AWS Backup – Overview
AWS Backup consolidates backups for:
- EC2 (EBS Snapshots)
- RDS/Aurora
- EFS (Elastic File System)
- DynamoDB
- FSx
- S3 (S3 Backup)
Create a backup plan
# IAM role for Backup
aws iam create-role --role-name AWSBackupDefaultServiceRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"backup.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
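aws iam attach-role-policy --role-name AWSBackupDefaultServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
# The restore job further down uses the same role, so it also needs the restore policy
aws iam attach-role-policy --role-name AWSBackupDefaultServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores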
# Backup Vault
aws backup create-backup-vault --backup-vault-name firma-backup-vault --encryption-key-arn arn:aws:kms:eu-central-1:123:key/xxxxx
# Backup plan (the copy destination firma-dr-vault must already exist in eu-west-1)
cat > backup-plan.json << 'EOF'
{
  "BackupPlanName": "firma-backup-plan",
  "Rules": [
    {
      "RuleName": "DailyBackup",
      "TargetBackupVaultName": "firma-backup-vault",
      "ScheduleExpression": "cron(0 2 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": {
        "DeleteAfterDays": 30
      },
      "CopyActions": [
        {
          "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:123:backup-vault:firma-dr-vault",
          "Lifecycle": {"DeleteAfterDays": 90}
        }
      ]
    },
    {
      "RuleName": "WeeklyBackup",
      "TargetBackupVaultName": "firma-backup-vault",
      "ScheduleExpression": "cron(0 3 ? * SUN *)",
      "Lifecycle": {"DeleteAfterDays": 90}
    }
  ]
}
EOF
PLAN_ID=$(aws backup create-backup-plan --backup-plan file://backup-plan.json --query 'BackupPlanId' --output text)
# Add resources to the backup plan (everything tagged Environment=Production)
aws backup create-backup-selection --backup-plan-id "$PLAN_ID" --backup-selection '{"SelectionName":"production-resources","IamRoleArn":"arn:aws:iam::123:role/AWSBackupDefaultServiceRole","ListOfTags":[{"ConditionType":"STRINGEQUALS","ConditionKey":"Environment","ConditionValue":"Production"}]}'
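A pre-deployment check for the plan above, as an added example that is not part of the original page: it reads the rules of backup-plan.json and reports which ones have no copy outside the primary region, never expire, or keep the DR copy for less time than the local one. The finding labels and function names are hypothetical; the embedded plan is a constructed copy of the page's JSON without the schedule fields, and eu-central-1 is assumed as the primary region.

```python
import json

# Constructed copy of the backup-plan.json shown above (schedule fields omitted).
PLAN = json.loads("""
{"BackupPlanName": "firma-backup-plan",
 "Rules": [
  {"RuleName": "DailyBackup",
   "TargetBackupVaultName": "firma-backup-vault",
   "Lifecycle": {"DeleteAfterDays": 30},
   "CopyActions": [{
     "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:123:backup-vault:firma-dr-vault",
     "Lifecycle": {"DeleteAfterDays": 90}}]},
  {"RuleName": "WeeklyBackup",
   "TargetBackupVaultName": "firma-backup-vault",
   "Lifecycle": {"DeleteAfterDays": 90}}]}
""")

def arn_region(arn):
    """Return the region field (fourth component) of an ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]

def audit_plan(plan, primary_region):
    """Return a sorted list of (rule name, finding) tuples for DR-relevant gaps."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if keep is None:
            findings.append((name, "no-expiry"))  # recovery points are kept forever
        copies = rule.get("CopyActions", [])
        remote = [c for c in copies
                  if arn_region(c["DestinationBackupVaultArn"]) != primary_region]
        if not remote:
            findings.append((name, "no-cross-region-copy"))
        for c in remote:
            copy_keep = c.get("Lifecycle", {}).get("DeleteAfterDays")
            if keep is not None and copy_keep is not None and copy_keep < keep:
                findings.append((name, "dr-copy-expires-first"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, finding in audit_plan(PLAN, "eu-central-1"):
        print(f"{rule}: {finding}")
```

For the plan on this page the only finding is that WeeklyBackup has no cross-region copy, so only the daily recovery points would survive the loss of eu-central-1.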
EC2 AMI backup (automatic)
# Tag the EC2 instance for backup
aws ec2 create-tags --resources i-1234567890abcdef0 --tags Key=Environment,Value=Production Key=Backup,Value=daily
# Create a manual AMI (--no-reboot skips the shutdown, so file system consistency is not guaranteed)
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "web-server-backup-$(date +%Y-%m-%d)" --no-reboot
Restore a backup
# Show the latest recovery points
aws backup list-recovery-points-by-vault --backup-vault-name firma-backup-vault --by-resource-type EC2 --query 'RecoveryPoints | sort_by(@, &CreationDate) | [-3:].{ID:RecoveryPointArn,Date:CreationDate}'
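# Restore EC2 (EC2 recovery points are AMI ARNs; use a RecoveryPointArn from the list above)
# aws backup get-recovery-point-restore-metadata shows the metadata keys the recovery point expects
aws backup start-restore-job --recovery-point-arn arn:aws:ec2:eu-central-1::image/ami-xxx --iam-role-arn arn:aws:iam::123:role/AWSBackupDefaultServiceRole --metadata '{"instanceType":"t3.small","subnetId":"subnet-xxx"}'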
S3 versioning + cross-region replication
# Enable versioning
aws s3api put-bucket-versioning --bucket firma-data --versioning-configuration Status=Enabled
# Cross-region replication (disaster recovery); the destination bucket firma-data-dr also needs versioning enabled
# A rule that uses Filter must also set Priority
aws s3api put-bucket-replication --bucket firma-data --replication-configuration '{"Role":"arn:aws:iam::123:role/replication-role","Rules":[{"Status":"Enabled","Priority":1,"Filter":{"Prefix":""},"Destination":{"Bucket":"arn:aws:s3:::firma-data-dr","StorageClass":"STANDARD_IA"},"DeleteMarkerReplication":{"Status":"Disabled"}}]}'
FAQ
What does AWS Backup cost?
Cost of the backup service itself: 0.05 USD/GB/month. On top of that come EBS snapshot costs (~0.05 USD/GB/month) and cross-region transfer.
Conclusion
AWS Backup consolidates all backup jobs and enables cross-region backups for real disaster recovery.