This is an AWS Backup implementation using Terraform with security and operational best practices in mind.

The following services are supported:

• RDS
• EBS
• EFS
• DynamoDB

• AWS Backup selects resources to backup using resource tags. The resource tags determine the backup plan to use.

• A lambda function identifies resources without the backup_policy tag, auto-tags those resources with the default backup plan and notifies the operations team.

• Backups are performed using the AWS Backup service. All backups are stored in a backup vault named backup_vault.

This terraform config adds extra security to the AWS backup vault setup by applying a resource policy that prevents any user from:

• Removing the recovery points
• Removing the backup vault
• Changing or removing the resource policy which imposes the previous restrictions

This means that only the root account will ever be able to remove this backup vault! The backup vault will survive even in a scenario where a privileged IAM principal with *:* permissions is compromised.

Review the backup-plan.tf file and customize the aws_backup_plan resources to match your company policies. This is an example resource definition:

resource "aws_backup_plan" "daily_two_weeks" {
  name = "daily_two_weeks"
  rule {
    rule_name = "daily_two_weeks"
    target_vault_name = "${aws_backup_vault.backup_vault.name}"

    # every day at 3am
    schedule = "cron(0 3 * * ? *)"

    lifecycle {
      delete_after = "14"
    }
  }
}

Customize the name, schedule and lifecycle to match your company requirements. Then create a selector similar to the following:

resource "aws_backup_selection" "daily_two_weeks_selection" {
  plan_id = "${aws_backup_plan.daily_two_weeks.id}"
  name = "daily_two_weeks_selection"
  iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/AWSBackupDefaultServiceRole"

  selection_tag {
    type = "STRINGEQUALS"
    key = "backup_policy"
    value = "daily_two_weeks"
  }
}

The aws_backup_selection resource is used to match the resources for the aws_backup_plan. In this case the resources with backup_policy tag with value daily_two_weeks are selected and associated with the plan_id.

The backup-plan.tf file contains a more complex backup plan which is inspired on the Grandfather-father-son strategy.

Edit the variables.tf configuration to define the to and from email addresses to use by the Lambda function to send notifications.

The from email address will require you to perform an SES verification. In other words, after applying these terraform configs you will have to go to the email inbox for the from email address and click on a verification link that will allow the Lambda function to send emails from this address.

After customization, configure your credentials in ~/.aws/credentials and use the following commands to deploy:

cd aws-backup/ 

terraform init
terraform plan -var profile=awsbackup -var region=us-east-1
terraform apply -var profile=awsbackup -var region=us-east-1

Manually tag all resources in your infrastructure using a tag named backup_policy containing one of aws_backup_plan as values. Any resources that AWS backup can manage and were not manually tagged will be notified by the lambda function to the operations team.

AWS Backup will select resources per-region, this solution needs to be deployed multiple times, one for each region where your company is creating resources.

It is possible to disable backups for a specific resource using the tag backup_policy with value none. This will prevent AWS Backup from running backups on the resource and the Lambda function from sending notifications.

The lambda function is run every day and inspects the infrastructure looking for resources which have no backups enabled (no backup_policy tag). When such a resource is found the lambda function will:

• auto tag it with backup_policy: daily_two_weeks
• Notify the infrastructure team, as they might want to change the backup policy and update the terraform configs.

The recommended steps for restoring a backup can be found in the AWS documentation

terraform fmt