Package software.amazon.awscdk.services.backup
AWS Backup Construct Library
---
AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.
For more information on how to migrate, see the Migrating to AWS CDK v2 guide.
AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.
Backup plan and selection
In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.
This module provides ready-made backup plans (similar to the console experience):
// Daily, weekly and monthly with 5 year retention BackupPlan plan = BackupPlan.dailyWeeklyMonthly5YearRetention(this, "Plan");
Assigning resources to a plan can be done with addSelection():
BackupPlan plan;
ITable myTable = Table.fromTableName(this, "Table", "myTableName");
Construct myCoolConstruct = new Construct(this, "MyCoolConstruct");
plan.addSelection("Selection", BackupSelectionOptions.builder()
.resources(List.of(BackupResource.fromDynamoDbTable(myTable), BackupResource.fromTag("stage", "prod"), BackupResource.fromConstruct(myCoolConstruct)))
.build());
If not specified, a new IAM role with a managed policy for backup will be
created for the selection. The BackupSelection implements IGrantable.
To add rules to a plan, use addRule():
BackupPlan plan;
plan.addRule(BackupPlanRule.Builder.create()
.completionWindow(Duration.hours(2))
.startWindow(Duration.hours(1))
.scheduleExpression(Schedule.cron(CronOptions.builder() // Only cron expressions are supported
.day("15")
.hour("3")
.minute("30").build()))
.moveToColdStorageAfter(Duration.days(30))
.build());
Continuous backup and point-in-time restores (PITR) can be configured.
Property deleteAfter defines the retention period for the backup. It is mandatory if PITR is enabled.
If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR.
Property moveToColdStorageAfter must not be specified because PITR does not support this option.
This example defines an AWS Backup rule with PITR and a retention period set to 14 days:
BackupPlan plan;
plan.addRule(BackupPlanRule.Builder.create()
.enableContinuousBackup(true)
.deleteAfter(Duration.days(14))
.build());
Ready-made rules are also available:
BackupPlan plan; plan.addRule(BackupPlanRule.daily()); plan.addRule(BackupPlanRule.weekly());
By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.
IBackupVault myVault = BackupVault.fromBackupVaultName(this, "Vault1", "myVault"); IBackupVault otherVault = BackupVault.fromBackupVaultName(this, "Vault2", "otherVault"); BackupPlan plan = BackupPlan.daily35DayRetention(this, "Plan", myVault); // Use `myVault` for all plan rules plan.addRule(BackupPlanRule.monthly1Year(otherVault));
You can backup
VSS-enabled Windows applications running on Amazon EC2 instances by setting the windowsVss
parameter to true. If the application has VSS writer registered with Windows VSS,
then AWS Backup creates a snapshot that will be consistent for that application.
BackupPlan plan = BackupPlan.Builder.create(this, "Plan")
.windowsVss(true)
.build();
Backup vault
In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.
IKey myKey = Key.fromKeyArn(this, "MyKey", "aaa");
ITopic myTopic = Topic.fromTopicArn(this, "MyTopic", "bbb");
BackupVault vault = BackupVault.Builder.create(this, "Vault")
.encryptionKey(myKey) // Custom encryption key
.notificationTopic(myTopic)
.build();
A vault has a default RemovalPolicy set to RETAIN. Note that removing a vault
that contains recovery points will fail.
You can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.
Use the accessPolicy property to create a backup vault policy:
BackupVault vault = BackupVault.Builder.create(this, "Vault")
.accessPolicy(PolicyDocument.Builder.create()
.statements(List.of(
PolicyStatement.Builder.create()
.effect(Effect.DENY)
.principals(List.of(new AnyPrincipal()))
.actions(List.of("backup:DeleteRecoveryPoint"))
.resources(List.of("*"))
.conditions(Map.of(
"StringNotLike", Map.of(
"aws:userId", List.of("user1", "user2"))))
.build()))
.build())
.build();
Alternativately statements can be added to the vault policy using addToAccessPolicy().
Use the blockRecoveryPointDeletion property or the blockRecoveryPointDeletion() method to add
a statement to the vault access policy that prevents recovery point deletions in your vault:
BackupVault backupVault;
BackupVault.Builder.create(this, "Vault")
.blockRecoveryPointDeletion(true)
.build();
backupVault.blockRecoveryPointDeletion();
By default access is not restricted.
Importing existing backup vault
To import an existing backup vault into your CDK application, use the BackupVault.fromBackupVaultArn or BackupVault.fromBackupVaultName
static method. Here is an example of giving an IAM Role permission to start a backup job:
IBackupVault importedVault = BackupVault.fromBackupVaultName(this, "Vault", "myVaultName");
Role role = Role.Builder.create(this, "Access Role").assumedBy(new ServicePrincipal("lambda.amazonaws.com")).build();
importedVault.grant(role, "backup:StartBackupJob");
-
ClassDescriptionA backup plan.A fluent builder for
BackupPlan.Properties for a BackupPlan.A builder forBackupPlanPropsAn implementation forBackupPlanPropsA backup plan rule.A fluent builder forBackupPlanRule.Properties for a BackupPlanRule.A builder forBackupPlanRulePropsAn implementation forBackupPlanRulePropsA resource to backup.A fluent builder forBackupResource.A backup selection.A fluent builder forBackupSelection.Options for a BackupSelection.A builder forBackupSelectionOptionsAn implementation forBackupSelectionOptionsProperties for a BackupSelection.A builder forBackupSelectionPropsAn implementation forBackupSelectionPropsA backup vault.A fluent builder forBackupVault.Backup vault events.Properties for a BackupVault.A builder forBackupVaultPropsAn implementation forBackupVaultPropsA CloudFormationAWS::Backup::BackupPlan.Specifies an object containing resource type and backup options.A builder forCfnBackupPlan.AdvancedBackupSettingResourceTypePropertyAn implementation forCfnBackupPlan.AdvancedBackupSettingResourceTypePropertySpecifies an object containing properties used to create a backup plan.A builder forCfnBackupPlan.BackupPlanResourceTypePropertyAn implementation forCfnBackupPlan.BackupPlanResourceTypePropertySpecifies an object containing properties used to schedule a task to back up a selection of resources.A builder forCfnBackupPlan.BackupRuleResourceTypePropertyAn implementation forCfnBackupPlan.BackupRuleResourceTypePropertyA fluent builder forCfnBackupPlan.Copies backups created by a backup rule to another vault.A builder forCfnBackupPlan.CopyActionResourceTypePropertyAn implementation forCfnBackupPlan.CopyActionResourceTypePropertySpecifies an object containing an array ofTransitionobjects that determine how long in days before a recovery point transitions to cold storage or is deleted.A builder forCfnBackupPlan.LifecycleResourceTypePropertyAn implementation forCfnBackupPlan.LifecycleResourceTypePropertyProperties for defining aCfnBackupPlan.A builder forCfnBackupPlanPropsAn implementation forCfnBackupPlanPropsA CloudFormationAWS::Backup::BackupSelection.Specifies an object containing properties used to assign a set of resources to a backup plan.A builder forCfnBackupSelection.BackupSelectionResourceTypePropertyAn implementation forCfnBackupSelection.BackupSelectionResourceTypePropertyA fluent builder forCfnBackupSelection.Includes information about tags you define to assign tagged resources to a backup plan.A builder forCfnBackupSelection.ConditionParameterPropertyAn implementation forCfnBackupSelection.ConditionParameterPropertySpecifies an object that contains an array of triplets made up of a condition type (such asSTRINGEQUALS), a key, and a value.A builder forCfnBackupSelection.ConditionResourceTypePropertyAn implementation forCfnBackupSelection.ConditionResourceTypePropertyContains information about which resources to include or exclude from a backup plan using their tags.A builder forCfnBackupSelection.ConditionsPropertyAn implementation forCfnBackupSelection.ConditionsPropertyProperties for defining aCfnBackupSelection.A builder forCfnBackupSelectionPropsAn implementation forCfnBackupSelectionPropsA CloudFormationAWS::Backup::BackupVault.A fluent builder forCfnBackupVault.TheLockConfigurationTypeproperty type specifies configuration for AWS Backup Vault Lock .A builder forCfnBackupVault.LockConfigurationTypePropertyAn implementation forCfnBackupVault.LockConfigurationTypePropertySpecifies an object containing SNS event notification properties for the target backup vault.A builder forCfnBackupVault.NotificationObjectTypePropertyAn implementation forCfnBackupVault.NotificationObjectTypePropertyProperties for defining aCfnBackupVault.A builder forCfnBackupVaultPropsAn implementation forCfnBackupVaultPropsA CloudFormationAWS::Backup::Framework.A fluent builder forCfnFramework.A list of parameters for a control.A builder forCfnFramework.ControlInputParameterPropertyAn implementation forCfnFramework.ControlInputParameterPropertyA framework consists of one or more controls.A builder forCfnFramework.ControlScopePropertyAn implementation forCfnFramework.ControlScopePropertyContains detailed information about all of the controls of a framework.A builder forCfnFramework.FrameworkControlPropertyAn implementation forCfnFramework.FrameworkControlPropertyProperties for defining aCfnFramework.A builder forCfnFrameworkPropsAn implementation forCfnFrameworkPropsA CloudFormationAWS::Backup::ReportPlan.A fluent builder forCfnReportPlan.Contains information from your report plan about where to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.A builder forCfnReportPlan.ReportDeliveryChannelPropertyAn implementation forCfnReportPlan.ReportDeliveryChannelPropertyContains detailed information about a report setting.A builder forCfnReportPlan.ReportSettingPropertyAn implementation forCfnReportPlan.ReportSettingPropertyProperties for defining aCfnReportPlan.A builder forCfnReportPlanPropsAn implementation forCfnReportPlanPropsA backup plan.Internal default implementation forIBackupPlan.A proxy class which represents a concrete javascript instance of this type.A backup vault.Internal default implementation forIBackupVault.A proxy class which represents a concrete javascript instance of this type.A tag condition.A builder forTagConditionAn implementation forTagConditionAn operation that is applied to a key-value pair.