Efficient data backup is a vital component of any enterprise’s data protection strategy. Organizations must ensure they not only comply with regulations but also safeguard against threats like ransomware. However, managing these backups is just as critical as creating them. A significant part of this management involves eliminating stale recovery points—backups that are either outdated or associated with resources that no longer exist. Prompt management is essential to prevent administrators from wasting time on unnecessary validation of backups.
As infrastructure scales, backup administrators might face the daunting task of cleaning up hundreds or even thousands of recovery points. This process can be labor-intensive and time-consuming.
To streamline management with AWS Backup, it’s crucial to configure backup policies effectively. For instance, Amazon EBS storage for Amazon EC2 recovery points can accumulate rapidly if the retention period is set to “Always.” Fortunately, updating this configuration is straightforward, eliminating the need to recreate backup plans. However, it’s important to note that changing the retention period only affects new recovery points; previously created points will continue to follow the old retention settings.
Recently, AWS Backup introduced batch operations, allowing users to delete multiple recovery points via the AWS Backup console. For those looking to enhance their data protection processes, this functionality enables bulk deletions based on specific criteria like creation date or associated AWS resource. Automating these actions at scale is made simpler with AWS Tools for PowerShell.
In this post, I will illustrate how to use AWS Tools for PowerShell to automate various scenarios for cleaning up AWS Backup recovery points. The examples provided will focus on recovery points for Amazon EC2 instances, Amazon RDS, Amazon DynamoDB tables, and Amazon FSx, but the principles apply to other AWS resources supported by AWS Backup.
Understanding AWS Backup Basics
Before diving into use cases, let’s clarify some fundamental concepts related to AWS Backup. AWS Backup serves to centralize and automate data protection across various AWS services, including support for cross-account and cross-region backups within AWS Organizations.
Key components of AWS Backup include:
- Backup Vault: A container for storing backups, which can be encrypted using AWS KMS keys and tagged with resource identifiers.
- Backup Plan: This policy outlines the specifics of how backups should be conducted, detailing which resources to back up, the frequency of backups, and the retention period. Backup plans contain backup rules, which dictate schedules, windows, and lifecycle guidelines.
- Backup Policies: Similar to backup plans but applied at the organizational level, enabling configuration across multiple accounts.
- Recovery Points: Each recovery point signifies a successful backup of an AWS resource, identified by a unique ID that varies based on resource type. For instance, recovery point IDs for Amazon EC2 start with “image,” while those for Amazon EBS start with “snapshot.”
Prerequisites for Using PowerShell Commands
To execute the AWS Tools for PowerShell commands outlined in this article, you will need:
- An AWS account.
- An IAM user with permissions to manage AWS Backup operations. If you lack full admin access, consider using the AWSBackupFullAccess policy for ease of implementation.
- At least two recovery points configured in AWS Backup, with one set to “Always.” If needed, create new recovery points quickly through on-demand backups.
- Properly installed and configured AWS Tools for PowerShell.
Getting Started with AWS Backup Cmdlets
The AWS Backup PowerShell module includes 50 cmdlets for automating various tasks related to backup management, such as creating and modifying vaults, plans, and recovery points. Key cmdlets that will be showcased in this guide include:
- Get-BAKBackupVaultList: Lists all available backup vaults in a specified region.
- Get-BAKRecoveryPointsByBackupVaultList: Displays recovery points stored in a particular vault.
- Remove-BAKRecoveryPoint: Deletes specified recovery points.
Example Scenario: Deleting Recovery Points with No Expiry
In this scenario, we aim to delete recovery points that have an infinite retention period, meaning they lack an expiry date. To identify these points, you can check the recovery point lifecycle value. If the lifecycle value is null, it indicates that there are no defined retention days.
Start by listing all recovery points in the default backup vault of the eu-west-2 (London) region:
Get-BAKRecoveryPointsByBackupVaultList -BackupVaultName Default -Region eu-west-2 | Out-GridView
The output will provide a grid view for easy filtering and manipulation. Pay attention to the CalculatedLifecycle column, which indicates the retention period.
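The scenario above can be carried through end to end in a short script. The following is an added example, not code from the original post or from AWS: it lists the recovery points in a vault, keeps only those whose lifecycle has no DeleteAfterDays value (the "Always" retention case), prints a per-resource-type summary, and deletes them only when run with a -Commit switch. The helper function names and the -Commit switch are my own; it assumes the AWS.Tools.Backup module is installed, credentials are configured, and that the objects returned by Get-BAKRecoveryPointsByBackupVaultList expose Lifecycle, CalculatedLifecycle, ResourceType, CreationDate and RecoveryPointArn properties as the AWS SDK models them.

```powershell
# Added example (not from the original post): find recovery points with no expiry
# in one vault and delete them, with a dry run by default.
# Assumes AWS.Tools.Backup is installed and AWS credentials are already configured.
#Requires -Modules AWS.Tools.Backup

function Get-NoExpiryRecoveryPoint {
    param(
        [Parameter(Mandatory)] [string] $BackupVaultName,
        [Parameter(Mandatory)] [string] $Region
    )
    # One object per recovery point; the cmdlet handles pagination for us.
    Get-BAKRecoveryPointsByBackupVaultList -BackupVaultName $BackupVaultName -Region $Region |
        Where-Object {
            # A missing Lifecycle, or a Lifecycle with no DeleteAfterDays, is the
            # "Always" retention setting: AWS Backup never schedules a deletion.
            ($null -eq $_.Lifecycle -or $null -eq $_.Lifecycle.DeleteAfterDays) -and
            $_.Status -eq 'COMPLETED'   # skip points still being created or already expiring
        }
}

function Remove-NoExpiryRecoveryPoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupVaultName,
        [Parameter(Mandatory)] [string] $Region,
        [switch] $Commit   # without -Commit nothing is deleted (hypothetical switch, my own)
    )
    $targets = @(Get-NoExpiryRecoveryPoint -BackupVaultName $BackupVaultName -Region $Region)

    # Show what would be affected, grouped by resource type (EC2, RDS, DynamoDB, FSx, ...),
    # before touching anything. Recovery point IDs differ per type ("image-..." for EC2,
    # "snapshot-..." for EBS), so grouping by ResourceType is more reliable than by ID prefix.
    $targets | Group-Object ResourceType |
        Select-Object @{ n = 'ResourceType'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    foreach ($rp in $targets) {
        $label = "$($rp.RecoveryPointArn) ($($rp.ResourceType), created $($rp.CreationDate))"
        if ($Commit) {
            # -Force suppresses the per-item confirmation prompt of the Remove-* cmdlet.
            Remove-BAKRecoveryPoint -BackupVaultName $BackupVaultName `
                -RecoveryPointArn $rp.RecoveryPointArn -Region $Region -Force
            Write-Host "Deleted $label"
        }
        else {
            Write-Host "Would delete $label"
        }
    }
    return $targets.Count
}

# Dry run first; re-run with -Commit once the printed list looks right.
Remove-NoExpiryRecoveryPoint -BackupVaultName Default -Region eu-west-2
# Remove-NoExpiryRecoveryPoint -BackupVaultName Default -Region eu-west-2 -Commit
```

Running the dry run first is the point of the design: the deletion is irreversible, and a filter on a null lifecycle will match every on-demand backup created without a lifecycle as well as points from plans whose retention was "Always". Review the grouped summary, and if the vault is a cross-account or vault-locked copy, check that the IAM identity you are using is actually permitted to delete from it before adding -Commit.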