April 05, 2021
Deleting AWS Backup Vaults Recovery Points at Scale
This time-consuming chore can be quickly handled with the right script.
Within CDW’s Amazon Web Services practice, we maintain a number of AWS accounts for managing our day-to-day business activities. One of the accounts is the “Sandbox Training” account, which provides an environment for our CDW coworkers to learn and experiment with a multitude of AWS services.
Periodically, we review the account to understand its cost and resource usage patterns. Recently I found that AWS Backup had created many snapshots in our training account, as depicted in the following image.
Most likely, the vault was created as a part of the training and learning exercise. The AWS Backup policy was created to back up a few EBS volumes every night. Due to an oversight, the user forgot to delete the backup policy after the experimentation was over.
Deleting AWS Backup Snapshots
I could have deleted the snapshots by clicking through the AWS Management Console user interface. By design, the AWS Backup interface currently does not support the ability to select and delete all the snapshots in one go. Instead of deleting the backups one at a time, I decided to automate the deletion of snapshots by creating a script. I can reuse the script in different accounts, or at a later time in the same account, for the next cost and management oversight activity.
Since the backup policies were managed exclusively via the “AWS Backup” service (and not through the IAM policy), I was not able to use my administrator credentials for deleting the snapshots. I had to first attach a backup policy to the backup vault by navigating to the AWS Backup console, as illustrated in the following figure:
Developing an AWS Backup Policy
Here is the full policy, which you can copy for managing your Backup snapshots as well (after replacing <aws-acct-id> and <iam-user-id> appropriately):
The above backup policy gives the specified principal/user the permission to use AWS Backup APIs for managing backup vaults. Then we used the following shell script to automatically delete the snapshots from the command line:
Once all the recovery points are deleted, we can delete the vault as well, if required. So, a few lines of shell script made it easy for us to automate the mundane task of deleting snapshots created within the AWS Backup service.
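One way to script this cleanup with the AWS CLI, added here as an example and not the author's original script: it lists every recovery point in one vault and deletes them only when --force is passed, because a deleted recovery point cannot be restored. The function names and the dry-run default are choices made for this example; it assumes the AWS CLI is installed and that the caller is allowed by the vault's policy.

```sh
#!/bin/sh
# Added example: empty one AWS Backup vault of its recovery points.
# Dry run unless the second argument is --force. Usage: purge.sh VAULT [--force]
set -eu

# Print one recovery point ARN per line for the vault named in $1.
list_recovery_points() {
  out=$(aws backup list-recovery-points-by-backup-vault \
          --backup-vault-name "$1" \
          --query 'RecoveryPoints[].RecoveryPointArn' \
          --output text) || return 1
  # Text output is tab-separated; drop blank lines and a literal "None".
  printf '%s\n' "$out" | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Delete (or, in a dry run, only report) every recovery point in vault $1.
# Progress goes to stderr; stdout gets "<handled> <failed>".
purge_vault() {
  vault="$1"; mode="${2:-}"
  handled=0; failed=0
  arns=$(list_recovery_points "$vault") || { echo "cannot list $vault" >&2; return 2; }
  for arn in $arns; do
    if [ "$mode" != "--force" ]; then
      echo "would delete $arn" >&2
    elif aws backup delete-recovery-point \
           --backup-vault-name "$vault" --recovery-point-arn "$arn"; then
      echo "deleted $arn" >&2
    else
      # Keep going so one recovery point that cannot be deleted does not stop the run.
      echo "FAILED  $arn" >&2
      failed=$((failed + 1))
    fi
    handled=$((handled + 1))
  done
  echo "$handled $failed"
  [ "$failed" -eq 0 ]
}

# Run only when a vault name is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  purge_vault "$@"
fi
```

Run it once without --force and review the listed ARNs before repeating the command with --force.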
CDW’s AWS Practice
CDW has a mature AWS practice both in the professional and managed services areas. We have highly qualified teams consisting of solutions architects, delivery engineers, technical account managers (TAMs), and operations and DevOps engineers. All of the technical folks have achieved 100 percent AWS certifications at associate, specialty and professional levels in their practice area. CDW professional and managed services can assist your organization by providing thought leadership to assist you in your cloud journey.