Backup of DBPaaS RDS Oracle - Prerequisite

Article: 100059038
Last published: 2025-02-27
Product: NetBackup & Alta Data Protection

Description

Configuring an Amazon S3 bucket or Amazon Elastic File System (EFS) for use with NetBackup RDS Oracle support requires the following AWS resources to be configured.

Prerequisites:

Option group:

→ When creating the option group, the RDS engine version must match the option group's major engine version, and the RDS engine must match the option group's database engine name.

→ Also add the S3 integration (S3_INTEGRATION) or EFS integration (EFS_INTEGRATION) option to the option group.


In the security group, add inbound rules for port 1521 and NFS port 2049, and specify the source IP address or IP range.

The backup retention period must be greater than zero.


Set the archive log retention period with the following command:

SQL> begin
       rdsadmin.rdsadmin_util.set_configuration(
         name  => 'archivelog retention hours',
         value => '24');
     end;
     /
SQL> commit;

or check the current retention period value with:

SQL> set serveroutput on
SQL> exec rdsadmin.rdsadmin_util.show_configuration;

If the database is a multi-tenant container database (CDB), the retention period must be updated on each individual PDB.

Backup via EFS is only possible with Oracle 19c.

NOTE:
With 19c, if the S3 configuration fails or is not configured properly, the backup falls back to EFS.
Reserve approximately 2 times the RDS database size in free space before initiating the backup.
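The prerequisites above can be checked mechanically before a backup is attempted. The following added Python example (not part of this article or of NetBackup) validates the option group engine match, the integration option, the 19c-only EFS rule, the retention period and the two security group ports over constructed sample records shaped like trimmed `aws rds describe-db-instances`, `aws rds describe-option-groups` and `aws ec2 describe-security-groups` output; the instance, option group and CIDR values are assumptions.

```python
# Constructed sample input, shaped like trimmed `aws rds describe-db-instances`,
# `aws rds describe-option-groups` and `aws ec2 describe-security-groups` output.
INSTANCE = {
    "Engine": "oracle-ee",
    "EngineVersion": "19.0.0.0.ru-2024-10.rur-2024-10.r1",
    "BackupRetentionPeriod": 7,
}
OPTION_GROUP = {
    "OptionGroupName": "og-orcl-19",  # assumed name
    "EngineName": "oracle-ee",
    "MajorEngineVersion": "19",
    "Options": [{"OptionName": "S3_INTEGRATION"}],
}
SECURITY_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

def port_open(sg, port):
    """True if an inbound rule covers TCP `port` and names a source IP range."""
    for p in sg.get("IpPermissions", []):
        covers = p.get("IpProtocol") == "-1" or (
            p.get("IpProtocol") == "tcp"
            and p.get("FromPort", -1) <= port <= p.get("ToPort", -1))
        if covers and (p.get("IpRanges") or p.get("Ipv6Ranges")):
            return True
    return False

def check_prerequisites(inst, og, sg):
    """Return the list of violated prerequisites; an empty list means all pass."""
    problems = []
    if og["EngineName"] != inst["Engine"]:
        problems.append("option group engine name differs from the RDS engine")
    if not inst["EngineVersion"].startswith(og["MajorEngineVersion"]):
        problems.append("option group major engine version differs from the RDS engine version")
    options = {o["OptionName"] for o in og.get("Options", [])}
    if not options & {"S3_INTEGRATION", "EFS_INTEGRATION"}:
        problems.append("option group has neither S3_INTEGRATION nor EFS_INTEGRATION")
    if "EFS_INTEGRATION" in options and og["MajorEngineVersion"] != "19":
        problems.append("backup via EFS requires Oracle 19c")
    if inst.get("BackupRetentionPeriod", 0) <= 0:
        problems.append("backup retention period must be greater than zero")
    for port in (1521, 2049):  # Oracle and NFS inbound rules
        if not port_open(sg, port):
            problems.append(f"no inbound rule with a source IP range for port {port}")
    return problems
```

Feed the real JSON from the three AWS CLI commands to `check_prerequisites` to get the same report for a live instance.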

BACKUP VIA EFS:

Configuring Amazon Elastic File System for use with NetBackup RDS Oracle support requires the following AWS resources to be configured:

EFS volume, IAM policy configured on the EFS, security group, option group and the option used within RDS.

Configuration:

→ Set the throughput mode according to your usage.

→ Ensure that the EFS and the RDS instance use the same security group.

→ EFS access via IAM is supported; to configure it, refer to: https://aws.amazon.com/blogs/database/integrate-amazon-rds-for-oracle-with-amazon-efs-part-2-file-system-policy-and-encryption-in-transit/

If an IAM role needs to be configured, modify the file system policy as follows (replace arn_name with the role ARN in Principal and the file system ARN in Resource):

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn_name"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Resource": "arn_name"
        }
    ]
}

Permissions required for the IAM role:

efsdescribemounttarget

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeFileSystems"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:access-point/*",
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ]
        }
    ]
}

rdsdescribeoptiongroup

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "rds:DescribeOptionGroupOptions",
            "Resource": "arn:aws:rds:*:*:og:*"
        }
    ]
}

AmazonRDSReadOnlyAccess: this is an AWS managed policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "devops-guru:GetResourceCollection"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "devops-guru:SearchInsights",
                "devops-guru:ListAnomaliesForInsight"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "devops-guru:ServiceNames": [
                        "RDS"
                    ]
                },
                "Null": {
                    "devops-guru:ServiceNames": "false"
                }
            }
        }
    ]
}


For an EFS overview, please refer to:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-efs-integration.html#oracle-efs-integration.overview

BACKUP VIA S3:

Configuring an Amazon S3 bucket for use with NetBackup RDS Oracle support requires the following AWS resources to be configured:

S3 bucket, IAM policy configured on the S3 bucket, security group, option group and the option used within RDS.

The bucket name convention is “aws-rds-oracle-netbackup-account_id-region”.

If the bucket does not yet exist in S3, the backup creates it first.

Do not run external backups through the RDS RMAN API on the instance, so that data consistency is maintained.


Configuration:

Create an IAM role for the S3-enabled option group, with the following policy attached.

Create an AWS Identity and Access Management (IAM) policy that grants Amazon RDS access to an Amazon S3 bucket.

Include the appropriate actions in the policy based on the type of access required:

GetObject – Required to transfer files from an Amazon S3 bucket to Amazon RDS.
ListBucket – Required to transfer files from an Amazon S3 bucket to Amazon RDS.
PutObject – Required to transfer files from Amazon RDS to an Amazon S3 bucket.


Create a same-account IAM policy:

aws iam create-policy \
   --policy-name rds-s3-integration-policy \
   --policy-document '{
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "s3integration",
         "Action": [
           "s3:GetObject",
           "s3:ListBucket",
           "s3:PutObject"
         ],
         "Effect": "Allow",
         "Resource": [
           "arn:aws:s3:::your-s3-bucket-arn",
           "arn:aws:s3:::your-s3-bucket-arn/*"
         ]
       }
     ]
   }'
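Before attaching the policy above, it is worth confirming that it parses as JSON and grants only the three listed actions on the bucket named by the convention given earlier. This added Python check is not part of this article or of NetBackup; the account id 111122223333 and region us-east-1 in the sample policy are assumptions.

```python
import json

REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:PutObject"}

# Constructed sample: the same-account policy with the bucket placeholder replaced
# by the conventional name for an assumed account id and region.
POLICY_TEXT = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "s3integration",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::aws-rds-oracle-netbackup-111122223333-us-east-1",
                 "arn:aws:s3:::aws-rds-oracle-netbackup-111122223333-us-east-1/*"]
  }]
}"""

def expected_bucket(account_id, region):
    """Bucket name following the aws-rds-oracle-netbackup-<account_id>-<region> convention."""
    return f"aws-rds-oracle-netbackup-{account_id}-{region}"

def as_list(value):
    """IAM allows a string, an object or a list in these fields; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_s3_policy(text, account_id, region):
    """Return violations in a same-account S3 integration policy; empty list means OK."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as e:  # e.g. a trailing comma inside an Action list
        return [f"policy is not valid JSON: {e.msg} (line {e.lineno})"]
    bucket = expected_bucket(account_id, region)
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    allowed, resources = set(), set()
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") == "Allow":
            allowed.update(as_list(st.get("Action")))
            resources.update(as_list(st.get("Resource")))
    problems = []
    if REQUIRED_ACTIONS - allowed:
        problems.append(f"missing actions: {sorted(REQUIRED_ACTIONS - allowed)}")
    if allowed - REQUIRED_ACTIONS:
        problems.append(f"actions beyond the three required: {sorted(allowed - REQUIRED_ACTIONS)}")
    if wanted - resources:
        problems.append(f"resources do not cover bucket {bucket} and its objects")
    if resources - wanted:  # catches an unreplaced placeholder or a wildcard
        problems.append(f"resources outside the backup bucket: {sorted(resources - wanted)}")
    return problems
```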

Create a cross-account IAM policy

Use this when you upload files to an Amazon S3 bucket from one account (account A) and access them from a different account (account B), where:
Account B owns the bucket.
Account B needs full control of objects loaded into the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-A-ID:account-A-user"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::account-B-bucket-arn",
        "arn:aws:s3:::account-B-bucket-arn/*"
      ]
    }
  ]
}

For an S3 overview, please refer to:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html

For BYO setup:

→ Install the Oracle ODBC driver manually by downloading and installing these 2 RPMs:
     1. Basic (rpm -ivh oracle-instantclient-basic-23.7.0.25.01-1.el8.x86_64.rpm)
     2. ODBC (rpm -ivh oracle-instantclient-odbc-23.7.0.25.01-1.el9.x86_64.rpm)

→ Install efs-utils

→ Install stunnel > 5

→ Install unixODBC

→ Install OpenSSL
