Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Use AWS DLM to Automate EBS Snapshot Lifecycle

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Amazon DLM is used to automate the creation, retention and deletion of the EBS snapshots taken to back up EBS volumes within your AWS account. Amazon Data Lifecycle Manager (DLM) provides a straightforward, automated way to back up data stored on your AWS EBS volumes so you don't have to rely anymore on custom scripts to create and manage your backups.

Reliability

With AWS DLM service, you can manage the lifecycle of your EBS volume snapshots. By automating the EBS volume backup management using lifecycle policies, you can protect your EBS data by enforcing a regular backup schedule, retain backups as required by auditors or internal compliance, and reduce Amazon EBS storage costs by deleting outdated snapshots.

Audit

To determine if Amazon DLM is used to automate EBS volume snapshots lifecycle in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under ELASTIC BLOCK STORE, click Lifecycle Manager to access the list of lifecycle policies created by Amazon DLM in the current region. A DLM lifecycle policy is used to automate the creation and deletion of EBS volume snapshots based on a defined schedule. For example, you can have a lifecycle policy that manages all AWS EBS volumes with the tag set to "Environment = Production", creates snapshots every 24 hours at 4AM, and retains the seven most recent EBS snapshots. If there are no lifecycle policies listed on the Lifecycle Manager page, Amazon DLM service is not used to automate the EBS volume snapshots lifecycle within the current region.

04 Change the AWS region from the navigation bar and repeat step no. 3 for other regions.

Using AWS CLI

01 Run get-lifecycle-policies command (OSX/Linux/UNIX) using custom query filters to describe the data lifecycle policies created by Amazon DLM in the selected AWS region:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws dlm get-lifecycle-policies
	--region us-east-1
	--query 'Policies'

02 The command output should return an array with the requested AWS DLM information:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
[]

If get-lifecycle-policies command output returns an empty array, as shown in the example above, there are no data lifecycle policies currently available, therefore Amazon DLM is not used to automate the EBS volume snapshots management in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To use Amazon Data Lifecycle Manager (DLM) service to manage the lifecycle of your EBS volume snapshots, you have to tag your AWS EBS volumes and create data lifecycle policies via Amazon DLM. To tag the necessary volume(s) and create the required lifecycle policy, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE, click Volumes.

04 Select the EBS volume that you want to tag for snapshot lifecycle automation.

05 Choose the Tags tab from the dashboard top menu and click Add/Edit Tags to add a new and unique tag set to the selected volume for snapshot automation with AWS DLM.

06 In the Add/Edit Tags dialog box, click Create Tag to create the required tag set, then click Save to apply the changes.

07 Now that the appropriate EBS volume is tagged in order to be targeted by Amazon DLM, you have to create the required lifecycle policy. In the navigation panel, under ELASTIC BLOCK STORE, click Lifecycle Manager.

08 Click Create Snapshot Lifecycle Policy button from the dashboard top menu to initiate the data lifecycle policy setup process.

09 On the Create Snapshot Lifecycle Policy page, provide the following information:

  1. In the Description box, type a short description for the new policy.
  2. From Target with these tags dropdown list, select the resource tags that identify the EBS volume to back up, created at the previous steps.
  3. In the Schedule Name, type a unique name for the backup schedule. Any EBS snapshot created with this policy will be automatically tagged with the schedule name.
  4. From Run policy every dropdown list, choose the number of hours between the lifecycle policy runs.
  5. Within Starting at box, configure the time of day when policy execution is scheduled to start. The policy execution starts within an hour after the scheduled time.
  6. In the Retention rule box, enter the maximum number of snapshots to retain for each targeted EBS volume. The supported range is 1 to 1000. After the limit is reached, the oldest snapshot is deleted when a new one is created.
  7. (Optional) Select Copy Tags from volume checkbox to copy all user-defined tags on the EBS source volume to the snapshots created by this lifecycle policy.
  8. (Optional) For Additional tags, click Add Tag to create additional resource tags and apply them to the snapshots created by this policy
  9. From IAM role, choose Default role (i.e. AWSDataLifecycleManagerDefaultRole) to attach an IAM role that has permissions to create, delete, describe volumes and snapshots, to the new lifecycle policy.
  10. Review the policy configuration details, available in the Policy summary section, then select Enable policy for Policy status after creation, to start the policy execution at the next scheduled time.
  11. Click Create Policy to create your new snapshot lifecycle policy. Once the confirmation message is displayed, click Close to return to the EC2 dashboard. The lifecycle policy state should be set to ENABLED.

10 If required, repeat steps no. 3 – 9 to create snapshot lifecycle policies for other Amazon EBS volumes available in the current region.

11 Change the AWS region from the navigation bar and repeat steps no. 3 – 10 for other regions.

Using AWS CLI

01 Run create-tags command (OSX/Linux/UNIX) to add new tags to the AWS EBS volume targeted for snapshot automation with Amazon Data Lifecycle Manager (DLM) service. The new tag set is required by the snapshot lifecycle policy for EBS resource identification (the command does not produce an output):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws ec2 create-tags
	--region us-east-1
	--resources vol-0abcdabcdabcdabcd
	--tags Key=Environment,Value=Production

02 Define the configuration parameters of your new snapshot lifecycle policy, required by the create-lifecycle-policy command. Create a new JSON document, name it lifecycle-policy-config.json, paste the content described below, then adjust the necessary parameters based on your EBS backup needs. The following example represents a simple snapshot lifecycle policy that configures Amazon DLM to take daily backups, at 4AM, for an EBS volume tagged with "Environment = Production" tag set, that implements a retention period of 7 days:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
{
   "ResourceTypes": [
      "VOLUME"
   ],
   "TargetTags": [
      {
         "Key": "Environment",
         "Value": "Production"
      }
   ],
   "Schedules":[
      {
         "Name": "DailySnapshots",
         "CreateRule": {
            "Interval": 24,
            "IntervalUnit": "HOURS",
            "Times": [
               "04:00"
            ]
         },
         "CopyTags": false,
         "RetainRule": {
            "Count": 7
         }
      }
   ]
}

03 Run create-lifecycle-policy command (OSX/Linux/UNIX) using the policy definition created at the previous step (i.e. lifecycle-policy-config.json) as value for the --policy-details parameter and the ARN of the AWS-managed IAM role that has permissions to create, delete and describe volumes/snapshots, to create a snapshot lifecycle policy for the Amazon EBS volume tagged earlier in the process:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws dlm create-lifecycle-policy
	--region us-east-1
	--execution-role-arn arn:aws:iam::123456789012:role/service-role/AWSDataLifecycleManagerDefaultRole
	--description "Snapshot lifecycle policy for production EBS volumes"
	--state ENABLED
	--policy-details file://lifecycle-policy-config.json

04 The command output should return the ID of the new Amazon DLM lifecycle policy:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
{
    "PolicyId": "policy-01234abcd1234abcd"
}

05 If required, repeat steps no. 1 – 4 to create snapshot lifecycle policies for other Amazon EBS volumes available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 for other regions.

References

Publication date 2019-03-33

Related DLM rules