

# Select AWS services to back up
<a name="assigning-resources"></a>

## Opt in to services, then assign resources
<a name="w2aac13c17b3"></a>

AWS Backup works with many [different AWS services](backup-feature-availability.md#features-by-resource). Before you decide which services to include in a backup plan, use the [AWS Backup console](#backup-optin-console) or [AWS CLI](#backup-optin-cli) to opt in to using AWS Backup to work with those services.

Then, in each backup plan, specify in the [console](assigning-resources-console.md) or through [CLI](assigning-resources-json.md) which resource types to include in that plan.

For example, you can opt in to all services which AWS Backup supports, then include only Amazon S3 buckets and Aurora clusters in a backup plan.

**Topics**
+ [Opt in to services, then assign resources](#w2aac13c17b3)
+ [AWS Backup service opt-in](#backup-service-optin)
+ [Backup plan resource assignment](#backup-resource-assignment)
+ [Assign resources using the AWS Backup console](assigning-resources-console.md)
+ [Assign resources with AWS CLI](assigning-resources-json.md)
+ [Assign AWS Backup resources through CloudFormation](assigning-resources-cfn.md)
+ [Backup plan resource assignments quotas](#assigning-resources-quotas)

## AWS Backup service opt-in
<a name="backup-service-optin"></a>

### Service opt-in through the AWS Backup console
<a name="backup-optin-console"></a>

**To configure the AWS services to use with AWS Backup**

1. Sign in to the AWS Management Console, and open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. In the navigation pane, choose **Settings**.

1. On the **Service opt-in** page, choose **Configure resources**.

1. On the **Configure resources** page, use the toggle switches to enable or disable the services that are used with AWS Backup. Choose **Confirm** when your services are configured. Make sure that the AWS service you're opting in is available in your AWS Region.

### Service opt-in through AWS CLI
<a name="backup-optin-cli"></a>

Use the [UpdateRegionSettings](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_UpdateRegionSettings.html) command to change the services (resource types) for which your account or organization uses AWS Backup to orchestrate backup creation. Use the [DescribeRegionSettings](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DescribeRegionSettings.html) command to determine which services you have opted in to in a specific Region.

## Backup plan resource assignment
<a name="backup-resource-assignment"></a>

Through the [AWS Backup console](assigning-resources-console.md) or through [AWS CLI](assigning-resources-json.md), the resource assignment in your backup plan specifies which resources AWS Backup will include. AWS Backup provides both simple default settings and fine-grained controls to assign resources.

You can assign resources in the following ways:
+ Explicitly assign resource types to the backup plan
+ Include all resources (AWS Backup will then scan for all supported resource types)
+ Use tags to include or exclude resources

If you only use tags for resource assignment, then the service opt-in settings will still apply.

You can further refine the resource assignment using conditions and tags. There are some limits on the number of ARNs, conditions, and tags that can be used in a single resource assignment.

Resource selection through CLI is based on service names and resource types. See [Assign resources with AWS CLI](assigning-resources-json.md) for considerations about resource selection.

# Assign resources using the AWS Backup console
<a name="assigning-resources-console"></a>

**To navigate to the Assign resources page:**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Choose **Backup plans**.

1. Choose **Create Backup plan**.

1. Select any template in the **Choose template** dropdown list, then choose **Create plan**.

1. Type in a **Backup plan name**.

1. Choose **Create plan**.

1. Choose **Assign resources**.

**To begin your resource assignment, in the General section:**

1. Type in a **Resource assignment name**.

1. Choose the **Default role** or **Choose an IAM role**.
**Note**  
If you choose an IAM role, verify that it has permission to back up all the resources you are about to assign. If your role encounters a resource that it doesn't have permission to back up, your backup plan will fail.

To assign your resources, in the **Assign resources** section, choose one of the two options under **Define resource selection**:
+ **Include all resource types**. This option configures your backup plan to protect all current and future AWS Backup-supported resources assigned to your backup plan. Use this option to quickly and easily protect your data estate.

  When you choose this option, you can optionally **Refine selection using tags** as the next step.
+ **Include specific resource types**. When you choose this option, you must **Select specific resource types** with the following steps:

  1. Using the **Select resource types** dropdown menu, assign one or more resource types. 

     Once you finish, AWS Backup shows you the list of resource types you selected and their default setting, which is to protect all resources for each selected resource type.

  1. Optionally, if you want to exclude specific resources from a resource type you selected:

     1. Use the **Choose resources** dropdown menu and deselect the default option.

     1. Select the specific resources to assign to your backup plan.

  1. Optionally, you can **Exclude specific resource IDs from the selected resource types**. Use this option if you want to exclude one or a few resources out of many, because doing so might be faster than selecting many resources during the previous step. You must include a resource type before you can exclude resources from that resource type. Exclude a resource ID using the following steps:

     1. Under **Exclude specific resource IDs from the selected resource types**, choose one or more of the resource types that you included using **Select resource types**.

     1. For each resource type, use the **Choose resources** menu to select one or more resources to exclude.

In addition to your previous choices, you can make even more granular selections using the optional **Refine selection using tags** feature. This feature allows you to refine your current selection to include a subset of your resources using tags.

Tags are key-value pairs that you can assign to specific resources to help you identify, organize, and filter your resources. Tags are case sensitive. For more information about tags, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

When you refine your selection using two or more tags, the effect is an AND condition. For example, if you refine your selection using two tags, `env: prod` and `role: application`, you only assign resources with BOTH tags to your backup plan.

**To refine your selection using tags:**

1. Under **Refine selection using tags**, choose a **Key** from the list.

1. Choose a **Condition for value** from the list.
   + *Value* refers to the next input, the value of your key-value pair.
   + **Condition** can be `Equals`, `Contains`, `Begins with`, or `Ends with`, or their inverse: `Does not equal`, `Does not contain`, `Does not begin with`, or `Does not end with`.

1. Choose a **Value** from the list.

1. To further refine using another tag, choose **Add tag**.

# Assign resources with AWS CLI
<a name="assigning-resources-json"></a>

## Filter by services or resource types
<a name="resource-assignment-filter"></a>

Resource selection is based on service names and resource types. The method of resource selection determines whether a resource is included in the backup. This inclusion depends on service names, resource types, and opt-in settings.

**Selection by service name**  
When you specify only a service name in the resource selection, the backup inclusion depends on the opt-in setting for the underlying resource types. For example, with `arn:aws:ec2:*`, EC2 instances will be included in the backup only if the opt-in setting for the EC2 resource type is enabled.

**Selection by resource type**  
If you specify the resource selection directly with the resource type, it will be included in the backup regardless of the opt-in setting for that particular service. For example, with `arn:aws:ec2:::instance/*`, EC2 instances will be backed up regardless of the opt-in setting.

**Shared resource types**  
When multiple resources share the same resource type, you need to enable opt-in settings for specific resource types to initiate backups.

**Example**  
Aurora and RDS clusters share the ARN format `arn:aws:rds:::cluster:*`. To back up Aurora databases, you must enable the opt-in setting for Aurora.  
FSx and FSx for OpenZFS share the ARN format `arn:aws:fsx:::file-system/*`. Enable the respective opt-in settings to back up these file systems.

## Use a JSON to define backup plan resource assignment
<a name="backup-resource-json"></a>

You can define a resource assignment in a JSON document.

You can specify conditions, tags, or resources to define what will be included in your backup plan. For more information to help you determine which parameters to include, see [BackupSelection](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BackupSelection.html#Backup-Type-BackupSelection-ListOfTags).

This sample resource assignment assigns all Amazon EC2 instances to the backup plan *BACKUP-PLAN-ID*:

```
{
  "BackupPlanId":"BACKUP-PLAN-ID",
  "BackupSelection":{
    "SelectionName":"resources-list-selection", 
    "IamRoleArn":"arn:aws:iam::ACCOUNT-ID:role/IAM-ROLE-ARN",
    "Resources":[
      "arn:aws:ec2:*:*:instance/*"
    ]
  }
}
```

Assuming this JSON is stored as `backup-selection.json`, you can assign these resources to your backup plan using the following CLI command:

```
aws backup create-backup-selection --cli-input-json file://PATH-TO-FILE/backup-selection.json
```

The following are example resource assignments, along with the corresponding JSON document. To make these examples easier to read, they omit the fields `"BackupPlanId"`, `"SelectionName"`, and `"IamRoleArn"`. The wildcard `*` represents zero or more non-whitespace characters.

**Example: Select all resources in my account**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ]
  }
}
```

**Example: Select all resources in my account, but exclude EBS volumes**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ]
  }
}
```

**Example: Select all resources tagged with "backup":"true", but exclude EBS volumes**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

**Important**  
RDS, Aurora, Neptune, and DocumentDB ARNs start with `arn:aws:rds:`. Refine your selection with tags and conditional operators if you don't intend to include all those types.

**Example: Select all EBS volumes and RDS DB instances tagged with both "backup":"true" and "stage":"prod"**  
The Boolean arithmetic is similar to that in IAM policies, with those in `"Resources"` combined using a Boolean OR and those in `"Conditions"` combined with a Boolean AND.  
The `"Resources"` expression `"arn:aws:rds:*:*:db:*"` only selects RDS DB instances because there are no corresponding Aurora, Neptune, or DocumentDB resources.  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:rds:*:*:db:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        },
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"prod"
        }
      ]
    }
  }
}
```

**Example: Select all EBS volumes and RDS instances tagged with "backup":"true" but not "stage":"test"**  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:rds:*:*:db:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ],
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with "key1" and a value which begins with "include" but not with "key2" and value that contains the word "exclude"**  
You can use the wildcard character at the start, end, and middle of a string. Note the use of the wildcard character (`*`) in `include*` and `*exclude*` in this example. You can also use the wildcard character in the middle of a string, as shown in the earlier example `arn:aws:rds:*:*:db:*`.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "Conditions":{
      "StringLike":[
        {
          "ConditionKey":"aws:ResourceTag/key1",
          "ConditionValue":"include*"
        }
      ],
      "StringNotLike":[
        {
          "ConditionKey":"aws:ResourceTag/key2",
          "ConditionValue":"*exclude*"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with "backup":"true" except FSx file systems and RDS, Aurora, Neptune, and DocumentDB resources**  
Items in `NotResources` are combined using the Boolean OR.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:fsx:*",
      "arn:aws:rds:*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with a tag "backup" and any value**  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "Conditions":{
      "StringLike":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"*"
        }
      ]
    }
  }
}
```

**Example: Select all FSx file systems, the Aurora cluster "my-aurora-cluster", and all resources tagged with "backup":"true", except for resources tagged with "stage":"test"**  

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:fsx:*",
      "arn:aws:rds:*:*:cluster:my-aurora-cluster"
    ],
    "ListOfTags":[
      {
        "ConditionType":"StringEquals",
        "ConditionKey":"backup",
        "ConditionValue":"true"
      }
    ],
    "Conditions":{
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```

**Example: Select all resources tagged with tag `"backup":"true"` except for EBS volumes tagged with `"stage":"test"`**  
Use two CLI commands to create two selections to select this group of resources. The first selection applies to all resources except for EBS volumes. The second selection applies to EBS volumes.  

```
{
  "BackupSelection":{
    "Resources":[
      "*"
    ],
    "NotResources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ]
    }
  }
}
```

```
{
  "BackupSelection":{
    "Resources":[
      "arn:aws:ec2:*:*:volume/*"
    ],
    "Conditions":{
      "StringEquals":[
        {
          "ConditionKey":"aws:ResourceTag/backup",
          "ConditionValue":"true"
        }
      ],
      "StringNotEquals":[
        {
          "ConditionKey":"aws:ResourceTag/stage",
          "ConditionValue":"test"
        }
      ]
    }
  }
}
```
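The following added example (not AWS code and not part of the original page) evaluates the two selections above against a constructed inventory, so you can see which resources a plan would leave unprotected before you create the selections. It models only `Resources`, `NotResources`, and `Conditions` as this page describes them, not `ListOfTags` or service opt-in settings. It assumes that a missing tag fails a positive operator and satisfies a negated one; the account ID and resource names are made up.

```python
import re

TAG_PREFIX = "aws:ResourceTag/"

def wildcard_match(pattern, value):
    """Case-sensitive match where `*` is zero or more non-whitespace characters."""
    regex = r"\S*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

# operator -> (matcher, negated)
OPERATORS = {
    "StringEquals": (lambda pattern, value: pattern == value, False),
    "StringNotEquals": (lambda pattern, value: pattern == value, True),
    "StringLike": (wildcard_match, False),
    "StringNotLike": (wildcard_match, True),
}

def condition_holds(operator, condition, tags):
    matcher, negated = OPERATORS[operator]
    key = condition["ConditionKey"]
    if not key.startswith(TAG_PREFIX):
        raise ValueError(f"unsupported condition key: {key}")
    value = tags.get(key[len(TAG_PREFIX):])
    # Assumption: a missing tag fails a positive operator and satisfies a negated one.
    matched = value is not None and matcher(condition["ConditionValue"], value)
    return matched != negated

def is_selected(selection, arn, tags):
    """Resources are ORed, NotResources are ORed exclusions, Conditions are ANDed."""
    if not any(wildcard_match(p, arn) for p in selection.get("Resources", [])):
        return False
    if any(wildcard_match(p, arn) for p in selection.get("NotResources", [])):
        return False
    return all(condition_holds(op, cond, tags)
               for op, conds in selection.get("Conditions", {}).items()
               for cond in conds)

def covered(selections, inventory):
    """ARNs picked up by at least one selection assigned to the plan."""
    return sorted(arn for arn, tags in inventory.items()
                  if any(is_selected(s, arn, tags) for s in selections))

BACKUP_TRUE = {"ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true"}
STAGE_TEST = {"ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test"}
EBS = "arn:aws:ec2:*:*:volume/*"

# The two selections from the example above (inner "BackupSelection" objects only).
SELECTIONS = [
    {"Resources": ["*"], "NotResources": [EBS],
     "Conditions": {"StringEquals": [BACKUP_TRUE]}},
    {"Resources": [EBS],
     "Conditions": {"StringEquals": [BACKUP_TRUE], "StringNotEquals": [STAGE_TEST]}},
]

# Constructed inventory: ARN -> tags. Account ID and resource names are made up.
BASE = "us-east-1:111122223333"
INVENTORY = {
    f"arn:aws:ec2:{BASE}:volume/vol-0aaa": {"backup": "true", "stage": "prod"},
    f"arn:aws:ec2:{BASE}:volume/vol-0bbb": {"backup": "true", "stage": "test"},
    f"arn:aws:ec2:{BASE}:volume/vol-0ccc": {"backup": "true"},
    f"arn:aws:rds:{BASE}:db:orders": {"backup": "true", "stage": "test"},
    f"arn:aws:elasticfilesystem:{BASE}:file-system/fs-0ddd": {"backup": "True"},
    f"arn:aws:dynamodb:{BASE}:table/sessions": {},
}

if __name__ == "__main__":
    selected = covered(SELECTIONS, INVENTORY)
    for arn in INVENTORY:
        print("BACKED UP  " if arn in selected else "NOT COVERED", arn)
```

The file system tagged `backup: True` is reported as not covered because tag values are case sensitive, which is an easy way for a resource to fall out of a tag-based plan unnoticed.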

# Assign AWS Backup resources through CloudFormation
<a name="assigning-resources-cfn"></a>

This end-to-end CloudFormation template creates a resource assignment, a backup plan, and a destination backup vault:
+ A backup vault named *CloudFormationTestBackupVault*.
+ A backup plan named *CloudFormationTestBackupPlan*. This plan contains two backup rules, both of which take backups daily at 12 noon UTC and retain them for 210 days.
+ A resource selection named *BackupSelectionName*.
  + The resource assignment backs up the following resources:
    + Any resource tagged with the key-value pair `backupplan:dsi-sandbox-daily`.
    + Any resource tagged with the value `prod` or values beginning with `prod/`.
  + The resource assignment does not back up the following resources:
    + Any RDS, Aurora, Neptune, or DocumentDB cluster.
    + Any resource tagged with the value `test` or values beginning with `test/`.

```
Description: "Template that creates Backup Selection and its dependencies"
Parameters:
  BackupVaultName:
    Type: String
    Default: "CloudFormationTestBackupVault"
  BackupPlanName:
    Type: String
    Default: "CloudFormationTestBackupPlan"
  BackupSelectionName: 
    Type: String
    Default: "CloudFormationTestBackupSelection"
  BackupPlanTagValue:
    Type: String
    Default: "test-value-1"
  RuleName1:
    Type: String
    Default: "TestRule1"
  RuleName2:
    Type: String
    Default: "TestRule2"
  ScheduleExpression:
    Type: String
    Default: "cron(0 12 * * ? *)"
  StartWindowMinutes:
    Type: Number
    Default: 60
  CompletionWindowMinutes:
    Type: Number
    Default: 120
  RecoveryPointTagValue:
    Type: String
    Default: "test-recovery-point-value"
  MoveToColdStorageAfterDays:
    Type: Number
    Default: 120
  DeleteAfterDays:
    Type: Number
    Default: 210
Resources:
  CloudFormationTestBackupVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref BackupVaultName
  BasicBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref BackupPlanName
        BackupPlanRule:
          - RuleName: !Ref RuleName1
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
          - RuleName: !Ref RuleName2
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
      BackupPlanTags:
        test-key-1: !Ref BackupPlanTagValue
    DependsOn: CloudFormationTestBackupVault
 
  TestRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  BasicBackupSelection:
    Type: 'AWS::Backup::BackupSelection'
    Properties:
      BackupPlanId: !Ref BasicBackupPlan
      BackupSelection:
        SelectionName: !Ref BackupSelectionName
        IamRoleArn: !GetAtt TestRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backupplan
            ConditionValue: dsi-sandbox-daily
        NotResources:
          - 'arn:aws:rds:*:*:cluster:*'
        Conditions:
          StringEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod
          StringNotEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test
          StringLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod/*
          StringNotLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test/*
```

## Backup plan resource assignments quotas
<a name="assigning-resources-quotas"></a>

The following quotas apply to a single resource assignment:
+ 500 Amazon Resource Names (ARNs) without wildcards
+ 30 ARNs with wildcard expressions
+ 30 conditions
+ 30 tags per resource assignment (and an unlimited number of resources per tag)