AWS Backup

Overview

This document describes the integration process between FenixDFA and AWS Backup, detailing the required configuration steps and data needed for successful integration.

Prerequisites

  • Access to the AWS Management Console
  • AWS IAM user or role with appropriate permissions for AWS Backup
  • Active AWS account and region with AWS Backup configured

Configuration Process

1. Create an IAM User or Role

  1. Navigate to the IAM section in the AWS Management Console.
  2. For IAM User:
    • Select Users and click Add Users.
    • Provide a username and select Programmatic Access.
    • Attach the necessary permissions (e.g., AWSBackupReadOnlyAccess) or create a custom policy.
    • Complete the setup and download the Access Key ID and Secret Access Key.
  3. For IAM Role:
    • Select Roles and click Create Role.
    • Choose a trusted entity (e.g., an EC2 instance or Lambda function).
    • Attach the necessary permissions (e.g., AWSBackupReadOnlyAccess) or create a custom policy.
    • Save the role’s ARN for future use.

2. Configure Permissions

If using a custom policy, ensure it includes at least the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsBackupAllAccess",
            "Effect": "Allow",
            "Action": [
                "backup:Get*",
                "backup:List*",
                "backup:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RDSDescribeAccess",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBSnapshots",
                "rds:ListTagsForResource",
                "rds:DescribeDBInstances",
                "rds:describeDBEngineVersions",
                "rds:describeOptionGroups",
                "rds:describeOrderableDBInstanceOptions",
                "rds:describeDBSubnetGroups",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBInstanceAutomatedBackups",
                "rds:DescribeDBClusterAutomatedBackups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DynamoDBAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListBackups",
                "dynamodb:ListTables"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EFSAccess",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeFilesystems"
            ],
            "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*"
        },
        {
            "Sid": "EC2Access",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:describeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeAddresses"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TagReadAccess",
            "Effect": "Allow",
            "Action": [
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StorageGatewaySCSIAccess",
            "Effect": "Allow",
            "Action": [
                "storagegateway:DescribeCachediSCSIVolumes",
                "storagegateway:DescribeStorediSCSIVolumes"
            ],
            "Resource": "arn:aws:storagegateway:*:*:gateway/*/volume/*"
        },
        {
            "Sid": "StorageGatewayReadAccess",
            "Effect": "Allow",
            "Action": [
                "storagegateway:ListGateways"
            ],
            "Resource": "arn:aws:storagegateway:*:*:*"
        },
        {
            "Sid": "StorageGatewayDiskReadAccess",
            "Effect": "Allow",
            "Action": [
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:ListLocalDisks"
            ],
            "Resource": "arn:aws:storagegateway:*:*:gateway/*"
        },
        {
            "Sid": "StorageGatewayVolumeReadAccess",
            "Effect": "Allow",
            "Action": [
                "storagegateway:ListVolumes"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OrganizationsAccess",
            "Effect": "Allow",
            "Action": "organizations:DescribeOrganization",
            "Resource": "*"
        },
        {
            "Sid": "SSMReadAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:CancelCommand",
                "ssm:GetCommandInvocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FSXDescribeAccess",
            "Effect": "Allow",
            "Action": "fsx:DescribeBackups",
            "Resource": "arn:aws:fsx:*:*:backup/*"
        },
        {
            "Sid": "FSxFileAccess",
            "Effect": "Allow",
            "Action": "fsx:DescribeFileSystems",
            "Resource": "arn:aws:fsx:*:*:file-system/*"
        },
        {
            "Sid": "FSxVolumeAccess",
            "Effect": "Allow",
            "Action": "fsx:DescribeVolumes",
            "Resource": "arn:aws:fsx:*:*:volume/*/*"
        },
        {
            "Sid": "FSxMachineAccess",
            "Effect": "Allow",
            "Action": "fsx:DescribeStorageVirtualMachines",
            "Resource": "arn:aws:fsx:*:*:storage-virtual-machine/*/*"
        },
        {
            "Sid": "DirectoryServiceAccess",
            "Effect": "Allow",
            "Action": "ds:DescribeDirectories",
            "Resource": "*"
        },
        {
            "Sid": "BackupGatewayListAccess",
            "Effect": "Allow",
            "Action": [
                "backup-gateway:ListGateways",
                "backup-gateway:ListHypervisors",
                "backup-gateway:ListTagsForResource",
                "backup-gateway:ListVirtualMachines"
            ],
            "Resource": "*"
        },
        {
            "Sid": "BackupGatewayHypervisorAccess",
            "Effect": "Allow",
            "Action": [
                "backup-gateway:GetHypervisor",
                "backup-gateway:GetHypervisorPropertyMappings"
            ],
            "Resource": "arn:aws:backup-gateway:*:*:hypervisor/*"
        },
        {
            "Sid": "BackupGatewayMachineAccess",
            "Effect": "Allow",
            "Action": [
                "backup-gateway:GetVirtualMachine"
            ],
            "Resource": "arn:aws:backup-gateway:*:*:vm/*"
        },
        {
            "Sid": "BackupGatewayAccess",
            "Effect": "Allow",
            "Action": [
                "backup-gateway:GetBandwidthRateLimitSchedule",
                "backup-gateway:GetGateway"
            ],
            "Resource": "arn:aws:backup-gateway:*:*:gateway/*"
        },
        {
            "Sid": "CloudWatchAccess",
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Sid": "TimestreamListAccess",
            "Effect": "Allow",
            "Action": [
                "timestream:ListDatabases",
                "timestream:ListTables"
            ],
            "Resource": [
                "arn:aws:timestream:*:*:database/*"
            ]
        },
        {
            "Sid": "TimestreamDescribeAccess",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3ListAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "RedshiftAccess",
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeSnapshotSchedules"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:cluster:*",
                "arn:aws:redshift:*:*:subnetgroup:*",
                "arn:aws:redshift:*:*:snapshot:*/*",
                "arn:aws:redshift:*:*:snapshotschedule:*"
            ]
        },
        {
            "Sid": "RedshiftOptionsAccess",
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeNodeConfigurationOptions",
                "redshift:DescribeOrderableClusterOptions",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterTracks"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftServerlessListPermissions",
            "Effect": "Allow",
            "Action": [
                "redshift-serverless:ListNamespaces",
                "redshift-serverless:ListSnapshots",
                "redshift-serverless:ListWorkgroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "RedshiftServerlessGetPermissions",
            "Effect": "Allow",
            "Action": [
                "redshift-serverless:GetNamespace",
                "redshift-serverless:GetSnapshot",
                "redshift-serverless:GetWorkgroup"
            ],
            "Resource": [
                "arn:aws:redshift-serverless:*:*:namespace/*",
                "arn:aws:redshift-serverless:*:*:workgroup/*",
                "arn:aws:redshift-serverless:*:*:snapshot/*"
            ]
        },
        {
            "Sid": "CloudFormationAccess",
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/*"
            ]
        },
        {
            "Sid": "SAPAccess",
            "Effect": "Allow",
            "Action": [
                "ssm-sap:GetOperation",
                "ssm-sap:ListDatabases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SAPDatabaseAccess",
            "Effect": "Allow",
            "Action": [
                "ssm-sap:GetDatabase",
                "ssm-sap:ListTagsForResource"
            ],
            "Resource": "arn:aws:ssm-sap:*:*:*"
        },
        {
            "Sid": "RAMAccess",
            "Effect": "Allow",
            "Action": [
                "ram:GetResourceShareAssociations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DSQLDescribePermissions",
            "Effect": "Allow",
            "Action": [
                "dsql:GetCluster",
                "dsql:ListClusters",
                "dsql:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
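
Before attaching a custom policy to the integration's IAM user or role, it is worth checking that it grants only read-style actions. The following is an added example, not FenixDFA or AWS code: the function names are hypothetical, and the Get/List/Describe prefix test is a naming heuristic assumed here, not an AWS classification.

```python
import json

# Verb prefixes treated as read-only: a naming heuristic, not an AWS classification.
READ_PREFIXES = ("get", "list", "describe")

# Constructed sample: four statements taken from the policy above, one shortened.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AwsBackupAllAccess", "Effect": "Allow",
   "Action": ["backup:Get*", "backup:List*", "backup:Describe*"], "Resource": "*"},
  {"Sid": "RDSDescribeAccess", "Effect": "Allow",
   "Action": ["rds:DescribeDBSnapshots", "rds:describeOptionGroups"], "Resource": "*"},
  {"Sid": "OrganizationsAccess", "Effect": "Allow",
   "Action": "organizations:DescribeOrganization", "Resource": "*"},
  {"Sid": "SSMReadAccess", "Effect": "Allow",
   "Action": ["ssm:CancelCommand", "ssm:GetCommandInvocation"], "Resource": "*"}
]}
""")


def as_list(value):
    """IAM accepts a bare string or object where a list is also allowed."""
    return list(value) if isinstance(value, list) else [value]


def non_read_actions(policy):
    """Return (Sid, action) pairs from Allow statements that are not read-style."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((sid, "NotAction"))
            continue
        for action in as_list(stmt.get("Action", [])):
            # Action names are case-insensitive; "*" and "svc:*" have no read prefix.
            verb = action.split(":", 1)[-1].lower()
            if not verb.startswith(READ_PREFIXES):
                findings.append((sid, action))
    return findings


if __name__ == "__main__":
    for sid, action in non_read_actions(SAMPLE_POLICY):
        print(f"{sid}: {action} is not a Get/List/Describe action")
```

Run against the full policy above, the only action this check reports is ssm:CancelCommand in the SSMReadAccess statement; every other action listed is a Get, List or Describe call.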