AWS Backup Construct Library¶--- ![cfn-resources: Stable](/cdk/api/latest/img/cfn--resources-stable-success.svg?style=for-the-badge) > All classes with the `Cfn` prefix in this module ([CFN Resources](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) are always stable and safe to use. ![cdk-constructs: Experimental](/cdk/api/latest/img/cdk--constructs-experimental-important.svg?style=for-the-badge) > The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. ---
AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.
Backup plan and selection¶
In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.
This module provides ready-made backup plans (similar to the console experience):
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 import aws_cdk.aws_backup as backup # Daily, weekly and monthly with 5 year retention plan = backup.BackupPlan.daily_weekly_monthly5_year_retention(self, "Plan")
Assigning resources to a plan can be done with
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 plan.add_selection("Selection", resources=[ backup.BackupResource.from_dynamo_db_table(my_table), # A DynamoDB table backup.BackupResource.from_tag("stage", "prod"), # All resources that are tagged stage=prod in the region/account backup.BackupResource.from_construct(my_cool_construct) ] )
If not specified, a new IAM role with a managed policy for backup will be
created for the selection. The
To add rules to a plan, use
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 plan.add_rule(BackupPlanRule( completion_window=Duration.hours(2), start_window=Duration.hours(1), schedule_expression=events.Schedule.cron(# Only cron expressions are supported day="15", hour="3", minute="30"), move_to_cold_storage_after=Duration.days(30) ))
Ready-made rules are also available:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 plan.add_rule(BackupPlanRule.daily()) plan.add_rule(BackupPlanRule.weekly())
By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 plan = backup.BackupPlan.daily35_day_retention(self, "Plan", my_vault)# Use `myVault` for all plan rules plan.add_rule(BackupPlanRule.monthly1_year(other_vault))
In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826 vault = BackupVault(stack, "Vault", encryption_key=my_key, # Custom encryption key notification_topic=my_topic )
A vault has a default
RemovalPolicy set to
RETAIN. Note that removing a vault
that contains recovery points will fail.