AWS protection rules

A Clumio protection rule defines a set of conditions under which a backup policy is applied to your assets. You can use protection rules to automate policy application for your EC2, EBS, RDS, and DynamoDB assets across multiple accounts and regions. Instead of applying policies tag by tag, or to assets one region at a time, you define a set of conditions such as asset types, accounts, regions, and tags and then select a backup policy to apply when that set of conditions is met. Protection rules can also be prioritized. Priority determines which rule wins if an asset is covered by multiple rules: the policy in the highest priority matched rule takes precedence.

Once you create a protection rule, depending on its configuration, the rule can also apply to any new accounts that you connect to Clumio whose assets meet the rule conditions.

Note: Protection rules do not apply to S3 buckets, MS SQL on EC2 databases, Microsoft 365 assets, or VMware. For these asset types, you must apply the policy directly to the specific asset; see Direct Policy Assignment.

A preview feature lets you see which assets will be affected by a new rule before you apply the rule. This preview feature also shows you the impact on your assets when you edit or delete a rule.

You can also create protection rules at the organizational unit (OU) level. These rules apply to the OU and any child OUs contained within it. To create such a rule, switch to the OU where you want the rule or rules to apply and create the rule there. Protection rules created at the OU level are superseded by any higher priority global protection rules. A Super Admin can set global rules to take priority over OU rules, or set global rules to a lower priority than OU rules. Only first-level OUs can create rules; child OUs of an OU cannot create rules.

Protection rules are displayed in order of priority on the AWS Protection Rules tab of the Policies page, with the highest priority rule at the top of the table. You can change the priority of a rule by dragging it up or down to the priority level you need. In addition to the rule priority, you can also see which organizational units a rule applies to, the policy contained in that rule, and the number of assets impacted by the rule. You can also edit and delete rules from this page.

Rule categories

Clumio provides three categories of rules to help with prioritization.

  • Global Rules - High Priority: These rules override any OU rules
  • Organizational Unit Rules: These rules only apply to assets within the OUs where they are created
  • Global Rules - Low Priority: These rules are overridden by OU rules

You can order rules within each of these categories to further refine the prioritization. For example, rules in the Global Rules - High Priority category are applied in order as the conditions are matched, starting with the first rule in the category. You should plan your rule strategy to take prioritization into account. For example, if you have applied policies directly to assets, they are covered under the Direct Policy Assignment rule. If one of those assets belongs to an OU, and the OU Admin creates a rule to protect that asset, the OU rule is overridden by the Direct Policy Assignment rule because it is in a higher priority category. An OU Admin cannot change the priority of rules in the Global Rules - High Priority category. In that case a Super Admin can move the Direct Policy Assignment rule down to the Global Rules - Low Priority category so that it only takes effect for assets that are not covered by any higher priority rule.

Direct Policy Assignment

Clumio provides a default rule called Direct Policy Assignment that shows you which assets have had a policy applied directly by a user rather than automatically as a result of conditions defined in a rule. You can apply a policy directly to an asset by navigating to an account that contains the asset you want to protect, selecting an asset type—an EC2 instance, an EBS volume, an RDS resource, or a DynamoDB table—clicking the plus sign in the Policy column, selecting a policy, and applying it to that asset. When you navigate back to the AWS Protection Rules page, you will see an increase in the number of Covered Assets for the Direct Policy Assignment rule. If an asset is already covered by a rule that has a higher priority than the Direct Policy Assignment rule, you cannot directly assign a policy to that asset. However, if the asset is covered only by a rule that is lower in priority than the Direct Policy Assignment rule, you can still directly assign a policy to that asset.

This rule cannot be edited, but its priority can be changed, and you can remove assets that have had a policy directly applied.

If an asset has a directly assigned policy and then gets a policy from a higher priority rule, the directly assigned policy is superseded by the new rule. The Direct Policy Assignment rule takes effect again if the higher priority rule is deleted, re-prioritized to a lower priority, or the directly assigned policy is explicitly removed; see Remove a Directly Assigned Policy for more information.
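The precedence described under Rule categories and Direct Policy Assignment, worked through as an added example that is not Clumio's code or API: a small model in which rules are ranked by category and then by order within the category, the first matching rule supplies the policy, and Direct Policy Assignment is itself a rule whose matches are the user's manual assignments. All rule names, policy names, account numbers and asset ids are constructed; the scenario is the one the page gives, where a Super Admin moves Direct Policy Assignment below the OU rules.

```python
# Illustrative model of Clumio protection-rule precedence (added example, not Clumio's code):
# the first rule matching an asset, walking the three categories in order and rules in order
# within each, supplies its policy. Assets are dicts: id, asset_type, account, region, ou, tags.
from dataclasses import dataclass, field

RANK = {"global_high": 0, "ou": 1, "global_low": 2}   # lower rank = higher precedence
DIRECT = "Direct Policy Assignment"

@dataclass
class Rule:
    name: str
    category: str
    order: int                                  # position within its category (0 = top)
    policy: str = ""
    where: dict = field(default_factory=dict)   # attribute -> allowed values; empty = any
    tags: dict = field(default_factory=dict)    # every listed tag must match
    ou: str = ""                                # OU rules cover that OU and its child OUs
    direct: dict = field(default_factory=dict)  # asset id -> policy; manual assignments (DIRECT only)

    def matches(self, a):
        if self.name == DIRECT:
            return a["id"] in self.direct
        in_ou = not self.ou or a["ou"] == self.ou or a["ou"].startswith(self.ou + "/")  # child OU: "parent/child"
        return (in_ou and all(a[k] in v for k, v in self.where.items())
                and all(a.get("tags", {}).get(k) == v for k, v in self.tags.items()))

def by_priority(rules):
    return sorted(rules, key=lambda r: (RANK[r.category], r.order))

def winning_rule(rules, a):     # highest-priority matched rule, None if the asset is uncovered
    return next((r for r in by_priority(rules) if r.matches(a)), None)

def effective_policy(rules, a):
    r = winning_rule(rules, a)
    return None if r is None else r.direct.get(a["id"], r.policy)

def covered_assets(rules, assets, rule_name):   # preview of a rule's Covered Assets
    return [a["id"] for a in assets if (w := winning_rule(rules, a)) and w.name == rule_name]

def can_assign_directly(rules, a):  # blocked while a rule ranked above DIRECT covers the asset
    order, w = by_priority(rules), winning_rule(rules, a)
    return w is None or order.index(w) >= order.index(next(r for r in order if r.name == DIRECT))

# Constructed sample reproducing the page's OU-rule vs. Direct Policy Assignment scenario.
ASSETS = [{"id": "i-0aa", "asset_type": "EC2", "account": "111111111111", "region": "us-east-1",
           "ou": "finance/payroll", "tags": {"env": "prod"}},
          {"id": "vol-0bb", "asset_type": "EBS", "account": "111111111111", "region": "us-east-1", "ou": "finance"},
          {"id": "db-0cc", "asset_type": "RDS", "account": "222222222222", "region": "eu-west-1", "ou": "finance/payroll"}]
RULES = [Rule("prod-daily", "global_high", 0, "Gold", tags={"env": "prod"}),
         Rule(DIRECT, "global_high", 1, direct={"vol-0bb": "Silver"}),
         Rule("finance-compute", "ou", 0, "Bronze", where={"asset_type": {"EC2", "EBS", "RDS"}}, ou="finance")]
```

With the rules as listed, vol-0bb keeps its directly assigned Silver policy because Direct Policy Assignment sits in the high-priority category; setting `RULES[1].category = "global_low"` lets the OU rule win and the asset moves to Bronze, which is the Super Admin re-prioritization the page describes.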