Backup
Centralized automated backup across AWS services and on-premises resources
AWS Backup is a fully managed, centralized service for automating data protection across AWS services including EC2, EBS, RDS, DynamoDB, EFS, FSx, Aurora, S3, and on-premises resources via Storage Gateway. It provides a single pane of glass for backup policies, compliance reporting, and cross-account/cross-region backup copies, replacing service-specific backup configurations with a unified governance model. AWS Backup is increasingly required in enterprise environments for audit compliance and ransomware recovery planning.
AWS Backup Architecture and Key Concepts
AWS Backup introduces a set of abstractions that work across all supported services, allowing you to manage backup policy once and apply it everywhere.
| Concept | Description |
|---|---|
| Backup Plan | Policy defining backup frequency, window, retention, and lifecycle (when to move to cold storage) |
| Backup Rule | Individual schedule within a plan - a plan can have multiple rules for different frequencies |
| Backup Vault | Container for backup recovery points - access controlled via vault policy + AWS Backup authorization |
| Recovery Point | A backup - could be an EBS snapshot, RDS automated backup, DynamoDB on-demand backup, etc. |
| Resource Assignment | Tags or ARNs mapped to a backup plan - all tagged resources get backed up automatically |
| Backup Job | Single execution of a backup rule for a specific resource |
```bash
# Create a backup plan using JSON: one daily rule with a 35-day lifecycle
# and a copy action that replicates each recovery point to a DR vault
aws backup create-backup-plan --backup-plan \
'{
  "BackupPlanName": "daily-weekly-monthly",
  "Rules": [
    {
      "RuleName": "daily-backups",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 480,
      "Lifecycle": {
        "DeleteAfterDays": 35
      },
      "CopyActions": [{
        "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:123456789:backup-vault:DR-Vault",
        "Lifecycle": {"DeleteAfterDays": 35}
      }]
    }
  ]
}'
```

Use tag-based resource assignment (a backup selection whose condition matches the tag) to automatically include new resources in backup plans. Any resource tagged with Backup=daily is then backed up without per-resource configuration.
Supported Services and Backup Behaviors
AWS Backup supports a wide range of services, but the backup mechanism and restoration behavior vary per service. Understanding these differences prevents surprises during recovery.
| Service | Backup Type | Restore Creates | Consistent Backup |
|---|---|---|---|
| EC2 | AMI (all attached volumes) | New EC2 instance | Application-consistent with VSS on Windows |
| EBS | Incremental snapshot | New EBS volume | Crash-consistent |
| RDS | Automated backup (daily) + transaction logs | New RDS instance | Transactionally consistent |
| Aurora | Continuous backup to S3 | New Aurora cluster | Point-in-time to any second |
| DynamoDB | On-demand full backup | New DynamoDB table | Consistent snapshot |
| EFS | Incremental backup | New EFS or overwrite existing | File-system consistent |
| FSx | File-system backup | New FSx file system | Consistent |
| S3 | Continuous data protection (CDP) | Restore objects to point in time | Object-level versioning |
Restoring from AWS Backup almost always creates a NEW resource - it does not restore in-place to the existing resource. Plan your recovery procedures to account for endpoint changes (new RDS hostname, new EFS mount target, etc.).
Backup Vaults, Vault Lock, and Security
Backup vaults are the security boundary for AWS Backup. Vault policies control who can access, delete, or copy recovery points. AWS Backup Vault Lock adds immutability for ransomware protection.
| Feature | Description | Use Case |
|---|---|---|
| Vault Access Policy | IAM resource policy on the vault | Control which accounts/roles can restore or delete |
| Vault Lock (Governance) | Prevents deletion but can be unlocked by admin | Internal policy enforcement with admin escape hatch |
| Vault Lock (Compliance) | Immutable - cannot be changed or deleted even by root | Regulatory compliance, ransomware protection |
| KMS encryption | Vault uses KMS key - all recovery points encrypted | Use a separate CMK for backup vault from production |
| Cross-account copy | Copy recovery points to a separate AWS account | Isolated backup account (recommended for enterprise) |
```bash
# Enable Vault Lock with a 90-day minimum retention; specifying --changeable-for-days
# selects Compliance mode (omit it for Governance mode, which an admin can still unlock)
aws backup put-backup-vault-lock-configuration \
  --backup-vault-name production-vault \
  --min-retention-days 90 \
  --max-retention-days 3650 \
  --changeable-for-days 3
# The lock is not committed until the 3-day cooling-off period has passed
# After that, it cannot be changed or removed, even by the account root user
```

Best practice for enterprise backup security: create a dedicated backup AWS account, use cross-account copy to replicate all production backups there, and apply Vault Lock in Compliance mode in the backup account. Even if the production account is compromised, attackers cannot delete the backup account's recovery points. Note that a locked vault rejects any backup or copy job whose lifecycle falls outside the lock's retention window, so a rule that keeps recovery points for 35 days cannot target a vault locked to a 90-day minimum; align plan lifecycles with the lock before committing it.
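As an added example (not code from the page or from AWS), the following Python script pre-checks a backup plan document offline against the two points above: a locked vault rejects jobs whose lifecycle is outside its min/max retention window, and copy actions that stay in the source account give no isolation from a compromised account. PLAN, VAULT_LOCKS, SOURCE_ACCOUNT and the helper functions are constructed for the example; the plan reuses this page's daily rule but points it at the locked production vault.

```python
# Added example (not AWS or page code): offline pre-check of a backup plan against
# Vault Lock retention limits and the cross-account isolation advice above.

# Constructed sample: this page's daily rule, pointed at the locked production vault
PLAN = {
    "BackupPlanName": "daily-weekly-monthly",
    "Rules": [{
        "RuleName": "daily-backups",
        "TargetBackupVaultName": "production-vault",
        "Lifecycle": {"DeleteAfterDays": 35},
        "CopyActions": [{
            "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:123456789:backup-vault:DR-Vault",
            "Lifecycle": {"DeleteAfterDays": 35},
        }],
    }],
}
# Vault name -> (MinRetentionDays, MaxRetentionDays) of its lock; None = unlocked
VAULT_LOCKS = {"production-vault": (90, 3650), "DR-Vault": None}
SOURCE_ACCOUNT = "123456789"  # account owning the plan (placeholder id from the page)


def vault_name(vault):
    """Accept a bare vault name or a backup-vault ARN and return the name."""
    return vault.rsplit(":", 1)[-1]

def vault_account(vault, default):
    """Account id from arn:aws:backup:region:account:...; bare names are in-account."""
    return vault.split(":")[4] if vault.startswith("arn:") else default

def audit_plan(plan, source_account, vault_locks):
    """Return findings as (rule, vault, code, detail); an empty list means clean."""
    findings = []
    for rule in plan["Rules"]:
        targets = [(rule["TargetBackupVaultName"], rule.get("Lifecycle", {}))]
        targets += [(c["DestinationBackupVaultArn"], c.get("Lifecycle", {}))
                    for c in rule.get("CopyActions", [])]
        isolated = False
        for vault, lifecycle in targets:
            name = vault_name(vault)
            keep = lifecycle.get("DeleteAfterDays", float("inf"))  # absent = never expires
            lock = vault_locks.get(name)
            if lock and not lock[0] <= keep <= lock[1]:  # locked vault rejects the job
                findings.append((rule["RuleName"], name, "VAULT_LOCK_RETENTION",
                                 f"keeps {keep} days, lock allows {lock[0]}..{lock[1]}; job would fail"))
            if vault_account(vault, source_account) != source_account:
                isolated = True
        if not isolated:  # every copy stays where a compromised account could delete it
            findings.append((rule["RuleName"], "-", "NO_ACCOUNT_ISOLATION",
                             f"no copy action targets a vault outside {source_account}"))
    return findings
```

Running audit_plan(PLAN, SOURCE_ACCOUNT, VAULT_LOCKS) on the sample reports both problems; raising DeleteAfterDays to at least 90 and pointing the copy action at a vault in a separate backup account clears them.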
Backup Compliance Reporting and Audit
AWS Backup Audit Manager provides built-in compliance frameworks and custom reporting to demonstrate backup compliance to auditors and security teams.
| Control | What It Checks |
|---|---|
| Backup plan coverage | All resources tagged for backup are actually covered by a plan |
| Backup frequency compliance | Resources are backed up at the required frequency (e.g. daily) |
| Cross-region backup | Recovery points are copied to the required secondary region |
| Cross-account backup | Recovery points are copied to the backup account |
| Recovery point encryption | All recovery points are encrypted |
| Minimum retention | Recovery points are retained for the required minimum number of days |
```bash
# Create a custom audit framework using the built-in minimum-frequency / minimum-retention control
# (the shorthand value is single-quoted so the shell does not brace-expand the nested {...} and [...])
aws backup create-framework \
  --framework-name "enterprise-backup-compliance" \
  --framework-controls \
  'ControlName=BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK,ControlScope={ComplianceResourceTypes=[AWS::EC2::Instance,AWS::RDS::DBInstance]},ControlInputParameters=[{ParameterName=requiredFrequencyValue,ParameterValue=1},{ParameterName=requiredFrequencyUnit,ParameterValue=days}]'
# Generate a compliance report, delivered to the named S3 bucket
aws backup create-report-plan \
  --report-plan-name monthly-compliance \
  --report-delivery-channel S3BucketName=backup-reports-bucket \
  --report-setting ReportTemplate=BACKUP_JOB_REPORT
```

AWS Backup vs Native Service Backups
Most AWS services have their own native backup capabilities. AWS Backup centralizes management but does not always replace native backups. Understanding when to use each is important.
| Dimension | AWS Backup | Native Backups (e.g. RDS automated, EBS snapshots) |
|---|---|---|
| Management | Centralized - one console, one API, one policy | Per-service - must configure in each service's settings |
| Cross-service policies | Single backup plan applies to EC2, RDS, EFS, etc. | Must configure separately in each service |
| Compliance reporting | Built-in Audit Manager with compliance frameworks | Manual or third-party tooling needed |
| Cross-account copy | First-class feature | Manual via CLI/API per service |
| Vault Lock | Immutable compliance mode available | Not available natively for most services |
| Feature completeness | Subset of native features (no Aurora Global for example) | Full native capabilities |
| Granularity | Daily or more frequent (varies by service) | Continuous (RDS, Aurora), hourly possible |
AWS Backup is not a replacement for native backups in all cases. For Aurora, the native continuous backup to S3 provides point-in-time recovery to any second - AWS Backup complements this with cross-account copy and vault lock, but you would not disable Aurora's native backup.
Interview Focus Points
1. What is AWS Backup and what problem does it solve compared to using each service's native backup features?
2. How would you design a backup strategy for a multi-account AWS organization using AWS Backup?
3. What is AWS Backup Vault Lock and how does it protect against ransomware attacks?
4. Walk me through restoring an EC2 instance from an AWS Backup recovery point.
5. How does AWS Backup Audit Manager help with compliance reporting?
6. What are the differences between Governance mode and Compliance mode Vault Lock?
7. How would you use cross-account backup copies to isolate production backups from production account compromise?
8. A DynamoDB table was accidentally deleted. How would you restore it and what is the maximum data loss?
9. When would you use native RDS automated backups versus AWS Backup for an RDS database?