Create a Recycle Bin retention rule to protect resources - Amazon EBS

When you create a retention rule, you must specify the following required parameters:

  • The resource type that is to be protected by the retention rule.

  • The resources that are to be protected by the retention rule. You can create retention rules at the tag level and the Region level.

    • To create a tag-level retention rule, specify the resource tags that identify the resources to protect. You can specify up to 50 tags for each rule, and add the same tag key and value pair to a maximum of five retention rules.

    • To create a Region-level retention rule, do not specify any tag key and value pairs. In this case, all resources of the specified type are protected.

  • The period to retain the resources in the Recycle Bin after they are deleted. The period can be up to 1 year (365 days).

You can also specify the following optional parameters:

  • An optional name for the retention rule. The name can be up to 255 characters long.

  • An optional description for the retention rule. The description can be up to 255 characters long.

    Note

    We recommend that you do not include personally identifying, confidential, or sensitive information in the retention rule description.

  • Optional retention rule tags to help identify and organize your retention rules. You can assign up to 50 tags to each rule.

You can also optionally lock retention rules on creation. If you lock a retention rule on creation, you must also specify the unlock delay period, which can be 7 to 30 days. Retention rules remain unlocked by default unless you explicitly lock them.

Retention rules function only in the Regions in which they are created. If you intend to use Recycle Bin in other Regions, you must create additional retention rules in those Regions.

You can create a Recycle Bin retention rule using one of the following methods.

Recycle Bin console
To create a retention rule
  1. Open the Recycle Bin console at https://console.aws.amazon.com/rbin/home/

  2. In the navigation pane, choose Retention rules, and then choose Create retention rule.

  3. In the Rule details section, do the following:

    1. (Optional) For Retention rule name, enter a descriptive name for the retention rule.

    2. (Optional) For Retention rule description, enter a brief description for the retention rule.

  4. In the Rule settings section, do the following:

    1. For Resource type, choose the type of resource for the retention rule to protect. The retention rule will retain only resources of this type in the Recycle Bin.

    2. Do one of the following:

      • To create a Region-level retention rule that matches all deleted resources of the specified type in the Region, select Apply to all resources. The retention rule will retain all deleted resources of the specified type in the Recycle Bin upon deletion, even if the resources do not have any tags.

      • To create a tag-level retention rule, for Resource tags to match, enter the tag key and value pairs to use to identify resources of the specified type that are to be retained in the Recycle Bin. Only resources of the specified type that have at least one of the specified tag key and value pairs will be retained by the retention rule.

    3. For Retention period, enter the number of days for which the retention rule is to retain resources in the Recycle Bin.

  5. (Optional) To lock the retention rule, for Rule lock settings, select Lock, and then for Unlock delay period, specify the unlock delay period in days. A locked retention rule can't be modified or deleted. To modify or delete the rule, you must first unlock it and then wait for the unlock delay period to expire. For more information, see Lock a Recycle Bin retention rule to prevent it from being updated or deleted.

    To leave the retention rule unlocked, for Rule lock settings, keep Unlock selected. An unlocked retention rule can be modified or deleted at any time. For more information, see Unlock a Recycle Bin retention rule to allow it to be updated or deleted.

  6. (Optional) In the Tags section, do the following:

    1. To tag the rule with custom tags, choose Add tag and then enter the tag key and value pair.

  7. Choose Create retention rule.

AWS CLI
To create a retention rule

Use the create-rule AWS CLI command. For --retention-period, specify the number of days to retain deleted snapshots in the Recycle Bin. For --resource-type, specify EBS_SNAPSHOT for snapshots or EC2_IMAGE for AMIs. To create a tag-level retention rule, for --resource-tags, specify the tags to use to identify the snapshots that are to be retained. To create a Region-level retention rule, omit --resource-tags. To lock a retention rule, include --lock-configuration, and specify the unlock delay period in days.

aws rbin create-rule \
    --retention-period RetentionPeriodValue=number_of_days,RetentionPeriodUnit=DAYS \
    --resource-type EBS_SNAPSHOT|EC2_IMAGE \
    --description "rule_description" \
    --lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=unlock_delay_in_days}' \
    --resource-tags ResourceTagKey=tag_key,ResourceTagValue=tag_value

Example 1

The following example command creates an unlocked Region-level retention rule that retains all deleted snapshots for a period of 7 days.

aws rbin create-rule \
    --retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
    --resource-type EBS_SNAPSHOT \
    --description "Match all snapshots"

Example 2

The following example command creates a tag-level rule that retains deleted snapshots that are tagged with purpose=production for a period of 7 days.

aws rbin create-rule \
    --retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
    --resource-type EBS_SNAPSHOT \
    --description "Match snapshots with a specific tag" \
    --resource-tags ResourceTagKey=purpose,ResourceTagValue=production

Example 3

The following example command creates a locked Region-level retention rule that retains all deleted snapshots for a period of 7 days. The retention rule is locked with an unlock delay period of 7 days.

aws rbin create-rule \
    --retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
    --resource-type EBS_SNAPSHOT \
    --description "Match all snapshots" \
    --lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=7}'
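
Because retention rules function only in the Region in which they are created, the same rule has to be created once per Region. The following added example (not AWS-provided code) checks the parameters against the limits stated on this page and then issues one create-rule command per Region. The function names, the RBIN_RUN switch, and the Region list are assumptions made for illustration, and --region is the AWS CLI global option.

```shell
#!/bin/sh
# Added example, not AWS-provided code. Function names, RBIN_RUN and the
# Region list are assumptions made for illustration.

# Print each command by default; set RBIN_RUN=1 to execute it with the AWS CLI.
run() { if [ "${RBIN_RUN:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# in_range VALUE MIN MAX: true if VALUE is a whole number within [MIN, MAX].
in_range() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# rbin_check TYPE RETENTION_DAYS UNLOCK_DELAY_DAYS DESCRIPTION
# UNLOCK_DELAY_DAYS is empty for an unlocked rule. Limits are those on this page.
rbin_check() {
  case $1 in
    EBS_SNAPSHOT|EC2_IMAGE) ;;
    *) echo "resource type must be EBS_SNAPSHOT or EC2_IMAGE" >&2; return 1 ;;
  esac
  # The page gives the 365-day maximum; the 1-day minimum is assumed here.
  in_range "$2" 1 365 || { echo "retention period must be 1-365 days" >&2; return 1; }
  if [ -n "$3" ]; then
    in_range "$3" 7 30 || { echo "unlock delay must be 7-30 days" >&2; return 1; }
  fi
  [ "${#4}" -le 255 ] || { echo "description exceeds 255 characters" >&2; return 1; }
}

# rbin_create_all TYPE RETENTION_DAYS UNLOCK_DELAY_DAYS DESCRIPTION REGION...
# Creates the same Region-level rule (no --resource-tags) in every listed Region.
rbin_create_all() {
  rbin_check "$1" "$2" "$3" "$4" || return 1
  rtype=$1 days=$2 delay=$3 desc=$4
  shift 4
  lock="UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=$delay}"
  for region in "$@"; do
    run aws rbin create-rule --region "$region" \
      --resource-type "$rtype" \
      --retention-period "RetentionPeriodValue=$days,RetentionPeriodUnit=DAYS" \
      --description "$desc" \
      ${delay:+--lock-configuration} ${delay:+"$lock"} || return 1
  done
}

# Constructed sample: locked rule, 7-day retention, 7-day unlock delay.
rbin_create_all EBS_SNAPSHOT 7 7 "Match all snapshots" us-east-1 eu-west-1
```

With RBIN_RUN unset, the script only prints the commands it would run, so the plan can be reviewed before any rule is created or locked.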