AWS Backup & Recovery
Key concepts
Centralized backup management
Backup plans and rules
Cross-region backup
Point-in-time recovery
Backup vault lock
Introduction
AWS Backup is a fully managed, centralized backup service that automates and centralizes data protection across AWS services and hybrid workloads. It provides policy-based backup management, cross-region and cross-account copy capabilities, and compliance auditing features essential for enterprise backup strategies.
AWS Backup Core Concept
AWS Backup centralizes backup management across 15+ AWS services using backup plans (policies) and backup vaults (storage). Key features include automated scheduling, retention management, cross-region/cross-account copy, and compliance auditing with Vault Lock for WORM protection.
AWS Backup Components
Backup Plans
Backup plans define your backup schedule, retention, and lifecycle policies.
Backup Plan Structure
Components of a Backup Plan:
-
Backup Rules: Define when and how to backup
- Backup frequency (hourly, daily, weekly, monthly)
- Backup window (start time and duration)
- Lifecycle (transition to cold storage, deletion)
- Copy to destination (cross-region/cross-account)
-
Resource Assignments: Define what to backup
- By resource type (EC2, RDS, EFS, etc.)
- By tags (e.g., Environment=Production)
- By resource ARN
-
Advanced Settings:
- Windows VSS (application-consistent backups)
- Continuous backup (point-in-time recovery)
```bash
# Create a backup plan
aws backup create-backup-plan --backup-plan '{
"BackupPlanName": "DailyBackupPlan",
"Rules": [{
"RuleName": "DailyBackup",
"TargetBackupVaultName": "ProductionVault",
"ScheduleExpression": "cron(0 5 ? * * *)",
"StartWindowMinutes": 60,
"CompletionWindowMinutes": 180,
"Lifecycle": {
"MoveToColdStorageAfterDays": 30,
"DeleteAfterDays": 365
},
"CopyActions": [{
"DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789:backup-vault:DRVault",
"Lifecycle": {
"DeleteAfterDays": 365
}
}]
}]
}'
# Assign resources by tag
aws backup create-backup-selection --backup-plan-id plan-123 \
--backup-selection '{
"SelectionName": "ProductionResources",
"IamRoleArn": "arn:aws:iam::123456789:role/AWSBackupRole",
"Resources": [],
"ListOfTags": [{
"ConditionType": "STRINGEQUALS",
"ConditionKey": "Environment",
"ConditionValue": "Production"
}]
}'
```Backup Vaults
Backup vaults are containers that store and organize your recovery points (backups).
Backup Vault Features
Key Characteristics:
- Encrypted with AWS KMS (customer-managed or AWS-managed keys)
- Access controlled via vault access policies
- Recovery points cannot be deleted if Vault Lock is enabled
Vault Types:
- Standard Vault: Default vault for backup storage
- Logically Air-Gapped Vault: Isolated vault for enhanced security (additional protection against accidental or malicious deletion)
Cross-Account Requirements:
- Must use customer-managed KMS keys (not AWS-managed)
- Vault access policy must allow cross-account access
- Re-encrypts backups with destination vault's KMS key
Recovery Points
Recovery points are the actual backup snapshots stored in vaults.
Supported Services
AWS Backup Supported Services
| Service | Backup Type | Advanced Features | PITR Support |
|---|---|---|---|
| Amazon EC2 | AMI-based | Windows VSS | No |
| Amazon EBS | Snapshots | Windows VSS | No |
| Amazon RDS | Snapshots | Full feature | Yes |
| Amazon Aurora | Snapshots | Full feature | Yes |
| Amazon DynamoDB | On-demand | Full feature (opt-in) | Yes |
| Amazon EFS | File-level | Full feature | Yes |
| Amazon FSx | Snapshots | - | No |
| Amazon S3 | Object-level | Full feature | Yes |
| AWS Storage Gateway | Snapshots | - | No |
| Amazon DocumentDB | Snapshots | - | Yes |
| Amazon Neptune | Snapshots | - | Yes |
| Amazon Redshift | Snapshots | - | No |
| SAP HANA on EC2 | Full backup | Full feature | Yes |
| VMware VMs | Full backup | Full feature | No |
For DynamoDB, you must explicitly opt-in to AWS Backup advanced features in the AWS Backup settings. Other services like EFS, S3, and Timestream automatically support advanced features.
Cross-Region Backup
Cross-Region Backup Copy
How It Works:
- AWS Backup creates recovery point in source region
- Copy rule triggers cross-region copy
- Backup is re-encrypted with destination vault's KMS key
- First copy is full; subsequent copies may be incremental
Configuration:
- Add "Copy to destination" rule in backup plan
- Specify destination vault ARN (different region)
- Configure separate retention for copied backup
Use Cases:
- Disaster recovery to another region
- Compliance with data residency requirements
- Geographic redundancy

Cross-Account Backup
Cross-Account Backup Copy
Requirements:
- Both accounts must be in same AWS Organization
- Enable cross-account management in AWS Backup settings
- Use customer-managed KMS keys (not AWS-managed)
- Configure vault access policy in destination account
Setup Steps:
- Enable "Cross-account management" in management account
- Create backup vault with customer-managed KMS key in destination
- Configure vault access policy to allow source account
- Add cross-account copy rule to backup plan
Security Considerations:
- Backups re-encrypted with destination vault's KMS key
- Source account cannot delete backups in destination account
- Provides protection against account compromise
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountCopy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
},
"Action": [
"backup:CopyIntoBackupVault"
],
"Resource": "*"
}
]
}
```AWS Backup Vault Lock
Vault Lock (WORM Protection)
What is Vault Lock? Enables Write-Once-Read-Many (WORM) protection for recovery points. Once locked, backups cannot be deleted by anyone, including the root user.
Lock Modes:
- Governance Mode: Authorized users can modify/delete with special permissions
- Compliance Mode: NO ONE can delete until retention period expires (truly immutable)
Configuration Parameters:
- Min Retention Days: Minimum retention period enforced
- Max Retention Days: Maximum retention period allowed
- Changeable For Days: Grace period before lock becomes immutable
Compliance Use Cases:
- SEC Rule 17a-4(f)
- CFTC Rule 1.31(c)-(d)
- FINRA regulations
- Healthcare (HIPAA)
Vault Lock is Irreversible
Once a vault lock is applied in Compliance mode and the grace period expires, it CANNOT be removed or modified. Carefully plan retention periods before applying vault lock. Test with Governance mode first.
AWS Backup Audit Manager
Backup Audit Manager
Purpose: Audit and report on compliance of your backup activities.
Key Features:
- Pre-built and custom compliance frameworks
- Automated compliance reports
- CloudWatch integration for alerts
Built-in Frameworks:
- AWS Backup best practices
- Custom frameworks for specific regulations
Reports Generated:
- Backup jobs report
- Copy jobs report
- Restore jobs report
- Compliance report
Use Cases:
- Demonstrate backup compliance to auditors
- Monitor backup policy adherence
- Track backup SLA compliance
Continuous Backup and PITR
Point-in-Time Recovery (PITR)
Supported Services:
- Amazon RDS
- Amazon Aurora
- Amazon DynamoDB (with opt-in)
- Amazon S3 (versioning-based)
- Amazon EFS
Retention:
- Continuous backups retained for 1-35 days
- Allows restore to any second within retention window
How It Works:
- Enable continuous backup in backup rule
- AWS Backup maintains transaction logs
- Restore to any point within retention period
- Combines full backups with transaction log replay
AWS Organizations Integration
Centralized Backup Management
Features:
- Backup policies deployed across member accounts
- Cross-account monitoring from management account
- Delegated administrator support
Setup:
- Enable backup policies in AWS Organizations
- Enable cross-account monitoring in AWS Backup
- Optionally delegate to backup admin account
Benefits:
- Consistent backup policies organization-wide
- Centralized visibility into all backup jobs
- Reduced management overhead
- Compliance enforcement at scale
Common Exam Scenarios
AWS Backup Scenarios: Centralized backup → AWS Backup | Copy to DR region → Cross-region copy | Protect from deletion → Vault Lock Compliance mode | Compliance reporting → Backup Audit Manager | Point-in-time restore → Continuous backup + PITR | Org-wide policy → Organizations integration | Tag-based selection → Resource assignment by tags
A company needs to ensure their backups cannot be deleted by anyone, including administrators, for 7 years to meet regulatory compliance. What should they configure?
A company wants to automatically backup all EC2 instances tagged with 'Backup=Daily' to a vault in both us-east-1 and eu-west-1. How should they configure this?
Which of the following are requirements for AWS Backup cross-account copy? (Select TWO)
Best Practices
AWS Backup Best Practices
- Use tags for resource selection: Easier management as resources are added/removed
- Implement cross-region copy: For disaster recovery requirements
- Enable Vault Lock for compliance: Use Compliance mode for regulatory requirements
- Test restores regularly: Backup is only valuable if restore works
- Use lifecycle policies: Transition old backups to cold storage to reduce costs
- Monitor with CloudWatch: Set alarms for failed backup/restore jobs
- Leverage Organizations: Centralize backup management across accounts
- Document retention requirements: Align backup retention with business/compliance needs
- Use Backup Audit Manager: Generate compliance reports for auditors
- Separate backup vaults by environment: Production, staging, development
Summary
AWS Backup provides centralized, policy-driven backup management across AWS services:
- Backup Plans: Define schedules, retention, and cross-region/cross-account copy rules
- Backup Vaults: Secure, encrypted containers for recovery points
- Cross-Region/Cross-Account: DR and compliance with geographic separation
- Vault Lock: WORM protection for immutable backups
- Audit Manager: Compliance reporting and monitoring
- Organizations Integration: Enterprise-scale backup management
Understanding these components and their configuration is essential for designing resilient architectures on the SAA-C03 exam.