Namespace Amazon.CDK.AWS.Backup

AWS Backup Construct Library

--- cfn-resources: Stable cdk-constructs: Stable

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.

Backup plan and selection

In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.

This module provides ready-made backup plans (similar to the console experience):

// Daily, weekly and monthly with 5 year retention
BackupPlan plan = BackupPlan.DailyWeeklyMonthly5YearRetention(this, "Plan");

Assigning resources to a plan can be done with addSelection():

BackupPlan plan;

ITable myTable = Table.FromTableName(this, "Table", "myTableName");
Construct myCoolConstruct = new Construct(this, "MyCoolConstruct");

plan.AddSelection("Selection", new BackupSelectionOptions {
    Resources = new [] { BackupResource.FromDynamoDbTable(myTable), BackupResource.FromTag("stage", "prod"), BackupResource.FromConstruct(myCoolConstruct) }
});

If not specified, a new IAM role with a managed policy for backup will be created for the selection. The BackupSelection implements IGrantable.

To add rules to a plan, use addRule():

BackupPlan plan;

plan.AddRule(new BackupPlanRule(new BackupPlanRuleProps {
    CompletionWindow = Duration.Hours(2),
    StartWindow = Duration.Hours(1),
    ScheduleExpression = Schedule.Cron(new CronOptions {  // Only cron expressions are supported
        Day = "15",
        Hour = "3",
        Minute = "30" }),
    MoveToColdStorageAfter = Duration.Days(30)
}));

Continuous backup and point-in-time restores (PITR) can be configured. Property deleteAfter defines the retention period for the backup. It is mandatory if PITR is enabled. If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR. Property moveToColdStorageAfter must not be specified because PITR does not support this option. This example defines an AWS Backup rule with PITR and a retention period set to 14 days:

BackupPlan plan;

plan.AddRule(new BackupPlanRule(new BackupPlanRuleProps {
    EnableContinuousBackup = true,
    DeleteAfter = Duration.Days(14)
}));

Ready-made rules are also available:

BackupPlan plan;

plan.AddRule(BackupPlanRule.Daily());
plan.AddRule(BackupPlanRule.Weekly());

By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.

IBackupVault myVault = BackupVault.FromBackupVaultName(this, "Vault1", "myVault");
IBackupVault otherVault = BackupVault.FromBackupVaultName(this, "Vault2", "otherVault");

BackupPlan plan = BackupPlan.Daily35DayRetention(this, "Plan", myVault); // Use `myVault` for all plan rules
plan.AddRule(BackupPlanRule.Monthly1Year(otherVault));

You can backup VSS-enabled Windows applications running on Amazon EC2 instances by setting the windowsVss parameter to true. If the application has VSS writer registered with Windows VSS, then AWS Backup creates a snapshot that will be consistent for that application.

BackupPlan plan = new BackupPlan(this, "Plan", new BackupPlanProps {
    WindowsVss = true
});

Backup vault

In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.

IKey myKey = Key.FromKeyArn(this, "MyKey", "aaa");
ITopic myTopic = Topic.FromTopicArn(this, "MyTopic", "bbb");

BackupVault vault = new BackupVault(this, "Vault", new BackupVaultProps {
    EncryptionKey = myKey,  // Custom encryption key
    NotificationTopic = myTopic
});

A vault has a default RemovalPolicy set to RETAIN. Note that removing a vault that contains recovery points will fail.

You can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

Use the accessPolicy property to create a backup vault policy:

BackupVault vault = new BackupVault(this, "Vault", new BackupVaultProps {
    AccessPolicy = new PolicyDocument(new PolicyDocumentProps {
        Statements = new [] {
            new PolicyStatement(new PolicyStatementProps {
                Effect = Effect.DENY,
                Principals = new [] { new AnyPrincipal() },
                Actions = new [] { "backup:DeleteRecoveryPoint" },
                Resources = new [] { "*" },
                Conditions = new Dictionary<string, object> {
                    { "StringNotLike", new Dictionary<string, string[]> {
                        { "aws:userId", new [] { "user1", "user2" } }
                    } }
                }
            }) }
    })
});

Alternativately statements can be added to the vault policy using addToAccessPolicy().

Use the blockRecoveryPointDeletion property or the blockRecoveryPointDeletion() method to add a statement to the vault access policy that prevents recovery point deletions in your vault:

BackupVault backupVault;
new BackupVault(this, "Vault", new BackupVaultProps {
    BlockRecoveryPointDeletion = true
});
backupVault.BlockRecoveryPointDeletion();

By default access is not restricted.

Importing existing backup vault

To import an existing backup vault into your CDK application, use the BackupVault.fromBackupVaultArn or BackupVault.fromBackupVaultName static method. Here is an example of giving an IAM Role permission to start a backup job:

IBackupVault importedVault = BackupVault.FromBackupVaultName(this, "Vault", "myVaultName");

Role role = new Role(this, "Access Role", new RoleProps { AssumedBy = new ServicePrincipal("lambda.amazonaws.com") });

importedVault.Grant(role, "backup:StartBackupJob");

Classes

BackupPlan

A backup plan.
BackupPlanProps

Properties for a BackupPlan.
BackupPlanRule

A backup plan rule.
BackupPlanRuleProps

Properties for a BackupPlanRule.
BackupResource

A resource to backup.
BackupSelection

A backup selection.
BackupSelectionOptions

Options for a BackupSelection.
BackupSelectionProps

Properties for a BackupSelection.
BackupVault

A backup vault.
BackupVaultEvents

Backup vault events.
BackupVaultProps

Properties for a BackupVault.
CfnBackupPlan

A CloudFormation AWS::Backup::BackupPlan.
CfnBackupPlan.AdvancedBackupSettingResourceTypeProperty

Specifies an object containing resource type and backup options.
CfnBackupPlan.BackupPlanResourceTypeProperty

Specifies an object containing properties used to create a backup plan.
CfnBackupPlan.BackupRuleResourceTypeProperty

Specifies an object containing properties used to schedule a task to back up a selection of resources.
CfnBackupPlan.CopyActionResourceTypeProperty

Copies backups created by a backup rule to another vault.
CfnBackupPlan.LifecycleResourceTypeProperty

Specifies an object containing an array of Transition objects that determine how long in days before a recovery point transitions to cold storage or is deleted.
CfnBackupPlanProps

Properties for defining a CfnBackupPlan.
CfnBackupSelection

A CloudFormation AWS::Backup::BackupSelection.
CfnBackupSelection.BackupSelectionResourceTypeProperty

Specifies an object containing properties used to assign a set of resources to a backup plan.
CfnBackupSelection.ConditionResourceTypeProperty

Specifies an object that contains an array of triplets made up of a condition type (such as STRINGEQUALS ), a key, and a value.
CfnBackupSelectionProps

Properties for defining a CfnBackupSelection.
CfnBackupVault

A CloudFormation AWS::Backup::BackupVault.
CfnBackupVault.LockConfigurationTypeProperty

The LockConfigurationType property type specifies configuration for AWS Backup Vault Lock .
CfnBackupVault.NotificationObjectTypeProperty

Specifies an object containing SNS event notification properties for the target backup vault.
CfnBackupVaultProps

Properties for defining a CfnBackupVault.
CfnFramework

A CloudFormation AWS::Backup::Framework.
CfnFramework.ControlInputParameterProperty

A list of parameters for a control.
CfnFramework.FrameworkControlProperty

Contains detailed information about all of the controls of a framework.
CfnFrameworkProps

Properties for defining a CfnFramework.
CfnReportPlan

A CloudFormation AWS::Backup::ReportPlan.
CfnReportPlanProps

Properties for defining a CfnReportPlan.
TagCondition

A tag condition.
TagOperation

An operation that is applied to a key-value pair.

Interfaces

CfnBackupPlan.IAdvancedBackupSettingResourceTypeProperty

Specifies an object containing resource type and backup options.
CfnBackupPlan.IBackupPlanResourceTypeProperty

Specifies an object containing properties used to create a backup plan.
CfnBackupPlan.IBackupRuleResourceTypeProperty

Specifies an object containing properties used to schedule a task to back up a selection of resources.
CfnBackupPlan.ICopyActionResourceTypeProperty

Copies backups created by a backup rule to another vault.
CfnBackupPlan.ILifecycleResourceTypeProperty

Specifies an object containing an array of Transition objects that determine how long in days before a recovery point transitions to cold storage or is deleted.
CfnBackupSelection.IBackupSelectionResourceTypeProperty

Specifies an object containing properties used to assign a set of resources to a backup plan.
CfnBackupSelection.IConditionResourceTypeProperty

Specifies an object that contains an array of triplets made up of a condition type (such as STRINGEQUALS ), a key, and a value.
CfnBackupVault.ILockConfigurationTypeProperty

The LockConfigurationType property type specifies configuration for AWS Backup Vault Lock .
CfnBackupVault.INotificationObjectTypeProperty

Specifies an object containing SNS event notification properties for the target backup vault.
CfnFramework.IControlInputParameterProperty

A list of parameters for a control.
CfnFramework.IFrameworkControlProperty

Contains detailed information about all of the controls of a framework.
IBackupPlan

A backup plan.
IBackupPlanProps

Properties for a BackupPlan.
IBackupPlanRuleProps

Properties for a BackupPlanRule.
IBackupSelectionOptions

Options for a BackupSelection.
IBackupSelectionProps

Properties for a BackupSelection.
IBackupVault

A backup vault.
IBackupVaultProps

Properties for a BackupVault.
ICfnBackupPlanProps

Properties for defining a CfnBackupPlan.
ICfnBackupSelectionProps

Properties for defining a CfnBackupSelection.
ICfnBackupVaultProps

Properties for defining a CfnBackupVault.
ICfnFrameworkProps

Properties for defining a CfnFramework.
ICfnReportPlanProps

Properties for defining a CfnReportPlan.
ITagCondition

A tag condition.