Backup Recovery Point deletion - should automatically filter where can't delete #364
Comments
mdgm88
changed the title
|
Not sure I follow 100%. Are you saying that EC2Snapshot/RDSSnapshot can be be seen by their respective apis even though they are managed by the AWS Backup service? |
|
Yes. They are not fully managed by AWS Backup, so the backups still show up in the EC2/RDS APIs. Only some resource support for full management, and even for those that do, it is optional in some cases (e.g. for DynamoDB), so as to not force a breaking change: https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-for-all-resources |
|
Is the tag data the only way of detection that you know of? I'm going to have to get some examples or figure out how to replicate. Any details there would be appreciated |
|
Tags are not the only way except for EC2Snapshot. For EC2Image the Name begins with "AwsBackup_i-" For EC2Snapshot it seems the tag is the only way currently, but perhaps that resource is missing some properties? |
|
Very helpful. |
|
Note that the tags with the prefix "aws:" are AWS owned tags and managed by AWS. So users can't tag something as being an AWS Backup that isn't. |
You can't use EC2Image, EC2Snapshot, RDSClusterSnapshot and RDSSnapshot to delete recovery points in a Backup Vault. Instead you use AWSBackupRecoveryPoint to delete these.
There may be more to exclude for backups of other resources that are not fully managed by AWS Backup.
Currently I have these filters:
`
EC2Image:
type: glob
value: "*"
EC2Snapshot:
type: glob
value: "*"
RDSClusterSnapshot:
type: glob
value: "awsbackup*"
RDSSnapshot:
type: glob
value: "awsbackup*"
`
The text was updated successfully, but these errors were encountered: