Apply tags to resources for automating backups
Automate backups for your AWS resources by applying tags to resources at scale
Your company's cloud environment is valuable: data, applications, logs, and the infrastructure behind them. Ransomware attacks or accidental deletion can cost companies millions of dollars directly, while damaging brand reputations and customer relationships.
In this tutorial, we'll walk through how to set up backups for your existing AWS infrastructure at scale using Resourcely. We will automatically apply tags to relevant resources, and then use that to set up an aws_backup_vault.
Things you'll need to continue:
1. Resourcely account
2. A Terraform pipeline running, and the Resourcely Campaign Agent for scanning your Terraform state (use our demo scaffolding repo)
Critical infrastructure is likely some of the following:
EC2 instances
EBS volumes
RDS instances
Aurora Clusters
DynamoDB tables
EFS file systems
For each of these resources, we'll add a backup tag that we can use with aws_backup_vault:
aws_backup_vault configured
Setting up an aws_backup_vault like below, with a tag-based selection that looks for our backup tag, will allow us to automatically back up all of our relevant resources.
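A sketch of that setup, added here as an example and not taken from the tutorial's own code: in the AWS provider the tag match is declared on an aws_backup_selection, attached to an aws_backup_plan whose rule targets the vault. The tag key backup, the resource names, the schedule and the retention period are assumptions; the value "true" is the one used in the remediation steps later on this page.

```hcl
# Added example: names, schedule and retention are assumptions, not values from the tutorial.
resource "aws_backup_vault" "main" {
  name = "tagged-resources-vault"
}

resource "aws_backup_plan" "daily" {
  name = "daily-tagged-backups"

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.main.name
    schedule          = "cron(0 5 * * ? *)" # daily at 05:00 UTC (assumed)

    lifecycle {
      delete_after = 35 # days of retention (assumed)
    }
  }
}

# Role that AWS Backup assumes to back up the selected resources.
data "aws_iam_policy_document" "backup_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "aws-backup-service-role"
  assume_role_policy = data.aws_iam_policy_document.backup_assume.json
}

resource "aws_iam_role_policy_attachment" "backup" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# Tag-based selection: any supported resource tagged backup = "true" is backed up.
resource "aws_backup_selection" "tagged" {
  name         = "backup-tag-true"
  plan_id      = aws_backup_plan.daily.id
  iam_role_arn = aws_iam_role.backup.arn

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup"
    value = "true"
  }
}
```

STRINGEQUALS is an exact, case-sensitive match, so a resource tagged with a different value or casing is silently left out of the plan.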
Now, we'll move into Resourcely. If you haven't already, follow the Remediate policy violations in existing infrastructure quickstart to set up the Campaigns agent for scanning your existing infrastructure.
Resourcely Guardrails feature a flexible policy language. We can write a single policy that will allow us to find relevant resources that lack a backup tag and apply the tag to them.
This policy will flag any resources that don't have the appropriate tag when we include it in a Campaign. You can choose this Guardrail from our pre-built policies in Resourcely; just search for "Require backup tags".
Campaigns lets companies orchestrate remediation across their existing resources. Here is the existing Terraform code that we have in our playground repo (feel free to use it for yourself for testing purposes).
First, we'll create a Campaign. We'll choose relevant repositories and the policies that we want to scan for. I selected the Guardrail that we created above.
The Campaign has scanned our existing infrastructure for violations and identified those resources that fail.
Now that we know there are 3 resources missing the correct backup tag, let's remediate them! Navigating to the remediation screen shows us our violations against our Terraform code:
Let's look at each of our scenarios. The first is the example-rds instance, with an incorrect tag.
Given that this resource has a tag key-value pair that matches our Guardrail, that specific parameter is highlighted when we click on our violation:
Changing the value to "true" gives us feedback that our change was accepted (with the green check).
Let's now consider our violation against key-application-prod. This resource is missing any tag parameters, so we highlight the overall resource. In this case, I must add a tag parameter.
When I add the tag parameter, Resourcely gives me feedback with a green check to let me know that I've added the correct Terraform.
Let's consider our final violation. In this case, the RDS database is for development only. If your organization doesn't want to spend money backing up development databases, we may not want to add the tag. How can we satisfy the Guardrail without adding the tag?
The answer: exceptions. As a user I can request an exception by clicking on the Guardrail and "Manage Exception".
We have now satisfied our backup tag Guardrail. The next step is to submit these changes through our existing CI. This way we:
Preserve our existing approval workflows
Avoid Terraform drift as compared to automated remediation
By clicking Evaluate Changes --> Finalize, I can submit a change request through my version control tool of choice.
Here is the PR I made in GitHub via Resourcely remediation that will add relevant backup tags.
The exception request for our dev database is included in the conversation, and a reviewer is automatically tagged to review the changes.
We've demonstrated two key use cases in one: adding backups to existing resources that are missing them at scale, and adding or changing tags on existing resources, again at scale.
Resourcely Campaigns are a flexible framework for changing Terraform configuration of existing resources. While a single person could manage the example we gave, it could easily scale to hundreds of different developers. Many Resourcely customers have security teams creating and managing Campaigns, while individual developers use the Remediation functionality for the resources they are responsible for.
You can also write it yourself in the .
Fixing misconfigurations can help you stay compliant, mitigate risk & liability, and reduce breaches or incidents. Get started yourself at today!