A requirement came up to create EBS snapshots automatically in one account and share them with users in another account for shared management. Amazon Data Lifecycle Manager (DLM) for EBS snapshots can be used to define the relevant policies.
Creating via the console
Two policy types are involved: the schedule-based "EBS snapshot policy" and the event-based "Cross-account copy event policy". The snapshot policy runs in the source account, creates the snapshots and shares them; the copy event policy runs in the target account and copies the shared snapshots into that account. The snapshot policy alone is enough for sharing; the copy event policy additionally gives the target account its own copy.
Cross-account copy event policy
Select policy type

Go to EC2 and, in the left-hand menu under Elastic Block Store, open "Lifecycle Manager" (DLM), then create a lifecycle policy.
Create lifecycle policy

Enter a policy description such as "Daily snapshot policy with cross-account sharing", then add the AWS account ID(s) whose shared snapshots should be copied, i.e. the source account (an account ID can be copied from the account menu in the top-right corner of the console). "Copy snapshots with this snapshot description" is a regular-expression filter: .* means this account copies every snapshot shared by the specified AWS accounts, so narrow the pattern if the source account also shares snapshots for other purposes.

Enter the policy name. If everything is in the same region, keep the target region the same as the source account's region. Set the retention ("expire after") according to your needs; the remaining settings such as the KMS key can stay at their defaults unless you need the advanced options. Under "Policy status", select "Enabled" if the policy should take effect immediately; a policy that is not enabled does nothing after it is created.
EBS snapshot policy
Select policy type

Create lifecycle policy

For the target resource type choose volumes or instances; with instances, a snapshot is created for every volume attached to the instance. Specify the target resource tags: only resources carrying those tags are backed up. The remaining options depend on your situation.
Configure schedule

When setting the detailed schedule, the drop-down menu offers a cron expression option; also set the retention count.

Under advanced options, find "Cross-account sharing" to share the snapshots with other accounts. Note that snapshots encrypted with the AWS-managed key (aws/ebs) cannot be shared with another account; use a customer-managed KMS key whose key policy grants the target account access.
Creating via a CloudFormation stack
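The two console procedures above (the cross-account copy event policy in the target account and the EBS snapshot policy with cross-account sharing in the source account) correspond to two DLM PolicyDetails documents. The following is an added example, not code from the original page or from AWS: it builds both documents in the shape the DLM CreateLifecyclePolicy API expects and cross-checks them before deployment (account ID format, that the copy policy names the sharing account, that the unshare interval does not cut the target off before the snapshot expires, and that the description regex is not a catch-all). The account IDs, tag values, region and role ARN are made-up placeholders.

```python
"""Build and cross-check the two DLM policy documents from the console steps above.

Added example (not from the original page): the PolicyDetails shapes follow the
DLM CreateLifecyclePolicy API; account IDs, tags and regions are placeholders.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Days per UnshareIntervalUnit, used to compare unshare timing with retention.
_UNIT_DAYS = {"DAYS": 1, "WEEKS": 7, "MONTHS": 30, "YEARS": 365}


def snapshot_share_policy(target_accounts, tag_key, tag_value,
                          cron="cron(0 1 * * ? *)", retain_count=7, unshare_days=7):
    """Source account: schedule-based EBS snapshot policy with a cross-account share rule."""
    return {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
        "ResourceTypes": ["VOLUME"],                      # or INSTANCE for multi-volume snapshots
        "TargetTags": [{"Key": tag_key, "Value": tag_value}],
        "Schedules": [{
            "Name": "DailySnapshotsAndShare",
            "TagsToAdd": [{"Key": "CreatedBy", "Value": "DLM"}],
            "CreateRule": {"CronExpression": cron},       # the console's cron option
            "RetainRule": {"Count": retain_count},
            "ShareRules": [{
                "TargetAccounts": list(target_accounts),
                "UnshareInterval": unshare_days,
                "UnshareIntervalUnit": "DAYS",
            }],
        }],
    }


def cross_account_copy_policy(source_accounts, target_region, retain_days=7,
                              description_regex=".*", cmk_arn=None):
    """Target account: event-based policy that copies snapshots the source accounts share."""
    encryption = {"Encrypted": cmk_arn is not None}
    if cmk_arn:                                           # re-encrypt the copies under our own key
        encryption["CmkArn"] = cmk_arn
    return {
        "PolicyType": "EVENT_BASED_POLICY",
        "EventSource": {
            "Type": "MANAGED_CWE",
            "Parameters": {
                "EventType": "shareSnapshot",
                "SnapshotOwner": list(source_accounts),   # accounts whose shares we accept
                "DescriptionRegex": description_regex,    # the console's description filter
            },
        },
        "Actions": [{
            "Name": "CopySharedSnapshots",
            "CrossRegionCopy": [{
                "Target": target_region,
                "EncryptionConfiguration": encryption,
                "RetainRule": {"Interval": retain_days, "IntervalUnit": "DAYS"},
            }],
        }],
    }


def check_policy_pair(share_policy, copy_policy, source_account):
    """Return a list of problems to fix before deploying (empty list = consistent)."""
    problems = []
    sched = share_policy["Schedules"][0]
    share = sched["ShareRules"][0]
    params = copy_policy["EventSource"]["Parameters"]
    for acct in share["TargetAccounts"] + params["SnapshotOwner"]:
        if not ACCOUNT_ID_RE.match(acct):
            problems.append(f"malformed account id {acct!r}")
    if source_account not in params["SnapshotOwner"]:
        problems.append("copy policy does not list the sharing account in SnapshotOwner")
    # With the daily cron above, a Count-based RetainRule keeps a snapshot for Count days;
    # unsharing earlier than that cuts the target account off while the snapshot still exists.
    keep_days = sched["RetainRule"]["Count"]
    unshare_days = share["UnshareInterval"] * _UNIT_DAYS[share["UnshareIntervalUnit"]]
    if unshare_days < keep_days:
        problems.append(f"unshared after {unshare_days} days but retained for {keep_days}")
    if params["DescriptionRegex"] == ".*":
        problems.append("DescriptionRegex '.*' copies everything the source shares; narrow it")
    return problems


def create_policy(policy_details, role_arn, description, region):
    """Create the policy with boto3 (imported lazily so the checks above run offline)."""
    import boto3
    dlm = boto3.client("dlm", region_name=region)
    resp = dlm.create_lifecycle_policy(ExecutionRoleArn=role_arn, Description=description,
                                       State="ENABLED", PolicyDetails=policy_details)
    return resp["PolicyId"]


if __name__ == "__main__":
    share = snapshot_share_policy(["222222222222"], "BackupPlan", "Gold")
    copy = cross_account_copy_policy(["111111111111"], "us-east-1", description_regex="^Daily")
    print(check_policy_pair(share, copy, "111111111111"))   # [] when consistent
```

Run the checks first, then pass each document to `create_policy` in the right account: the share policy with the source account's DLM role, the copy policy with the target account's. Passing `cmk_arn` to `cross_account_copy_policy` re-encrypts the copies under a key the target account controls, which is what you want if the source key policy grant is ever revoked.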
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Setup DLM to create EBS snapshots and share them with another AWS Account.'
Parameters:
  TargetAccountId:
    Type: String
    Description: 'The 12-digit AWS Account ID to share snapshots with.'
    AllowedPattern: '^\d{12}$'
  VolumeTagKey:
    Type: String
    Default: 'BackupPlan'
    Description: 'The tag key on EBS volumes to target.'
  VolumeTagValue:
    Type: String
    Default: 'Gold'
    Description: 'The tag value on EBS volumes to target.'
  SnapshotRetentionCount:
    Type: Number
    Default: 7
    Description: 'Number of snapshots to retain.'
Resources:
  # IAM Role for DLM
  # DLM needs permission to manage snapshots and modify their attributes (for sharing)
  DLMLifecycleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: dlm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DLMSnapshotManagement
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateSnapshot
                  - ec2:CreateSnapshots
                  - ec2:DeleteSnapshot
                  - ec2:DescribeInstances
                  - ec2:DescribeVolumes
                  - ec2:DescribeSnapshots
                Resource: "*"
              # Permission required to add tags to created snapshots,
              # scoped to snapshots only (as in the AWS-managed AWSDataLifecycleManagerServiceRole policy)
              - Effect: Allow
                Action:
                  - ec2:CreateTags
                Resource: "arn:aws:ec2:*::snapshot/*"
              - Effect: Allow
                Action:
                  # Permission specifically required to SHARE snapshots
                  - ec2:ModifySnapshotAttribute
                  - ec2:DescribeSnapshotAttribute
                Resource: "*"
  # DLM Lifecycle Policy
  DLMSharePolicy:
    Type: AWS::DLM::LifecyclePolicy
    Properties:
      Description: 'Daily snapshot policy with cross-account sharing'
      State: ENABLED
      ExecutionRoleArn: !GetAtt DLMLifecycleRole.Arn
      PolicyDetails:
        PolicyType: EBS_SNAPSHOT_MANAGEMENT
        # Snapshot individual volumes (use INSTANCE for multi-volume snapshots of an instance)
        ResourceTypes:
          - VOLUME
        # Target EBS volumes with specific tags
        TargetTags:
          - Key: !Ref VolumeTagKey
            Value: !Ref VolumeTagValue
        Schedules:
          - Name: 'DailySnapshotsAndShare'
            TagsToAdd:
              - Key: 'CreatedBy'
                Value: 'DLM-CloudFormation'
            # Create a snapshot every 24 hours
            CreateRule:
              Interval: 24
              IntervalUnit: HOURS
              Times:
                - '01:00' # UTC time
            # Retain the newest X snapshots
            RetainRule:
              Count: !Ref SnapshotRetentionCount
            # Configuration for sharing with another account
            ShareRules:
              - TargetAccounts:
                  - !Ref TargetAccountId
                # Unshare (stop sharing) after this interval.
                # With a daily schedule, set >= RetainRule so the snapshot stays shared for its whole life.
                UnshareInterval: !Ref SnapshotRetentionCount
                UnshareIntervalUnit: 'DAYS'
Outputs:
  DLMPolicyId:
    Description: 'The ID of the created DLM Policy'
    Value: !Ref DLMSharePolicy
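Once the policy (from the console or from the stack) has run, verify what was actually shared rather than trusting the policy state. The following is an added example, not code from the original page or from the template above: it audits the createVolumePermission attribute of the snapshots the policy tagged and flags snapshots that are public, shared with an account other than the intended one, not shared at all, or encrypted with the AWS-managed key that DLM cannot share. The API responses are constructed inline in the shape returned by ec2:DescribeSnapshots, ec2:DescribeSnapshotAttribute and kms:DescribeKey; the `collect` helper shows how to fetch the real ones with boto3 (without pagination, which you would add for large accounts). Account IDs, snapshot IDs and key ARNs are made up.

```python
"""Audit which accounts can copy the snapshots a DLM share policy produced.

Added example, not part of the original page. All API responses below are
constructed sample data; collect() fetches real ones with boto3.
"""

TARGET_ACCOUNT = "222222222222"  # made-up account that should receive the snapshots
DLM_TAG = ("CreatedBy", "DLM-CloudFormation")  # tag the template's TagsToAdd applies

# Constructed DescribeSnapshots records (only the fields the audit uses).
SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-1111",
     "Tags": [{"Key": "CreatedBy", "Value": "DLM-CloudFormation"}]},
    {"SnapshotId": "snap-0b2", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/awsebs-2222",
     "Tags": [{"Key": "CreatedBy", "Value": "DLM-CloudFormation"}]},
    {"SnapshotId": "snap-0c3", "Encrypted": False,
     "Tags": [{"Key": "CreatedBy", "Value": "DLM-CloudFormation"}]},
    {"SnapshotId": "snap-0d4", "Encrypted": False, "Tags": []},  # manual snapshot, not DLM's
]

# Constructed DescribeSnapshotAttribute (Attribute=createVolumePermission) results.
PERMISSIONS = {
    "snap-0a1": [{"UserId": "222222222222"}],
    "snap-0b2": [],                                  # share never happened (AWS-managed key)
    "snap-0c3": [{"UserId": "222222222222"}, {"UserId": "333333333333"}, {"Group": "all"}],
    "snap-0d4": [],
}

# Constructed kms:DescribeKey KeyMetadata.KeyManager values per key ARN.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111111111111:key/cmk-1111": "CUSTOMER",
    "arn:aws:kms:us-east-1:111111111111:key/awsebs-2222": "AWS",
}


def audit_snapshot(snapshot, permissions, key_manager, expected_account):
    """Return a list of findings for one snapshot (empty list means it is as intended)."""
    findings = []
    if any(p.get("Group") == "all" for p in permissions):
        findings.append("PUBLIC: createVolumePermission granted to group 'all'")
    shared = {p["UserId"] for p in permissions if "UserId" in p}
    if expected_account not in shared:
        findings.append(f"not shared with {expected_account}")
    extra = sorted(shared - {expected_account})
    if extra:
        findings.append(f"shared with unexpected accounts {extra}")
    if snapshot.get("Encrypted") and key_manager.get(snapshot.get("KmsKeyId")) == "AWS":
        findings.append("encrypted with the AWS-managed aws/ebs key; DLM cannot share it")
    return findings


def audit_all(snapshots, permissions, key_manager, expected_account, tag=DLM_TAG):
    """Audit only the snapshots carrying the DLM tag; returns {snapshot_id: findings}."""
    report = {}
    for snap in snapshots:
        tags = {t["Key"]: t["Value"] for t in snap.get("Tags", [])}
        if tags.get(tag[0]) != tag[1]:
            continue
        report[snap["SnapshotId"]] = audit_snapshot(
            snap, permissions.get(snap["SnapshotId"], []), key_manager, expected_account)
    return report


def collect(region, owner_account):
    """Fetch the three data sets from AWS (lazy import keeps the audit runnable offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    snaps = ec2.describe_snapshots(OwnerIds=[owner_account])["Snapshots"]
    perms = {s["SnapshotId"]: ec2.describe_snapshot_attribute(
                 SnapshotId=s["SnapshotId"], Attribute="createVolumePermission")["CreateVolumePermissions"]
             for s in snaps}
    managers = {}
    for s in snaps:
        key = s.get("KmsKeyId")
        if key and key not in managers:
            managers[key] = kms.describe_key(KeyId=key)["KeyMetadata"]["KeyManager"]
    return snaps, perms, managers


if __name__ == "__main__":
    for snap_id, findings in audit_all(SNAPSHOTS, PERMISSIONS, KEY_MANAGER, TARGET_ACCOUNT).items():
        print(snap_id, findings or "ok")
```

In the sample data only snap-0a1 is clean; snap-0b2 shows the silent failure mode of the aws/ebs key (the policy ran, nothing was shared), and snap-0c3 shows the two conditions worth alerting on regardless of DLM: a public snapshot and a share to an account the policy never named. Untagged snapshots are skipped so the audit stays scoped to what the policy manages.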
References
Automate backups with Amazon Data Lifecycle Manager - Amazon EBS
Automate cross-account snapshot copies with Data Lifecycle Manager - Amazon EBS