Use AWS Backup Service in Use for Amazon RDS

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Snapshots.

04 On the Snapshots listing page, click on the dropdown list that filters your RDS snapshots based on their type, and choose Backup service to list the snapshots processed by AWS Backup service. If there are no snapshots available, i.e.

the service is not used to manage RDS database instance snapshots, therefore Amazon Backup is not in use for Amazon RDS within the current region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run describe-db-snapshots command (OSX/Linux/UNIX) using custom query filters to list the RDS database snapshots managed by Amazon Backup service, available in the selected AWS region:

aws rds describe-db-snapshots
    --region us-east-1
    --query 'DBSnapshots[?(SnapshotType==`awsbackup`)]'

02 The command output should return an array with the requested information:

[]

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to AWS Backup dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, choose Backup plans.

04 Click Create Backup planbutton from the dashboard top menu to initiate the backup plan setup process.

05 On the Create Backup plan page, perform the following:

1. In the Start options section, select Start from an existing plan option.
2. From Choose plan dropdown list, select a predefined backup plan to start from, e.g. Daily-35day-Retention.
3. Provide a unique name for your backup plan in the Backup plan name box.
4. To edit the predefined backup rule, select the rule available in the Backup rules section, then click the Edit button. Review and choose the right configuration for your rule. For example, you can extend the retention period of the backup plan in the Monthly rule to three years instead of one year. For Backup vault, choose Default to use the default vault made available by Amazon Backup. Click Save Backup rule to apply the changes.
5. In the Tags added to Backup plan section, define any necessary tag sets to help you organize and track your backup plan.
6. Click Create plan to create your new backup plan.

06 On the newly created backup plan page, within Resource assignments section, click Assign resources button to apply your new backup plan to your AWS RDS resources.

07 On the Assign resources page, provide the following details:

1. Type a unique name for the new assignment in the Resource assignment name box.
2. Under IAM role, choose Default role. If the Amazon Backup default role is not available in your AWS account, a new one will be created with the correct permissions.
3. In the Assign resources section, select Resource ID from Assign by dropdown list, choose RDS from Resource type list, then click inside Database name box and select the name of the AWS RDS database instance that you want to assign to your backup plan. (Optional) To assign more resources to your backup plan, click Add assignment and follow the same steps.
4. Once the necessary assignments are configured, click Assign resources to confirm the action. From now on, Amazon Backup will use the backup plan created at the previous steps to take daily snapshots of your AWS RDS database instance and manage these snapshots using the backup rules associated with your AWS Backup plan.

08 If required, repeat step no. 4 – 7 to create and configure new Amazon Backup plans for other AWS RDS database instances available in the current region.

09 Change the AWS region from the navigation bar to repeat the entire process for the other regions.

01 Define the necessary Amazon Backup plan, including the backup rules required for scheduled (daily) RDS database backups. Create a new JSON document, name it daily-35day-retention.json, and paste the content listed below. The following example represents a predefined Amazon Backup plan that takes daily backups (in this case AWS RDS instance snapshots) and has a retention period of 35 days:

{
  "BackupPlanName": "cc-project5-backup-plan",
  "Rules": [
    {
      "RuleName": "DailyBackups",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 480,
      "CompletionWindowMinutes": 10080,
      "Lifecycle": {
        "DeleteAfterDays": 35
      }
    }
  ]
}

02 Run create-backup-plan command (OSX/Linux/UNIX) using the backup plan definition created at the previous step (i.e. daily-35day-retention.json) as value for the --backup-plan command parameter, to create your new Amazon Backup plan:

aws backup create-backup-plan
    --region us-east-1
    --backup-plan file://daily-35day-retention.json

03 The command output should return the command request metadata:

{
    "BackupPlanArn": "arn:aws:backup:us-east-1:123456789012:backup-plan:abcd1234-abcd-1234-abcd-1234abcd1234",
    "VersionId": "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD",
    "CreationDate": 1552652281.971,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

04 Run create-backup-selection command (OSX/Linux/UNIX) using the ID of the newly created backup plan as parameter, to assign the specified Amazon Backup plan to an RDS database instance, identified by the ARN "arn:aws:rds:us-east-1:123456789012:db:cc-project5-instance", using the default IAM service role provided by AWS Backup, identified by "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole". After the create-backup-selection command request is executed, Amazon Backup will use the backup plan created at the previous steps to take daily snapshots of your RDS database instance and manage these snapshots using the predefined backup rules associated with your AWS Backup plan:

aws backup create-backup-selection
    --region us-east-1
    --backup-plan-id abcd1234-abcd-1234-abcd-1234abcd1234
    --backup-selection SelectionName=cc-project5-db-instance,IamRoleArn=arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole,Resources=arn:aws:rds:us-east-1:123456789012:db:cc-project5-instance

05 The command output should return the command request metadata:

{
    "SelectionId": "12341234-abcd-abcd-abcd-123412341234",
    "CreationDate": 1552652418.029,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

06 If required, repeat step no. 1 – 5 to create and configure new Amazon Backup plans for other AWS RDS database instances provisioned in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the remediation/resolution process for other regions.