Protecting Amazon DynamoDB Using AWS Backup

Prerequisites

What You Will Accomplish

• Create an on-demand backup of an Amazon DynamoDB table, for scenarios where you need to create a standalone, unscheduled backup, with AWS Backup.
• Create a backup plan to automate your backups on a schedule.
• Define resources to be protected by adding them to an existing backup plan using tags.

Implementation

Step 1: Go to the AWS Backup Console

• Log in to the AWS Management Console and navigate to the AWS Backup console. Confirm that you are configuring AWS Backup in the same Region as your DynamoDB table.

Step 2: Configure an On-Demand AWS Backup Job of an Amazon DynamoDB Table

• In the navigation pane on the left of the console, choose Settings.
• On the Service opt-in page, choose the Configure resources button.

• On the Configure resources page, use the toggle switches to enable or disable the services used with AWS Backup. In this case, enable DynamoDB. Choose Confirm when your services are configured.

• Scroll down Setting page to the Advanced features for Amazon DynamoDB backups section.
• Confirm that this is Enabled. If Disabled, enable before continuing. To learn more these advanced features, visit the Advanced DynamoDB backup page in the AWS Backup documentation.

• Back in the AWS Backup console, under My account, select Protected resources in the left navigation pane. Then choose the Create on-demand backup button.

• On the Create on-demand backup page, choose the Resource type that you want to back up; choose DynamoDB, from the list of supported resources, to back up an Amazon DynamoDB table.
• Choose the Table name of the DynamoDB resource that you want to protect.
• In the Backup window section, select Create backup now. This initiates a backup immediately and enables you to see your saved resource sooner on the Protected resources page. Choosing Customize Backup Window can be used if you would prefer to configure the backup job to start at a later time.
• For Transition to cold storage, you can define how long your data will remain on primary storage before transitioning to a lower cost storage tier. For this tutorial, enter 7 days.
• For Retention period select Days and enter the number of days you want to retain the backups for. For this tutorial, enter 97 days. Backups can be retained indefinitely in cold storage, with a minimum retention of 90 days. The total retention period is the sum of the time that backups are stored in warm and and cold storage. You can learn more about AWS Backup lifecycle to cold storage in the AWS Backup documentation.
• For Backup vault, select one of the existing vaults and continue with step 2.3.3, or follow step 2.3.2 to create a new backup vault (which begins with selecting Create new Backup vault). You may see a Default Vault in your account, if you have not removed it previously. You can use the Default vault for this tutorial. In practice, we see customers create new backup vaults so they can group backups storage according to their organizational structure. For example, customers may want to store backups from different business units in different vaults.

• On the Create on-demand backup page, choose Create new Backup vault This opens a new browser tab with the Create a backup vault page.
• Enter a name for your backup vault. You can name your vault to reflect what you will store in it, which will also make it easier to search for the backups you need. For example, you could name it WebappBackups.
• Select an AWS Key Management Service (AWS KMS) key. You can use either a key that you already created or select the default AWS Backup KMS key.

• Optionally, add tags that will help you search for and identify your backup vault.

• After adding tags, click on the Create backup vault button to finish creating the backup vault. You will be redirected to the details page for the newly created WebappBackups vault.

• Close the current browser tab and return to the browser tab with the Create on-demand backup page. Select the WebappBackups backup vault.

• Choose the Default role for the** IAM role, as shown in the screenshot below. If the AWS Backup Default role is not present in your account, one will be automatically created for you with the correct permissions.

• Choose the Create on-demand backup button. This takes you to the Jobs page, where you will see a list of AWS Backup jobs. From here, you will be able to monitor the progress of active backup jobs, as well as recovery and copy jobs. After a few minutes, the status of the backup job you created will change from Created to Completed. We will look at your recovery points in Step 4, when we restore our newly created backup.

Step 3: Configure a Scheduled AWS Backup Job of an Amazon DynamoDB Table

• In the AWS Backup console, under My account, select Backup plans in the left navigation pane, and then choose the Create Backup plan button.

• AWS Backup provides three options to create a backup plan: in this tutorial, you will build a new plan.
  • Start with a template - You can create a new backup plan based on the configurations in an existing plan. Be aware that backup plans created by AWS Backup are based on backup best practices and common backup policy configurations available in the AWS Backup Developer Guide. When you select an existing backup plan to start from, the configurations from that backup plan are automatically populated for your new backup plan. You can then change any of these configurations according to your backup requirements.
  • Build a new plan - You can create a new backup plan by specifying each of the backup configuration details, as described in the next section. You can choose from the recommended default configurations.
  • Define a plan using JSON: You can modify the JSON expression of an existing backup plan or create a new expression.
• Choose Build a new plan.
• For Backup plan name, You must provide a unique name. If you choose a name that is identical to the name of an existing plan, you will receive an error message. For this tutorial, create a backup plan named DynamoDB-backup.

• For Backup rule name, enter a descriptive name such as DynamoDB-dailies
• For Backup vault, select one of the existing vaults or use the WebappBackups vault, created previously in Step 2.
• For Backup Frequency, choose Daily. The backup frequency determines how often a backup is created. You can choose a frequency of every 12 hours, daily, weekly, or monthly. When selecting weekly, you can specify which days of the week you want backups to be taken. When selecting monthly, you can choose a specific day of the month.
• In the Backup window section, leave the default Start time, Start within duration, and the Complete within duration.. If you would like to customize the backup frequency and backup window, refer to the documentation for more information.
• As noted in the console and in the tutorial overview, continuous backups is not supported for DynamoDB, by AWS Backup. So, leave the checkbox empty.

• For Transition to cold storage, you can define how long your data will remain on primary storage before transitioning to a lower cost storage tier. In this tutorial, enter 7 days.
• For Retention period select Days and enter the number of days you want to retain the backups for. In this tutorial, enter 97 days.

• For Copy to destination, leave this unselected, since this tutorial covers backups within the same AWS Region.
• For Advanced backup settings, leave Windows VSS unchecked. This setting enables application-consistent backups for third-party applications that are running on Amazon EC2 instances. You can refer to the documentation for more details.
• Then, choose the Create plan button.

• Select the created backup plan and choose the Assign resources button.

• You will be redirected to another window where you can assign resources to your new backup plan. For Resource assignment name, enter a name such as DynamoDB-resources.
• Choose the Default role for the IAM role, as shown in the screenshot below. If the AWS Backup Default role is not present in your account, one will be automatically created for you with the correct permissions.

• AWS Backup provides two options for assigning resources to a backup plan. In this tutorial, you will include your DynamoDB table as a specific resource in your new backup plan.
  • Include all resource types - This option will select all resources and it can be further refined with key value pair selection in the step below.
  • Include specific resource types - This option will allow you to select the specific resource types, including DynamoDB, you will want to back up with this backup rule.
• Select Include specific resource types and you will be presented with additional options to choose the resource type you want to back up.
• In the Select specific resource types section, use the Select resource types drop-down list and select DynamoDB.
• For Table names, use the choose resources drop-down list and select Music.

• Skip to the bottom and select the Assign resources button. This will assign the DynamoDB table, named Music, as a resource to the backup plan.
• You will be redirected to another page where you will see the details for your newly created backup plan. You will see your Backup rules and Resource assignments.

Step 4: Restore an Amazon DynamoDB Table Using AWS Backup

• Navigate to the WebappBackups backup vault that has been used in this tutorial. Select the latest completed DynamoDB backup by clicking on the recovery point ARN. This will be the on-demand backup recovery point created in Section 2.

• In the recovery point page, select the Restore button.

• The restore of the recovery point ARN will bring you to a Restore backup screen that will have the Original table name, and other configurations.
  • For New table name, enter a name such as DynamoDB-restore.

• For Encryption key, choose the Amazon DynamoDB-owned key. You also have the option of choosing a different KMS key for encrypting you restored DynamoDB table.
• Choose the Default role for the Restore role, as shown in the screenshot below. If the AWS Backup Default role is not present in your account, one will be automatically created for you with the correct permissions.
• Verify all your entries, and choose Restore backup.

• You will be redirected to the AWS Backup Jobs page, where you can track the progress of your restore job.

• Once the job status appears as completed, navigate to the Amazon DynamoDB console. Select Tables in the left navigation pane to see the restored DynamoDB table.

• Open the restored table and confirm that it is identical to original Music table.

Step 5: Cleanup

• 5.1.1 - Open the AWS Backup console. Navigate to the vault where the recovery point is stored.
• 5.1.2 - Select the recovery point and select Delete from the drop-down menu.
• 5.1.3 - Delete the backup vault if no longer needed.
• 5.1.4 - Navigate to the backup plans page.
• 5.1.5 - Navigate to the details page for any recovery point you no longer need.
• 5.1.6 - Delete the resource assignment for the recovery point and then delete the recovery point.

• 5.2.1 — Open the Amazon DynamoDB console.
• 5.2.2 — In the navigation pane on the left, choose Tables under DynamoDB.
• 5.2.3 — Select the restored DynamoDB table and choose Delete. Delete all CloudWatch alarms for the restored table. Confirm the deletion by typing confirm.
• 5.2.4 - You can repeat the above steps to delete the Music DynamoDB table you backed up, if it is no longer needed.

Conclusion