Description:
AWS Backup is a centralized, automated data protection service that works across AWS services. It enables you to centrally deploy data protection policies to configure, manage, and govern backup activity across your organization's AWS accounts and resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Block Store (Amazon EBS) volumes, and Amazon Relational Database Service (Amazon RDS) databases. Backup policies are configured from a central backup console. AWS Backup also provides automated backup schedules, retention management, and lifecycle management; it enforces your backup policies, encrypts your backups, and audits backup activity from a centralized console to help meet your backup compliance requirements.
Rationale:
AWS Backup protects AWS resources by taking backups according to the protection policies you define. Backups and snapshots are stored in encrypted form, which helps protect the data on EBS volumes from malicious activity. If an instance's volumes are damaged, deleted, or otherwise affected by a problem, the volumes can be recovered from the backup.
Impact:
You can configure backup policies from a central backup console, simplifying backup management and making it easy to ensure that your application data across AWS services is backed up and protected.
Default Value:
By default, no AWS Backup plan exists. When you create a backup plan in AWS Backup, it has no resource assignments by default, so no resource is protected until you assign one.
Pre-Requisite:
A backup plan must exist in AWS Backup for this policy.
You must have an EBS volume in EC2.
An IAM role for AWS Backup (for example, the default AWS Backup service role) must exist.
Remediation:
Test Plan:
Log in to your AWS console and go to AWS Backup service: https://console.aws.amazon.com/backup/.
Click on Backup plan in the left navigation pane.
Choose your Backup plans and go to the Resource assignment section.
In this section, check whether the EBS volume is assigned to the backup plan. If it is not, follow the implementation steps.
Using AWS CLI:
To get the details of a backup plan:
aws backup get-backup-plan \
  --backup-plan-id "<backup_plan_id>"
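A backup plan's resource assignments live in its backup selections, so the practical test is to list those selections and check whether the volume matches one of them. The script below is an added example, not part of the original control text: its evaluation logic runs offline against the JSON shape that `aws backup get-backup-selection` returns, while `fetch_selections()` is the only part that calls the AWS CLI (`list-backup-selections` and `get-backup-selection`) and therefore needs credentials. The coverage model is a simplified assumption (explicit or wildcard `Resources`, `NotResources` exclusions, and OR'd `STRINGEQUALS` entries in `ListOfTags`; the newer `Conditions` block is not evaluated), and the sample selections, account id, role and volume ARNs are constructed.

```python
"""Check whether an EBS volume is assigned to an AWS Backup plan.

Added example; not part of the original control text. Everything except
fetch_selections() runs offline against constructed sample data.
"""
import fnmatch
import json
import subprocess
from typing import Dict, List


def _arn_matches(patterns: List[str], volume_arn: str) -> bool:
    """True if any entry (an exact ARN or one containing '*') matches the volume ARN."""
    return any(fnmatch.fnmatchcase(volume_arn, pattern) for pattern in patterns)


def _list_of_tags_match(conditions: List[Dict[str, str]], tags: Dict[str, str]) -> bool:
    """Evaluate a selection's ListOfTags against the volume's tags.

    ListOfTags entries are OR'd and use STRINGEQUALS with keys written as
    'aws:ResourceTag/<tag-key>'. Any other condition type is treated as not
    matching, so the check errs toward reporting a coverage gap.
    """
    for cond in conditions:
        if cond.get("ConditionType", "").upper() != "STRINGEQUALS":
            continue
        tag_key = cond["ConditionKey"].split("/", 1)[-1]
        if tags.get(tag_key) == cond["ConditionValue"]:
            return True
    return False


def volume_is_covered(selection: dict, volume_arn: str, tags: Dict[str, str]) -> bool:
    """Return True if this selection assigns the volume to the plan.

    Simplified model (assumption): covered when the ARN matches Resources or the
    tags satisfy ListOfTags, unless NotResources excludes it. 'Conditions' is
    not evaluated here.
    """
    sel = selection.get("BackupSelection", selection)
    if _arn_matches(sel.get("NotResources", []), volume_arn):
        return False
    if _arn_matches(sel.get("Resources", []), volume_arn):
        return True
    return _list_of_tags_match(sel.get("ListOfTags", []), tags)


def covering_selections(selections: List[dict], volume_arn: str, tags: Dict[str, str]) -> List[str]:
    """Names of the plan's selections that cover the volume; an empty list means not assigned."""
    return [
        selection.get("BackupSelection", selection)["SelectionName"]
        for selection in selections
        if volume_is_covered(selection, volume_arn, tags)
    ]


def fetch_selections(plan_id: str) -> List[dict]:
    """Pull every selection of a plan via the AWS CLI (needs credentials; not used offline)."""
    listing = json.loads(subprocess.check_output(
        ["aws", "backup", "list-backup-selections", "--backup-plan-id", plan_id, "--output", "json"]))
    return [
        json.loads(subprocess.check_output(
            ["aws", "backup", "get-backup-selection", "--backup-plan-id", plan_id,
             "--selection-id", item["SelectionId"], "--output", "json"]))
        for item in listing.get("BackupSelectionsList", [])
    ]


# Constructed sample in the shape get-backup-selection returns (not real account data).
ROLE = "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"
SAMPLE_SELECTIONS = [
    {"BackupSelection": {
        "SelectionName": "ebs_backup",
        "IamRoleArn": ROLE,
        "Resources": ["arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"],
        "ListOfTags": []}},
    {"BackupSelection": {
        "SelectionName": "accounting_by_tag",
        "IamRoleArn": ROLE,
        "Resources": [],
        "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                        "ConditionKey": "aws:ResourceTag/Department",
                        "ConditionValue": "accounting"}]}},
]

if __name__ == "__main__":
    import sys
    # usage: check_ebs_assignment.py <backup_plan_id> <volume_arn> [TagKey=Value ...]
    plan_id, volume_arn = sys.argv[1], sys.argv[2]
    volume_tags = dict(kv.split("=", 1) for kv in sys.argv[3:])
    names = covering_selections(fetch_selections(plan_id), volume_arn, volume_tags)
    print("covered by:", names or "NO SELECTION - follow the implementation steps")
```

Run it with the plan id, the volume ARN and the volume's tags (as `Key=Value` arguments) to see which selections, if any, cover the volume; an empty result is the finding that the implementation steps below remediate.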
Implementation Steps:
Log in to your AWS console and go to AWS Backup service: https://console.aws.amazon.com/backup/.
Click on Backup plan in the left navigation pane.
Choose your Backup plans and go to the Resource assignment section, click the Assign resources button.
In the Resource assignment field, enter a name for your assignment, e.g. “ebs_resources”, and choose the IAM role to use; keep in mind that it must have the permissions needed to access the resources being backed up.
Next, select Assign by => Resource ID. In the Resource type field, choose EBS. In the Instance ID field, choose your EBS volume.
Then click on the Assign resources button.
Using AWS CLI
To assign the EBS volume to the backup plan (the selection is passed as JSON; a tag condition is optional and shown here as in the original):
aws backup create-backup-selection \
  --backup-plan-id "<backup_plan_id>" \
  --backup-selection '{
    "SelectionName": "<display name of resource selection, e.g. ebs_backup>",
    "IamRoleArn": "<role_arn>",
    "Resources": ["arn:aws:ec2:<region>:<account-id>:volume/<volume-id>"],
    "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                    "ConditionKey": "aws:ResourceTag/Department",
                    "ConditionValue": "accounting"}]
  }'
Backout Plan:
Log in to your AWS console and go to AWS Backup service: https://console.aws.amazon.com/backup/.
Click on Backup plan in the left navigation pane.
Choose your backup plan, go to the Resource assignment section, select the assigned resource, and click the Delete button to remove it from the backup plan's resource assignments.
Using AWS CLI
To remove the EBS volume's resource selection from the backup plan (look up the selection id first, then delete that selection):
aws backup list-backup-selections \
  --backup-plan-id "<backup_plan_id>"
aws backup delete-backup-selection \
  --backup-plan-id "<backup_plan_id>" \
  --selection-id "<selection_id>"