Viewing effective backup policies - AWS Organizations

Viewing effective backup policies

You can view the effective backup policy for an account from the AWS Management Console, AWS API, or AWS Command Line Interface. The following section provides a brief overview of the effective backup policy, including an example.

What is the effective backup policy?

The effective backup policy specifies the final backup plan settings that apply to an AWS account. It is the aggregation of any backup policies that the account inherits, plus any backup policy that is directly attached to the account. When you attach a backup policy to the organization's root, it applies to all accounts in your organization. When you attach an backup policy to an organizational unit (OU), it applies to all accounts and OUs that belong to the OU. When you attach a policy directly to an account, it applies only to that one AWS account.

For example, the backup policy attached to the organization root might specify that all accounts in the organization back up all Amazon DynamoDB tables with a default backup frequency of once per week. A separate backup policy attached directly to one member account with critical information in a table can override the frequency with a value of once per day. The combination of these backup policies comprises the effective backup policy. This effective backup policy is determined for each account in the organization individually. In this example, the result is that all accounts in the organization back up their DynamoDB tables once per week, with the exception of one account that backs up its tables daily.

For information about how backup policies are combined into the final effective backup policy, see Policy syntax and inheritance for management policy types.

Viewing the effective backup policy

You can view the effective backup policy for an account by using the AWS Management Console, AWS API, or AWS Command Line Interface.

Minimum permissions

To view the effective backup policy for an account, you must have permission to run the following actions:

  • organizations:DescribeEffectivePolicy

  • organizations:DescribeOrganization – required only when using the Organizations console

New console

To view the effective backup policy for an account

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AWS accounts page, choose the name of the account for which you want to view the effective backup policy. You might have to expand OUs (choose the ) to find the account that you want.

  3. On the Policies tab, in the Backup policies section, choose View the effective backup policy for this AWS account.

    The console displays the effective policy applied to the specified account.

    Note

    You can't copy and paste an effective policy and use it as the JSON for another backup policy without significant changes. backup policy documents must include the inheritance operators that specify how each setting is merged into the final effective policy.

Old console
Important

We redesigned the AWS Organizations console to make it easier to use. Starting on April 28th, 2021 the old console will no longer be available. We recommend that you switch to the new console and use the procedures in the New console tab instead.

To view the effective backup policy for an account

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Accounts tab, choose the account for which you want to view the effective backup policy.

    Alternatively, you can use the Organize accounts tab, You might have to expand OUs (choose the + next to an OU name) in the navigation pane to find the account that you want. Choose the account for which you want to view the effective backup policy.

  3. In the details pane, choose View effective backup policy.

    The console displays the effective policy applied to the selected account.

    Note

    You can't copy and paste an effective policy and use it as the JSON for another backup policy without significant changes. Tackup policy documents must include the inheritance operators that specify how each setting is merged into the final effective policy.

AWS CLI & AWS SDKs

To view the effective backup policy for an account

You can use one of the following commands to view the effective backup policy:

  • AWS CLI: aws organizations describe-effective-policy

    The following example displays the details of a backup policy.

    $ aws organizations describe-effective-policy \ --policy-type BACKUP_POLICY \ --target-id 123456789012{ "EffectivePolicy": { "LastUpdatedTimestamp": "2020-06-22T14:31:50.748000-07:00", "TargetId": "123456789012", "PolicyType": "BACKUP_POLICY", "PolicyContent": "{\"plans\":{\"pii_backup_plan\":{\"regions\":[\"ap-northeast-2\",\"us-east-1\",\"eu-north-1\"],\ "selections\":{\"tags\":{\"datatype\":{\"iam_role_arn\":\"arn:aws:iam::$account:role/MyIamRole\",\"tag_value\":[\"PII\"],\ "tag_key\":\"dataType\"}}},\"rules\":{\"hourly\":{\"complete_backup_window_minutes\":\"10080\",\"target_backup_vault_name\ ":\"FortKnox\",\"start_backup_window_minutes\":\"480\",\"schedule_expression\":\"cron(0 5/1 ? * * *)\",\"lifecycle\":{\"mo ve_to_cold_storage_after_days\":\"180\",\"delete_after_days\":\"270\"},\"copy_actions\":{\"arn:aws:backup:us-east-1:$accou nt:backup-vault:secondary-vault\":{\"lifecycle\":{\"move_to_cold_storage_after_days\":\"10\",\"delete_after_days\":\"100\" }}}}}}}}" } }
  • AWS SDKs: DescribeEffectivePolicy