AWS Backup

2021/10/07 - AWS Backup - 2 new 2 updated api methods

Changes: Launch of AWS Backup Vault Lock, which protects your backups from malicious and accidental actions, works with existing backup policies, and helps you meet compliance requirements.

PutBackupVaultLockConfiguration (new)

Applies Backup Vault Lock to a backup vault, preventing attempts to delete any recovery point stored in or created in a backup vault. Vault Lock also prevents attempts to update the lifecycle policy that controls the retention period of any recovery point currently stored in a backup vault. If specified, Vault Lock enforces a minimum and maximum retention period for future backup and copy jobs that target a backup vault.

See also: AWS API Documentation

Request Syntax

client.put_backup_vault_lock_configuration(
    BackupVaultName='string',
    MinRetentionDays=123,
    MaxRetentionDays=123,
    ChangeableForDays=123
)
type BackupVaultName

string

param BackupVaultName

[REQUIRED]

The Backup Vault Lock configuration that specifies the name of the backup vault it protects.

type MinRetentionDays

integer

param MinRetentionDays

The Backup Vault Lock configuration that specifies the minimum retention period that the vault retains its recovery points. This setting can be useful if, for example, your organization's policies require you to retain certain data for at least seven years (2555 days).

If this parameter is not specified, Vault Lock will not enforce a minimum retention period.

If this parameter is specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails that backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already saved in the vault prior to Vault Lock are not affected.

type MaxRetentionDays

integer

param MaxRetentionDays

The Backup Vault Lock configuration that specifies the maximum retention period that the vault retains its recovery points. This setting can be useful if, for example, your organization's policies require you to destroy certain data after retaining it for four years (1460 days).

If this parameter is not included, Vault Lock does not enforce a maximum retention period on the recovery points in the vault. If this parameter is included without a value, Vault Lock will not enforce a maximum retention period.

If this parameter is specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already saved in the vault prior to Vault Lock are not affected.

type ChangeableForDays

integer

param ChangeableForDays

The Backup Vault Lock configuration that specifies the number of days before the lock date. For example, setting ChangeableForDays to 30 on Jan. 1, 2022 at 8pm UTC will set the lock date to Jan. 31, 2022 at 8pm UTC.

Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable. Therefore, you must set ChangeableForDays to 3 or greater.

Before the lock date, you can delete Vault Lock from the vault using DeleteBackupVaultLockConfiguration or change the Vault Lock configuration using PutBackupVaultLockConfiguration. On and after the lock date, the Vault Lock becomes immutable and cannot be changed or deleted.

If this parameter is not specified, you can delete Vault Lock from the vault using DeleteBackupVaultLockConfiguration or change the Vault Lock configuration using PutBackupVaultLockConfiguration at any time.

returns

None
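A pre-flight check for the parameters described above, added here as an example (it is not part of the AWS documentation or SDK). The helper names plan_vault_lock and job_accepted and the vault name example-vault are assumptions; the rules they encode are the ones stated on this page, and the rejection of MinRetentionDays greater than MaxRetentionDays is this example's own sanity check, since no job could satisfy both bounds.

```python
from datetime import datetime, timedelta, timezone

COOLING_OFF_DAYS = 3  # the 72-hour cooling-off period stated above


def plan_vault_lock(vault, min_days=None, max_days=None,
                    changeable_for_days=None, now=None):
    """Validate the inputs and return (request kwargs, lock date or None)."""
    if min_days is not None and max_days is not None and min_days > max_days:
        raise ValueError("MinRetentionDays > MaxRetentionDays: every job would fail")
    if changeable_for_days is not None and changeable_for_days < COOLING_OFF_DAYS:
        raise ValueError("ChangeableForDays must be 3 or greater")
    # Omitted parameters are left out entirely, which means "not enforced".
    kwargs = {"BackupVaultName": vault}
    for key, val in (("MinRetentionDays", min_days),
                     ("MaxRetentionDays", max_days),
                     ("ChangeableForDays", changeable_for_days)):
        if val is not None:
            kwargs[key] = val
    lock_date = None  # without ChangeableForDays the lock never becomes immutable
    if changeable_for_days is not None:
        now = now or datetime.now(timezone.utc)
        lock_date = now + timedelta(days=changeable_for_days)
    # kwargs can be passed to client.put_backup_vault_lock_configuration(**kwargs)
    return kwargs, lock_date


def job_accepted(retention_days, min_days=None, max_days=None):
    """Model of the documented rule for backup and copy jobs into a locked vault."""
    if min_days is not None and retention_days < min_days:
        return False  # shorter than the minimum: the vault fails the job
    if max_days is not None and retention_days > max_days:
        return False  # longer than the maximum: the vault fails the job
    return True
```

Reviewing the returned lock date before sending the request matters because, once that date passes, neither the retention bounds nor the lock itself can be changed.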

DeleteBackupVaultLockConfiguration (new)

Deletes Backup Vault Lock from a backup vault specified by a backup vault name.

If the Vault Lock configuration is immutable, then you cannot delete Vault Lock using API operations, and you will receive an InvalidRequestException if you attempt to do so. For more information, see Vault Lock in the Backup Developer Guide.

See also: AWS API Documentation

Request Syntax

client.delete_backup_vault_lock_configuration(
    BackupVaultName='string'
)
type BackupVaultName

string

param BackupVaultName

[REQUIRED]

The name of the backup vault from which to delete Backup Vault Lock.

returns

None

DescribeBackupVault (updated)
Changes (response)
{'LockDate': 'timestamp',
 'Locked': 'boolean',
 'MaxRetentionDays': 'long',
 'MinRetentionDays': 'long'}

Returns metadata about a backup vault specified by its name.

See also: AWS API Documentation

Request Syntax

client.describe_backup_vault(
    BackupVaultName='string'
)
type BackupVaultName

string

param BackupVaultName

[REQUIRED]

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created. They consist of lowercase letters, numbers, and hyphens.

rtype

dict

returns

Response Syntax

{
    'BackupVaultName': 'string',
    'BackupVaultArn': 'string',
    'EncryptionKeyArn': 'string',
    'CreationDate': datetime(2015, 1, 1),
    'CreatorRequestId': 'string',
    'NumberOfRecoveryPoints': 123,
    'Locked': True|False,
    'MinRetentionDays': 123,
    'MaxRetentionDays': 123,
    'LockDate': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • BackupVaultName (string) --

      The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created. They consist of lowercase letters, numbers, and hyphens.

    • BackupVaultArn (string) --

      An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.

    • EncryptionKeyArn (string) --

      The server-side encryption key that is used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

    • CreationDate (datetime) --

      The date and time that a backup vault is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • CreatorRequestId (string) --

      A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice.

    • NumberOfRecoveryPoints (integer) --

      The number of recovery points that are stored in a backup vault.

    • Locked (boolean) --

      A Boolean that indicates whether Backup Vault Lock is currently protecting the backup vault. True means that Vault Lock causes delete or update operations on the recovery points stored in the vault to fail.

    • MinRetentionDays (integer) --

      The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a minimum retention period.

      If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

    • MaxRetentionDays (integer) --

      The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a maximum retention period on the recovery points in the vault (allowing indefinite storage).

      If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

    • LockDate (datetime) --

      The date and time when Backup Vault Lock configuration cannot be changed or deleted.

      If you applied Vault Lock to your vault without specifying a lock date, you can change any of your Vault Lock settings, or delete Vault Lock from the vault entirely, at any time.

      This value is in Unix format, Coordinated Universal Time (UTC), and accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

ListBackupVaults (updated)
Changes (response)
{'BackupVaultList': {'LockDate': 'timestamp',
                     'Locked': 'boolean',
                     'MaxRetentionDays': 'long',
                     'MinRetentionDays': 'long'}}

Returns a list of recovery point storage containers along with information about them.

See also: AWS API Documentation

Request Syntax

client.list_backup_vaults(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

The next item following a partial list of returned items. For example, if a request is made to return maxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

type MaxResults

integer

param MaxResults

The maximum number of items to be returned.

rtype

dict

returns

Response Syntax

{
    'BackupVaultList': [
        {
            'BackupVaultName': 'string',
            'BackupVaultArn': 'string',
            'CreationDate': datetime(2015, 1, 1),
            'EncryptionKeyArn': 'string',
            'CreatorRequestId': 'string',
            'NumberOfRecoveryPoints': 123,
            'Locked': True|False,
            'MinRetentionDays': 123,
            'MaxRetentionDays': 123,
            'LockDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • BackupVaultList (list) --

      An array of backup vault list members containing vault metadata, including Amazon Resource Name (ARN), display name, creation date, number of saved recovery points, and encryption information if the resources saved in the backup vault are encrypted.

      • (dict) --

        Contains metadata about a backup vault.

        • BackupVaultName (string) --

          The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created. They consist of lowercase letters, numbers, and hyphens.

        • BackupVaultArn (string) --

          An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.

        • CreationDate (datetime) --

          The date and time a resource backup is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • EncryptionKeyArn (string) --

          The server-side encryption key that is used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

        • CreatorRequestId (string) --

          A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice.

        • NumberOfRecoveryPoints (integer) --

          The number of recovery points that are stored in a backup vault.

        • Locked (boolean) --

          A Boolean value that indicates whether Backup Vault Lock applies to the selected backup vault. If true, Vault Lock prevents delete and update operations on the recovery points in the selected vault.

        • MinRetentionDays (integer) --

          The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a minimum retention period.

          If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

        • MaxRetentionDays (integer) --

          The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a maximum retention period on the recovery points in the vault (allowing indefinite storage).

          If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

        • LockDate (datetime) --

          The date and time when Backup Vault Lock configuration becomes immutable, meaning it cannot be changed or deleted.

          If you applied Vault Lock to your vault without specifying a lock date, you can change your Vault Lock settings, or delete Vault Lock from the vault entirely, at any time.

          This value is in Unix format, Coordinated Universal Time (UTC), and accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • NextToken (string) --

      The next item following a partial list of returned items. For example, if a request is made to return maxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.
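An audit over the new ListBackupVaults response fields, added here as an example (it is not part of the AWS documentation or SDK). It reports vaults whose lock can still be removed; the function names, the required_min_days policy parameter and the sample pages are constructed for illustration.

```python
from datetime import datetime, timezone


def lock_state(vault, now):
    """Classify one BackupVaultList member by the lock fields described above."""
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "removable"    # no lock date: the lock can be deleted at any time
    if now < lock_date:
        return "cooling-off"  # still changeable or deletable until LockDate
    return "immutable"        # on and after LockDate


def audit(pages, now, required_min_days):
    """Return {vault name: [findings]} for vaults that are not yet tamper-proof."""
    findings = {}
    for page in pages:  # one dict per response page (NextToken pagination)
        for v in page.get("BackupVaultList", []):
            issues = []
            state = lock_state(v, now)
            if state != "immutable":
                issues.append(f"lock state is {state}")
            if state != "unlocked" and (v.get("MinRetentionDays") or 0) < required_min_days:
                issues.append("minimum retention below policy")
            if issues:
                findings[v["BackupVaultName"]] = issues
    return findings


# Constructed sample pages; real ones would come from
# client.get_paginator("list_backup_vaults").paginate().
NOW = datetime(2022, 2, 1, tzinfo=timezone.utc)
SAMPLE_PAGES = [
    {"BackupVaultList": [
        {"BackupVaultName": "prod-immutable", "Locked": True, "MinRetentionDays": 2555,
         "LockDate": datetime(2022, 1, 31, 20, tzinfo=timezone.utc)},
        {"BackupVaultName": "prod-pending", "Locked": True, "MinRetentionDays": 2555,
         "LockDate": datetime(2022, 3, 1, tzinfo=timezone.utc)},
    ], "NextToken": "constructed-token"},
    {"BackupVaultList": [
        {"BackupVaultName": "dev-removable", "Locked": True, "MinRetentionDays": 30},
        {"BackupVaultName": "scratch", "Locked": False},
    ]},
]
```

Locked being true is not enough on its own: only a vault whose LockDate has passed is protected against a principal who is allowed to call DeleteBackupVaultLockConfiguration.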