Reading25 min read·Module 2

AWS Backup & Recovery

Key concepts

  • Centralized backup management

  • Backup plans and rules

  • Cross-region backup

  • Point-in-time recovery

  • Backup vault lock

Introduction

AWS Backup is a fully managed, centralized backup service that automates and centralizes data protection across AWS services and hybrid workloads. It provides policy-based backup management, cross-region and cross-account copy capabilities, and compliance auditing features essential for enterprise backup strategies.

AWS Backup Core Concept

AWS Backup centralizes backup management across 15+ AWS services using backup plans (policies) and backup vaults (storage). Key features include automated scheduling, retention management, cross-region/cross-account copy, and compliance auditing with Vault Lock for WORM protection.


AWS Backup Components

Backup Plans

Backup plans define your backup schedule, retention, and lifecycle policies.

Backup Plan Structure

Components of a Backup Plan:

  1. Backup Rules: Define when and how to backup

    • Backup frequency (hourly, daily, weekly, monthly)
    • Backup window (start time and duration)
    • Lifecycle (transition to cold storage, deletion)
    • Copy to destination (cross-region/cross-account)
  2. Resource Assignments: Define what to backup

    • By resource type (EC2, RDS, EFS, etc.)
    • By tags (e.g., Environment=Production)
    • By resource ARN
  3. Advanced Settings:

    • Windows VSS (application-consistent backups)
    • Continuous backup (point-in-time recovery)
SHBackup Plan Configuration (CLI)
```bash
# Create a backup plan
aws backup create-backup-plan --backup-plan '{
    "BackupPlanName": "DailyBackupPlan",
    "Rules": [{
        "RuleName": "DailyBackup",
        "TargetBackupVaultName": "ProductionVault",
        "ScheduleExpression": "cron(0 5 ? * * *)",
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 180,
        "Lifecycle": {
            "MoveToColdStorageAfterDays": 30,
            "DeleteAfterDays": 365
        },
        "CopyActions": [{
            "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789:backup-vault:DRVault",
            "Lifecycle": {
                "DeleteAfterDays": 365
            }
        }]
    }]
}'

# Assign resources by tag
aws backup create-backup-selection --backup-plan-id plan-123 \
    --backup-selection '{
        "SelectionName": "ProductionResources",
        "IamRoleArn": "arn:aws:iam::123456789:role/AWSBackupRole",
        "Resources": [],
        "ListOfTags": [{
            "ConditionType": "STRINGEQUALS",
            "ConditionKey": "Environment",
            "ConditionValue": "Production"
        }]
    }'
```

Backup Vaults

Backup vaults are containers that store and organize your recovery points (backups).

Backup Vault Features

Key Characteristics:

  • Encrypted with AWS KMS (customer-managed or AWS-managed keys)
  • Access controlled via vault access policies
  • Recovery points cannot be deleted if Vault Lock is enabled

Vault Types:

  • Standard Vault: Default vault for backup storage
  • Logically Air-Gapped Vault: Isolated vault for enhanced security (additional protection against accidental or malicious deletion)

Cross-Account Requirements:

  • Must use customer-managed KMS keys (not AWS-managed)
  • Vault access policy must allow cross-account access
  • Re-encrypts backups with destination vault's KMS key

Recovery Points

Recovery points are the actual backup snapshots stored in vaults.


Supported Services

AWS Backup Supported Services

ServiceBackup TypeAdvanced FeaturesPITR Support
Amazon EC2AMI-basedWindows VSSNo
Amazon EBSSnapshotsWindows VSSNo
Amazon RDSSnapshotsFull featureYes
Amazon AuroraSnapshotsFull featureYes
Amazon DynamoDBOn-demandFull feature (opt-in)Yes
Amazon EFSFile-levelFull featureYes
Amazon FSxSnapshots-No
Amazon S3Object-levelFull featureYes
AWS Storage GatewaySnapshots-No
Amazon DocumentDBSnapshots-Yes
Amazon NeptuneSnapshots-Yes
Amazon RedshiftSnapshots-No
SAP HANA on EC2Full backupFull featureYes
VMware VMsFull backupFull featureNo
Exam Tip

For DynamoDB, you must explicitly opt-in to AWS Backup advanced features in the AWS Backup settings. Other services like EFS, S3, and Timestream automatically support advanced features.


Cross-Region Backup

Cross-Region Backup Copy

How It Works:

  1. AWS Backup creates recovery point in source region
  2. Copy rule triggers cross-region copy
  3. Backup is re-encrypted with destination vault's KMS key
  4. First copy is full; subsequent copies may be incremental

Configuration:

  • Add "Copy to destination" rule in backup plan
  • Specify destination vault ARN (different region)
  • Configure separate retention for copied backup

Use Cases:

  • Disaster recovery to another region
  • Compliance with data residency requirements
  • Geographic redundancy
Cross-Region Backup Architecture
Automated backup copy from primary region to DR region using AWS Backup

Cross-Account Backup

Cross-Account Backup Copy

Requirements:

  1. Both accounts must be in same AWS Organization
  2. Enable cross-account management in AWS Backup settings
  3. Use customer-managed KMS keys (not AWS-managed)
  4. Configure vault access policy in destination account

Setup Steps:

  1. Enable "Cross-account management" in management account
  2. Create backup vault with customer-managed KMS key in destination
  3. Configure vault access policy to allow source account
  4. Add cross-account copy rule to backup plan

Security Considerations:

  • Backups re-encrypted with destination vault's KMS key
  • Source account cannot delete backups in destination account
  • Provides protection against account compromise
JSONCross-Account Vault Policy
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountCopy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
            },
            "Action": [
                "backup:CopyIntoBackupVault"
            ],
            "Resource": "*"
        }
    ]
}
```

AWS Backup Vault Lock

Vault Lock (WORM Protection)

What is Vault Lock? Enables Write-Once-Read-Many (WORM) protection for recovery points. Once locked, backups cannot be deleted by anyone, including the root user.

Lock Modes:

  • Governance Mode: Authorized users can modify/delete with special permissions
  • Compliance Mode: NO ONE can delete until retention period expires (truly immutable)

Configuration Parameters:

  • Min Retention Days: Minimum retention period enforced
  • Max Retention Days: Maximum retention period allowed
  • Changeable For Days: Grace period before lock becomes immutable

Compliance Use Cases:

  • SEC Rule 17a-4(f)
  • CFTC Rule 1.31(c)-(d)
  • FINRA regulations
  • Healthcare (HIPAA)
Vault Lock is Irreversible

Once a vault lock is applied in Compliance mode and the grace period expires, it CANNOT be removed or modified. Carefully plan retention periods before applying vault lock. Test with Governance mode first.


AWS Backup Audit Manager

Backup Audit Manager

Purpose: Audit and report on compliance of your backup activities.

Key Features:

  • Pre-built and custom compliance frameworks
  • Automated compliance reports
  • CloudWatch integration for alerts

Built-in Frameworks:

  • AWS Backup best practices
  • Custom frameworks for specific regulations

Reports Generated:

  • Backup jobs report
  • Copy jobs report
  • Restore jobs report
  • Compliance report

Use Cases:

  • Demonstrate backup compliance to auditors
  • Monitor backup policy adherence
  • Track backup SLA compliance

Continuous Backup and PITR

Point-in-Time Recovery (PITR)

Supported Services:

  • Amazon RDS
  • Amazon Aurora
  • Amazon DynamoDB (with opt-in)
  • Amazon S3 (versioning-based)
  • Amazon EFS

Retention:

  • Continuous backups retained for 1-35 days
  • Allows restore to any second within retention window

How It Works:

  1. Enable continuous backup in backup rule
  2. AWS Backup maintains transaction logs
  3. Restore to any point within retention period
  4. Combines full backups with transaction log replay

AWS Organizations Integration

Centralized Backup Management

Features:

  • Backup policies deployed across member accounts
  • Cross-account monitoring from management account
  • Delegated administrator support

Setup:

  1. Enable backup policies in AWS Organizations
  2. Enable cross-account monitoring in AWS Backup
  3. Optionally delegate to backup admin account

Benefits:

  • Consistent backup policies organization-wide
  • Centralized visibility into all backup jobs
  • Reduced management overhead
  • Compliance enforcement at scale

Common Exam Scenarios

Exam Tip

AWS Backup Scenarios: Centralized backup → AWS Backup | Copy to DR region → Cross-region copy | Protect from deletion → Vault Lock Compliance mode | Compliance reporting → Backup Audit Manager | Point-in-time restore → Continuous backup + PITR | Org-wide policy → Organizations integration | Tag-based selection → Resource assignment by tags

Q

A company needs to ensure their backups cannot be deleted by anyone, including administrators, for 7 years to meet regulatory compliance. What should they configure?

AVault access policy denying delete actions
BAWS Backup Vault Lock in Compliance mode
CS3 Object Lock in Governance mode
DIAM policy denying backup:DeleteRecoveryPoint
Q

A company wants to automatically backup all EC2 instances tagged with 'Backup=Daily' to a vault in both us-east-1 and eu-west-1. How should they configure this?

ACreate two separate backup plans, one for each region
BCreate one backup plan with a copy rule to eu-west-1 vault
CUse S3 Cross-Region Replication for EC2 backups
DEnable EC2 instance replication to eu-west-1
Q

Which of the following are requirements for AWS Backup cross-account copy? (Select TWO)

ABoth accounts must use the same AWS Region
BDestination vault must use customer-managed KMS key
CBoth accounts must be in the same AWS Organization
DSource and destination vaults must have the same name
ES3 Cross-Region Replication must be enabled

Best Practices

AWS Backup Best Practices
  1. Use tags for resource selection: Easier management as resources are added/removed
  2. Implement cross-region copy: For disaster recovery requirements
  3. Enable Vault Lock for compliance: Use Compliance mode for regulatory requirements
  4. Test restores regularly: Backup is only valuable if restore works
  5. Use lifecycle policies: Transition old backups to cold storage to reduce costs
  6. Monitor with CloudWatch: Set alarms for failed backup/restore jobs
  7. Leverage Organizations: Centralize backup management across accounts
  8. Document retention requirements: Align backup retention with business/compliance needs
  9. Use Backup Audit Manager: Generate compliance reports for auditors
  10. Separate backup vaults by environment: Production, staging, development

Summary

AWS Backup provides centralized, policy-driven backup management across AWS services:

  • Backup Plans: Define schedules, retention, and cross-region/cross-account copy rules
  • Backup Vaults: Secure, encrypted containers for recovery points
  • Cross-Region/Cross-Account: DR and compliance with geographic separation
  • Vault Lock: WORM protection for immutable backups
  • Audit Manager: Compliance reporting and monitoring
  • Organizations Integration: Enterprise-scale backup management

Understanding these components and their configuration is essential for designing resilient architectures on the SAA-C03 exam.

Related services

AWS BackupRDSEBSEFS