Creating, updating, and deleting backup policies - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating, updating, and deleting backup policies

Creating a backup policy

Minimum permissions

To create a backup policy, you need permission to run the following action:

  • organizations:CreatePolicy

Amazon Web Services Management Console

You can create a backup policy in the Amazon Web Services Management Console in one of two ways:

  • A visual editor that lets you choose options and generates the JSON policy text for you.

  • A text editor that lets you directly create the JSON policy text yourself.

The visual editor makes the process easy, but it limits your flexibility. It's a great way to create your first policies and get comfortable with using them. After you understand how they work and have started to be limited by what the visual editor provides, you can add advanced features to your policies by editing the JSON policy text yourself. The visual editor uses only the @@assign value-setting operator, and it doesn't provide any access to the child control operators. You can add the child control operators only if you manually edit the JSON policy text.

To create a backup policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Backup policies page, choose Create policy.

  3. On the Create policy page, enter a Policy name and an optional Policy description.

  4. (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information about tagging, see Tagging Amazon Organizations resources.

  5. You can build the policy using the Visual editor as described in this procedure. You can also enter or paste policy text in the JSON tab. For information about backup policy syntax, see Backup policy syntax and examples.

    If you choose to use the Visual editor, select the backup options appropriate for your scenario. A backup plan consists of three parts. For more information about these backup plan elements, see Creating a backup plan and Assigning resources in the Amazon Backup Developer Guide.

    1. Backup plan general details

      • The Backup plan name can consist of only alphanumeric, hyphen, and underline characters.

      • You must select at least one Backup plan region from the list. The plan can back up resources in only the selected Amazon Web Services Regions.

    2. One or more backup rules that specify how and when Amazon Backup is to operate. Each backup rule defines the following items:

      • A schedule that includes the frequency of the backup and the time window in which the backup can occur.

      • The name of the backup vault to use. The Backup vault name can consist of only alphanumeric, hyphen, and underline characters. The backup vault must exist before the plan can successfully run. Create the vault using the Amazon Backup console or Amazon CLI commands.

      • (Optional) One or more Copy to region rules to also copy the backup to vaults in other Amazon Web Services Regions.

      • One or more tag key and value pairs to attach to the backup recovery points created each time this backup plan runs.

      • Lifecycle options that specify when the backup transitions to cold storage, and when the backup expires.

      Choose Add rule to add each rule you need to the plan.

      For more information about backup rules, see Backup Rules in the Amazon Backup Developer Guide.

    3. A resource assignment that specifies which resources Amazon Backup should back up with this plan. The assignment is made by specifying tag pairs that Amazon Backup uses to find and match resources.

      • The Resource assignment name can consist of only alphanumeric, hyphen, and underline characters.

      • Specify the IAM role for Amazon Backup to use to perform the backup by its name.

        In the console, you don't specify the entire Amazon Resource Name (ARN). You must include both the role name and its prefix that specifies the type of role. The prefixes are typically role or service-role, and they are separated from the role name by a forward slash ('/'). For example, you might enter role/MyRoleName or service-role/MyManagedRoleName. This is converted to a full ARN for you when stored in the underlying JSON.

        Important

        The specified IAM role must already exist in the account the policy is applied to. If it does not, the backup plan might successfully start backup jobs, but those backup jobs will fail.

      • Specify one or more Resource tag key and Tag values pairs to identify resources that you want backed up. If there is more than one tag value, separate the values with commas.

      Choose Add assignment to add each configured resource assignment to the backup plan.

      For more information, see Assign Resources to a Backup Plan in the Amazon Backup Developer Guide.

  6. When you're finished creating your policy, choose Create policy. The policy appears in your list of available backup policies.

Amazon CLI & Amazon SDKs
To create a backup policy

You can use one of the following to create a backup policy:

  • Amazon CLI: create-policy

    Create a backup plan as JSON text similar to the following, and store it in a text file. For complete rules for the syntax, see Backup policy syntax and examples.

    {
      "plans": {
        "PII_Backup_Plan": {
          "regions": {
            "@@assign": [
              "ap-northeast-2",
              "us-east-1",
              "eu-north-1"
            ]
          },
          "rules": {
            "Hourly": {
              "schedule_expression": { "@@assign": "cron(0 5/1 ? * * *)" },
              "start_backup_window_minutes": { "@@assign": "480" },
              "complete_backup_window_minutes": { "@@assign": "10080" },
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "180" },
                "delete_after_days": { "@@assign": "270" }
              },
              "target_backup_vault_name": { "@@assign": "FortKnox" },
              "copy_actions": {
                "arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault": {
                  "lifecycle": {
                    "move_to_cold_storage_after_days": { "@@assign": "10" },
                    "delete_after_days": { "@@assign": "100" }
                  }
                }
              }
            }
          },
          "selections": {
            "tags": {
              "datatype": {
                "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
                "tag_key": { "@@assign": "dataType" },
                "tag_value": { "@@assign": [ "PII" ] }
              }
            }
          }
        }
      }
    }

    This backup plan specifies that Amazon Backup should back up all resources in the affected Amazon Web Services accounts that are in the specified Amazon Web Services Regions and that have the tag dataType with a value of PII.

    Next, import the JSON policy file to create a new backup policy in the organization. Note the policy ID at the end of the policy ARN in the output.

    $ aws organizations create-policy \
        --name "MyBackupPolicy" \
        --type BACKUP_POLICY \
        --description "My backup policy" \
        --content file://policy.json
    {
      "Policy": {
        "PolicySummary": {
          "Arn": "arn:aws:organizations::o-aa111bb222:policy/backup_policy/p-i9j8k7l6m5",
          "Description": "My backup policy",
          "Name": "MyBackupPolicy",
          "Type": "BACKUP_POLICY"
        },
        "Content": "...a condensed version of the JSON policy document you provided in the file..."
      }
    }
  • Amazon SDKs: CreatePolicy
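As an added example (not from this page or from the Amazon documentation), a small validator that applies the rules stated in the console procedure above to a policy document before it is handed to create-policy: plan, vault and assignment names limited to alphanumeric, hyphen and underscore characters, at least one region, and a role ARN in every selection. The lifecycle check (deletion at least 90 days after the cold-storage transition) is an Amazon Backup constraint assumed here rather than stated on this page; the sample input is the page's own create-policy plan with the window settings left out.

```python
import json
import re
# Sample input: the create-policy plan from this page (window settings omitted for brevity).
PAGE_POLICY = json.loads('''{"plans": {"PII_Backup_Plan": {
  "regions": {"@@assign": ["ap-northeast-2", "us-east-1", "eu-north-1"]},
  "rules": {"Hourly": {
    "schedule_expression": {"@@assign": "cron(0 5/1 ? * * *)"},
    "lifecycle": {"move_to_cold_storage_after_days": {"@@assign": "180"},
                  "delete_after_days": {"@@assign": "270"}},
    "target_backup_vault_name": {"@@assign": "FortKnox"},
    "copy_actions": {"arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault": {
      "lifecycle": {"move_to_cold_storage_after_days": {"@@assign": "10"},
                    "delete_after_days": {"@@assign": "100"}}}}}},
  "selections": {"tags": {"datatype": {
    "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
    "tag_key": {"@@assign": "dataType"}, "tag_value": {"@@assign": ["PII"]}}}}}}}''')

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # plan, vault and assignment names (page rule)
ROLE_RE = re.compile(r"^arn:aws(-cn)?:iam::(\$account|\d{12}):role/.+$")  # $account is substituted per account

def assigned(node):
    """Value set with the @@assign operator, or None if absent or another operator is used."""
    return node.get("@@assign") if isinstance(node, dict) else None

def check_lifecycle(where, lifecycle, findings):
    cold = assigned(lifecycle.get("move_to_cold_storage_after_days"))
    delete = assigned(lifecycle.get("delete_after_days"))
    # Assumed Amazon Backup constraint (not stated on this page): delete >= cold + 90 days.
    if cold is not None and delete is not None and int(delete) < int(cold) + 90:
        findings.append(f"{where}: delete_after_days must be >= move_to_cold_storage_after_days + 90")

def validate_backup_policy(policy):
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    for plan_name, plan in policy.get("plans", {}).items():
        if not NAME_RE.match(plan_name):
            findings.append(f"plan {plan_name!r}: name must be alphanumeric, '-' or '_'")
        if not assigned(plan.get("regions")):
            findings.append(f"plan {plan_name!r}: at least one region is required")
        for rule_name, rule in plan.get("rules", {}).items():
            vault = assigned(rule.get("target_backup_vault_name"))
            if vault is None or not NAME_RE.match(vault):
                findings.append(f"rule {rule_name!r}: invalid target_backup_vault_name {vault!r}")
            check_lifecycle(f"rule {rule_name!r}", rule.get("lifecycle", {}), findings)
            for arn, action in rule.get("copy_actions", {}).items():
                check_lifecycle(f"copy to {arn}", action.get("lifecycle", {}), findings)
        for sel_name, sel in plan.get("selections", {}).get("tags", {}).items():
            role = assigned(sel.get("iam_role_arn"))
            if not NAME_RE.match(sel_name) or role is None or not ROLE_RE.match(role):
                findings.append(f"selection {sel_name!r}: invalid name or iam_role_arn {role!r}")
    return findings
```

Run it over policy.json before calling create-policy; a non-empty result is the list of things the console's visual editor would have stopped you from entering.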

What to do next

After you create a backup policy, you can put your policy into effect. To do that, you can attach the policy to the organization root, organizational units (OUs), Amazon Web Services accounts within your organization, or a combination of all of those.

Updating a backup policy

When you sign in to your organization's management account, you can edit a policy that requires changes in your organization.

Minimum permissions

To update a backup policy, you must have permission to run the following actions:

  • organizations:UpdatePolicy with a Resource element in the same policy statement that includes the ARN of the policy to update (or "*")

  • organizations:DescribePolicy with a Resource element in the same policy statement that includes the ARN of the policy to update (or "*")

Amazon Web Services Management Console
To update a backup policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Backup policies page, choose the name of the policy that you want to update.

  3. Choose Edit policy.

  4. You can enter a new Policy name or Policy description. You can change the policy content by using either the Visual editor or by directly editing the JSON.

  5. When you're finished updating the policy, choose Save changes.

Amazon CLI & Amazon SDKs
To update a backup policy

You can use one of the following to update a backup policy:

  • Amazon CLI: update-policy

    The following example renames a backup policy.

    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --name "Renamed policy"
    {
      "Policy": {
        "PolicySummary": {
          "Id": "p-i9j8k7l6m5",
          "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
          "Name": "Renamed policy",
          "Type": "BACKUP_POLICY",
          "AwsManaged": false
        },
        "Content": "{\"plans\":{\"TestBackupPlan\":{\"regions\":{\"@@assign\": ....TRUNCATED FOR BREVITY.... \"@@assign\":[\"Yes\"]}}}}}}}"
      }
    }

    The following example adds or changes the description for a backup policy.

    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --description "My new description"
    {
      "Policy": {
        "PolicySummary": {
          "Id": "p-i9j8k7l6m5",
          "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
          "Name": "Renamed policy",
          "Description": "My new description",
          "Type": "BACKUP_POLICY",
          "AwsManaged": false
        },
        "Content": "{\"plans\":{\"TestBackupPlan\":{\"regions\":{\"@@assign\": ....TRUNCATED FOR BREVITY.... \"@@assign\":[\"Yes\"]}}}}}}}"
      }
    }

    The following example changes the JSON policy document attached to a backup policy. In this example, the content is taken from a file called policy.json with the following text:

    {
      "plans": {
        "PII_Backup_Plan": {
          "regions": {
            "@@assign": [
              "ap-northeast-2",
              "us-east-1",
              "eu-north-1"
            ]
          },
          "rules": {
            "Hourly": {
              "schedule_expression": { "@@assign": "cron(0 5/1 ? * * *)" },
              "start_backup_window_minutes": { "@@assign": "480" },
              "complete_backup_window_minutes": { "@@assign": "10080" },
              "lifecycle": {
                "move_to_cold_storage_after_days": { "@@assign": "180" },
                "delete_after_days": { "@@assign": "270" },
                "opt_in_to_archive_for_supported_resources": { "@@assign": false }
              },
              "target_backup_vault_name": { "@@assign": "FortKnox" },
              "copy_actions": {
                "arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault": {
                  "lifecycle": {
                    "move_to_cold_storage_after_days": { "@@assign": "10" },
                    "delete_after_days": { "@@assign": "100" },
                    "opt_in_to_archive_for_supported_resources": { "@@assign": false }
                  }
                }
              }
            }
          },
          "selections": {
            "tags": {
              "datatype": {
                "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
                "tag_key": { "@@assign": "dataType" },
                "tag_value": { "@@assign": [ "PII" ] }
              }
            }
          }
        }
      }
    }
    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --content file://policy.json
    {
      "Policy": {
        "PolicySummary": {
          "Id": "p-i9j8k7l6m5",
          "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
          "Name": "Renamed policy",
          "Description": "My new description",
          "Type": "BACKUP_POLICY",
          "AwsManaged": false
        },
        "Content": "{\"plans\":{\"TestBackupPlan\":{\"regions\":{\"@@assign\": ....TRUNCATED FOR BREVITY.... \"@@assign\":[\"Yes\"]}}}}}}}"
      }
    }
  • Amazon SDKs: UpdatePolicy

Editing tags attached to a backup policy

When you sign in to your organization's management account, you can add or remove the tags attached to a backup policy. For more information about tagging, see Tagging Amazon Organizations resources.

Minimum permissions

To edit the tags attached to a backup policy in your Amazon organization, you must have the following permissions:

  • organizations:DescribeOrganization (console only – to navigate to the policy)

  • organizations:DescribePolicy (console only – to navigate to the policy)

  • organizations:TagResource

  • organizations:UntagResource

Amazon Web Services Management Console
To edit the tags attached to a backup policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Backup policies page.

  3. Choose the name of the policy with the tags that you want to edit.

    The policy detail page appears.

  4. On the Tags tab, choose Manage tags.

  5. You can perform any of these actions on this page:

    • Edit the value for any tag by entering a new value over the old one. You can't modify the key. To change a key, you must delete the tag with the old key and add a tag with the new key.

    • Remove an existing tag by choosing Remove.

    • Add a new tag key and value pair. Choose Add tag, then enter the new key name and optional value in the provided boxes. If you leave the Value box empty, the value is an empty string; it isn't null.

  6. Choose Save changes after you've made all the additions, removals, and edits you want to make.

Amazon CLI & Amazon SDKs
To edit the tags attached to a backup policy

You can use one of the following commands to edit the tags attached to a backup policy:

  • Amazon CLI: tag-resource and untag-resource

  • Amazon SDKs: TagResource and UntagResource

Deleting a backup policy

When you sign in to your organization's management account, you can delete a policy that you no longer need in your organization.

Before you can delete a policy, you must first detach it from all attached entities.

Minimum permissions

To delete a policy, you must have permission to run the following action:

  • organizations:DeletePolicy with a Resource element in the same policy statement that includes the ARN of the policy to delete (or "*")

Amazon Web Services Management Console
To delete a backup policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Backup policies page, choose the name of the backup policy that you want to delete.

  3. You must first detach the backup policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.

  4. Choose Delete at the top of the page.

  5. On the confirmation dialog box, enter the name of the policy, and then choose Delete.

Amazon CLI & Amazon SDKs
To delete a backup policy

The following code examples show how to use DeletePolicy.

.NET
Amazon SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;

/// <summary>
/// Deletes an existing AWS Organizations policy.
/// </summary>
public class DeletePolicy
{
    /// <summary>
    /// Initializes the Organizations client object and then uses it to
    /// delete the policy with the specified policyId.
    /// </summary>
    public static async Task Main()
    {
        // Create the client object using the default account.
        IAmazonOrganizations client = new AmazonOrganizationsClient();
        var policyId = "p-00000000";

        var request = new DeletePolicyRequest
        {
            PolicyId = policyId,
        };

        var response = await client.DeletePolicyAsync(request);

        if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
        {
            Console.WriteLine($"Successfully deleted Policy: {policyId}.");
        }
        else
        {
            Console.WriteLine($"Could not delete Policy: {policyId}.");
        }
    }
}
  • For API details, see DeletePolicy in Amazon SDK for .NET API Reference.

CLI
Amazon CLI

To delete a policy

The following example shows how to delete a policy from an organization. The example assumes that you previously detached the policy from all entities:

aws organizations delete-policy --policy-id p-examplepolicyid111
  • For API details, see DeletePolicy in Amazon CLI Command Reference.

Python
SDK for Python (Boto3)
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


def delete_policy(policy_id, orgs_client):
    """
    Deletes a policy.

    :param policy_id: The ID of the policy to delete.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.delete_policy(PolicyId=policy_id)
        logger.info("Deleted policy %s.", policy_id)
    except ClientError:
        logger.exception("Couldn't delete policy %s.", policy_id)
        raise
  • For API details, see DeletePolicy in Amazon SDK for Python (Boto3) API Reference.
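The detach-then-delete sequence from the console procedure above, as an added example that is not part of this page or of the Amazon code examples repository. It drives the boto3 Organizations calls list_targets_for_policy, detach_policy and delete_policy; FakeOrganizationsClient and the target IDs are constructed so the block runs offline, and a real boto3.client("organizations") can be passed in its place.

```python
import logging

logger = logging.getLogger(__name__)

def detach_and_delete_policy(orgs_client, policy_id):
    """Detach policy_id from every root, OU and account it targets, then delete it.
    Returns the list of target IDs that were detached."""
    targets, token = [], None
    while True:  # list_targets_for_policy is paginated; follow NextToken until it is absent
        kwargs = {"PolicyId": policy_id}
        if token:
            kwargs["NextToken"] = token
        page = orgs_client.list_targets_for_policy(**kwargs)
        targets.extend(page["Targets"])
        token = page.get("NextToken")
        if not token:
            break
    for target in targets:  # the page's step 3: a policy cannot be deleted while attached
        orgs_client.detach_policy(PolicyId=policy_id, TargetId=target["TargetId"])
        logger.info("Detached %s from %s", policy_id, target["TargetId"])
    orgs_client.delete_policy(PolicyId=policy_id)
    logger.info("Deleted policy %s", policy_id)
    return [t["TargetId"] for t in targets]


class FakeOrganizationsClient:
    """Constructed offline stand-in that mimics the three calls used above (page size 2)."""
    def __init__(self, policy_id, attachments):
        self.attached = {policy_id: list(attachments)}
        self.deleted = []
    def list_targets_for_policy(self, PolicyId, NextToken=None):
        items = [{"TargetId": t, "Type": "ORGANIZATIONAL_UNIT"} for t in self.attached[PolicyId]]
        start = int(NextToken or 0)
        page, nxt = items[start:start + 2], start + 2
        return {"Targets": page, **({"NextToken": str(nxt)} if nxt < len(items) else {})}
    def detach_policy(self, PolicyId, TargetId):
        self.attached[PolicyId].remove(TargetId)
    def delete_policy(self, PolicyId):
        if self.attached[PolicyId]:  # the real API rejects deletion while anything is attached
            raise RuntimeError("policy is still attached to a target")
        self.deleted.append(PolicyId)

if __name__ == "__main__":
    # Constructed IDs; the policy ID is the one used in the CLI example on this page.
    fake = FakeOrganizationsClient("p-examplepolicyid111",
                                   ["r-examplerootid111", "ou-examplerootid111-exampleouid111", "111122223333"])
    print(detach_and_delete_policy(fake, "p-examplepolicyid111"))
```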