The aws-backup mod contains resource, control and policy definitions for the AWS Backup service.

Resource Types

Resource types covered by this mod:

Permissions

Permissions for Backup and the grant level associated with each:

| Permission | Grant Level | Help |
| --- | --- | --- |
| backup-storage:MountCapsule | Admin | This permission is required to create a Backup Vault. |
| backup:CreateBackupPlan | Admin | |
| backup:CreateBackupSelection | Admin | |
| backup:CreateBackupSelection | Admin | |
| backup:CreateBackupVault | Admin | |
| backup:DeleteBackupPlan | Admin | |
| backup:DeleteBackupSelection | Admin | |
| backup:DeleteBackupSelection | Admin | |
| backup:DeleteBackupVault | Admin | |
| backup:DeleteBackupVaultAccessPolicy | Admin | |
| backup:DeleteBackupVaultNotifications | Admin | |
| backup:DeleteRecoveryPoint | Admin | |
| backup:DescribeBackupJob | Metadata | |
| backup:DescribeBackupVault | Metadata | |
| backup:DescribeProtectedResource | Metadata | |
| backup:DescribeRecoveryPoint | Metadata | |
| backup:DescribeRestoreJob | Metadata | |
| backup:ExportBackupPlanTemplate | Metadata | |
| backup:GetBackupPlan | Metadata | |
| backup:GetBackupPlanFromJSON | Metadata | |
| backup:GetBackupPlanFromTemplate | Metadata | |
| backup:GetBackupSelection | Metadata | |
| backup:GetBackupVaultAccessPolicy | Metadata | |
| backup:GetBackupVaultNotifications | Metadata | |
| backup:GetRecoveryPointRestoreMetadata | Metadata | |
| backup:GetSupportedResourceTypes | Metadata | |
| backup:ListBackupJobs | Metadata | |
| backup:ListBackupPlanTemplates | Metadata | |
| backup:ListBackupPlanVersions | Metadata | |
| backup:ListBackupPlans | Metadata | |
| backup:ListBackupSelections | Metadata | |
| backup:ListBackupVaults | Metadata | |
| backup:ListProtectedResources | Metadata | |
| backup:ListRecoveryPointsByBackupVault | Metadata | |
| backup:ListRecoveryPointsByResource | Metadata | |
| backup:ListRestoreJobs | Metadata | |
| backup:ListTags | Metadata | |
| backup:PutBackupVaultAccessPolicy | Admin | |
| backup:PutBackupVaultNotifications | Operator | |
| backup:StartBackupJob | Operator | |
| backup:StartRestoreJob | Operator | |
| backup:StopBackupJob | Operator | |
| backup:TagResource | Operator | |
| backup:UntagResource | Operator | |
| backup:UpdateBackupPlan | Admin | |
| backup:UpdateRecoveryPointLifecycle | Admin | |
| backup:UpdateRegionSettings | Admin | |
| health:DescribeEventAggregates | Metadata | |
| kms:DescribeKey | Metadata | |
| kms:ListAliases | Metadata | |
| kms:ListKeys | Metadata | |

Version: 5.9.0
Released On: May 31, 2023

Release Notes

5.9.0 (2023-05-31)

What's new?

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

5.8.1 (2022-12-14)

Bug fixes

  • The AWS > Backup > Recovery Point > CMDB control would sometimes go into an error state for recovery points that don't support tagging operations. This is fixed and the control will now work as expected.

Action Types

Added

  • AWS > Backup > Backup Plan > Skip alarm for approved control
  • AWS > Backup > Backup Plan > Skip alarm for approved control [90 days]
  • AWS > Backup > Backup Selection > Skip alarm for approved control
  • AWS > Backup > Backup Selection > Skip alarm for approved control [90 days]
  • AWS > Backup > Backup Vault > Skip alarm for approved control
  • AWS > Backup > Backup Vault > Skip alarm for approved control [90 days]
  • AWS > Backup > Recovery Point > Skip alarm for approved control
  • AWS > Backup > Recovery Point > Skip alarm for approved control [90 days]

5.8.0 (2022-05-11)

Resource Types

Added

  • AWS > Backup > Backup Selection
  • AWS > Backup > Protected Resource
  • AWS > Backup > Recovery Point

Control Types

Added

  • AWS > Backup > Backup Selection > Active
  • AWS > Backup > Backup Selection > Approved
  • AWS > Backup > Backup Selection > CMDB
  • AWS > Backup > Backup Selection > Discovery
  • AWS > Backup > Protected Resource > CMDB
  • AWS > Backup > Protected Resource > Discovery
  • AWS > Backup > Recovery Point > Active
  • AWS > Backup > Recovery Point > Approved
  • AWS > Backup > Recovery Point > CMDB
  • AWS > Backup > Recovery Point > Discovery
  • AWS > Backup > Recovery Point > Tags

Policy Types

Added

  • AWS > Backup > Backup Selection > Active
  • AWS > Backup > Backup Selection > Active > Age
  • AWS > Backup > Backup Selection > Active > Last Modified
  • AWS > Backup > Backup Selection > Approved
  • AWS > Backup > Backup Selection > Approved > Custom
  • AWS > Backup > Backup Selection > Approved > Regions
  • AWS > Backup > Backup Selection > Approved > Usage
  • AWS > Backup > Backup Selection > CMDB
  • AWS > Backup > Backup Selection > Regions
  • AWS > Backup > Protected Resource > CMDB
  • AWS > Backup > Protected Resource > Regions
  • AWS > Backup > Recovery Point > Active
  • AWS > Backup > Recovery Point > Active > Age
  • AWS > Backup > Recovery Point > Active > Budget
  • AWS > Backup > Recovery Point > Active > Last Modified
  • AWS > Backup > Recovery Point > Approved
  • AWS > Backup > Recovery Point > Approved > Budget
  • AWS > Backup > Recovery Point > Approved > Custom
  • AWS > Backup > Recovery Point > Approved > Regions
  • AWS > Backup > Recovery Point > Approved > Usage
  • AWS > Backup > Recovery Point > CMDB
  • AWS > Backup > Recovery Point > Regions
  • AWS > Backup > Recovery Point > Tags
  • AWS > Backup > Recovery Point > Tags > Template

Action Types

Added

  • AWS > Backup > Backup Selection > Delete
  • AWS > Backup > Backup Selection > Router
  • AWS > Backup > Recovery Point > Delete
  • AWS > Backup > Recovery Point > Router
  • AWS > Backup > Recovery Point > Update Tags

5.7.0 (2022-03-22)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Control Types

Added

  • AWS > Backup > Backup Plan > Configured
  • AWS > Backup > Backup Vault > Configured

Policy Types

Added

  • AWS > Backup > Backup Plan > Approved > Custom
  • AWS > Backup > Backup Plan > Configured
  • AWS > Backup > Backup Plan > Configured > Claim Precedence
  • AWS > Backup > Backup Plan > Configured > Source
  • AWS > Backup > Backup Vault > Approved > Custom
  • AWS > Backup > Backup Vault > Configured
  • AWS > Backup > Backup Vault > Configured > Claim Precedence
  • AWS > Backup > Backup Vault > Configured > Source

5.6.0 (2021-07-22)

Resource Types

Added

  • AWS > Backup > Region Settings

Control Types

Added

  • AWS > Backup > Region Settings > CMDB
  • AWS > Backup > Region Settings > Discovery
  • AWS > Backup > Region Settings > Service Opt-In

Policy Types

Added

  • AWS > Backup > Region Settings > CMDB
  • AWS > Backup > Region Settings > Regions
  • AWS > Backup > Region Settings > Service Opt-In
  • AWS > Backup > Region Settings > Service Opt-In > Resources

Action Types

Added

  • AWS > Backup > Region Settings > Router
  • AWS > Backup > Region Settings > Update Service Opt-In

5.5.0 (2021-06-24)

What's new?

  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-backup policy now includes backup-storage:* permissions.

5.4.0 (2021-06-17)

Control Types

Added

  • AWS > Backup > Stack

Policy Types

Added

  • AWS > Backup > Stack
  • AWS > Backup > Stack > Secret Variables
  • AWS > Backup > Stack > Source
  • AWS > Backup > Stack > Terraform Version
  • AWS > Backup > Stack > Variables

5.3.2 (2020-12-28)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.3.1 (2020-09-30)

Bug fixes

  • We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.3.0 (2020-09-04)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.
  • A vault's access policy document is now available in its Policy field.

Policy Types

Renamed

  • AWS > Backup > Regions [Default] to AWS > Backup > Regions

5.2.0 (2020-08-13)

What's new?

  • Updated AWS > Backup > Regions policy default value to now include us-gov-east-1, us-gov-west-1.

Policy Types

Added

  • AWS > Backup > Backup Vault > Approved > Encryption at Rest
  • AWS > Backup > Backup Vault > Approved > Encryption at Rest > Customer Managed Key

5.1.5 (2020-08-11)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.1.4 (2020-07-06)

Bug fixes

  • Updated various resource configurations to provide better compatibility with AWS China regions.

5.1.3 (2020-06-12)

What's new?

  • All resource Router actions now run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.

5.1.2 (2020-05-26)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.