Skip navigation links

Package software.amazon.awscdk.services.backup

AWS Backup Construct Library

See: Description

Package software.amazon.awscdk.services.backup Description

AWS Backup Construct Library

---

cfn-resources: Stable

cdk-constructs: Stable


AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.

Backup plan and selection

In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.

This module provides ready-made backup plans (similar to the console experience):

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 // Daily, weekly and monthly with 5 year retention
 Object plan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, "Plan");
 

Assigning resources to a plan can be done with addSelection():

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 ITable myTable = dynamodb.Table.fromTableName(this, "Table", "myTableName");
 Construct myCoolConstruct = new Construct(this, "MyCoolConstruct");
 
 plan.addSelection("Selection", new BackupSelectionOptions()
         .resources(asList(backup.BackupResource.fromDynamoDbTable(myTable), backup.BackupResource.fromTag("stage", "prod"), backup.BackupResource.fromConstruct(myCoolConstruct))));
 

If not specified, a new IAM role with a managed policy for backup will be created for the selection. The BackupSelection implements IGrantable.

To add rules to a plan, use addRule():

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 plan.addRule(new BackupPlanRule(new BackupPlanRuleProps()
         .completionWindow(Duration.hours(2))
         .startWindow(Duration.hours(1))
         .scheduleExpression(events.Schedule.cron(new CronOptions()// Only cron expressions are supported
                 .day("15")
                 .hour("3")
                 .minute("30")))
         .moveToColdStorageAfter(Duration.days(30))));
 

Ready-made rules are also available:

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 plan.addRule(backup.BackupPlanRule.daily());
 plan.addRule(backup.BackupPlanRule.weekly());
 

By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 Object myVault = backup.BackupVault.fromBackupVaultName(this, "Vault1", "myVault");
 Object otherVault = backup.BackupVault.fromBackupVaultName(this, "Vault2", "otherVault");
 
 Object plan = backup.BackupPlan.daily35DayRetention(this, "Plan", myVault);// Use `myVault` for all plan rules
 plan.addRule(backup.BackupPlanRule.monthly1Year(otherVault));
 

Backup vault

In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 Object myKey = kms.Key.fromKeyArn(this, "MyKey", "aaa");
 ITopic myTopic = sns.Topic.fromTopicArn(this, "MyTopic", "bbb");
 
 Object vault = BackupVault.Builder.create(this, "Vault")
         .encryptionKey(myKey)// Custom encryption key
         .notificationTopic(myTopic)
         .build();
 

A vault has a default RemovalPolicy set to RETAIN. Note that removing a vault that contains recovery points will fail.

You can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

Use the accessPolicy property to create a backup vault policy:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object vault = BackupVault.Builder.create(this, "Vault")
         .accessPolicy(new PolicyDocument(new PolicyDocumentProps()
                 .statements(asList(
                     new PolicyStatement(new PolicyStatementProps()
                             .effect(iam.Effect.getDENY())
                             .principals(asList(new AnyPrincipal()))
                             .actions(asList("backup:DeleteRecoveryPoint"))
                             .resources(asList("*"))
                             .conditions(Map.of(
                                     "StringNotLike", Map.of(
                                             "aws:userId", asList("user1", "user2")))))))))
         .build();
 

Use the blockRecoveryPointDeletion property to add statements to the vault access policy that prevents recovery point deletions in your vault:

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 BackupVault.Builder.create(this, "Vault")
         .blockRecoveryPointDeletion(true)
         .build();
 

By default access is not restricted.

Importing existing backup vault

To import an existing backup vault into your CDK application, use the BackupVault.fromBackupVaultArn or BackupVault.fromBackupVaultName static method. Here is an example of giving an IAM Role permission to start a backup job:

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 Object importedVault = backup.BackupVault.fromBackupVaultName(this, "Vault", "myVaultName");
 
 Role role = new Role(this, "Access Role", new RoleProps().assumedBy(new ServicePrincipal("lambda.amazonaws.com")));
 
 importedVault.grant(role, "backup:StartBackupJob");
 
Skip navigation links