Backup policy syntax and examples
This page describes backup policy syntax and provides examples.
Syntax for backup policies
A backup policy is a plaintext file that is structured according to the rules of
JSON
For more information about Amazon Backup plans, see CreateBackupPlan in the Amazon Backup Developer Guide.
Considerations
Policy syntax
Duplicate key names will be rejected in JSON.
Policies must specify the Amazon Web Services Regions and resources to be backed up.
Policies must specify the IAM role that Amazon Backup assumes.
Using @@assign operator at the same level can overwrite existing
settings. For more information, see A child
policy overrides settings in a parent policy.
Inheritance operators control how inherited policies and account policies merge into the account's effective policy. These operators include value-setting operators and child control operators.
For more information, see Inheritance operators and Backup policy examples.
IAM roles
The IAM role must exist when creating a backup plan for the first time.
The IAM role must have permission to access resources identified by tag query.
The IAM role must have permission to perform the backup.
Backup vaults
Vaults must exist in each specified Amazon Web Services Regions before a backup plan can run.
Vaults must exist for each Amazon account that receives the effective policy. For more information, see Backup vault creation and deletion in the Amazon Backup Developer Guide.
We recommend that you use Amazon CloudFormation stack sets and its integration with Organizations to automatically create and configure backup vaults and IAM roles for each member account in the organization. For more information, see Create a stack set with self-managed permissions in the Amazon CloudFormation User Guide.
Quotas
For a list of quotas see, Amazon Backup quotas in the Amazon Backup Developer Guide.
Backup syntax: Overview
Backup policy syntax includes the following components:
{ "plans": { "PlanName": { "rules": { ... }, "regions": { ... }, "selections": { ... }, "advanced_backup_settings": { ... }, "backup_plan_tags": { ... } } } }
| Element | Description | Required |
|---|---|---|
| rules | List of backup rules. Each rule defines when backups start and the
execution window for the resources specified in the regions
and selections elements. |
Yes |
| regions | List of Amazon Web Services Regions where a backup policy can protect resources. | Yes |
| selections | One or more resource types within the specified regions
that the backup rules protect. |
Yes |
| advanced_backup_settings | Configuration options for specific backup scenarios. Currently, the only advanced backup setting that is supported is enabling Microsoft Volume Shadow Copy Service (VSS) backups for Windows or SQL Server running on an Amazon EC2 instance. |
No |
| backup_plan_tags | Tags you want to associate with a backup plan. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter your backup plans. |
No |
Backup syntax: rules
The rules policy key specifies the scheduled backup tasks that Amazon Backup
performs on the selected resources.
| Element | Description | Required |
|---|---|---|
schedule_expression |
Cron expression in UTC that specifies when Amazon Backup initiates a backup job. For information about cron expression, see Using cron and rate expressions to schedule rules in the Amazon EventBridge User Guide. |
Yes |
target_backup_vault_name |
Backup vault where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created. |
Yes |
start_backup_window_minutes |
Number of minutes to wait before canceling a backup job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. |
No |
complete_backup_window_minutes |
Nnumber of minutes after a backup job is successfully started before it must be completed or it will be canceled by Amazon Backup. | No |
enable_continuous_backup |
Specifies whether Amazon Backup creates continuous backups.
For more information about continuous backups, see Point-in-time recovery in the Amazon Backup Developer Guide. Note: PITR-enabled backups have 35-day maximum retention. |
No |
lifecycle |
Specifies when Amazon Backup transitions a backup to cold storage and when it expires. Resource types that can transition to cold storage are listed in the Feature availability by resource table Feature availability by resources in the Amazon Backup Developer Guide. Each lifecycle contains the following elements:
Note: Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This means that the |
No |
copy_actions |
Specifies whether Amazon Backup copies a backup to one or more additional locations. Each copy action contains the following elements:
Note: Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This means that the |
No |
recovery_point_tags |
Tags that you want to assigned to resources that are restored from backup. Each tag contains the following elements:
|
No |
index_actions |
Specifies whether Amazon Backup creates a backup index of your Amazon EBS snapshots and/or Amazon S3 backups. Backup indexes are created in order to search the metadata of your backups. For more information about backup index creation and backup search, see Backup search. Note: Additional IAM role permissions are required for Amazon EBS snapshot backup index creation. Each index action contains the following element:
|
No |
Backup syntax: regions
The regions policy key specifies which Amazon Web Services Regions that Amazon Backup looks in
to find the resources that match the conditions in the selections
key.
| Element | Description | Required |
|---|---|---|
regions |
Specifies the Amazon Web Services Region codes. For example:
|
Yes |
Backup syntax: selections
The selections policy key specifies the resources that are backed up by
the rules in a backup policy.
There are two mutually exclusive elements: tags and
resources. An effective policy must
have either tags or resources in the selection to be
valid.
If you want a selection with both tag conditions and resource conditions, use the
resources keys.
| Element | Description | Required |
|---|---|---|
iam_role_arn |
IAM role that Amazon Backup assumes to query, discover, and backup
resources across the specified Regions. The role must have sufficient permissions to query resources based on tag conditions and perform backup operations on the matched resources. |
Yes |
tag_key |
Tag key name to search for. | Yes |
tag_value |
Value that must be associated with the matching tag_key. Amazon Backup includes the resource only if both tag_key and tag_value match (case sensitive). |
Yes |
conditions |
Tag keys and values you want to include or exclude Use string_equals or string_not_equals to include or exclude tags of an exact match. Use string_like and string_not_like to include or exclude tags that contains or do not contain specific characters Note: Limited to 30 conditions for each selection. |
No |
| Element | Description | Required |
|---|---|---|
iam_role_arn |
IAM role that Amazon Backup assumes to query, discover, and backup
resources across the specified Regions. The role must have sufficient permissions to query resources based on tag conditions and perform backup operations on the matched resources. Note: In Amazon GovCloud (US) Regions, you must add the name of the partition to the ARN. For example, " |
Yes |
resource_types |
Resource types to include in a backup plan. | Yes |
not_resource_types |
Resource types to exclude from a backup plan. | No |
conditions |
Tag keys and values you want to include or exclude Use string_equals or string_not_equals to include or exclude tags of an exact match. Use string_like and string_not_like to include or exclude tags that contains or do not contain specific characters Note: Limited to 30 conditions for each selection. |
No |
Supported resource types
Organizations supports the following resource types for the resource_types and
not_resource_types elements:
-
Amazon Backup gateway virtual machines:
"arn:aws:backup-gateway:*:*:vm/*" -
Amazon CloudFormation stacks:
"arn:aws:cloudformation:*:*:stack/*" -
Amazon DynamoDB tables:
"arn:aws:dynamodb:*:*:table/*" -
Amazon EC2 instances:
"arn:aws:ec2:*:*:instance/*" -
Amazon EBS volumes:
"arn:aws:ec2:*:*:volume/*" -
Amazon EFS file systems:
"arn:aws:elasticfilesystem:*:*:file-system/*" -
Amazon Aurora/Amazon DocumentDB/Amazon Neptune clusters:
"arn:aws:rds:*:*:cluster:*" -
Amazon RDS databases:
"arn:aws:rds:*:*:db:*" -
Amazon Redshift clusters:
"arn:aws:redshift:*:*:cluster:*" -
Amazon S3:
"arn:aws:s3:::*" -
Amazon Systems Manager for SAP HANA databases:
"arn:aws:ssm-sap:*:*:HANA/*" -
Amazon Storage Gateway gateways:
"arn:aws:storagegateway:*:*:gateway/*" -
Amazon Timestream databases:
"arn:aws:timestream:*:*:database/*" -
Amazon FSx file systems:
"arn:aws:fsx:*:*:file-system/*" -
Amazon FSx volumes:
"arn:aws:fsx:*:*:volume/*"
Code examples
For more information, see Specifying resources with the tags block and Specifying resources with the resources block.
Backup syntax: advanced backup settings
The advanced_backup_settings key specifies the configuration options for
specific backup scenarios. Each setting contains the following elements:
| Element | Description | Required |
|---|---|---|
advanced_backup_settings |
Specifies settings for specific backup scenarios. This key contains
one or more settings. Each setting is a JSON object string with the
following elements: Currently the only advanced backup setting that is supported is enabling Microsoft Volume Shadow Copy Service (VSS) backups for Windows or SQL Server running on an Amazon EC2 instance. Each advanced backup setting the following elements:
|
No |
Example:
"advanced_backup_settings": { "ec2": { "windows_vss": { "@@assign": "enabled" } } },
Backup syntax: backup plan tags
The backup_plan_tags policy key specifies the tags that are attached to a
backup plan itself. This does not impact the tags specified for rules or
selections.
| Element | Description | Required |
|---|---|---|
backup_plan_tags |
Each tag is a label consisting of a user-defined key and value:
|
No |
Backup policy examples
The example backup policies that follow are for information purposes only. In some of the following examples, the JSON whitespace formatting might be compressed to save space.
Example 1: Policy assigned to a parent node
The following example shows a backup policy that is assigned to one of the parent nodes of an account.
Parent policy – This policy can be attached to the organization's root, or to any OU that is a parent of all of the intended accounts.
{ "plans": { "PII_Backup_Plan": { "regions": { "@@assign": [ "ap-northeast-2", "us-east-1", "eu-north-1" ] }, "rules": { "Hourly": { "schedule_expression": { "@@assign": "cron(0 5/1 ? * * *)" }, "start_backup_window_minutes": { "@@assign": "480" }, "complete_backup_window_minutes": { "@@assign": "10080" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "180" }, "delete_after_days": { "@@assign": "270" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } }, "target_backup_vault_name": { "@@assign": "FortKnox" }, "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": { "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "30" }, "delete_after_days": { "@@assign": "120" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } }, "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault": { "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "30" }, "delete_after_days": { "@@assign": "120" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" }, "tag_key": { "@@assign": "dataType" }, "tag_value": { "@@assign": [ "PII", "RED" ] } } } }, "advanced_backup_settings": { "ec2": { "windows_vss": { "@@assign": "enabled" } } } } } }
If no other policies are inherited or attached to the accounts, the effective policy rendered in each applicable Amazon Web Services account looks like the following example. The CRON expression causes the backup to run once an hour on the hour. The account ID 123456789012 will be the actual account ID for each account.
{ "plans": { "PII_Backup_Plan": { "regions": [ "us-east-1", "ap-northeast-3", "eu-north-1" ], "rules": { "hourly": { "schedule_expression": "cron(0 0/1 ? * * *)", "start_backup_window_minutes": "60", "target_backup_vault_name": "FortKnox", "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "delete_after_days": "2", "move_to_cold_storage_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": { "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" }, "lifecycle": { "delete_after_days": "28", "move_to_cold_storage_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" } }, "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault": { "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-west-1:111111111111:backup-vault:tertiary_vault" }, "lifecycle": { "delete_after_days": "28", "move_to_cold_storage_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": "arn:aws:iam::123456789012:role/MyIamRole", "tag_key": "dataType", "tag_value": [ "PII", "RED" ] } } }, "advanced_backup_settings": { "ec2": { "windows_vss": "enabled" } } } } }
Example 2: A parent policy is merged with a child policy
In the following example, an inherited parent policy and a child policy either inherited or directly attached to an Amazon Web Services account merge to form the effective policy.
Parent policy – This policy can be attached to the organization's root or to any parent OU.
{ "plans": { "PII_Backup_Plan": { "regions": { "@@append":[ "us-east-1", "ap-northeast-3", "eu-north-1" ] }, "rules": { "Hourly": { "schedule_expression": { "@@assign": "cron(0 0/1 ? * * *)" }, "start_backup_window_minutes": { "@@assign": "60" }, "target_backup_vault_name": { "@@assign": "FortKnox" }, "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "28" }, "delete_after_days": { "@@assign": "180" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" : { "target_backup_vault_arn" : { "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "28" }, "delete_after_days": { "@@assign": "180" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" }, "tag_key": { "@@assign": "dataType" }, "tag_value": { "@@assign": [ "PII", "RED" ] } } } } } } }
Child policy – This policy can be attached directly to the account or to an OU any level below the one the parent policy is attached to.
{ "plans": { "Monthly_Backup_Plan": { "regions": { "@@append":[ "us-east-1", "eu-central-1" ] }, "rules": { "Monthly": { "schedule_expression": { "@@assign": "cron(0 5 1 * ? *)" }, "start_backup_window_minutes": { "@@assign": "480" }, "target_backup_vault_name": { "@@assign": "Default" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "30" }, "delete_after_days": { "@@assign": "365" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:Default" : { "target_backup_vault_arn" : { "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:Default" }, "lifecycle": { "move_to_cold_storage_after_days": { "@@assign": "30" }, "delete_after_days": { "@@assign": "365" }, "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } } } } }, "selections": { "tags": { "MonthlyDatatype": { "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyMonthlyBackupIamRole" }, "tag_key": { "@@assign": "BackupType" }, "tag_value": { "@@assign": [ "MONTHLY", "RED" ] } } } } } } }
Resulting effective policy – The effective policy applied to the accounts contains two plans, each with its own set of rules and set of resources to apply the rules to.
{ "plans": { "PII_Backup_Plan": { "regions": [ "us-east-1", "ap-northeast-3", "eu-north-1" ], "rules": { "hourly": { "schedule_expression": "cron(0 0/1 ? * * *)", "start_backup_window_minutes": "60", "target_backup_vault_name": "FortKnox", "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "delete_after_days": "2", "move_to_cold_storage_after_days": "180", "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" : { "target_backup_vault_arn" : { "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault" }, "lifecycle": { "move_to_cold_storage_after_days": "28", "delete_after_days": "180", "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": "arn:aws:iam::$account:role/MyIamRole", "tag_key": "dataType", "tag_value": [ "PII", "RED" ] } } } }, "Monthly_Backup_Plan": { "regions": [ "us-east-1", "eu-central-1" ], "rules": { "monthly": { "schedule_expression": "cron(0 5 1 * ? *)", "start_backup_window_minutes": "480", "target_backup_vault_name": "Default", "lifecycle": { "delete_after_days": "365", "move_to_cold_storage_after_days": "30", "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:Default" : { "target_backup_vault_arn": { "@@assign" : "arn:aws:backup:us-east-1:$account:backup-vault:Default" }, "lifecycle": { "move_to_cold_storage_after_days": "30", "delete_after_days": "365", "opt_in_to_archive_for_supported_resources": { "@@assign": "false" } } } } } }, "selections": { "tags": { "monthlydatatype": { "iam_role_arn": "arn:aws:iam::&ExampleAWSAccountNo3;:role/MyMonthlyBackupIamRole", "tag_key": "BackupType", "tag_value": [ "MONTHLY", "RED" ] } } } } } }
Example 3: A parent policy prevents any changes by a child policy
In the following example, an inherited parent policy uses the child control operators to enforce all settings and prevents them from being changed or overridden by a child policy.
Parent policy – This policy can be
attached to the organization's root or to any parent OU. The presence of
"@@operators_allowed_for_child_policies": ["@@none"] at every node
of the policy means that a child policy can't make changes of any kind to the plan.
Nor can a child policy add additional plans to the effective policy. This policy
becomes the effective policy for every OU and account under the OU to which it is
attached.
{ "plans": { "@@operators_allowed_for_child_policies": ["@@none"], "PII_Backup_Plan": { "@@operators_allowed_for_child_policies": ["@@none"], "regions": { "@@operators_allowed_for_child_policies": ["@@none"], "@@append": [ "us-east-1", "ap-northeast-3", "eu-north-1" ] }, "rules": { "@@operators_allowed_for_child_policies": ["@@none"], "Hourly": { "@@operators_allowed_for_child_policies": ["@@none"], "schedule_expression": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "cron(0 0/1 ? * * *)" }, "start_backup_window_minutes": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "60" }, "target_backup_vault_name": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "FortKnox" }, "index_actions": { "@@operators_allowed_for_child_policies": ["@@none"], "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "@@operators_allowed_for_child_policies": ["@@none"], "move_to_cold_storage_after_days": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "28" }, "delete_after_days": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "180" }, "opt_in_to_archive_for_supported_resources": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "false" } }, "copy_actions": { "@@operators_allowed_for_child_policies": ["@@none"], "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": { "@@operators_allowed_for_child_policies": ["@@none"], "target_backup_vault_arn": { "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault", "@@operators_allowed_for_child_policies": ["@@none"] }, "lifecycle": { "@@operators_allowed_for_child_policies": ["@@none"], "delete_after_days": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "28" }, "move_to_cold_storage_after_days": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "180" }, "opt_in_to_archive_for_supported_resources": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "false" } } } } } }, "selections": { "@@operators_allowed_for_child_policies": ["@@none"], "tags": { "@@operators_allowed_for_child_policies": ["@@none"], "datatype": { "@@operators_allowed_for_child_policies": ["@@none"], "iam_role_arn": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "arn:aws:iam::$account:role/MyIamRole" }, "tag_key": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "dataType" }, "tag_value": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": [ "PII", "RED" ] } } } }, "advanced_backup_settings": { "@@operators_allowed_for_child_policies": ["@@none"], "ec2": { "@@operators_allowed_for_child_policies": ["@@none"], "windows_vss": { "@@assign": "enabled", "@@operators_allowed_for_child_policies": ["@@none"] } } } } } }
Resulting effective policy – If any child backup policies exist, they are ignored and the parent policy becomes the effective policy.
{ "plans": { "PII_Backup_Plan": { "regions": [ "us-east-1", "ap-northeast-3", "eu-north-1" ], "rules": { "hourly": { "schedule_expression": "cron(0 0/1 ? * * *)", "start_backup_window_minutes": "60", "target_backup_vault_name": "FortKnox", "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "delete_after_days": "2", "move_to_cold_storage_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" }, "copy_actions": { "target_backup_vault_arn": "arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault", "lifecycle": { "move_to_cold_storage_after_days": "28", "delete_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": "arn:aws:iam::123456789012:role/MyIamRole", "tag_key": "dataType", "tag_value": [ "PII", "RED" ] } } }, "advanced_backup_settings": { "ec2": {"windows_vss": "enabled"} } } } }
Example 4: A parent policy prevents changes to one backup plan by a child policy
In the following example, an inherited parent policy uses the child control operators to enforce the settings for a single plan and prevents them from being changed or overridden by a child policy. The child policy can still add additional plans.
Parent policy – This policy can be
attached to the organization's root or to any parent OU. This example is similar to
the previous example with all child inheritance operators blocked, except at the
plans top level. The @@append setting at that level
enables child policies to add other plans to the collection in the effective policy.
Any changes to the inherited plan are still blocked.
The sections in the plan are truncated for clarity.
{ "plans": { "@@operators_allowed_for_child_policies": ["@@append"], "PII_Backup_Plan": { "@@operators_allowed_for_child_policies": ["@@none"], "regions": { ... }, "rules": { ... }, "selections": { ... } } } }
Child policy – This policy can be attached directly to the account or to an OU any level below the one the parent policy is attached to. This child policy defines a new plan.
The sections in the plan are truncated for clarity.
{ "plans": { "MonthlyBackupPlan": { "regions": { ... }, "rules": { ... }, "selections": { … } } } }
Resulting effective policy – The effective policy includes both plans.
{ "plans": { "PII_Backup_Plan": { "regions": { ... }, "rules": { ... }, "selections": { ... } }, "MonthlyBackupPlan": { "regions": { ... }, "rules": { ... }, "selections": { … } } } }
Example 5: A child policy overrides settings in a parent policy
In the following example, a child policy uses value-setting operators to override some of the settings inherited from a parent policy.
Parent policy – This policy can be
attached to the organization's root or to any parent OU. Any of the settings can be
overridden by a child policy because the default behavior, in the absence of a child-control operator that prevents
it, is to allow the child policy to @@assign, @@append, or
@@remove. The parent policy contains all of the required elements
for a valid backup plan, so it backs up your resources successfully if it is
inherited as is.
{ "plans": { "PII_Backup_Plan": { "regions": { "@@append": [ "us-east-1", "ap-northeast-3", "eu-north-1" ] }, "rules": { "Hourly": { "schedule_expression": {"@@assign": "cron(0 0/1 ? * * *)"}, "start_backup_window_minutes": {"@@assign": "60"}, "target_backup_vault_name": {"@@assign": "FortKnox"}, "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "delete_after_days": {"@@assign": "2"}, "move_to_cold_storage_after_days": {"@@assign": "180"}, "opt_in_to_archive_for_supported_resources": {"@@assign": false} }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:t2": { "target_backup_vault_arn": {"@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:t2"}, "lifecycle": { "move_to_cold_storage_after_days": {"@@assign": "28"}, "delete_after_days": {"@@assign": "180"}, "opt_in_to_archive_for_supported_resources": {"@@assign": false} } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"}, "tag_key": {"@@assign": "dataType"}, "tag_value": { "@@assign": [ "PII", "RED" ] } } } } } } }
Child policy – The child policy includes only the settings that need to be different from the inherited parent policy. There must be an inherited parent policy that provides the other required settings when merged into an effective policy. Otherwise, the effective backup policy contains a backup plan that is not valid and doesn't back up your resources as expected.
{ "plans": { "PII_Backup_Plan": { "regions": { "@@assign": [ "us-west-2", "eu-central-1" ] }, "rules": { "Hourly": { "schedule_expression": {"@@assign": "cron(0 0/2 ? * * *)"}, "start_backup_window_minutes": {"@@assign": "80"}, "target_backup_vault_name": {"@@assign": "Default"}, "lifecycle": { "move_to_cold_storage_after_days": {"@@assign": "30"}, "delete_after_days": {"@@assign": "365"}, "opt_in_to_archive_for_supported_resources": {"@@assign": false} } } } } } }
Resulting effective policy – The effective policy includes settings from both policies, with the settings provided by the child policy overriding the settings inherited from the parent. In this example, the following changes occur:
-
The list of Regions is replaced with a completely different list. If you wanted to add a Region to the inherited list, use
@@appendinstead of@@assignin the child policy. -
Amazon Backup performs every other hour instead of hourly.
-
Amazon Backup allows 80 minutes for the backup to start instead of 60 minutes.
-
Amazon Backup uses the
Defaultvault instead ofFortKnox. -
The lifecycle is extended for both the transfer to cold storage and the eventual deletion of the backup.
{ "plans": { "PII_Backup_Plan": { "regions": [ "us-west-2", "eu-central-1" ], "rules": { "hourly": { "schedule_expression": "cron(0 0/2 ? * * *)", "start_backup_window_minutes": "80", "target_backup_vault_name": "Default", "index_actions": { "resource_types": { "@@assign": [ "EBS", "S3" ] } }, "lifecycle": { "delete_after_days": "365", "move_to_cold_storage_after_days": "30", "opt_in_to_archive_for_supported_resources": "false" }, "copy_actions": { "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault": { "target_backup_vault_arn": {"@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary_vault"}, "lifecycle": { "move_to_cold_storage_after_days": "28", "delete_after_days": "180", "opt_in_to_archive_for_supported_resources": "false" } } } } }, "selections": { "tags": { "datatype": { "iam_role_arn": "arn:aws:iam::$account:role/MyIamRole", "tag_key": "dataType", "tag_value": [ "PII", "RED" ] } } } } } }
Example 6: Specifying resources with the
tags block
The following example includes all resources with the tag_key =
“env” and and tag_value = "prod" and
"gamma". This example excludes resources with the
tag_key = "backup" and the tag_value =
"false".
... "selections":{ "tags":{ "selection_name":{ "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/IAMRole"}, "tag_key":{"@@assign": "env"}, "tag_value":{"@@assign": ["prod", "gamma"]}, "conditions":{ "string_not_equals":{ "condition_name1":{ "condition_key": { "@@assign": "aws:ResourceTag/backup" }, "condition_value": { "@@assign": "false" } } } } } } }, ...
Example 7: Specifying resources with the
resources block
The following are examples of using the resources block to specify
resources.