Migrating from tag-based policy to the AWS protection rules

This article will guide you through the steps of migrating from the existing tag-based policy methodology to the new AWS protection rules. Before actually jumping onto the steps, let’s first discuss what AWS Protection Rules are.

AWS Protection rules define which assets will be protected, and allow you to automate your protection across EC2, EBS, RDS, and DynamoDB assets. Simply define your desired conditions and associated policies, and we'll take care of the rest!

Important Notes**

• Currently AWS Protection Rules do not support S3 and MS SQL on EC2 datasources.
• After you finish creating protection rules (by following steps as defined in this article) for all your backup policies , contact support@clumio.com to have protection rules enabled in your account.

Features:

Protection automation - One rule can cover all accounts and regions

Prioritizations - no more tag conflicts!

Rules Preview - Gain full visibility into how newly created rules would impact your environment without committing

Direct Asset Protection - Apply a policy directly to an asset, regardless of its tags

Prerequisites: 

• To use protection rules, use standard tags across all AWS(EC2, EBS, RDS and DynamoDB) assets that need to be protected.

For example: If you have a Backup:Clumio tag associated with your AWS assets in AWS Account 123, then create a protection rule using this tag. Clumio searches for assets with this tag and automatically starts protecting them with the backup policy associated with your protection rule.

• From your Clumio UI, go to Policies (from the left navigation pane), then, under Manage Policies, look for all the policies that are currently protecting your EC2/EBS/RDS/DynamoDB and look for the asset count (under the Asset tab) corresponding to each backup policy. Record these counts to use later in the process.

Create a protection rule for each of your backup policies protecting AWS assets (EC2,EBS,RDS and DynamoDB). The asset count for each protection rule must match the policy asset counts to complete the policy migration successfully.

For example, in the screenshot, there are two policies, each of which is currently protecting 1 AWS asset (see the highlighted circle, which shows the protected assets count with respective backup policy). In this case, you would need to create 2 protection rules, and each protection rule should have an asset count that matches the numbers shown.

To create a protection rule:

Step 1: Login to your Clumio UI, go to Policies (from the left navigation pane) then click the AWS Protection Rules tab.

Step 2. Click Create Protection Rule, which opens a pop-up window. Fill in required details like the protection rule name and define your desired conditions, and click Next.

For example, in Account 123 the tag backup:clumio-backup is protected with the test backup policy. In Conditions, select Account as Account 123 or ANY account and specify the tag backup:clumio-backup, and click Next. Selecting ANY account applies to all of your currently added accounts, and also to all AWS accounts you add in the future. 

Step 3. Select your existing backup policy, for example, test backup policy, and click Next.

Note: On the next page, Set Priority is optional.

Step 4. Click Preview Assets to preview your rule and make sure all assets remain protected.

For example:  As you saw in the image in the second list item in Prerequisites, you will see the total number of assets protected with the test backup policy is 1, and the same 1 asset appears in the preview section.

The Preview Assets page:

Step 6: Click Create Rule. Your newly created protection rule appears under the AWS Protection Rules tab as below: 

Note: In this image, it shows 0 assets under the “Covered Assets” column for that rule. This is because after a rule has been created, you must contact Clumio Support to get the Protection Rule Feature enabled. Once enabled, these values will populate correctly.

For any additional questions, please contact us at support@clumio.com