Configure AWS Backup

This guide shows you how to configure AWS Backup. Once configured, AWS Backup schedules daily backups of AWS resources including databases and S3 buckets.

Warning

As part of this series of guides you will create an AWS Backup vault and enable Compliance mode. When Compliance mode is enabled, any backups created cannot be deleted by any user, including the root user.

Step 1: Create a Boilerplate configuration file

Assumption

This step assumes you are already using Boilerplate and have a vars-common.yml. If you do not, have a look here for an example.

In your IaC directory, create a file named vars-backup.yml with the following content:

StackName: "backup"
NotifySlack:
  Enable: false

Step 2: Create a backup stack

boilerplate \
    --template-url "git@github.com:oslokommune/golden-path-boilerplate.git//boilerplate/terraform/backup?ref=main" \
    --var-file vars-backup.yml \
    --var-file vars-common.yml \
    --output-folder backup \
    --non-interactive

Warning

In config_override.tf, it's possible to set the variable changeable_for_days.

If or when you set changeable_for_days, you will NOT be able to delete the backup after changeable_for_days days. This ensures that intruders cannot delete your backups.

Step 3: Apply the configuration

Initialize Terraform and apply the configuration:

terraform init
terraform apply

Step 4: Verify

  • Go to AWS console > AWS Backup > Backup plans
  • Verify that you have a backup plan with the name of your environment
  • Go to the backup plan
  • Verify that it contains two scheduled backup rules: Daily and monthly
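
To also confirm the vault lock state behind the changeable_for_days warning, the following is an added example, not part of the Golden Path templates. It classifies the JSON printed by `aws backup describe-backup-vault` using the `Locked` and `LockDate` fields. The vault name, script name and sample responses are constructed placeholders.

```python
"""Classify AWS Backup Vault Lock state from describe-backup-vault JSON.

Usage (vault name and script name are placeholders):
  aws backup describe-backup-vault --backup-vault-name <your-vault> \
      | python3 vault_lock_state.py
"""
import json
import sys
from datetime import datetime, timezone


def parse_lock_date(value):
    """Accept an ISO 8601 string or epoch seconds; return an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def lock_state(vault, now=None):
    """Return (state, detail) for one DescribeBackupVault response dict."""
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked", "no Vault Lock on this vault"
    if vault.get("LockDate") is None:
        # Locked without a lock date: the lock itself can still be removed.
        return "governance", "lock can still be removed by permitted users"
    lock_date = parse_lock_date(vault["LockDate"])
    if now < lock_date:
        days = (lock_date - now).days
        return "compliance-grace", f"lock becomes permanent in {days} day(s)"
    return "compliance-immutable", f"lock permanent since {lock_date:%Y-%m-%d}"


# Constructed sample responses (not real account data).
SAMPLE_GRACE = {"BackupVaultName": "example-vault", "Locked": True,
                "LockDate": "2030-01-10T00:00:00+00:00"}
SAMPLE_NO_DATE = {"BackupVaultName": "example-vault", "Locked": True}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GRACE
    state, detail = lock_state(data)
    print(f"{data.get('BackupVaultName')}: {state} ({detail})")
```

A result of compliance-grace means the changeable_for_days window is still open; compliance-immutable means the lock can no longer be changed or removed.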

Next steps

Follow the Slack notification guide to set up Slack notifications for backups.