When you create an instance, enable an automatic snapshot policy for its disks to periodically back up important data.
Security risks
Business data stored on disks is exposed to multiple threats that can cause data corruption or permanent data loss:
- Human error: accidental file deletion, disk formatting, or incorrect configurations.
- Malicious attacks: ransomware that encrypts data, or attackers who delete or tamper with data after an intrusion.
- Software and application faults: application bugs or system crashes that cause inconsistent data writes or data corruption.
- Hardware failures: any physical device can fail, although this is unlikely.
Best practices
An automatic snapshot policy automatically creates snapshots for your disks at regular intervals. This reduces the risk of data loss from human error and improves system reliability and stability.
Console
When you create an instance on the instance buy page, select an automatic snapshot policy for the system disk and data disks in the Snapshot section.
If the default policies do not meet your requirements, click Create Automatic Snapshot Policy. After you create a new policy, you can select it.
API
- Call the CreateAutoSnapshotPolicy operation to create an automatic snapshot policy. Set the backup times with the timePoints parameter, the backup schedule with the repeatWeekdays parameter, and the retention period with the retentionDays parameter. A successful request returns the automatic snapshot policy ID, AutoSnapshotPolicyId.
- When you create an instance by calling the RunInstances or CreateInstance operation, use the SystemDisk.AutoSnapshotPolicyId and DataDisk.X.AutoSnapshotPolicyId parameters to specify the automatic snapshot policies for the system disk and data disks, respectively.
After the snapshot policy takes effect, the system automatically creates snapshots. You can then restore your data from these snapshots. For detailed steps, see Roll back a disk using a snapshot.
Compliance capabilities
Check: Verify automatic snapshot policies
ECS Insight
- Go to ECS Insight.
- Select the Reliability tab. Click the Snapshots Created Within Previous 7 Days check item to verify that snapshots were created for your disks in the last 7 days.
Security Center
- Go to the Security Center console.
- In the left-side navigation pane, choose . On the Cloud Service Configuration Risk tab, find the check item named Enable Automatic Snapshot Policy and click Scan in the Actions column.
A status of Failed indicates that an automatic snapshot policy is not enabled for one or more instances. Click Details to view the instances.
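The two console checks above answer two different questions: whether a disk has an automatic snapshot policy attached at all, and whether a snapshot was actually produced in the last 7 days. The following added example (not part of this page or of Alibaba Cloud's tooling) reproduces both checks offline over constructed disk and snapshot records. It assumes the field names that the ECS DescribeDisks and DescribeSnapshots responses use (AutoSnapshotPolicyId, SourceDiskId, CreationTime) and a fixed "current time" so the result is deterministic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real API output). Field names follow the
# assumed shape of DescribeDisks / DescribeSnapshots responses.
DISKS = [
    {"DiskId": "d-example-sys-1", "InstanceId": "i-example-1",
     "AutoSnapshotPolicyId": "sp-example-daily"},
    {"DiskId": "d-example-data-1", "InstanceId": "i-example-1",
     "AutoSnapshotPolicyId": ""},                      # no policy attached
    {"DiskId": "d-example-sys-2", "InstanceId": "i-example-2",
     "AutoSnapshotPolicyId": "sp-example-daily"},
]
SNAPSHOTS = [
    {"SnapshotId": "s-example-1", "SourceDiskId": "d-example-sys-1",
     "CreationTime": "2024-05-06T02:00:00Z"},          # recent
    {"SnapshotId": "s-example-2", "SourceDiskId": "d-example-sys-2",
     "CreationTime": "2024-04-20T02:00:00Z"},          # older than 7 days
]
NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)       # fixed evaluation time


def parse_time(ts):
    """Parse the ISO 8601 UTC timestamp format used in the sample data."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def disks_without_policy(disks):
    """Security Center style check: disks with no automatic snapshot policy."""
    return sorted(d["DiskId"] for d in disks if not d.get("AutoSnapshotPolicyId"))


def instances_without_policy(disks):
    """Instances that own at least one disk without a policy."""
    return sorted({d["InstanceId"] for d in disks if not d.get("AutoSnapshotPolicyId")})


def disks_without_recent_snapshot(disks, snapshots, now=NOW, days=7):
    """ECS Insight style check: disks with no snapshot created within `days`.

    A disk with a policy attached can still fail this check if the policy
    was attached recently or snapshot creation has been failing, so both
    checks are worth running.
    """
    cutoff = now - timedelta(days=days)
    latest = {}
    for s in snapshots:
        t = parse_time(s["CreationTime"])
        disk_id = s["SourceDiskId"]
        if disk_id not in latest or t > latest[disk_id]:
            latest[disk_id] = t
    return sorted(d["DiskId"] for d in disks
                  if d["DiskId"] not in latest or latest[d["DiskId"]] < cutoff)


if __name__ == "__main__":
    print("no policy:", disks_without_policy(DISKS))
    print("instances to fix:", instances_without_policy(DISKS))
    print("no snapshot in 7 days:", disks_without_recent_snapshot(DISKS, SNAPSHOTS))
```

With the sample data, the data disk fails both checks, and the second system disk passes the policy check but fails the 7-day check because its last snapshot is too old.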
Block: Block instance creation without snapshot policies
This feature is in invitational preview and is available only in the China (Chengdu), China (Ulanqab), and China (Hohhot) regions.
To meet security and compliance requirements for data protection against threats such as ransomware, you can enforce periodic backups. You can configure a RAM policy to require that an automatic snapshot policy is attached to the system and data disks of all new instances. This restriction applies to specified RAM users and RAM roles. When a restricted user or role attempts to create an instance or a disk, ECS checks whether an automatic snapshot policy is included in the request. ECS sends the result of the check to RAM for authorization. If the request does not meet the policy's conditions, RAM denies the request, and the disk creation fails.
- For enterprise users:
  - Log on to the Resource Directory console with an Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Then, create a custom policy and paste the following JSON content.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ecs:IsDiskAutoSnapshotPolicyEnabled": "*false*"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ecs:IsSystemDiskAutoSnapshotPolicyEnabled": "false"
            }
          },
          "Effect": "Deny"
        }
      ]
    }
  - In Resource Directory, attach the policy to the appropriate folder or member. The policy then blocks non-compliant requests from all accounts in the folder or from the specified member.
- For non-enterprise users:
  - Log on to the RAM console with an Alibaba Cloud account. In the left-side navigation pane, click Permission Policy. Create a custom policy by using the JSON content from the preceding step.
  - Attach the policy to the required RAM users, RAM user groups, or RAM roles. For more information, see Grant permissions to a RAM user.
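The policy above has two Deny statements with different operators: StringEquals on ecs:IsSystemDiskAutoSnapshotPolicyEnabled, and a StringLike wildcard "*false*" on ecs:IsDiskAutoSnapshotPolicyEnabled. The following added example (not part of this page and not how RAM is implemented) evaluates that exact policy document against constructed request contexts so you can see which RunInstances requests are denied before attaching the policy. It assumes that ecs:IsDiskAutoSnapshotPolicyEnabled carries one true/false value per disk in the request, which is why the wildcard match is needed to catch a single data disk without a policy; that derivation of the condition keys is an assumption, and the request_context helper is hypothetical.

```python
import fnmatch
import json

# The Deny policy from this page, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*",
     "Condition": {"StringLike": {"ecs:IsDiskAutoSnapshotPolicyEnabled": "*false*"}},
     "Effect": "Deny"},
    {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*",
     "Condition": {"StringEquals": {"ecs:IsSystemDiskAutoSnapshotPolicyEnabled": "false"}},
     "Effect": "Deny"}
  ]
}
""")


def condition_matches(operator, expected, actual):
    """Evaluate one condition key. Only the operators this policy uses are
    implemented; a key missing from the request context never matches
    (assumption about RAM semantics, sufficient for a Deny simulation)."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)   # '*' wildcard, case-sensitive
    raise ValueError(f"unsupported operator {operator}")


def is_denied(policy, action, context):
    """True if any Deny statement matches the action and all its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_matches(op, expected, context.get(key))
               for op, pairs in conditions.items()
               for key, expected in pairs.items()):
            return True
    return False


def request_context(system_disk_policy, data_disk_policies):
    """Hypothetical derivation of the condition keys from a RunInstances request:
    system_disk_policy is the SystemDisk.AutoSnapshotPolicyId value (or None),
    data_disk_policies the DataDisk.X.AutoSnapshotPolicyId values (None = unset).
    Assumption: the per-disk key lists one flag per disk, joined by commas."""
    flags = ["true" if system_disk_policy else "false"]
    flags += ["true" if p else "false" for p in data_disk_policies]
    return {
        "ecs:IsSystemDiskAutoSnapshotPolicyEnabled": "true" if system_disk_policy else "false",
        "ecs:IsDiskAutoSnapshotPolicyEnabled": ",".join(flags),
    }


def check_request(system_disk_policy, data_disk_policies, action="ecs:RunInstances"):
    return is_denied(POLICY, action, request_context(system_disk_policy, data_disk_policies))


if __name__ == "__main__":
    # Constructed requests; "sp-example-daily" is a placeholder policy ID.
    print("all disks covered:", check_request("sp-example-daily", ["sp-example-daily"]))
    print("one data disk uncovered:", check_request("sp-example-daily", ["sp-example-daily", None]))
    print("system disk uncovered:", check_request(None, ["sp-example-daily"]))
    print("unrelated action:", check_request(None, [None], action="ecs:DescribeInstances"))
```

The wildcard statement alone would already deny a request whose system disk lacks a policy, since "false" matches "*false*"; the second statement makes that case explicit and does not depend on how the per-disk key is encoded. Actions the policy does not list, such as describe calls, are unaffected.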
Fix: Set an automatic snapshot policy
If a check indicates that an automatic snapshot policy is not enabled for some instances, you can set an automatic snapshot policy for the disks.