July 1, 2025

Automate Amazon RDS Backups with AWS Lambda and AWS Backup

Backing up your Amazon RDS instances is critical, especially for production environments where data loss is not an option. While RDS has built-in backup options, many teams prefer additional control, retention strategies, or cross-account copies. This guide walks through automating RDS snapshots using AWS Lambda and AWS Backup.

Why Use Lambda for RDS Backups?

Using Lambda lets you trigger backups based on specific conditions or schedules without manual intervention. Pairing it with AWS Backup allows for more scalable policies and easier management.

What This Setup Includes

  • An automated Lambda function triggered by a scheduled CloudWatch Event
  • Integration with AWS Backup to handle snapshot creation
  • Optional tagging to help manage lifecycle policies and retention

Step 1: Set Up IAM Role

Create an IAM role for your Lambda function. Attach permissions for the following actions:

  • rds:CreateDBSnapshot
  • rds:DeleteDBSnapshot (if you want to prune old backups)
  • rds:DescribeDBInstances
  • backup:StartBackupJob (if using AWS Backup)
  • logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents

Follow the principle of least privilege: grant only the actions from this list that your function actually uses.

Step 2: Create the Lambda Function

You can use Python or Node.js. Below is an example in Python that creates a snapshot:

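import boto3
import datetime

# Create the client once per execution environment so warm invocations reuse it.
rds = boto3.client('rds')

def lambda_handler(event, context):
    # Replace with the identifier of the instance to back up.
    db_instance_id = 'your-db-instance-identifier'
    # UTC timestamp, so snapshot names line up with the UTC schedule.
    timestamp = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d-%H-%M')
    snapshot_id = f"{db_instance_id}-{timestamp}"

    # Starts the snapshot; the call returns before the snapshot has completed.
    rds.create_db_snapshot(
        DBSnapshotIdentifier=snapshot_id,
        DBInstanceIdentifier=db_instance_id
    )
    print(f"Snapshot {snapshot_id} created")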

You can also trigger an AWS Backup job instead, depending on your needs.
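
Step 1 lists rds:DeleteDBSnapshot for pruning old backups. The following is an added example, not code from the original guide, that selects which snapshots are safe to delete: only manual, completed snapshots of the given instance that follow the handler's naming scheme, and never the newest few. The function names, the 14-day retention, keep_min and the orders-db sample data are assumptions made for illustration.

```python
import datetime

def snapshots_to_prune(snapshots, db_instance_id, retention_days, now, keep_min=2):
    """Pick expired snapshots that the backup handler itself created."""
    prefix = f"{db_instance_id}-"
    cutoff = now - datetime.timedelta(days=retention_days)
    # Only manual, completed snapshots of this instance that follow the
    # handler's "<instance>-<timestamp>" naming are candidates.
    ours = [s for s in snapshots
            if s.get("SnapshotType") == "manual"
            and s.get("Status") == "available"
            and s.get("DBInstanceIdentifier") == db_instance_id
            and s["DBSnapshotIdentifier"].startswith(prefix)]
    ours.sort(key=lambda s: s["SnapshotCreateTime"], reverse=True)
    # The newest keep_min snapshots are never deleted, whatever their age.
    return [s["DBSnapshotIdentifier"] for s in ours[keep_min:]
            if s["SnapshotCreateTime"] < cutoff]

def prune(db_instance_id, retention_days=14, dry_run=True):
    """List this instance's manual snapshots and delete the expired ones."""
    import boto3  # imported here so the selection logic runs offline
    rds = boto3.client("rds")
    pages = rds.get_paginator("describe_db_snapshots").paginate(
        DBInstanceIdentifier=db_instance_id, SnapshotType="manual")
    snapshots = [s for page in pages for s in page["DBSnapshots"]]
    now = datetime.datetime.now(datetime.timezone.utc)
    expired = snapshots_to_prune(snapshots, db_instance_id, retention_days, now)
    for snapshot_id in expired:
        print(("Would delete " if dry_run else "Deleting ") + snapshot_id)
        if not dry_run:
            rds.delete_db_snapshot(DBSnapshotIdentifier=snapshot_id)
    return expired

# Constructed sample shaped like describe_db_snapshots()["DBSnapshots"].
def snap(name, instance, kind, day):
    created = datetime.datetime(2025, 6, day, 3, 0, tzinfo=datetime.timezone.utc)
    return {"DBSnapshotIdentifier": name, "DBInstanceIdentifier": instance,
            "SnapshotType": kind, "Status": "available",
            "SnapshotCreateTime": created}

SAMPLE_NOW = datetime.datetime(2025, 7, 1, tzinfo=datetime.timezone.utc)
SAMPLE = [
    snap("orders-db-2025-06-01-03-00", "orders-db", "manual", 1),
    snap("orders-db-2025-06-02-03-00", "orders-db", "manual", 2),
    snap("orders-db-2025-06-29-03-00", "orders-db", "manual", 29),
    snap("orders-db-2025-06-30-03-00", "orders-db", "manual", 30),
    snap("pre-migration-keep", "orders-db", "manual", 1),  # hand-made, not ours
    snap("orders-db-2-2025-06-01-03-00", "orders-db-2", "manual", 1),  # other DB
]
print(snapshots_to_prune(SAMPLE, "orders-db", 14, SAMPLE_NOW))
```

Run prune() with dry_run=True first and check the listed identifiers before allowing deletions.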

Step 3: Set Up a CloudWatch Rule

Use CloudWatch to schedule this Lambda function. A typical schedule expression is cron(0 3 * * ? *), which runs daily at 3 AM UTC. Adjust it to match your timezone and backup policy.

Optional: Use AWS Backup Instead

AWS Backup provides additional features such as cross-region backups, lifecycle rules, and backup vaults. You can create a backup plan and use tags on RDS resources to assign them to that plan. Use EventBridge if you want to trigger backup jobs on specific application events.

Recommendations

  • Set up monitoring using CloudWatch Logs and create alarms for failed backups.
  • Store backups in encrypted form and use tagging to help with retention policies.
  • Consider cross-account backups for disaster recovery scenarios.

Summary

Automating RDS backups with Lambda gives you flexibility, while AWS Backup brings scalability and compliance features. Combining both allows your team to control backup timing and retention without relying solely on default RDS options. Use this setup to simplify your backup process while ensuring coverage across environments.