Uly.me

cloud engineer

AWS Backup Vaults

Here’s how to list AWS Backup vaults and plans. You can filter the output by specifying a vault.

aws backup list-backup-vaults --query "BackupVaultList[?BackupVaultName=='my-vault']" --output json

Output: (outputs are redacted for security reasons)

[
    {
        "BackupVaultName": "my-vault",
        "BackupVaultArn": "arn:aws:backup:us-east-1:xxxxxxxxxxxx:backup-vault:my-vault",
        "CreationDate": "2019-02-10T11:38:42.556000-05:00",
        "EncryptionKeyArn": "arn:aws:kms:us-east-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "CreatorRequestId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "NumberOfRecoveryPoints": 3
    }
]

Display the BackupPlanId of a specific backup plan.

aws backup list-backup-plans --query "BackupPlansList[?BackupPlanName=='my-backup-plan'].BackupPlanId"

Output: (outputs are redacted for security reasons)

[
    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
]

AWS EFS Create Terraform

Here’s how to build an EFS file system using Terraform. Create a main.tf file.

terraform {
  required_providers {
    aws = {
      version = ">= 3.22.0"
      source = "hashicorp/aws"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}
resource "aws_efs_file_system" "efs-test" {
   creation_token = "efs-test"
   performance_mode = "generalPurpose"
   throughput_mode = "bursting"
   encrypted = "true"
 tags = {
     Name = "efs-test"
   }
}
resource "aws_efs_mount_target" "efs-mt-example" {
   file_system_id  = aws_efs_file_system.efs-test.id
   subnet_id = "subnet-xxxxxxxxxxxxxxxxx"
   security_groups = ["sg-xxxxxxxxxxxxxxxxxx"]
}

To launch, run terraform.

terraform init
terraform apply

EFS Tags Auto Assign Backup Tags

Here’s a script that scans all EFS systems in several AWS accounts and regions and randomly assigns backup tags to EFS systems that are missing backup tags. This is assuming EFS is using AWS Backup service using tags to apply backup policies. If there are no backup tags, an EFS gets assigned a randomly picked backup policy.

#!/bin/bash
# log file
output="test.log"
tmpfil="temp.txt"
# empty file
> $output
# set random array
arr[0]="efs-0000"
arr[1]="efs-0400"
arr[2]="efs-0800"
arr[3]="efs-1200"
arr[4]="efs-1600"
arr[5]="efs-2000"
rand=$[ $RANDOM %6 ]
backup=${arr[$rand]}
# set accounts and regions
declare -a account=("default" "one" "two" "three" "four" "five")
declare -a region=("us-east-1" "us-east-2" "us-west-1" "us-west-2")
for i in "${account[@]}"; do
  echo "===================" >> $output
  echo $i >> $output
  echo "===================" >> $output
  for j in "${region[@]}"; do
    echo $j >> $output
        aws efs describe-file-systems \
        --query "FileSystems[*].[FileSystemId,Tags[?Key=='aws-backup']|[0].Value]" \
        --profile $i \
        --region $j \
        --output text > $tmpfil
        while read -r id tag; do
      if [[ $tag == "" ]]; then
        aws efs tag-resource \
        --resource-id $id \
        --tags Key="aws-backup",Value=${arr[$rand]} \
        --profile $i \
        --region $j >> $output
        echo "Added backup tag $backup to $id" >> $output
      elif [[ $tag == "no-backup" ]]; then
        echo "Backup tag is already set to no-backup on $id." >> $output
      else
        echo "No backup tag changes applied to $id." >> $output
      fi
    done < $tmpfil
  done
done
rm $tmpfil

AWS EFS Tags

This script add new tags if they are missing.

#!/bin/bash
log="log.txt"
id=$(aws efs describe-file-systems --query "FileSystems[*].[FileSystemId]" --output text --region us-east-1)
tag=$(aws efs describe-file-systems --query "FileSystems[*].Tags[?Key=='aws-backup'].Value" --output text --region us-east-1 )
 
arr[0]="efs-0000"
arr[1]="efs-0400"
arr[2]="efs-0800"
arr[3]="efs-1200"
arr[4]="efs-1600"
arr[5]="efs-2000"
 
rand=$[ $RANDOM %6 ]
backup=${arr[$rand]}
 
if [[ $tag == "" ]]; then
  aws efs tag-resource --resource-id $id --tags Key="aws-backup",Value=${arr[$rand]} --profile default --region us-east-1
  echo "Added backup tag $backup to $id" 
elif [[ $tag == "no-backup" ]]; then
  echo "No backup on $id."
else
  echo "No changes done to $id."
fi

EFS Encryption

If you have an existing EFS that’s unencrypted, you can encrypt it be creating a snapshot using AWS Backup, and then restoring the file system to a new EFS with encryption. If you choose to restore in a directory in the same file system, it will not be encrypted. It has to be a new EFS. In addition, you’ll be asked to select which encryption key to use. The default key will work, unless you have your own.