RDS Offsite Backup
Build
Building is possible using the go way (for further information see the go website).
Usage
Call the built binary with
rds_backup snapshot backup <rds-instance-id> <database>
There are options to specify the user and password using the -u
and -p
flags.
Custom Policy
Having a dedicated user with credentials that are only allowed to execute the
actions required is advised to prevent misuse in case of leaked credentials.
The following IAM policies are required. Make sure to replace the
account-id
and <identifier>
placeholders to appropriate values. Changing
the region might be required, too.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1410789578000",
"Effect": "Allow",
"Action": [
"rds:DescribeDBSnapshots"
],
"Resource": [
"arn:aws:rds:eu-west-1:<account-id>:db:<identifier>",
]
},
{
"Sid": "Stmt1410790425000",
"Effect": "Allow",
"Action": [
"rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:ModifyDBInstance"
],
"Resource": [
"arn:aws:rds:eu-west-1:<account-id>:secgrp:sg-<identifier>-backup",
]
},
{
"Sid": "Stmt1410790425001",
"Effect": "Allow",
"Action": [
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:DescribeDBInstances",
"rds:ModifyDBInstance",
"rds:DeleteDBInstance"
],
"Resource": [
"arn:aws:rds:eu-west-1:<account-id>:db:<identifier>-backup",
"arn:aws:rds:eu-west-1:<account-id>:snapshot:rds:<identifier>-*",
]
}
]
}