Assigning resources to a backup plan - AWS Backup

Assigning resources to a backup plan

Resource assignment specifies which resources AWS Backup will protect using your backup plan. AWS Backup gives you both simple default settings and fine-grained controls to assign resources to your backup plan. Each time your backup plan runs, it scans your AWS account for all resources that match your resource assignment criteria. This level of automation allows you to define your backup plan and resource assignment exactly once. AWS Backup abstracts away the work of finding and backing up new resources that fit your earlier-defined resource assignment.

You can assign any AWS Backup-supported resource types that you have opted in for AWS Backup to manage. For instructions on how to opt in to more AWS Backup-supported resource types, see Getting started 1: Service Opt-in.

The AWS Backup console has two ways to include resource types in a backup plan: explicitly assign the resource type in a backup plan or include all resources. See the points below to understand how these selections work with service opt-ins.

  • If resource assignments are only based on tags, then service opt-in settings are applied.

  • If a resource type is explicitly assigned to a backup plan, it will be included in the backup even if the opt-in is not enabled for that particular service. This does not apply to Aurora, Neptune, and Amazon DocumentDB. For these services to be included, the opt-in must be enabled.

  • If both a resource type and tags are specified in a resource assignment, the resource type specified in the backup plan takes priority over the tag condition. Service opt-in settings are disregarded in this situation.

  • For Amazon FSx for NetApp ONTAP, when using tag-based resource selection, apply tags to individual volumes instead of the whole file system.

Your resource assignment can include (or exclude) resource types and resources.

  • A resource type includes every instance or resource of an AWS Backup-supported AWS service or third-party application. For example, the DynamoDB resource type refers to all your DynamoDB tables.

  • A resource is a single instance of a resource type, such as one of your DynamoDB tables. You can specify a resource using its unique resource ID.

You can further refine your resource assignment using tags and conditional operators.

Assigning resources using the console

To navigate to the Assign resources page:
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. Choose Backup plans.

  3. Choose Create Backup plan.

  4. Select any template in the Choose template dropdown list, then choose Create plan.

  5. Type in a Backup plan name.

  6. Choose Create plan.

  7. Choose Assign resources.

To begin your resource assignment, in the General section:
  1. Type in a Resource assignment name.

  2. Choose the Default role or Choose an IAM role.

    Note

    If you choose an IAM role, verify that it has permission to back up all the resources you are about to assign. If your role encounters a resource that it doesn't have permission to back up, your backup plan will fail.

To assign your resources, in the Assign resources section, choose one of the two options under Define resource selection:

  • Include all resource types. This option configures your backup plan to protect all current and future AWS Backup-supported resources assigned to your backup plan. Use this option to quickly and easily protect your data estate.

    When you choose this option, you can optionally Refine selection using tags as the next step.

  • Include specific resource types. When you choose this option, you must Select specific resource types with the following steps:

    1. Using the Select resource types dropdown menu, assign one or more resource types.

      Important

      RDS, Aurora, Neptune, and DocumentDB share the same Amazon Resource Name (ARN). Opting in to manage one of these resource types with AWS Backup opts in to all of them when assigning it to a backup plan. To refine your selection, use tags and conditional operators.

      Once you finish, AWS Backup presents the list of resource types you selected and their default setting, which is to protect all resources of each selected resource type.

    2. Optionally, if you want to exclude specific resources from a resource type you selected:

      1. Use the Choose resources dropdown menu and deselect the default option.

      2. Select the specific resources to assign to your backup plan.

    3. Optionally, you can Exclude specific resource IDs from the selected resource types. Use this option if you want to exclude one or a few resources out of many, because doing so might be faster than selecting many resources during the previous step. You must include a resource type before you can exclude resources from that resource type. Exclude a resource ID using the following steps:

      1. Under Exclude specific resource IDs from the selected resource types, choose one or more of the resource types that you included using Select resource types.

      2. For each resource type, use the Choose resources menu to select one or more resources to exclude.

In addition to your previous choices, you can make even more granular selections using the optional Refine selection using tags feature. This feature allows you to refine your current selection to include a subset of your resources using tags.

Tags are key-value pairs that you can assign to specific resources to help you identify, organize, and filter your resources. Tags are case sensitive. For more information, see Tagging AWS resources in the AWS General Reference.

When you refine your selection using two or more tags, the effect is an AND condition. For example, if you refine your selection using two tags, env: prod and role: application, you only assign resources with BOTH tags to your backup plan.

To refine your selection using tags:
  1. Under Refine selection using tags, choose a Key from the dropdown list.

  2. Choose a Condition for value from the dropdown list.

    • Value refers to the next input, the value of your key-value pair.

    • Condition can be Equals, Contains, Begins with, or Ends with, or their inverse: Does not equal, Does not contain, Does not begin with, or Does not end with.

  3. Choose a Value from the dropdown list.

  4. To further refine using another tag, choose Add tag.

Assigning resources programmatically

You can define a resource assignment in a JSON document. This sample resource assignment assigns all Amazon EC2 instances to the backup plan BACKUP-PLAN-ID:

{
  "BackupPlanId": "BACKUP-PLAN-ID",
  "BackupSelection": {
    "SelectionName": "resources-list-selection",
    "IamRoleArn": "arn:aws:iam::ACCOUNT-ID:role/IAM-ROLE-ARN",
    "Resources": [
      "arn:aws:ec2:*:*:instance/*"
    ]
  }
}

Assuming this JSON is stored as backup-selection.json, you can assign these resources to your backup plan using the following CLI command:

aws backup create-backup-selection --cli-input-json file://PATH-TO-FILE/backup-selection.json

The following are example resource assignments, along with the corresponding JSON document. To make this table easier for you to read, the examples omit the fields "BackupPlanId", "SelectionName", and "IamRoleArn". The wildcard * represents zero or more non-whitespace characters.

Example: Select all resources in my account
{
  "BackupSelection": {
    "Resources": [ "*" ]
  }
}
Example: Select all resources in my account, but exclude EBS volumes
{
  "BackupSelection": {
    "Resources": [ "*" ],
    "NotResources": [ "arn:aws:ec2:*:*:volume/*" ]
  }
}
Example: Select all resources tagged with "backup":"true", but exclude EBS volumes
{
  "BackupSelection": {
    "Resources": [ "*" ],
    "NotResources": [ "arn:aws:ec2:*:*:volume/*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" }
      ]
    }
  }
}
Example: Select all EBS volumes and RDS DB instances tagged with both "backup":"true" and "stage":"prod"

The Boolean arithmetic is similar to that in IAM policies, with those in "Resources" combined using a Boolean OR and those in "Conditions" combined with a Boolean AND.

The "Resources" expression "arn:aws:rds:*:*:db:*" only selects RDS DB instances because there are no corresponding Aurora, Neptune, or DocumentDB resources.

{
  "BackupSelection": {
    "Resources": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" },
        { "ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "prod" }
      ]
    }
  }
}
Example: Select all EBS volumes and RDS instances tagged with "backup":"true" but not "stage":"test"
{
  "BackupSelection": {
    "Resources": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:rds:*:*:db:*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" }
      ],
      "StringNotEquals": [
        { "ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test" }
      ]
    }
  }
}
Example: Select all resources tagged with "key1" and a value which begins with "include" but not with "key2" and value that contains the word "exclude"

You can use the wildcard character at the start, end, and middle of a string. Note the use of the wildcard character (*) in include* and *exclude* in the following example. You can also use the wildcard character in the middle of a string, as shown in the previous example, arn:aws:rds:*:*:db:*.

{
  "BackupSelection": {
    "Resources": [ "*" ],
    "Conditions": {
      "StringLike": [
        { "ConditionKey": "aws:ResourceTag/key1", "ConditionValue": "include*" }
      ],
      "StringNotLike": [
        { "ConditionKey": "aws:ResourceTag/key2", "ConditionValue": "*exclude*" }
      ]
    }
  }
}
Example: Select all resources tagged with "backup":"true" except FSx file systems and RDS, Aurora, Neptune, and DocumentDB resources

Items in NotResources are combined using the Boolean OR.

{
  "BackupSelection": {
    "Resources": [ "*" ],
    "NotResources": [ "arn:aws:fsx:*", "arn:aws:rds:*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" }
      ]
    }
  }
}
Example: Select all resources tagged with a tag "backup" and any value
{
  "BackupSelection": {
    "Resources": [ "*" ],
    "Conditions": {
      "StringLike": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "*" }
      ]
    }
  }
}
Example: Select all FSx file systems, the Aurora cluster "my-aurora-cluster", and all resources tagged with "backup":"true", except for resources tagged with "stage":"test"
{
  "BackupSelection": {
    "Resources": [ "arn:aws:fsx:*", "arn:aws:rds:*:*:cluster:my-aurora-cluster" ],
    "ListOfTags": [
      { "ConditionType": "StringEquals", "ConditionKey": "backup", "ConditionValue": "true" }
    ],
    "Conditions": {
      "StringNotEquals": [
        { "ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test" }
      ]
    }
  }
}
Example: Select all resources tagged with tag "backup":"true" except for EBS volumes tagged with "stage":"test"

Use two CLI commands to create two selections to select this group of resources. The first selection applies to all resources except for EBS volumes. The second selection applies to EBS volumes.

{
  "BackupSelection": {
    "Resources": [ "*" ],
    "NotResources": [ "arn:aws:ec2:*:*:volume/*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" }
      ]
    }
  }
}

{
  "BackupSelection": {
    "Resources": [ "arn:aws:ec2:*:*:volume/*" ],
    "Conditions": {
      "StringEquals": [
        { "ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true" }
      ],
      "StringNotEquals": [
        { "ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test" }
      ]
    }
  }
}
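As an added example that is not part of the AWS documentation, the following Python evaluator applies the selection rules stated above (Resources ORed, NotResources ORed as exclusions, Conditions ANDed, * matching zero or more non-whitespace characters) to a constructed inventory, and shows that the two selections of the last example together protect everything tagged backup:true except EBS volumes tagged stage:test. ListOfTags is not modelled, and the inventory ARNs, tags and account ID 111122223333 are constructed placeholders.

```python
import re

def _wild(pattern):
    # '*' matches zero or more non-whitespace characters; everything else is literal
    return re.compile(r"\S*".join(re.escape(p) for p in pattern.split("*")))

def _cond_ok(op, cond, tags):
    # Evaluate one Conditions entry against a resource's tags (tags are case sensitive).
    val, want = tags.get(cond["ConditionKey"].removeprefix("aws:ResourceTag/")), cond["ConditionValue"]
    if op == "StringEquals":
        return val == want
    if op == "StringNotEquals":  # an untagged resource counts as "not equal"
        return val != want
    if op == "StringLike":
        return val is not None and _wild(want).fullmatch(val) is not None
    if op == "StringNotLike":
        return not (val is not None and _wild(want).fullmatch(val))
    raise ValueError(f"unsupported condition operator {op}")

def selected(selection, arn, tags):
    # Resources are ORed, NotResources are ORed and exclude, Conditions are ANDed.
    sel = selection["BackupSelection"]
    if not any(_wild(p).fullmatch(arn) for p in sel.get("Resources", [])):
        return False
    if any(_wild(p).fullmatch(arn) for p in sel.get("NotResources", [])):
        return False
    return all(_cond_ok(op, c, tags)
               for op, conds in sel.get("Conditions", {}).items() for c in conds)

# Constructed inventory (account 111122223333 is a placeholder) with each resource's tags.
INVENTORY = {
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0a1": {"backup": "true", "stage": "prod"},
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0b2": {"backup": "true", "stage": "test"},
    "arn:aws:rds:us-east-1:111122223333:db:orders-db": {"backup": "true", "stage": "test"},
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0c3": {"backup": "true"},
    "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0d4": {"backup": "true"},
}
# The page's two-selection case: backup:true everywhere, except EBS volumes tagged stage:test.
BACKUP_TRUE = {"ConditionKey": "aws:ResourceTag/backup", "ConditionValue": "true"}
NOT_STAGE_TEST = {"ConditionKey": "aws:ResourceTag/stage", "ConditionValue": "test"}
SELECTION_A = {"BackupSelection": {"Resources": ["*"], "NotResources": ["arn:aws:ec2:*:*:volume/*"],
                                   "Conditions": {"StringEquals": [BACKUP_TRUE]}}}
SELECTION_B = {"BackupSelection": {"Resources": ["arn:aws:ec2:*:*:volume/*"],
                                   "Conditions": {"StringEquals": [BACKUP_TRUE],
                                                  "StringNotEquals": [NOT_STAGE_TEST]}}}

def protected_by(selections, inventory=INVENTORY):
    # A plan protects the union of all selections attached to it.
    return sorted(arn for arn, tags in inventory.items()
                  if any(selected(s, arn, tags) for s in selections))
```

Running protected_by([SELECTION_A, SELECTION_B]) on the constructed inventory returns every ARN except vol-0b2, the only EBS volume tagged stage:test.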

Assigning resources using AWS CloudFormation

This end-to-end AWS CloudFormation template creates a resource assignment, a backup plan, and a destination backup vault:

  • A backup vault named CloudFormationTestBackupVault.

  • A backup plan named CloudFormationTestBackupPlan. This plan contains two backup rules, both of which take backups daily at 12 noon UTC and retain them for 210 days.

  • A resource selection named BackupSelectionName.

    • The resource assignment backs up the following resources:

      • Any resource tagged with the key-value pair backupplan:dsi-sandbox-daily.

      • Any resource tagged with the value prod or values beginning with prod/.

    • The resource assignment does not back up the following resources:

      • Any RDS, Aurora, Neptune, or DocumentDB cluster.

      • Any resource tagged with the value test or values beginning with test/.

Description: "Template that creates Backup Selection and its dependencies"
Parameters:
  BackupVaultName:
    Type: String
    Default: "CloudFormationTestBackupVault"
  BackupPlanName:
    Type: String
    Default: "CloudFormationTestBackupPlan"
  BackupSelectionName:
    Type: String
    Default: "CloudFormationTestBackupSelection"
  BackupPlanTagValue:
    Type: String
    Default: "test-value-1"
  RuleName1:
    Type: String
    Default: "TestRule1"
  RuleName2:
    Type: String
    Default: "TestRule2"
  ScheduleExpression:
    Type: String
    Default: "cron(0 12 * * ? *)"
  StartWindowMinutes:
    Type: Number
    Default: 60
  CompletionWindowMinutes:
    Type: Number
    Default: 120
  RecoveryPointTagValue:
    Type: String
    Default: "test-recovery-point-value"
  MoveToColdStorageAfterDays:
    Type: Number
    Default: 120
  DeleteAfterDays:
    Type: Number
    Default: 210
Resources:
  CloudFormationTestBackupVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref BackupVaultName
  BasicBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref BackupPlanName
        BackupPlanRule:
          - RuleName: !Ref RuleName1
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
          - RuleName: !Ref RuleName2
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: !Ref ScheduleExpression
            StartWindowMinutes: !Ref StartWindowMinutes
            CompletionWindowMinutes: !Ref CompletionWindowMinutes
            RecoveryPointTags:
              test-recovery-point-key-1: !Ref RecoveryPointTagValue
            Lifecycle:
              MoveToColdStorageAfterDays: !Ref MoveToColdStorageAfterDays
              DeleteAfterDays: !Ref DeleteAfterDays
      BackupPlanTags:
        test-key-1: !Ref BackupPlanTagValue
    DependsOn: CloudFormationTestBackupVault
  TestRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  BasicBackupSelection:
    Type: 'AWS::Backup::BackupSelection'
    Properties:
      BackupPlanId: !Ref BasicBackupPlan
      BackupSelection:
        SelectionName: !Ref BackupSelectionName
        IamRoleArn: !GetAtt TestRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backupplan
            ConditionValue: dsi-sandbox-daily
        NotResources:
          - 'arn:aws:rds:*:*:cluster:*'
        Conditions:
          StringEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod
          StringNotEquals:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test
          StringLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: prod/*
          StringNotLike:
            - ConditionKey: 'aws:ResourceTag/path'
              ConditionValue: test/*

Quotas on resource assignment

The following quotas apply to a single resource assignment:

  • 500 Amazon Resource Names (ARNs) without wildcards

  • 30 ARNs with wildcard expressions

  • 30 conditions

  • 30 tags per resource assignment (and an unlimited number of resources per tag)