backup rule, select a rule, then choose **Edit**.

**Note**  
If you have a backup plan with multiple rules and the time frames of the two rules overlap, AWS Backup optimizes the backup and takes a backup for the rule with the longer retention time. The optimization takes into account the full start window, not just when the daily backup is taken. 

Each backup rule consists of the following elements.

### Backup rule name
<a name="rule-name"></a>

Backup rule names are case sensitive. They must contain from 1 to 50 alphanumeric characters or hyphens.

### Backup frequency
<a name="backup-frequency"></a>

The backup frequency determines how often AWS Backup creates a snapshot backup. Using the console, you can choose a frequency of every hour, 12 hours, daily, weekly, or monthly, or you can enter a cron expression. Whether you use the console or the AWS CLI, snapshot backups can be scheduled as frequently as hourly.

If you select weekly, you can specify which days of the week you want backups to be taken. If you select monthly, you can choose a specific day of the month.

You can also check the **Enable continuous backups for supported resources** checkbox to create a point-in-time restore (PITR)-enabled continuous backup rule. Unlike snapshot backups, continuous backups allow you to perform point-in-time restore. To learn more about continuous backups, see [Point-in-Time Recovery](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html).

### Backup window
<a name="backup-window"></a>

Backup windows consist of the time that the backup window begins and the duration of the window in hours. Backup jobs are started within this window. The default settings in the console are:
+ **12:30 AM** local to your system’s timezone (0:30 in 24-hour systems)
+ **Start within** 8 hours
+ **Complete within** 7 days (the **complete within** parameter does not apply to Amazon FSx resources)

You can customize the backup frequency and backup window start time using a cron expression. To see the six fields of AWS cron expressions, see [Cron and rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) in the *Amazon EventBridge User Guide*. Two examples of AWS cron expressions are `15 * ? * * *` (take a backup every hour at 15 minutes past the hour) and `0 12 * * ? *` (take a backup every day at 12 noon UTC). For a table of examples, click the preceding link and scroll down the page.

AWS Backup evaluates cron expressions between 00:00 and 23:59. If you create a backup rule for "every 12 hours" but provide a start time of later than 11:59, it will only run once per day.

Backup plans in a timezone that observes daylight saving time might be affected by the time shift forward. You can switch to UTC or create a manual backup on the day that time shifts forward. For more information, see [Daylight saving time on EventBridge Scheduler](https://docs.aws.amazon.com/scheduler/latest/UserGuide/schedule-types.html#daylist-savings-time).

Continuous backups and point-in-time restore (PITR) reference the changes recorded over a period of time; therefore, they cannot be scheduled with a time or cron expression.

In general, AWS database services cannot start backups 1 hour before or during their maintenance window and Amazon FSx cannot start backups 3 hours before or during their maintenance window or automatic backup window (Amazon Aurora is exempt from this maintenance window restriction). Snapshot backups scheduled during those times will fail. An exception occurs when you opt in to using AWS Backup for both snapshot and continuous backups for a supported service. AWS Backup will schedule backup windows automatically to avoid conflicts. See [Point-in-Time Recovery](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html) for a list of supported services and instructions on how to use AWS Backup to take continuous backups.

### Overlapping backup rules
<a name="overlapping-backup-rules"></a>

On occasion, a backup plan might contain multiple, overlapping rules. When the start windows of different rules overlap, AWS Backup retains the backup under the rule with the longer retention period. For example, consider a backup plan with two rules:

1. Back up hourly, with a 1-hour start window, and retain for 1 day.

1. Back up every 12 hours, with an 8-hour start window, and retain for 1 week.

After 24 hours, the second rule creates two backups (because it has the longer retention period). The first rule creates eight backups (because the second rule's 8-hour start window prevented more hourly backups from running). Specifically:


| During this Start Window | This Rule Creates 1 Backup | 
| --- | --- | 
| Midnight to 8AM | 12 hours | 
| 8 to 9 | Hourly | 
| 9 to 10 | Hourly | 
| 10 to 11 | Hourly | 
| 11 to Noon | Hourly | 
| Noon to 8PM | 12 hours | 
| 8 to 9 | Hourly | 
| 9 to 10 | Hourly | 
| 10 to 11 | Hourly | 
| 11 to Midnight | Hourly | 

During the start window, the backup job status remains in `CREATED` status until it has successfully begun or until the start window time has run out. If within the start window time AWS Backup receives an error that allows the job to be retried, AWS Backup will automatically retry to begin the job at least every 10 minutes until the backup successfully begins (the job status changes to `RUNNING`) or until the job status changes to `EXPIRED` (which is expected to occur when the start window time is over).
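To make the table concrete, the following Python script (added here; it is not part of the AWS documentation) simulates one day of the two-rule plan above under the rule this section states: a scheduled job is skipped when its start window overlaps the start window of a job from a rule with a longer retention period. The `start_hour` field also models the once-per-day behaviour noted earlier for an "every 12 hours" rule whose first run is after 11:59.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One backup rule, reduced to what the overlap optimization looks at."""
    name: str
    every_hours: int          # frequency: 1 = hourly, 12 = every 12 hours
    start_window_hours: int   # "Start within" value
    retention_days: int       # "Total retention period"
    start_hour: int = 0       # hour of day of the first scheduled job


def scheduled_hours(rule: Rule) -> list:
    """Hours of the day at which the rule's schedule fires.

    AWS Backup only evaluates the schedule between 00:00 and 23:59, so an
    'every 12 hours' rule whose first run is after 11:59 fires once per day.
    """
    return list(range(rule.start_hour, 24, rule.every_hours))


def simulate_day(rules: list) -> list:
    """Return sorted (hour, rule name) pairs for the backups created in one day.

    A scheduled job is skipped when its start window overlaps the start
    window of a job from a rule with a strictly longer retention period.
    """
    jobs = [
        (hour, hour + rule.start_window_hours, rule)
        for rule in rules
        for hour in scheduled_hours(rule)
    ]
    kept = []
    for start, end, rule in jobs:
        shadowed = any(
            other.retention_days > rule.retention_days
            and start < other_end
            and other_start < end
            for other_start, other_end, other in jobs
        )
        if not shadowed:
            kept.append((start, rule.name))
    return sorted(kept)


def count_by_rule(backups: list) -> dict:
    """Number of backups each rule actually produced."""
    counts = {}
    for _hour, name in backups:
        counts[name] = counts.get(name, 0) + 1
    return counts


# The two rules from the example above (constructed input).
EXAMPLE_RULES = [
    Rule("hourly", every_hours=1, start_window_hours=1, retention_days=1),
    Rule("every-12-hours", every_hours=12, start_window_hours=8, retention_days=7),
]

if __name__ == "__main__":
    for hour, name in simulate_day(EXAMPLE_RULES):
        print(f"{hour:02d}:00  {name}")
    print(count_by_rule(simulate_day(EXAMPLE_RULES)))  # {'every-12-hours': 2, 'hourly': 8}
```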

### Lifecycle and storage tiers
<a name="backup-lifecycle"></a>

Backups are stored for the number of days you specify, known as the backup *lifecycle*. Backups can be restored until the end of their lifecycle.

This is set as the **total retention period** in the lifecycle section of backup rule configuration in the AWS Backup console.

If you use the AWS CLI, this is set using the parameter [Lifecycle](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html). The retention period for snapshots can range between 1 day and 100 years (or indefinitely if you don't enter one), while the retention period for continuous backups can range from 1 day to 35 days. The creation date of a backup is the date the backup job started, not the date it completed. If your backup job doesn't complete on the same date it started, use the date on which it began to help calculate retention periods.

Backups are maintained in a storage tier. Each tier incurs a different cost for storage and for restore, as outlined by [AWS Backup pricing](https://aws.amazon.com/backup/pricing/). Every backup is created and is stored in warm storage. Depending on how long you choose to store your backup, you may wish to transition your backup to a lower-cost tier called cold storage. [Feature availability by resource](backup-feature-availability.md#features-by-resource) displays which resources have this optional feature.



------
#### [ Console ]

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Create or edit a backup plan.

1. In the lifecycle section of backup rule configuration, check the box **Move backups from warm to cold storage**.

1. (*optional*) If Amazon EBS is one of the resources you back up and your backup frequency is monthly or less frequent, you can transition them to cold tier using EBS snapshot archival.

1. Input a value (in days) that you want your backups to remain in warm storage. AWS Backup recommends at least 8 days.

1. Input a value (in days) for the total retention period. The difference between total retention period and time in warm storage will be the amount of days the backups remain in cold storage.

------
#### [ AWS CLI ]

1. Use [create-backup-plan](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/create-backup-plan.html) or [update-backup-plan](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/update-backup-plan.html).

1. Include the Boolean parameter [OptInToArchiveForSupportedResources](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html) for EBS resources.

1. Include the parameter [MoveToColdStorageAfterDays](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html).

1. Use the parameter `DeleteAfterDays`. This value must be at least 90 (days) more than the value you input for `MoveToColdStorageAfterDays`.

------

Cold storage is currently available for the following resource types:


| Resource type | Incremental or Full backup in cold storage | 
| --- | --- | 
| AWS CloudFormation | Incremental | 
| DynamoDB with advanced features | Full; no Incremental backups in any tier | 
| Amazon EBS (using EBS Snapshot Archive) | Full; Incremental backups will become Full after transition. | 
| Amazon EFS | Incremental | 
| SAP HANA databases running on Amazon EC2 instances | Incremental | 
| Amazon Timestream | Incremental | 
| VMware virtual machines | Incremental | 

Once you have enabled transition to cold storage through the console or command line, the following conditions are true for backups in cold storage (or archive):
+ Backups transitioned must be stored in cold storage for a minimum of 90 days, in addition to the time in warm storage. AWS Backup requires the retention to be set for 90 days longer than the “transition to cold after days” setting. You can't change the “transition to cold after days” setting after a backup has been transitioned to cold.
+ Some services support incremental backups. For incremental backups, you must have at least one warm full backup. AWS Backup recommends that you set your lifecycle settings to not move your backup to cold storage until after at least 8 days. If the full backup is transitioned to cold storage too soon (for example, a transition to cold storage after 1 day), AWS Backup will create another warm full backup.
+ For resource types that support incremental backups, AWS Backup transitions data from warm to cold storage if the transitioned data is no longer referenced by warm backups. Data in backups retained in cold storage that is only referenced by other cold backups is billed at cold storage tier prices. Other backups continue at warm storage tier pricing.
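The CLI steps and cold-storage conditions above amount to a handful of arithmetic constraints on each rule's `Lifecycle`. The following Python checker, added here as an example and not part of AWS Backup or its CLI, validates a `create-backup-plan` JSON document against them before you submit it: retention ranges for snapshot and continuous rules, `DeleteAfterDays` at least 90 days beyond `MoveToColdStorageAfterDays`, the 8-day warm recommendation, and the same check on each rule's copy actions. The sample plan and the vault ARN in it are constructed.

```python
# Retention limits stated in this documentation.
SNAPSHOT_MAX_DAYS = 100 * 365     # snapshot retention: 1 day to 100 years
CONTINUOUS_MAX_DAYS = 35          # continuous (PITR) retention: 1 to 35 days
MIN_COLD_DAYS = 90                # minimum time in cold storage
RECOMMENDED_WARM_DAYS = 8         # recommended minimum time in warm storage


def check_lifecycle(lifecycle: dict, continuous: bool, where: str):
    """Check one Lifecycle object; return (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    delete = lifecycle.get("DeleteAfterDays")   # None means retain indefinitely

    if continuous:
        if delete is None or not 1 <= delete <= CONTINUOUS_MAX_DAYS:
            errors.append(f"{where}: continuous backups must be retained "
                          f"between 1 and {CONTINUOUS_MAX_DAYS} days")
    elif delete is not None and not 1 <= delete <= SNAPSHOT_MAX_DAYS:
        errors.append(f"{where}: snapshot retention must be between 1 day and 100 years")

    if cold is not None:
        if cold < 1:
            errors.append(f"{where}: MoveToColdStorageAfterDays must be at least 1")
        if delete is not None and delete < cold + MIN_COLD_DAYS:
            errors.append(f"{where}: DeleteAfterDays ({delete}) must be at least "
                          f"MoveToColdStorageAfterDays + {MIN_COLD_DAYS} = {cold + MIN_COLD_DAYS}")
        if cold < RECOMMENDED_WARM_DAYS:
            warnings.append(f"{where}: transition after {cold} day(s) is below the recommended "
                            f"{RECOMMENDED_WARM_DAYS}; incremental resource types will need "
                            f"another warm full backup")
    return errors, warnings


def check_backup_plan(plan_doc: dict):
    """Validate every rule (and each rule's copy actions) in a create-backup-plan document."""
    errors, warnings = [], []
    for rule in plan_doc["BackupPlan"]["Rules"]:
        name = rule.get("RuleName", "<unnamed>")
        e, w = check_lifecycle(rule.get("Lifecycle", {}),
                               rule.get("EnableContinuousBackup", False), f"rule {name}")
        errors += e
        warnings += w
        for i, copy in enumerate(rule.get("CopyActions", [])):
            # Copies are snapshots; an omitted copy lifecycle inherits the source rule's.
            e, w = check_lifecycle(copy.get("Lifecycle", {}), False, f"rule {name} copy #{i}")
            errors += e
            warnings += w
    return errors, warnings


# Constructed sample plan: one valid rule plus several constraint violations.
SAMPLE_PLAN = {
    "BackupPlan": {
        "BackupPlanName": "lifecycle-check-demo",
        "Rules": [
            {   # transitions too early, and retention is shorter than warm + 90 days
                "RuleName": "daily-to-cold-too-soon",
                "TargetBackupVaultName": "test-vault",
                "ScheduleExpression": "cron(0 1 ? * * *)",
                "Lifecycle": {"MoveToColdStorageAfterDays": 1, "DeleteAfterDays": 30},
            },
            {   # valid: 30 warm days + 90 cold days; but its copy expires too early
                "RuleName": "weekly-archive",
                "TargetBackupVaultName": "test-vault",
                "ScheduleExpression": "cron(0 1 ? * 1 *)",
                "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 120},
                "CopyActions": [{
                    "DestinationBackupVaultArn":
                        "arn:aws:backup:us-west-2:111122223333:backup-vault:copy-vault",
                    "Lifecycle": {"MoveToColdStorageAfterDays": 10, "DeleteAfterDays": 60},
                }],
            },
            {   # continuous backups are limited to 35 days
                "RuleName": "continuous-pitr",
                "TargetBackupVaultName": "test-vault",
                "EnableContinuousBackup": True,
                "Lifecycle": {"DeleteAfterDays": 60},
            },
        ],
    }
}

if __name__ == "__main__":
    errs, warns = check_backup_plan(SAMPLE_PLAN)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```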

### Backup vault
<a name="backup-vault"></a>

A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own. For step-by-step instructions for creating a backup vault, see [Backup vault creation and deletion](create-a-vault.md).

### Copy to Regions
<a name="backup-vault"></a>

As part of your backup plan, you can optionally create a backup copy in the same or another AWS Region. These copies can be made either in the same account or another account. For more information about backup copies, see [Creating backup copies across AWS Regions](https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-region-backup.html).

When you define a backup copy, you configure the following options:

#### Destination Region
<a name="copy-destination-region"></a>

The destination Region for the backup copy.

#### (Advanced Settings) Backup vault
<a name="copy-backup-vault"></a>

The destination backup vault for the copy.

#### (Advanced Settings) IAM Role
<a name="copy-iam-role"></a>

The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you choose **Default** and the AWS Backup default role is not present in your account, a role is created for you with the correct permissions.

#### (Advanced Settings) Lifecycle
<a name="copy-lifecycle"></a>

Specifies when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. You can't change this value after a copy has transitioned to cold storage. 

**Expire** specifies the number of days after creation that the copy is deleted. This must be greater than 90 days beyond the **Transition to cold storage** value.

If the value for [Lifecycle](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_CopyAction.html#Backup-Type-CopyAction-Lifecycle) (shown as **Expire** in the console) is not specified in the copy settings, the copy will follow the lifecycle settings of the backup from which it is copied.

### Tags added to recovery points
<a name="recovery-point-tags"></a>

The tags that you list here are automatically added to backups when they are created. 

## Tags added to backup plans
<a name="backup-plan-tags"></a>

These tags are associated with the backup plan itself to help you organize and track your backup plan. 

## Advanced backup settings
<a name="advanced-backup-settings"></a>

Advanced backup settings allow you to configure resource-specific backup options for different AWS services.

### Amazon EC2 advanced backup settings
<a name="ec2-advanced-settings"></a>

Enables application consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. AWS Backup excludes specific Amazon EC2 instance types from Windows VSS backups. For more information, see [Create Windows VSS backups](windows-backups.md).

### Amazon S3 advanced backup settings
<a name="s3-advanced-settings"></a>

AWS Backup provides advanced settings to control what metadata is included in your Amazon S3 backups. You can optionally exclude Access Control Lists (ACLs) and object tags from your backups, which aligns with Amazon S3 best practices of using bucket-level permissions instead of object-level ACLs.

For detailed information on configuring Amazon S3 backup options for ACLs and object tags, see [Advanced Amazon S3 backup settings](s3-backups.md#s3-advanced-backup-settings).

**Important**  
When you exclude ACLs from backups, objects restored without ACLs will use the destination bucket's default ownership settings. The destination bucket must have appropriate object ownership configuration.

**Note**  
When a continuous backup job is running for an Amazon S3 bucket and you initiate a snapshot backup job, the snapshot will use the same ACL and object tag settings as the continuous backup, regardless of the settings specified for the snapshot job.

## Malware scanning
<a name="malware-scanning-settings"></a>

AWS Backup integrates with Amazon GuardDuty to provide automated malware scanning of your recovery points. When you enable malware scanning in your backup plan, AWS Backup automatically scans your backups for malware and provides scan results to help you make informed decisions about restoring your data.

To configure malware scanning for your backup plan:

1. Create an IAM role that trusts `malware-protection.guardduty.amazonaws.com` and attach the AWS managed policy `AWSBackupGuardDutyRolePolicyForScans`.

1. Attach the AWS managed policy `AWSBackupServiceRolePolicyForScans` to your backup selection's IAM role.

1. In your backup plan configuration, add scanning settings that specify:
   + The scan service (GuardDuty)
   + The resource types to scan (Amazon EC2, Amazon EBS, Amazon S3)
   + The IAM role ARN for GuardDuty to assume

1. Configure scan actions in your backup rules to specify:
   + The scan service (GuardDuty)
   + The scan type (incremental or full scan)

For more information about the managed policies, see [AWSBackupGuardDutyRolePolicyForScans](security-iam-awsmanpol.md#AWSBackupGuardDutyRolePolicyForScans) and [AWSBackupServiceRolePolicyForScans](security-iam-awsmanpol.md#AWSBackupServiceRolePolicyForScans).

# CloudFormation templates for backup plans
<a name="plan-cfn"></a>

We provide three sample CloudFormation templates for your reference. The first template creates a simple backup plan. The second template enables VSS backups in a backup plan. The third template enables Amazon GuardDuty Malware Protection scanning in a backup plan.

**Note**  
If you are using the default service role, replace *service-role* with `AWSBackupServiceRolePolicyForBackup`.

```
Description: backup plan template to back up all resources daily at 5am UTC, and tag all recovery points with backup:daily.

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
            Action:
              - kms:*
            Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          - RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"
    DependsOn: BackupVaultWithDailyBackups
    
  DDBTableWithDailyBackupTag:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "TestTable"
      AttributeDefinitions:
        - AttributeName: "Album"
          AttributeType: "S"
      KeySchema:
        - AttributeName: "Album"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      Tags:
        - Key: "backup"
          Value: "daily"

  BackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/service-role"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          - ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "daily"
      BackupPlanId: !Ref BackupPlanWithDailyBackups
    DependsOn: BackupPlanWithDailyBackups
```

```
Description: backup plan template to enable Windows VSS and add backup rule to take backup of assigned resources daily at 5am UTC.

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
            Action:
              - kms:*
            Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        AdvancedBackupSettings:
          - ResourceType: EC2
            BackupOptions:
              WindowsVSS: enabled
        BackupPlanRule:
          - RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"

    DependsOn: BackupVaultWithDailyBackups
```

```
Description: Backup plan template with Amazon GuardDuty Malware Protection scanning enabled.

Resources:
  BackupVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "MalwareScanBackupVault"

  BackupPlanWithMalwareScanning:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithMalwareScanning"
        BackupPlanRule:
          - RuleName: "DailyBackupWithIncrementalScan"
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: "cron(0 5 ? * * *)"
            Lifecycle:
              DeleteAfterDays: 35
            ScanActions:
              - MalwareScanner: GUARDDUTY
                ScanMode: INCREMENTAL_SCAN
          - RuleName: "MonthlyBackupWithFullScan"
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: "cron(0 5 1 * ? *)"
            Lifecycle:
              DeleteAfterDays: 365
            ScanActions:
              - MalwareScanner: GUARDDUTY
                ScanMode: FULL_SCAN
        ScanSettings:
          - MalwareScanner: GUARDDUTY
            ResourceTypes:
              - EBS
            ScannerRoleArn: !GetAtt ScannerRole.Arn
    DependsOn: BackupVault

  ScannerRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "malware-protection.guardduty.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSBackupGuardDutyRolePolicyForScans"

  BackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # Backup role needs the standard backup policy plus the scan policy
        - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
        - "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForScans"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "MalwareScanSelection"
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          - ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "true"
      BackupPlanId: !Ref BackupPlanWithMalwareScanning
    DependsOn: BackupPlanWithMalwareScanning
```

# Delete a backup plan
<a name="deleting-a-backup-plan"></a>

You can delete a backup plan only after all associated selections of resources have been deleted. These selections are also known as *resource assignments*. If they have not been deleted before you delete the backup plan, the console displays the error: "Related backup plan selections must be deleted prior to backup plan deletion." Delete them in the console or with the [DeleteBackupSelection](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupSelection.html) API operation.

Deleting a backup plan deletes the current version of the plan. The current and previous versions, if any, still exist, but they are no longer listed on the console under **Backup plans**.

**Note**  
When a backup plan is deleted, existing backups are not deleted. To remove existing backups, delete them from the backup vault using the steps in [Deleting backups](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-backups.html).

**To delete a backup plan using the AWS Backup console**

1. Sign in to the AWS Management Console, and open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the navigation pane on the left, choose **Backup plans**.

1. Choose your backup plan in the list.

1. Select any resource assignments that are associated with the backup plan.

1. Choose **Delete**.

# Update a backup plan
<a name="updating-a-backup-plan"></a>

After creating a backup plan, you can edit the plan—for example, you can add tags, or you can add, edit, or delete backup rules. Any changes that you make to a backup plan have no effect on existing backups created by the backup plan. The changes apply only to backups that are created in the future. 

For example, when you update the retention period in a backup rule, the retention period of backups created before the update remains the same. Backups that the rule creates going forward reflect the updated retention period.

You can't change the name of a plan after it is created.

**To edit a backup plan using the AWS Backup console**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the navigation pane, choose **Backup plans**.

1. Under the second pane, **Backup plans**, existing backup plans are displayed. Select the underlined link in the column **Backup plan name** to see details of the chosen backup plan.

1. You can edit a backup rule, view resource assignments, view backup jobs, manage tags, or change Windows VSS settings.

1. To update a backup rule, select the name of the backup rule.

   Select **Manage tags** to add or delete tags.

   Select **Edit** next to **Advanced backup settings** to turn Windows VSS on or off.

1. Change the setting(s) you prefer, and then select **Save**.

# Understanding backup plan summary
<a name="understanding-backup-plan-summaries"></a>

The backup plan summary feature provides a comprehensive view of your backup plan configuration to help you validate that your backup strategy meets your requirements. The summary includes three key components that address common customer challenges when managing complex backup configurations across multiple AWS services.

## Summary components
<a name="backup-plan-summary-components"></a>

Each backup plan summary contains the following information:
+ **Next 10 scheduled backup runs**: Shows when your backup rules will execute, including merged rules and proper timezone handling.
+ **Feature compatibility notes**: Information about which services support point-in-time recovery (PITR) and cold tier storage if these are part of your backup plan rule.

## Scheduled backup runs preview
<a name="scheduled-backup-runs-preview"></a>

The scheduled runs preview shows up to 10 future backup executions based on your backup plan rules. This preview helps you understand when backups will occur and how multiple rules interact with each other.

### How multiple rules are merged
<a name="rule-merging-logic"></a>

When you have multiple backup rules in a plan, AWS Backup applies merging logic to determine the final backup behavior:
+ **Overlapping backup windows**: It is best practice not to have two rules with conflicting schedules. When two rules would execute at the same time, AWS Backup selects one.
+ **PITR and snapshot combinations**: PITR applies to supported resources, while snapshots apply to all resources in the selection
+ **Multiple time zones**: Each rule respects its configured timezone for execution scheduling
+ **Cross-region copy actions**: Copy actions are preserved and displayed with their destination information. Note that if a copy rule is attached to a conflicting schedule rule, the copy rule will only run if the schedule rule has run.

**Example: Rule merging**  
Consider a backup plan with two rules:  
+ Rule 1: Daily snapshot at 8am PDT, 35-day retention
+ Rule 2: Weekly snapshot at 8am PDT, 90-day retention
When both rules would execute on the same day (such as Sunday), the preview shows Rule 2 because it has longer retention (90 days vs 35 days).
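As an added illustration of the merging example above (not AWS code), the following Python script previews the next 10 runs of the two rules and collapses same-instant runs to the rule with the longer retention. It parses only the cron forms used on this page, models PDT as a fixed UTC-7 offset (DST transitions are not modelled), and uses `ScheduleExpressionTimezone` as the name of the rule's timezone setting.

```python
"""Next-runs preview for a backup plan with several rules, modelled on the
merging behaviour described above: each rule's cron expression is evaluated in
its own timezone, and when two rules would run at the same instant the preview
keeps the rule with the longer retention. Added example, not AWS code.
Supports the AWS cron form cron(min hour day-of-month month day-of-week year)
with each field '*', '?', a number, or a three-letter weekday name."""
from datetime import datetime, timedelta, timezone

# Constructed zone table with fixed offsets, so DST transitions are not modelled.
_ZONES = {"UTC": timezone.utc, "PDT": timezone(timedelta(hours=-7), "PDT")}
_WEEKDAYS = {"MON": 0, "TUE": 1, "WED": 2, "THU": 3, "FRI": 4, "SAT": 5, "SUN": 6}


def parse_cron(expr: str):
    """Return (minute, hour, day_ok) where day_ok(datetime) tests the day fields."""
    if not (expr.startswith("cron(") and expr.endswith(")")):
        raise ValueError(f"not a cron() expression: {expr!r}")
    fields = expr[len("cron("):-1].split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields in {expr!r}")
    minute, hour, dom, month, dow, year = fields
    any_ = ("*", "?")

    def day_ok(t: datetime) -> bool:
        return ((dom in any_ or t.day == int(dom))
                and (month in any_ or t.month == int(month))
                and (dow in any_ or t.weekday() == _WEEKDAYS[dow.upper()])
                and (year in any_ or t.year == int(year)))

    return int(minute), int(hour), day_ok


def rule_runs(rule: dict, start: datetime, limit: int):
    """Yield the first `limit` run instants (as UTC datetimes) of one rule at or after start."""
    minute, hour, day_ok = parse_cron(rule["ScheduleExpression"])
    tz = _ZONES[rule.get("ScheduleExpressionTimezone", "UTC")]
    # Walk forward one calendar day at a time in the rule's own timezone.
    candidate = start.astimezone(tz).replace(hour=hour, minute=minute, second=0, microsecond=0)
    found = 0
    while found < limit:
        if candidate >= start and day_ok(candidate):
            yield candidate.astimezone(timezone.utc)
            found += 1
        candidate += timedelta(days=1)


def preview(rules: list, start: datetime, count: int = 10) -> list:
    """Merge all rules into the next `count` rows of (utc_instant, rule_name, retention_days).

    Runs that fall on the same instant collapse to the rule with the longest
    retention, which is what the example above shows for the Sunday run."""
    winner = {}
    for rule in rules:
        days = rule["Lifecycle"]["DeleteAfterDays"]
        for when in rule_runs(rule, start, count):
            if when not in winner or days > winner[when]["Lifecycle"]["DeleteAfterDays"]:
                winner[when] = rule
    rows = sorted(winner.items())[:count]
    return [(when, r["RuleName"], r["Lifecycle"]["DeleteAfterDays"]) for when, r in rows]


# The two rules from the example above, written as backup plan rules.
PAGE_EXAMPLE_RULES = [
    {"RuleName": "Rule 1", "ScheduleExpression": "cron(0 8 ? * * *)",
     "ScheduleExpressionTimezone": "PDT", "Lifecycle": {"DeleteAfterDays": 35}},
    {"RuleName": "Rule 2", "ScheduleExpression": "cron(0 8 ? * SUN *)",
     "ScheduleExpressionTimezone": "PDT", "Lifecycle": {"DeleteAfterDays": 90}},
]

if __name__ == "__main__":
    # 2025-06-01 is a Sunday, so the first row shows Rule 2 winning the overlap.
    for when, name, days in preview(PAGE_EXAMPLE_RULES, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f"{when:%Y-%m-%d %H:%M %Z}  {name:<7} retain {days} days")
```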

### Execution types
<a name="execution-types"></a>

The scheduled runs preview displays different execution types based on your rule configuration:
+ `CONTINUOUS`: Continuous backups for supported services
+ `SNAPSHOTS`: Snapshot (periodic) backups for all resources in the selection
+ `CONTINUOUS_AND_SNAPSHOTS`: Point-in-time-restore (PITR) for resource types which support it; snapshot (periodic) for all other resource types.

## Feature compatibility validation
<a name="feature-compatibility-validation"></a>

The summary includes compatibility reminders to help you understand which AWS services support advanced backup features. This prevents configuration errors and unexpected costs.

### Point-in-time recovery support
<a name="pitr-compatibility"></a>

When you enable continuous backups in a rule, the summary reminds you that PITR is only supported for:
+ Aurora databases
+ Amazon RDS databases
+ SAP HANA databases
+ Amazon S3 buckets

### Cold tier storage support
<a name="cold-tier-compatibility"></a>

When you configure cold tier transitions, the summary shows which services support this feature:
+ Amazon DynamoDB tables
+ Amazon Elastic File System file systems
+ SAP HANA databases
+ Amazon Timestream databases
+ VMware virtual machines

## Accessing backup plan summaries
<a name="accessing-backup-plan-summaries"></a>

You can view backup plan summaries in the AWS Backup console after creating or updating a backup plan. The summary appears in the plan details page and provides immediate feedback about your configuration.

**To view a backup plan summary**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup/](https://console.aws.amazon.com/backup/).

1. In the navigation pane, choose **Backup plans**.

1. Choose the backup plan you want to review.

1. The backup plan summary appears in the plan details page. Expand the summary to see scheduled runs and compatibility notes.

You can also retrieve backup plan information using the AWS CLI:

```
aws backup get-backup-plan --backup-plan-id 012345678
```

# Select AWS services to backup
<a name="assigning-resources"></a>

## Opt in to services, then assign resources
<a name="w2aac13c17b3"></a>

AWS Backup works with many [different AWS services](backup-feature-availability.md#features-by-resource). Before you decide which services to include in a backup plan, use the [AWS Backup console](#backup-optin-console) or [AWS CLI](#backup-optin-cli) to opt in to using AWS Backup to work with those services.

Then, in each backup plan, specify in the [console](assigning-resources-console.md) or through [CLI](assigning-resources-json.md) which resource types to include in that plan.

For example, you can opt in to all services which AWS Backup supports, then include only Amazon S3 buckets and Aurora clusters in a backup plan.

**Topics**
+ [

## Opt in to services, then assign resources
](#w2aac13c17b3)
+ [

## AWS Backup service opt-in
](#backup-service-optin)
+ [

## Backup plan resource assignment
](#backup-resource-assignment)
+ [

# Assign resources using the AWS Backup console
](assigning-resources-console.md)
+ [

# Assign resources with AWS CLI
](assigning-resources-json.md)
+ [

# Assign AWS Backup resources through CloudFormation
](assigning-resources-cfn.md)
+ [

## Backup plan resource assignments quotas
](#assigning-resources-quotas)

## AWS Backup service opt-in
<a name="backup-service-optin"></a>

### Service opt-in through the AWS Backup console
<a name="backup-optin-console"></a>

**To configure the AWS services to use with AWS Backup**

1. Sign in to the AWS Management Console, and open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the navigation pane, choose **Settings**.

1. On the **Service opt-in** page, choose **Configure resources**.

1. On the **Configure resources** page, use the toggle switches to enable or disable the services that are used with AWS Backup. Choose **Confirm** when your services are configured. Make sure that the AWS service you're opting in is available in your AWS Region.

### Service opt-in through AWS CLI
<a name="backup-optin-cli"></a>

Use the [UpdateRegionSettings](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_UpdateRegionSettings.html) command to change the services (resource types) for which your account or organization uses AWS Backup to orchestrate backup creation. Use the [DescribeRegionSettings](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DescribeRegionSettings.html) command to determine which services you have opted into in a specific Region.

## Backup plan resource assignment
<a name="backup-resource-assignment"></a>

Through the [AWS Backup console](assigning-resources-console.md) or through [AWS CLI](assigning-resources-json.md), the resource assignment in your backup plan specifies which resources AWS Backup will include. AWS Backup provides both simple default settings and fine-grained controls to assign resources.

You can assign resources in the following ways:
+ Explicitly assign resource types to the backup plan
+ Include all resources (AWS Backup will then scan for all supported resource types)
+ Use tags to include or exclude resources

If you only use tags for resource assignment, then the service opt-in settings will still apply.

You can further refine the resource assignment using conditions and tags. There are some limits on the number of ARNs, conditions, and tags that can be used in a single resource assignment.

Resource selection through the CLI is based on service names and resource types. See [Assign resources with AWS CLI](assigning-resources-json.md) for considerations about resource selection.

# Assign resources using the AWS Backup console
<a name="assigning-resources-console"></a>

**To navigate to the Assign resources page:**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Choose **Backup plans**.

1. Choose **Create Backup plan**.

1. Select any template in the **Choose template** dropdown list, then choose **Create plan**.

1. Type in a **Backup plan name**.

1. Choose **Create plan**.

1. Choose **Assign resources**.

**To begin your resource assignment, in the General section:**

1. Type in a **Resource assignment name**.

1. Choose the **Default role** or **Choose an IAM role**.
**Note**  
If you choose an IAM role, verify that it has permission to back up all the resources you are about to assign. If your role encounters a resource that it doesn't have permission to back up, your backup plan will fail.

To assign your resources, in the **Assign resources** section, choose one of the two options under **Define resource selection**:
+ **Include all resource types**. This option configures your backup plan to protect all current and future AWS Backup-supported resources assigned to your backup plan. Use this option to quickly and easily protect your data estate.

  When you choose this option, you can optionally **Refine selection using tags** as the next step.
+ **Include specific resource types**. When you choose this option, you must **Select specific resource types** with the following steps:

  1. Using the **Select resource types** dropdown menu, assign one or more resource types. 

     Once you finish, AWS Backup presents you the list of resource types you selected and its default setting, which is to protect all resources for each selected resource type.

  1. Optionally, if you want to exclude specific resources from a resource type you selected:

     1. Use the **Choose resources** dropdown menu and deselect the default option.

     1. Select the specific resources to assign to your backup plan.

  1. Optionally, you can **Exclude specific resource IDs from the selected resource types**. Use this option if you want to exclude one or a few resources out of many, because doing so might be faster than selecting many resources during the previous step. You must include a resource type before you can exclude resources from that resource type. Exclude a resource ID using the following steps:

     1. Under **Exclude specific resource IDs from the selected resource types**, choose one or more of the resource types that you included using **Select resource types**.

     1. For each resource type, use the **Choose resources** menu to select one or more resources to exclude.

In addition to your previous choices, you can make even more granular selections using the optional **Refine selection using tags** feature. This feature allows you to refine your current selection to include a subset of your resources using tags.

Tags are key-value pairs that you can assign to specific resources to help you identify, organize, and filter your resources. Tags are case sensitive. For more information about tags, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

When you refine your selection using two or more tags, the effect is an AND condition. For example, if you refine your selection using two tags, `env: prod` and `role: application`, you only assign resources with BOTH tags to your backup plan.

**To refine your selection using tags:**

1. Under **Refine selection using tags**, choose a **Key** from the list.

1. Choose a **Condition for value** from the list.
   + *Value* refers to the next input, the value of your key-value pair.
   + **Condition** can be `Equals`, `Contains`, `Begins with`, or `Ends with`, or their inverse: `Does not equal`, `Does not contain`, `Does not begin with`, or `Does not end with`.

1. Choose a **Value** from the list.

1. To further refine using another tag, choose **Add tag**.

# Assign resources with AWS CLI
<a name="assigning-resources-json"></a>

## Filter by services or resource types
<a name="resource-assignment-filter"></a>

Resource selection is based on service names and resource types. The method of resource selection determines whether a resource is included in the backup. This inclusion depends on service names, resource types, and opt-in settings.

**Selection by service name**  
When you specify only a service name in the resource selection, the backup inclusion depends on the opt-in setting for the underlying resource types. For example, with `arn:aws:ec2:*`, EC2 instances will be included in the backup only if the opt-in setting for the EC2 resource type is enabled.

**Selection by resource type**  
If you specify the resource selection directly with the resource type, it will be included in the backup regardless of the opt-in setting for that particular service. For example, with `arn:aws:ec2:::instance/*`, EC2 instances will be backed up regardless of the opt-in setting.

**Shared resource types**  
When multiple resources share the same resource type, you need to enable opt-in settings for specific resource types to initiate backups.

**Example**  
Aurora and RDS clusters share the ARN format `arn:aws:rds:::cluster:*`. To back up Aurora databases, you must enable the opt-in setting for Aurora.  
FSx and FSx for OpenZFS share the ARN format `arn:aws:fsx:::file-system/*`. Enable the respective opt-in settings to back up these file systems.

## Use a JSON to define backup plan resource assignment
<a name="backup-resource-json"></a>

You can define a resource assignment in a JSON document.

You can specify conditions, tags, or resources to define what will be included in your backup plan. For more information to help you determine which parameters to include, see [https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BackupSelection.html#Backup-Type-BackupSelection-ListOfTags](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BackupSelection.html#Backup-Type-BackupSelection-ListOfTags).

This sample resource assignment assigns all Amazon EC2 instances to the backup plan *BACKUP-PLAN-ID*:

```
{
  "BackupPlanId":"BACKUP-PLAN-ID",
  "BackupSelection":{
    "SelectionName":"resources-list-selection", 
    "IamRoleArn":"arn:aws:iam::ACCOUNT-ID:role/IAM-ROLE-ARN",
    "Resources":[
      "arn:aws:ec2:*:*:instance/*"
    ]
  }
}
```

Assuming this JSON is stored as `backup-selection.json`, you can assign these resources to your backup plan using the following CLI command:

```
aws backup create-backup-selection --cli-input-json file://PATH-TO-FILE/backup-selection.json
```

The following are example resource assignments, along with the corresponding JSON document. To make this table easier for you to read, the examples omit the fields `"BackupPlanId"`, `"SelectionName"`, and `"IamRoleArn"`. The wildcard `*` represents zero or more non-whitespace characters.

**Example: Select all resources in my account**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ]
  }
}
```

**Example: Select all resources in my account, but exclude EBS volumes**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ]
  }
}
```

**Example: Select all resources tagged with "backup":"true", but exclude EBS volumes**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

**Important**  
RDS, Aurora, Neptune, and DocumentDB ARNs start with `arn:aws:rds:`. Refine your selection with tags and conditional operators if you don't intend to include all those types.

**Example: Select all EBS volumes and RDS DB instances tagged with both "backup":"true" and "stage":"prod"**  
The Boolean logic is similar to that in IAM policies: entries in `"Resources"` are combined with a Boolean OR, and entries in `"Conditions"` are combined with a Boolean AND.  
The `"Resources"` expression `"arn:aws:rds:*:*:db:*"` only selects RDS DB instances because there are no corresponding Aurora, Neptune, or DocumentDB resources.  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:rds:*:*:db:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        },
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"prod"
        }
      ]
    }
  }
}
```

**Example: Select all EBS volumes and RDS instances tagged with "backup":"true" but not "stage":"test"**  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:rds:*:*:db:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ],
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with "key1" and a value which begins with "include" but not with "key2" and value that contains the word "exclude"**  
You can use the wildcard character at the start, end, or middle of a string. Note the use of the wildcard character (`*`) in `include*` and `*exclude*` in the example below. You can also use the wildcard character in the middle of a string, as in the earlier example `arn:aws:rds:*:*:db:*`.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "Conditions":{
      "StringLike":[
        {
          "ConditionKey":"aws:ResourceTag/key1",
          "ConditionValue":"include*"
        }
      ],
      "StringNotLike":[
        {
          "ConditionKey":"aws:ResourceTag/key2",
          "ConditionValue":"*exclude*"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with "backup":"true" except FSx file systems and RDS, Aurora, Neptune, and DocumentDB resources**  
Items in `NotResources` are combined using the Boolean OR.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:fsx:*",
      "arn:aws:rds:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with a tag "backup" and any value**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "Conditions":{
      "StringLike":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"*"
        }
      ]
    }
  }
}
```

**Example: Select all FSx file systems, the Aurora cluster "my-aurora-cluster", and all resources tagged with "backup":"true", except for resources tagged with "stage":"test"**  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:fsx:*",
      "arn:aws:rds:*:*:cluster:my-aurora-cluster"
    ],
    "ListOfTags":[
      {
        "ConditionType":"StringEquals",
        "ConditionKey":"backup",
        "ConditionValue":"true"
      }
    ],
    "Conditions":{
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with tag `"backup":"true"` except for EBS volumes tagged with `"stage":"test"`**  
Use two CLI commands to create two selections to select this group of resources. The first selection applies to all resources except for EBS volumes. The second selection applies to EBS volumes.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ],
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```
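To see how the selection rules above combine, here is an added Python model (not AWS code) that evaluates a `BackupSelection` document against a constructed inventory of tagged resources, covering wildcards, `NotResources`, `ListOfTags`, and all four condition operators in any combination. It assumes `ListOfTags` entries are unioned with `Resources`, as the FSx/Aurora example above describes, does not model service opt-in, and uses a made-up account ID and resource IDs.

```python
"""Model of how an AWS Backup resource assignment (BackupSelection JSON) picks
resources, following the rules stated on this page:
  - "Resources" patterns are combined with OR; "*" matches zero or more
    non-whitespace characters and may appear anywhere in a pattern,
  - "NotResources" patterns are combined with OR and exclude their matches,
  - every entry under "Conditions" must hold (AND),
  - "ListOfTags" (StringEquals only) is unioned with "Resources" (assumption,
    based on the FSx/Aurora example above). Service opt-in is not modelled."""
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where '*' is zero or more non-whitespace chars."""
    regex = r"\S*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


# Operators used under "Conditions" on this page. An absent tag satisfies the
# negated operators: a resource with no "stage" tag is "not stage:test".
_OPERATORS = {
    "StringEquals": lambda tag, want: tag is not None and tag == want,
    "StringNotEquals": lambda tag, want: tag is None or tag != want,
    "StringLike": lambda tag, want: tag is not None and wildcard_match(want, tag),
    "StringNotLike": lambda tag, want: tag is None or not wildcard_match(want, tag),
}
_TAG_KEY_PREFIX = "aws:ResourceTag/"


def is_selected(selection: dict, arn: str, tags: dict) -> bool:
    """Decide whether one resource (its ARN plus tag map) is in the selection."""
    # 1. Candidate if any "Resources" pattern OR any "ListOfTags" entry matches.
    in_resources = any(wildcard_match(p, arn) for p in selection.get("Resources", []))
    in_tag_list = any(
        e["ConditionType"].upper() == "STRINGEQUALS"
        and tags.get(e["ConditionKey"]) == e["ConditionValue"]
        for e in selection.get("ListOfTags", [])
    )
    if not (in_resources or in_tag_list):
        return False
    # 2. Any matching "NotResources" pattern excludes the resource.
    if any(wildcard_match(p, arn) for p in selection.get("NotResources", [])):
        return False
    # 3. Every condition under every operator must hold.
    for operator, entries in selection.get("Conditions", {}).items():
        for e in entries:
            key = e["ConditionKey"]
            if not key.startswith(_TAG_KEY_PREFIX):
                raise ValueError(f"unsupported condition key: {key}")
            tag_value = tags.get(key[len(_TAG_KEY_PREFIX):])
            if not _OPERATORS[operator](tag_value, e["ConditionValue"]):
                return False
    return True


def select(selection: dict, inventory: dict) -> list:
    """Sorted ARNs from inventory ({arn: {tag_key: value}}) that the selection picks."""
    return sorted(a for a, t in inventory.items() if is_selected(selection, a, t))


# Constructed inventory: account ID, region and resource IDs are made up.
_ACCT = "us-east-1:111122223333"
INVENTORY = {
    f"arn:aws:ec2:{_ACCT}:volume/vol-0a1": {"backup": "true", "stage": "prod"},
    f"arn:aws:ec2:{_ACCT}:volume/vol-0b2": {"backup": "true", "stage": "test"},
    f"arn:aws:ec2:{_ACCT}:instance/i-0c3": {"backup": "true"},
    f"arn:aws:rds:{_ACCT}:db:orders-db": {"backup": "true", "stage": "prod"},
    f"arn:aws:rds:{_ACCT}:cluster:my-aurora-cluster": {"stage": "test"},
    f"arn:aws:fsx:{_ACCT}:file-system/fs-0d4": {},
    f"arn:aws:elasticfilesystem:{_ACCT}:file-system/fs-0e5": {"backup": "true", "key1": "include-me"},
}

# "All EBS volumes and RDS DB instances tagged backup:true AND stage:prod" (from above).
VOLUMES_AND_DBS_PROD = {
    "Resources": ["arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*"],
    "Conditions": {"StringEquals": [
        {"ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true"},
        {"ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "prod"},
    ]},
}
# "All FSx, the Aurora cluster, and backup:true resources, except stage:test" (from above).
FSX_AURORA_AND_TAGGED = {
    "Resources": ["arn:aws:fsx:*", "arn:aws:rds:*:*:cluster:my-aurora-cluster"],
    "ListOfTags": [{"ConditionType": "StringEquals", "ConditionKey": "backup", "ConditionValue": "true"}],
    "Conditions": {"StringNotEquals": [
        {"ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test"},
    ]},
}

if __name__ == "__main__":
    for name, sel in (("volumes+dbs, prod", VOLUMES_AND_DBS_PROD), ("fsx+aurora+tagged", FSX_AURORA_AND_TAGGED)):
        print(name, *select(sel, INVENTORY), sep="\n  ")
```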

# Assign AWS Backup resources through CloudFormation
<a name="assigning-resources-cfn"></a>

This end-to-end CloudFormation template creates a resource assignment, a backup plan, and a destination backup vault:
+ A backup vault named *CloudFormationTestBackupVault*.
+ A backup plan named *CloudFormationTestBackupPlan*. This plan contains two backup rules, both of which take backups daily at 12 noon UTC and retain them for 210 days.
+ A resource selection named *BackupSelectionName*.
  + The resource assignment backs up the following resources:
    + Any resource tagged with the key-value pair `backupplan:dsi-sandbox-daily`.
    + Any resource whose `path` tag has the value `prod` or a value beginning with `prod/`.
  + The resource assignment does not back up the following resources:
    + Any RDS, Aurora, Neptune, or DocumentDB cluster.
    + Any resource whose `path` tag has the value `test` or a value beginning with `test/`.

```
Description: "Template that creates Backup Selection and its dependencies"
Parameters:
  BackupVaultName:
    Type: String
    Default: "CloudFormationTestBackupVault"
  BackupPlanName:
    Type: String
    Default: "CloudFormationTestBackupPlan"
  BackupSelectionName: 
    Type: String
    Default: "CloudFormationTestBackupSelection"
  BackupPlanTagValue:
    Type: String
    Default: "test-value-1"
  RuleName1:
    Type: String
    Default: "TestRule1"
  RuleName2:
    Type: String
    Default: "TestRule2"
  ScheduleExpression:
    Type: String
    Default: "cron(0 12 * * ? *)"
  StartWindowMinutes:
    Type: Number
    Default: 60
  CompletionWindowMinutes:
    Type: Number
    Default: 120
  RecoveryPointTagValue:
    Type: String
    Default: "test-recovery-point-value"
  MoveToColdStorageAfterDays:
    Type: Number
    Default: 120
  DeleteAfterDays:
    Type: Number
    Default: 210
Resources:
  CloudFormationTestBackupVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref BackupVaultName
  BasicBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref BackupPlanName
        BackupPlanRule:
          - RuleName: !Ref RuleName1
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
          - RuleName: !Ref RuleName2
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
      BackupPlanTags:
        test-key-1: !Ref BackupPlanTagValue
    DependsOn: CloudFormationTestBackupVault
 
  TestRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  BasicBackupSelection:
    Type: 'AWS::Backup::BackupSelection'
    Properties:
      BackupPlanId: !Ref BasicBackupPlan
      BackupSelection:
        SelectionName: !Ref BackupSelectionName
        IamRoleArn: !GetAtt TestRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backupplan
            ConditionValue: dsi-sandbox-daily
        NotResources:
          - 'arn:aws:rds:*:*:cluster:*'
        Conditions:
          StringEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod
          StringNotEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test
          StringLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod/*
          StringNotLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test/*
```

## Backup plan resource assignments quotas
<a name="assigning-resources-quotas"></a>

The following quotas apply to a single resource assignment:
+ 500 Amazon Resource Names (ARNs) without wildcards
+ 30 ARNs with wildcard expressions
+ 30 conditions
+ 30 tags per resource assignment (and an unlimited number of resources per tag)