Amazon Backup features

Amazon Backup is a fully managed service that centralizes and automates data protection across Amazon Web Services services and hybrid workloads. It provides core data protection features, ransomware recovery capabilities, and compliance insights and analytics for data protection policies and operations. Amazon Backup offers a cost-effective, policy-based service with features that simplify data protection at exabyte scale across your Amazon Web Services estate. 

Amazon Backup helps protect application resources, including your Amazon Web Services storage, database, and compute services as well as hybrid workloads like VMware. Amazon Backup supports the following capabilities for all its supported services and third-party applications: automated backup scheduling and retention management, centralized data protection monitoring, Amazon KMS-integrated backup encryption, data protection auditing and compliance reporting with Amazon Backup Audit Manager, and write-once, read-many (WORM) with Amazon Backup Vault Lock.

Amazon Backup provides a backup console, public APIs, and a command line interface to centrally manage backups across the Amazon Web Services storage, compute, database, and hybrid services your applications run on, including Amazon Simple Storage Service (S3), Amazon Elastic BlockStore (EBS), Amazon FSx, Amazon Elastic FileSystem (EFS), Amazon Storage Gateway, Amazon Elastic ComputeCloud (EC2), Amazon RelationalDatabase Service (RDS), Amazon Aurora, Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB (with MongoDB compatibility), Amazon Redshift, and the entire application stack defined by Amazon CloudFormation.

The Amazon Backup vault is a logical container that stores and manages your encrypted backups. When creating a backup vault, you must specify the Amazon Web Services Key Management Service (Amazon KMS) encryption key that encrypts the backups placed in this vault. All copied backups are encrypted with the key of the target vault. For more information about encryption, see the chart in Encryption for backups in Amazon Web Services.

Amazon Backup encrypts your backup data at rest and in transit, providing a comprehensive encryption solution that secures your backup data and helps meet compliance requirements. Your backup data is encrypted using encryption keys managed by the Amazon Key Management Service (KMS), reducing the need to build and maintain a key management infrastructure. The keys used to encrypt your Amazon Backup data are independent of the keys used to encrypt the resources that the backups are based on. Having separate encryption keys for your production and backup data provides an important layer of protection for your applications.

You can create backups managed by backup plans, enabling you to define your backup requirements and apply these policies to the Amazon Web Services resources you want to protect. Backup plans simplify and scale your data protection strategy across your applications and organization.

You can apply backup plans to your Amazon Web Services resources by tagging them. Amazon Web Services tags are a great way to consistently organize and classify your Amazon Web Services resources.

You can customize backup schedules or choose from predefined backup schedules based on common best practices. Amazon Backup automatically backs up your application resources according to the policies and schedules you define to avoid conflicting with production.

You can set backup retention policies that automatically retain and expire backups, minimizing backup storage costs. Configure lifecycle policies that automatically transition backups from warm storage to cold storage, helping lower backup storage costs by storing backups in a low-cost cold storage tier.

You can copy backups across different Amazon Web Services Regions from a central console to meet compliance and disaster recovery needs. You can copy backups either manually as an on-demand copy, or automatically as part of a scheduled backup plan, and recover those backups in a new Region.

Amazon Backup console includes an Amazon CloudWatch dashboard to see metrics on completed or failed backup, copy, and restore jobs. Within this dashboard, you can view job status by time period, customized to the schedule you desire.

Amazon Backup integrates with Amazon CloudTrail, which provides a consolidated view of backup activity logs and simplifies the audit process for protected resources.

Amazon Backup integrates with Amazon Simple Notification Service (Amazon SNS), which can automatically alert you on backup activity such as when a backup succeeds or a restore is initiated.

For a fully managed experience, you can use Amazon Backup Audit Manager to monitor your backup activity.

Amazon Backup provides capabilities that you help protect and recover critical data from a ransomware events and account compromise. Ransomware refers to a business model and a wide range of associated technologies that bad actors use to extort money from entities. These actors use a range of tactics to gain unauthorized access to their victims’ data and systems, including exploiting unpatched vulnerabilities and weak or stolen credentials. Access to data and systems is then restricted by these actors, and a ransom demand is made for the safe return of these digital assets. There are several methods such actors use to restrict or reduce legitimate access to resources including encryption and deletion, modified access controls, and network-based denial of service attacks. 

You can back up your Amazon CloudFormation stack along with its resources like Amazon  IAM roles and Amazon VPC security groups. This means you can more easily recover your entire application stack, and manage compliance of your data protection policies across the entire application stack.

You can import application definitions and create application-wide protection plans managed on a recurring schedule and cross-Region copy for additional protection from ransomware events.

Amazon Backup Vault Lock allows you to protect your backups from deletion or changes to their lifecycle (making data immutable) by inadvertent or malicious changes. You can use the Amazon Web Services CLI, Amazon Backup API, or Amazon Backup SDK to apply the Amazon Backup Vault Lock protection to an existing vault or a new one. Amazon Backup Vault Lock works with backup policies such as retention periods, cold storage transitioning, and cross-Region copy. This provides an additional layer of protection and helps meet your compliance requirements. 

Amazon Backup Audit Manager is a capability that monitors and generates audit reports of your data protection activity, such as backup frequency or backup retention period. Amazon Backup Audit Manager is a fully managed experience that can generate daily reports with insights on the compliance status of your data protection frameworks.

You can audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs with Amazon Backup Audit Manager. It provides built-in compliance controls which you can customize to define your data protection policies (such as backup frequency or retention period). It is designed to automatically detect violations against what you have defined as your data protection guardrails and will prompt you to take remediation actions. With Amazon Backup Audit Manager, you can continuously evaluate backup activity and generate audit reports that can help you demonstrate compliance with regulatory requirements.

Amazon Backup supports legal hold, which is used when an organization must retain certain data either for preservation, auditing, or as evidence in legal proceedings and e-Discovery. You can use legal holds to prevent backups from being deleted even if their retention period is over, and remain in place until they are explicitly released.

You can use compliance report templates to generate you daily reports on the compliance of your backup activity and resources against the controls you defined in one or more frameworks. A framework is a collection of controls that helps you to evaluate your compliance posture.

You can use pre-built or customizable controls to define your policies and evaluate whether your backup practices comply with your policies. For more information on controls, visit the Amazon Backup Developer Guide. You can also setup automatic daily reports to gain insights into the compliance status of your frameworks.