This is an AWS Backup implementation using Terraform with security and operational best practices in mind.
The following services are supported:
- RDS
- EBS
- EFS
- DynamoDB
- AWS Backup selects resources to backup using resource tags. The resource tags determine the backup plan to use.
- A Lambda function identifies resources without the `backup_policy` tag, auto-tags those resources with the default backup plan and notifies the operations team.
- Backups are performed using the AWS Backup service. All backups are stored in a backup vault named `backup_vault`.
This Terraform config adds extra security to the AWS Backup vault setup by applying a resource policy that prevents any user from:
- Removing the recovery points
- Removing the backup vault
- Changing or removing the resource policy which imposes the previous restrictions

This means that only the root account will ever be able to remove this backup vault! The backup vault will survive even in a scenario where a privileged IAM principal with `*:*` permissions is compromised.
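The following is an added example of how such a vault resource policy can be expressed in Terraform; it is not the project's own `backup-vault.tf` and the resource names are assumptions. It goes one step beyond the three restrictions listed above by also denying `backup:UpdateRecoveryPointLifecycle`, so that a compromised principal cannot shorten the retention of existing recovery points as an indirect way of destroying them.

```hcl
# Added example (not the project's own vault configuration). Resource names
# are assumptions; the vault name matches the one used throughout this README.
resource "aws_backup_vault" "backup_vault" {
  name = "backup_vault"
}

# Resource-based policy attached to the vault. An explicit Deny for every
# principal blocks deletion of recovery points, deletion of the vault, and any
# change to (or removal of) this policy itself. UpdateRecoveryPointLifecycle is
# also denied so retention cannot be shortened to force early expiry.
resource "aws_backup_vault_policy" "deny_deletion" {
  backup_vault_name = "${aws_backup_vault.backup_vault.name}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVaultAndRecoveryPointDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteRecoveryPoint",
        "backup:PutBackupVaultAccessPolicy",
        "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}
```

Because `backup:PutBackupVaultAccessPolicy` is itself denied, a mistake in this document cannot be corrected afterwards by ordinary IAM principals: review the `terraform plan` output carefully and apply it first in a non-production account. Expect `terraform destroy` to fail on this vault; that is the intended behaviour.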
Review the `backup-plan.tf` file and customize the `aws_backup_plan` resources to match your company policies. This is an example resource definition:

```hcl
resource "aws_backup_plan" "daily_two_weeks" {
  name = "daily_two_weeks"

  rule {
    rule_name         = "daily_two_weeks"
    target_vault_name = "${aws_backup_vault.backup_vault.name}"
    # every day at 3am
    schedule          = "cron(0 3 * * ? *)"

    lifecycle {
      delete_after = "14"
    }
  }
}
```
Customize the `name`, `schedule` and `lifecycle` to match your company requirements. Then create a selector similar to the following:
```hcl
resource "aws_backup_selection" "daily_two_weeks_selection" {
  plan_id      = "${aws_backup_plan.daily_two_weeks.id}"
  name         = "daily_two_weeks_selection"
  iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/AWSBackupDefaultServiceRole"

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup_policy"
    value = "daily_two_weeks"
  }
}
```

The `aws_backup_selection` resource is used to match the resources for the `aws_backup_plan`. In this case the resources with a `backup_policy` tag whose value is `daily_two_weeks` are selected and associated with the `plan_id`.
The `backup-plan.tf` file contains a more complex backup plan which is inspired by the Grandfather-father-son strategy.
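As an added illustration of what a Grandfather-father-son plan looks like in this setup (this is not the plan shipped in `backup-plan.tf`; the plan name `gfs`, the rule names, the schedules and the retention periods are all assumptions), one `aws_backup_plan` carries three rules with increasing retention, and a single selection ties it to the `backup_policy` tag using the same convention as the `daily_two_weeks` example above. It reuses the page's `aws_backup_vault.backup_vault` and `data.aws_caller_identity.current` references.

```hcl
# Added example (not the project's own backup-plan.tf). Plan name, rule names,
# schedules and retention periods are assumptions chosen for illustration.
resource "aws_backup_plan" "gfs" {
  name = "gfs"

  # "Son": a daily backup, kept for two weeks
  rule {
    rule_name         = "gfs_daily"
    target_vault_name = "${aws_backup_vault.backup_vault.name}"
    # every day at 3am
    schedule          = "cron(0 3 * * ? *)"

    lifecycle {
      delete_after = "14"
    }
  }

  # "Father": a weekly backup taken on Sunday, kept for three months
  rule {
    rule_name         = "gfs_weekly"
    target_vault_name = "${aws_backup_vault.backup_vault.name}"
    # every Sunday at 4am (AWS cron: minute hour day-of-month month day-of-week year)
    schedule          = "cron(0 4 ? * SUN *)"

    lifecycle {
      delete_after = "90"
    }
  }

  # "Grandfather": a monthly backup taken on the 1st, kept for one year
  rule {
    rule_name         = "gfs_monthly"
    target_vault_name = "${aws_backup_vault.backup_vault.name}"
    # the first day of every month at 5am
    schedule          = "cron(0 5 1 * ? *)"

    lifecycle {
      delete_after = "365"
    }
  }
}

# Resources opt in to the plan with the tag backup_policy = gfs, following the
# same tag-value-equals-plan-name convention used for daily_two_weeks.
resource "aws_backup_selection" "gfs_selection" {
  plan_id      = "${aws_backup_plan.gfs.id}"
  name         = "gfs_selection"
  iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/AWSBackupDefaultServiceRole"

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup_policy"
    value = "gfs"
  }
}
```

Each rule targets the same locked-down vault, so all three generations inherit the deletion protection of its resource policy. Keep the tag value identical to the plan `name`: the Lambda function and the operations team rely on that convention to tell which plan a resource belongs to.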
Edit the `variables.tf` configuration to define the `to` and `from` email addresses to be used by the Lambda function to send notifications. The `from` email address will require you to perform an SES verification. In other words, after applying these Terraform configs you will have to go to the email inbox for the `from` email address and click on a verification link that will allow the Lambda function to send emails from this address.
After customization, configure your credentials in `~/.aws/credentials` and use the following commands to deploy:

```shell
cd aws-backup/
terraform init
terraform plan -var profile=awsbackup -var region=us-east-1
terraform apply -var profile=awsbackup -var region=us-east-1
```
Manually tag all resources in your infrastructure using a tag named `backup_policy` whose value is the name of one of the `aws_backup_plan` resources. Any resource that AWS Backup can manage but that was not manually tagged will be reported by the Lambda function to the operations team.
AWS Backup selects resources per region, so this solution needs to be deployed multiple times, once for each region where your company is creating resources.
It is possible to disable backups for a specific resource using the tag `backup_policy` with value `none`. This will prevent AWS Backup from running backups on the resource and the Lambda function from sending notifications.
The Lambda function runs every day and inspects the infrastructure looking for resources which have no backups enabled (no `backup_policy` tag). When such a resource is found the Lambda function will:
- auto-tag it with `backup_policy: daily_two_weeks`
- notify the infrastructure team, as they might want to change the backup policy and update the Terraform configs.
The recommended steps for restoring a backup can be found in the AWS documentation.

Use `terraform fmt` to keep the configuration files formatted:

```shell
terraform fmt
```