Step 1: Delete restored AWS resources
To delete AWS resources that you restored from a recovery point, such as Amazon Elastic Block Store (Amazon EBS) volumes or Amazon DynamoDB tables, you use the console for that service. For example, to delete an Amazon Elastic File System (Amazon EFS) file system, use the Amazon EFS console.
Note
This information refers to restored resources, not to recovery points stored in a backup vault.
Step 2: Delete the backup plan
If you don't want to create scheduled backups, you should delete your backup plans. Before you can delete a backup plan, you must delete all resource assignments to that backup plan.
Follow these steps to delete a backup plan:
To delete a backup plan
1. Open the AWS Backup console at https://console.aws.amazon.com/backup.
2. In the navigation pane, choose Backup plans.
3. On the Backup plans page, choose the backup plan that you want to delete. This takes you to the details page for that backup.
4. To delete the resource assignments for your plan, choose the radio button next to the assignment name, and then choose Delete.
5. To delete the backup plan, choose Delete in the upper-right corner of the page.
6. On the confirmation page, enter the plan name, and choose Delete plan.
Step 3: Delete the recovery points
Next, you can delete the backup recovery points that are in your backup vault.
To delete the recovery points
1. On the AWS Backup console, in the navigation pane, choose Backup vaults.
2. On the Backup vaults page, choose the backup vault where you stored the backups.
3. Check the recovery point and choose Delete.
4. If you are deleting more than one recovery point, follow these steps:
a. If your list contains a continuous backup, choose whether to keep or delete your continuous backup data.
b. To delete all the recovery points listed, type delete, and then choose Delete recovery points.
Keep your browser tab open until you see the green success banner at the top of the page.
Prematurely closing this tab will end the deletion process and might leave behind some of the recovery points you wanted to delete. For more information, see Deleting backups.
Step 4: Delete the backup vault
You can't delete the default backup vault in AWS Backup. However, if you created a different backup vault, empty the backup vault by deleting the backups. Then select the backup vault and choose Delete.
Step 5: Delete the report plan
Your report plan automatically sends a new report daily. To prevent this, delete the report plan.
To delete the report plan
1. On the AWS Backup console, in the navigation pane, choose Reports.
2. Under Report plan name, choose the name of your report plan.
3. Choose Delete.
4. Enter your report plan name, and choose Delete report plan.
Step 6: Delete the reports
You can delete your reports by following the instructions for Deleting a single object for each of your reports. If you no longer need your destination S3 bucket, after deleting all the objects from the bucket, you can delete the bucket by following the instructions for Deleting a bucket.
Managing backups using backup plans
In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.
AWS Backup efficiently stores your periodic backups incrementally. The first backup of an AWS resource backs up a full copy of your data. For each successive incremental backup, only the changes to your AWS resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs.
AWS Backup also seamlessly manages your backup chain, allowing you to restore at any time. This includes after your backup plan's lifecycle automatically deletes your only full backup because it has exceeded the retention period you defined.
The following sections provide the basics of managing your backup strategy in AWS Backup.
Topics
• Creating a backup plan
• Assigning resources to a backup plan
• Deleting a backup plan
• Updating a backup plan
Creating a backup plan
You can create a backup plan using the AWS Backup console, API, CLI, SDK, or an AWS CloudFormation template.
Topics
• Creating backup plans using the AWS Backup console
• Creating backup plans using a JSON document and the AWS Backup CLI
• Backup plan options and configuration
• AWS CloudFormation templates for backup plans
Creating backup plans using the AWS Backup console
AWS Backup provides different ways to get started using the AWS Backup console:
• Start from an existing plan — You can create a new backup plan based on the configurations in an existing plan. Existing plans provided by AWS Backup are based on best practices and common backup policy configurations. When you select an existing backup plan to start from, the configurations from that backup plan are automatically populated for your new backup plan. You can then change any of these configurations according to your backup requirements.
For step-by-step instructions, see Step 1: Create a backup plan based on an existing one (p. 23) in the Getting Started section.
• Build a new plan from scratch — You can create a new backup plan by specifying each of the backup configuration details described in the following sections. You can choose from the recommended default configurations.
If you try to create a backup plan that is identical to an existing plan, you get an AlreadyExistsException error.
Creating backup plans using a JSON document and the AWS Backup CLI
You can also define your backup plan in a JSON document and provide it using the AWS Backup console or AWS CLI. The following JSON document contains a sample backup plan that creates backups hourly on the hour. It automatically deletes a backup after retaining it for one year.
{
  "BackupPlan": {
    "BackupPlanName": "test-plan",
    "Rules": [
      {
        "RuleName": "test-rule",
        "TargetBackupVaultName": "test-vault",
        "ScheduleExpression": "cron(15 * ? * * *)",
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 600,
        "Lifecycle": {
          "DeleteAfterDays": 365
        }
      }
    ]
  }
}
Assuming you store the preceding JSON document as test-backup-plan.json, you can use the following CLI command to create it in AWS Backup.
aws backup create-backup-plan --cli-input-json file:///PATH-TO-FILE/test-backup-plan.json
Backup plan options and configuration
When you define a backup plan in the AWS Backup console, you configure the following options:
Backup plan name
You must provide a unique backup plan name.
If you choose a name that is identical to the name of an existing plan, you will receive an error message.
Backup rules
Backup plans are composed of one or more backup rules. To add backup rules to a backup plan, or to edit existing rules in a backup plan:
1. From the AWS Backup console, in the left navigation pane, choose Backup plans.
2. Under Backup plan name, select a backup plan.
3. Under the Backup rules section:
• To add a backup rule, choose Add backup rule.
• To edit an existing backup rule, select a rule, then choose Edit.
Note
If you have a backup plan with multiple rules and the time frames of two rules overlap, AWS Backup optimizes the backup and takes a backup for the rule with the longer retention time.
The optimization takes into account the full start window, not just when the daily backup is taken.
Each backup rule consists of the following elements.
Backup rule name
Backup rule names are case sensitive. They must contain from 1 to 50 alphanumeric characters or hyphens.
Backup frequency
The backup frequency determines how often AWS Backup creates a snapshot backup. Using the console, you can choose a frequency of every hour, 12 hours, daily, weekly, or monthly. You can also create a cron expression that creates snapshot backups as frequently as hourly. Using the AWS Backup CLI, you can schedule snapshot backups as frequently as hourly.
If you select weekly, you can specify which days of the week you want backups to be taken. If you select monthly, you can choose a specific day of the month.
You can also check the Enable continuous backups for supported resources checkbox to create a point-in-time restore (PITR)-enabled continuous backup rule. Unlike snapshot backups, continuous backups allow you to perform point-in-time restore. To learn more about continuous backups, see Point-in-Time Recovery.
Backup window
Backup windows consist of the time that the backup window begins and the duration of the window in hours. Backup jobs are started within this window. If you are unsure what backup window to use, you can choose to use the default backup window that AWS Backup recommends. The default backup window is set to start at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours.
Note
You can customize the backup frequency and backup window start time using a cron expression. To see the six fields of AWS cron expressions, see Schedule Expressions for Rules in the Amazon CloudWatch Events User Guide. Two examples of AWS cron expressions are 15 * ? * * * (take a backup every hour at 15 minutes past the hour) and 0 12 * * ? * (take a backup every day at 12 noon UTC). For a table of examples, click the preceding link and scroll down the page.
AWS Backup evaluates cron expressions between 00:00 and 23:59 UTC. If you create a backup rule for "every 12 hours" but provide a start time of later than 11:59, it will only run once per day.
Note
In general, AWS database services cannot start backups 1 hour before or during their maintenance window and Amazon FSx cannot start backups 4 hours before or during their maintenance window or automatic backup window. Snapshot backups scheduled during those times will fail. One exception: when you opt in to using AWS Backup for both snapshot and continuous backups for a supported service, you no longer need to worry about those windows because AWS Backup will schedule them for you. See Point-in-Time Recovery for a list of supported services and instructions on how to use AWS Backup to take continuous backups.
Overlapping backup rules
On occasion, a backup plan might contain multiple, overlapping rules. When the start windows of different rules overlap, AWS Backup retains the backup under the rule with the longer retention period.
For example, consider a backup plan with two rules:
1. Backup hourly, with a 1-hour start window, and retain for 1 day.
2. Backup every 12 hours, with an 8-hour start window, and retain for 1 week.
After 24 hours, the second rule creates two backups (because it has the longer retention period). The first rule creates eight backups (because the second rule's 8-hour start window prevented more hourly backups from running). Specifically:
During this Start Window    This Rule Creates 1 Backup
Midnight to 8AM             12 hours
8 to 9                      Hourly
9 to 10                     Hourly
10 to 11                    Hourly
11 to Noon                  Hourly
Noon to 8PM                 12 hours
8 to 9                      Hourly
9 to 10                     Hourly
10 to 11                    Hourly
11 to Midnight              Hourly
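The overlap behaviour in the table above can be modelled to find how long a plan actually goes without a new recovery point. This is an added example, not AWS code: the Rule class and function names are hypothetical, and it assumes each backup starts at the beginning of its start window and that schedules begin at 00:00 UTC.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    every_hours: int         # schedule period; first start assumed at 00:00 UTC
    start_window_hours: int
    retention_days: int


def start_windows(rule):
    """(start, end) hour pairs of the rule's start windows in one UTC day."""
    return [(s, s + rule.start_window_hours) for s in range(0, 24, rule.every_hours)]


def simulate_day(rules):
    """Map each rule name to the start hours at which it creates a backup.

    Model of the text above: a scheduled start is skipped when it falls inside
    the start window of a rule with a longer retention period.
    """
    result = {}
    for rule in rules:
        blocking = [w for other in rules
                    if other.retention_days > rule.retention_days
                    for w in start_windows(other)]
        result[rule.name] = [
            s for s, _ in start_windows(rule)
            # s + 24 catches a blocking window that wraps past midnight
            if not any(lo <= h < hi for lo, hi in blocking for h in (s, s + 24))
        ]
    return result


def largest_gap_hours(result):
    """Longest stretch between consecutive backups, wrapping to the next day."""
    starts = sorted({s for hours in result.values() for s in hours})
    if not starts:
        return None
    wrapped = starts + [starts[0] + 24]
    return max(b - a for a, b in zip(wrapped, wrapped[1:]))


# The two rules from the example above.
PAGE_RULES = [
    Rule("hourly", every_hours=1, start_window_hours=1, retention_days=1),
    Rule("12-hourly", every_hours=12, start_window_hours=8, retention_days=7),
]

if __name__ == "__main__":
    day = simulate_day(PAGE_RULES)
    for name, hours in day.items():
        print(f"{name}: {len(hours)} backups at hours {hours}")
    print("largest gap between backups:", largest_gap_hours(day), "hours")
```

For the plan above, the hourly rule leaves gaps of up to 8 hours, which matters when the hourly rule was meant to set the recovery point objective.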
Lifecycle
The lifecycle defines when a backup is transitioned to cold storage and when it expires. AWS Backup transitions and expires backups automatically according to the lifecycle that you define.
If you want your backups to be incremental, you must have at least one warm backup. Because each backup to cold storage is a full backup, AWS Backup recommends that you set your lifecycle settings to not move your backup to cold storage until after at least 8 days.
If you set your lifecycle to back up to cold storage after 1 day, each of those backups will be a full backup. This might be less cost effective than a less regular transfer to cold storage.
Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90 days.
Therefore, on the console, the “retention” setting must be 90 days longer than the “transition to cold after days” setting. You can't change the “transition to cold after days” setting after a backup has been transitioned to cold.
Note
• To see the list of resources that you can transition to cold storage, see the "Lifecycle to cold storage" section of the Feature availability by resource (p. 2) table. The cold storage expression is ignored for other resources.
• When backups reach the end of their lifecycle and are marked for deletion as part of your lifecycle policy, AWS Backup deletes the backups at a randomly chosen point over the following 8 hours. This 8-hour window helps ensure consistent performance for deletion.
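The rule-name, cron, and lifecycle constraints described in the sections above can be checked on a plan document before it is passed to create-backup-plan. This is an added example, not AWS code: lint_backup_plan is a hypothetical helper, MoveToColdStorageAfterDays is the Lifecycle field behind the "transition to cold after days" setting, and BAD_PLAN is constructed for illustration.

```python
import re

RULE_NAME = re.compile(r"^[A-Za-z0-9-]{1,50}$")  # constraint as stated on this page
CRON = re.compile(r"^cron\((.+)\)$")
MIN_COLD_DAYS = 90          # minimum stay in cold storage
RECOMMENDED_WARM_DAYS = 8   # recommended minimum age before moving to cold


def lint_backup_plan(document):
    """Return (severity, rule name, message) findings for a backup plan document."""
    findings = []
    plan = document.get("BackupPlan", {})
    if not plan.get("BackupPlanName"):
        findings.append(("error", "-", "BackupPlanName is missing"))
    rules = plan.get("Rules", [])
    if not rules:
        findings.append(("error", "-", "plan has no backup rules"))
    for rule in rules:
        name = rule.get("RuleName", "")
        if not RULE_NAME.match(name):
            findings.append(("error", name, "RuleName must be 1 to 50 alphanumerics or hyphens"))
        expr = rule.get("ScheduleExpression")
        if expr is not None:
            match = CRON.match(expr)
            fields = match.group(1).split() if match else []
            if len(fields) != 6:
                findings.append(("error", name, "schedule must be cron(...) with six fields"))
            elif "?" not in (fields[2], fields[4]):
                # AWS cron: day-of-month and day-of-week cannot both carry a value
                findings.append(("error", name, "day-of-month or day-of-week must be '?'"))
        lifecycle = rule.get("Lifecycle", {})
        cold = lifecycle.get("MoveToColdStorageAfterDays")
        delete = lifecycle.get("DeleteAfterDays")
        if cold is not None:
            if delete is not None and delete < cold + MIN_COLD_DAYS:
                findings.append(("error", name, "retention must be at least 90 days past the cold transition"))
            if cold < RECOMMENDED_WARM_DAYS:
                findings.append(("warning", name, "cold transition before day 8 turns each backup into a full backup"))
    return findings


# The sample plan from this page.
PAGE_PLAN = {"BackupPlan": {"BackupPlanName": "test-plan", "Rules": [{
    "RuleName": "test-rule", "TargetBackupVaultName": "test-vault",
    "ScheduleExpression": "cron(15 * ? * * *)", "StartWindowMinutes": 60,
    "CompletionWindowMinutes": 600, "Lifecycle": {"DeleteAfterDays": 365}}]}}

# Constructed plan that breaks the name, cron and lifecycle rules.
BAD_PLAN = {"BackupPlan": {"BackupPlanName": "bad-plan", "Rules": [{
    "RuleName": "nightly rule!", "TargetBackupVaultName": "test-vault",
    "ScheduleExpression": "cron(0 5 * * * *)",
    "Lifecycle": {"MoveToColdStorageAfterDays": 1, "DeleteAfterDays": 30}}]}}

if __name__ == "__main__":
    for label, doc in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        print(label, lint_backup_plan(doc) or "no findings")
```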
Backup vault
A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own. For step-by-step instructions for creating a backup vault, see Step 3: Create a backup vault (p. 24).
Copy to Regions
As part of your backup plan, you can optionally create a backup copy in another AWS Region. For more information about backup copies, see https://docs.aws.amazon.com/aws-backup/latest/devguide/recov-point-create-a-copy.html#create-cross-account-backup.
When you define a backup copy, you configure the following options:
Destination Region
The destination Region for the backup copy.
(Advanced Settings) Backup vault
The destination backup vault for the copy.
(Advanced Settings) IAM Role
The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you choose Default and the AWS Backup default role is not present in your account, a role is created for you with the correct permissions.
(Advanced Settings) Lifecycle
Specifies when to transition the backup copy to cold storage and when to expire (delete) the copy.
Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. You can't change this value after a copy has transitioned to cold storage.
Expire specifies the number of days after creation that the copy is deleted. This must be greater than 90 days beyond the Transition to cold storage value.
Tags added to recovery points
The tags that you list here are automatically added to backups when they are created.
Tags added to backup plans
These tags are associated with the backup plan itself to help you organize and track your backup plan.
Advanced backup settings
Enables application consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. AWS Backup excludes specific Amazon EC2 instance types from Windows VSS backups. For more information, see Creating Windows VSS backups (p. 83).
AWS CloudFormation templates for backup plans
We provide two sample AWS CloudFormation templates for your reference. The first template creates a simple backup plan. The second template enables VSS backups in a backup plan.
Note
If you are using the default service role, replace service-role with AWSBackupServiceRolePolicyForBackup.
Description: backup plan template to back up all resources daily at 5am UTC, and tag all recovery points with backup:daily.
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn
  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          - RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"
    DependsOn: BackupVaultWithDailyBackups
  DDBTableWithDailyBackupTag:
    Type: "AWS::DynamoDB::Table"
    Properties:
      # Placeholder key schema (assumed; the table's own key attributes are not shown in this listing)
      AttributeDefinitions:
        - AttributeName: "Id"
          AttributeType: "S"
      KeySchema:
        - AttributeName: "Id"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      Tags:
        - Key: "backup"
          Value: "daily"
  BackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Trust policy: lists AWS Backup as a trusted entity so it can assume this role
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/service-role"
  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          - ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "daily"
      BackupPlanId: !Ref BackupPlanWithDailyBackups
    DependsOn: BackupPlanWithDailyBackups
Description: backup plan template to enable Windows VSS and add backup rule to take backup of assigned resources daily at 5am UTC.
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn
  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        AdvancedBackupSettings:
          - ResourceType: EC2
            BackupOptions:
              WindowsVSS: enabled
        BackupPlanRule:
          - RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"
    DependsOn: BackupVaultWithDailyBackups
Assigning resources to a backup plan
Resource assignment specifies which resources AWS Backup will protect using your backup plan. AWS Backup gives you both simple default settings and fine-grained controls to assign resources to your backup plan. Each time your backup plan runs, it scans your AWS account for all resources that match your resource assignment criteria. This level of automation allows you to define your backup plan and resource assignment exactly once. AWS Backup abstracts away the work of finding and backing up new resources that fit your earlier-defined resource assignment.
You can assign any AWS Backup-supported resource types that you have opted in for AWS Backup to manage. For instructions on how to opt in to more AWS Backup-supported resource types, see Getting started 1: Service Opt-in.
Your resource assignment can include (or exclude) resource types and resources.
• A resource type includes every instance or resource of an AWS Backup-supported AWS service or third-party application. For example, the DynamoDB resource type refers to all your DynamoDB tables.
• A resource is a single instance of a resource type, such as one of your DynamoDB tables. You can specify a resource using its unique resource ID.
You can further refine your resource assignment using tags and conditional operators.
Topics
• Assigning resources using the console
• Assigning resources programmatically
• Assigning resources using AWS CloudFormation
• Quotas on resource assignment
Assigning resources using the console
To navigate to the Assign resources page:
1. Open the AWS Backup console at https://console.aws.amazon.com/backup.
2. Choose Backup plans.
3. Choose Create Backup plan.
4. Select any template in the Choose template dropdown list, then choose Create plan.
5. Type in a Backup plan name.
6. Choose Create plan.
7. Choose Assign resources.
To begin your resource assignment, in the General section:
1. Type in a Resource assignment name.
2. Choose the Default role or Choose an IAM role.
Note
If you choose an IAM role, verify that it has permission to back up all the resources you are about to assign. If your role encounters a resource that it doesn't have permission to back up, your backup plan will fail.
To assign your resources, in the Assign resources section, choose one of the two options under Define resource selection:
• Include all resource types. This option configures your backup plan to protect all current and future AWS Backup-supported resources assigned to your backup plan. Use this option to quickly and easily protect your data estate.
When you choose this option, you can optionally Refine selection using tags as the next step.
• Include specific resource types. When you choose this option, you must Select specific resource types with the following steps:
1. Using the Select resource types dropdown menu, assign one or more resource types.