AWSBackup DG PDF

AWS Backup
Developer Guide
AWS Backup Developer Guide
AWS Backup: Developer Guide

Copyright © 2020 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What Is AWS Backup? ......................................................................................................................... 1
Supported Resources .................................................................................................................. 1
AWS Backup Overview ................................................................................................................ 1
Centralized Backup Management ......................................................................................... 1
Cross-Region Backup .......................................................................................................... 2
Policy-Based Backup Solutions ............................................................................................. 2
Tag-Based Backup Policies ................................................................................................... 2
Backup Activity Monitoring .................................................................................................. 2
Lifecycle Management Policies ............................................................................................. 2
Backup Access Policies ........................................................................................................ 2
Getting Started .......................................................................................................................... 3
How it Works .................................................................................................................................... 4
Working with Other Services ....................................................................................................... 4
Working with Amazon EC2 .................................................................................................. 5
Working with Amazon RDS .................................................................................................. 6
Working with AWS Storage Gateway .................................................................................... 7
Cross-Region Backups ................................................................................................................. 7
Metering Backup and Pricing Usage .............................................................................................. 7
Blogs, Videos, and Other Resources .............................................................................................. 7
Setting Up ........................................................................................................................................ 8
Sign up for AWS ........................................................................................................................ 8
Create an IAM User .................................................................................................................... 8
Getting Started ................................................................................................................................ 10
Prerequisites ............................................................................................................................ 10
Step 1: Create an On-Demand Backup ........................................................................................ 11
Next Steps ....................................................................................................................... 12
Step 2: Create a Scheduled Backup ............................................................................................ 12
Create a Backup Plan by Modifying an Existing One .............................................................. 12
Assign Resources to a Backup Plan ..................................................................................... 13
Create a Backup Vault ....................................................................................................... 14
Next Steps ....................................................................................................................... 14
Step 3: Monitor Your Backup Jobs .............................................................................................. 15
View the Status of Backup Jobs ......................................................................................... 15
View All Backups in a Vault ............................................................................................... 15
View Details of Protected Resources ................................................................................... 15
Next Steps ....................................................................................................................... 16
Step 4: Restore a Backup .......................................................................................................... 16
Next Steps ....................................................................................................................... 18
Step 5: Clean Up ...................................................................................................................... 18
Delete Restored AWS Resources ......................................................................................... 18
Delete the Backup Plan ..................................................................................................... 18
Delete the Recovery Points ................................................................................................ 18
Delete the Backup Vault .................................................................................................... 19
Backup Plans ................................................................................................................................... 20
Creating a Backup Plan ............................................................................................................. 20
Creating Backup Plans Using the AWS Management Console .................................................. 20
Backup Plan Options and Configuration .............................................................................. 21
Assigning Resources .................................................................................................................. 22
Deleting a Backup Plan ............................................................................................................. 23
Updating a Backup Plan ............................................................................................................ 23
Backup Vaults .................................................................................................................................. 24
Creating a Backup Vault ............................................................................................................ 24
Backup Vault Name .......................................................................................................... 24
KMS Encryption Master Key ............................................................................................... 24
iii
Backup Vault Tags ............................................................................................................ 25

Setting Access Policies on Backup Vaults and Recovery Points ........................................................ 25
Deny Access to a Resource Type in a Backup Vault ................................................................ 25
Deny Access to a Backup Vault ........................................................................................... 26
Deny Access to Delete Recovery Points in a Backup Vault ...................................................... 26
Deleting a Backup Vault ............................................................................................................ 27
Backups .......................................................................................................................................... 28
Creating a Backup .................................................................................................................... 28
On-Demand Backups ........................................................................................................ 29
Backup Copies ................................................................................................................. 30
Restoring a Backup ................................................................................................................... 31
Restoring a Backup Using the Console ................................................................................ 31
Restoring a Backup Using the AWS CLI or the AWS Backup API ............................................... 33
Stopping a Backup Job ............................................................................................................. 35
Viewing a List of Backups .......................................................................................................... 35
Listing Backups by Protected Resource ................................................................................ 35
Listing Backups by Backup Vault ........................................................................................ 36
Editing a Backup ...................................................................................................................... 36
Security ........................................................................................................................................... 37
Data Protection ........................................................................................................................ 37
Encryption for Backups in AWS .......................................................................................... 38
Identity and Access Management ............................................................................................... 40
Authentication ................................................................................................................. 40
Access Control ................................................................................................................. 41
IAM Service Roles ............................................................................................................. 52
Logging and Monitoring ............................................................................................................ 53
Compliance Validation .............................................................................................................. 53
Resilience ................................................................................................................................ 54
Infrastructure Security .............................................................................................................. 54
Quotas ............................................................................................................................................ 55
Using Amazon SNS to Track Events .................................................................................................... 56
AWS Backup Notification APIs .................................................................................................... 56
Completed Events .................................................................................................................... 56
Examples: Completed Events ............................................................................................. 57
AWS Backup Notification Command Examples ............................................................................. 58
Example Put Backup Vault Notification ............................................................................... 58
Example Get Backup Vault Notification ............................................................................... 58
Example Delete Backup Vault Notification ........................................................................... 58
Specifying AWS Backup as a Service Principal .............................................................................. 59
Logging AWS Backup API Calls with AWS CloudTrail ............................................................................. 61
AWS Backup Information in CloudTrail ........................................................................................ 61
Understanding AWS Backup Log File Entries ................................................................................ 62
Using AWS CloudFormation Templates with AWS Backup ...................................................................... 65
Integrating AWS Backup with AWS CloudFormation ...................................................................... 65
Troubleshooting AWS Backup ............................................................................................................ 68
Troubleshooting General Issues .................................................................................................. 68
Troubleshooting Creating Resources ........................................................................................... 68
Troubleshooting Deleting Resources ........................................................................................... 69
AWS Backup API .............................................................................................................................. 70
Actions .................................................................................................................................... 70
CreateBackupPlan ............................................................................................................. 72
CreateBackupSelection ...................................................................................................... 75
CreateBackupVault ............................................................................................................ 78
DeleteBackupPlan ............................................................................................................. 81
DeleteBackupSelection ...................................................................................................... 84
DeleteBackupVault ........................................................................................................... 86
DeleteBackupVaultAccessPolicy .......................................................................................... 88
iv
DeleteBackupVaultNotifications .......................................................................................... 90
DeleteRecoveryPoint ......................................................................................................... 92
DescribeBackupJob ........................................................................................................... 94
DescribeBackupVault ......................................................................................................... 98
DescribeCopyJob ............................................................................................................ 101
DescribeProtectedResource .............................................................................................. 103
DescribeRecoveryPoint .................................................................................................... 105
DescribeRestoreJob ......................................................................................................... 110
ExportBackupPlanTemplate .............................................................................................. 113
GetBackupPlan ............................................................................................................... 115
GetBackupPlanFromJSON ................................................................................................ 118
GetBackupPlanFromTemplate ........................................................................................... 121
GetBackupSelection ........................................................................................................ 123
GetBackupVaultAccessPolicy ............................................................................................. 126
GetBackupVaultNotifications ............................................................................................ 128
GetRecoveryPointRestoreMetadata .................................................................................... 131
GetSupportedResourceTypes ............................................................................................ 133
ListBackupJobs ............................................................................................................... 135
ListBackupPlans .............................................................................................................. 138
ListBackupPlanTemplates ................................................................................................. 140
ListBackupPlanVersions ................................................................................................... 142
ListBackupSelections ....................................................................................................... 144
ListBackupVaults ............................................................................................................. 146
ListCopyJobs .................................................................................................................. 148
ListProtectedResources .................................................................................................... 151
ListRecoveryPointsByBackupVault ..................................................................................... 153
ListRecoveryPointsByResource .......................................................................................... 156
ListRestoreJobs .............................................................................................................. 159
ListTags ......................................................................................................................... 161
PutBackupVaultAccessPolicy ............................................................................................. 163
PutBackupVaultNotifications ............................................................................................ 165
StartBackupJob .............................................................................................................. 167
StartCopyJob ................................................................................................................. 171
StartRestoreJob .............................................................................................................. 174
StopBackupJob ............................................................................................................... 177
TagResource ................................................................................................................... 179
UntagResource ............................................................................................................... 181
UpdateBackupPlan .......................................................................................................... 183
UpdateRecoveryPointLifecycle .......................................................................................... 186
Data Types ............................................................................................................................ 188
BackupJob ..................................................................................................................... 190
BackupPlan .................................................................................................................... 193
BackupPlanInput ............................................................................................................ 194
BackupPlansListMember .................................................................................................. 195
BackupPlanTemplatesListMember ..................................................................................... 197
BackupRule .................................................................................................................... 198
BackupRuleInput ............................................................................................................ 200
BackupSelection ............................................................................................................. 202
BackupSelectionsListMember ........................................................................................... 203
BackupVaultListMember .................................................................................................. 205
CalculatedLifecycle ......................................................................................................... 207
Condition ....................................................................................................................... 208
CopyAction .................................................................................................................... 209
CopyJob ........................................................................................................................ 210
Lifecycle ........................................................................................................................ 213
ProtectedResource .......................................................................................................... 214
RecoveryPointByBackupVault ........................................................................................... 215
v
RecoveryPointByResource ................................................................................................ 218

RecoveryPointCreator ...................................................................................................... 220
RestoreJobsListMember ................................................................................................... 221
Common Errors ...................................................................................................................... 222
AWS Glossary ................................................................................................................................. 225
Document History .......................................................................................................................... 226
vi
Supported Resources
What Is AWS Backup?

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup
of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup
policies and monitor backup activity for your AWS resources in one place. AWS Backup automates and
consolidates backup tasks that were previously performed service-by-service, and removes the need to
create custom scripts and manual processes. With just a few clicks on the AWS Backup console, you can
create backup policies that automate backup schedules and retention management.
AWS Backup provides a fully managed backup service and a policy-based backup solution that simplifies
your backup management and enables you to meet your business and regulatory backup compliance
requirements.
Supported Resources
The following are AWS resources that you can back up and restore using AWS Backup.
Supported Service Supported Resource
Amazon Elastic File System Amazon EFS file systems

(Amazon EFS)
Amazon DynamoDB DynamoDB tables

(DynamoDB)
Amazon Elastic Compute Amazon EC2 instances*

Cloud (Amazon EC2)
Amazon Elastic Block Store Amazon EBS volumes

(Amazon EBS)
Amazon Relational Amazon RDS databases**

Database Service (Amazon
RDS)
AWS Storage Gateway AWS Storage Gateway volumes

(Volume Gateway)
*AWS Backup does not support Amazon EC2 instance store-backed instances.
**AWS Backup currently supports all Amazon RDS database engines except Amazon Aurora.
AWS Backup Overview

AWS Backup provides the following features and capabilities.
Centralized Backup Management

AWS Backup provides a centralized backup console, a set of backup APIs, and the AWS Command Line
Interface (AWS CLI) to manage backups across the AWS services that your applications use. With AWS
1
Cross-Region Backup
Backup, you can centrally manage backup policies that meet your backup requirements. You can then
apply them to your AWS resources across AWS services, enabling you to back up your application data in
a consistent and compliant manner. The AWS Backup centralized backup console offers a consolidated
view of your backups and backup activity logs, making it easier to audit your backups and ensure
compliance.
Cross-Region Backup
Using AWS Backup, you can copy backups to multiple different AWS Regions on demand or automatically
as part of a scheduled backup plan. Cross-Region backup is particularly valuable if you have business
continuity or compliance requirements to store backups a minimum distance away from your production
data.
Policy-Based Backup Solutions

With AWS Backup, you can create backup policies known as backup plans. Use these backup plans to
define your backup requirements and then apply them to the AWS resources that you want to protect
across the AWS services that you use. You can create separate backup plans that each meet specific
business and regulatory compliance requirements. This helps ensure that each AWS resource is backed up
according to your requirements. Backup plans make it easy to enforce your backup strategy across your
organization and across your applications in a scalable manner.
Tag-Based Backup Policies

You can use AWS Backup to apply backup plans to your AWS resources by tagging them. Tagging makes
it easier to implement your backup strategy across all your applications and to ensure that all your AWS
resources are backed up and protected. AWS tags are a great way to organize and classify your AWS
resources. Integration with AWS tags enables you to quickly apply a backup plan to a group of AWS
resources, so that they are backed up in a consistent and compliant manner.
Backup Activity Monitoring

AWS Backup provides a dashboard that makes it simple to audit backup and restore activity across AWS
services. With just a few clicks on the AWS Backup console, you can view the status of recent backup
jobs. You can also restore jobs across AWS services to ensure that your AWS resources are properly
protected.
AWS Backup integrates with AWS CloudTrail. CloudTrail gives you a consolidated view of backup activity
logs that make it quick and easy to audit how your resources are backed up. AWS Backup also integrates
with Amazon Simple Notification Service (Amazon SNS), providing you with backup activity notifications,
such as when a backup succeeds or a restore has been initiated.
Lifecycle Management Policies

AWS Backup enables you to meet compliance requirements while minimizing backup storage costs by
storing backups in a low-cost cold storage tier. You can configure lifecycle policies that automatically
transition backups from warm storage to cold storage according to a schedule that you define.
Backup Access Policies

AWS Backup offers resource-based access policies for your backup vaults to define who has access
to your backups. You can define access policies for a backup vault that define who has access to the
backups within that vault and what actions they can take. This provides a simple and secure way to
control access to your backups across AWS services, helping you meet your compliance requirements.
2
Getting Started
Getting Started
To learn more about AWS Backup, we recommend that you start with the following sections:
• AWS Backup: How It Works (p. 4)

• Getting Started with AWS Backup (p. 10)
3
Working with Other Services
AWS Backup: How It Works

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backing
up of data across AWS services. With AWS Backup, you can create backup policies called backup plans.
You can use these plans to define your backup requirements, such as how frequently to back up your
data and how long to retain those backups.
AWS Backup lets you apply backup plans to your AWS resources by simply tagging them. AWS Backup
then automatically backs up your AWS resources according to the backup plan that you defined.
The following sections describe how AWS Backup works, its implementation details, and security
considerations.
Topics
• How AWS Backup Works with Other AWS Services (p. 4)
• Cross-Region Backups (p. 7)
• Metering Backup and Pricing Usage (p. 7)
• AWS Backup Blogs, Videos, and Other Resources (p. 7)
How AWS Backup Works with Other AWS Services

Many AWS services offer backup features that help you protect your data. These features include
Amazon Elastic Block Store (Amazon EBS) snapshots, Amazon Relational Database Service (Amazon RDS)
snapshots, Amazon DynamoDB backups, and AWS Storage Gateway snapshots.
AWS Backup uses existing backup capabilities of AWS services to implement its centralized features. For
example, when you create a backup plan, AWS Backup uses the EBS snapshot capabilities when creating
backups on your behalf according to your backup plan.
All per-service backup capabilities continue to be available. For example, you can make snapshots of
your EBS volumes using the Amazon Elastic Compute Cloud (Amazon EC2) API. AWS Backup provides
a common way to manage backups across AWS services both in the AWS Cloud and on premises. AWS
Backup provides a centralized backup console that offers backup scheduling, retention management, and
backup monitoring.
Note
Backups created with AWS Backup cannot be deleted with APIs belonging to the backed-
up resource. For information about deleting recovery points using the AWS Backup API, see
DeleteRecoveryPoint (p. 92).
For more information about how AWS Backup works with other AWS services, see the following:
• Amazon EC2 Related Services

• Using AWS Backup with Amazon EFS
• On-Demand Backup and Restore for DynamoDB
• Amazon EBS Snapshots
• Backing Up and Restoring Amazon RDS DB Instances
• Backing Up Your Volumes in AWS Storage Gateway
4
Working with Amazon EC2
Working with Amazon EC2

Using AWS Backup, you can schedule or perform on-demand backup jobs that include entire EC2
instances, along with associated configuration data. This limits the need for you to interact with the
storage (Amazon EBS) layer. Similarly, you can restore an entire Amazon EC2 instance from a single
recovery point. A job can only have one resource, so you can have a job to back up an EC2 instance, and it
will back up the root volume, all data volumes, and the associated instance configurations.
Backing Up Amazon EC2 Resources
When backing up an Amazon EC2 instance, AWS Backup takes a snapshot of the root Amazon EBS
storage volume, the launch configurations, and all associated EBS volumes. AWS Backup stores certain
configuration parameters of the EC2 instance, including instance type, security groups, Amazon VPC,
monitoring configuration, and tags. The backup data is stored as an Amazon EBS volume-backed AMI
(Amazon Machine Image).
AWS Backup will not back up the following:
• Configuration of the elastic inference accelerator, if it is attached to the instance.

• User data used when the instance was launched.
Note
For all instance types, only Amazon EBS backed EC2 instances are supported. Ephemeral storage
instances (that is, instance store-backed instances) are not supported.
AWS Backup can encrypt EBS snapshots associated with an Amazon EC2 backup. This is similar to how it
encrypts EBS snapshots. AWS Backup uses the same encryption applied on the underlying EBS volumes
when creating a snapshot of the Amazon EC2 AMI, and the configuration parameters of the original
instance are persisted in the restore metadata.
A snapshot derives its encryption from the volume as you have defined, and the same encryption is
applied to the corresponding snapshots. EBS snapshots of a copied AMI will always be encrypted. If you
use a KMS key during the copy, the key will be applied. If you don't use a KMS key, a default KMS key is
applied.
Restoring Amazon EC2 Resources
You can restore Amazon EC2 resources using the AWS Backup console, AWS Command Line Interface
(AWS CLI), or API.
The console provides an interactive user interface for restoring resources, but its functionality is limited.
Currently, you can't use the AWS Backup console to configure the following restore parameters.
NetworkInterfaces = [{
"AssociatePublicIpAddress": true,
"DeleteOnTermination": false,
"Description": "test network interface",
"DeviceIndex": 1,
"Groups": ["your nic_groups_id"],
"Ipv6AddressCount": 1,
"Ipv6Addresses": [{
"Ipv6Address1": "ipv6_address2"
}],
"NetworkInterfaceId": "your nic_interface_id",
"PrivateIpAddress": "your private_ip_address",
"PrivateIpAddresses": [{
"Primary": true,
"PrivateIpAddress": "private_ip_address_1"
5
Working with Amazon RDS
}, {
"Primary": false,
"PrivateIpAddress": "private_ip_address_2"
}],
"SecondaryPrivateIpAddressCount": 1,
"SubnetId": "nic_subnet_id",
"InterfaceType": "interface"
}],
ElasticGpuSpecification = [{
"Type": "test_elastic_gpu_type"
}],
CapacityReservationSpecification = {
"CapacityReservationPreference": "none"
},
InstanceMarketOptions = {
"MarketType": "spot",
"SpotOptions": {
"MaxPrice": "test_spot_price_value",
"SpotInstanceType": "persistent",
"BlockDurationMinutes": 20,
"ValidUntil": "2019-12-16T12:34:56.000Z",
"InstanceInterruptionBehavior": "hibernate"
}
},
LicenseSpecifications = [{
"LicenseConfigurationArn": "your_license_configuration_arn"
}],
However, you can use the AWS CLI and the API to perform a full restore. For more information about
restore parameters, see run-instances.
All the restore configurations for an EC2 instance should be provided as restore metadata, which is a map
of key-value pairs. The key is the name of the configuration, and value as is a JSON serialized string.
Note
When restoring a backup, AWS Backup doesn’t allow mutation of the SSH key pair, so you can
only restore using a backed-up key pair.
AWS Backup doesn't allow you to modify the instance profile to prevent the possibility of
privilege escalations. You can choose not to apply this from AWS Backup, but if you want to
change it, you can apply it from EC2.
To successfully do a restore with the original instance profile, you must edit the restore policy. If you
apply an instance profile during the restore, you have to update the operator role and add PassRole
permissions of the underlying instance profile role to Amazon EC2. Otherwise, Amazon EC2 can't
authorize the instance launch, and it will fail.
Note
When you are restoring from AWS Backup, all quotas and restrictions of the configuration that
can be used to launch an instance from an EC2 run instance API apply.
Working with Amazon RDS

AWS Backup currently supports all Amazon RDS database engines except Amazon Aurora.
6
Working with AWS Storage Gateway
Working with AWS Storage Gateway

Amazon EBS snapshots can be restored as AWS Storage Gateway volumes. For information about
restoring resources, see Backups (p. 28).
Cross-Region Backups
Using AWS Backup, you can copy backups to multiple AWS Regions on demand or automatically as
part of a scheduled backup plan. Cross-Region replication is particularly valuable if you have business
continuity or compliance requirements to store backups a minimum distance away from your production
data.
You can use the AWS Backup console, the AWS Command Line Interface (AWS CLI), or the AWS Backup
API to copy your backups for the following resources, defining different backup lifecycles in different
Regions as appropriate:
• Amazon Elastic File System (Amazon EFS) file systems

Note
Copy rules are at the plan level. If you want to apply a different copy rule to a subset of file
systems, you should create a new plan.
• Amazon Elastic Block Store (Amazon EBS) volumes
• Amazon Relational Database Service (Amazon RDS) databases
• AWS Storage Gateway volumes
You can also recover from backups stored in different Regions. For information about creating copies, see
Creating a Backup Copy (p. 30).
Cross-Region backups are available in all AWS Regions that are available in AWS Backup except Asia
Pacific (Hong Kong) and Middle East (Bahrain).
Metering Backup and Pricing Usage

Backup usage for existing backup capabilities (except Amazon EFS) will continue to be metered and
billed by their respective service, and the pricing remains unchanged. There is no additional charge to
use the AWS Backup centralized backup features beyond the existing backup storage pricing charged by
AWS services, such as Amazon EBS snapshot storage fees. There is no additional charge for Amazon EC2
instance backups.
For services that introduce backup capabilities on AWS Backup, such as Amazon EFS, backup usage is
metered and billed by AWS Backup. For more information, see AWS Backup pricing.
AWS Backup Blogs, Videos, and Other Resources

For more information about AWS Backup, including benefits, use cases, blogs, and videos, see the
following:
• AWS Backup
7
Sign up for AWS
Setting Up
Before you use AWS Backup for the first time, complete the following tasks:
1. Sign up for AWS (p. 8)

2. Create an IAM User (p. 8)
Sign up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all
services in AWS, including AWS Backup. You are charged only for the services that you use.
For more information about AWS Backup usage rates, see the AWS Backup Pricing page. If you are a new
AWS customer, you can get started with AWS Backup for free. For more information, see AWS Free Usage
Tier.
If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the
following procedure to create one.
To create an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the
phone keypad.
Note your AWS account number, because you'll need it for the next task.
Create an IAM User

Services in AWS, such as AWS Backup, require that you provide credentials when you access them, so
that the service can determine whether you have permissions to access its resources. AWS recommends
that you do not use the AWS account root user to make requests. Instead, create an IAM user, and grant
that user full access. We refer to these users as administrator users. You can use the administrator
user credentials, instead of the AWS account root user credentials, to interact with AWS and perform
tasks, such as create a bucket, create users, and grant them permissions. For more information, see
AWS Account Root User Credentials vs. IAM User Credentials in the AWS General Reference and IAM Best
Practices in the IAM User Guide.
If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM
console.
To create an administrator user for yourself and add the user to an administrators group
(console)
1. Use your AWS account email address and password to sign in as the AWS account root user to the
IAM console at https://console.aws.amazon.com/iam/.
8
Create an IAM User
Note
We strongly recommend that you adhere to the best practice of using the Administrator
IAM user below and securely lock away the root user credentials. Sign in as the root user
only to perform a few account and service management tasks.
2. In the navigation pane, choose Users and then choose Add user.
3. For User name, enter Administrator.
4. Select the check box next to AWS Management Console access. Then select Custom password, and
then enter your new password in the text box.
5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You
can clear the check box next to User must create a new password at next sign-in to allow the new
user to reset their password after they sign in.
6. Choose Next: Permissions.
7. Under Set permissions, choose Add user to group.
8. Choose Create group.
9. In the Create group dialog box, for Group name enter Administrators.
10. Choose Filter policies, and then select AWS managed -job function to filter the table contents.
11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
Note
You must activate IAM user and role access to Billing before you can use the
AdministratorAccess permissions to access the AWS Billing and Cost Management
console. To do this, follow the instructions in step 1 of the tutorial about delegating access
to the billing console.
12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to
see the group in the list.
13. Choose Next: Tags.
14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information
about using tags in IAM, see Tagging IAM Entities in the IAM User Guide.
15. Choose Next: Review to see the list of group memberships to be added to the new user. When you
are ready to proceed, choose Create user.
You can use this same process to create more groups and users and to give your users access to your AWS
account resources. To learn about using policies that restrict user permissions to specific AWS resources,
see Access Management and Example Policies.
To sign in as this new IAM user, sign out of the AWS Management Console. Then use the following URL,
where your_aws_account_id is your AWS account number without the hyphens (for example, if your AWS
account number is 1234-5678-9012, your AWS account ID is 123456789012):
https://your_aws_account_id.signin.aws.amazon.com/console/
Enter the IAM user name and password that you just created. When you're signed in, the navigation bar
displays your_user_name@your_aws_account_id.
If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an
account alias. From the IAM dashboard, click Create Account Alias and enter an alias, such as your
company name. To sign in after you create an account alias, use the following URL:
https://your_account_alias.signin.aws.amazon.com/console/
To verify the sign-in link for IAM users for your account, open the IAM console and check under AWS
Account Alias on the dashboard.
9
Prerequisites
Getting Started with AWS Backup

This tutorial shows you how to perform the tasks necessary to back up and restore your resources using
AWS Backup.
Topics
• Prerequisites (p. 10)
• Step 1: Create an On-Demand Backup (p. 11)
• Step 2: Create a Scheduled Backup (p. 12)
• Step 3: Monitor Your Backup Jobs and Verify That Your Resources Are Protected (p. 15)
• Step 4: Restore a Backup (p. 16)
• Step 5: Clean Up Resources (p. 18)
Prerequisites
Before you begin, ensure that you have the following:
• An AWS account. For more information, see Setting Up (p. 8).

• An Amazon Elastic Block Store (Amazon EBS) volume. For information about Amazon EBS, see Amazon
Elastic Block Store (Amazon EBS) in the Amazon EC2 User Guide for Linux Instances.
For information about creating an Amazon EBS volume, see Creating an Amazon EBS Volume in the
Amazon EC2 User Guide for Linux Instances.
• You should be familiar with the services that you are backing up. You also need a set of resources that
you will protect with AWS Backup.
AWS Backup currently supports the following services:

• Amazon Elastic Compute Cloud (Amazon EC2)
For information about getting started with Amazon EC2 and creating Amazon EC2 resources, see
Getting Started with Amazon EC2 Windows Instances in the Amazon EC2 User Guide for Windows
Instances or Getting Started with Amazon EC2 Linux Instances in the Amazon EC2 User Guide for
Linux Instances.
• Amazon Elastic File System (Amazon EFS)
For information about getting started with Amazon EFS and creating Amazon EFS resources, see
Getting Started with Amazon Elastic File System in the Amazon Elastic File System User Guide.
• Amazon DynamoDB
For information about setting up and creating DynamoDB resources, see Getting Started with
DynamoDB in the Amazon DynamoDB Developer Guide.
• Amazon Relational Database Service (Amazon RDS)
For information about getting started with Amazon RDS, see Getting Started with Amazon RDS in
the Amazon RDS User Guide.
Note
AWS Backup currently supports all Amazon RDS database engines except Amazon Aurora.
• AWS Storage Gateway
10
Step 1: Create an On-Demand Backup
For information about creating a volume gateway, see Creating a Volume Gateway in the AWS
Storage Gateway User Guide.
• Your resources are all in the same AWS Region. This tutorial uses the US East (N. Virginia) Region (us-
east-1).
• You have AWS resources that you will be backing up in the Region that you're using for this tutorial.
To complete this tutorial, you can use your AWS account root user to sign in to the AWS Management
Console. However, AWS Identity and Access Management (IAM) recommends that you not use the AWS
account root user. Instead, create an administrator in your account and use those credentials to manage
resources in your account. For more information, see Setting Up (p. 8).
Step 1: Create an On-Demand Backup

On the AWS Backup console, the Protected resources page lists resources that have been backed up by
AWS Backup at least once. If you’re using AWS Backup for the first time, there aren’t any resources, such
as Amazon EBS volumes or Amazon RDS databases, listed on this page. This is true even if that resource
was assigned to a backup plan if that backup plan has not run a scheduled backup job at least once.
In this first step, you create an on-demand backup of one of your resources. You will then see this
resource listed on the Protected resources page.
To create an on-demand backup
1. Sign in to the AWS Management Console, and open the AWS Backup console at https://
console.aws.amazon.com/backup.
2. From the dashboard, choose Create on-demand backup. Or, using the navigation pane, choose
Protected resources, and then Create on-demand backup.
3. On the Create on-demand backup page, choose the resource type that you want to back up; for
example, choose DynamoDB for Amazon DynamoDB tables.
4. Choose the name or ID of the resource that you want to protect; for example, VideoMetadataTable.
5. Ensure that Create backup now is selected. This initiates a backup immediately and enables you to
see your saved resource sooner on the Protected resources page.
6. Specify a transition to cold storage value (if appropriate) and an expire value.
Note
Only Amazon EFS backups support transition to cold storage. All other resource types are
saved to warm storage. The expire value is valid for all resource types.
7. Choose an existing backup vault. Choosing Create new backup vault opens a new page to create a
vault and then returns you to the Create on-demand backup page when you are finished.
8. Under IAM role, choose Default role.
Note
If the AWS Backup default role is not present in your account, a role is created for you with
the correct permissions.
9. If you want to assign one or more tags to your on-demand backup, enter a key and optional value,
and choose Add tag.
Note
When creating a tag-based backup plan, if you choose a role other than Default role, make
sure that it has the necessary permissions to back up all tagged resources. AWS Backup tries
to process all resources with the selected tags. If it encounters a resource that it doesn't
have permission to access, the backup plan fails.
11
Next Steps
10. Choose Create on-demand backup. This takes you to the Jobs page, where you will see a list of jobs.
11. Choose the Backup job ID for the resource that you chose to back up to see the details of that job.
Next Steps
To verify the status and monitor the details of your backup activity, proceed to Step 2: Create a
Scheduled Backup (p. 12).
Step 2: Create a Scheduled Backup

In this step of the AWS Backup tutorial, you create a backup plan, assign resources to it, and then create
a backup vault.
Before you begin, ensure that you have the required prerequisites. For more information, see Getting
Started with AWS Backup (p. 10).
Topics
• Create a Backup Plan by Modifying an Existing One (p. 12)
• Assign Resources to a Backup Plan (p. 13)
• Create a Backup Vault (p. 14)
• Next Steps (p. 14)
Create a Backup Plan by Modifying an Existing One

A backup plan is a policy expression that defines when and how you want to back up your AWS
resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems.
You assign resources to backup plans, and AWS Backup then automatically backs up and retains backups
for those resources according to the backup plan. For more information, see Managing Backups Using
Backup Plans (p. 20).
There are two ways to create a new backup plan: You can build one from scratch or build one based
on an existing backup plan. This example uses the AWS Backup console to create a backup plan by
modifying an existing backup plan.
To create a backup plan from an existing one
2. From the dashboard, choose Manage Backup plans. Or, using the navigation pane, choose Backup
plans.
3. Choose a plan from the list (for example, Daily-Monthly-1yr-Retention), and enter a name in
the Backup plan name box.
Note
If you try to create a backup plan that is identical to an existing plan, you get an
AlreadyExistsException error.
4. On the plan summary page, choose the radio button for the backup rule and then choose Edit.
Review and choose the values that you want for your rule. For example, you can extend the
retention period of the backup in the Monthly rule to three years instead of one year.
5. For the backup vault, choose Default.
12
Assign Resources to a Backup Plan
6. When you have finished editing the rule, choose Save.
On the Summary page, choose Assign resources to prepare for the next section.
Assign Resources to a Backup Plan

To apply backup plans to your AWS resources, you choose a backup plan and assign resources to it
by using tags or listing the resource IDs directly. For more information about resources, see Assigning
Resources to a Backup Plan (p. 22).
If you don’t already have existing AWS resources that you want to assign to a backup plan, create some
new resources to use for this exercise. You can create multiple resources from several or all of the
supported services. These resources can include the following:
• DynamoDB tables
• Amazon EBS volumes
• Amazon EC2 instances
• Amazon EFS file systems
• Amazon RDS instances
• AWS Storage Gateway volumes
Note
To assign resources by tags, you must apply tags to your resources. For example, you
might want to tag all of the resources for this exercise with the key-value pair of
BackupPlan:MissionCritical.
To assign resources to a backup plan
1. On the AWS Backup console dashboard, choose Manage Backup plans. Or, using the navigation
pane, choose Backup plans.
2. Choose a plan from the list; for example, Daily-Monthly-1yr-Retention.
3. On the plan summary page, choose Assign resources.
4. In the Resource assignment name field, choose a name for the resource assignment.
For example, you can name your resource selection, ApplicationFoo. You can then assign all the
AWS resources used for this application, which might be a mix of Amazon EBS volumes, Amazon EFS
file systems, and Amazon RDS tables.
5. Under IAM role, choose Default role.
Note
If you choose a role other than Default role, the role name must include either the string
AwsBackup or AWSBackup. Role names without one of those strings don't have sufficient
permissions to perform the operation. Also, make sure that your custom role has the
necessary permissions to back up all tagged resources. For more information, see Assigning
Resources to a Backup Plan (p. 22).
6. In the Assign resources section, ensure that the Assign by control displays Tags. Enter a key and
value that your resources are tagged with; for example, BackupPlan:MissionCritical. Choose
Add assignment to add all resources that are tagged with your chosen key-value pair.
Note
13
Create a Backup Vault
to process all resources with the selected tags. If it encounters a resource that it doesn't
have permission to access, the backup plan fails.
Any supported resource in the selected Region that is tagged with this key-value pair is
automatically assigned to this backup plan.
7. When a new Assign by control appears below your first resource assignment, change the value to
Resource ID.
8. Choose the resource type that you want to add to your selection, for example, EBS. Place your cursor
in the Volume ID field, and the available resources for this type will appear.
9. Choose a resource from the list, and then choose Add assignment.
10. When you have finished adding resources, choose Assign resources.
You then return to the plan summary page, which contains information about your backup plan, your
backup rules, your resource assignments, and any backup plan tags.
Create a Backup Vault

Instead of using the default backup vault that is automatically created for you on the AWS Backup
console, you can create specific backup vaults to save and organize groups of backups in the same vault.
For more information about backup vaults, see Organizing Backups Using Backup Vaults (p. 24).
To create a backup vault
1. On the AWS Backup console, in the navigation pane, choose Backup vaults.
Note
If the navigation pane is not visible on the left side, you can open it by choosing the menu
icon in the upper-left corner of the AWS Backup console.
2. Choose Create backup vault.
3. Enter a name for your backup vault. You can name your vault to reflect what you will store
in it, or to make it easier to search for the backups you need. For example, you could name it
FinancialBackups.
4. Select an AWS KMS key. You can use either a key that you already created, or select the default AWS
Backup master key.
Note
The AWS KMS key that is specified here applies only to backups of services that support
AWS Backup encryption. Currently only Amazon Elastic File System (Amazon EFS) is
supported.
5. Optionally, add tags that will help you search for and identify your backup vault. For example, you
could add a BackupType:Financial tag.
6. Choose Create Backup vault.
7. In the navigation pane, choose Backup vaults, and verify that your backup vault has been added.
Note
You can now edit a backup rule in one of your backup plans to store backups created by that
rule in the backup vault you just created.
Next Steps
To verify the status and monitor the details of your backup activity, proceed to Step 3: Monitor Your
Backup Jobs and Verify That Your Resources Are Protected (p. 15).
14
Step 3: Monitor Your Backup Jobs
Step 3: Monitor Your Backup Jobs and Verify That

Your Resources Are Protected
AWS Backup enables you to view the status and other details of backup and restore activity across the
AWS services that you use.
On the AWS Backup dashboard, you can manage backup plans, create on-demand backups, restore
backups, and view the status of backup and restore jobs.
Topics
• View the Status of Backup Jobs (p. 15)
• View All Backups in a Vault (p. 15)
• View Details of Protected Resources (p. 15)
• Next Steps (p. 16)
View the Status of Backup Jobs

Use the AWS Backup dashboard to quickly view the status of your backup and restore activity.
To view backup job status
1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

2. In the navigation pane, choose Dashboard.
3. To view the status of your backup jobs, choose Backup jobs details. This takes you to the Backup
jobs page, where you can view tables containing backup jobs and restore jobs.
4. You can filter the jobs that are displayed by time. For example, jobs created in the last 24 hours, the
last week, or the last 30 days. You can also set the number of jobs to display per page by choosing
the gear icon.
View All Backups in a Vault

Follow these steps to view the backups that were created in a specified vault in AWS Backup.
To view all backups in a vault
2. Choose the vault that you used when creating an on-demand or scheduled backup, and view all the
backups that were created in this vault.
View Details of Protected Resources

On the Protected resources page, you can explore details of the resources that are backed up in AWS
Backup.
To view protected resources
1. On the AWS Backup console, in the navigation pane, choose Protected resources.
15
Next Steps
2. View the AWS resources that are being backed up. Choose a resource in the list to explore your
backups for that resource.
Next Steps
After monitoring and verifying the backups for your resource, proceed to Step 4: Restore a
Backup (p. 16).
Step 4: Restore a Backup

After a resource has been backed up at least once, it is considered protected and is available to be
restored using AWS Backup.
Follow these steps to restore a resource using the AWS Backup console.
For additional information on restore parameters for specific services or restoring a backup using the
AWS CLI or the AWS Backup API, see https://docs.aws.amazon.com/aws-backup/latest/devguide/
restoring-a-backup.html.
To restore a resource

2. In the navigation pane, choose Protected resources and the resource ID you want to restore.
3. A list of your recovery points, including the resource type, is displayed by Resource ID. Choose a
resource to open the Resource details page.
4. To restore a resource, in the Backups pane, choose the radio button next to the recovery point ID of
the resource. In the upper-right corner of the pane, choose Restore.
5. Specify the restore parameters. The restore parameters shown are specific to the resource type that
is selected.
Note
If you only keep one backup, you can only restore to the state of the file system at the time
you took that backup. You can't restore to prior incremental backups.
Amazon Elastic Block Store (Amazon EBS)
For example, if you are restoring an Amazon Elastic Block Store (Amazon EBS) snapshot, you can
choose to restore the snapshot as an EBS volume or as an AWS Storage Gateway volume. This is
because AWS Backup integrates with both services, and any Amazon EBS snapshot can be restored
to either an EBS volume or an AWS Storage Gateway volume.
For more information on restoring with Amazon EBS, see https://docs.aws.amazon.com/AWSEC2/

latest/UserGuide/ebs-restoring-volume.html
Amazon Elastic File System (Amazon EFS)
If you are restoring an Amazon Elastic File System (Amazon EFS) instance, you can perform a Full
restore, which restores the entire file system. Or, you can restore specific files and directories using
an Item-level restore.
For more information, including restoring an Amazon EFS) recovery point to a different directory in
case of a disaster recovery situation, see Restore a Recovery Point at https://docs.aws.amazon.com/
efs/latest/ug/awsbackup.html.
Full restore
16
Step 4: Restore a Backup
To perform a full restore, follow the Amazon EFS instructions at https://docs.aws.amazon.com/efs/

latest/ug/awsbackup.html.
Item-level restore
To restore a specific file or directory, you must specify the relative path related to the mount point.
For example, if the file system is mounted to /user/home/myname/efs and the file path is user/
home/myname/efs/file1, enter /file1.
Paths are case sensitive and cannot contain special characters, wildcards, and regex strings.
For more information, see the Restore a Recovery Point section at https://docs.aws.amazon.com/efs/
latest/ug/awsbackup.html
Storage Gateway
To restore a Storage Gateway volume using AWS Backup, see https://docs.aws.amazon.com/

storagegateway/latest/userguide/backing-up-volumes.html.
DynamoDB
To restore a DynamoDB table, see https://docs.aws.amazon.com/amazondynamodb/latest/

developerguide/Restore.Tutorial.html.
Amazon Elastic Compute Cloud (Amazon EC2)
To restore an Amazon EC2instance, see https://docs.aws.amazon.com/AWSEC2/latest/

WindowsGuide/ebs-restoring-volume.html .
6. For Restore role, choose Default role.
Note
7. Choose Restore backup.
The Restore jobs pane appears. A message at the top of the page provides information about the
restore job.
Note
When you perform a restore to restore specific items within an Amazon EFS instance, you can
restore those items to either a new or an existing file system. If you restore the items to an
existing file system, AWS Backup creates a new Amazon EFS directory off of the root directory
to contain the items. The full hierarchy of the specified items is preserved in the recovery
directory. For example, if directory A contains subdirectories B, C, and D, AWS Backup retains the
hierarchical structure when A, B, C, and D are recovered.
Regardless of whether you perform an Amazon EFS partial restore to an existing file system
or to new file system, each restore attempt creates a new recovery directory off of the root
directory to contain the restored files. If you attempt multiple restores for the same path,
several directories containing the restored items might exist.
To restore an Amazon Elastic File System (Amazon EFS)
Item-level restore. For information restoring a specific resource, see Restoring a Backup Using the
Console (p. 31)
17
Next Steps
For detailed information about restore, see Restoring a Backup (p. 31).
Next Steps
After you verify your restore results, we recommend that you delete any AWS resources that you don't
need to keep, so as not to incur unnecessary charges. For more information, see Step 5: Clean Up
Resources (p. 18).
Step 5: Clean Up Resources

After you perform all the tasks in Getting Started with AWS Backup (p. 10), you might want to clean
up what you have created to avoid incurring any unnecessary charges.
Topics
• Delete Restored AWS Resources (p. 18)
• Delete the Backup Plan (p. 18)
• Delete the Recovery Points (p. 18)
• Delete the Backup Vault (p. 19)
Delete Restored AWS Resources

To delete AWS resources that you restored from a recovery point, such as Amazon Elastic Block Store
(Amazon EBS) volumes or Amazon DynamoDB tables, you use the console for that service. For example,
to delete an Amazon Elastic File System (Amazon EFS) file system, use the Amazon EFS console.
Note
This refers to restored resources, not recovery points stored in a backup vault.
Delete the Backup Plan

If you don't want to create scheduled backups, you should delete your backup plans. You must delete all
resource assignments for a backup plan before the plan can be deleted.
Follow these steps to delete a backup plan:
To delete a backup plan

2. In the navigation pane, choose Backup plans.
3. On the Backup plans page, choose the backup plan that you want to delete. This takes you to the
details page for that backup.
4. To delete the resource assignments for your plan, choose the radio button next to the assignment
name, and then choose Delete.
5. To delete the backup plan, choose Delete in the upper-right corner of the page.
6. On the confirmation page, enter the plan name, and choose Delete plan.
Delete the Recovery Points

Next, you can delete the backup recovery points that are in your backup vault.
18
Delete the Backup Vault
To delete the recovery points
2. On the Backup vaults page, choose the backup vault where you stored the backups.
3. Choose the recovery points and delete them one by one.
Delete the Backup Vault

You can't delete the default backup vault in AWS Backup. However, if you created a different backup
vault, empty the backup vault by deleting the backups. Then select the backup vault and choose Delete.
19
Creating a Backup Plan
Managing Backups Using Backup

Plans
In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up
your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file
systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains
backups for those resources according to the backup plan. You can create multiple backup plans if you
have workloads with different backup requirements.
The following sections provide the basics of managing your backup strategy in AWS Backup.
Topics
• Creating a Backup Plan (p. 20)
• Assigning Resources to a Backup Plan (p. 22)
• Deleting a Backup Plan (p. 23)
• Updating a Backup Plan (p. 23)
Creating a Backup Plan

When you create a backup plan, it is added to the set of plans in your account. You can also use the AWS
CloudFormation template to create a backup plan. For information, see AWS Backup Resource Type
Reference in the AWS CloudFormation User Guide.
Topics
• Creating Backup Plans Using the AWS Management Console (p. 20)
• Backup Plan Options and Configuration (p. 21)
Creating Backup Plans Using the AWS Management

Console
AWS Backup provides two ways to get started using the AWS Backup console:
• Start from an existing plan — You can create a new backup plan based on the configurations in an
existing plan. Be aware that backup plans created by AWS Backup are based on backup best practices
and common backup policy configurations. When you select an existing backup plan to start from, the
configurations from that backup plan are automatically populated for your new backup plan. You can
then change any of these configurations according to your backup requirements.
For step-by-step instructions, see Create a Backup Plan by Modifying an Existing One (p. 12) in the
Getting Started section.
• Build a new plan from scratch — You can create a new backup plan by specifying each of the backup
configuration details, as described in the next section. You can choose from the recommended default
configurations.
Note
20
Backup Plan Options and Configuration
Backup Plan Options and Configuration

When you define a backup plan in the AWS Backup console, you configure the following options:
Backup Plan Name

You must provide a unique backup plan name.
Note
Backup Rules
Backup plans are composed of one or more backup rules. Each backup rule consists of the following
elements.
Backup Rule Name

Backup rule names are case sensitive. They must contain from 1 to 63 alphanumeric characters or
hyphens.
Backup Frequency
The backup frequency determines how often a backup is created. You can choose a frequency of every
12 hours, daily, weekly, or monthly. When selecting weekly, you can specify which days of the week you
want backups to be taken. When selecting monthly, you can choose a specific day of the month.
Backup Window
Backup windows consist of the time that the backup window begins and the duration of the window in
hours. Backup jobs are started within this window. If you are unsure what backup window to use, you can
choose to use the default backup window that AWS Backup recommends. The default backup window is
set to start at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours.
Note
You can customize the backup frequency and backup window start time using a cron expression.
For more information about cron expressions, see Schedule Expressions for Rules in the Amazon
CloudWatch Events User Guide.
Lifecycle
The lifecycle defines when a backup is transitioned to cold storage and when it expires. AWS Backup
transitions and expires backups automatically according to the lifecycle that you define. Backups
transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, on the
console, the “expire after days” setting must be 90 days greater than the “transition to cold after days”
setting. You can't change the “transition to cold after days” setting after a backup has been transitioned
to cold.
Note
Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold
storage expression is ignored for the backups of Amazon Elastic Block Store (Amazon EBS),
Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and AWS Storage
Gateway.
Backup Vault
A backup vault is a container to organize your backups in. Backups created by a backup rule are
organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the
21
Assigning Resources
AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup
vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to
help you organize them. If you don't want to use the default vault, you can create your own. For step-by-
step instructions for creating a backup vault, see Create a Backup Vault (p. 14).
Copy to Regions
As part of your backup plan, you can optionally create a backup copy in another AWS Region. For more
information about backup copies, see Cross-Region Backups (p. 7).
When you define a backup copy, you configure the following options:
Destination Region
The destination Region for the backup copy.
(Advanced Settings) Backup Vault
The destination backup vault for the copy.
(Advanced Settings) IAM Role
The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed
as a trusted entity, which enables AWS Backup to assume the role. If you choose Default and the AWS
Backup default role is not present in your account, a role is created for you with the correct permissions.
(Advanced Settings) Lifecycle
Specifies when to transition the backup copy to cold storage and when to expire (delete) the copy.
Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. You can't
change this value after a copy has transitioned to cold storage.
Expire specifies the number of days after creation that the copy is deleted. This must be greater than 90
days beyond the Transition to cold storage value.
Tags Added to Recovery Points

The tags that you list here are automatically added to backups when they are created.
Tags Added to Backup Plans

These tags are associated with the backup plan itself to help you organize and track your backup plan.
Assigning Resources to a Backup Plan

When you assign a resource to a backup plan, that resource is backed up automatically according to the
backup plan. The backups for that resource are managed according to the backup plan. You can assign
resources using tags or resource IDs.
Using tags to assign resources is a simple and scalable way to back up multiple resources. Any resources
with the tags that you specify in the resource assignment are assigned to the backup plan. For example,
if you include the tag values "July" and "August," your backup will include all resources tagged with the
selected months.
For example, you can define a backup plan that meets your backup requirements for mission
critical data and create a resource assignment with the tag key "Classification" and tag value
22
Deleting a Backup Plan
"MissionCritical." Then any of your resources with that tag are automatically assigned to your
mission critical backup plan.
Note
to process all resources with the selected tags. If it encounters a resource that it doesn't have
permission to access, the backup plan fails.
For step-by-step instructions for assigning resources to a backup plan, see Assign Resources to a Backup
Plan (p. 13) in the Getting Started section.
Deleting a Backup Plan

You can delete a backup plan only after all associated selections of resources have been deleted.
Deleting a backup plan deletes the current version of the plan. The current and previous versions, if any,
still exist, but they are no longer listed on the console under Backup plans.
Note
When a backup plan is deleted, existing backups are not deleted. To remove existing backups,
delete them from the backup vault.
To delete a backup plan using the AWS Backup console
2. In the navigation pane on the left, choose Backup plans.
3. Choose your backup plan in the list.
4. Select any resource assignments that are associated with the backup plan.
5. Choose Delete.
Updating a Backup Plan

After creating a backup plan, you can edit the plan—for example, you can add tags, or you can add, edit,
or delete backup rules. Any changes that you make to a backup plan have no effect on existing backups
created by the backup plan. The changes apply only to backups that are created in the future.
For example, when you update the retention period in a backup rule, the retention period of backups
created before you made the update remain the same. Any backups that are created by that rule going
forward reflect the updated retention period.
To edit a backup plan using the AWS Backup console

2. In the navigation pane, choose Backup plans.
3. Choose a backup rule and choose Edit.
4. In the backup rule, change the settings that you want, and then choose Save.
23
Creating a Backup Vault
Organizing Backups Using Backup

Vaults
In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup
vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt
backups in the backup vault and to control access to the backups in the backup vault. If you require
different encryption keys or access policies for different groups of backups, you can optionally create
multiple backup vaults. Otherwise, you can have all your backups organized in the default backup vault.
This section provides an overview of how to manage your backup vaults in AWS Backup.
Topics
• Creating a Backup Vault (p. 24)
• Setting Access Policies on Backup Vaults and Recovery Points (p. 25)
• Deleting a Backup Vault (p. 27)
Creating a Backup Vault

An AWS account can create up to 100 backup vaults per AWS Region.
For step-by-step instructions for creating a backup vault, see Create a Backup Vault (p. 14) in the Getting
Started guide.
When creating a backup vault, you can define the following elements.
Backup Vault Name

Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters or
hyphens.
KMS Encryption Master Key

The AWS KMS encryption master key is used to protect your backups in this backup vault. By default,
AWS Backup creates a master key with the alias aws/backup for you. You can choose that key or choose
any other key in your account.
You can create a new master encryption key by going to the Encryption keys section of the AWS
Identity and Access Management (IAM) console. For more information, see Creating Keys in the AWS Key
Management Service Developer Guide.
After you create a backup vault and set the AWS KMS encryption master key, you can no longer edit the
key for that backup vault.
The encryption key that is specified in an AWS Backup vault applies to the backups of certain resource
types. For more information about backup encryption, see Encryption for Backups in AWS (p. 38)
24
Backup Vault Tags
in the Security section. Backups of all other resource types are backed up using the key that is used to
encrypt the source resource.
Backup Vault Tags

These tags are associated with the backup vault to help you organize and track your backup vaults.
Setting Access Policies on Backup Vaults and

Recovery Points
With AWS Backup, you can assign a policy to a role, user, or group that restricts access to backup vaults
and the resources they contain. Assigning policies allows you to do things like grant access to users
to create backup plans and on-demand backups, but limit their ability to delete recovery points after
they're created.
For information about using policies to grant or restrict access to resources, see Identity-Based Policies
and Resource-Based Policies in the IAM User Guide. You can use the following example policies as a guide
to limit access to resources when you are working with AWS Backup vaults.
For a list of Amazon Resource Names (ARNs) that you can use to identify recovery points for different
resource types, see AWS Backup Resource ARNs (p. 42) for resource-specific recovery point ARNs.
Topics
• Deny Access to a Resource Type in a Backup Vault (p. 25)
• Deny Access to a Backup Vault (p. 26)
• Deny Access to Delete Recovery Points in a Backup Vault (p. 26)
Deny Access to a Resource Type in a Backup Vault

This policy denies access to the specified API operations for all Amazon EBS snapshots in a backup vault.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement ID",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::Account ID:role/MyRole"
},
"Action": [
"backup:UpdateRecoveryPointLifecycle",
"backup:DescribeRecoveryPoint",
"backup:DeleteRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:StartRestoreJob",
"backup:DescribeRecoveryPoint"
],
"Resource": ["arn:aws:ec2:Region:::snapshot/*"]
}
]
}
25
Deny Access to a Backup Vault
Note
This access policy only controls user access to AWS Backup APIs. Some backup types, such as
Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon
RDS) snapshots, can also be accessed using the APIs of those services. You can create separate
access policies in IAM that control access to those APIs in order to fully control the access to
backups.
Deny Access to a Backup Vault

This policy denies access to the specified API operations targeting a backup vault.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::Account ID:role/MyRole"
},
"Action": [
"backup:DescribeBackupVault",
"backup:DeleteBackupVault",
"backup:PutBackupVaultAccessPolicy",
"backup:DeleteBackupVaultAccessPolicy",
"backup:GetBackupVaultAccessPolicy",
"backup:StartBackupJob",
"backup:GetBackupVaultNotifications",
"backup:PutBackupVaultNotifications",
"backup:DeleteBackupVaultNotifications",
"backup:ListRecoveryPointsByBackupVault"
],
"Resource": "arn:aws:backup:Region::Account ID::backup-vault:backup vault name"
}
]
}
Deny Access to Delete Recovery Points in a Backup

Vault
Access to vaults and the ability to delete recovery points stored in them is determined by the access that
you grant your users.
Follow these steps to create a resource-based access policy on a backup vault that prevents the deletion
of any backups in the backup vault.
To create a resource-based access policy on a backup vault
2. In the navigation pane on the left, choose Backup vaults.
3. Choose a backup vault in the list.
4. In the Access policy section, paste the following JSON example. This policy prevents anyone who is
not the principal from deleting a recovery point in the target backup vault. Replace statement ID,
Account ID, and principal type (role/MyRole) with values for your environment.
26
Deleting a Backup Vault
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "backup:DeleteRecoveryPoint",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:userId": [
"arn:aws:iam::Account ID:role/MyRole""
]
}
}
}
]
}
For information on getting a unique ID for an IAM entity, see Getting the Unique ID
If you want to limit this to specific resource types, instead of "Resource": "*" you can explicitly
include the recovery point types to deny, for example, for Amazon EBS snapshots, change the
resource type to:
"Resource": ["arn:aws:ec2:Region:::snapshot/*"]
5. Choose Attach policy.
Deleting a Backup Vault

You can delete a backup vault in AWS Backup only after all associated backups have been deleted.
To delete a backup vault using the AWS Backup console
2. In the navigation pane, choose Backup vault.
3. Choose the backup vault that you want to delete.
4. Choose and delete any backups that are associated with the backup vault, and then choose Delete.
Note
When you delete a backup vault, update your backup plans to point to new backup vaults. A
backup plan that points to a deleted backup vault will cause the backup creation to fail.
27
Creating a Backup
Backups
A backup, or recovery point, represents the content of a resource, such as an Amazon Elastic Block Store
(Amazon EBS) volume or Amazon DynamoDB table, at a specified time. Recovery point is a term that
refers generally to the different backups in AWS services, such as Amazon EBS snapshots and DynamoDB
backups. The terms recovery point and backup are used interchangeably.
In AWS Backup, recovery points are saved in backup vaults, which you can organize according to your
business needs. For example, you can save a set of resources that contain financial information for fiscal
year 2016. When you need to recover a resource, you can use either the AWS Backup console or the AWS
Command Line Interface (AWS CLI) to find and recover the resource you need.
Each recovery point has a unique ID. The following table contains the AWS resource types that AWS
Backup supports and examples of their corresponding recovery point ID.
Resource Type Backup Name Recovery Point ID Example
Amazon Elastic Compute Cloud Amazon EC2 backup image/

(Amazon EC2) instance ami-0ecdf967356c809c7
Amazon EBS volume Amazon EBS snapshot snapshot/

snap-05f426fd8kdjb4224
Amazon RDS database Amazon RDS snapshot awsbackup:job-

be59cf2a-2343-4402-
bd8b-226993d23453
Amazon EFS file system Amazon EFS backup d99699e7-e183-477e-bfcd-

ccb1c6e5455e
DynamoDB table DynamoDB backup table/MyDynamoDBTable/

backup/01547087347000-
c8b6kdk3
AWS Storage Gateway volume Amazon EBS snapshot** snapshot/

snap-0d40e49137e31d9e0
**When you back up an AWS Storage Gateway volume, an Amazon EBS snapshot is created. This
snapshot can then be restored either as an Amazon EBS volume or as an AWS Storage Gateway volume.
The following sections provide an overview of the basic backup management tasks in AWS Backup.
Topics
• Creating a Backup (p. 28)
• Restoring a Backup (p. 31)
• Stopping a Backup Job (p. 35)
• Viewing a List of Backups (p. 35)
• Editing a Backup (p. 36)
Creating a Backup
In AWS Backup, you can create backups automatically using backup plans or manually by initiating an
on-demand backup.
28
On-Demand Backups
When backups are created automatically by backup plans, they are configured with the lifecycle settings
that are defined in the backup plan. They are organized in the backup vault that is specified in the
backup plan. They are also assigned the tags that are listed in the backup plan. For more information
about backup plans, see Managing Backups Using Backup Plans (p. 20).
When you create an on-demand backup, you can configure these settings for the backup that is being
created. When a backup is created either automatically or manually, a backup job is initiated. Each
backup job has a unique ID—for example, D48D8717-0C9D-72DF-1F56-14E703BF2345.
You can view the status of a backup job on the Jobs page of the AWS Backup console. Backup job
statuses include created, pending, running, aborting, aborted, completed, failed, and expired.
For more information about creating backup plans, see Creating a Backup Plan (p. 20).
Topics
• Creating an On-Demand Backup (p. 29)
• Creating a Backup Copy (p. 30)
Creating an On-Demand Backup

On the AWS Backup console, the Protected resources page lists resources that have been backed up by
AWS Backup at least once. If you’re using AWS Backup for the first time, there aren’t any resources (such
as Amazon EBS volumes or Amazon RDS databases) listed on this page. This is true even if a resource was
assigned to a backup plan and that backup plan has not run a scheduled backup job at least once.
To create an on-demand backup

2. In the navigation pane, choose Protected resources.
3. Choose Create on-demand backup.
4. On the Create on-demand backup page, choose the resource type that you want to back up; for
example, choose DynamoDB for Amazon DynamoDB tables.
5. Choose the name or ID of the resource that you want to protect; for example, VideoMetadataTable.
6. Ensure that Create backup now is selected. This initiates a backup immediately and enables you to
see your saved resource sooner on the Protected resources page.
7. Specify a transition to cold storage value (if appropriate) and an expire value.
Note
Only Amazon EFS backups support transition to cold storage. All other resource types are
saved to warm storage. The expire value is valid for all resource types.
8. Choose an existing backup vault or create a new one. Choosing Create new backup vault opens a
new page to create a vault and then returns you to the Create on-demand backup page when you
are finished.
9. Under IAM role, choose Default role or a role of your choice.
Note
If the AWS Backup default role is not present in your account, one will be created for you
with the correct permissions.
10. If you want to assign one or more tags to your on-demand backup, enter a Key and optional Value,
and then choose Add tag.
11. Choose Create on-demand backup. This takes you to the Jobs page, where you will see a list of jobs.
12. Choose the Backup job Id for the resource that you chose to back up. On the job details page, pause
on Status to view the details of your job status.
29
Backup Copies
Copying Tags onto Backups

The tags that are assigned to your resources can be associated with your recovery points that are stored
in backup vaults. Tags are automatically assigned to your backups with the following exceptions:
• DynamoDB does not support assigning tags to backups.

• Tags that are originally associated with a resource and tags that are assigned during backup are
assigned to recovery points stored in a backup vault, up to a maximum of 50. Tags that are assigned
during backup have priority, and both sets of tags are selected in alphabetical order.
• For a list of resource-specific permissions that are required to save metadata tags on backups, see
Permissions Required to Assign Tags To Backups (p. 43).
If you copy your backup to another AWS Region, AWS Backup copies all tags of the original backup to the
destination AWS Region.
Creating a Backup Copy

You can copy backups to multiple AWS Regions on demand or automatically as part of a scheduled
backup plan. For more information about backup plans, see Creating a Backup Plan (p. 20).
Note
AWS Backup doesn't support option groups when you are copying Amazon RDS databases.
To copy an existing backup on-demand

2. Choose Backup vaults.
3. Choose a vault and choose a recovery point from the vault.
4. Choose the Copy button.
5. Enter the following values:
Destination region
Choose the destination AWS Region for the copy. You can add a new copy rule per copy to a new
destination.
Note
Copying Amazon DynamoDB tables across AWS Regions is not supported.
(Advanced settings) Backup vault
Choose the destination backup vault for the copy.

(Advanced settings) IAM role
Choose the IAM role that AWS Backup will use when creating the copy. The role must also have
AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you
choose Default and the AWS Backup default role is not present in your account, one will be
created for you with the correct permissions.
(Advanced settings) Lifecycle
Choose when to transition the backup copy to cold storage and when to expire (delete) the copy.
Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.
This value cannot be changed after a copy has transitioned to cold storage.
Expire specifies the number of days after creation that the copy is deleted. This value must be
greater than 90 days beyond the Transition to cold storage value.
30
Restoring a Backup
6. Choose Create backup copy.
For information about applying tags to your backup copy, see Copying Tags onto Backups (p. 30).
When you copy a backup to a new AWS Region for the first time, AWS Backup copies the backup in full. If
a service supports incremental backups, subsequent copies of that backup in the same AWS Region will
be incremental.
Note
Backup copies are automatically be encrypted for all supported resources.
Restoring a Backup
When you restore a backup in AWS Backup, a new resource is created based on the backup that you are
restoring. For each restore, you must specify the restore parameters.
Restore parameters are specific to a resource type, such as the volume size when restoring an Amazon
Elastic Block Store (Amazon EBS) snapshot. When you restore a backup using the AWS Backup console,
the service-specific restore parameters are presented automatically. For each restore, a restore job is
created with a unique job ID—for example, 1323657E-2AA4-1D94-2C48-5D7A423E7394.
You can view the status of a restore job on the Jobs page of the AWS Backup console. Restore job
statuses include created, pending, running, aborting, aborted, completed, failed, and expired.
For step-by-step instructions for restoring a backup using the AWS Backup console, see Step 4: Restore a
Backup (p. 16) in the Getting Started section.
Topics
• Restoring a Backup Using the Console (p. 31)
• Restoring a Backup Using the AWS CLI or the AWS Backup API (p. 33)
Restoring a Backup Using the Console

After a resource has been backed up at least once, it is considered protected and is available to be
restored using AWS Backup. The restore parameters you use are specific to the resource type that is
backed up. You can restore any of the resources AWS Backup supports.
Topics
• Restoring an Amazon EBS Volume (p. 31)
• Restoring an Amazon EFS File System (p. 32)
Restoring an Amazon EBS Volume

If you are restoring an Amazon Elastic Block Store (Amazon EBS) snapshot, you can choose to restore
the snapshot as an EBS volume or as an AWS Storage Gateway volume. This is because AWS Backup
integrates with both services, and any Amazon EBS snapshot can be restored to either an EBS volume or
an AWS Storage Gateway volume.
To restore an Amazon EBS volume follow these steps
31
Restoring a Backup Using the Console
5. Specify the restore parameters for your resource. The restore parameters you enter are specific to
the resource type that you selected.
For Resource type, choose the AWS resource to create when restoring this backup.
6. If you choose EBS volume, provide the values for Volume type and Availability zone.
If you choose Storage Gateway volume, choose the gateway you want to restore to and enter the
iSCSI target name.
Note
restore job.
Restoring an Amazon EFS File System

If you are restoring an Amazon Elastic File System (Amazon EFS) instance, you can perform a full restore
or item-level restore.
Full Restore
When you perform Full restore, the entire file system is restore.
Item-Level Restore
When you perform item-level restore AWS Backup restore a specific file or directory. You must specify
the relative path related to the mount point. For example, if the file system is mounted to /user/home/
myname/efs and the file path is user/home/myname/efs/file1, you enter /file1. Paths are case
sensitive. Wildcards and regex strings are not supported.
You can restore those items to either a new or existing file system. If you restore the items to an existing
file system, AWS Backup creates a new Amazon EFS directory off of the root directory to contain the
items. The full hierarchy of the specified items is preserved in the recovery directory. For example, if
directory A contains subdirectories B, C, and D, AWS Backup retains the hierarchical structure when A,
B, C, and D are recovered. Regardless of whether you perform an Amazon EFS item-level restore to an
existing file system or to a new file system, each restore attempt creates a new recovery directory off
of the root directory to contain the restored files. If you attempt multiple restores for the same path,
several directories containing the restored items might exist.
Note
If you only keep one weekly backup, you can only restore to the state of the file system at the
time you took that backup. You can't restore to prior incremental backups.
To restore an Amazon EFS file system follow these steps.

32
Restoring a Backup Using the
AWS CLI or the AWS Backup API
5. Specify the restore parameters for your resource. The restore parameters you enter are specific to
the resource type that you selected.
To restore an Amazon Elastic File System (Amazon EFS)
Item-level restore.
• Choose the Full restore option to restore the filesystem in its entirety including all root level
folders and files.
• Choose the Item-level restore option to restore a specific file or directory. You select and restore
up to 5 items within your Elastic File System.
To restore a specific file or directory, you must specify the relative path related to the mount
point. For example, if the file system is mounted to /user/home/myname/efs and the file path
is user/home/myname/efs/file1, enter /file1. Paths are case sensitive and cannot contain
special characters, wildcards, and regex strings.
1. In the Item path text box, enter the path for your file or folder.
2. Choose Add item to add additional files or directories. You can select and restore up to 5 items
within your Elastic File System.
6. For Restore location:
• Choose the Restore to directory in source file system option, if you want to restore to the source
file system.
• Choose the Restore to a new file system option, if you want to restore to a different file system.
• (Recommended) For Performance, choose General purpose.
• Choose Enable encryption, if you want to encrypt your file system. Master key ids and aliases
appear in the list after they have been created using the Key Management Service(KMS) console.
7. In the Master key text box, choose the key you want to use from the list.
Note
restore job.
Note
If you only keep one weekly backup, you can only restore to the state of the file system at
the time you took that backup. You can't restore to prior incremental backups.
Restoring a Backup Using the AWS CLI or the AWS

Backup API
To restore a backup using the AWS Command Line Interface (AWS CLI) or the AWS Backup API, you
typically pass configuration information for your resource to the StartRestoreJob (p. 174) API
operation.
33
Restoring a Backup Using the
AWS CLI or the AWS Backup API
The configuration information that you need to restore your resource varies depending on the service
that you want to restore. To get the configuration metadata that your backup was created with, you can
call GetRecoveryPointRestoreMetadata (p. 131), but you might need more information to restore your
resource. Each service requires different configuration values to restore a recovery point.
Amazon EFS Restore Metadata

When restoring an Amazon EFS instance, you can restore an entire file system or specific files or
directories. To restore Amazon EFS resources, you need the following information:
• file-system-id — The ID of the Amazon EFS file system that is backed up by AWS Backup.
Returned in GetRecoveryPointRestoreMetadata.
• Encrypted — A Boolean value that, if true, specifies that the file system is encrypted. If KmsKeyId is
specified, Encrypted must be set to true.
• ItemsToRestore — A serialized list of up to five strings, where each string is a file path. Use
ItemsToRestore to restore specific files or directories, rather than the entire file system.
• KmsKeyId — Specifies the AWS KMS key that is used to encrypt the restored file system.
• PerformanceMode — Specifies the throughput mode of the file system.
• CreationToken — A user-supplied value that ensures the uniqueness (idempotency) of the request.
• newFileSystem — A Boolean value that, if true, specifies that the recovery point is restored to a new
Amazon EFS file system. For more information about restoring to a new or existing file system, see the
note in the previous section, Restoring a Backup Using the Console (p. 31).
For more information about Amazon EFS configuration values, see create-file-system.
Amazon EC2 Restore Options

You can restore an Amazon EC2 instance using the AWS Backup console, the SDK, or the AWS CLI.
When using the console, you have the following two options:
Restore with default settings
This is the recommended option. This option restores an Amazon EC2 instance with the parameters
and settings that can be customized on the console. These parameters include the following:
• Instance type
• Amazon VPC
• Subnet
• Security groups
• IAM role
• Shutdown behavior
• Stop–hibernate behavior
• Termination protection
• T2/T3 unlimited
• Placement group name
• EBS-optimized instance
• Tenancy
• RAM disk ID
• Kernel ID
• User data
34
Stopping a Backup Job
• Deletion on termination
These parameters are prefilled to match the original backup. You can change them before restoring
the instance. AWS Backup identifies parameters with values that might not be valid or that might
result in an invalid restore.
Major restore
This option restores all 38 parameters, including the 22 parameters that are not customizable on the
console. This is suitable if you require all 38 parameters and are comfortable restoring parameters
without validation or customization.
You can also restore an Amazon EC2 instance without including any stored parameters. This option is
available on the Protected resource tab on the AWS Backup console.
Stopping a Backup Job

You can stop a backup job in AWS Backup after it has been initiated. When you do this, the backup is not
created, and the backup job record is retained with the status of aborted.
To abort a backup job using the AWS Backup console
2. In the navigation pane on the left, choose Jobs.
3. Choose the backup job that you want to stop.
4. In the backup job details pane, choose Stop.
Viewing a List of Backups

There are two ways to view a list of your backups using the AWS Backup console. You can view the
backups that are associated with a particular AWS resource. Or, you can view all the backups that are
organized in a single backup vault, which can be across multiple AWS resources and different resource
types.
Topics
• Listing Backups by Protected Resource (p. 35)
• Listing Backups by Backup Vault (p. 36)
Listing Backups by Protected Resource

Follow these steps to view a list of backups of a particular resource on the AWS Backup console.
2. In the navigation pane, choose Protected resources.
3. Choose a protected resource in the list to view the list of backups. Only resources that have been
backed up by AWS Backup are listed under Protected resources.
You can view all the backups for the resource, even the ones that were not created by AWS Backup. From
this view, you can also choose a backup and restore it.
35
Listing Backups by Backup Vault
Listing Backups by Backup Vault

Follow these steps to view a list of backups organized in a backup vault.

2. In the navigation pane, choose Backup vaults.
3. In the Backups section, view the list of all the backups organized in this backup vault. In this view,
you can select a backup and edit it, delete it, or restore it.
Editing a Backup
After you create a backup using AWS Backup, you can change the lifecycle or tags of the backup.
The lifecycle defines when a backup is transitioned to cold storage and when it expires. AWS Backup
transitions and expires backups automatically according to the lifecycle that you define.
Note
Editing the tags of a backup using AWS Backup is only supported for backups of Amazon Elastic
File System (Amazon EFS) file systems. You can still edit the tags of other services' backups
using the service’s console or API.
Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90 days.
Therefore, the “expire after days” setting must be 90 days greater than the “transition to cold after days”
setting. When you update the “transition to cold after days” setting, the value must be a minimum of the
backup’s age plus one day. The “transition to cold after days” setting cannot be changed after a backup
has been transitioned to cold.
The following is an example of how to update the lifecycle of a backup.
To edit the lifecycle of a backup
2. In the navigation pane, choose Backup vaults.
3. In the Backups section, choose a backup.
4. On the backup details page, choose Edit.
5. Configure the lifecycle settings, and then choose Save.
36
Data Protection
Security in AWS Backup

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and
network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this
as security of the cloud and security in the cloud:
• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in
the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors
regularly test and verify the effectiveness of our security as part of the AWS compliance programs.
To learn about the compliance programs that apply to AWS Backup, see AWS Services in Scope by
Compliance Program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also
responsible for other factors including the sensitivity of your data, your company's requirements, and
applicable laws and regulations.
This documentation helps you understand how to apply the shared responsibility model when using
AWS Backup. The following topics show you how to configure AWS Backup to meet your security and
compliance objectives. You also learn how to use other AWS services that help you monitor and secure
your AWS Backup resources.
Topics
• Data Protection in AWS Backup (p. 37)
• Identity and Access Management in AWS Backup (p. 40)
• Logging and Monitoring in AWS Backup (p. 53)
• Compliance Validation for AWS Backup (p. 53)
• Resilience in AWS Backup (p. 54)
• Infrastructure Security in AWS Backup (p. 54)
Data Protection in AWS Backup

AWS Backup conforms to the AWS shared responsibility model, which includes regulations and
guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all
the AWS services. AWS maintains control over data hosted on this infrastructure, including the security
configuration controls for handling customer content and personal data. AWS customers and AWS
Partner Network (APN) partners, acting either as data controllers or data processors, are responsible for
any personal data that they put in the AWS Cloud.
For data protection purposes, we recommend that you protect AWS account credentials and set up
individual user accounts with AWS Identity and Access Management (IAM). This helps ensure that each
user is given only the permissions necessary to fulfill their job duties. We also recommend that you
secure your data in the following ways:
• Use multi-factor authentication (MFA) with each account.

• Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources.
37
Encryption for Backups in AWS
• Use AWS encryption solutions, along with all default security controls within AWS services.
We strongly recommend that you never put sensitive identifying information, such as your customers'
account numbers, into free-form fields such as a Name field. This includes when you work with AWS
Backup or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into
AWS Backup or other services might get picked up for inclusion in diagnostic logs. When you provide a
URL to an external server, don't include credentials information in the URL to validate your request to
that server.
For more information about data protection, see the AWS Shared Responsibility Model and GDPR blog
post on the AWS Security Blog.

All backups in AWS are encrypted using AWS KMS managed keys (SSE-KMS). The way to configure
encryption differs depending on the resource type. Certain resource types support the ability to encrypt
your backups using a separate encryption key from the key used to encrypt the source resource. This
capability adds another layer of protection for your backups.
The following table lists each supported resource type, how encryption is configured for backups, and
whether independent encryption for backups is supported.
Resource Type How to Configure Encryption Independent Backup

Encryption
Amazon Elastic Block Store Amazon EBS snapshots are Not supported
(Amazon EBS) automatically encrypted with
the same encryption key that
was used to encrypt the source
EBS volume. Snapshots of
unencrypted EBS volumes are
also unencrypted.
Amazon Relational Database Amazon RDS snapshots are Not supported

Service (Amazon RDS) automatically encrypted with
the same encryption key
that was used to encrypt the
source Amazon RDS database.
Snapshots of unencrypted
Amazon RDS databases are also
unencrypted.
Note
AWS Backup currently
supports all Amazon
RDS database engines
except Amazon Aurora.
Amazon Elastic File System Amazon EFS backups are always Supported
(Amazon EFS) encrypted. The AWS KMS
encryption key for Amazon
EFS backups is configured in
the AWS Backup vault that the
Amazon EFS backups are stored
in.
Amazon DynamoDB DynamoDB backups are always Not supported

encrypted. DynamoDB backups
38
Resource Type How to Configure Encryption Independent Backup

Encryption
are automatically encrypted
with the same encryption
key that was used to encrypt
the source DynamoDB table.
Snapshots of unencrypted
DynamoDB tables are also
unencrypted.
AWS Storage Gateway AWS Storage Gateway snapshots Not supported

are automatically encrypted
with the same encryption
key that was used to encrypt
the source AWS Storage
Gateway volume. Snapshots
of unencrypted AWS Storage
Gateway volumes are also
unencrypted.
Note
You don't need to use
a customer master key
(CMK) across all services
to enable AWS Storage
Gateway. You only need
to copy the Storage
Gateway backup to a
vault that configured
a CMK. This is because
Storage Gateway does
not have a service-
specific AWS KMS
managed key.
Encryption for Backup Copies

AWS Backup encrypts backup copies by default whenever possible, even if the original backup is
unencrypted.
You have two options for encrypting backup copies:
• Use the default AWS managed CMK for the destination backup vault. The default key is different for
each service and is managed by AWS.
• Designate a customer managed CMK across all services to be used by the copy job. This is the only
supported option for AWS Storage Gateway backups.
For more information about AWS KMS, see What is AWS Key Management Service?
To learn more about backup encryption for each of the services that AWS Backup supports, see the
following topics:
• Encrypting Your Data Using AWS Key Management Service in the AWS Storage Gateway User Guide.
• Encrypting Amazon RDS Resources in the Amazon RDS User Guide
39
Identity and Access Management
Identity and Access Management in AWS Backup

Access to AWS Backup requires credentials. Those credentials must have permissions to access AWS
resources, such as an Amazon DynamoDB database or an Amazon EBS volume. The following sections
provide details on how you can use AWS Identity and Access Management (IAM) and AWS Backup to help
secure access to your resources.
Topics
• Authentication (p. 40)
• Access Control (p. 41)
• IAM Service Roles (p. 52)
Authentication
Access to AWS Backup or the AWS services that you are backing up requires credentials that AWS can use
to authenticate your requests. You can access AWS as any of the following types of identities:
• AWS account root user – When you sign up for AWS, you provide an email address and password
that is associated with your AWS account. This is your AWS account root user. Its credentials provide
complete access to all of your AWS resources.
Important
For security reasons, we recommend that you use the root user only to create an
administrator. The administrator is an IAM user with full permissions to your AWS account.
You can then use this administrator user to create other IAM users and roles with limited
permissions. For more information, see IAM Best Practices and Creating Your First IAM Admin
User and Group in the IAM User Guide.
• IAM user – An IAM user is an identity within your AWS account that has specific custom permissions
(for example, permissions to create a backup vault to store your backups in). You can use an IAM user
name and password to sign in to secure AWS webpages like the AWS Management Console, AWS
Discussion Forums, or the AWS Support Center.
In addition to a user name and password, you can also generate access keys for each user. You can use
these keys when you access AWS services programmatically, either through one of the several SDKs
or by using the AWS Command Line Interface (AWS CLI). The SDK and AWS CLI tools use the access
keys to cryptographically sign your request. If you don't use the AWS tools, you must sign the request
yourself. For more information about authenticating requests, see Signature Version 4 Signing Process
in the AWS General Reference.

• IAM role – An IAM role is another IAM identity that you can create in your account that has specific
permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role
enables you to obtain temporary access keys that can be used to access AWS services and resources.
IAM roles with temporary credentials are useful in the following situations:

• Federated user access – Instead of creating an IAM user, you can use pre-existing user identities from
AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as
federated users. AWS assigns a role to a federated user when access is requested through an identity
provider. For more information about federated users, see Federated Users and Roles in the IAM User
Guide.
40
Access Control
• Cross-account administration – You can use an IAM role in your account to grant another AWS
account permissions to administer your account's resources. For an example, see Tutorial: Delegate
Access Across AWS Accounts Using IAM Roles in the IAM User Guide.

• AWS service access – You can use an IAM role in your account to grant an AWS service permissions to
access your account's resources. For more information, see Creating a Role to Delegate Permissions
to an AWS Service in the IAM User Guide.

• Applications running on Amazon Elastic Compute Cloud (Amazon EC2) – You can use an IAM role
to manage temporary credentials for applications running on an Amazon EC2 instance and making
AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS
role to an EC2 instance and make it available to all of its applications, you create an instance profile
that is attached to the instance. An instance profile contains the role and enables programs running
on the EC2 instance to get temporary credentials. For more information, see Using an IAM Role to
Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.
Access Control
You can have valid credentials to authenticate your requests, but unless you have the appropriate
permissions, you can't access AWS Backup resources such as backup vaults. You also can't back up AWS
resources such as Amazon Elastic Block Store (Amazon EBS) volumes.
Every AWS resource is owned by an AWS account, and permissions to create or access a resource are
governed by permissions policies. An account administrator can attach permissions policies to AWS
Identity and Access Management (IAM) identities (that is, users, groups, and roles). And some services
also support attaching permissions policies to resources.
Note
An account administrator (or administrator user) is a user with administrator permissions. For
more information, see IAM Best Practices in the IAM User Guide.
When granting permissions, you decide who is getting the permissions, the resources they get
permissions for, and the specific actions that you want to allow on those resources.
The following sections cover how access policies work and how you use them to protect your backups.
Topics
• Resources and Operations (p. 41)
• Resource Ownership (p. 42)
• Specifying Policy Elements: Actions, Effects, and Principals (p. 42)
• Specifying Conditions in a Policy (p. 43)
• AWS Backup API Permissions: Actions, Resources, and Conditions Reference (p. 43)
• Access Policies (p. 44)
• Managed Policies (p. 44)
Resources and Operations

A resource is an object that exists within a service. AWS Backup resources include backup plans, backup
vaults, and backups. Backups is a general term that refers to the various types of backup resources that
exist in AWS. For example, Amazon EBS snapshots, Amazon Relational Database Service (Amazon RDS)
snapshots, and Amazon DynamoDB backups are all types of backup resources.
41
Access Control
In AWS Backup, backups are also referred to as recovery points. When using AWS Backup, you also work
with the resources from other AWS services that you are trying to protect, such as Amazon EBS volumes
or DynamoDB tables. These resources have unique Amazon Resource Names (ARNs) associated with
them. ARNs uniquely identify AWS resources. You must have an ARN when you need to specify a resource
unambiguously across all of AWS, such as in IAM policies or API calls.
The following table lists resources, subresources, and ARN format.
AWS Backup Resource ARNs
Resource Type ARN Format
Backup plan arn:aws:backup:region:account-id:backup-plan:*
Backup vault arn:aws:backup:region:account-id:backup-vault:*
Recovery point for Amazon arn:aws:ec2:region::snapshot/*

EBS
Recovery point for Amazon arn:aws:backup:region:account-id:recovery-point:*

EFS
Recovery point for Amazon arn:aws:rds:region:account-id::snapshot:awsbackup:*

RDS
Recovery point for AWS arn:aws:ec2:region::snapshot/*

Storage Gateway
Recovery point for arn:aws:dynamodb:region:account-id::table/*/backup/*

DynamoDB
AWS Backup provides a set of operations to work with AWS Backup resources. For a list of available
operations, see AWS Backup Actions (p. 70).
Resource Ownership
The AWS account owns the resources that are created in the account, regardless of who created the
resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the AWS
account root user, an IAM user, or an IAM role) that authenticates the resource creation request. The
following examples illustrate how this works:
• If you use the AWS account root user credentials of your AWS account to create a backup vault, your
AWS account is the owner of the vault.
• If you create an IAM user in your AWS account and grant permissions to create a backup vault to that
user, the user can create a backup vault. However, your AWS account, to which the user belongs, owns
the backup vault resource.
• If you create an IAM role in your AWS account with permissions to create a backup vault, anyone who
can assume the role can create a vault. Your AWS account, to which the role belongs, owns the backup
vault resource.
Specifying Policy Elements: Actions, Effects, and Principals

For each AWS Backup resource (see Resources and Operations (p. 41)), the service defines a set of API
operations (see Actions (p. 70)). To grant permissions for these API operations, AWS Backup defines a
set of actions that you can specify in a policy. Performing an API operation can require permissions for
more than one action.
42
Access Control
The following are the most basic policy elements:
• Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the
policy applies. For more information, see Resources and Operations (p. 41).
• Action – You use action keywords to identify resource operations that you want to allow or deny.
• Effect – You specify the effect when the user requests the specific action—this can be either allow or
deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also
explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even
if a different policy grants access.
• Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit
principal. For resource-based policies, you specify the user, account, service, or other entity that you
want to receive permissions (applies to resource-based policies only).
To learn more about IAM policy syntax and descriptions, see IAM JSON Policy Reference in the IAM User
Guide.
For a table showing all of the AWS Backup API actions, see AWS Backup API Permissions: Actions,
Resources, and Conditions Reference (p. 43).
Specifying Conditions in a Policy

When you grant permissions, you can use the IAM policy language to specify the conditions when a
policy should take effect. For example, you might want a policy to be applied only after a specific date.
For more information about specifying conditions in a policy language, see Condition in the IAM User
Guide.
To express conditions, you use predefined condition keys. There are no condition keys specific to AWS
Backup. However, there are AWS-wide condition keys that you can use as appropriate. For a complete list
of AWS-wide keys, see AWS Global Condition Context Keys in the IAM User Guide.
Note
AWS Backup does not support tag or context key conditions in access policies for any of its
actions.
AWS Backup API Permissions: Actions, Resources, and

Conditions Reference
When you are setting up Access Control (p. 41) and writing a permissions policy that you can attach
to an IAM identity (identity-based policies), you can use the following list as a reference. The list includes
each AWS Backup API operation, the corresponding actions for which you can grant permissions to
perform the action, and the AWS resource for which you can grant the permissions. You specify the
actions in the policy's Action field, and you specify the resource value in the policy's Resource field.
You can use AWS-wide condition keys in your AWS Backup policies to express conditions. For a complete
list of AWS-wide keys, see Available Keys in the IAM User Guide.
To save metadata tags on resources that are stored in a backup vault, the following permissions are
required for the specified resource types.
Permissions Required to Assign Tags to Backups
Resource Type Required Permission
Amazon EFS file system elasticfilesystem:DescribeTags
Amazon EBS volume ec2:DescribeTags
43
Access Control
Resource Type Required Permission
Amazon RDS database rds:ListTagsForResource
AWS Storage Gateway volume storagegateway:ListTagsForResource
Access Policies
A permissions policy describes who has access to what. Policies attached to an IAM identity are referred
to as identity-based policies (IAM policies). Policies attached to a resource are referred to as resource-
based policies. AWS Backup supports both identity-based policies and resource-based policies.
Note
This section discusses using IAM in the context of AWS Backup. It doesn't provide detailed
information about the IAM service. For complete IAM documentation, see What Is IAM? in the
IAM User Guide. For information about IAM policy syntax and descriptions, see IAM JSON Policy
Reference in the IAM User Guide.
Identity-Based Policies (IAM Policies)

Identity-based policies are policies that you can attach to IAM identities, such as users or roles. For
example, you can define a policy that allows a user to view and back up AWS resources, but prevents
them from restoring backups.
For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and
Roles) in the IAM User Guide.
For information about how to use IAM policies to control access to backups, see Managed
Policies (p. 44).
Resource-Based Policies
AWS Backup supports resource-based access policies for backup vaults. This enables you to define an
access policy that can control which users have what kind of access to any of the backups organized in a
backup vault. Resource-based access policies for backup vaults provide an easy way to control access to
your backups.
Backup vault access policies control user access when you use AWS Backup APIs. Some backup types,
such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon
RDS) snapshots, can also be accessed using those services' APIs. You can create separate access policies in
IAM that control access to those APIs in order to fully control access to backups.
To learn how to create an access policy for backup vaults, see Setting Access Policies on Backup Vaults
and Recovery Points (p. 25).
Managed Policies
Managed policies are standalone identity-based policies that you can attach to multiple users, groups,
and roles in your AWS account. You can use AWS managed policies or customer managed policies to
control access to backups in AWS Backup.
AWS Managed Policies

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed
policies are designed to provide permissions for many common use cases. AWS managed policies make it
easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the
policies yourself.
44
Access Control
You can't change the permissions defined in AWS managed policies. AWS occasionally updates the
permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities
(users, groups, and roles) that the policy is attached to.
AWS Backup provides several AWS managed policies for common use cases. These policies make it easier
to define the right permissions and control access to your backups. There are two types of managed
policies. One type is designed to be assigned to users to control their access to AWS Backup. The
other type of managed policy is designed to be attached to roles that you pass to AWS Backup. These
policies are predefined with the appropriate permissions that AWS Backup requires to perform backup
operations on your behalf.
The following table lists all the managed policies that AWS Backup provides and describes how they are
defined. You can find these managed policies in the Policies section of the IAM console.
Policy Name IAM Managed Policy Name Description
Backup Administrator IAM Policy AWSBackupFullAccess The backup administrator has

full access to AWS Backup
operations, including creating or
editing backup plans, assigning
AWS resources to backup plans,
and restoring backups. Backup
administrators are responsible
for determining and enforcing
backup compliance by defining
backup plans that meet their
organization's business and
regulatory requirements. Backup
administrators also ensure
that their organization's AWS
resources are assigned to the
appropriate plan.
Backup Operator IAM Policy AWSBackupOperatorAccess Backup operators are users

that are responsible for
ensuring the resources that
they are responsible for are
properly backed up. Backup
operators have permissions to
assign AWS resources to the
backup plans that the backup
administrator creates. They also
have permissions to create on-
demand backups of their AWS
resources and to configure the
retention period of on-demand
backups. Backup operators do
not have permissions to create
or edit backup plans or to delete
scheduled backups after they
are created. Backup operators
can restore backups. You can
limit the resource types that a
backup operator can assign to
a backup plan or restore from a
backup. You do this by allowing
only certain service roles to
be passed to AWS Backup that
45
Access Control
Policy Name IAM Managed Policy Name Description

have permissions for a certain
resource type.
Default Service Role Policy for AWSBackupServiceRolePolicyForBackup

Provides AWS Backup
Backups permissions to create backups of
all supported resource types on
your behalf.
Default Service Role Policy for AWSBackupServiceRolePolicyForRestores

Provides AWS Backup
Restores permissions to restore backups
of all supported resource types
on your behalf.
Customer Managed Policies

You can create standalone policies that you administer in your own AWS account. These policies are
referred to as customer managed policies. You can then attach the policies to multiple principal entities
in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions
that are defined in the policy.
One way to create a customer managed policy is to start by copying an existing AWS managed policy.
That way you know that the policy is correct at the beginning, and all you need to do is customize it to
your environment.
The following policies specify backup and restore permissions for individual AWS services. They can be
customized and attached to roles that you create to further limit access to AWS resources.
Backup and Restore Policies for Individual Services
Service Backup Policy Service Restore Policy
DynamoDB Backup Policy DynamoDB Restore Policy
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Action": [ "Action": [
"dynamodb:DescribeTable", "dynamodb:DescribeBackup",
"dynamodb:CreateBackup" "dynamodb:DescribeTable",
],
"Resource": "dynamodb:RestoreTableFromBackup",
"arn:aws:dynamodb:*:*:table/*", "dynamodb:Scan",
"Effect": "Allow" "dynamodb:Query",
}, "dynamodb:UpdateItem",
{ "dynamodb:PutItem",
"Action": [ "dynamodb:GetItem",
"dynamodb:DescribeBackup", "dynamodb:DeleteItem",
"dynamodb:DeleteBackup" "dynamodb:BatchWriteItem"
], ],
"Resource": "Resource":
"arn:aws:dynamodb:*:*:table/*/backup/*", "arn:aws:dynamodb:*:*:table/*",
"Effect": "Allow" "Effect": "Allow"
} },
] {
} "Action": [
"dynamodb:RestoreTableFromBackup"
46
Access Control

],
"Resource":
"arn:aws:dynamodb:*:*:table/*/backup/*",
"Effect": "Allow"
}
]
}
Amazon EBS Backup Policy Amazon EBS Restore Policy
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": "ec2:CreateTags", "Action": [
"Resource": "ec2:CreateVolume",
"arn:aws:ec2:*::snapshot/*" "ec2:DeleteVolume"
}, ],
{ "Resource": [
"Effect": "Allow", "arn:aws:ec2:*::snapshot/*",
"Action": [ "arn:aws:ec2:*:*:volume/*"
"ec2:CreateSnapshot", ]
"ec2:DeleteSnapshot" },
], {
"Resource": [ "Effect": "Allow",
"arn:aws:ec2:*::snapshot/ "Action": [
*", "ec2:DescribeSnapshots",
"arn:aws:ec2:*:*:volume/*" "ec2:DescribeVolumes"
] ],
}, "Resource": "*"
{ }
"Effect": "Allow", ]
"Action": [ }
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"
],
"Resource": "*"
},
{
"Action": [
"tag:GetResources"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
47
Access Control
Amazon EFS Backup Policy Amazon EFS Restore Policy
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
{ {
"Action": [ "Effect": "Allow",
"elasticfilesystem:Backup" "Action": [
], "elasticfilesystem:Restore",
"Resource":
"arn:aws:elasticfilesystem:*:*:file- "elasticfilesystem:CreateFilesystem",
system/*",
"Effect": "Allow" "elasticfilesystem:DescribeFilesystems",
},
{ "elasticfilesystem:DeleteFilesystem"
"Action": [ ],
"tag:GetResources" "Resource":
], "arn:aws:elasticfilesystem:*:*:file-system/
"Resource": "*", *"
"Effect": "Allow" }
} ]
] }
}
48
Access Control
Amazon RDS Backup Policy Amazon RDS Restore Policy
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"rds:AddTagsToResource", "rds:DescribeDBInstances",
"rds:ListTagsForResource", "rds:DescribeDBSnapshots",
"rds:DescribeDBSnapshots", "rds:ListTagsForResource",
"rds:CreateDBSnapshot",
"rds:CopyDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot",
"rds:DescribeDBInstances" "rds:DeleteDBInstance",
], "rds:AddTagsToResource"
"Resource": "*" ],
}, "Resource": "*"
{ }
"Effect": "Allow", ]
"Action": [ }
"rds:DeleteDBSnapshot"
],
"Resource": [
"arn:aws:rds:*:*:snapshot:awsbackup:*"
]
},
{
"Action": [
"tag:GetResources"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
49
Access Control
AWS Storage Gateway Backup Policy AWS Storage Gateway Restore Policy
"Version": "2012-10-17", {
"Statement": [ "Version": "2012-10-17",
{ "Statement": [
"Effect": "Allow", {
"Action": [ "Effect": "Allow",
"Action": [
"storagegateway:CreateSnapshot"
], "storagegateway:DeleteVolume",
"Resource":
"arn:aws:storagegateway:*:*:gateway/*/ "storagegateway:DescribeCachediSCSIVolumes",
volume/*"
}, "storagegateway:DescribeStorediSCSIVolumes"
{ ],
"Effect": "Allow", "Resource":
"Action": [ "arn:aws:storagegateway:*:*:gateway/*/
"ec2:CreateTags", volume/*"
"ec2:DeleteSnapshot" },
], {
"Resource": "Effect": "Allow",
"arn:aws:ec2:*::snapshot/*" "Action": [
},
{ "storagegateway:DescribeGatewayInformation",
"Effect": "Allow",
"Action": [ "storagegateway:CreateStorediSCSIVolume",
], "storagegateway:CreateCachediSCSIVolume"
"Resource": "*" ],
}, "Resource":
{ "arn:aws:storagegateway:*:*:gateway/*"
"Action": [ },
"tag:GetResources" {
], "Effect": "Allow",
"Resource": "*", "Action": [
"Effect": "Allow" "storagegateway:ListVolumes"
} ],
] "Resource":
} "arn:aws:storagegateway:*:*:*"
}
]
}
50
Access Control
Amazon EC2 Backup Policy Amazon EC2 Restore Policy
{ {
"Version":"2012-10-17", "Version":"2012-10-17",
"Statement":[ "Statement":[
{ {
"Effect":"Allow", "Effect":"Allow",
"Action":[ "Action":[
"ec2:CreateTags", "ec2:CreateVolume",
"ec2:DeleteSnapshot" "ec2:DeleteVolume"
], ],
"Resource":[
"Resource":"arn:aws:ec2:*::snapshot/*" "arn:aws:ec2:*::snapshot/*",
}, "arn:aws:ec2:*:*:volume/*"
{ ]
"Effect":"Allow", },
"Action":[ {
"ec2:CreateImage", "Effect":"Allow",
"ec2:DeregisterImage" "Action":[
], "ec2:DescribeSnapshots",
"Resource":"*" "ec2:DescribeVolumes"
}, ],
{ "Resource":"*"
"Action":[ {
"ec2:CreateTags" "Effect":"Allow",
], "Action":[
"Resource":"arn:aws:ec2:*:*:image/ "ec2:DescribeImages",
*" "ec2:DescribeInstances"
}, ],
{ "Resource":"*"
"Action":[ {
"ec2:DescribeSnapshots", "Action":[
"ec2:DescribeTags", "ec2:RunInstances"
"ec2:DescribeImages", ],
"ec2:DescribeInstances", "Effect":"Allow",
"Resource":"*"
"ec2:DescribeInstanceAttribute", },
{
"ec2:DescribeInstanceCreditSpecifications", "Action":[
"ec2:TerminateInstances"
"ec2:DescribeNetworkInterfaces", ],
"ec2:DescribeElasticGpus", "Effect":"Allow",
"ec2:DescribeSpotInstanceRequests" "Resource":"arn:aws:ec2:*:*:instance/*"
], },
"Resource":"*" {
}, "Action":"iam:PassRole",
{ "Resource":"arn:aws:iam::<account-
"Effect":"Allow", id>:role/<role-name>",
"Action":[ "Effect":"Allow"
"ec2:CreateSnapshot", }
"ec2:DeleteSnapshot", ]
"ec2:DescribeVolumes", }
],
"Resource":[
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:volume/*"
]
},
51
IAM Service Roles

{
"Action":[
"tag:GetResources"
],
"Resource":"*",
"Effect":"Allow"
}
]
}
IAM Service Roles

An AWS Identity and Access Management (IAM) role is similar to a user, in that it is an AWS identity with
permissions policies that determine what the identity can and cannot do in AWS. However, instead of
being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
A service role is a role that an AWS service assumes to perform actions on your behalf. As a service that
performs backup operations on your behalf, AWS Backup requires that you pass it a role to assume when
performing backup operations on your behalf. For more information about IAM roles, see IAM Roles in
the IAM User Guide.
The role that you pass to AWS Backup must have an IAM policy with the permissions that enable AWS
Backup to perform actions associated with backup operations, such as creating, restoring, or expiring
backups. Different permissions are required for each of the AWS services that AWS Backup supports. The
role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role.
You pass a role to AWS Backup when restoring or creating a backup. You also specify a role when
assigning your AWS resources to a backup plan. This is the role that AWS Backup assumes when creating
and expiring backups on your behalf according to the backup plan that you assigned the resource to.
Using AWS Roles to Control Access to Backups

You can use roles to control access to your backups by defining narrowly scoped roles and by specifying
who can pass that role to AWS Backup. For example, you could create a role that only grants permissions
to back up Amazon Relational Database Service (Amazon RDS) databases and only grant Amazon RDS
database owners permission to pass that role to AWS Backup. AWS Backup provides several predefined
managed policies for each of the supported services. You can attach these managed policies to roles that
you create. This makes it easier to create service-specific roles that have the correct permissions that
AWS Backup needs.
For more information about AWS managed policies for AWS Backup, see Managed Policies (p. 44).
Default Service Roles for AWS Backup

When using AWS Backup for the first time, you can choose to have AWS Backup create a default service
role for you. This role has the permissions that AWS Backup requires to perform backup operations for
all the AWS services that it supports. You should use the default role if you are okay with using the same
role for all of the resource types that you want to back up. If you prefer to use separate roles for different
resource types for security reasons, you can also create your own roles to pass to AWS Backup rather
than using the default roles.
Note
If you are a first-time user of AWS Backup, you must create the role, list the role, and pass the
role permissions. After the role is created, only list role and pass role permissions are required.
There are two separate default roles that AWS Backup can create for you. One is for creating backups,
and the other is for restoring backups.
52
Logging and Monitoring
AWS Backup Default Service Role for Backups

This role includes an IAM policy that grants AWS Backup permissions to describe the resource being
backed up, the ability to create, delete, or describe a backup, and the ability to add tags to the backup.
This IAM policy includes the necessary permissions for all the resource types that AWS Backup supports.
AWS Backup Default Service Role for Restores

This role includes an IAM policy that grants AWS Backup permissions to create, delete, or describe
the new resource being created from a backup. It also includes permissions to tag the newly created
resource. This IAM policy includes the necessary permissions for all the resource types that AWS Backup
supports.
Logging and Monitoring in AWS Backup

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS
Backup and your AWS solutions. You should collect monitoring data from all parts of your AWS solution
so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for
monitoring your AWS Backup resources and responding to potential incidents:
AWS CloudTrail Logs
CloudTrail provides a record of actions taken by a user, role, or an AWS service in AWS Backup.
Using the information collected by CloudTrail, you can determine the request that was made to
AWS Backup, the IP address from which the request was made, who made the request, when it was
made, and additional details. For more information, see Logging AWS Backup API Calls with AWS
CloudTrail (p. 61).
AWS Trusted Advisor
Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS
customers. Trusted Advisor inspects your AWS environment and then makes recommendations
when opportunities exist to save money, improve system availability and performance, or help
close security gaps. All AWS customers have access to five Trusted Advisor checks. Customers with a
Business or Enterprise support plan can view all Trusted Advisor checks. For more information, see
AWS Trusted Advisor.
Compliance Validation for AWS Backup

Third-party auditors assess the security and compliance of AWS Backup as part of multiple AWS
compliance programs, such as SOC, PCI, FedRAMP, HIPAA, and others.
For a list of AWS services in scope of specific compliance programs, see AWS Services in Scope by
Compliance Program. For general information, see AWS Compliance Programs.
You can download third-party audit reports using AWS Artifact. For more information, see Downloading
Reports in AWS Artifact in the AWS Artifact User Guide.
Your compliance responsibility when using AWS Backup is determined by the sensitivity of your data,
your organization's compliance objectives, and applicable laws and regulations. If your use of AWS
Backup is subject to compliance with standards like HIPAA, PCI, or FedRAMP, AWS provides resources to
help:
• Security and Compliance Quick Start Guides – These deployment guides discuss architectural
considerations and provide steps for deploying security- and compliance-focused baseline
environments on AWS.
53
Resilience
• Architecting for HIPAA Security and Compliance Whitepaper – This whitepaper describes how
companies can use AWS to create HIPAA-compliant applications.
• AWS Compliance Resources – This collection of workbooks and guides might apply to your industry
and location.
• AWS Config – This AWS service assesses how well your resource configurations comply with internal
practices, industry guidelines, and regulations.
• AWS Security Hub – This AWS service provides a comprehensive view of your security state within AWS
that helps you check your compliance with security industry standards and best practices.
Resilience in AWS Backup

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide
multiple physically separated and isolated Availability Zones, which are connected with low-latency,
high-throughput, and highly redundant networking. With Availability Zones, you can design and operate
applications and databases that automatically fail over between Availability Zones without interruption.
Availability Zones are more highly available, fault tolerant, and scalable than traditional single or
multiple data center infrastructures.
For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.
Infrastructure Security in AWS Backup

As a managed service, AWS Backup is protected by the AWS global network security procedures that are
described in the Amazon Web Services: Overview of Security Processes whitepaper.
You use AWS published API calls to access AWS Backup through the network. Clients must support
Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support
cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve
Diffie-Hellman Ephemeral (ECDHE). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed by using an access key ID and a secret access key that is associated
with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary
security credentials to sign requests.
54
AWS Backup Quotas

Following are the resource quotas when working with AWS Backup.
Resource Quota
Number of backup vaults per account 100
Number of concurrent backup copies (per service) 5*

to a destination AWS Region per account
Number of backup plans per account 100
Number of versions per backup plan 2,000
Number of concurrent backup jobs per resource 1
Number of resource assignments per backup plan 100**
Number of metadata tags per saved resource 50
Number of recovery points per backup vault 1,000,000
*AWS Backup supports up to 50 concurrent backup copies of Amazon EC2 AMIs to a destination AWS
Region per account.
**This quota applies to the number of resource assignment documents associated with a backup plan.
There is no quota for the number of resources referenced in the assignment document.
Note
For services other than Amazon EFS, you might also encounter quotas imposed by those
services.
55
AWS Backup Notification APIs
Using Amazon SNS to Track AWS

Backup Events
AWS Backup is designed to take advantage of the robust notifications delivered by Amazon Simple
Notification Service (Amazon SNS). You configure Amazon SNS to send notifications for AWS Backup
events from the Amazon SNS console. For more information, see Getting Started with Amazon SNS in
the Amazon Simple Notification Service Developer Guide.
Topics
• AWS Backup Notification APIs (p. 56)
• Completed Events (p. 56)
• AWS Backup Notification Command Examples (p. 58)
• Specifying AWS Backup as a Service Principal (p. 59)
AWS Backup Notification APIs

After creating your topics using the Amazon SNS console or AWS Command Line Interface (AWS CLI), you
can use the following AWS Backup API operations to manage your backup notifications.
• DeleteBackupVaultNotifications (p. 90) — Deletes event notifications for the specified backup vault.
• GetBackupVaultNotifications (p. 128) — Lists all event notifications for the specified backup vault.
• PutBackupVaultNotifications (p. 165) — Turns on notifications for the specified topic and events.
The following events are supported:
Backup jobs
• BACKUP_JOB_STARTED
• BACKUP_JOB_COMPLETED
Restore jobs
• RESTORE_JOB_STARTED
• RESTORE_JOB_COMPLETED
Recovery points
• RECOVERY_POINT_MODIFIED
Completed Events
Completed notifications include a STATE attribute indicating the specific type of completion.
56
Examples: Completed Events
Examples: Completed Events
{
"Type" : "Notification",
"MessageId" : "12345678-abcd-123a-def0-abcd1a234567",
"TopicArn" : "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic",
"Subject" : "Notification from AWS Backup",
"Message" : "An AWS Backup job was completed successfully. Recovery point ARN:
arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012d. Resource ARN :
arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-
f22c-4dab-5eb6-bbc7890ed123",
"Timestamp" : "2019-08-02T18:46:02.788Z",
"MessageAttributes" : {
"EventType" : {"Type":"String","Value":"BACKUP_JOB"},
"State" : {"Type":"String","Value":"COMPLETED"},
"AccountId" : {"Type":"String","Value":"123456789012"},
"Id" : {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"},
"StartTime" : {"Type":"String","Value":"2019-09-02T13:48:52.226Z"}
}
}
{
"Message" : "An AWS Backup job failed. Resource ARN : arn:aws:ec2:us-
west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-
bbc7890ed123",
"Timestamp" : "2019-08-02T18:46:02.788Z",
"State" : {"Type":"String","Value":"FAILED"},
}
}
{
"Message" : "An AWS Backup job failed to complete in time. Resource ARN :
arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-
f22c-4dab-5eb6-bbc7890ed123",
"Timestamp" : "2019-08-02T18:46:02.788Z",
"State" : {"Type":"String","Value":"EXPIRED"},
}
}
57
AWS Backup Notification Command Examples
AWS Backup Notification Command Examples

You can use AWS CLI commands to subscribe to, list, and delete Amazon SNS notifications for your AWS
Backup events.
Example Put Backup Vault Notification

The following command subscribes to an Amazon SNS topic for the specified backup vault that notifies
you when a restore job is started or completed, or when a recovery point is modified.
aws backup --endpoint-url https://backup.region.amazonaws.com put-backup-vault-

notifications
--backup-vault-name --sns-topic-arn arn:aws:sns:region:account-id:myBackupTopic
--backup-vault-events RESTORE_JOB_STARTED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED
Example Get Backup Vault Notification

The following command lists all events currently subscribed to an Amazon SNS topic for the specified
backup vault.
aws backup --endpoint-url https://backup.region.amazonaws.com get-backup-vault-

notifications
--backup-vault-name myVault
The sample output is as follows:
{
"SNSTopicArn": "arn:aws:sns:region:account-id:myBackupTopic",
"BackupVaultEvents": [
"RESTORE_JOB_STARTED",
"RESTORE_JOB_COMPLETED",
"RECOVERY_POINT_MODIFIED"
],
"BackupVaultName": "myVault",
"BackupVaultArn": "arn:aws:backup:region:account-id:backup-vault:myVault"
}
Example Delete Backup Vault Notification

The following command unsubscribes from an Amazon SNS topic for the specified backup vault.
aws backup --endpoint-url https://backup.region.amazonaws.com delete-backup-vault-

notifications
--backup-vault-name myVault
58
Specifying AWS Backup as a Service Principal

Note
To allow AWS Backup to publish SNS topics on your behalf, you must specify AWS Backup as a
service principal.
Include the following JSON in the access policy of the Amazon SNS topic that you use to track AWS
Backup events. You must specify the resource Amazon Resource Name (ARN) of your topic.
{
"Sid": "My-statement-id",
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:region:account-id:myTopic"
}
The following sample JSON is an example of a basic Amazon SNS access policy that includes AWS Backup
as a service principal. You must specify your own AWS account ID and the resource ARN of your topic.
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:Receive",
"SNS:AddPermission",
"SNS:Subscribe"
],
"Resource": "arn:aws:sns:region:account-id:myTopic",
"Condition": {
"STRINGEQUALS": {
"AWS:SourceOwner": "account-id"
}
}
},
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:region:account-id:myTopic"
}
59
]
}
For more information about specifying a service principal in an Amazon SNS access policy, see Allowing
Any AWS Resource to Publish to a Topic in the Amazon Simple Notification Service Developer Guide.
Note
If your topic is encrypted, you must include additional permissions in your policy to allow AWS
Backup to publish to it. For more information about enabling services to publish to encrypted
topics, see Enable Compatibility between Event Sources from AWS Services and Encrypted
Topics in the Amazon Simple Notification Service Developer Guide.
60
AWS Backup Information in CloudTrail
Logging AWS Backup API Calls with

AWS CloudTrail
AWS Backup is integrated with AWS CloudTrail, a service that provides a record of actions taken by a
user, role, or an AWS service in AWS Backup. CloudTrail captures all API calls for AWS Backup as events.
The calls captured include calls from the AWS Backup console and code calls to the AWS Backup API
operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3
bucket, including events for AWS Backup. If you don't configure a trail, you can still view the most recent
events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can
determine the request that was made to AWS Backup, the IP address from which the request was made,
who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the AWS CloudTrail User Guide.
AWS Backup Information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS
Backup, that activity is recorded in a CloudTrail event along with other AWS service events in Event
history. You can view, search, and download recent events in your AWS account. For more information,
see Viewing Events with CloudTrail Event History.
For an ongoing record of events in your AWS account, including events for AWS Backup, create a trail.
A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a
trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the
AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can
configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information, see the following:
• Overview for Creating a Trail

• CloudTrail Supported Services and Integrations
• Configuring Amazon SNS Notifications for CloudTrail
• Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple
Accounts
All AWS Backup actions are logged by CloudTrail and are documented in AWS Backup API
Actions (p. 70).
Every event or log entry contains information about who generated the request. The identity
information helps you determine the following:
• Whether the request was made with root or AWS Identity and Access Management (IAM) user
credentials.
• Whether the request was made with temporary security credentials for a role or federated user.
• Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity Element.
61
Understanding AWS Backup Log File Entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you
specify. CloudTrail log files contain one or more log entries. An event represents a single request from
any source and includes information about the requested action, the date and time of the action, request
parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they
don't appear in any specific order.
The following example shows a CloudTrail log entry that demonstrates the StartBackupJob,
StartRestoreJob, and DeleteRecoveryPoint actions and also the BackupJobCompleted event.
{
"eventVersion": "1.05",
"userIdentity": {
"type": "Root",
"principalId": "123456789012",
"arn": "arn:aws:iam::123456789012:root",
"accountId": "123456789012",
"accessKeyId": AKIAIOSFODNN7EXAMPLE,
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-01-10T12:24:50Z"
}
}
},
"eventTime": "2019-01-10T13:45:24Z",
"eventSource": "backup.amazonaws.com",
"eventName": "StartBackupJob",
"awsRegion": "us-east-1",
"sourceIPAddress": "12.34.567.89",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.465
Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.192-b12
java/1.8.0_192",
"requestParameters": {
"backupVaultName": "Default",
"resourceArn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-00a422a05b9c6asd3",
"iamRoleArn": "arn:aws:iam::123456789012:role/AWSBackup",
"startWindowMinutes": 60
},
"responseElements": {
"backupJobId": "8a3c2a87-b23e-4d56-b045-fa9e88ede4e6",
"creationDate": "Jan 10, 2019 1:45:24 PM"
},
"requestID": "98cf4d59-8c76-49f7-9201-790743931234",
"eventID": "fe8146a5-7812-4a95-90ad-074498be1234",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
,
{
"userIdentity": {
"type": "Root",
"principalId": "123456789012",
"accountId": "123456789012",
"accessKeyId": "ASIAQLTPYK3BWHVZP45U",
"sessionContext": {
"attributes": {
"creationDate": "2019-01-10T12:24:50Z"
62
}
}
},
"eventTime": "2019-01-10T13:49:50Z",
"eventName": "StartRestoreJob",
java/1.8.0_192",
"recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-00a129455bdbc9d99",
"metadata": {
"volumeType": "gp2",
"availabilityZone": "us-east-1b",
"volumeSize": "100"
},
"idempotencyToken": "a9c8b4fb-d369-4a58-944b-942e442a8fe3",
"resourceType": "EBS"
},
"responseElements": {
"restoreJobId": "9808E090-8C76-CCB8-4CEA-407CF6AC4C43"
},
"requestID": "783ddddc-6d7e-4539-8fab-376aa9668543",
"eventID": "ff35ddea-7577-4aec-a132-964b7e9dd423",
}
,
{
"userIdentity": {
"type": "Root",
"principalId": "123456789012",
"accountId": "123456789012",
"accessKeyId": "ASIAQLTPYK3BWHVZP45U",
"sessionContext": {
"attributes": {
"creationDate": "2019-01-10T12:24:50Z"
}
}
},
"eventTime": "2019-01-10T14:52:42Z",
"eventName": "DeleteRecoveryPoint",
java/1.8.0_192",
"backupVaultName": "Default",
"recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-05f426fd9daab3433"
},
"responseElements": null,
"requestID": "f1f1b33a-48da-436c-9a8f-7574f1ab5fd7",
"eventID": "2dd70080-5aba-4a79-9a0f-92647c9f0846",
}
,
{
63
"userIdentity": {
"accountId": "123456789012",
"invokedBy": "backup.amazonaws.com"
},
"eventTime": "2019-01-10T08:24:39Z",
"eventName": "BackupJobCompleted",
"sourceIPAddress": "backup.amazonaws.com",
"userAgent": "backup.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"eventID": "2e7e4fcf-0c52-467f-9fd0-f61c2fcf7d17",
"eventType": "AwsServiceEvent",
"recipientAccountId": "123456789012",
"serviceEventDetails": {
"completionDate": {
"seconds": 1547108091,
"nanos": 906000000
},
"state": "COMPLETED",
"percentDone": 100,
"backupJobId": "8A8E738B-A8C5-E058-8224-90FA323A3C0E",
"backupVaultName": "BackupVault",
"backupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:BackupVault",
"recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-07ce8c3141d361233",
"resourceArn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-06692095a6a421233",
"creationDate": {
"seconds": 1547101638,
"nanos": 272000000
},
"backupSizeInBytes": 8589934592,
"resourceType": "EBS"
}
}
64
Integrating AWS Backup with AWS CloudFormation
Using AWS CloudFormation

Templates with AWS Backup
The following information describes how to use AWS CloudFormation templates to simplify and
automate tasks related to your backup plans, backup vaults, and resource selections.
Integrating AWS Backup with AWS

CloudFormation
With AWS CloudFormation, you can provision and manage your AWS resources in a safe, repeatable
manner using templates that you create. You can use AWS CloudFormation templates to manage
your backup plans, backup resource selections, and backup vaults. For information about using AWS
CloudFormation, see How Does AWS CloudFormation Work? in the AWS CloudFormation User Guide.
Before you create your AWS CloudFormation stack, you should consider the following:
• We recommend that you create separate templates for your backup plans and your backup vaults.
Because backup vaults can be deleted only if they are empty, you can't delete a stack that includes
backup vaults if they contain any recovery points.
• Be sure that you have a service role available before you create your stack. The AWS Backup default
service role is created for you the first time you assign resources to a backup plan. If you haven't done
this yet, the default service role is not available. You can also specify a custom role that you create. For
more information about roles, see IAM Service Roles (p. 52).
Following is a sample template that creates a backup plan.
Description: "Backup Plan template to back up all resources tagged with backup=daily
daily at 5am UTC."
Resources:
KMSKey:
Type: AWS::KMS::Key
Properties:
Description: "Encryption key for daily"
EnableKeyRotation: True
Enabled: True
KeyPolicy:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
"AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
Action:
- kms:*
Resource: "*"
BackupVaultWithDailyBackups:
Type: "AWS::Backup::BackupVault"
Properties:
65
BackupVaultName: "BackupVaultWithDailyBackups"
EncryptionKeyArn: !GetAtt KMSKey.Arn
BackupPlanWithDailyBackups:
Type: "AWS::Backup::BackupPlan"
Properties:
BackupPlan:
BackupPlanName: "BackupPlanWithDailyBackups"
BackupPlanRule:
-
RuleName: "RuleForDailyBackups"
TargetBackupVault: !Ref BackupVaultWithDailyBackups
ScheduleExpression: "cron(0 5 ? * * *)"
DependsOn: BackupVaultWithDailyBackups
DDBTableWithDailyBackupTag:
Type: "AWS::DynamoDB::Table"
Properties:
TableName: "TestTable"
AttributeDefinitions:
-
AttributeName: "Album"
AttributeType: "S"
KeySchema:
-
AttributeName: "Album"
KeyType: "HASH"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
Tags:
-
Key: "backup"
Value: "daily"
BackupRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "backup.amazonaws.com"
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
-
"arn:aws:iam::aws:policy/service-role/service role"
TagBasedBackupSelection:
Type: "AWS::Backup::BackupSelection"
Properties:
BackupSelection:
SelectionName: "TagBasedBackupSelection"
IamRoleArn: !GetAtt BackupRole.Arn
ListOfTags:
-
ConditionType: "STRINGEQUALS"
ConditionKey: "backup"
ConditionValue: "daily"
BackupPlanId: !Ref BackupPlanWithDailyBackups
DependsOn: BackupPlanWithDailyBackups
66
If you are using the default service role, replace service role with
AWSBackupServiceRolePolicyForBackup.
For information about using AWS CloudFormation with AWS Backup, see AWS Backup Resource Type
Reference in the AWS CloudFormation User Guide.
For information about controlling access to AWS service resources when using AWS CloudFormation, see
Controlling Access with AWS Identity and Access Management in the AWS CloudFormation User Guide.
67
Troubleshooting General Issues
Troubleshooting AWS Backup

When you use AWS Backup, you might encounter issues when working with backup plans, resources, and
backup vaults. The following sections can help you troubleshoot some common issues that might occur.
For general questions about AWS Backup, see the AWS Backup FAQ. You can also search for answers and
post questions in the AWS Backup forum.
Topics
• Troubleshooting General Issues (p. 68)
• Troubleshooting Creating Resources (p. 68)
• Troubleshooting Deleting Resources (p. 69)
Troubleshooting General Issues

When you back up and restore resources, you not only need permission to use AWS Backup, you must
also have permission to access the resources that you want to protect. For more information about access
control using AWS Identity and Access Management (IAM) with AWS Backup, see Access Control (p. 41).
If you run into issues with backing up and restoring a particular resource type, it can be helpful to review
the troubleshooting topic for that resource. For more information about troubleshooting other AWS
services, see the following:
• Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide
• On-Demand Backup and Restore for DynamoDB in the Amazon DynamoDB Developer Guide
• Amazon EBS Snapshots in the Amazon EC2 User Guide for Linux Instances
• Backing Up and Restoring Amazon RDS DB Instances in the Amazon RDS User Guide
• Backing Up Your Volumes in the AWS Storage Gateway User Guide
If AWS Backup fails to create or delete a resource, you can learn more about the issue by using AWS
CloudTrail to view error messages or logs. For more information about using CloudTrail with AWS
Backup, see Logging AWS Backup API Calls with AWS CloudTrail (p. 61).
Troubleshooting Creating Resources

The following information can help you troubleshoot problems with creating backups.
• Creating backups for DynamoDB tables will fail while tables are being created. Creating a DynamoDB
table typically takes a couple of minutes.
• Backing up Amazon EFS file systems can take up to 7 days when the file systems are very large. Only
one concurrent backup at a time can be queued for an Amazon EFS file system. If a subsequent backup
is queued while a previous one is still in progress, the backup window can expire and no backup is
created.
• Amazon EBS has a soft quota of 100,000 backups per AWS Region per account, and additional backups
fail when this quota is reached. If you reach this quota, you can delete excess backups or request a
quota increase. For more information about requesting a quota increase, see AWS Service Quotas.
• When creating Amazon RDS backups, consider the following:
68
Troubleshooting Deleting Resources
• Amazon RDS has a soft quota of 100 backups per AWS Region per account, and additional backups
will fail when this quota is reached. If you reach this quota, you can delete excess backups or request
a quota increase. For more information about requesting a quota increase, see AWS Service Quotas.
• If you initiate a backup either through a backup plan or by creating an on-demand backup, it will fail
if it is scheduled during the daily user-configurable 30-minute backup window. For more information
about automated Amazon RDS backups, see Working With Backups in the Amazon RDS User Guide.
• Consecutive backups for Amazon RDS must be scheduled at least 6 hours apart.
• Backups that are initiated during a maintenance window will fail. For more information about
Amazon RDS maintenance windows, see Maintaining a DB Instance in the Amazon RDS User Guide.
Troubleshooting Deleting Resources

Recovery points that are created by AWS Backup cannot be deleted in the console window of the
protected resource. You can delete them on the AWS Backup console by selecting them in the vault
where they are stored and then choosing Delete.
To delete a recovery point or a backup vault, you need the appropriate permissions. For more
information about access control using IAM with AWS Backup, see Access Control (p. 41).
69
Actions
AWS Backup API

Actions
The following actions are supported:
• CreateBackupPlan (p. 72)

• CreateBackupSelection (p. 75)
• CreateBackupVault (p. 78)
• DeleteBackupPlan (p. 81)
• DeleteBackupSelection (p. 84)
• DeleteBackupVault (p. 86)
• DeleteBackupVaultAccessPolicy (p. 88)
• DeleteBackupVaultNotifications (p. 90)
• DeleteRecoveryPoint (p. 92)
• DescribeBackupJob (p. 94)
• DescribeBackupVault (p. 98)
• DescribeCopyJob (p. 101)
• DescribeProtectedResource (p. 103)
• DescribeRecoveryPoint (p. 105)
• DescribeRestoreJob (p. 110)
• ExportBackupPlanTemplate (p. 113)
• GetBackupPlan (p. 115)
• GetBackupPlanFromJSON (p. 118)
• GetBackupPlanFromTemplate (p. 121)
• GetBackupSelection (p. 123)
• GetBackupVaultAccessPolicy (p. 126)
• GetBackupVaultNotifications (p. 128)
• GetRecoveryPointRestoreMetadata (p. 131)
• GetSupportedResourceTypes (p. 133)
• ListBackupJobs (p. 135)
• ListBackupPlans (p. 138)
• ListBackupPlanTemplates (p. 140)
• ListBackupPlanVersions (p. 142)
• ListBackupSelections (p. 144)
• ListBackupVaults (p. 146)
• ListCopyJobs (p. 148)
• ListProtectedResources (p. 151)
• ListRecoveryPointsByBackupVault (p. 153)
• ListRecoveryPointsByResource (p. 156)
• ListRestoreJobs (p. 159)
• ListTags (p. 161)
• PutBackupVaultAccessPolicy (p. 163)
70
Actions
• PutBackupVaultNotifications (p. 165)

• StartBackupJob (p. 167)
• StartCopyJob (p. 171)
• StartRestoreJob (p. 174)
• StopBackupJob (p. 177)
• TagResource (p. 179)
• UntagResource (p. 181)
• UpdateBackupPlan (p. 183)
• UpdateRecoveryPointLifecycle (p. 186)
71
CreateBackupPlan
CreateBackupPlan
Backup plans are documents that contain information that AWS Backup uses to schedule tasks that
create recovery points of resources.
If you call CreateBackupPlan with a plan that already exists, an AlreadyExistsException is

returned.
Request Syntax
PUT /backup/plans/ HTTP/1.1
Content-type: application/json
{
"BackupPlan": {
"BackupPlanName": "string",
"Rules": [
{
"CompletionWindowMinutes": number,
"CopyActions": [
{
"DestinationBackupVaultArn": "string",
"Lifecycle": {
"DeleteAfterDays": number,
"MoveToColdStorageAfterDays": number
}
}
],
"Lifecycle": {
},
"RecoveryPointTags": {
"string" : "string"
},
"RuleName": "string",
"ScheduleExpression": "string",
"StartWindowMinutes": number,
"TargetBackupVaultName": "string"
}
]
},
"BackupPlanTags": {
"string" : "string"
},
"CreatorRequestId": "string"
}
URI Request Parameters

The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
BackupPlan (p. 72)
Specifies the body of a backup plan. Includes a BackupPlanName and one or more sets of Rules.
Type: BackupPlanInput (p. 194) object
72
CreateBackupPlan
Required: Yes
BackupPlanTags (p. 72)
To help organize your resources, you can assign your own metadata to the resources that you create.
Each tag is a key-value pair. The specified tags are assigned to all backups created with this plan.
Type: String to string map
Required: No
CreatorRequestId (p. 72)
Identifies the request and allows failed requests to be retried without the risk of executing the
operation twice. If the request includes a CreatorRequestId that matches an existing backup
plan, that plan is returned. This parameter is optional.
Type: String
Required: No
Response Syntax
HTTP/1.1 200
{
"BackupPlanArn": "string",
"BackupPlanId": "string",
"CreationDate": number,
"VersionId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
BackupPlanArn (p. 73)
An Amazon Resource Name (ARN) that uniquely identifies a backup plan; for example,
arn:aws:backup:us-east-1:123456789012:plan:8F81F553-3A74-4A3F-B93D-
B3360DC80C50.
Type: String
BackupPlanId (p. 73)
Uniquely identifies a backup plan.
Type: String
CreationDate (p. 73)
The date and time that a backup plan is created, in Unix format and Coordinated Universal
Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value
1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.
Type: Timestamp
73
CreateBackupPlan
VersionId (p. 73)
Unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024 bytes long.
They cannot be edited.
Type: String
Errors
For information about the errors that are common to all actions, see Common Errors (p. 222).
AlreadyExistsException
The required resource already exists.
HTTP Status Code: 400

InvalidParameterValueException
Indicates that something is wrong with a parameter's value. For example, the value is out of range.

LimitExceededException
A limit in the request has been exceeded; for example, a maximum number of items allowed in a
request.

MissingParameterValueException
Indicates that a required parameter is missing.

ServiceUnavailableException
The request failed due to a temporary failure of the server.
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface

• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
74
CreateBackupSelection
Creates a JSON document that specifies a set of resources to assign to a backup plan. Resources can be
included by specifying patterns for a ListOfTags and selected Resources.
For example, consider the following patterns:
• Resources: "arn:aws:ec2:region:account-id:volume/volume-id"
• ConditionKey:"department"
ConditionValue:"finance"
ConditionType:"STRINGEQUALS"
• ConditionKey:"importance"
ConditionValue:"critical"
ConditionType:"STRINGEQUALS"
Using these patterns would back up all Amazon Elastic Block Store (Amazon EBS) volumes that are
tagged as "department=finance", "importance=critical", in addition to an EBS volume with the
specified volume Id.
Resources and conditions are additive in that all resources that match the pattern are selected. This
shouldn't be confused with a logical AND, where all conditions must match. The matching patterns are
logically 'put together using the OR operator. In other words, all patterns that match are selected for
backup.
Request Syntax
PUT /backup/plans/backupPlanId/selections/ HTTP/1.1
{
"BackupSelection": {
"IamRoleArn": "string",
"ListOfTags": [
{
"ConditionKey": "string",
"ConditionType": "string",
"ConditionValue": "string"
}
],
"Resources": [ "string" ],
"SelectionName": "string"
},
"CreatorRequestId": "string"
}

The request requires the following URI parameters.
backupPlanId (p. 75)
Uniquely identifies the backup plan to be associated with the selection of resources.
75
Request Body
BackupSelection (p. 75)
Specifies the body of a request to assign a set of resources to a backup plan.
Type: BackupSelection (p. 202) object
Required: Yes
A unique string that identifies the request and allows failed requests to be retried without the risk of
executing the operation twice.
Type: String
Required: No
Response Syntax
HTTP/1.1 200
{
"SelectionId": "string"
}
Response Elements
Type: String
The date and time a backup selection is created, in Unix format and Coordinated Universal
Type: Timestamp
SelectionId (p. 76)
Uniquely identifies the body of a request to assign a set of resources to a backup plan.
Type: String
Errors
76


request.


See Also

• AWS SDK for C++
• AWS SDK for Go
77
CreateBackupVault
CreateBackupVault
Creates a logical container where backups are stored. A CreateBackupVault request includes a name,
optionally one or more resource tags, an encryption key, and a request ID.
Note
Sensitive data, such as passport numbers, should not be included the name of a backup vault.
Request Syntax
PUT /backup-vaults/backupVaultName HTTP/1.1
{
"BackupVaultTags": {
"string" : "string"
},
"CreatorRequestId": "string",
"EncryptionKeyArn": "string"
}

backupVaultName (p. 78)
The name of a logical container where backups are stored. Backup vaults are identified by names
that are unique to the account used to create them and the AWS Region where they are created.
They consist of lowercase letters, numbers, and hyphens.
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
BackupVaultTags (p. 78)
Metadata that you can assign to help organize the resources that you create. Each tag is a key-value
pair.
Required: No
Type: String
Required: No
EncryptionKeyArn (p. 78)
The server-side encryption key that is used to protect your backups; for example,
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
78
CreateBackupVault
Type: String
Required: No
Response Syntax
HTTP/1.1 200
{
"BackupVaultArn": "string",
"BackupVaultName": "string",
"CreationDate": number
}
Response Elements
BackupVaultArn (p. 79)
An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example,
arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.
Type: String
BackupVaultName (p. 79)
that are unique to the account used to create them and the Region where they are created. They
consist of lowercase letters, numbers, and hyphens.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
The date and time a backup vault is created, in Unix format and Coordinated Universal Time (UTC).
The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087
represents Friday, January 26, 2018 12:11:30.087 AM.
Type: Timestamp
Errors

79
CreateBackupVault

request.


See Also

• AWS SDK for C++
• AWS SDK for Go
80
DeleteBackupPlan
DeleteBackupPlan
Deletes a backup plan. A backup plan can only be deleted after all associated selections of resources
have been deleted. Deleting a backup plan deletes the current version of a backup plan. Previous
versions, if any, will still exist.
Request Syntax
DELETE /backup/plans/backupPlanId HTTP/1.1

Request Body
The request does not have a request body.
Response Syntax
HTTP/1.1 200
{
"DeletionDate": number,
}
Response Elements
B3360DC80C50.
Type: String
Type: String
81
DeleteBackupPlan
DeletionDate (p. 81)
The date and time a backup plan is deleted, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
VersionId (p. 81)
Version Ids cannot be edited.
Type: String
Errors

InvalidRequestException
Indicates that something is wrong with the input to the request. For example, a parameter is of the
wrong type.


ResourceNotFoundException
A resource that is required for the action doesn't exist.

See Also

• AWS SDK for C++
• AWS SDK for Go
82
DeleteBackupPlan

83
DeleteBackupSelection
Deletes the resource selection associated with a backup plan that is specified by the SelectionId.
Request Syntax
DELETE /backup/plans/backupPlanId/selections/selectionId HTTP/1.1


selectionId (p. 84)
Request Body
Response Syntax
HTTP/1.1 200
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors



84
See Also

• AWS SDK for C++
• AWS SDK for Go
85
DeleteBackupVault
DeleteBackupVault
Deletes the backup vault identified by its name. A vault can be deleted only if it is empty.
Request Syntax
DELETE /backup-vaults/backupVaultName HTTP/1.1

Request Body
Response Syntax
HTTP/1.1 200
Response Elements
Errors

wrong type.


86
DeleteBackupVault

See Also

• AWS SDK for C++
• AWS SDK for Go
87
DeleteBackupVaultAccessPolicy
Deletes the policy document that manages permissions on a backup vault.
Request Syntax
DELETE /backup-vaults/backupVaultName/access-policy HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
Response Syntax
HTTP/1.1 200
Response Elements
Errors



88
See Also

• AWS SDK for C++
• AWS SDK for Go
89
DeleteBackupVaultNotifications
Deletes event notifications for the specified backup vault.
Request Syntax
DELETE /backup-vaults/backupVaultName/notification-configuration HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
Response Syntax
HTTP/1.1 200
Response Elements
Errors



90
See Also

• AWS SDK for C++
• AWS SDK for Go
91
DeleteRecoveryPoint
DeleteRecoveryPoint
Deletes the recovery point specified by a recovery point ID.
Request Syntax
DELETE /backup-vaults/backupVaultName/recovery-points/recoveryPointArn HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
recoveryPointArn (p. 92)
An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example,
arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-
A80B-108B488B0D45.
Request Body
Response Syntax
HTTP/1.1 200
Response Elements
Errors

wrong type.
92
DeleteRecoveryPoint


See Also

• AWS SDK for C++
• AWS SDK for Go
93
DescribeBackupJob
DescribeBackupJob
Returns metadata associated with creating a backup of a resource.
Request Syntax
GET /backup-jobs/backupJobId HTTP/1.1

backupJobId (p. 94)
Uniquely identifies a request to AWS Backup to back up a resource.
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupJobId": "string",
"BackupSizeInBytes": number,
"BytesTransferred": number,
"CompletionDate": number,
"CreatedBy": {
"BackupPlanVersion": "string",
"BackupRuleId": "string"
},
"ExpectedCompletionDate": number,
"PercentDone": "string",
"RecoveryPointArn": "string",
"ResourceArn": "string",
"ResourceType": "string",
"StartBy": number,
"State": "string",
"StatusMessage": "string"
}
Response Elements
94
DescribeBackupJob
BackupJobId (p. 94)
Type: String
BackupSizeInBytes (p. 94)
The size, in bytes, of a backup.
Type: Long
Type: String
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
BytesTransferred (p. 94)
The size in bytes transferred to a backup vault at the time that the job status was queried.
Type: Long
CompletionDate (p. 94)
The date and time that a job to create a backup job is completed, in Unix format and Coordinated
Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the
value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.
Type: Timestamp
CreatedBy (p. 94)
Contains identifying information about the creation of a backup job, including the BackupPlanArn,
BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan that is used to
create it.
Type: RecoveryPointCreator (p. 220) object

The date and time that a backup job is created, in Unix format and Coordinated Universal
Type: Timestamp
ExpectedCompletionDate (p. 94)
The date and time that a job to back up resources is expected to be completed, in Unix format
and Coordinated Universal Time (UTC). The value of ExpectedCompletionDate is accurate
to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018
12:11:30.087 AM.
Type: Timestamp
95
DescribeBackupJob
IamRoleArn (p. 94)
Specifies the IAM role ARN used to create the target recovery point; for example,
arn:aws:iam::123456789012:role/S3Access.
Type: String
PercentDone (p. 94)
Contains an estimated percentage that is complete of a job at the time the job status was queried.
Type: String
RecoveryPointArn (p. 94)
An ARN that uniquely identifies a recovery point; for example, arn:aws:backup:us-

east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.
Type: String
ResourceArn (p. 94)
An ARN that uniquely identifies a saved resource. The format of the ARN depends on the resource
type.
Type: String
ResourceType (p. 94)
The type of AWS resource to be backed up; for example, an Amazon Elastic Block Store (Amazon
EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
StartBy (p. 94)
Specifies the time in Unix format and Coordinated Universal Time (UTC) when a backup job must be
started before it is canceled. The value is calculated by adding the start window to the scheduled
time. So if the scheduled time were 6:00 PM and the start window is 2 hours, the StartBy time
would be 8:00 PM on the date specified. The value of StartBy is accurate to milliseconds. For
example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.
Type: Timestamp
State (p. 94)
The current state of a resource recovery point.
Type: String
Valid Values: CREATED | PENDING | RUNNING | ABORTING | ABORTED | COMPLETED |

FAILED | EXPIRED
StatusMessage (p. 94)
A detailed message explaining the status of the job to back up a resource.
Type: String
Errors
96
DescribeBackupJob
DependencyFailureException
A dependent AWS service or resource returned an error to the AWS Backup service, and the action
cannot be completed.




See Also

• AWS SDK for C++
• AWS SDK for Go
97
DescribeBackupVault
DescribeBackupVault
Returns metadata about a backup vault specified by its name.
Request Syntax
GET /backup-vaults/backupVaultName HTTP/1.1

Request Body
Response Syntax
HTTP/1.1 200
{
"EncryptionKeyArn": "string",
"NumberOfRecoveryPoints": number
}
Response Elements
Type: String
Type: String
98
DescribeBackupVault
The date and time that a backup vault is created, in Unix format and Coordinated Universal
Type: Timestamp
Type: String
Type: String
NumberOfRecoveryPoints (p. 98)
The number of recovery points that are stored in a backup vault.
Type: Long
Errors



See Also

99
DescribeBackupVault
• AWS SDK for C++

• AWS SDK for Go
100
DescribeCopyJob
DescribeCopyJob
Returns metadata associated with creating a copy of a resource.
Request Syntax
GET /copy-jobs/copyJobId HTTP/1.1

copyJobId (p. 101)
Uniquely identifies a copy job.
Request Body
Response Syntax
HTTP/1.1 200
{
"CopyJob": {
"CopyJobId": "string",
"CreatedBy": {
},
"DestinationRecoveryPointArn": "string",
"SourceBackupVaultArn": "string",
"SourceRecoveryPointArn": "string",
"State": "string",
}
}
Response Elements
CopyJob (p. 101)
Contains detailed information about a copy job.
101
DescribeCopyJob
Type: CopyJob (p. 210) object
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
102
DescribeProtectedResource
Returns information about a saved resource, including the last time it was backed up, its Amazon
Resource Name (ARN), and the AWS service type of the saved resource.
Request Syntax
GET /resources/resourceArn HTTP/1.1

resourceArn (p. 103)
An Amazon Resource Name (ARN) that uniquely identifies a resource. The format of the ARN
depends on the resource type.
Request Body
Response Syntax
HTTP/1.1 200
{
"LastBackupTime": number,
"ResourceType": "string"
}
Response Elements
LastBackupTime (p. 103)
The date and time that a resource was last backed up, in Unix format and Coordinated Universal
Time (UTC). The value of LastBackupTime is accurate to milliseconds. For example, the value
Type: Timestamp
ResourceArn (p. 103)
An ARN that uniquely identifies a resource. The format of the ARN depends on the resource type.
Type: String
The type of AWS resource saved as a recovery point; for example, an EBS volume or an Amazon RDS
database.
103
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
104
DescribeRecoveryPoint
Returns metadata associated with a recovery point, including ID, status, encryption, and lifecycle.
Request Syntax
GET /backup-vaults/backupVaultName/recovery-points/recoveryPointArn HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
A80B-108B488B0D45.
Request Body
Response Syntax
HTTP/1.1 200
{
"CalculatedLifecycle": {
"DeleteAt": number,
"MoveToColdStorageAt": number
},
"CreatedBy": {
},
"IsEncrypted": boolean,
"LastRestoreTime": number,
"Lifecycle": {
105
},
"Status": "string",
"StorageClass": "string"
}
Response Elements
Type: Long
An ARN that uniquely identifies a backup vault; for example, arn:aws:backup:us-

east-1:123456789012:vault:aBackupVault.
Type: String
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
CalculatedLifecycle (p. 105)
A CalculatedLifecycle object containing DeleteAt and MoveToColdStorageAt timestamps.
Type: CalculatedLifecycle (p. 207) object

The date and time that a job to create a recovery point is completed, in Unix format and Coordinated
Universal Time (UTC). The value of CompletionDate is accurate to milliseconds. For example, the
Type: Timestamp
CreatedBy (p. 105)
Contains identifying information about the creation of a recovery point, including the
BackupPlanArn, BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan
used to create it.

The date and time that a recovery point is created, in Unix format and Coordinated Universal
106
Type: Timestamp
The server-side encryption key used to protect your backups; for example, arn:aws:kms:us-
west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
Type: String
IamRoleArn (p. 105)
Type: String
IsEncrypted (p. 105)
A Boolean value that is returned as TRUE if the specified recovery point is encrypted, or FALSE if the
recovery point is not encrypted.
Type: Boolean
LastRestoreTime (p. 105)
The date and time that a recovery point was last restored, in Unix format and Coordinated Universal
Time (UTC). The value of LastRestoreTime is accurate to milliseconds. For example, the value
Type: Timestamp
Lifecycle (p. 105)
The lifecycle defines when a protected resource is transitioned to cold storage and when it expires.
AWS Backup transitions and expires backups automatically according to the lifecycle that you define.
Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90
days. Therefore, the “expire after days” setting must be 90 days greater than the “transition to cold
after days” setting. The “transition to cold after days” setting cannot be changed after a backup has
been transitioned to cold.
Type: Lifecycle (p. 213) object


Type: String
An ARN that uniquely identifies a saved resource. The format of the ARN depends on the resource
type.
Type: String
The type of AWS resource to save as a recovery point; for example, an Amazon Elastic Block Store
(Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
107
Status (p. 105)
A status code specifying the state of the recovery point.

Note
A partial status indicates that the recovery point was not successfully re-created and must
be retried.
Type: String
Valid Values: COMPLETED | PARTIAL | DELETING | EXPIRED

StorageClass (p. 105)
Specifies the storage class of the recovery point. Valid values are WARM or COLD.
Type: String
Valid Values: WARM | COLD | DELETED
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
108
109
DescribeRestoreJob
DescribeRestoreJob
Returns metadata associated with a restore job that is specified by a job ID.
Request Syntax
GET /restore-jobs/restoreJobId HTTP/1.1

restoreJobId (p. 110)
Uniquely identifies the job that restores a recovery point.
Request Body
Response Syntax
HTTP/1.1 200
{
"CreatedResourceArn": "string",
"ExpectedCompletionTimeMinutes": number,
"RestoreJobId": "string",
"Status": "string",
}
Response Elements
The size, in bytes, of the restored resource.
Type: Long
The date and time that a job to restore a recovery point is completed, in Unix format and
Coordinated Universal Time (UTC). The value of CompletionDate is accurate to milliseconds. For
110
DescribeRestoreJob
Type: Timestamp
CreatedResourceArn (p. 110)
An Amazon Resource Name (ARN) that uniquely identifies a resource whose recovery point is being
restored. The format of the ARN depends on the resource type of the backed-up resource.
Type: String
The date and time that a restore job is created, in Unix format and Coordinated Universal
Type: Timestamp
ExpectedCompletionTimeMinutes (p. 110)
The amount of time in minutes that a job restoring a recovery point is expected to take.
Type: Long
IamRoleArn (p. 110)
Type: String
PercentDone (p. 110)
Contains an estimated percentage that is complete of a job at the time the job status was queried.
Type: String

Type: String
RestoreJobId (p. 110)
Type: String
Status (p. 110)
Status code specifying the state of the job that is initiated by AWS Backup to restore a recovery
point.
Type: String
Valid Values: PENDING | RUNNING | COMPLETED | ABORTED | FAILED

StatusMessage (p. 110)
A detailed message explaining the status of a job to restore a recovery point.
Type: String
Errors
111
DescribeRestoreJob
DependencyFailureException
A dependent AWS service or resource returned an error to the AWS Backup service, and the action
cannot be completed.




See Also

• AWS SDK for C++
• AWS SDK for Go
112
ExportBackupPlanTemplate
Returns the backup plan that is specified by the plan ID as a backup template.
Request Syntax
GET /backup/plans/backupPlanId/toTemplate/ HTTP/1.1

Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlanTemplateJson": "string"
}
Response Elements
BackupPlanTemplateJson (p. 113)
The body of a backup plan template in JSON format.

Note
This is a signed JSON document that cannot be modified before being passed to
GetBackupPlanFromJSON.
Type: String
Errors
113


See Also

• AWS SDK for C++
• AWS SDK for Go
114
GetBackupPlan
GetBackupPlan
Returns the body of a backup plan in JSON format, in addition to plan metadata.
Request Syntax
GET /backup/plans/backupPlanId/?versionId=VersionId HTTP/1.1


VersionId (p. 115)
Version IDs cannot be edited.
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlan": {
"Rules": [
{
"CopyActions": [
{
"Lifecycle": {
}
}
],
"Lifecycle": {
},
"string" : "string"
},
"RuleId": "string",
}
]
115
GetBackupPlan
},
"LastExecutionDate": number,
}
Response Elements
BackupPlan (p. 115)
Type: BackupPlan (p. 193) object

B3360DC80C50.
Type: String
Type: String
The date and time that a backup plan is created, in Unix format and Coordinated Universal
Type: Timestamp
Type: String
DeletionDate (p. 115)
The date and time that a backup plan is deleted, in Unix format and Coordinated Universal
Type: Timestamp
LastExecutionDate (p. 115)
The last time a job to back up resources was executed with this backup plan. A date and time, in
Unix format and Coordinated Universal Time (UTC). The value of LastExecutionDate is accurate
12:11:30.087 AM.
116
GetBackupPlan
Type: Timestamp
VersionId (p. 115)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
117
GetBackupPlanFromJSON
Returns a valid JSON document specifying a backup plan or an error.
Request Syntax
POST /backup/template/json/toPlan HTTP/1.1
{
"BackupPlanTemplateJson": "string"
}

Request Body
BackupPlanTemplateJson (p. 118)
A customer-supplied backup plan document in JSON format.
Type: String
Required: Yes
Response Syntax
HTTP/1.1 200
{
"BackupPlan": {
"Rules": [
{
"CopyActions": [
{
"Lifecycle": {
}
}
],
"Lifecycle": {
},
"string" : "string"
},
"RuleId": "string",
118
}
]
}
}
Response Elements
BackupPlan (p. 118)
Errors

wrong type.

request.


See Also
119

• AWS SDK for C++
• AWS SDK for Go
120
GetBackupPlanFromTemplate
Returns the template specified by its templateId as a backup plan.
Request Syntax
GET /backup/template/plans/templateId/toPlan HTTP/1.1

templateId (p. 121)
Uniquely identifies a stored backup plan template.
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlanDocument": {
"Rules": [
{
"CopyActions": [
{
"Lifecycle": {
}
}
],
"Lifecycle": {
},
"string" : "string"
},
"RuleId": "string",
}
]
}
}
121
Response Elements
BackupPlanDocument (p. 121)
Returns the body of a backup plan based on the target template, including the name, rules, and
backup vault of the plan.
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
122
GetBackupSelection
GetBackupSelection
Returns selection metadata and a document in JSON format that specifies a list of resources that are
associated with a backup plan.
Request Syntax
GET /backup/plans/backupPlanId/selections/selectionId HTTP/1.1


selectionId (p. 123)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupSelection": {
"ListOfTags": [
{
"ConditionKey": "string",
"ConditionType": "string",
"ConditionValue": "string"
}
],
"Resources": [ "string" ],
},
"SelectionId": "string"
}
Response Elements
123
GetBackupSelection
Type: String
BackupSelection (p. 123)
Specifies the body of a request to assign a set of resources to a backup plan.
Type: BackupSelection (p. 202) object

The date and time a backup selection is created, in Unix format and Coordinated Universal
Type: Timestamp
Type: String
SelectionId (p. 123)
Type: String
Errors



See Also

124
GetBackupSelection
• AWS SDK for C++

• AWS SDK for Go
125
GetBackupVaultAccessPolicy
Returns the access policy document that is associated with the named backup vault.
Request Syntax
GET /backup-vaults/backupVaultName/access-policy HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
Response Syntax
HTTP/1.1 200
{
"Policy": "string"
}
Response Elements
Type: String
Type: String
126
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Policy (p. 126)
The backup vault access policy document in JSON format.
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
127
GetBackupVaultNotifications
Returns event notifications for the specified backup vault.
Request Syntax
GET /backup-vaults/backupVaultName/notification-configuration HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupVaultEvents": [ "string" ],
"SNSTopicArn": "string"
}
Response Elements
Type: String
BackupVaultEvents (p. 128)
An array of events that indicate the status of jobs to back up resources to the backup vault.
Type: Array of strings
Valid Values: BACKUP_JOB_STARTED | BACKUP_JOB_COMPLETED | BACKUP_JOB_SUCCESSFUL

| BACKUP_JOB_FAILED | BACKUP_JOB_EXPIRED | RESTORE_JOB_STARTED |
128
RESTORE_JOB_COMPLETED | RESTORE_JOB_SUCCESSFUL | RESTORE_JOB_FAILED

| COPY_JOB_STARTED | COPY_JOB_SUCCESSFUL | COPY_JOB_FAILED |
RECOVERY_POINT_MODIFIED | BACKUP_PLAN_CREATED | BACKUP_PLAN_MODIFIED
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
SNSTopicArn (p. 128)
An ARN that uniquely identifies an Amazon Simple Notification Service (Amazon SNS) topic; for
example, arn:aws:sns:us-west-2:111122223333:MyTopic.
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
129

130
GetRecoveryPointRestoreMetadata
Returns a set of metadata key-value pairs that were used to create the backup.
Request Syntax
GET /backup-vaults/backupVaultName/recovery-points/recoveryPointArn/restore-metadata
HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
A80B-108B488B0D45.
Request Body
Response Syntax
HTTP/1.1 200
{
"RestoreMetadata": {
"string" : "string"
}
}
Response Elements

Type: String
131

Type: String
RestoreMetadata (p. 131)
The set of metadata key-value pairs that describes the original configuration of the backed-up
resource. These values vary depending on the service that is being restored.
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
132
GetSupportedResourceTypes
Returns the AWS resource types supported by AWS Backup.
Request Syntax
GET /supported-resource-types HTTP/1.1

Request Body
Response Syntax
HTTP/1.1 200
{
"ResourceTypes": [ "string" ]
}
Response Elements
ResourceTypes (p. 133)
Contains a string with the supported AWS resource types:

• EBS for Amazon Elastic Block Store
• Storage Gateway for AWS Storage Gateway
• RDS for Amazon Relational Database Service
• DDB for Amazon DynamoDB
• EFS for Amazon Elastic File System
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Errors
133
See Also

• AWS SDK for C++
• AWS SDK for Go
134
ListBackupJobs
ListBackupJobs
Returns metadata about your backup jobs.
Request Syntax
GET /backup-jobs/?
backupVaultName=ByBackupVaultName&createdAfter=ByCreatedAfter&createdBefore=ByCreatedBefore&maxResults=
HTTP/1.1

ByBackupVaultName (p. 135)
Returns only backup jobs that will be stored in the specified backup vault. Backup vaults are
identified by names that are unique to the account used to create them and the AWS Region where
they are created. They consist of lowercase letters, numbers, and hyphens.
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
ByCreatedAfter (p. 135)
Returns only backup jobs that were created after the specified date.
ByCreatedBefore (p. 135)
Returns only backup jobs that were created before the specified date.
ByResourceArn (p. 135)
Returns only backup jobs that match the specified resource Amazon Resource Name (ARN).
ByResourceType (p. 135)
Returns only backup jobs for the specified resources:

• DynamoDB for Amazon DynamoDB
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
ByState (p. 135)
Returns only backup jobs that are in the specified state.

FAILED | EXPIRED
MaxResults (p. 135)
The maximum number of items to be returned.
Valid Range: Minimum value of 1. Maximum value of 1000.
135
ListBackupJobs
NextToken (p. 135)
The next item following a partial list of returned items. For example, if a request is made to return
maxResults number of items, NextToken allows you to return more items in your list starting at
the location pointed to by the next token.
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupJobs": [
{
"BytesTransferred": number,
"CreatedBy": {
},
"ExpectedCompletionDate": number,
"StartBy": number,
"State": "string",
}
],
"NextToken": "string"
}
Response Elements
BackupJobs (p. 136)
An array of structures containing metadata about your backup jobs returned in JSON format.
Type: Array of BackupJob (p. 190) objects

NextToken (p. 136)
136
ListBackupJobs
Type: String
Errors

wrong type.

See Also

• AWS SDK for C++
• AWS SDK for Go
137
ListBackupPlans
ListBackupPlans
Returns metadata of your saved backup plans, including Amazon Resource Names (ARNs), plan IDs,
creation and deletion dates, version IDs, plan names, and creator request IDs.
Request Syntax
GET /backup/plans/?includeDeleted=IncludeDeleted&maxResults=MaxResults&nextToken=NextToken
HTTP/1.1

IncludeDeleted (p. 138)
A Boolean value with a default value of FALSE that returns deleted backup plans when set to TRUE.
MaxResults (p. 138)

NextToken (p. 138)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlansList": [
{
}
],
}
Response Elements
138
ListBackupPlans
BackupPlansList (p. 138)
An array of backup plan list items containing metadata about your saved backup plans.
Type: Array of BackupPlansListMember (p. 195) objects

NextToken (p. 138)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
139
ListBackupPlanTemplates
Returns metadata of your saved backup plan templates, including the template ID, name, and the
creation and deletion dates.
Request Syntax
GET /backup/template/plans?maxResults=MaxResults&nextToken=NextToken HTTP/1.1

MaxResults (p. 140)

NextToken (p. 140)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlanTemplatesList": [
{
"BackupPlanTemplateId": "string",
"BackupPlanTemplateName": "string"
}
],
}
Response Elements
BackupPlanTemplatesList (p. 140)
An array of template list items containing metadata about your saved templates.
Type: Array of BackupPlanTemplatesListMember (p. 197) objects
140
NextToken (p. 140)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
141
ListBackupPlanVersions
Returns version metadata of your backup plans, including Amazon Resource Names (ARNs), backup plan
IDs, creation and deletion dates, plan names, and version IDs.
Request Syntax
GET /backup/plans/backupPlanId/versions/?maxResults=MaxResults&nextToken=NextToken HTTP/1.1


MaxResults (p. 142)

NextToken (p. 142)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupPlanVersionsList": [
{
}
],
}
Response Elements
142
BackupPlanVersionsList (p. 142)
An array of version list items containing metadata about your backup plans.
Type: Array of BackupPlansListMember (p. 195) objects

NextToken (p. 142)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
143
ListBackupSelections
Returns an array containing metadata of the resources associated with the target backup plan.
Request Syntax
GET /backup/plans/backupPlanId/selections/?maxResults=MaxResults&nextToken=NextToken
HTTP/1.1


MaxResults (p. 144)

NextToken (p. 144)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupSelectionsList": [
{
"SelectionId": "string",
}
],
}
Response Elements
144
BackupSelectionsList (p. 144)
An array of backup selection list items containing metadata about each resource in the list.
Type: Array of BackupSelectionsListMember (p. 203) objects

NextToken (p. 144)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
145
ListBackupVaults
ListBackupVaults
Returns a list of recovery point storage containers along with information about them.
Request Syntax
GET /backup-vaults/?maxResults=MaxResults&nextToken=NextToken HTTP/1.1

MaxResults (p. 146)

NextToken (p. 146)
Request Body
Response Syntax
HTTP/1.1 200
{
"BackupVaultList": [
{
"NumberOfRecoveryPoints": number
}
],
}
Response Elements
BackupVaultList (p. 146)
An array of backup vault list members containing vault metadata, including Amazon Resource Name
(ARN), display name, creation date, number of saved recovery points, and encryption information if
the resources saved in the backup vault are encrypted.
146
ListBackupVaults
Type: Array of BackupVaultListMember (p. 205) objects

NextToken (p. 146)
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
147
ListCopyJobs
ListCopyJobs
Returns metadata about your copy jobs.
Request Syntax
GET /copy-jobs/?
createdAfter=ByCreatedAfter&createdBefore=ByCreatedBefore&destinationVaultArn=ByDestinationVaultArn&max
HTTP/1.1

Returns only copy jobs that were created after the specified date.
Returns only copy jobs that were created before the specified date.
ByDestinationVaultArn (p. 148)
An Amazon Resource Name (ARN) that uniquely identifies a source backup vault to copy from; for
example, arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.
Returns only copy jobs that match the specified resource Amazon Resource Name (ARN).
Returns only backup jobs for the specified resources:

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
ByState (p. 148)
Returns only copy jobs that are in the specified state.
Valid Values: CREATED | RUNNING | COMPLETED | FAILED

MaxResults (p. 148)

NextToken (p. 148)
maxResults number of items, NextToken allows you to return more items in your list starting at the
location pointed to by the next token.
Request Body
148
ListCopyJobs
Response Syntax
HTTP/1.1 200
{
"CopyJobs": [
{
"CreatedBy": {
},
"DestinationRecoveryPointArn": "string",
"SourceBackupVaultArn": "string",
"SourceRecoveryPointArn": "string",
"State": "string",
}
],
}
Response Elements
CopyJobs (p. 149)
An array of structures containing metadata about your copy jobs returned in JSON format.
Type: Array of CopyJob (p. 210) objects

NextToken (p. 149)
maxResults number of items, NextToken allows you to return more items in your list starting at the
location pointed to by the next token.
Type: String
Errors
149
ListCopyJobs
See Also

• AWS SDK for C++
• AWS SDK for Go
150
ListProtectedResources
Returns an array of resources successfully backed up by AWS Backup, including the time the resource was
saved, an Amazon Resource Name (ARN) of the resource, and a resource type.
Request Syntax
GET /resources/?maxResults=MaxResults&nextToken=NextToken HTTP/1.1

MaxResults (p. 151)

NextToken (p. 151)
Request Body
Response Syntax
HTTP/1.1 200
{
"NextToken": "string",
"Results": [
{
"LastBackupTime": number,
}
]
}
Response Elements
NextToken (p. 151)
151
Type: String
Results (p. 151)
An array of resources successfully backed up by AWS Backup including the time the resource was
saved, an Amazon Resource Name (ARN) of the resource, and a resource type.
Type: Array of ProtectedResource (p. 214) objects
Errors

See Also

• AWS SDK for C++
• AWS SDK for Go
152
ListRecoveryPointsByBackupVault
Returns detailed information about the recovery points stored in a backup vault.
Request Syntax
GET /backup-vaults/backupVaultName/recovery-points/?
backupPlanId=ByBackupPlanId&createdAfter=ByCreatedAfter&createdBefore=ByCreatedBefore&maxResults=MaxRes
HTTP/1.1

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
ByBackupPlanId (p. 153)
Returns only recovery points that match the specified backup plan ID.
Returns only recovery points that were created after the specified timestamp.
Returns only recovery points that were created before the specified timestamp.
Returns only recovery points that match the specified resource Amazon Resource Name (ARN).
Returns only recovery points that match the specified resource type.
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
MaxResults (p. 153)

NextToken (p. 153)
Request Body
Response Syntax
HTTP/1.1 200
153
{
"RecoveryPoints": [
{
"DeleteAt": number,
},
"CreatedBy": {
},
"IsEncrypted": boolean,
"LastRestoreTime": number,
"Lifecycle": {
},
"Status": "string"
}
]
}
Response Elements
NextToken (p. 153)
Type: String
RecoveryPoints (p. 153)
An array of objects that contain detailed information about recovery points saved in a backup vault.
Type: Array of RecoveryPointByBackupVault (p. 215) objects
Errors
154



See Also

• AWS SDK for C++
• AWS SDK for Go
155
ListRecoveryPointsByResource
Returns detailed information about recovery points of the type specified by a resource Amazon Resource
Name (ARN).
Request Syntax
GET /resources/resourceArn/recovery-points/?maxResults=MaxResults&nextToken=NextToken
HTTP/1.1

MaxResults (p. 156)

NextToken (p. 156)
Request Body
Response Syntax
HTTP/1.1 200
{
"RecoveryPoints": [
{
"BackupSizeBytes": number,
"Status": "string"
}
]
}
Response Elements
156
NextToken (p. 156)
Type: String
RecoveryPoints (p. 156)
An array of objects that contain detailed information about recovery points of the specified resource
type.
Type: Array of RecoveryPointByResource (p. 218) objects
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
157
158
ListRestoreJobs
ListRestoreJobs
Returns a list of jobs that AWS Backup initiated to restore a saved resource, including metadata about
the recovery process.
Request Syntax
GET /restore-jobs/?maxResults=MaxResults&nextToken=NextToken HTTP/1.1

MaxResults (p. 159)

NextToken (p. 159)
Request Body
Response Syntax
HTTP/1.1 200
{
"RestoreJobs": [
{
"CreatedResourceArn": "string",
"ExpectedCompletionTimeMinutes": number,
"RestoreJobId": "string",
"Status": "string",
}
]
}
Response Elements
159
ListRestoreJobs
NextToken (p. 159)
Type: String
RestoreJobs (p. 159)
An array of objects that contain detailed information about jobs to restore saved resources.
Type: Array of RestoreJobsListMember (p. 221) objects
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
160
ListTags
ListTags
Returns a list of key-value pairs assigned to a target recovery point, backup plan, or backup vault.
Note
ListTags are currently only supported with Amazon EFS backups.
Request Syntax
GET /tags/resourceArn/?maxResults=MaxResults&nextToken=NextToken HTTP/1.1

MaxResults (p. 161)

NextToken (p. 161)
depends on the type of resource. Valid targets for ListTags are recovery points, backup plans, and
backup vaults.
Request Body
Response Syntax
HTTP/1.1 200
{
"Tags": {
"string" : "string"
}
}
Response Elements
161
ListTags
NextToken (p. 161)
Type: String
Tags (p. 161)
To help organize your resources, you can assign your own metadata to the resources you create. Each
tag is a key-value pair.
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
162
PutBackupVaultAccessPolicy
Sets a resource-based policy that is used to manage access permissions on the target backup vault.
Requires a backup vault name and an access policy document in JSON format.
Request Syntax
PUT /backup-vaults/backupVaultName/access-policy HTTP/1.1
{
"Policy": "string"
}

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
Policy (p. 163)
The backup vault access policy document in JSON format.
Type: String
Required: No
Response Syntax
HTTP/1.1 200
Response Elements
Errors
163



See Also

• AWS SDK for C++
• AWS SDK for Go
164
PutBackupVaultNotifications
Turns on notifications on a backup vault for the specified topic and events.
Request Syntax
PUT /backup-vaults/backupVaultName/notification-configuration HTTP/1.1
{
"BackupVaultEvents": [ "string" ],
"SNSTopicArn": "string"
}

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Request Body
BackupVaultEvents (p. 165)
An array of events that indicate the status of jobs to back up resources to the backup vault.
Valid Values: BACKUP_JOB_STARTED | BACKUP_JOB_COMPLETED | BACKUP_JOB_SUCCESSFUL

| BACKUP_JOB_FAILED | BACKUP_JOB_EXPIRED | RESTORE_JOB_STARTED |
RESTORE_JOB_COMPLETED | RESTORE_JOB_SUCCESSFUL | RESTORE_JOB_FAILED
| COPY_JOB_STARTED | COPY_JOB_SUCCESSFUL | COPY_JOB_FAILED |
RECOVERY_POINT_MODIFIED | BACKUP_PLAN_CREATED | BACKUP_PLAN_MODIFIED
Required: Yes
SNSTopicArn (p. 165)
The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events; for example,
arn:aws:sns:us-west-2:111122223333:MyVaultTopic.
Type: String
Required: Yes
Response Syntax
HTTP/1.1 200
165
Response Elements
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
166
StartBackupJob
StartBackupJob
Starts a job to create a one-time backup of the specified resource.
Request Syntax
PUT /backup-jobs HTTP/1.1
{
"CompleteWindowMinutes": number,
"IdempotencyToken": "string",
"Lifecycle": {
},
"string" : "string"
},
"StartWindowMinutes": number
}

Request Body
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
CompleteWindowMinutes (p. 167)
A value in minutes after a backup job is successfully started before it must be completed or it will be
canceled by AWS Backup. This value is optional.
Type: Long
Required: No
IamRoleArn (p. 167)
Type: String
167
StartBackupJob
Required: Yes
IdempotencyToken (p. 167)
A customer chosen string that can be used to distinguish between calls to StartBackupJob.
Type: String
Required: No
Lifecycle (p. 167)
AWS Backup will transition and expire backups automatically according to the lifecycle that you
define.
Therefore, the “expire after days” setting must be 90 days greater than the “transition to cold after
days” setting. The “transition to cold after days” setting cannot be changed after a backup has been
transitioned to cold.
Required: No
RecoveryPointTags (p. 167)
Each tag is a key-value pair.
Required: No
Type: String
Required: Yes
StartWindowMinutes (p. 167)
A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start
successfully. This value is optional.
Type: Long
Required: No
Response Syntax
HTTP/1.1 200
{
"RecoveryPointArn": "string"
168
StartBackupJob
Response Elements
BackupJobId (p. 168)
Type: String
The date and time that a backup job is started, in Unix format and Coordinated Universal
Type: Timestamp

Type: String
Errors

request.



169
StartBackupJob
See Also

• AWS SDK for C++
• AWS SDK for Go
170
StartCopyJob
StartCopyJob
Starts a job to create a one-time copy of the specified resource.
Request Syntax
PUT /copy-jobs HTTP/1.1
{
"Lifecycle": {
},
"SourceBackupVaultName": "string"
}

Request Body
DestinationBackupVaultArn (p. 171)
An Amazon Resource Name (ARN) that uniquely identifies a destination backup vault to copy to; for
example, arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.
Type: String
Required: Yes
IamRoleArn (p. 171)
Specifies the IAM role ARN used to copy the target recovery point; for example,
Type: String
Required: Yes
A customer chosen string that can be used to distinguish between calls to StartCopyJob.
Type: String
Required: No
Lifecycle (p. 171)
Contains an array of Transition objects specifying how long in days before a recovery point
transitions to cold storage or is deleted.
171
StartCopyJob
Therefore, on the console, the “expire after days” setting must be 90 days greater than the
“transition to cold after days” setting. The “transition to cold after days” setting cannot be changed
after a backup has been transitioned to cold.
Required: No
An ARN that uniquely identifies a recovery point to use for the copy job; for example,
A80B-108B488B0D45.
Type: String
Required: Yes
SourceBackupVaultName (p. 171)
The name of a logical source container where backups are stored. Backup vaults are identified by
names that are unique to the account used to create them and the AWS Region where they are
created. They consist of lowercase letters, numbers, and hyphens.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
Response Syntax
HTTP/1.1 200
{
"CreationDate": number
}
Response Elements
CopyJobId (p. 172)
Type: String
The date and time that a copy job is started, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
172
StartCopyJob
Errors

request.



See Also

• AWS SDK for C++
• AWS SDK for Go
173
StartRestoreJob
StartRestoreJob
Recovers the saved resource identified by an Amazon Resource Name (ARN).
If the resource ARN is included in the request, then the last complete backup of that resource is
recovered. If the ARN of a recovery point is supplied, then that recovery point is restored.
Request Syntax
PUT /restore-jobs HTTP/1.1
{
"Metadata": {
"string" : "string"
},
}

Request Body
IamRoleArn (p. 174)
The Amazon Resource Name (ARN) of the IAM role that AWS Backup uses to create the target
recovery point; for example, arn:aws:iam::123456789012:role/S3Access.
Type: String
Required: Yes
A customer chosen string that can be used to distinguish between calls to StartRestoreJob.
Type: String
Required: No
Metadata (p. 174)
A set of metadata key-value pairs. Contains information, such as a resource name, required to
restore a recovery point.
You can get configuration metadata about a resource at the time it was backed up by calling
GetRecoveryPointRestoreMetadata. However, values in addition to those provided by
GetRecoveryPointRestoreMetadata might be required to restore a resource. For example, you
might need to provide a new resource name if the original already exists.
You need to specify specific metadata to restore an Amazon Elastic File System (Amazon EFS)
instance:
174
StartRestoreJob
• file-system-id: ID of the Amazon EFS file system that is backed up by AWS Backup. Returned
in GetRecoveryPointRestoreMetadata.
• Encrypted: A Boolean value that, if true, specifies that the file system is encrypted. If KmsKeyId
is specified, Encrypted must be set to true.
• KmsKeyId: Specifies the AWS KMS key that is used to encrypt the restored file system.
• PerformanceMode: Specifies the throughput mode of the file system.
• CreationToken: A user-supplied value that ensures the uniqueness (idempotency) of the
request.
• newFileSystem: A Boolean value that, if true, specifies that the recovery point is restored to a
new Amazon EFS file system.
Required: Yes

Type: String
Required: Yes
Starts a job to restore a recovery point for one of the following resources:
• DDB for Amazon DynamoDB
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
Response Syntax
HTTP/1.1 200
{
"RestoreJobId": "string"
}
Response Elements
RestoreJobId (p. 175)
175
StartRestoreJob
Type: String
Errors



See Also

• AWS SDK for C++
• AWS SDK for Go
176
StopBackupJob
StopBackupJob
Attempts to cancel a job to create a one-time backup of a resource.
Request Syntax
POST /backup-jobs/backupJobId HTTP/1.1

backupJobId (p. 177)
Request Body
Response Syntax
HTTP/1.1 200
Response Elements
Errors

wrong type.


177
StopBackupJob
See Also

• AWS SDK for C++
• AWS SDK for Go
178
TagResource
TagResource
Assigns a set of key-value pairs to a recovery point, backup plan, or backup vault identified by an
Amazon Resource Name (ARN).
Request Syntax
POST /tags/resourceArn HTTP/1.1
{
"Tags": {
"string" : "string"
}
}

An ARN that uniquely identifies a resource. The format of the ARN depends on the type of the
tagged resource.
Request Body
Tags (p. 179)
Key-value pairs that are used to help organize your resources. You can assign your own metadata to
the resources you create.
Required: Yes
Response Syntax
HTTP/1.1 200
Response Elements
Errors
179
TagResource

request.



See Also

• AWS SDK for C++
• AWS SDK for Go
180
UntagResource
UntagResource
Removes a set of key-value pairs from a recovery point, backup plan, or backup vault identified by an
Amazon Resource Name (ARN)
Request Syntax
POST /untag/resourceArn HTTP/1.1
{
"TagKeyList": [ "string" ]
}

An ARN that uniquely identifies a resource. The format of the ARN depends on the type of the
tagged resource.
Request Body
TagKeyList (p. 181)
A list of keys to identify which key-value tags to remove from a resource.
Required: Yes
Response Syntax
HTTP/1.1 200
Response Elements
Errors
181
UntagResource


See Also

• AWS SDK for C++
• AWS SDK for Go
182
UpdateBackupPlan
UpdateBackupPlan
Replaces the body of a saved backup plan identified by its backupPlanId with the input document in
JSON format. The new version is uniquely identified by a VersionId.
Request Syntax
POST /backup/plans/backupPlanId HTTP/1.1
{
"BackupPlan": {
"Rules": [
{
"CopyActions": [
{
"Lifecycle": {
}
}
],
"Lifecycle": {
},
"string" : "string"
},
}
]
}
}

Request Body
BackupPlan (p. 183)
Type: BackupPlanInput (p. 194) object
Required: Yes
183
UpdateBackupPlan
Response Syntax
HTTP/1.1 200
{
}
Response Elements
B3360DC80C50.
Type: String
Type: String
The date and time a backup plan is updated, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
VersionId (p. 184)
Version Ids cannot be edited.
Type: String
Errors

184
UpdateBackupPlan


See Also

• AWS SDK for C++
• AWS SDK for Go
185
UpdateRecoveryPointLifecycle
Sets the transition lifecycle of a recovery point.
The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. AWS
Backup transitions and expires backups automatically according to the lifecycle that you define.
Request Syntax
POST /backup-vaults/backupVaultName/recovery-points/recoveryPointArn HTTP/1.1
{
"Lifecycle": {
}
}

Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
A80B-108B488B0D45.
Request Body
Lifecycle (p. 186)
Required: No
186
Response Syntax
HTTP/1.1 200
{
"DeleteAt": number,
},
"Lifecycle": {
},
"RecoveryPointArn": "string"
}
Response Elements

Type: String
CalculatedLifecycle (p. 187)

Lifecycle (p. 187)

A80B-108B488B0D45.
Type: String
Errors
187
Data Types



See Also

• AWS SDK for C++
• AWS SDK for Go
Data Types
The following data types are supported:
• BackupJob (p. 190)

• BackupPlan (p. 193)
• BackupPlanInput (p. 194)
• BackupPlansListMember (p. 195)
• BackupPlanTemplatesListMember (p. 197)
• BackupRule (p. 198)
• BackupRuleInput (p. 200)
• BackupSelection (p. 202)
• BackupSelectionsListMember (p. 203)
• BackupVaultListMember (p. 205)
• CalculatedLifecycle (p. 207)
188
Data Types
• Condition (p. 208)

• CopyAction (p. 209)
• CopyJob (p. 210)
• Lifecycle (p. 213)
• ProtectedResource (p. 214)
• RecoveryPointByBackupVault (p. 215)
• RecoveryPointByResource (p. 218)
• RecoveryPointCreator (p. 220)
• RestoreJobsListMember (p. 221)
189
BackupJob
BackupJob
Contains detailed information about a backup job.
Contents
BackupJobId
Type: String
Required: No
BackupSizeInBytes
Type: Long
Required: No
BackupVaultArn
Type: String
Required: No
BackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
BytesTransferred
The size in bytes transferred to a backup vault at the time that the job status was queried.
Type: Long
Required: No
CompletionDate
The date and time a job to create a backup job is completed, in Unix format and Coordinated
Type: Timestamp
Required: No
CreatedBy
Contains identifying information about the creation of a backup job, including the BackupPlanArn,
BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan used to create it.
190
BackupJob
Required: No
CreationDate
The date and time a backup job is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
ExpectedCompletionDate
The date and time a job to back up resources is expected to be completed, in Unix format and
Coordinated Universal Time (UTC). The value of ExpectedCompletionDate is accurate to
milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018
12:11:30.087 AM.
Type: Timestamp
Required: No
IamRoleArn
Type: String
Required: No
PercentDone
Contains an estimated percentage complete of a job at the time the job status was queried.
Type: String
Required: No
RecoveryPointArn

Type: String
Required: No
ResourceArn
Type: String
Required: No
ResourceType
The type of AWS resource to be backed up; for example, an Amazon Elastic Block Store (Amazon
EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
191
BackupJob
Required: No
StartBy
Specifies the time in Unix format and Coordinated Universal Time (UTC) when a backup job must be
started before it is canceled. The value is calculated by adding the start window to the scheduled
time. So if the scheduled time were 6:00 PM and the start window is 2 hours, the StartBy time
would be 8:00 PM on the date specified. The value of StartBy is accurate to milliseconds. For
Type: Timestamp
Required: No
State
The current state of a resource recovery point.
Type: String

FAILED | EXPIRED
Required: No
StatusMessage
A detailed message explaining the status of the job to back up a resource.
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
192
BackupPlan
BackupPlan
Contains an optional backup plan display name and an array of BackupRule objects, each of which
specifies a backup rule. Each rule in a backup plan is a separate scheduled task and can back up a
different selection of AWS resources.
Contents
BackupPlanName
The display name of a backup plan.
Type: String
Required: Yes
Rules
An array of BackupRule objects, each of which specifies a scheduled task that is used to back up a
selection of resources.
Type: Array of BackupRule (p. 198) objects
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
193
BackupPlanInput
BackupPlanInput
Contains an optional backup plan display name and an array of BackupRule objects, each of which
specifies a backup rule. Each rule in a backup plan is a separate scheduled task and can back up a
different selection of AWS resources.
Contents
BackupPlanName
The display name of a backup plan.
Type: String
Required: Yes
Rules
An array of BackupRule objects, each of which specifies a scheduled task that is used to back up a
selection of resources.
Type: Array of BackupRuleInput (p. 200) objects
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
194
BackupPlansListMember
Contains metadata about a backup plan.
Contents
BackupPlanArn
B3360DC80C50.
Type: String
Required: No
BackupPlanId
Type: String
Required: No
BackupPlanName
The display name of a saved backup plan.
Type: String
Required: No
CreationDate
The date and time a resource backup plan is created, in Unix format and Coordinated Universal
Type: Timestamp
Required: No
CreatorRequestId
Type: String
Required: No
DeletionDate
The date and time a backup plan is deleted, in Unix format and Coordinated Universal Time (UTC).
The value of DeletionDate is accurate to milliseconds. For example, the value 1516925490.087
Type: Timestamp
Required: No
LastExecutionDate
The last time a job to back up resources was executed with this rule. A date and time, in Unix
format and Coordinated Universal Time (UTC). The value of LastExecutionDate is accurate
195
12:11:30.087 AM.
Type: Timestamp
Required: No
VersionId
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
196
BackupPlanTemplatesListMember
BackupPlanTemplatesListMember
An object specifying metadata associated with a backup plan template.
Contents
BackupPlanTemplateId
Uniquely identifies a stored backup plan template.
Type: String
Required: No
BackupPlanTemplateName
The optional display name of a backup plan template.
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
197
BackupRule
BackupRule
Specifies a scheduled task used to back up a selection of resources.
Contents
CompletionWindowMinutes
Type: Long
Required: No
CopyActions
An array of CopyAction objects, which contains the details of the copy operation.
Type: Array of CopyAction (p. 209) objects
Required: No
Lifecycle
Required: No
RecoveryPointTags
An array of key-value pair strings that are assigned to resources that are associated with this rule
when restored from backup.
Required: No
RuleId
Uniquely identifies a rule that is used to schedule the backup of a selection of resources.
Type: String
Required: No
RuleName
An optional display name for a backup rule.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
198
BackupRule
ScheduleExpression
A CRON expression specifying when AWS Backup initiates a backup job.
Type: String
Required: No
StartWindowMinutes
Type: Long
Required: No
TargetBackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
199
BackupRuleInput
BackupRuleInput
Specifies a scheduled task used to back up a selection of resources.
Contents
CompletionWindowMinutes
Type: Long
Required: No
CopyActions
An array of CopyAction objects, which contains the details of the copy operation.
Type: Array of CopyAction (p. 209) objects
Required: No
Lifecycle
AWS Backup will transition and expire backups automatically according to the lifecycle that you
define.
Required: No
RecoveryPointTags
Each tag is a key-value pair.
Required: No
RuleName
An optional display name for a backup rule.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
ScheduleExpression
A CRON expression specifying when AWS Backup initiates a backup job.
Type: String
Required: No
200
BackupRuleInput
StartWindowMinutes
Type: Long
Required: No
TargetBackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
201
BackupSelection
BackupSelection
Used to specify a set of resources to a backup plan.
Contents
IamRoleArn
The ARN of the IAM role that AWS Backup uses to authenticate when restoring the target resource;
for example, arn:aws:iam::123456789012:role/S3Access.
Type: String
Required: Yes
ListOfTags
An array of conditions used to specify a set of resources to assign to a backup plan; for example,
"STRINGEQUALS": {"ec2:ResourceTag/Department": "accounting".
Type: Array of Condition (p. 208) objects
Required: No
Resources
An array of strings that contain Amazon Resource Names (ARNs) of resources to assign to a backup
plan.
Required: No
SelectionName
The display name of a resource selection document.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
202
BackupSelectionsListMember
Contains metadata about a BackupSelection object.
Contents
BackupPlanId
Type: String
Required: No
CreationDate
The date and time a backup plan is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
CreatorRequestId
Type: String
Required: No
IamRoleArn
Specifies the IAM role Amazon Resource Name (ARN) to create the target recovery point; for
example, arn:aws:iam::123456789012:role/S3Access.
Type: String
Required: No
SelectionId
Uniquely identifies a request to assign a set of resources to a backup plan.
Type: String
Required: No
SelectionName
The display name of a resource selection document.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
See Also
203
• AWS SDK for C++

• AWS SDK for Go
204
BackupVaultListMember
Contains metadata about a backup vault.
Contents
BackupVaultArn
Type: String
Required: No
BackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
CreationDate
The date and time a resource backup is created, in Unix format and Coordinated Universal
Type: Timestamp
Required: No
CreatorRequestId
Type: String
Required: No
EncryptionKeyArn
Type: String
Required: No
NumberOfRecoveryPoints
The number of recovery points that are stored in a backup vault.
Type: Long
Required: No
205
See Also
• AWS SDK for C++

• AWS SDK for Go
206
CalculatedLifecycle
CalculatedLifecycle
Contains DeleteAt and MoveToColdStorageAt timestamps, which are used to specify a lifecycle for a
recovery point.
The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. AWS
Backup transitions and expires backups automatically according to the lifecycle that you define.
Contents
DeleteAt
A timestamp that specifies when to delete a recovery point.
Type: Timestamp
Required: No
MoveToColdStorageAt
A timestamp that specifies when to transition a recovery point to cold storage.
Type: Timestamp
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
207
Condition
Condition
Contains an array of triplets made up of a condition type (such as STRINGEQUALS), a key, and a value.
Conditions are used to filter resources in a selection that is assigned to a backup plan.
Contents
ConditionKey
The key in a key-value pair. For example, in "ec2:ResourceTag/Department": "accounting",

"ec2:ResourceTag/Department" is the key.
Type: String
Required: Yes
ConditionType
An operation, such as STRINGEQUALS, that is applied to a key-value pair used to filter resources in a
selection.
Type: String
Valid Values: STRINGEQUALS
Required: Yes
ConditionValue
The value in a key-value pair. For example, in "ec2:ResourceTag/Department":

"accounting", "accounting" is the value.
Type: String
Required: Yes
See Also
• AWS SDK for C++

• AWS SDK for Go
208
CopyAction
CopyAction
The details of the copy operation.
Contents
DestinationBackupVaultArn
An Amazon Resource Name (ARN) that uniquely identifies the destination

backup vault for the copied backup. For example, arn:aws:backup:us-
Type: String
Required: Yes
Lifecycle
Contains an array of Transition objects specifying how long in days before a recovery point
transitions to cold storage or is deleted.
Therefore, on the console, the “expire after days” setting must be 90 days greater than the
“transition to cold after days” setting. The “transition to cold after days” setting cannot be changed
after a backup has been transitioned to cold.
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
209
CopyJob
CopyJob
Contains detailed information about a copy job.
Contents
BackupSizeInBytes
The size, in bytes, of a copy job.
Type: Long
Required: No
CompletionDate
The date and time a copy job is completed, in Unix format and Coordinated Universal Time (UTC).
The value of CompletionDate is accurate to milliseconds. For example, the value 1516925490.087
Type: Timestamp
Required: No
CopyJobId
Type: String
Required: No
CreatedBy
Contains information about the backup plan and rule that AWS Backup used to initiate the recovery
point backup.
Required: No
CreationDate
The date and time a copy job is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
DestinationBackupVaultArn
An Amazon Resource Name (ARN) that uniquely identifies a destination copy vault; for example,
Type: String
Required: No
DestinationRecoveryPointArn
An ARN that uniquely identifies a destination recovery point; for example, arn:aws:backup:us-
210
CopyJob
Type: String
Required: No
IamRoleArn
Specifies the IAM role ARN used to copy the target recovery point; for example,
Type: String
Required: No
ResourceArn
The AWS resource to be copied; for example, an Amazon Elastic Block Store (Amazon EBS) volume or
an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Required: No
ResourceType
The type of AWS resource to be copied; for example, an Amazon Elastic Block Store (Amazon EBS)
volume or an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
SourceBackupVaultArn
An Amazon Resource Name (ARN) that uniquely identifies a source copy vault; for example,
Type: String
Required: No
SourceRecoveryPointArn
An ARN that uniquely identifies a source recovery point; for example, arn:aws:backup:us-
Type: String
Required: No
State
The current state of a copy job.
Type: String
Valid Values: CREATED | RUNNING | COMPLETED | FAILED
Required: No
StatusMessage
A detailed message explaining the status of the job to copy a resource.
Type: String
211
CopyJob
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
212
Lifecycle
Lifecycle
Contains an array of Transition objects specifying how long in days before a recovery point transitions
to cold storage or is deleted.
Therefore, on the console, the “expire after days” setting must be 90 days greater than the “transition to
cold after days” setting. The “transition to cold after days” setting cannot be changed after a backup has
been transitioned to cold.
Contents
DeleteAfterDays
Specifies the number of days after creation that a recovery point is deleted. Must be greater than 90
days plus MoveToColdStorageAfterDays.
Type: Long
Required: No
MoveToColdStorageAfterDays
Specifies the number of days after creation that a recovery point is moved to cold storage.
Type: Long
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
213
ProtectedResource
ProtectedResource
A structure that contains information about a backed-up resource.
Contents
LastBackupTime
The date and time a resource was last backed up, in Unix format and Coordinated Universal
Time (UTC). The value of LastBackupTime is accurate to milliseconds. For example, the value
Type: Timestamp
Required: No
ResourceArn
Type: String
Required: No
ResourceType
The type of AWS resource; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an
Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
214
RecoveryPointByBackupVault
Contains detailed information about the recovery points stored in a backup vault.
Contents
BackupSizeInBytes
Type: Long
Required: No
BackupVaultArn

Type: String
Required: No
BackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
CalculatedLifecycle
Required: No
CompletionDate
The date and time a job to restore a recovery point is completed, in Unix format and Coordinated
Type: Timestamp
Required: No
CreatedBy
Contains identifying information about the creation of a recovery point, including the
BackupPlanArn, BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan
that is used to create it.
Required: No
215
CreationDate
The date and time a recovery point is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
EncryptionKeyArn
Type: String
Required: No
IamRoleArn
Type: String
Required: No
IsEncrypted
A Boolean value that is returned as TRUE if the specified recovery point is encrypted, or FALSE if the
recovery point is not encrypted.
Type: Boolean
Required: No
LastRestoreTime
The date and time a recovery point was last restored, in Unix format and Coordinated Universal
Time (UTC). The value of LastRestoreTime is accurate to milliseconds. For example, the value
Type: Timestamp
Required: No
Lifecycle
Required: No
RecoveryPointArn
A80B-108B488B0D45.
216
Type: String
Required: No
ResourceArn
Type: String
Required: No
ResourceType
The type of AWS resource saved as a recovery point; for example, an Amazon Elastic Block Store
(Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
Status
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
217
RecoveryPointByResource
Contains detailed information about a saved recovery point.
Contents
BackupSizeBytes
Type: Long
Required: No
BackupVaultName
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
Required: No
CreationDate
The date and time a recovery point is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
EncryptionKeyArn
Type: String
Required: No
RecoveryPointArn
A80B-108B488B0D45.
Type: String
Required: No
Status
Type: String
Required: No
218
See Also
• AWS SDK for C++

• AWS SDK for Go
219
RecoveryPointCreator
RecoveryPointCreator
Contains information about the backup plan and rule that AWS Backup used to initiate the recovery
point backup.
Contents
BackupPlanArn
B3360DC80C50.
Type: String
Required: No
BackupPlanId
Type: String
Required: No
BackupPlanVersion
Version IDs are unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024
bytes long. They cannot be edited.
Type: String
Required: No
BackupRuleId
Uniquely identifies a rule used to schedule the backup of a selection of resources.
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
220
RestoreJobsListMember
RestoreJobsListMember
Contains metadata about a restore job.
Contents
BackupSizeInBytes
The size, in bytes, of the restored resource.
Type: Long
Required: No
CompletionDate
The date and time a job to restore a recovery point is completed, in Unix format and Coordinated
Type: Timestamp
Required: No
CreatedResourceArn
Type: String
Required: No
CreationDate
The date and time a restore job is created, in Unix format and Coordinated Universal Time (UTC).
Type: Timestamp
Required: No
ExpectedCompletionTimeMinutes
The amount of time in minutes that a job restoring a recovery point is expected to take.
Type: Long
Required: No
IamRoleArn
Type: String
Required: No
PercentDone
Contains an estimated percentage complete of a job at the time the job status was queried.
221
Common Errors
Type: String
Required: No
RecoveryPointArn

Type: String
Required: No
RestoreJobId
Type: String
Required: No
Status
A status code specifying the state of the job initiated by AWS Backup to restore a recovery point.
Type: String
Valid Values: PENDING | RUNNING | COMPLETED | ABORTED | FAILED
Required: No
StatusMessage
A detailed message explaining the status of the job to restore a recovery point.
Type: String
Required: No
See Also
• AWS SDK for C++

• AWS SDK for Go
Common Errors
This section lists the errors common to the API actions of all AWS services. For errors specific to an API
action for this service, see the topic for that API action.
AccessDeniedException
You do not have sufficient access to perform this action.
222
Common Errors
IncompleteSignature
The request signature does not conform to AWS standards.

InternalFailure
The request processing has failed because of an unknown error, exception or failure.

InvalidAction
The action or operation requested is invalid. Verify that the action is typed correctly.

InvalidClientTokenId
The X.509 certificate or AWS access key ID provided does not exist in our records.

InvalidParameterCombination
Parameters that must not be used together were used together.

InvalidParameterValue
An invalid or out-of-range value was supplied for the input parameter.

InvalidQueryParameter
The AWS query string is malformed or does not adhere to AWS standards.

MalformedQueryString
The query string contains a syntax error.

MissingAction
The request is missing an action or a required parameter.

MissingAuthenticationToken
The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

MissingParameter
A required parameter for the specified action is not supplied.

OptInRequired
The AWS access key ID needs a subscription for the service.
223
Common Errors

RequestExpired
The request reached the service more than 15 minutes after the date stamp on the request or more
than 15 minutes after the request expiration date (such as for pre-signed URLs), or the date stamp
on the request is more than 15 minutes in the future.

ServiceUnavailable
The request has failed due to a temporary failure of the server.

ThrottlingException
The request was denied due to request throttling.

ValidationError
The input fails to satisfy the constraints specified by an AWS service.
224
AWS Glossary
For the latest AWS terminology, see the AWS Glossary in the AWS General Reference.
225
Document History for AWS Backup

The following table describes the documentation for this release of AWS Backup.
• API version: 2019-01-15

• Latest documentation update: January 13, 2020
Change Description Date
Support for backing up Amazon You can now backup entire January 13, 2020
EC2 instances and also adds Amazon EC2 instances and
support for Cross-Region also copy resources across AWS
backups. Regions. For more information,
see Cross-Region Backups.
New guide This is the first release of the January 15, 2019
AWS Backup Developer Guide.
226

AWSBackup DG PDF

Uploaded by

Copyright:

Available Formats

AWSBackup DG PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AWSBackup DG PDF

Uploaded by

Copyright:

Available Formats

AWS Backup

AWS Backup: Developer Guide

Backup Vault Tags ............................................................................................................ 25

RecoveryPointByResource ................................................................................................ 218

What Is AWS Backup?

Supported Service Supported Resource

Amazon Elastic File System Amazon EFS ﬁle systems

Amazon DynamoDB DynamoDB tables

Amazon Elastic Compute Amazon EC2 instances*

Amazon Elastic Block Store Amazon EBS volumes

Amazon Relational Amazon RDS databases**

AWS Storage Gateway AWS Storage Gateway volumes

AWS Backup Overview

Centralized Backup Management

Policy-Based Backup Solutions

Tag-Based Backup Policies

Backup Activity Monitoring

Lifecycle Management Policies

Backup Access Policies

• AWS Backup: How It Works (p. 4)

AWS Backup: How It Works

How AWS Backup Works with Other AWS Services

• Amazon EC2 Related Services

Working with Amazon EC2

Backing Up Amazon EC2 Resources

AWS Backup will not back up the following:

• Conﬁguration of the elastic inference accelerator, if it is attached to the instance.

Restoring Amazon EC2 Resources

Working with Amazon RDS

Working with AWS Storage Gateway

• Amazon Elastic File System (Amazon EFS) ﬁle systems

Metering Backup and Pricing Usage

AWS Backup Blogs, Videos, and Other Resources

1. Sign up for AWS (p. 8)

Sign up for AWS

To create an AWS account

Create an IAM User

Getting Started with AWS Backup

• An AWS account. For more information, see Setting Up (p. 8).

AWS Backup currently supports the following services:

Step 1: Create an On-Demand Backup

To create an on-demand backup

Step 2: Create a Scheduled Backup

Create a Backup Plan by Modifying an Existing One

To create a backup plan from an existing one

6. When you have ﬁnished editing the rule, choose Save.

Assign Resources to a Backup Plan

To assign resources to a backup plan

Create a Backup Vault

To create a backup vault

Step 3: Monitor Your Backup Jobs and Verify That

View the Status of Backup Jobs

To view backup job status

1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

View All Backups in a Vault

To view all backups in a vault

View Details of Protected Resources

To view protected resources

Step 4: Restore a Backup