Open mdgm88 opened 1 month ago
Not sure I follow 100%. Are you saying that EC2Snapshot/RDSSnapshot can be seen by their respective APIs even though they are managed by the AWS Backup service?
Yes. They are not fully managed by AWS Backup, so the backups still show up in the EC2/RDS APIs.
Only some resources support full management, and even for those that do, it is optional in some cases (e.g. for DynamoDB), so as to not force a breaking change: https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-for-all-resources
Is the tag data the only way of detection that you know of? I'm going to have to get some examples or figure out how to replicate. Any details there would be appreciated.
Tags are not the only way except for EC2Snapshot.
For EC2Image the Name begins with "AwsBackup_i-". For RDSClusterSnapshot and RDSSnapshot the Identifier begins with "awsbackup:" and the SnapshotType is "awsbackup".
For EC2Snapshot it seems the tag is the only way currently, but perhaps that resource is missing some properties?
Very helpful.
Note that the tags with the prefix "aws:" are AWS owned tags and managed by AWS. So users can't tag something as being an AWS Backup that isn't.
You can't use EC2Image, EC2Snapshot, RDSClusterSnapshot and RDSSnapshot to delete recovery points in a Backup Vault. Instead you use AWSBackupRecoveryPoint to delete these.
There may be more to exclude for backups of other resources that are not fully managed by AWS Backup.
Currently I have these filters: ` EC2Image: