Amazon Backup FAQs

Q: What is Amazon Backup?

A: Amazon Backup is a fully managed service that centralizes and automates data protection across Amazon Web Services. Amazon Backup offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale. Using the Amazon Backup Audit Manager, you can audit and report on the compliance of your data protection policies to help meet your business and regulatory needs. Together with Amazon Organizations, use Amazon Backup to centrally deploy data protection policies to configure, manage, and govern your backup activities across your Amazon Web Services accounts and resources.

Q: How does Amazon Backup work with other Amazon Web Services services that have backup capabilities?

A: Today, several Amazon Web Services services offer backup features that help you protect your data, such as EBS snapshots, RDS snapshots, Aurora snapshots, DynamoDB backups,  Redshift snapshots, Amazon FSx backups, CloudFormation templates, and Storage Gateway snapshots. All existing per-service backup capabilities remain unchanged. Amazon Backup provides a new, common way to manage backups across Amazon Web Services services both in the Amazon Web Services Cloud and on premises. Amazon Backup introduces a centralized backup console that offers backup scheduling, retention management, and backup monitoring. Amazon Backup supports existing backup functionality provided by EBS, RDS, Amazon FSx, DynamoDB, and Storage Gateway. For Amazon Web Services services that have backup functionality built on Amazon Backup, such as Amazon EFS and Amazon S3. Amazon Backup provides you with backup management capabilities. Additional features include backup scheduling, retention management and backup monitoring, lifecycle policies to transition backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, and backup access policies.

Q: Why should I use Amazon Backup?

A: Backing up your data is an important step towards protecting your application and ensuring that you meet your business and regulatory backup compliance requirements. Even durable resources are susceptible to threats like bugs in your application that could cause accidental deletions or corruption. Building and managing your own backup workflows across all your applications in a compliant and consistent manner can be complex and costly. Amazon Backup removes the need for costly, custom solutions or manual processes by providing a fully managed, policy-based backup solution that provides automated backup scheduling and backup retention management.

Q: How does Amazon Backup work?

A: With Amazon Backup, you can define a central data protection policy called a backup plan that works across Amazon Web Services for compute, storage, and databases. The backup plan defines parameters such as backup frequency and backup retention period. Once you define your data protection policies and assign Amazon Web Services resources to the policies, Amazon Backup automates the creation of backups and stores those backups in an encrypted backup vault that you designate. The centralized policies in Amazon Backup also help you define access controls and automate backup access management across all your accounts within your Amazon Organizations. You can use Amazon Backup’s central console to view your Amazon Web Services resources that are being protected, restore from a backup, and monitor backup and restore activity. Additionally, with Amazon Backup, you can generate reports on compliance metrics such as backup frequency, data retention period, and backup coverage across your Amazon Web Services resources, and demonstrate compliance to auditors.

Q: What are the key features of Amazon Backup?

A: Amazon Backup provides a centralized console, automated backup scheduling, backup retention management, and backup monitoring and alerting. Amazon Backup offers advanced features such as lifecycle policies to transition backups to a low-cost storage tier. It also includes backup storage and encryption independent from its source data, audit and compliance reporting capabilities with Amazon Backup Audit Manager, and delete protection with Amazon Backup Vault Lock.

Q: What can I backup using Amazon Backup?

A: You can use Amazon Backup to manage the backups of EBS volumes, EC2 instances, RDS databases, Redshift databases, DynamoDB tables, CloudFormation templates, EFS file systems, Amazon FSx file systems, Amazon S3 buckets and Storage Gateway volumes.

Q: Can I use Amazon Backup to back up on-premises data?

A: Yes. Amazon Backup integrates with Storage Gateway to enable you to back up on-premises Storage Gateway volumes, providing a common way to manage the backups of your application data both on premises and in the Amazon Web Services cloud.

Q: Can I use Amazon Backup to access backups created by services with existing backup capabilities?

A: Yes. Backups created using services with existing backup capabilities, such as EBS snapshots or DynamoDB backups, can be accessed using Amazon Backup. Conversely, backups created by Amazon Backup can be accessed using the source service, like EBS or DynamoDB.

Q: How does Amazon Backup relate to Amazon Data Lifecycle Manager and when should I use one over the other?

A: Amazon Data Lifecycle Management (DLM) policies and backup plans created in Amazon Backup work independently from each other and provide two ways to manage EBS snapshots. DLM provides a simple way to manage the lifecycle of EBS resources, such as volume snapshots. You should use DLM when you want to automate the creation, retention, and deletion of EBS snapshots. You should use Amazon Backup to manage and monitor backups across the Amazon Web Services services you use, including EBS volumes, from a single place.

Q: What is a recovery point?

A: A recovery point represents the content of a resource at a specified time. Recovery points also include metadata such as information about the resource, restore parameters, and tags.

Q: What is a Backup Plan?

A: A backup plan is a policy expression that defines when and how you want to back up your Amazon Web Services resources, such as DynamoDB tables or EFS file systems. You assign resources to backup plans and Amazon Backup will then automatically backup and retain backups for those resources according to the backup plan. Backup plans are composed of one or more backup rules. Each backup rule is composed of 1) a backup schedule, which includes the backup frequency (Recovery Point Objective - RPO) and backup window, 2) a lifecycle rule that specifies when to transition a backup from one storage tier to another and when to expire the recovery point, 3) the Backup Vault in which to place the created recovery points in, and 4) the tags to be added to backups upon creation. For example, a backup plan might have a “daily backup rule” and a “monthly backup rule”. The daily rule backs up resources every day at midnight and retains the backups for one month. The monthly rule takes a backup once a month on the beginning of every month and retains the backups for one year.

Q: What is a Backup Vault?

A: A backup vault is an encrypted storage location in your Amazon Web Services account that stores and organizes your backups (recovery points). You can create new backup vaults in each Amazon Web Services Region where Amazon Backup is available. Enable delete-protection on the backup vaults using Amazon Backup Vault Lock to prevent malicious actors from re-encrypting your data. Amazon Backup stores your continuous backups and periodic snapshots in the backup vault of your preference and lets you browse and restore as per your requirements.

Q: How does Amazon Backup’s lifecycle feature work?

A: The Amazon Backup lifecycle feature can automatically transition your recovery points from a warm storage tier to a lower-cost cold storage tier. Cold storage tier is available only for backups of EFS, and DynamoDB.

Q: How does encryption work in Amazon Backup?

A: Backups from Amazon Web Services services that introduce backup functionality built on Amazon Backup, such as Amazon EFS, Amazon S3 are encrypted in-transit and at-rest independently from the source services, giving your backups an additional layer of protection. Encryption is configured at the Backup Vault level. Backups from services with existing backup capabilities are encrypted using the source service’s backup encryption methodology. For example, EBS snapshots are encrypted using the encryption key of the volume the snapshot was created from.

Q: How do I use access policies in a Backup Vault to control access to backups?

A: Amazon Backup allows you to set resource-based policies on Backup Vaults, enabling you to control access to the Backup Vault and the backups in it.

Q: What services provide support for Amazon Backup’s advanced features?

A: Services with backup functionality built on Amazon Backup support additional backup features, like lifecycle tiering of backups to a low-cost storage tier, backup storage and encryption independent from its source data, and backup access policies. Currently, S3, EFS and DynamoDB support Amazon Backup advanced features with backup functionality integrated with Amazon Backup. To activate Amazon Backup advanced features for DynamoDB, you must opt in through settings. EFS and S3 automatically support Amazon Backup advanced features. Amazon Backup for S3 supports backup access policies and encryption of backups with a different key, but does not support cold storage tier.

Q: What is Amazon Backup Vault Lock?

A: Amazon Backup Vault Lock is a feature that enables you to prevent changes to backup lifecycle as well as prevent manual deletion of backups, helping you meet your compliance requirements. Amazon Backup Vault Lock implements safeguards that ensure you are storing your backups using a Write-Once-Read-Many (WORM) model.

Q: Why should I use Amazon Backup Vault Lock?

A: You should use Amazon Backup Vault Lock to ensure that no user, including administrators or perpetrators of malicious actions, can delete your backups or change their lifecycle settings such as retention periods and transition to cold storage. Amazon Backup keeps these backups according to your scheduled retention periods, helping you meet your business continuity goals. In addition, Amazon Backup Vault Lock works seamlessly with backup policies such as retention periods, cold storage transitioning, and cross-Region copy, providing you an additional layer of protection and helping you meet your compliance requirements. Amazon Backup Vault Lock protects you from keeping backups that don’t meet your acceptable minimum and maximum retention periods.

Q: How does Amazon Backup Vault Lock differ from Amazon S3 Glacier Vault Lock?

A: While Amazon Backup Vault Lock applies to data residing in your Amazon Backup backup vault, Amazon S3 Glacier Vault Lock applies to an individual Amazon S3 Glacier Vault. Amazon Backup Vault Lock prevents manual deletion of backups and changes to backup lifecycle settings to help you centrally protect backups across Amazon Web Services services. Amazon S3 Glacier Vault Lock enables you to enforce compliance controls that are designed to support long-term records retention for individual Amazon S3 Glacier vaults.

Q: How does Amazon Backup Vault Lock work?

A: Amazon Backup Vault Lock is an optional configuration at the Amazon Backup vault level and comprises three properties: minimum acceptable retention days, maximum acceptable retention days, and a cooling-off period. It blocks backup deletion operations and changes to their lifecycle.

If you enable the Amazon Backup Vault Lock configuration, then Amazon Backup will protect all newly created recovery points in the vault against deletion and change to their lifecycle. Amazon Backup will also fail all backup jobs, with retention periods not meeting the Amazon Backup Vault Lock acceptable retention periods.

Amazon Backup Vault Lock ensures that your backups are available until they reach their retention periods and expire. If any user, including the root account user, attempts to delete a backup or update its lifecycle properties in a locked vault, Amazon Backup denies the operation.

The cooling-off period allows you to test the feature for a number of days you define. You can update and remove the Amazon Backup Vault Lock configuration as long as the cooling-off period has not expired. Once the cooling-off period expires, Amazon Backup will not allow any change to the configuration. 

Q: What is legal hold?

A: Legal holds, also known as litigation holds, are used when an organization must retain certain data either for preservation, auditing, or as evidence in legal proceedings and e-Discovery. These holds prevent backups from being deleted, even if their retention period is over, and remain in place until explicitly released.

Q: How does Amazon Backup for S3 work?

With Amazon Backup, you can define a central backup policy to manage backup and restore for your application across Amazon Web Services services for compute, storage, and database services. Once you define your backup policy and assign S3 resources, Amazon Backup automates the creation of S3 backups, and stores those backups in an encrypted storage vault that you designate. Create continuous point-in-time backups or periodic backups of S3 buckets, including object data, object tags, access control lists (ACLs), and user-defined metadata. The first backup is a full snapshot, while subsequent backups are incremental. If there is a data disruption event, choose a backup from the backup vault and restore an S3 bucket (or individual S3 objects) to a new or existing S3 bucket. The centralized policies in Amazon Backup also help you define access controls and automate backup access management across all your accounts within your organizations.

Q: How are these capabilities different from what Amazon S3 provides?

Both Amazon Backup and Amazon S3 offer capabilities that help you manage the business continuity of your applications. While you can centrally manage backup and restore for your applications across multiple Amazon Web Services services with Amazon Backup, with Amazon S3 you can manage data in S3 buckets and objects. If you’re a backup administrator responsible for the backups, restores, and compliance of your applications across multiple Amazon Web Services services, you can use Amazon Backup to meet those needs. Amazon S3 capabilities such as Versioning, Object Lock, and Replication help storage administrators preserve data and prevent the unintended deletion of Amazon S3 data. You can use both sets of capabilities together to manage backup and restore across your organization.

Q: Can I use an existing backup plan in Amazon Backup to start backing up Amazon S3?

If you already have a backup plan for your application and want to use it for Amazon S3, add your Amazon S3 resources to the existing backup plan using tags or S3 bucket ARNs. Amazon Backup matches the tags in S3 buckets to those assigned to your backup plan and backs up those resources, along with other Amazon Web Services services your application uses.

Q: What backup options are available in Amazon Backup for Amazon S3?

You have two backup options available for Amazon S3 resources in Amazon Backup: continuous and periodic. Continuous backups can restore Amazon S3 resources to any point in time within the last 35 days. You can use this point-in-time feature to restore your Amazon S3 resources to their condition at any time within the last 35 days. Periodic backups retain data for an infinite period. You can schedule snapshots using frequencies such as 1 hour, 12 hours, 1 day, 1 week, or 1 month, or create them on demand. Continuous backups are useful for undoing accidental deletions, while periodic snapshots can help you meet long-term data retention needs.

Q: Are there any prerequisites to creating backups of S3 buckets?

Yes, turning on S3 Versioning is a prerequisite to creating backups of S3 buckets and objects. Set a lifecycle expiration period for your versions as well—if you don’t, your S3 costs might increase since Amazon Backup backs up and stores all unexpired versions of your S3 data. See the technical documentation for more information.