Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The ID of the legal hold.

[required] A string the describes the reason for removing the legal hold.

The integer amount, in days, after which to remove legal hold.

[required] The body of a backup plan. Includes a BackupPlanName and one or more sets of Rules.

The tags to assign to the backup plan.

Identifies the request and allows failed requests to be retried without the risk of running the operation twice. If the request includes a CreatorRequestId that matches an existing backup plan, that plan is returned. This parameter is optional.

If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] The ID of the backup plan.

[required] The body of a request to assign a set of resources to a backup plan.

A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. This parameter is optional.

If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created. They consist of letters, numbers, and hyphens.

The tags to assign to the backup vault.

The server-side encryption key that is used to protect your backups; for example, ⁠arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab⁠.

A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. This parameter is optional.

If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] The unique name of the framework. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

An optional description of the framework with a maximum of 1,024 characters.

[required] The controls that make up the framework. Each control in the list has a name, input parameters, and scope.

A customer-chosen string that you can use to distinguish between otherwise identical calls to CreateFrameworkInput. Retrying a successful request with the same idempotency token results in a success message with no action taken.

The tags to assign to the framework.

[required] The title of the legal hold.

[required] The description of the legal hold.

This is a user-chosen string used to distinguish between otherwise identical calls. Retrying a successful request with the same idempotency token results in a success message with no action taken.

The criteria to assign a set of resources, such as resource types or backup vaults.

Optional tags to include. A tag is a key-value pair you can use to manage, filter, and search for your resources. Allowed characters include UTF-8 letters, numbers, spaces, and the following characters: + - = . _ : /.

[required] The name of a logical container where backups are stored. Logically air-gapped backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

The tags to assign to the vault.

The ID of the creation request.

This parameter is optional. If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] This setting specifies the minimum retention period that the vault retains its recovery points.

The minimum value accepted is 7 days.

[required] The maximum retention period that the vault retains its recovery points.

[required] The unique name of the report plan. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

An optional description of the report plan with a maximum of 1,024 characters.

[required] A structure that contains information about where and how to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.

[required] Identifies the report template for the report. Reports are built using a report template. The report templates are:

RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT

If the report template is RESOURCE_COMPLIANCE_REPORT or CONTROL_COMPLIANCE_REPORT, this API resource also describes the report coverage by Amazon Web Services Regions and frameworks.

The tags to assign to the report plan.

A customer-chosen string that you can use to distinguish between otherwise identical calls to CreateReportPlanInput. Retrying a successful request with the same idempotency token results in a success message with no action taken.

This is a unique string that identifies the request and allows failed requests to be retriedwithout the risk of running the operation twice. This parameter is optional. If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] A restore testing plan must contain a unique RestoreTestingPlanName string you create and must contain a ScheduleExpression cron. You may optionally include a StartWindowHours integer and a CreatorRequestId string.

The RestoreTestingPlanName is a unique string that is the name of the restore testing plan. This cannot be changed after creation, and it must consist of only alphanumeric characters and underscores.

The tags to assign to the restore testing plan.

This is an optional unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

[required] Input the restore testing plan name that was returned from the related CreateRestoreTestingPlan request.

[required] This consists of RestoreTestingSelectionName, ProtectedResourceType, and one of the following:

• ProtectedResourceArns

• ProtectedResourceConditions

Each protected resource type can have one single value.

A restore testing selection can include a wildcard value ("*") for ProtectedResourceArns along with ProtectedResourceConditions. Alternatively, you can include up to 30 specific protected resource ARNs in ProtectedResourceArns.

[required] Uniquely identifies a backup plan.

[required] Uniquely identifies a backup plan.

[required] Uniquely identifies the body of a request to assign a set of resources to a backup plan.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created. They consist of lowercase letters, numbers, and hyphens.

[required] The name of the backup vault from which to delete Backup Vault Lock.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

[required] The unique name of a framework.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

[required] The unique name of a report plan.

[required] Required unique name of the restore testing plan you wish to delete.

[required] Required unique name of the restore testing plan that contains the restore testing selection you wish to delete.

[required] Required unique name of the restore testing selection you wish to delete.

[required] Uniquely identifies a request to Backup to back up a resource.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

The account ID of the specified backup vault.

[required] Uniquely identifies a copy job.

[required] The unique name of a framework.

[required] An Amazon Resource Name (ARN) that uniquely identifies a resource. The format of the ARN depends on the resource type.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

The account ID of the specified backup vault.

[required] The identifier of the report job. A unique, randomly generated, Unicode, UTF-8 encoded string that is at most 1,024 bytes long. The report job ID cannot be edited.

[required] The unique name of a report plan.

[required] Uniquely identifies the job that restores a recovery point.

[required] The unique name of an Backup vault.

[required] An Amazon Resource Name (ARN) that uniquely identifies an Backup recovery point.

[required] The name of a logical container where the child (nested) recovery point is stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] The Amazon Resource Name (ARN) that uniquely identifies the child (nested) recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.⁠

[required] Uniquely identifies a backup plan.

[required] Uniquely identifies a backup plan.

Unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024 bytes long. Version IDs cannot be edited.

[required] A customer-supplied backup plan document in JSON format.

[required] Uniquely identifies a stored backup plan template.

[required] Uniquely identifies a backup plan.

[required] Uniquely identifies the body of a request to assign a set of resources to a backup plan.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] The ID of the legal hold.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

Accepted characters include lowercase letters, numbers, and hyphens.

[required] An ARN that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

The account ID of the specified backup vault.

[required] This is a unique identifier of a restore job within Backup.

The account ID of the specified backup vault.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web ServicesRegion where they are created. They consist of letters, numbers, and hyphens.

[required] An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

[required] Required unique name of the restore testing plan.

[required] Required unique name of the restore testing plan.

[required] Required unique name of the restore testing selection.

Returns the job count for the specified account.

If the request is sent from a member account or an account not part of Amazon Web Services Organizations, jobs within requestor's account will be returned.

Root, admin, and delegated administrator accounts can use the value ANY to return job counts from every account in the organization.

AGGREGATE_ALL aggregates job counts from all accounts within the authenticated organization, then returns the sum.

This parameter returns the job count for jobs with the specified state.

The the value ANY returns count of all states.

AGGREGATE_ALL aggregates job counts for all states and returns the sum.

⁠Completed with issues⁠ is a status found only in the Backup console. For API, this status refers to jobs with a state of COMPLETED and a MessageCategory with a value other than SUCCESS; that is, the status is completed but comes with a status message. To obtain the job count for ⁠Completed with issues⁠, run two GET requests, and subtract the second, smaller number:

GET /audit/backup-job-summaries?AggregationPeriod=FOURTEEN_DAYS&State=COMPLETED

GET /audit/backup-job-summaries?AggregationPeriod=FOURTEEN_DAYS&MessageCategory=SUCCESS&State=COMPLETED

Returns the job count for the specified resource type. Use request get_supported_resource_types to obtain strings for supported resource types.

The the value ANY returns count of all resource types.

AGGREGATE_ALL aggregates job counts for all resource types and returns the sum.

The type of Amazon Web Services resource to be backed up; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.

This parameter returns the job count for the specified message category.

Example accepted strings include AccessDenied, Success, and InvalidParameters. See Monitoring for a list of accepted MessageCategory strings.

The the value ANY returns count of all message categories.

AGGREGATE_ALL aggregates job counts for all message categories and returns the sum.

The period for the returned results.

• ONE_DAY - The daily job count for the prior 14 days.

• SEVEN_DAYS - The aggregated job count for the prior 7 days.

• FOURTEEN_DAYS - The aggregated job count for prior 14 days.

The maximum number of items to be returned.

The value is an integer. Range of accepted values is from 1 to 500.

The next item following a partial list of returned resources. For example, if a request is made to return MaxResults number of resources, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

Returns only backup jobs that match the specified resource Amazon Resource Name (ARN).

Returns only backup jobs that are in the specified state.

⁠Completed with issues⁠ is a status found only in the Backup console. For API, this status refers to jobs with a state of COMPLETED and a MessageCategory with a value other than SUCCESS; that is, the status is completed but comes with a status message.

To obtain the job count for ⁠Completed with issues⁠, run two GET requests, and subtract the second, smaller number:

GET /backup-jobs/?state=COMPLETED

GET /backup-jobs/?messageCategory=SUCCESS&state=COMPLETED

Returns only backup jobs that will be stored in the specified backup vault. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

Returns only backup jobs that were created before the specified date.

Returns only backup jobs that were created after the specified date.

Returns only backup jobs for the specified resources:

• Aurora for Amazon Aurora

• CloudFormation for CloudFormation

• DocumentDB for Amazon DocumentDB (with MongoDB compatibility)

• DynamoDB for Amazon DynamoDB

• EBS for Amazon Elastic Block Store

• EC2 for Amazon Elastic Compute Cloud

• EFS for Amazon Elastic File System

• FSx for Amazon FSx

• Neptune for Amazon Neptune

• RDS for Amazon Relational Database Service

• Redshift for Amazon Redshift

• S3 for Amazon Simple Storage Service (Amazon S3)

• ⁠SAP HANA on Amazon EC2⁠ for SAP HANA databases on Amazon Elastic Compute Cloud instances

• ⁠Storage Gateway⁠ for Storage Gateway

• Timestream for Amazon Timestream

• VirtualMachine for VMware virtual machines

The account ID to list the jobs from. Returns only backup jobs associated with the specified account ID.

If used from an Organizations management account, passing * returns all jobs across the organization.

Returns only backup jobs completed after a date expressed in Unix format and Coordinated Universal Time (UTC).

Returns only backup jobs completed before a date expressed in Unix format and Coordinated Universal Time (UTC).

This is a filter to list child (nested) jobs based on parent job ID.

This is an optional parameter that can be used to filter out jobs with a MessageCategory which matches the value you input.

Example strings may include AccessDenied, SUCCESS, AGGREGATE_ALL, and InvalidParameters.

View Monitoring

The wildcard () returns count of all message categories.

AGGREGATE_ALL aggregates job counts for all message categories and returns the sum.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to return.

[required] Uniquely identifies a backup plan.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

A Boolean value with a default value of FALSE that returns deleted backup plans when set to TRUE.

[required] Uniquely identifies a backup plan.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

This parameter will sort the list of vaults by vault type.

This parameter will sort the list of vaults by shared vaults.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

Returns the job count for the specified account.

If the request is sent from a member account or an account not part of Amazon Web Services Organizations, jobs within requestor's account will be returned.

Root, admin, and delegated administrator accounts can use the value ANY to return job counts from every account in the organization.

AGGREGATE_ALL aggregates job counts from all accounts within the authenticated organization, then returns the sum.

This parameter returns the job count for jobs with the specified state.

The the value ANY returns count of all states.

AGGREGATE_ALL aggregates job counts for all states and returns the sum.

Returns the job count for the specified resource type. Use request get_supported_resource_types to obtain strings for supported resource types.

The the value ANY returns count of all resource types.

AGGREGATE_ALL aggregates job counts for all resource types and returns the sum.

The type of Amazon Web Services resource to be backed up; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.

This parameter returns the job count for the specified message category.

Example accepted strings include AccessDenied, Success, and InvalidParameters. See Monitoring for a list of accepted MessageCategory strings.

The the value ANY returns count of all message categories.

AGGREGATE_ALL aggregates job counts for all message categories and returns the sum.

The period for the returned results.

• ONE_DAY - The daily job count for the prior 14 days.

• SEVEN_DAYS - The aggregated job count for the prior 7 days.

• FOURTEEN_DAYS - The aggregated job count for prior 14 days.

This parameter sets the maximum number of items to be returned.

The value is an integer. Range of accepted values is from 1 to 500.

The next item following a partial list of returned resources. For example, if a request is made to return MaxResults number of resources, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

Returns only copy jobs that match the specified resource Amazon Resource Name (ARN).

Returns only copy jobs that are in the specified state.

Returns only copy jobs that were created before the specified date.

Returns only copy jobs that were created after the specified date.

Returns only backup jobs for the specified resources:

• Aurora for Amazon Aurora

• CloudFormation for CloudFormation

• DocumentDB for Amazon DocumentDB (with MongoDB compatibility)

• DynamoDB for Amazon DynamoDB

• EBS for Amazon Elastic Block Store

• EC2 for Amazon Elastic Compute Cloud

• EFS for Amazon Elastic File System

• FSx for Amazon FSx

• Neptune for Amazon Neptune

• RDS for Amazon Relational Database Service

• Redshift for Amazon Redshift

• S3 for Amazon Simple Storage Service (Amazon S3)

• ⁠SAP HANA on Amazon EC2⁠ for SAP HANA databases on Amazon Elastic Compute Cloud instances

• ⁠Storage Gateway⁠ for Storage Gateway

• Timestream for Amazon Timestream

• VirtualMachine for VMware virtual machines

An Amazon Resource Name (ARN) that uniquely identifies a source backup vault to copy from; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

The account ID to list the jobs from. Returns only copy jobs associated with the specified account ID.

Returns only copy jobs completed before a date expressed in Unix format and Coordinated Universal Time (UTC).

Returns only copy jobs completed after a date expressed in Unix format and Coordinated Universal Time (UTC).

This is a filter to list child (nested) jobs based on parent job ID.

This is an optional parameter that can be used to filter out jobs with a MessageCategory which matches the value you input.

Example strings may include AccessDenied, SUCCESS, AGGREGATE_ALL, and INVALIDPARAMETERS.

View Monitoring for a list of accepted strings.

The the value ANY returns count of all message categories.

AGGREGATE_ALL aggregates job counts for all message categories and returns the sum.

The number of desired results from 1 to 1000. Optional. If unspecified, the query will return 1 MB of data.

An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.

The next item following a partial list of returned recovery points.

For example, if a request is made to return MaxResults number of indexed recovery points, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of resource list items to be returned.

A string of the Amazon Resource Name (ARN) that uniquely identifies the source resource.

Returns only indexed recovery points that were created before the specified date.

Returns only indexed recovery points that were created after the specified date.

Returns a list of indexed recovery points for the specified resource type(s).

Accepted values include:

• EBS for Amazon Elastic Block Store

• S3 for Amazon Simple Storage Service (Amazon S3)

Include this parameter to filter the returned list by the indicated statuses.

Accepted values: PENDING | ACTIVE | FAILED | DELETING

A recovery point with an index that has the status of ACTIVE can be included in a search.

The next item following a partial list of returned resources. For example, if a request is made to return MaxResults number of resources, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of resource list items to be returned.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

[required] The list of protected resources by backup vault within the vault(s) you specify by name.

The list of protected resources by backup vault within the vault(s) you specify by account ID.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

Backup vault name might not be available when a supported service creates the backup.

This parameter will sort the list of recovery points by account ID.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

Returns only recovery points that match the specified resource Amazon Resource Name (ARN).

Returns only recovery points that match the specified resource type(s):

• Aurora for Amazon Aurora

• CloudFormation for CloudFormation

• DocumentDB for Amazon DocumentDB (with MongoDB compatibility)

• DynamoDB for Amazon DynamoDB

• EBS for Amazon Elastic Block Store

• EC2 for Amazon Elastic Compute Cloud

• EFS for Amazon Elastic File System

• FSx for Amazon FSx

• Neptune for Amazon Neptune

• RDS for Amazon Relational Database Service

• Redshift for Amazon Redshift

• S3 for Amazon Simple Storage Service (Amazon S3)

• ⁠SAP HANA on Amazon EC2⁠ for SAP HANA databases on Amazon Elastic Compute Cloud instances

• ⁠Storage Gateway⁠ for Storage Gateway

• Timestream for Amazon Timestream

• VirtualMachine for VMware virtual machines

Returns only recovery points that match the specified backup plan ID.

Returns only recovery points that were created before the specified timestamp.

Returns only recovery points that were created after the specified timestamp.

This returns only recovery points that match the specified parent (composite) recovery point Amazon Resource Name (ARN).

[required] The ID of the legal hold.

The next item following a partial list of returned resources. For example, if a request is made to return MaxResults number of resources, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of resource list items to be returned.

[required] An ARN that uniquely identifies a resource. The format of the ARN depends on the resource type.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

Amazon RDS requires a value of at least 20.

This attribute filters recovery points based on ownership.

If this is set to TRUE, the response will contain recovery points associated with the selected resources that are managed by Backup.

If this is set to FALSE, the response will contain all recovery points associated with the selected resource.

Type: Boolean

Returns only report jobs with the specified report plan name.

Returns only report jobs that were created before the date and time specified in Unix format and Coordinated Universal Time (UTC). For example, the value 1516925490 represents Friday, January 26, 2018 12:11:30 AM.

Returns only report jobs that were created after the date and time specified in Unix format and Coordinated Universal Time (UTC). For example, the value 1516925490 represents Friday, January 26, 2018 12:11:30 AM.

Returns only report jobs that are in the specified status. The statuses are:

CREATED | RUNNING | COMPLETED | FAILED

The number of desired results from 1 to 1000. Optional. If unspecified, the query will return 1 MB of data.

An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.

The number of desired results from 1 to 1000. Optional. If unspecified, the query will return 1 MB of data.

An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.

Returns the job count for the specified account.

If the request is sent from a member account or an account not part of Amazon Web Services Organizations, jobs within requestor's account will be returned.

Root, admin, and delegated administrator accounts can use the value ANY to return job counts from every account in the organization.

AGGREGATE_ALL aggregates job counts from all accounts within the authenticated organization, then returns the sum.

This parameter returns the job count for jobs with the specified state.

The the value ANY returns count of all states.

AGGREGATE_ALL aggregates job counts for all states and returns the sum.

Returns the job count for the specified resource type. Use request get_supported_resource_types to obtain strings for supported resource types.

The the value ANY returns count of all resource types.

AGGREGATE_ALL aggregates job counts for all resource types and returns the sum.

The type of Amazon Web Services resource to be backed up; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.

The period for the returned results.

• ONE_DAY - The daily job count for the prior 14 days.

• SEVEN_DAYS - The aggregated job count for the prior 7 days.

• FOURTEEN_DAYS - The aggregated job count for prior 14 days.

This parameter sets the maximum number of items to be returned.

The value is an integer. Range of accepted values is from 1 to 500.

The next item following a partial list of returned resources. For example, if a request is made to return MaxResults number of resources, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

The account ID to list the jobs from. Returns only restore jobs associated with the specified account ID.

Include this parameter to return only restore jobs for the specified resources:

• Aurora for Amazon Aurora

• CloudFormation for CloudFormation

• DocumentDB for Amazon DocumentDB (with MongoDB compatibility)

• DynamoDB for Amazon DynamoDB

• EBS for Amazon Elastic Block Store

• EC2 for Amazon Elastic Compute Cloud

• EFS for Amazon Elastic File System

• FSx for Amazon FSx

• Neptune for Amazon Neptune

• RDS for Amazon Relational Database Service

• Redshift for Amazon Redshift

• S3 for Amazon Simple Storage Service (Amazon S3)

• ⁠SAP HANA on Amazon EC2⁠ for SAP HANA databases on Amazon Elastic Compute Cloud instances

• ⁠Storage Gateway⁠ for Storage Gateway

• Timestream for Amazon Timestream

• VirtualMachine for VMware virtual machines

Returns only restore jobs that were created before the specified date.

Returns only restore jobs that were created after the specified date.

Returns only restore jobs associated with the specified job status.

Returns only copy jobs completed before a date expressed in Unix format and Coordinated Universal Time (UTC).

Returns only copy jobs completed after a date expressed in Unix format and Coordinated Universal Time (UTC).

This returns only restore testing jobs that match the specified resource Amazon Resource Name (ARN).

[required] Returns only restore jobs that match the specified resource Amazon Resource Name (ARN).

Returns only restore jobs associated with the specified job status.

Returns only restore jobs of recovery points that were created after the specified date.

Returns only restore jobs of recovery points that were created before the specified date.

The next item following a partial list of returned items. For example, if a request ismade to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

The maximum number of items to be returned.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the nexttoken.

The maximum number of items to be returned.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the nexttoken.

[required] Returns restore testing selections by the specified restore testing plan name.

[required] An Amazon Resource Name (ARN) that uniquely identifies a resource. The format of the ARN depends on the type of resource. Valid targets for list_tags are recovery points, backup plans, and backup vaults.

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

The maximum number of items to be returned.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

The backup vault access policy document in JSON format.

[required] The Backup Vault Lock configuration that specifies the name of the backup vault it protects.

The Backup Vault Lock configuration that specifies the minimum retention period that the vault retains its recovery points. This setting can be useful if, for example, your organization's policies require you to retain certain data for at least seven years (2555 days).

This parameter is required when a vault lock is created through CloudFormation; otherwise, this parameter is optional. If this parameter is not specified, Vault Lock will not enforce a minimum retention period.

If this parameter is specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails that backup or copy job, and you should either modify your lifecycle settings or use a different vault. The shortest minimum retention period you can specify is 1 day. Recovery points already saved in the vault prior to Vault Lock are not affected.

The Backup Vault Lock configuration that specifies the maximum retention period that the vault retains its recovery points. This setting can be useful if, for example, your organization's policies require you to destroy certain data after retaining it for four years (1460 days).

If this parameter is not included, Vault Lock does not enforce a maximum retention period on the recovery points in the vault. If this parameter is included without a value, Vault Lock will not enforce a maximum retention period.

If this parameter is specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. The longest maximum retention period you can specify is 36500 days (approximately 100 years). Recovery points already saved in the vault prior to Vault Lock are not affected.

The Backup Vault Lock configuration that specifies the number of days before the lock date. For example, setting ChangeableForDays to 30 on Jan. 1, 2022 at 8pm UTC will set the lock date to Jan. 31, 2022 at 8pm UTC.

Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable. Therefore, you must set ChangeableForDays to 3 or greater.

Before the lock date, you can delete Vault Lock from the vault using delete_backup_vault_lock_configuration or change the Vault Lock configuration using put_backup_vault_lock_configuration. On and after the lock date, the Vault Lock becomes immutable and cannot be changed or deleted.

If this parameter is not specified, you can delete Vault Lock from the vault using delete_backup_vault_lock_configuration or change the Vault Lock configuration using put_backup_vault_lock_configuration at any time.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events; for example, arn:aws:sns:us-west-2:111122223333:MyVaultTopic.

[required] An array of events that indicate the status of jobs to back up resources to the backup vault.

For common use cases and code samples, see Using Amazon SNS to track Backup events.

The following events are supported:

• BACKUP_JOB_STARTED | BACKUP_JOB_COMPLETED

• COPY_JOB_STARTED | COPY_JOB_SUCCESSFUL | COPY_JOB_FAILED

• RESTORE_JOB_STARTED | RESTORE_JOB_COMPLETED | RECOVERY_POINT_MODIFIED

• S3_BACKUP_OBJECT_FAILED | S3_RESTORE_OBJECT_FAILED

The list below includes both supported events and deprecated events that are no longer in use (for reference). Deprecated events do not return statuses or notifications. Refer to the list above for the supported events.

[required] This is a unique identifier of a restore job within Backup.

[required] The status of your restore validation.

This is an optional message string you can input to describe the validation status for the restore test validation.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a resource. The format of the ARN depends on the resource type.

[required] Specifies the IAM role ARN used to create the target recovery point; for example, ⁠arn:aws:iam::123456789012:role/S3Access⁠.

A customer-chosen string that you can use to distinguish between otherwise identical calls to start_backup_job. Retrying a successful request with the same idempotency token results in a success message with no action taken.

A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. This value is optional, and the default is 8 hours. If this value is included, it must be at least 60 minutes to avoid errors.

This parameter has a maximum value of 100 years (52,560,000 minutes).

During the start window, the backup job status remains in CREATED status until it has successfully begun or until the start window time has run out. If within the start window time Backup receives an error that allows the job to be retried, Backup will automatically retry to begin the job at least every 10 minutes until the backup successfully begins (the job status changes to RUNNING) or until the job status changes to EXPIRED (which is expected to occur when the start window time is over).

A value in minutes during which a successfully started backup must complete, or else Backup will cancel the job. This value is optional. This value begins counting down from when the backup was scheduled. It does not add additional time for StartWindowMinutes, or if the backup started later than scheduled.

Like StartWindowMinutes, this parameter has a maximum value of 100 years (52,560,000 minutes).

The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. Backup will transition and expire backups automatically according to the lifecycle that you define.

Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, the “retention” setting must be 90 days greater than the “transition to cold after days” setting. The “transition to cold after days” setting cannot be changed after a backup has been transitioned to cold.

Resource types that can transition to cold storage are listed in the Feature availability by resource table. Backup ignores this expression for other resource types.

This parameter has a maximum value of 100 years (36,500 days).

The tags to assign to the resources.

The backup option for a selected resource. This option is only available for Windows Volume Shadow Copy Service (VSS) backup jobs.

Valid values: Set to "WindowsVSS":"enabled" to enable the WindowsVSS backup option and create a Windows VSS backup. Set to ⁠"WindowsVSS""disabled"⁠ to create a regular backup. The WindowsVSS option is not enabled by default.

Include this parameter to enable index creation if your backup job has a resource type that supports backup indexes.

Resource types that support backup indexes include:

• EBS for Amazon Elastic Block Store

• S3 for Amazon Simple Storage Service (Amazon S3)

Index can have 1 of 2 possible values, either ENABLED or DISABLED.

To create a backup index for an eligible ACTIVE recovery point that does not yet have a backup index, set value to ENABLED.

To delete a backup index, set value to DISABLED.

[required] An ARN that uniquely identifies a recovery point to use for the copy job; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

[required] The name of a logical source container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a destination backup vault to copy to; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

[required] Specifies the IAM role ARN used to copy the target recovery point; for example, ⁠arn:aws:iam::123456789012:role/S3Access⁠.

A customer-chosen string that you can use to distinguish between otherwise identical calls to start_copy_job. Retrying a successful request with the same idempotency token results in a success message with no action taken.

[required] The unique name of a report plan.

A customer-chosen string that you can use to distinguish between otherwise identical calls to StartReportJobInput. Retrying a successful request with the same idempotency token results in a success message with no action taken.

[required] An ARN that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

[required] A set of metadata key-value pairs.

You can get configuration metadata about a resource at the time it was backed up by calling get_recovery_point_restore_metadata. However, values in addition to those provided by get_recovery_point_restore_metadata might be required to restore a resource. For example, you might need to provide a new resource name if the original already exists.

For more information about the metadata for each resource, see the following:

• Metadata for Amazon Aurora

• Metadata for Amazon DocumentDB

• Metadata for CloudFormation

• Metadata for Amazon DynamoDB

• Metadata for Amazon EBS

• Metadata for Amazon EC2

• Metadata for Amazon EFS

• Metadata for Amazon FSx

• Metadata for Amazon Neptune

• Metadata for Amazon RDS

• Metadata for Amazon Redshift

• Metadata for Storage Gateway

• Metadata for Amazon S3

• Metadata for Amazon Timestream

• Metadata for virtual machines

The Amazon Resource Name (ARN) of the IAM role that Backup uses to create the target resource; for example: ⁠arn:aws:iam::123456789012:role/S3Access⁠.

A customer-chosen string that you can use to distinguish between otherwise identical calls to start_restore_job. Retrying a successful request with the same idempotency token results in a success message with no action taken.

Starts a job to restore a recovery point for one of the following resources:

• Aurora - Amazon Aurora

• DocumentDB - Amazon DocumentDB

• CloudFormation - CloudFormation

• DynamoDB - Amazon DynamoDB

• EBS - Amazon Elastic Block Store

• EC2 - Amazon Elastic Compute Cloud

• EFS - Amazon Elastic File System

• FSx - Amazon FSx

• Neptune - Amazon Neptune

• RDS - Amazon Relational Database Service

• Redshift - Amazon Redshift

• ⁠Storage Gateway⁠ - Storage Gateway

• S3 - Amazon Simple Storage Service

• Timestream - Amazon Timestream

• VirtualMachine - Virtual machines

This is an optional parameter. If this equals True, tags included in the backup will be copied to the restored resource.

This can only be applied to backups created through Backup.

[required] Uniquely identifies a request to Backup to back up a resource.

[required] An ARN that uniquely identifies a resource. The format of the ARN depends on the type of the tagged resource.

ARNs that do not include backup are incompatible with tagging. tag_resource and untag_resource with invalid ARNs will result in an error. Acceptable ARN content can include arn:aws:backup:us-east. Invalid ARN content may look like arn:aws:ec2:us-east.

[required] Key-value pairs that are used to help organize your resources. You can assign your own metadata to the resources you create. For clarity, this is the structure to assign tags: ⁠[{"Key":"string","Value":"string"}]⁠.

[required] An ARN that uniquely identifies a resource. The format of the ARN depends on the type of the tagged resource.

ARNs that do not include backup are incompatible with tagging. tag_resource and untag_resource with invalid ARNs will result in an error. Acceptable ARN content can include arn:aws:backup:us-east. Invalid ARN content may look like arn:aws:ec2:us-east.

[required] The keys to identify which key-value tags to remove from a resource.

[required] The ID of the backup plan.

[required] The body of a backup plan. Includes a BackupPlanName and one or more sets of Rules.

[required] The unique name of a framework. This name is between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

An optional description of the framework with a maximum 1,024 characters.

The controls that make up the framework. Each control in the list has a name, input parameters, and scope.

A customer-chosen string that you can use to distinguish between otherwise identical calls to UpdateFrameworkInput. Retrying a successful request with the same idempotency token results in a success message with no action taken.

A value for isCrossAccountBackupEnabled and a Region. Example: ⁠update-global-settings --global-settings isCrossAccountBackupEnabled=false --region us-west-2⁠.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

Accepted characters include lowercase letters, numbers, and hyphens.

[required] An ARN that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

This specifies the IAM role ARN used for this operation.

For example, arn:aws:iam::123456789012:role/S3Access

[required] Index can have 1 of 2 possible values, either ENABLED or DISABLED.

To create a backup index for an eligible ACTIVE recovery point that does not yet have a backup index, set value to ENABLED.

To delete a backup index, set value to DISABLED.

[required] The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

[required] An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, ⁠arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45⁠.

The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define.

Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, the “retention” setting must be 90 days greater than the “transition to cold after days” setting. The “transition to cold after days” setting cannot be changed after a backup has been transitioned to cold.

Updates the list of services along with the opt-in preferences for the Region.

If resource assignments are only based on tags, then service opt-in settings are applied. If a resource type is explicitly assigned to a backup plan, such as Amazon S3, Amazon EC2, or Amazon RDS, it will be included in the backup even if the opt-in is not enabled for that particular service. If both a resource type and tags are specified in a resource assignment, the resource type specified in the backup plan takes priority over the tag condition. Service opt-in settings are disregarded in this situation.

Enables or disables full Backup management of backups for a resource type. To enable full Backup management for DynamoDB along with Backup's advanced DynamoDB backup features, follow the procedure to enable advanced DynamoDB backup programmatically.

[required] The unique name of the report plan. This name is between 1 and 256 characters, starting with a letter, and consisting of letters (a-z, A-Z), numbers (0-9), and underscores (_).

An optional description of the report plan with a maximum 1,024 characters.

The information about where to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.

The report template for the report. Reports are built using a report template. The report templates are:

RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT

If the report template is RESOURCE_COMPLIANCE_REPORT or CONTROL_COMPLIANCE_REPORT, this API resource also describes the report coverage by Amazon Web Services Regions and frameworks.

A customer-chosen string that you can use to distinguish between otherwise identical calls to UpdateReportPlanInput. Retrying a successful request with the same idempotency token results in a success message with no action taken.

[required] Specifies the body of a restore testing plan.

[required] The name of the restore testing plan name.

[required] The restore testing plan name is required to update the indicated testing plan.

[required] To update your restore testing selection, you can use either protected resource ARNs or conditions, but not both. That is, if your selection has ProtectedResourceArns, requesting an update with the parameter ProtectedResourceConditions will be unsuccessful.

[required] The required restore testing selection name of the restore testing selection you wish to update.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the lifecycle policy.

[required] A description of the lifecycle policy. The characters ^[0-9A-Za-z _-]+$ are supported.

[required] The activation state of the lifecycle policy after creation.

The configuration details of the lifecycle policy.

If you create a default policy, you can specify the request parameters either in the request body, or in the PolicyDetails request structure, but not both.

The tags to apply to the lifecycle policy during creation.

[Default policies only] Specify the type of default policy to create.

• To create a default policy for EBS snapshots, that creates snapshots of all volumes in the Region that do not have recent backups, specify VOLUME.

• To create a default policy for EBS-backed AMIs, that creates EBS-backed AMIs from all instances in the Region that do not have recent backups, specify INSTANCE.

[Default policies only] Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.

Default: 1

[Default policies only] Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.

Default: 7

[Default policies only] Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is false.

Default: false

[Default policies only] Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.

By default (ExtendDeletion=false):

• If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify true.

• If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify true.

If you enable extended deletion (ExtendDeletion=true), you override both default behaviors simultaneously.

If you do not specify a value, the default is false.

Default: false

[Default policies only] Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.

[Default policies only] Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.

[required] The identifier of the lifecycle policy.

The identifiers of the data lifecycle policies.

The activation state.

The resource type.

The target tag for a policy.

Tags are strings in the format key=value.

The tags to add to objects created by the policy.

Tags are strings in the format key=value.

These user-defined tags are added in addition to the Amazon Web Services-added lifecycle tags.

[Default policies only] Specifies the type of default policy to get. Specify one of the following:

• VOLUME - To get only the default policy for EBS snapshots

• INSTANCE - To get only the default policy for EBS-backed AMIs

• ALL - To get all default policies

[required] The identifier of the lifecycle policy.

[required] The Amazon Resource Name (ARN) of the resource.

[required] The Amazon Resource Name (ARN) of the resource.

[required] One or more tags.

[required] The Amazon Resource Name (ARN) of the resource.

[required] The tag keys.

[required] The identifier of the lifecycle policy.

The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the lifecycle policy.

The desired activation state of the lifecycle policy after creation.

A description of the lifecycle policy.

The configuration of the lifecycle policy. You cannot update the policy type or the resource type.

[Default policies only] Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days.

[Default policies only] Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time.

[Default policies only] Indicates whether the policy should copy tags from the source resource to the snapshot or AMI.

[Default policies only] Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.

By default (ExtendDeletion=false):

• If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify true.

• If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify true.

If you enable extended deletion (ExtendDeletion=true), you override both default behaviors simultaneously.

Default: false

[Default policies only] Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.

[Default policies only] Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The ID of the snapshot.

[required] The number of blocks that were written to the snapshot.

An aggregated Base-64 SHA256 checksum based on the checksums of each written block.

To generate the aggregated checksum using the linear aggregation method, arrange the checksums for each written block in ascending order of their block index, concatenate them to form a single string, and then generate the checksum on the entire string using the SHA256 algorithm.

The algorithm used to generate the checksum. Currently, the only supported algorithm is SHA256.

The aggregation method used to generate the checksum. Currently, the only supported aggregation method is LINEAR.

[required] The ID of the snapshot containing the block from which to get data.

If the specified snapshot is encrypted, you must have permission to use the KMS key that was used to encrypt the snapshot. For more information, see Using encryption in the Amazon Elastic Compute Cloud User Guide.

[required] The block index of the block in which to read the data. A block index is a logical index in units of 512 KiB blocks. To identify the block index, divide the logical offset of the data in the logical volume by the block size (logical offset of data/524288). The logical offset of the data must be 512 KiB aligned.

[required] The block token of the block from which to get data. You can obtain the BlockToken by running the list_changed_blocks or list_snapshot_blocks operations.

The ID of the first snapshot to use for the comparison.

The FirstSnapshotID parameter must be specified with a SecondSnapshotId parameter; otherwise, an error occurs.

[required] The ID of the second snapshot to use for the comparison.

The SecondSnapshotId parameter must be specified with a FirstSnapshotID parameter; otherwise, an error occurs.

The token to request the next page of results.

If you specify NextToken, then StartingBlockIndex is ignored.

The maximum number of blocks to be returned by the request.

Even if additional blocks can be retrieved from the snapshot, the request can return less blocks than MaxResults or an empty array of blocks.

To retrieve the next set of blocks from the snapshot, make another request with the returned NextToken value. The value of NextToken is null when there are no more blocks to return.

The block index from which the comparison should start.

The list in the response will start from this block index or the next valid block index in the snapshots.

If you specify NextToken, then StartingBlockIndex is ignored.

[required] The ID of the snapshot from which to get block indexes and block tokens.

The token to request the next page of results.

If you specify NextToken, then StartingBlockIndex is ignored.

The maximum number of blocks to be returned by the request.

Even if additional blocks can be retrieved from the snapshot, the request can return less blocks than MaxResults or an empty array of blocks.

To retrieve the next set of blocks from the snapshot, make another request with the returned NextToken value. The value of NextToken is null when there are no more blocks to return.

The block index from which the list should start. The list in the response will start from this block index or the next valid block index in the snapshot.

If you specify NextToken, then StartingBlockIndex is ignored.

[required] The ID of the snapshot.

If the specified snapshot is encrypted, you must have permission to use the KMS key that was used to encrypt the snapshot. For more information, see Using encryption in the Amazon Elastic Compute Cloud User Guide..

[required] The block index of the block in which to write the data. A block index is a logical index in units of 512 KiB blocks. To identify the block index, divide the logical offset of the data in the logical volume by the block size (logical offset of data/524288). The logical offset of the data must be 512 KiB aligned.

[required] The data to write to the block.

The block data is not signed as part of the Signature Version 4 signing process. As a result, you must generate and provide a Base64-encoded SHA256 checksum for the block data using the x-amz-Checksum header. Also, you must specify the checksum algorithm using the x-amz-Checksum-Algorithm header. The checksum that you provide is part of the Signature Version 4 signing process. It is validated against a checksum generated by Amazon EBS to ensure the validity and authenticity of the data. If the checksums do not correspond, the request fails. For more information, see Using checksums with the EBS direct APIs in the Amazon Elastic Compute Cloud User Guide.

[required] The size of the data to write to the block, in bytes. Currently, the only supported size is 524288 bytes.

Valid values: 524288

The progress of the write process, as a percentage.

[required] A Base64-encoded SHA256 checksum of the data. Only SHA256 checksums are supported.

[required] The algorithm used to generate the checksum. Currently, the only supported algorithm is SHA256.

[required] The size of the volume, in GiB. The maximum size is 65536 GiB (64 TiB).

The ID of the parent snapshot. If there is no parent snapshot, or if you are creating the first snapshot for an on-premises volume, omit this parameter.

You can't specify ParentSnapshotId and Encrypted in the same request. If you specify both parameters, the request fails with ValidationException.

The encryption status of the snapshot depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your Amazon Web Services account is enabled for encryption by default. For more information, see Using encryption in the Amazon Elastic Compute Cloud User Guide.

If you specify an encrypted parent snapshot, you must have permission to use the KMS key that was used to encrypt the parent snapshot. For more information, see Permissions to use Key Management Service keys in the Amazon Elastic Compute Cloud User Guide.

The tags to apply to the snapshot.

A description for the snapshot.

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. Idempotency ensures that an API request completes only once. With an idempotent request, if the original request completes successfully. The subsequent retries with the same client token return the result from the original successful request and they have no additional effect.

If you do not specify a client token, one is automatically generated by the Amazon Web Services SDK.

For more information, see Idempotency for StartSnapshot API in the Amazon Elastic Compute Cloud User Guide.

Indicates whether to encrypt the snapshot.

You can't specify Encrypted and ParentSnapshotId in the same request. If you specify both parameters, the request fails with ValidationException.

The encryption status of the snapshot depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your Amazon Web Services account is enabled for encryption by default. For more information, see Using encryption in the Amazon Elastic Compute Cloud User Guide.

To create an encrypted snapshot, you must have permission to use the KMS key. For more information, see Permissions to use Key Management Service keys in the Amazon Elastic Compute Cloud User Guide.

The Amazon Resource Name (ARN) of the Key Management Service (KMS) key to be used to encrypt the snapshot.

The encryption status of the snapshot depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your Amazon Web Services account is enabled for encryption by default. For more information, see Using encryption in the Amazon Elastic Compute Cloud User Guide.

To create an encrypted snapshot, you must have permission to use the KMS key. For more information, see Permissions to use Key Management Service keys in the Amazon Elastic Compute Cloud User Guide.

The amount of time (in minutes) after which the snapshot is automatically cancelled if:

• No blocks are written to the snapshot.

• The snapshot is not completed after writing the last block of data.

If no value is specified, the timeout defaults to 60 minutes.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] A string of up to 64 ASCII characters that Amazon EFS uses to ensure idempotent creation.

Creates tags associated with the access point. Each tag is a key-value pair, each key must be unique. For more information, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference Guide.

[required] The ID of the EFS file system that the access point provides access to.

The operating system user and group applied to all file system requests made using the access point.

Specifies the directory on the EFS file system that the access point exposes as the root directory of your file system to NFS clients using the access point. The clients using the access point can only access the root directory and below. If the RootDirectory \> Path specified does not exist, Amazon EFS creates it and applies the CreationInfo settings when a client connects to an access point. When specifying a RootDirectory, you must provide the Path, and the CreationInfo.

Amazon EFS creates a root directory only if you have provided the CreationInfo: OwnUid, OwnGID, and permissions for the directory. If you do not provide this information, Amazon EFS does not create the root directory. If the root directory does not exist, attempts to mount using the access point will fail.

[required] A string of up to 64 ASCII characters. Amazon EFS uses this to ensure idempotent creation.

The performance mode of the file system. We recommend generalPurpose performance mode for all file systems. File systems using the maxIO performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The maxIO mode is not supported on One Zone file systems.

Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems.

Default is generalPurpose.

A Boolean value that, if true, creates an encrypted file system. When creating an encrypted file system, you have the option of specifying an existing Key Management Service key (KMS key). If you don't specify a KMS key, then the default KMS key for Amazon EFS, ⁠/aws/elasticfilesystem⁠, is used to protect the encrypted file system.

The ID of the KMS key that you want to use to protect the encrypted file system. This parameter is required only if you want to use a non-default KMS key. If this parameter is not specified, the default KMS key for Amazon EFS is used. You can specify a KMS key ID using the following formats:

• Key ID - A unique identifier of the key, for example ⁠1234abcd-12ab-34cd-56ef-1234567890ab⁠.

• ARN - An Amazon Resource Name (ARN) for the key, for example ⁠arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab⁠.

• Key alias - A previously created display name for a key, for example alias/projectKey1.

• Key alias ARN - An ARN for a key alias, for example arn:aws:kms:us-west-2:444455556666:alias/projectKey1.

If you use KmsKeyId, you must set the CreateFileSystemRequest$Encrypted parameter to true.

EFS accepts only symmetric KMS keys. You cannot use asymmetric KMS keys with Amazon EFS file systems.

Specifies the throughput mode for the file system. The mode can be bursting, provisioned, or elastic. If you set ThroughputMode to provisioned, you must also set a value for ProvisionedThroughputInMibps. After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see Specifying throughput with provisioned mode in the Amazon EFS User Guide.

Default is bursting.

The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ThroughputMode is set to provisioned. Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Amazon Web Services Support. For more information, see Amazon EFS quotas that you can increase in the Amazon EFS User Guide.

For One Zone file systems, specify the Amazon Web Services Availability Zone in which to create the file system. Use the format ⁠us-east-1a⁠ to specify the Availability Zone. For more information about One Zone file systems, see EFS file system types in the Amazon EFS User Guide.

One Zone file systems are not available in all Availability Zones in Amazon Web Services Regions where Amazon EFS is available.

Specifies whether automatic backups are enabled on the file system that you are creating. Set the value to true to enable automatic backups. If you are creating a One Zone file system, automatic backups are enabled by default. For more information, see Automatic backups in the Amazon EFS User Guide.

Default is false. However, if you specify an AvailabilityZoneName, the default is true.

Backup is not available in all Amazon Web Services Regions where Amazon EFS is available.

Use to create one or more tags associated with the file system. Each tag is a user-defined key-value pair. Name your file system on creation by including a ⁠"Key":"Name","Value":"{value}"⁠ key-value pair. Each key must be unique. For more information, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference Guide.

[required] The ID of the file system for which to create the mount target.

[required] The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.

Valid IPv4 address within the address range of the specified subnet.

Up to five VPC security group IDs, of the form sg-xxxxxxxx. These must be for the same VPC as subnet specified.

[required] Specifies the Amazon EFS file system that you want to replicate. This file system cannot already be a source or destination file system in another replication configuration.

[required] An array of destination configuration objects. Only one destination configuration object is supported.

[required] The ID of the file system whose tags you want to modify (String). This operation modifies the tags only, not the file system.

[required] An array of Tag objects to add. Each Tag object is a key-value pair.

[required] The ID of the access point that you want to delete.

[required] The ID of the file system you want to delete.

[required] Specifies the EFS file system for which to delete the FileSystemPolicy.

[required] The ID of the mount target to delete (String).

[required] The ID of the source file system in the replication configuration.

When replicating across Amazon Web Services accounts or across Amazon Web Services Regions, Amazon EFS deletes the replication configuration from both the source and destination account or Region (ALL_CONFIGURATIONS) by default. If there's a configuration or permissions issue that prevents Amazon EFS from deleting the replication configuration from both sides, you can use the LOCAL_CONFIGURATION_ONLY mode to delete the replication configuration from only the local side (the account or Region from which the delete is performed).

Only use the LOCAL_CONFIGURATION_ONLY mode in the case that Amazon EFS is unable to delete the replication configuration in both the source and destination account or Region. Deleting the local configuration leaves the configuration in the other account or Region unrecoverable.

Additionally, do not use this mode for same-account, same-region replication as doing so results in a BadRequest exception error.

[required] The ID of the file system whose tags you want to delete (String).

[required] A list of tag keys to delete.

(Optional) When retrieving all access points for a file system, you can optionally specify the MaxItems parameter to limit the number of objects returned in a response. The default value is 100.

NextToken is present if the response is paginated. You can use NextMarker in the subsequent request to fetch the next page of access point descriptions.

(Optional) Specifies an EFS access point to describe in the response; mutually exclusive with FileSystemId.

(Optional) If you provide a FileSystemId, EFS returns all access points for that file system; mutually exclusive with AccessPointId.

(Optional) You can use NextToken in a subsequent request to fetch the next page of Amazon Web Services account preferences if the response payload was paginated.

(Optional) When retrieving account preferences, you can optionally specify the MaxItems parameter to limit the number of objects returned in a response. The default value is 100.

[required] Specifies which EFS file system for which to retrieve the BackupPolicy.

[required] Specifies which EFS file system to retrieve the FileSystemPolicy for.

(Optional) Specifies the maximum number of file systems to return in the response (integer). This number is automatically set to 100. The response is paginated at 100 per page if you have more than 100 file systems.

(Optional) Opaque pagination token returned from a previous describe_file_systems operation (String). If present, specifies to continue the list from where the returning call had left off.

(Optional) Restricts the list to the file system with this creation token (String). You specify a creation token when you create an Amazon EFS file system.

(Optional) ID of the file system whose description you want to retrieve (String).

[required] The ID of the file system whose LifecycleConfiguration object you want to retrieve (String).

[required] The ID of the mount target whose security groups you want to retrieve.

(Optional) Maximum number of mount targets to return in the response. Currently, this number is automatically set to 10, and other values are ignored. The response is paginated at 100 per page if you have more than 100 mount targets.

(Optional) Opaque pagination token returned from a previous describe_mount_targets operation (String). If present, it specifies to continue the list from where the previous returning call left off.

(Optional) ID of the file system whose mount targets you want to list (String). It must be included in your request if an AccessPointId or MountTargetId is not included. Accepts either a file system ID or ARN as input.

(Optional) ID of the mount target that you want to have described (String). It must be included in your request if FileSystemId is not included. Accepts either a mount target ID or ARN as input.

(Optional) The ID of the access point whose mount targets that you want to list. It must be included in your request if a FileSystemId or MountTargetId is not included in your request. Accepts either an access point ID or ARN as input.

You can retrieve the replication configuration for a specific file system by providing its file system ID. For cross-account,cross-region replication, an account can only describe the replication configuration for a file system in its own Region.

NextToken is present if the response is paginated. You can use NextToken in a subsequent request to fetch the next page of output.

(Optional) To limit the number of objects returned in a response, you can specify the MaxItems parameter. The default value is 100.

(Optional) The maximum number of file system tags to return in the response. Currently, this number is automatically set to 100, and other values are ignored. The response is paginated at 100 per page if you have more than 100 tags.

(Optional) An opaque pagination token returned from a previous describe_tags operation (String). If present, it specifies to continue the list from where the previous call left off.

[required] The ID of the file system whose tag set you want to retrieve.

[required] Specifies the EFS resource you want to retrieve tags for. You can retrieve tags for EFS file systems and access points using this API endpoint.

(Optional) Specifies the maximum number of tag objects to return in the response. The default value is 100.

(Optional) You can use NextToken in a subsequent request to fetch the next page of access point descriptions if the response payload was paginated.

[required] The ID of the mount target whose security groups you want to modify.

An array of up to five VPC security group IDs.

[required] Specifies the EFS resource ID preference to set for the user's Amazon Web Services account, in the current Amazon Web Services Region, either LONG_ID (17 characters), or SHORT_ID (8 characters).

Starting in October, 2021, you will receive an error when setting the account preference to SHORT_ID. Contact Amazon Web Services support if you receive an error and must use short IDs for file system and mount target resources.

[required] Specifies which EFS file system to update the backup policy for.

[required] The backup policy included in the put_backup_policy request.

[required] The ID of the EFS file system that you want to create or update the FileSystemPolicy for.

[required] The FileSystemPolicy that you're creating. Accepts a JSON formatted policy definition. EFS file system policies have a 20,000 character limit. To find out more about the elements that make up a file system policy, see Resource-based policies within Amazon EFS.

(Optional) A boolean that specifies whether or not to bypass the FileSystemPolicy lockout safety check. The lockout safety check determines whether the policy in the request will lock out, or prevent, the IAM principal that is making the request from making future put_file_system_policy requests on this file system. Set BypassPolicyLockoutSafetyCheck to True only when you intend to prevent the IAM principal that is making the request from making subsequent put_file_system_policy requests on this file system. The default value is False.

[required] The ID of the file system for which you are creating the LifecycleConfiguration object (String).

[required] An array of LifecyclePolicy objects that define the file system's LifecycleConfiguration object. A LifecycleConfiguration object informs lifecycle management of the following:

• TransitionToIA – When to move files in the file system from primary storage (Standard storage class) into the Infrequent Access (IA) storage.

• TransitionToArchive – When to move files in the file system from their current storage class (either IA or Standard storage) into the Archive storage.

  File systems cannot transition into Archive storage before transitioning into IA storage. Therefore, TransitionToArchive must either not be set or must be later than TransitionToIA.

  The Archive storage class is available only for file systems that use the Elastic throughput mode and the General Purpose performance mode.

• TransitionToPrimaryStorageClass – Whether to move files in the file system back to primary storage (Standard storage class) after they are accessed in IA or Archive storage.

When using the put-lifecycle-configuration CLI command or the put_lifecycle_configuration API action, Amazon EFS requires that each LifecyclePolicy object have only a single transition. This means that in a request body, LifecyclePolicies must be structured as an array of LifecyclePolicy objects, one object for each storage transition. See the example requests in the following section for more information.

[required] The ID specifying the EFS resource that you want to create a tag for.

[required] An array of Tag objects to add. Each Tag object is a key-value pair.

[required] Specifies the EFS resource that you want to remove tags from.

[required] The keys of the key-value tag pairs that you want to remove from the specified EFS resource.

[required] The ID of the file system that you want to update.

(Optional) Updates the file system's throughput mode. If you're not updating your throughput mode, you don't need to provide this value in your request. If you are changing the ThroughputMode to provisioned, you must also set a value for ProvisionedThroughputInMibps.

(Optional) The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ThroughputMode is set to provisioned. Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Amazon Web Services Support. For more information, see Amazon EFS quotas that you can increase in the Amazon EFS User Guide.

[required] The ID of the file system to update.

The status of the file system's replication overwrite protection.

• ENABLED – The file system cannot be used as the destination file system in a replication configuration. The file system is writeable. Replication overwrite protection is ENABLED by default.

• DISABLED – The file system can be used as the destination file system in a replication configuration. The file system is read-only and can only be modified by EFS replication.

• REPLICATING – The file system is being used as the destination file system in a replication configuration. The file system is read-only and is only modified only by EFS replication.

If the replication configuration is deleted, the file system's replication overwrite protection is re-enabled and the file system becomes writeable.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The unique identifier for the permission group.

[required] The unique identifier for the user.

A token that ensures idempotency. This token expires in 10 minutes.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the FinSpace Dataset where the Changeset will be created.

[required] The option to indicate how a Changeset will be applied to a Dataset.

• REPLACE – Changeset will be considered as a replacement to all prior loaded Changesets.

• APPEND – Changeset will be considered as an addition to the end of all prior loaded Changesets.

• MODIFY – Changeset is considered as a replacement to a specific prior ingested Changeset.

[required] Options that define the location of the data being ingested (s3SourcePath) and the source of the changeset (sourceType).

Both s3SourcePath and sourceType are required attributes.

Here is an example of how you could specify the sourceParams:

⁠"sourceParams": { "s3SourcePath": "s3://finspace-landing-us-east-2-bk7gcfvitndqa6ebnvys4d/scratch/wr5hh8pwkpqqkxa4sxrmcw/ingestion/equity.csv", "sourceType": "S3" }⁠

The S3 path that you specify must allow the FinSpace role access. To do that, you first need to configure the IAM policy on S3 bucket. For more information, see Loading data from an Amazon S3 Bucket using the FinSpace API section.

[required] Options that define the structure of the source file(s) including the format type (formatType), header row (withHeader), data separation character (separator) and the type of compression (compression).

formatType is a required attribute and can have the following values:

• PARQUET – Parquet source file format.

• CSV – CSV source file format.

• JSON – JSON source file format.

• XML – XML source file format.

Here is an example of how you could specify the formatParams:

⁠"formatParams": { "formatType": "CSV", "withHeader": "true", "separator": ",", "compression":"None" }⁠

Note that if you only provide formatType as CSV, the rest of the attributes will automatically default to CSV values as following:

⁠{ "withHeader": "true", "separator": "," }⁠

For more information about supported file formats, see Supported Data Types and File Formats in the FinSpace User Guide.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique Dataset identifier that is used to create a Dataview.

Flag to indicate Dataview should be updated automatically.

Columns to be used for sorting the data.

Ordered set of column names used to partition data.

Beginning time to use for the Dataview. The value is determined as epoch time in milliseconds. For example, the value for Monday, November 1, 2021 12:00:00 PM UTC is specified as 1635768000000.

[required] Options that define the destination type for the Dataview.

A token that ensures idempotency. This token expires in 10 minutes.

[required] Display title for a FinSpace Dataset.

[required] The format in which Dataset data is structured.

• TABULAR – Data is structured in a tabular format.

• NON_TABULAR – Data is structured in a non-tabular format.

Description of a Dataset.

Contact information for a Dataset owner.

[required] Permission group parameters for Dataset permissions.

The unique resource identifier for a Dataset.

Definition for a schema on a tabular Dataset.

[required] The name of the permission group.

A brief description for the permission group.

[required] The option to indicate FinSpace application permissions that are granted to a specific group.

When assigning application permissions, be aware that the permission ManageUsersAndGroups allows users to grant themselves or others access to any functionality in their FinSpace environment's application. It should only be granted to trusted users.

• create_dataset – Group members can create new datasets.

• ManageClusters – Group members can manage Apache Spark clusters from FinSpace notebooks.

• ManageUsersAndGroups – Group members can manage users and permission groups. This is a privileged permission that allows users to grant themselves or others access to any functionality in the application. It should only be granted to trusted users.

• ManageAttributeSets – Group members can manage attribute sets.

• ViewAuditData – Group members can view audit data.

• AccessNotebooks – Group members will have access to FinSpace notebooks.

• GetTemporaryCredentials – Group members can get temporary API credentials.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The email address of the user that you want to register. The email address serves as a uniquer identifier for each user and cannot be changed after it's created.

[required] The option to indicate the type of user. Use one of the following options to specify this parameter:

• SUPER_USER – A user with permission to all the functionality and data in FinSpace.

• APP_USER – A user with specific permissions in FinSpace. The users are assigned permissions by adding them to a permission group.

The first name of the user that you want to register.

The last name of the user that you want to register.

The option to indicate whether the user can use the get_programmatic_access_credentials API to obtain credentials that can then be used to access other FinSpace Data API operations.

• ENABLED – The user has permissions to use the APIs.

• DISABLED – The user does not have permissions to use any APIs.

The ARN identifier of an AWS user or role that is allowed to call the get_programmatic_access_credentials API to obtain a credentials token for a specific FinSpace user. This must be an IAM role within your FinSpace account.

A token that ensures idempotency. This token expires in 10 minutes.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier of the Dataset to be deleted.

[required] The unique identifier for the permission group that you want to delete.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the user that you want to deactivate.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the permission group.

[required] The unique identifier for the user.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the user that you want to activate.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the FinSpace Dataset where the Changeset is created.

[required] The unique identifier of the Changeset for which to get data.

[required] The unique identifier for the Dataview.

[required] The unique identifier for the Dataset used in the Dataview.

[required] The unique identifier for a Dataset.

[required] The unique identifier for the Dataview that you want to access.

[required] The unique identifier for the Dataset.

[required] The unique identifier for the permission group.

The time duration in which the credentials remain valid.

[required] The FinSpace environment identifier.

[required] The unique identifier of the user to get data for.

Specify the type of the working location.

• SAGEMAKER – Use the Amazon S3 location as a temporary location to store data content when working with FinSpace Notebooks that run on SageMaker studio.

• INGESTION – Use the Amazon S3 location as a staging location to copy your data content and then use the location with the Changeset creation operation.

[required] The unique identifier for the FinSpace Dataset to which the Changeset belongs.

The maximum number of results per page.

A token that indicates where a results page should begin.

[required] The unique identifier of the Dataset for which to retrieve Dataviews.

A token that indicates where a results page should begin.

The maximum number of results per page.

A token that indicates where a results page should begin.

The maximum number of results per page.

A token that indicates where a results page should begin.

[required] The maximum number of results per page.

[required] The unique identifier for the user.

A token that indicates where a results page should begin.

[required] The maximum number of results per page.

A token that indicates where a results page should begin.

[required] The maximum number of results per page.

[required] The unique identifier for the permission group.

A token that indicates where a results page should begin.

[required] The maximum number of results per page.

[required] The unique identifier of the user that a temporary password is requested for.

A token that ensures idempotency. This token expires in 10 minutes.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the FinSpace Dataset in which the Changeset is created.

[required] The unique identifier for the Changeset to update.

[required] Options that define the location of the data being ingested (s3SourcePath) and the source of the changeset (sourceType).

Both s3SourcePath and sourceType are required attributes.

Here is an example of how you could specify the sourceParams:

⁠"sourceParams": { "s3SourcePath": "s3://finspace-landing-us-east-2-bk7gcfvitndqa6ebnvys4d/scratch/wr5hh8pwkpqqkxa4sxrmcw/ingestion/equity.csv", "sourceType": "S3" }⁠

The S3 path that you specify must allow the FinSpace role access. To do that, you first need to configure the IAM policy on S3 bucket. For more information, see Loading data from an Amazon S3 Bucket using the FinSpace APIsection.

[required] Options that define the structure of the source file(s) including the format type (formatType), header row (withHeader), data separation character (separator) and the type of compression (compression).

formatType is a required attribute and can have the following values:

• PARQUET – Parquet source file format.

• CSV – CSV source file format.

• JSON – JSON source file format.

• XML – XML source file format.

Here is an example of how you could specify the formatParams:

⁠"formatParams": { "formatType": "CSV", "withHeader": "true", "separator": ",", "compression":"None" }⁠

Note that if you only provide formatType as CSV, the rest of the attributes will automatically default to CSV values as following:

⁠{ "withHeader": "true", "separator": "," }⁠

For more information about supported file formats, see Supported Data Types and File Formats in the FinSpace User Guide.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the Dataset to update.

[required] A display title for the Dataset.

[required] The format in which the Dataset data is structured.

• TABULAR – Data is structured in a tabular format.

• NON_TABULAR – Data is structured in a non-tabular format.

A description for the Dataset.

The unique resource identifier for a Dataset.

Definition for a schema on a tabular Dataset.

[required] The unique identifier for the permission group to update.

The name of the permission group.

A brief description for the permission group.

The permissions that are granted to a specific group for accessing the FinSpace application.

When assigning application permissions, be aware that the permission ManageUsersAndGroups allows users to grant themselves or others access to any functionality in their FinSpace environment's application. It should only be granted to trusted users.

• create_dataset – Group members can create new datasets.

• ManageClusters – Group members can manage Apache Spark clusters from FinSpace notebooks.

• ManageUsersAndGroups – Group members can manage users and permission groups. This is a privileged permission that allows users to grant themselves or others access to any functionality in the application. It should only be granted to trusted users.

• ManageAttributeSets – Group members can manage attribute sets.

• ViewAuditData – Group members can view audit data.

• AccessNotebooks – Group members will have access to FinSpace notebooks.

• GetTemporaryCredentials – Group members can get temporary API credentials.

A token that ensures idempotency. This token expires in 10 minutes.

[required] The unique identifier for the user that you want to update.

The option to indicate the type of user.

• SUPER_USER– A user with permission to all the functionality and data in FinSpace.

• APP_USER – A user with specific permissions in FinSpace. The users are assigned permissions by adding them to a permission group.

The first name of the user.

The last name of the user.

The option to indicate whether the user can use the get_programmatic_access_credentials API to obtain credentials that can then be used to access other FinSpace Data API operations.

• ENABLED – The user has permissions to use the APIs.

• DISABLED – The user does not have permissions to use any APIs.

The ARN identifier of an AWS user or role that is allowed to call the get_programmatic_access_credentials API to obtain a credentials token for a specific FinSpace user. This must be an IAM role within your FinSpace account.

A token that ensures idempotency. This token expires in 10 minutes.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] Specifies the file system with which you want to associate one or more DNS aliases.

[required] An array of one or more DNS alias names to associate with the file system. The alias name has to comply with the following formatting requirements:

• Formatted as a fully-qualified domain name (FQDN), hostname.domain , for example, accounting.corp.example.com.

• Can contain alphanumeric characters and the hyphen (-).

• Cannot start or end with a hyphen.

• Can start with a numeric.

For DNS alias names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: as uppercase letters, lowercase letters, or the corresponding letters in escape codes.

[required] Specifies the data repository task to cancel.

[required] The ID of the source backup. Specifies the ID of the backup that's being copied.

The source Amazon Web Services Region of the backup. Specifies the Amazon Web Services Region from which the backup is being copied. The source and destination Regions must be in the same Amazon Web Services partition. If you don't specify a Region, SourceRegion defaults to the Region where the request is sent from (in-Region copy).

A Boolean flag indicating whether tags from the source backup should be copied to the backup copy. This value defaults to false.

If you set CopyTags to true and the source backup has existing tags, you can use the Tags parameter to create new tags, provided that the sum of the source backup tags and the new tags doesn't exceed 50. Both sets of tags are merged. If there are tag conflicts (for example, two tags with the same key but different values), the tags created with the Tags parameter take precedence.

[required] Specifies the ID of the volume that you are copying the snapshot to.

[required]

Specifies the strategy to use when copying data from a snapshot to the volume.

• FULL_COPY - Copies all data from the snapshot to the volume.

• INCREMENTAL_COPY - Copies only the snapshot data that's changed since the previous replication.

CLONE isn't a valid copy strategy option for the copy_snapshot_and_update_volume operation.

Confirms that you want to delete data on the destination volume that wasn’t there during the previous snapshot replication.

Your replication will fail if you don’t include an option for a specific type of data and that data is on your destination. For example, if you don’t include DELETE_INTERMEDIATE_SNAPSHOTS and there are intermediate snapshots on the destination, you can’t copy the snapshot.

• DELETE_INTERMEDIATE_SNAPSHOTS - Deletes snapshots on the destination volume that aren’t on the source volume.

• DELETE_CLONED_VOLUMES - Deletes snapshot clones on the destination volume that aren't on the source volume.

• DELETE_INTERMEDIATE_DATA - Overwrites snapshots on the destination volume that don’t match the source snapshot that you’re copying.

The ID of the file system to back up.

(Optional) A string of up to 63 ASCII characters that Amazon FSx uses to ensure idempotent creation. This string is automatically filled on your behalf when you use the Command Line Interface (CLI) or an Amazon Web Services SDK.

(Optional) The tags to apply to the backup at backup creation. The key value of the Name tag appears in the console as the backup name. If you have set CopyTagsToBackups to true, and you specify one or more tags using the create_backup operation, no existing file system tags are copied from the file system to the backup.

(Optional) The ID of the FSx for ONTAP volume to back up.

[required]

A path on the file system that points to a high-level directory (such as ⁠/ns1/⁠) or subdirectory (such as ⁠/ns1/subdir/⁠) that will be mapped 1-1 with DataRepositoryPath. The leading forward slash in the name is required. Two data repository associations cannot have overlapping file system paths. For example, if a data repository is associated with file system path ⁠/ns1/⁠, then you cannot link another data repository with file system path ⁠/ns1/ns2⁠.

This path specifies where in your file system files will be exported from or imported to. This file system directory can be linked to only one Amazon S3 bucket, and no other S3 bucket can be linked to the directory.

If you specify only a forward slash (/) as the file system path, you can link only one data repository to the file system. You can only specify "/" as the file system path for the first data repository associated with a file system.

[required] The path to the Amazon S3 data repository that will be linked to the file system. The path can be an S3 bucket or prefix in the format ⁠s3://bucket-name/prefix/⁠ (where prefix is optional). This path specifies where in the S3 data repository files will be imported from or exported to.

Set to true to run an import data repository task to import metadata from the data repository to the file system after the data repository association is created. Default is false.

For files imported from a data repository, this value determines the stripe count and maximum amount of data per file (in MiB) stored on a single physical disk. The maximum number of disks that a single file can be striped across is limited by the total number of disks that make up the file system.

The default chunk size is 1,024 MiB (1 GiB) and can go as high as 512,000 MiB (500 GiB). Amazon S3 objects have a maximum size of 5 TB.

The configuration for an Amazon S3 data repository linked to an Amazon FSx Lustre file system with a data repository association. The configuration defines which file events (new, changed, or deleted files or directories) are automatically imported from the linked data repository to the file system or automatically exported from the file system to the data repository.