How AWS Backup Works
AWS Backup uses a policy-based approach to data protection. The workflow consists of three main components working together:
- Backup Plan: You create a plan that defines your backup requirements (schedule, retention, target vault).
- Resource Assignment: You assign AWS resources to the plan, together with an IAM role that AWS Backup assumes to read those resources and write their recovery points.
- Backup Vault: The plan runs its rules and stores the resulting encrypted backups (recovery points) in a backup vault.
Core Components
1. Backup Plans
A backup plan is a policy expression that defines how and when you want to back up your AWS resources.
- Backup Rules: A plan is made up of one or more backup rules. Each rule specifies:
  - Backup Frequency: How often to create a backup, given as a fixed interval (e.g., every 12 hours, daily, weekly) or as a cron expression.
  - Backup Window: The start window, a block of time after the scheduled time within which the backup job must be started (a job that cannot start in time is cancelled), and the completion window within which it must finish.
  - Lifecycle Policy: When to transition recovery points to AWS Backup's lower-cost cold storage tier and when to expire (delete) them. Cold-tier recovery points must be retained for at least 90 days, and only some resource types support the cold tier (Amazon EFS and DynamoDB do; EBS, EC2 and RDS recovery points stay in warm storage).
  - Target Backup Vault: The vault where the recovery points will be stored.
- Incremental Backups: For supported services, AWS Backup stores periodic backups incrementally after the first full backup, saving cost and time.
- Policy Management: You can manage backup plans via the AWS Console, CLI, the AWS SDKs, or as code using AWS CloudFormation.
2. Resource Assignments
This is how you tell AWS Backup which resources to protect with a specific backup plan. Each assignment (a backup selection) also names the IAM role AWS Backup assumes to perform the backups; the default service role AWSBackupDefaultServiceRole works, but a least-privilege role per plan limits what a misconfigured plan can reach.
- Assignment by Tags: The most flexible method. You specify tag conditions (e.g., backup-policy=daily), and any supported resource matching them is included in the plan automatically. The security caveat: whoever can edit tags on a resource can enrol it in, or silently remove it from, protection, so treat tagging permissions (such as ec2:CreateTags and ec2:DeleteTags) as backup-relevant and alert on tag changes for protected resources.
- Assignment by Resource ID: You can explicitly select specific resources by their Amazon Resource Name (ARN), with wildcards if needed, and exclude others.
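The script below is an added example, not code from the AWS documentation. It builds a tag-based selection document in the shape the CreateBackupSelection API accepts (ARN patterns to bound the selection, ANDed tag conditions with an exclusion tag), runs an offline dry run over constructed sample resources to show which ones the selection would capture, and applies it with boto3 only when asked. The plan ID, account ID, role ARN and tag names are assumptions; the dry-run evaluator mirrors IAM-style condition semantics and is an assumption to confirm against the AWS Backup documentation for your resource types.

```python
import json
import re

# Hypothetical identifiers for this example (not real resources).
PLAN_ID = "11111111-2222-3333-4444-555555555555"
BACKUP_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"


def build_selection(name, role_arn, tag_key, tag_value,
                    exclude_tag=("backup-exclude", "true"),
                    resource_arns=("arn:aws:ec2:*:*:instance/*",
                                   "arn:aws:ec2:*:*:volume/*")):
    """Return a BackupSelection document for create_backup_selection.

    Resources bounds the selection with ARN patterns (wildcards allowed), so a
    stray tag on, say, an RDS instance does not pull it into this plan.
    Conditions are ANDed: the resource must carry tag_key=tag_value and must
    not carry the exclusion tag. The older ListOfTags field is ORed and only
    supports StringEquals, so it is not used here.
    """
    return {
        "SelectionName": name,
        "IamRoleArn": role_arn,
        "Resources": list(resource_arns),
        "Conditions": {
            "StringEquals": [
                {"ConditionKey": f"aws:ResourceTag/{tag_key}",
                 "ConditionValue": tag_value}],
            "StringNotEquals": [
                {"ConditionKey": f"aws:ResourceTag/{exclude_tag[0]}",
                 "ConditionValue": exclude_tag[1]}],
        },
    }


def _arn_matches(pattern, arn):
    # Translate AWS-style '*' wildcards into a regex; everything else is literal.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def _tag_of(condition):
    return condition["ConditionKey"].split("/", 1)[1]


def is_selected(selection, resource_arn, tags):
    """Offline dry run: would this ARN with these tags fall under the selection?

    Mirrors IAM-style condition semantics (StringNotEquals is satisfied when the
    tag is absent). This is an assumption about AWS Backup's evaluation; verify
    it against the documentation before relying on it.
    """
    if not any(_arn_matches(p, resource_arn) for p in selection["Resources"]):
        return False
    conditions = selection.get("Conditions", {})
    for cond in conditions.get("StringEquals", []):
        if tags.get(_tag_of(cond)) != cond["ConditionValue"]:
            return False
    for cond in conditions.get("StringNotEquals", []):
        if tags.get(_tag_of(cond)) == cond["ConditionValue"]:
            return False
    return True


def apply_selection(selection, plan_id, client=None):
    """Create the selection via boto3 (imported lazily so the rest runs offline)."""
    if client is None:
        import boto3  # assumed installed and credentialed where this is applied
        client = boto3.client("backup")
    resp = client.create_backup_selection(BackupPlanId=plan_id,
                                          BackupSelection=selection)
    return resp["SelectionId"]


if __name__ == "__main__":
    sel = build_selection("daily-tagged-ec2", BACKUP_ROLE_ARN, "backup-policy", "daily")
    print(json.dumps(sel, indent=2))
    # Constructed sample resources for the dry run.
    acct = "123456789012"
    print(is_selected(sel, f"arn:aws:ec2:us-east-1:{acct}:instance/i-0abc",
                      {"backup-policy": "daily"}))  # True
    print(is_selected(sel, f"arn:aws:ec2:us-east-1:{acct}:volume/vol-0abc",
                      {"backup-policy": "daily", "backup-exclude": "true"}))  # False
    print(is_selected(sel, f"arn:aws:rds:us-east-1:{acct}:db:prod",
                      {"backup-policy": "daily"}))  # False, outside Resources
```

The dry run is the part worth keeping in a pipeline: run it against the tags you intend to apply before `apply_selection`, and re-run it whenever a tagging policy changes, because a selection that quietly matches nothing is indistinguishable from a healthy one until the vault is empty.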
3. Backup Vaults
A backup vault is an encrypted container where you store and organize your backups (recovery points).
- Encryption: Every vault has a KMS key, chosen when the vault is created and not changeable afterwards; if you do not specify a customer-managed key, AWS Backup uses the AWS managed key aws/backup. Resource types that AWS Backup manages fully (for example Amazon EFS and VMware virtual machines) are encrypted with the vault's key; for others (for example EBS, RDS and Aurora) the recovery point is encrypted with the same key as the source resource, so the vault key is not what protects them. You can use different vaults to enforce different encryption standards and to separate blast radius.
- Access Control: You can attach a resource-based vault access policy to control which principals can act on the vault and its recovery points (restores, deletions, lifecycle changes). A common hardening pattern is a Deny on backup:DeleteRecoveryPoint and backup:UpdateRecoveryPointLifecycle for every principal except a break-glass role.
- Default Vault: AWS Backup creates a vault named Default automatically in each Region where you use it. Prefer purpose-built vaults with their own keys and policies for production data.
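The following is an added example, not code from the AWS documentation. It creates a vault on a customer-managed KMS key and attaches a vault access policy that denies deletion, retention shortening and policy tampering to every principal except a break-glass role, then checks offline which principals the Deny would catch. The account ID, Region, key ARN and role ARN are assumptions; the offline checker implements only the subset of IAM evaluation this one policy uses and is not a substitute for the IAM policy simulator.

```python
import json
import re

# Hypothetical identifiers for this example (not real resources).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
BREAK_GLASS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BackupBreakGlass"

# Actions that shorten or destroy protection. The two policy actions are
# included so a compromised principal cannot simply remove this Deny.
DESTRUCTIVE_ACTIONS = [
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:DeleteBackupVault",
    "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultAccessPolicy",
]


def deny_destructive_policy(allowed_role_arns):
    """Vault access policy: Deny DESTRUCTIVE_ACTIONS to every principal whose
    ARN is not in the allow list. aws:PrincipalArn carries the role ARN (not
    the session ARN) for assumed-role sessions, so listing role ARNs suffices.
    Resource is '*' because recovery-point ARNs live in the source service's
    namespace (e.g. EBS snapshots), not under the vault ARN."""
    for arn in allowed_role_arns:
        if not arn.startswith("arn:aws:iam::") or ":role/" not in arn:
            raise ValueError(f"break-glass principal must be an IAM role ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveActionsExceptBreakGlass",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": DESTRUCTIVE_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(allowed_role_arns)}},
        }],
    }


def policy_blocks(policy, action, principal_arn):
    """Offline check: does a Deny statement block `action` for `principal_arn`?
    Handles only what this policy uses (an ArnNotLike allow list with '*'
    wildcards); an assumption-level helper, not the IAM engine."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        allowed = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        exempt = any(
            re.match("^" + ".*".join(re.escape(p) for p in a.split("*")) + "$", principal_arn)
            for a in allowed)
        if not exempt:
            return True
    return False


def create_locked_down_vault(vault_name, kms_key_arn, allowed_role_arns, client=None):
    """Create the vault on a customer-managed key, then attach the policy.
    The key is fixed at creation (it cannot be changed later), so it is set
    here rather than 'fixed afterwards'."""
    if client is None:
        import boto3  # assumed installed and credentialed where this is applied
        client = boto3.client("backup")
    client.create_backup_vault(BackupVaultName=vault_name,
                               EncryptionKeyArn=kms_key_arn,
                               BackupVaultTags={"data-class": "prod"})
    policy = deny_destructive_policy(allowed_role_arns)
    client.put_backup_vault_access_policy(BackupVaultName=vault_name,
                                          Policy=json.dumps(policy))
    return policy


if __name__ == "__main__":
    policy = deny_destructive_policy([BREAK_GLASS_ROLE_ARN])
    print(json.dumps(policy, indent=2))
    deployer = f"arn:aws:iam::{ACCOUNT_ID}:role/AppDeployer"
    print(policy_blocks(policy, "backup:DeleteRecoveryPoint", deployer))              # True
    print(policy_blocks(policy, "backup:DeleteRecoveryPoint", BREAK_GLASS_ROLE_ARN))  # False
    print(policy_blocks(policy, "backup:StartRestoreJob", deployer))                   # False
```

The Deny leaves restores and reads untouched, so application teams keep self-service recovery while nobody outside the break-glass role can shorten retention or tamper with the policy itself. For recovery points that carry the source resource's key rather than the vault's (EBS, RDS), the KMS key policy on that source key is a second place to lock down.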
Key Features
Backup Lifecycle Management
- A cost-optimization setting configured within a backup rule (and separately for each copy action, since copies have their own lifecycle).
- It automatically moves recovery points from warm storage to the low-cost cold storage tier after a specified number of days, for the resource types that support the cold tier.
- You can also define when recovery points expire (are deleted). Expiry is driven by the lifecycle, not by the vault: a vault lock can raise the floor on retention but does not stop expiry.
- Example: Keep backups in warm storage for 30 days, then transition to cold storage, then delete them after 365 days in total (335 days in cold storage). Because cold-tier recovery points must stay there at least 90 days, the expiry must be at least 90 days after the cold transition, or the plan is rejected.
Cross-Region and Cross-Account Backup
- Cross-Region Backup: For disaster recovery, you can add a copy action to a backup rule that automatically copies each new recovery point to a vault in a different AWS Region. The copy is a separate recovery point with its own lifecycle.
- Cross-Account Backup: For centralized management, you can copy backups to a vault in a separate AWS account. The accounts must belong to the same AWS Organization with cross-account backup enabled, and the destination vault's access policy must allow backup:CopyIntoBackupVault from the source account. Keeping copies in an account the workload's principals cannot reach limits what a compromised or mis-administered source account can destroy; lock the destination vault as well, or the copies remain deletable from there.
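The script below is an added example, not code from the AWS documentation, and serves the Backup Plans, Backup Lifecycle Management and Cross-Region/Cross-Account sections together: it builds a plan document in the shape the CreateBackupPlan API accepts, with a daily rule carrying the 30-days-warm, delete-at-365 lifecycle from the example above and a copy action into a vault in another Region and account, and it validates the service constraints (90-day cold minimum, 60-minute start window floor) locally before anything is sent. The vault names, the destination vault ARN, the schedule and the tags are assumptions.

```python
import json

# Hypothetical identifiers for this example (not real resources).
DR_VAULT_ARN = "arn:aws:backup:us-west-2:210987654321:backup-vault:dr-copies"
COLD_MIN_DAYS = 90  # service constraint: cold-tier recovery points stay at least 90 days


def lifecycle(cold_after_days=None, delete_after_days=None):
    """Lifecycle block for a rule or copy action, with the service constraints
    checked up front instead of discovered as a failed CreateBackupPlan call."""
    lc = {}
    if cold_after_days is not None:
        if cold_after_days < 1:
            raise ValueError("MoveToColdStorageAfterDays must be at least 1")
        lc["MoveToColdStorageAfterDays"] = cold_after_days
    if delete_after_days is not None:
        if delete_after_days < 1:
            raise ValueError("DeleteAfterDays must be at least 1")
        if cold_after_days is not None and delete_after_days < cold_after_days + COLD_MIN_DAYS:
            raise ValueError(
                f"DeleteAfterDays must be >= {cold_after_days + COLD_MIN_DAYS}: "
                f"recovery points stay in cold storage at least {COLD_MIN_DAYS} days")
        lc["DeleteAfterDays"] = delete_after_days
    return lc


def rule(name, vault_name, schedule, start_window_minutes=60,
         completion_window_minutes=180, cold_after_days=None,
         delete_after_days=None, copy_to_vault_arns=()):
    """One backup rule. Windows are in minutes: a job that has not started
    within the start window is cancelled, and one that has not finished within
    the completion window is cancelled too. The 60-minute start floor is the
    documented API minimum."""
    if start_window_minutes < 60:
        raise ValueError("StartWindowMinutes must be at least 60")
    for arn in copy_to_vault_arns:
        if not arn.startswith("arn:aws:backup:") or ":backup-vault:" not in arn:
            raise ValueError(f"copy destination must be a backup vault ARN: {arn}")
    return {
        "RuleName": name,
        "TargetBackupVaultName": vault_name,
        "ScheduleExpression": schedule,
        "StartWindowMinutes": start_window_minutes,
        "CompletionWindowMinutes": completion_window_minutes,
        "Lifecycle": lifecycle(cold_after_days, delete_after_days),
        "RecoveryPointTags": {"backup-rule": name},
        # Each copy is its own recovery point with its own lifecycle.
        "CopyActions": [
            {"DestinationBackupVaultArn": arn,
             "Lifecycle": lifecycle(cold_after_days, delete_after_days)}
            for arn in copy_to_vault_arns
        ],
    }


def example_plan():
    """The lifecycle from the text (30 days warm, expire at day 365) as a daily
    05:00 UTC rule that also copies into a DR Region in another account."""
    return {
        "BackupPlanName": "prod-daily",
        "Rules": [
            rule("daily-0500-utc", "prod-daily", "cron(0 5 ? * * *)",
                 start_window_minutes=60, completion_window_minutes=240,
                 cold_after_days=30, delete_after_days=365,
                 copy_to_vault_arns=[DR_VAULT_ARN]),
        ],
    }


def apply_plan(plan, client=None):
    """Create the plan via boto3 (imported lazily so the rest runs offline)."""
    if client is None:
        import boto3  # assumed installed and credentialed where this is applied
        client = boto3.client("backup")
    resp = client.create_backup_plan(BackupPlan=plan,
                                     BackupPlanTags={"managed-by": "backup-as-code"})
    return resp["BackupPlanId"]


if __name__ == "__main__":
    print(json.dumps(example_plan(), indent=2))
```

Because the copy action carries its own lifecycle, a shorter retention on the DR copy than on the source is a silent gap: the local validation runs on both, so a reviewer sees the same numbers on both sides of the plan document.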
AWS Backup Vault Lock
- A compliance feature that enforces a Write-Once-Read-Many (WORM) policy on the recovery points in a vault.
- A lock sets a minimum and, optionally, a maximum retention period. Backup and copy jobs into the vault whose lifecycle falls outside that range fail, and no principal can delete a recovery point or shorten its retention before it expires.
- The lock has two modes. In governance mode (no cooling-off period) the lock can still be removed by principals with backup:DeleteBackupVaultLockConfiguration, so it guards against mistakes, not against a privileged attacker. In compliance mode you set a cooling-off period of at least 3 days (ChangeableForDays); once it elapses the lock is immutable and cannot be changed or removed by anyone, including the root user, and the vault cannot be deleted while it holds recovery points. Compliance mode is what meets regulatory requirements for immutable backups; test the retention settings on a non-production vault first, because a mistake becomes permanent.
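An added example, not code from the AWS documentation: a small wrapper around PutBackupVaultLockConfiguration that checks the lock parameters locally (minimum versus maximum retention, the 3-day cooling-off floor for compliance mode), reports which mode the parameters select, and tests whether a given backup rule's lifecycle would be accepted by the locked vault before the irreversible call is made. The vault name and retention numbers are assumptions.

```python
MIN_COOLING_OFF_DAYS = 3  # service minimum for compliance-mode ChangeableForDays


class VaultLock:
    """Parameters for PutBackupVaultLockConfiguration with the constraints
    checked locally before anything irreversible is sent."""

    def __init__(self, vault_name, min_retention_days, max_retention_days=None,
                 changeable_for_days=None):
        if min_retention_days < 1:
            raise ValueError("MinRetentionDays must be at least 1")
        if max_retention_days is not None and max_retention_days < min_retention_days:
            raise ValueError("MaxRetentionDays must be >= MinRetentionDays")
        if changeable_for_days is not None and changeable_for_days < MIN_COOLING_OFF_DAYS:
            raise ValueError(f"ChangeableForDays must be at least {MIN_COOLING_OFF_DAYS}")
        self.vault_name = vault_name
        self.min_retention_days = min_retention_days
        self.max_retention_days = max_retention_days
        self.changeable_for_days = changeable_for_days

    @property
    def mode(self):
        # No cooling-off period: governance mode, removable by a privileged IAM
        # principal. With one: compliance mode, immutable once the period ends.
        return "governance" if self.changeable_for_days is None else "compliance"

    def api_params(self):
        params = {"BackupVaultName": self.vault_name,
                  "MinRetentionDays": self.min_retention_days}
        if self.max_retention_days is not None:
            params["MaxRetentionDays"] = self.max_retention_days
        if self.changeable_for_days is not None:
            params["ChangeableForDays"] = self.changeable_for_days
        return params


def rule_fits_lock(rule_lifecycle, lock):
    """Would a backup or copy job with this Lifecycle be accepted by the locked
    vault? Jobs below the minimum or above the maximum retention fail; a
    lifecycle with no DeleteAfterDays retains forever, which exceeds any maximum."""
    delete_after = rule_lifecycle.get("DeleteAfterDays")
    if delete_after is None:
        return lock.max_retention_days is None
    if delete_after < lock.min_retention_days:
        return False
    return lock.max_retention_days is None or delete_after <= lock.max_retention_days


def lock_vault(lock, client=None):
    """Apply the lock and return the vault's lock status as the service reports it."""
    if client is None:
        import boto3  # assumed installed and credentialed where this is applied
        client = boto3.client("backup")
    client.put_backup_vault_lock_configuration(**lock.api_params())
    desc = client.describe_backup_vault(BackupVaultName=lock.vault_name)
    return {"locked": desc.get("Locked", False),
            "lock_date": desc.get("LockDate"),
            "min_retention_days": desc.get("MinRetentionDays"),
            "max_retention_days": desc.get("MaxRetentionDays")}


if __name__ == "__main__":
    lock = VaultLock("prod-daily", min_retention_days=7,
                     max_retention_days=400, changeable_for_days=3)
    print(lock.mode, lock.api_params())
    # A 365-day rule fits; a 3-day scratch rule and a never-expiring rule do not.
    print(rule_fits_lock({"DeleteAfterDays": 365}, lock))  # True
    print(rule_fits_lock({"DeleteAfterDays": 3}, lock))    # False
    print(rule_fits_lock({}, lock))                         # False
```

Run `rule_fits_lock` over every rule and copy action that targets the vault before locking it: once a compliance-mode lock's cooling-off period has passed, a rule whose retention is below the minimum does not get "fixed" by the lock, its jobs simply fail, and you cannot lower the minimum to accommodate it.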
Supported Services
AWS Backup supports a wide range of AWS services, including but not limited to:
- Compute: Amazon EC2, VMware virtual machines (on premises and VMware Cloud on AWS), SAP HANA on EC2
- Storage: Amazon EBS, Amazon S3, Amazon EFS, Amazon FSx (for Windows File Server, Lustre, NetApp ONTAP, OpenZFS), AWS Storage Gateway volumes
- Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB, Amazon Redshift, Amazon Timestream
- Other: AWS CloudFormation stacks (application-aware backup of all supported resources in a stack)
- Service opt-in: Protection is enabled per Region and per resource type in the AWS Backup settings. A resource type that is not opted in is skipped by backup plans even when its resources carry the assignment tag, so check the opt-in list when a resource type is silently missing from a vault.
Restoring from a Backup
- You initiate a restore from the AWS Backup console, CLI or API by selecting a recovery point within a backup vault and supplying restore parameters together with an IAM role that is allowed to create the target resource.
- A restore job creates a new AWS resource based on the state captured in the recovery point. The restored resource has a new ARN and, unless you ask for the source's tags to be copied, no tags.
- For most resource types AWS Backup does not overwrite the existing resource; it restores to a new resource, which prevents accidental data loss. You configure restore parameters such as the VPC, subnet, security groups or instance type for the new resource, starting from the metadata captured with the recovery point. Amazon EFS and S3 additionally offer restores into the source file system or bucket; check the service-specific restore behaviour before relying on it. AWS Backup can also run restore testing plans that periodically restore recovery points automatically to prove they are usable.
On-Demand vs. Scheduled Backups
- Scheduled Backups: The automated backups created by your backup plans according to the defined frequency. This is the primary mode of operation.
- On-Demand Backups: You can also create a one-off backup of any supported resource at any time, specifying the vault, the IAM role and the lifecycle for that single job. This is useful for taking a known-good checkpoint before a critical operation (a migration, a schema change, a patch) or for seeding a new environment.
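The script below is an added example, not code from the AWS documentation, and covers the Restoring from a Backup and On-Demand Backups sections together: it takes an on-demand backup of an EBS volume before a risky change, waits for the job, then restores that recovery point into a new volume and waits for the restore, so the checkpoint is proven usable before the change runs. The calls follow the StartBackupJob, DescribeBackupJob, GetRecoveryPointRestoreMetadata, StartRestoreJob and DescribeRestoreJob APIs; the ARNs, vault and role are assumptions, and `availabilityZone` as the EBS restore-metadata key is an assumption too. The client is passed in, so the flow can be exercised offline with a stub.

```python
import time

# Hypothetical identifiers for this example (not real resources).
ACCOUNT_ID = "123456789012"
VAULT = "prod-daily"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/AWSBackupDefaultServiceRole"
VOLUME_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:volume/vol-0123456789abcdef0"

# Terminal job states; only COMPLETED counts as success.
BACKUP_TERMINAL = {"COMPLETED", "FAILED", "ABORTED", "EXPIRED"}
RESTORE_TERMINAL = {"COMPLETED", "FAILED", "ABORTED"}


def wait_for_job(fetch_state, terminal_states, poll_seconds=30, max_polls=240):
    """Poll until the job reaches a terminal state; raise unless it COMPLETED."""
    for _ in range(max_polls):
        state = fetch_state()
        if state in terminal_states:
            if state != "COMPLETED":
                raise RuntimeError(f"job ended in state {state}")
            return state
        time.sleep(poll_seconds)
    raise TimeoutError("job did not reach a terminal state in time")


def checkpoint_before_change(client, resource_arn, vault, role_arn, change_ref,
                             poll_seconds=30):
    """On-demand backup with a short explicit lifecycle and tags recording why
    it was taken. Returns the recovery point ARN once the job completes."""
    job = client.start_backup_job(
        BackupVaultName=vault, ResourceArn=resource_arn, IamRoleArn=role_arn,
        Lifecycle={"DeleteAfterDays": 14},
        RecoveryPointTags={"purpose": "pre-change-checkpoint", "change": change_ref})
    job_id = job["BackupJobId"]
    wait_for_job(lambda: client.describe_backup_job(BackupJobId=job_id)["State"],
                 BACKUP_TERMINAL, poll_seconds)
    return client.describe_backup_job(BackupJobId=job_id)["RecoveryPointArn"]


def restore_to_new_resource(client, recovery_point_arn, vault, role_arn, overrides,
                            poll_seconds=30):
    """Restore into a fresh resource. The metadata AWS Backup captured with the
    recovery point is the starting point; only the keys in `overrides` change.
    Key names are resource-type specific (availabilityZone for EBS is assumed
    here). Returns the new resource's ARN."""
    captured = client.get_recovery_point_restore_metadata(
        BackupVaultName=vault, RecoveryPointArn=recovery_point_arn)["RestoreMetadata"]
    metadata = {**captured, **overrides}
    job = client.start_restore_job(RecoveryPointArn=recovery_point_arn,
                                   Metadata=metadata, IamRoleArn=role_arn)
    job_id = job["RestoreJobId"]
    wait_for_job(lambda: client.describe_restore_job(RestoreJobId=job_id)["Status"],
                 RESTORE_TERMINAL, poll_seconds)
    return client.describe_restore_job(RestoreJobId=job_id)["CreatedResourceArn"]


def verify_restorable(client, resource_arn, vault, role_arn, change_ref, overrides,
                      poll_seconds=30):
    """Checkpoint, then prove the checkpoint restores, before the risky change runs."""
    rp_arn = checkpoint_before_change(client, resource_arn, vault, role_arn,
                                      change_ref, poll_seconds)
    new_arn = restore_to_new_resource(client, rp_arn, vault, role_arn, overrides,
                                      poll_seconds)
    return {"recovery_point_arn": rp_arn, "restored_resource_arn": new_arn}


if __name__ == "__main__":
    import boto3  # assumed installed and credentialed when run for real
    result = verify_restorable(boto3.client("backup"), VOLUME_ARN, VAULT, ROLE_ARN,
                               change_ref="CHG-0042",
                               overrides={"availabilityZone": "us-east-1b"})
    print(result)
```

The restored volume is a new resource that nothing is attached to; after the check passes, delete it (or keep it as the rollback target) so the verification does not quietly double storage cost. The 14-day lifecycle on the checkpoint is a deliberate choice: an on-demand backup taken outside a plan has no plan to expire it, so without an explicit lifecycle it is kept forever.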