One of the key benefits of working with IaaS services such as Amazon EBS and Amazon RDS is the ability to create backups and snapshots programmatically, but that same ability can become a source of unchecked cost if it is not watched closely.
The AWS Backup service, first released in 2019, can automate backup scheduling and enforce retention policies, but many customers either aren’t aware of it or have existing processes and tools that leave thousands of aged snapshots in their accounts. In addition to our governance controls that enforce AWS Backup plans, Turbot Guardrails provides controls to manage aging resources (e.g. instances, access keys, storage, volumes, snapshots, etc.) in a consistent, repeatable framework across cloud providers and services.
This post looks at how to use Turbot Guardrails Active > Age policies to delete EC2 snapshots based on your retention policies.
It is very common at scale to see customer environments with backup automation but no retention management. While any individual snapshot can be deleted in a few clicks, it becomes difficult to identify snapshots, manage their lifecycle and programmatically remove them across multiple accounts. Often, because of elapsed time and personnel changes, deleting older snapshots is itself seen as a compliance risk (i.e. "what if someone needs it for something"). Over time, this inaction lets dozens of snapshots turn into hundreds (or thousands).
Get it done with Turbot Guardrails
With Turbot Guardrails, you can use active guardrails to identify whether a resource is in active use. Once a resource has been identified as inactive, Turbot Guardrails can clean up the inactive resource with corrective controls, or alert you with detective controls. “Active” type policies have defined sub-policies that calculate the current status based on conditions such as last modified, ‘attached’, etc. One such criterion is the “age” state sub-policy for Amazon EBS snapshots shown in the example below:
After setting the above policies, Turbot Guardrails automation will quickly identify all currently aged snapshots, create an alert and then begin remediation (deletion) once the warning period is over. To evaluate the potential impact of this in your environment (before remediating) we suggest setting the value to Check: Active at the Turbot level. You can then selectively apply the enforcement setting to development and/or sandbox environments to test the corrective controls.
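To make the age-based evaluation and the check-versus-enforce distinction concrete, here is an added example (not Turbot's or AWS's own code) that classifies constructed snapshot records by age: in check mode every aged snapshot only produces an alert, while in enforce mode snapshots past the retention limit plus the warning period are scheduled for deletion. The 90-day retention limit and 14-day warning period are assumed values, and the snapshot ids are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Snapshot:
    snapshot_id: str
    start_time: datetime  # creation time as reported by the cloud API


def age_state(snapshot, now, max_age_days, warning_days):
    """Classify one snapshot by age.
    'active'  : younger than the retention limit, nothing to do
    'aged'    : past the limit but inside the warning period (alert only)
    'expired' : past the limit and the warning period (eligible for deletion)
    """
    age = now - snapshot.start_time
    if age <= timedelta(days=max_age_days):
        return "active"
    if age <= timedelta(days=max_age_days + warning_days):
        return "aged"
    return "expired"


def plan(snapshots, now, max_age_days=90, warning_days=14, enforce=False):
    """Return {snapshot_id: action} for snapshots that need attention.
    Check mode (enforce=False) only alerts, which is the safe setting to
    measure impact first; enforce mode deletes once the warning period is over.
    """
    actions = {}
    for snap in snapshots:
        state = age_state(snap, now, max_age_days, warning_days)
        if state == "active":
            continue
        # In a real deployment the "delete" action would call the EC2 API;
        # here it is only recorded so the plan can be reviewed offline.
        actions[snap.snapshot_id] = "delete" if (state == "expired" and enforce) else "alert"
    return actions


# Constructed sample data: ids are placeholders, not real snapshots.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Snapshot("snap-0000000000000aa", NOW - timedelta(days=30)),   # within retention
    Snapshot("snap-0000000000000bb", NOW - timedelta(days=100)),  # aged, in warning period
    Snapshot("snap-0000000000000cc", NOW - timedelta(days=200)),  # expired
]

if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce" if enforce else "check", plan(SAMPLE, NOW, enforce=enforce))
```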
Make it happen!
See for yourself how easy it is to automate snapshot cleanup in just a few clicks. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!