Configuration to create AWS Backup plans and vaults. AWS Backup automates the process of backing up of data across AWS services including EFS, DynamoDB, EC2, EBS, Aurora, RDS, and Storage Gateway, as well as setting custom retention policies, access policies, and encryption

This CloudFormation template creates a custom backup plan with a scheduled backup rule (monthly at 5AM) and resource selection based on specified tags. The backup plan includes lifecycle policies for deleting backups after 120 days and moving them to cold storage after 30 days. This template assumes that the backup service-linked role already exists in the account.

This CloudFormation template creates a backup vault and plan for AWS Backup. It includes a custom backup plan with a scheduled backup rule and a resource selection for EC2 instances and RDS databases.

This CloudFormation template creates a backup vault and a KMS key for encryption. The backup vault is named 'my-backup-vault' and the KMS key is configured to allow IAM user permissions.

Configure AWS Backup Audit Manager to audit the compliance of your AWS Backup policies against controls that you define. This template deploys the AWS backup framework (a collection of controls that helps you to evaluate your backup practices) and (optionally) automatic daily reports for the compliance status of the frameworks set up.

Configure AWS Backup Audit Manager to create automated daily reports on backup job activity. Other reports that can be configured include Backup Restore activity and Backup Copy Jobs activity  This template deploys can (optionally) also audit frameworks to evaluate backup policies for the account.

Configure a Data Lifecycle Manager (DLM) policy to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.

A Config rule that checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with the RestorableByUserIds field is set to all. If this field is set to all, then Amazon EBS snapshots are public.

A Config rule that checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

A Config rule that checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.

A config rule that checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.

A config rule that checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT, if Amazon RDS DB snapshots are not encrypted.

A Config rule that checks whether Amazon RDS database is present in back plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.

A Config rule that checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is 0.

A Config rule that checks if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter.

A Config rule that checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.

A Config rule that checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables are not present in any AWS Backup plan.

A Config rule that checks if a backup plan has a backup rule that satisfies the required frequency and retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

A Config rule that checks if a recovery point is encrypted. The rule is NON_COMPLIANT if the recovery point is not encrypted.

A Config rule that checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement.

A Config rule that checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention point that is less than the required retention period.