{"value":"To define the data protection policy of an application, you have to look at its components and find which ones store data that needs to be protected. Those are the stateful components of your application, such as databases and file systems. Other components don’t store data but need to be restored as well in case of issues. These are stateless components, such as containers and their network configurations.\n\nWhen you manage your application using infrastructure as code (IaC), you have a single repository where all these components are described. Can we use this information to help protect your applications? Yes! Amazon Backup now supports attaching an Amazon CloudFormation stack to your data protection policies.\n\nWhen you use CloudFormation as a resource, all stateful components supported by Amazon Backup are backed up around the same time. The backup also includes the stateless resources in the stack, such as Amazon Identity and Access Management (IAM) roles and Amazon Virtual Private Cloud (Amazon VPC) security groups. This gives you a single recovery point that you can use to recover the application stack or the individual resources you need. In case of recovery, you don’t need to mix automated tools with custom scripts and manual activities to recover and put the whole application stack back together. As you modernize and update an application managed with CloudFormation, Amazon Backup automatically keeps track of changes and updates the data protection policies for you.\n\nCloudFormation support for Amazon Backup also helps you prove compliance of your data protection policies. You can monitor your application resources in Amazon Backup Audit Manager, a feature of Amazon Backup that enables you to audit and report on the compliance of data protection policies. 
You can also use Amazon Backup Vault Lock to manage the immutability of your backups as required by your compliance obligations.\n\nLet’s see how this works in practice.\n\n#### **Using Amazon Backup Support for CloudFormation Stacks**\nFirst, I need to turn on the CloudFormation resource type for Amazon Backup. In the [Amazon Backup console](https://console.aws.amazon.com/backup), I choose Settings in the navigation pane and then, in the Service opt-in section, Configure resources. There, I toggle the CloudFormation resource type on and choose Confirm.\n\n![image.png](https://dev-media.amazoncloud.cn/8333987700264386b83d91a6a1de1f86_image.png)\n\nNow that CloudFormation support is enabled, I choose Dashboard in the navigation pane and then Create backup plan. I select the Start with a template option and then the Daily-35day-Retention template. As the name suggests, this template creates daily backups that are kept for 35 days before being automatically deleted. I enter a name for the backup plan and choose Create plan.\n\n![image.png](https://dev-media.amazoncloud.cn/5032a855bdd747d6b2e16441142d2a03_image.png)\n\nNow I can assign resources to my backup plan. I enter a resource assignment name and use the default IAM role that is automatically created with the correct permissions.\n\n![image.png](https://dev-media.amazoncloud.cn/9c7fb1613d6f4defa21eaf4ef0488eb2_image.png)\n\nIn the Resource selection, I can select Include all resource types to automatically protect all resource types that are enabled in my account. Because I’d like to show how CloudFormation support works, I select Include specific resource types and then CloudFormation in the Select resource types dropdown menu. In the Choose resources menu, I can use the All supported CloudFormation stacks option to have all my stacks protected. 
For simplicity, I choose to protect only one stack, the my-app stack.\n\n![image.png](https://dev-media.amazoncloud.cn/c005f35350da4cf68d61b9863f670951_image.png)\n\nI leave the other options at their default values and choose Assign resources. That’s all! Now the CloudFormation stack that I selected will be backed up daily with 35 days of retention. What does that mean? Let’s have a look at what happens when I create an on-demand backup of a CloudFormation stack.\n\n#### **Creating On-Demand Backups for CloudFormation Stacks**\nI choose Protected resources in the navigation pane and then Create on-demand backup. The next steps are similar to what I did before when assigning resources to a backup plan. I select the CloudFormation resource type and the my-app stack. I use the Create backup now option to start the backup within one hour. I choose 7 days of retention and the Default backup vault. Backup vaults are logical containers that store and organize your backups. I select the default IAM role and choose Create on-demand backup.\n\n![image.png](https://dev-media.amazoncloud.cn/4a829dd9cdea4ef59b9251de26599c18_image.png)\n\nWithin a few minutes, the backup job is running. I expand the Backup job ID in the Backup jobs list to see the resources being backed up. The stateful resources (such as Amazon DynamoDB tables and Amazon Relational Database Service (RDS) databases) are listed with the current state of the backup job. The stateless resources in my stack (such as IAM roles, Amazon Lambda functions, and VPC configurations) are backed up by the job with the CloudFormation resource type.\n\n![image.png](https://dev-media.amazoncloud.cn/e39018268fe44e74b3f357f909165eae_image.png)\n\nWhen the backup job has completed, I go back to the Protected resources page to see the list of resources that I can now restore. In the list, I see the IDs of the stateful resources (in this case, two DynamoDB tables and an Aurora database) and of the CloudFormation stack. 
If I choose each of the stateful resources, I see the available recovery points corresponding to the different points in time when that resource has been backed up.\n\n![image.png](https://dev-media.amazoncloud.cn/4e328e03599540bf943e3fd591ea60b4_image.png)\n\nIf I choose the CloudFormation stack, I get a list of composite recovery points. Each composite recovery point includes all stateless and stateful resources in the stack. More specifically, the stateless resources are included in the CloudFormation template recovery point (the last one in the following screenshot).\n\n![image.png](https://dev-media.amazoncloud.cn/d1a6487a779145c6b1276bbba8aaa036_image.png)\n\n#### **Restoring a CloudFormation Backup**\nInside the composite recovery point, I select the recovery point of the CloudFormation stack and choose Restore. Restoring a CloudFormation stack backup creates a new stack with a change set that represents the backup. I enter the new stack and change set names and choose Restore backup. After a few minutes, the restore job is completed.\n\nIn the CloudFormation console, the new stack is under review. I need to apply the change set.\n\n![image.png](https://dev-media.amazoncloud.cn/86efffcd89dd4b2e805488ee9ff75ce0_image.png)\n\nI choose the new stack and select the change set created by the restore job to apply the change set.\n\n![image.png](https://dev-media.amazoncloud.cn/bf8e6280e24f4686a1378ecb4bbefdc0_image.png)\n\nAfter some time, the resources in my original stack have been recreated in the new stack. The stateful resources have been recreated empty. To recover the stateful resources, I can go back to the list of recovery points, select the recovery point I need, and initiate a restore.\n\n#### **++Availability and Pricing++**\n[AWS Backup](https://aws.amazon.com/backup/) support for CloudFormation stacks is available today using the console, Amazon Command Line Interface (CLI), and Amazon SDKs in all Amazon Regions where Amazon Backup is offered. 
There is no additional cost for the stateless resources backed up and restored by Amazon Backup. You only pay for the stateful resources such as databases, storage volumes, or file systems. For more information, see [Amazon Backup pricing](https://aws.amazon.com/backup/pricing/).\n\nYou now have an automated solution to create and restore your applications with a simplified experience, eliminating the need to manage custom scripts.\n\n— [Danilo](https://twitter.com/danilop)\n\n![danilo.png](https://dev-media.amazoncloud.cn/c5ccf521b9144ff1b0fcac3c30e92f5e_danilo.png)\n\n[**Danilo Poccia**](https://aws.amazon.com/blogs/aws/author/danilop/)\nDanilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Lambda in Action from Manning.\n","render":"<p>To define the data protection policy of an application, you have to look at its components and find which ones store data that needs to be protected. Those are the stateful components of your application, such as databases and file systems. Other components don’t store data but need to be restored as well in case of issues. These are stateless components, such as containers and their network configurations.</p>\n<p>When you manage your application using infrastructure as code (IaC), you have a single repository where all these components are described. Can we use this information to help protect your applications? Yes! Amazon Backup now supports attaching an Amazon CloudFormation stack to your data protection policies.</p>\n<p>When you use CloudFormation as a resource, all stateful components supported by Amazon Backup are backed up around the same time. 
The backup also includes the stateless resources in the stack, such as Amazon Identity and Access Management (IAM) roles and Amazon Virtual Private Cloud (Amazon VPC) security groups. This gives you a single recovery point that you can use to recover the application stack or the individual resources you need. In case of recovery, you don’t need to mix automated tools with custom scripts and manual activities to recover and put the whole application stack back together. As you modernize and update an application managed with CloudFormation, Amazon Backup automatically keeps track of changes and updates the data protection policies for you.</p>\n<p>CloudFormation support for Amazon Backup also helps you prove compliance of your data protection policies. You can monitor your application resources in Amazon Backup Audit Manager, a feature of Amazon Backup that enables you to audit and report on the compliance of data protection policies. You can also use Amazon Backup Vault Lock to manage the immutability of your backups as required by your compliance obligations.</p>\n<p>Let’s see how this works in practice.</p>\n<h4><a id=\"Using_Amazon_Backup_Support_for_CloudFormation_Stacks_10\"></a><strong>Using Amazon Backup Support for CloudFormation Stacks</strong></h4>\n<p>First, I need to turn on the CloudFormation resource type for Amazon Backup. In the <a href=\"https://console.aws.amazon.com/backup\" target=\"_blank\">Amazon Backup console</a>, I choose Settings in the navigation pane and then, in the Service opt-in section, Configure resources. There, I toggle the CloudFormation resource type on and choose Confirm.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/8333987700264386b83d91a6a1de1f86_image.png\" alt=\"image.png\" /></p>\n<p>Now that CloudFormation support is enabled, I choose Dashboard in the navigation pane and then Create backup plan. I select the Start with a template option and then the Daily-35day-Retention template. 
As the name suggests, this template creates daily backups that are kept for 35 days before being automatically deleted. I enter a name for the backup plan and choose Create plan.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/5032a855bdd747d6b2e16441142d2a03_image.png\" alt=\"image.png\" /></p>\n<p>Now I can assign resources to my backup plan. I enter a resource assignment name and use the default IAM role that is automatically created with the correct permissions.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/9c7fb1613d6f4defa21eaf4ef0488eb2_image.png\" alt=\"image.png\" /></p>\n<p>In the Resource selection, I can select Include all resource types to automatically protect all resource types that are enabled in my account. Because I’d like to show how CloudFormation support works, I select Include specific resource types and then CloudFormation in the Select resource types dropdown menu. In the Choose resources menu, I can use the All supported CloudFormation stacks option to have all my stacks protected. For simplicity, I choose to protect only one stack, the my-app stack.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/c005f35350da4cf68d61b9863f670951_image.png\" alt=\"image.png\" /></p>\n<p>I leave the other options at their default values and choose Assign resources. That’s all! Now the CloudFormation stack that I selected will be backed up daily with 35 days of retention. What does that mean? Let’s have a look at what happens when I create an on-demand backup of a CloudFormation stack.</p>\n<h4><strong>Creating On-Demand Backups for CloudFormation Stacks</strong></h4>\n<p>I choose Protected resources in the navigation pane and then Create on-demand backup. The next steps are similar to what I did before when assigning resources to a backup plan. I select the CloudFormation resource type and the my-app stack. I use the Create backup now option to start the backup within one hour. I choose 7 days of retention and the Default backup vault. 
Backup vaults are logical containers that store and organize your backups. I select the default IAM role and choose Create on-demand backup.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/4a829dd9cdea4ef59b9251de26599c18_image.png\" alt=\"image.png\" /></p>\n<p>Within a few minutes, the backup job is running. I expand the Backup job ID in the Backup jobs list to see the resources being backed up. The stateful resources (such as Amazon DynamoDB tables and Amazon Relational Database Service (RDS) databases) are listed with the current state of the backup job. The stateless resources in my stack (such as IAM roles, Amazon Lambda functions, and VPC configurations) are backed up by the job with the CloudFormation resource type.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/e39018268fe44e74b3f357f909165eae_image.png\" alt=\"image.png\" /></p>\n<p>When the backup job has completed, I go back to the Protected resources page to see the list of resources that I can now restore. In the list, I see the IDs of the stateful resources (in this case, two DynamoDB tables and an Aurora database) and of the CloudFormation stack. If I choose each of the stateful resources, I see the available recovery points corresponding to the different points in time when that resource has been backed up.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/4e328e03599540bf943e3fd591ea60b4_image.png\" alt=\"image.png\" /></p>\n<p>If I choose the CloudFormation stack, I get a list of composite recovery points. Each composite recovery point includes all stateless and stateful resources in the stack. 
More specifically, the stateless resources are included in the CloudFormation template recovery point (the last one in the following screenshot).</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/d1a6487a779145c6b1276bbba8aaa036_image.png\" alt=\"image.png\" /></p>\n<h4><strong>Restoring a CloudFormation Backup</strong></h4>\n<p>Inside the composite recovery point, I select the recovery point of the CloudFormation stack and choose Restore. Restoring a CloudFormation stack backup creates a new stack with a change set that represents the backup. I enter the new stack and change set names and choose Restore backup. After a few minutes, the restore job is completed.</p>\n<p>In the CloudFormation console, the new stack is under review. I need to apply the change set.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/86efffcd89dd4b2e805488ee9ff75ce0_image.png\" alt=\"image.png\" /></p>\n<p>I choose the new stack and select the change set created by the restore job to apply the change set.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/bf8e6280e24f4686a1378ecb4bbefdc0_image.png\" alt=\"image.png\" /></p>\n<p>After some time, the resources in my original stack have been recreated in the new stack. The stateful resources have been recreated empty. To recover the stateful resources, I can go back to the list of recovery points, select the recovery point I need, and initiate a restore.</p>\n<h4><a id=\"Availability_and_Pricing_61\"></a><strong><ins>Availability and Pricing</ins></strong></h4>\n<p><a href=\"https://aws.amazon.com/backup/\" target=\"_blank\">AWS Backup</a> support for CloudFormation stacks is available today using the console, Amazon Command Line Interface (CLI), and Amazon SDKs in all Amazon Regions where Amazon Backup is offered. There is no additional cost for the stateless resources backed up and restored by Amazon Backup. You only pay for the stateful resources such as databases, storage volumes, or file systems. 
For more information, see <a href=\"https://aws.amazon.com/backup/pricing/\" target=\"_blank\">Amazon Backup pricing</a>.</p>\n<p>You now have an automated solution to create and restore your applications with a simplified experience, eliminating the need to manage custom scripts.</p>\n<p>— <a href=\"https://twitter.com/danilop\" target=\"_blank\">Danilo</a></p>\n<p><img src=\"https://dev-media.amazoncloud.cn/c5ccf521b9144ff1b0fcac3c30e92f5e_danilo.png\" alt=\"danilo.png\" /></p>\n<p><a href=\"https://aws.amazon.com/blogs/aws/author/danilop/\" target=\"_blank\"><strong>Danilo Poccia</strong></a><br />\nDanilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Lambda in Action from Manning.</p>\n"}