AWS backup - Centralized - POC - Template
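---
# AWS Backup plan + selection for a workload account, forwarding non-COMPLETED
# backup-job events to a central backup account's EventBridge bus.
#
# Deployment notes:
#   - BackupRole has a fixed RoleName, so the stack needs CAPABILITY_NAMED_IAM
#     and can be deployed only once per account (the name must be unique).
#   - The vault named by BackupVaultName must already exist in this region.
#   - The central event bus must carry a resource policy that allows
#     events:PutEvents from this account, otherwise forwarded events are dropped.
#   - AWS Backup schedules run in UTC (no ScheduleExpressionTimezone is set).
AWSTemplateFormatVersion: '2010-09-09'
Description: Backup Plan template to back up all resources

Parameters:
  BackupAccountEventBus:
    Type: String
    Description: ARN of the EventBridge event bus in the central backup account that receives backup-job events.
    # Restrict to an event-bus ARN so a typo cannot grant events:PutEvents on an unintended resource.
    AllowedPattern: '^arn:aws[a-z-]*:events:[a-z0-9-]+:[0-9]{12}:event-bus/.+$'
    ConstraintDescription: Must be an EventBridge event-bus ARN (arn:aws:events:<region>:<account>:event-bus/<name>).
  BackupVaultName:
    Type: String
    Description: Name of the existing backup vault (in this account and region) that receives recovery points.
    # AWS Backup vault names: 2-50 characters, letters, digits, hyphens and underscores.
    AllowedPattern: '^[a-zA-Z0-9_-]{2,50}$'
    ConstraintDescription: Must be 2-50 characters of letters, digits, hyphens or underscores.

Resources:
  # Service role AWS Backup assumes to snapshot the selected resources.
  # NOTE(review): the AWS-managed restore policy is also attached. Backup
  # selections only need the backup policy; splitting backup and restore into
  # two roles would be least-privilege, but is left as-is because operators
  # may already use this role for restores.
  BackupRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: r_uala-infra-backup
      Description: Iam Role for AWSBackup
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: only AWS Backup acting on behalf of this
            # account may assume the role.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup'
        - 'arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores'
      Tags:
        - Key: Environment
          Value: Prod
        - Key: Owner
          Value: Backup

  # Forwards AWS Backup job-completion events whose final state is anything
  # other than COMPLETED (i.e. failed/aborted/expired jobs) to the central
  # backup account's event bus, where alerting is handled.
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: Forwards AWS Backup job-completion events with a non-COMPLETED state to the central backup account event bus.
      EventPattern:
        source:
          - aws.backup
        detail:
          eventName:
            - BackupJobCompleted
          serviceEventDetails:
            state:
              - anything-but:
                  - COMPLETED
      Name: uala-global-infra-backupjobnotification
      State: ENABLED
      Targets:
        # Cross-account bus target; the ARN comes from the parameter instead of
        # being hard-coded so the template is reusable across accounts/regions.
        - Arn: !Ref BackupAccountEventBus
          Id: BackupAccountEventBus
          RoleArn: !GetAtt EventBridgeIAMrole.Arn

  # Role EventBridge assumes to put events on the remote bus. Scoped to
  # events:PutEvents on exactly the configured bus.
  EventBridgeIAMrole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sts:AssumeRole'
            # Confused-deputy guard: only EventBridge rules in this account may
            # assume the role.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      Path: /
      Policies:
        - PolicyName: PutEventsDestinationBus
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'events:PutEvents'
                Resource:
                  - !Ref BackupAccountEventBus

  # Daily / weekly / monthly / yearly rules, all at 04:00 UTC.
  # Day-of-week in AWS cron: 1 = Sunday ... 7 = Saturday.
  # NOTE(review): cold-storage transitions are ignored for resource types that
  # do not support it; retention still applies. No CopyAction to the central
  # account is defined, so recovery points live only in this account's vault.
  BackupPlan:
    Type: 'AWS::Backup::BackupPlan'
    Properties:
      BackupPlan:
        BackupPlanName: uala-infrastructure-backup-plan
        AdvancedBackupSettings:
          # Application-consistent snapshots for Windows EC2 instances (requires the SSM agent/VSS component).
          - ResourceType: EC2
            BackupOptions:
              WindowsVSS: enabled
        BackupPlanRule:
          # Sunday-Friday; Saturday is covered by the weekly/monthly/yearly rules.
          - RuleName: DailyBackups
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: 'cron(0 4 ? * 2,3,4,5,6,1 *)'
            StartWindowMinutes: 60
            CompletionWindowMinutes: 360
            Lifecycle:
              DeleteAfterDays: 7
          # Every Saturday.
          - RuleName: WeeklyBackups
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: 'cron(0 4 ? * 7 *)'
            StartWindowMinutes: 60
            CompletionWindowMinutes: 360
            Lifecycle:
              DeleteAfterDays: 30
          # First Saturday of February-December (January is the yearly rule).
          - RuleName: MonthlyBackups
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: 'cron(0 4 ? 2-12 7#1 *)'
            StartWindowMinutes: 60
            CompletionWindowMinutes: 360
            Lifecycle:
              # Delete must be >= 90 days after the cold-storage transition.
              MoveToColdStorageAfterDays: 2
              DeleteAfterDays: 180
          # First Saturday of January, retained ~10 years.
          - RuleName: YearlyBackups
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: 'cron(0 4 ? 1 7#1 *)'
            StartWindowMinutes: 60
            CompletionWindowMinutes: 360
            Lifecycle:
              MoveToColdStorageAfterDays: 2
              DeleteAfterDays: 3650

  # Selects every supported resource in the region except those explicitly
  # opted out or listed under NotResources.
  # NOTE(review): the opt-out is tag-driven, so any principal allowed to tag a
  # resource with Backup=no can silently remove it from backups. Consider an
  # SCP or IAM condition on aws:TagKeys/aws:RequestTag that limits who may set
  # the "Backup" tag.
  BackupSelection:
    Type: 'AWS::Backup::BackupSelection'
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: uala-infraestructure-backup-selection
        IamRoleArn: !GetAtt BackupRole.Arn
        Resources:
          - '*'
        # All entries under Conditions are AND-ed: a resource is excluded when
        # its Backup tag is "no", "No" or "NO" (tag matching is case-sensitive).
        # Resources without a Backup tag are included.
        Conditions:
          StringNotEquals:
            - ConditionKey: 'aws:ResourceTag/Backup'
              ConditionValue: 'no'
            - ConditionKey: 'aws:ResourceTag/Backup'
              ConditionValue: 'No'
            - ConditionKey: 'aws:ResourceTag/Backup'
              ConditionValue: 'NO'
        NotResources:
          # EBS volumes are captured as part of EC2 instance backups.
          - 'arn:aws:ec2:*:*:volume/*'
          - 'arn:aws:s3:::*'
          # Terraform state/lock tables; region wildcarded so the exclusion holds
          # wherever this stack is deployed (the selection itself is regional).
          - 'arn:aws:dynamodb:*:*:table/*tfstate*'
          - 'arn:aws:cloudformation:*'

Outputs:
  BackupRoleArn:
    Description: ARN of the IAM role AWS Backup assumes for this selection.
    Value: !GetAtt BackupRole.Arn
  BackupPlanId:
    Description: ID of the backup plan created by this stack.
    Value: !Ref BackupPlan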