Creating a backup plan - AWS Backup

Creating a backup plan

You can create a backup plan using the AWS Backup console, API, CLI, SDK, or an AWS CloudFormation template.

Creating backup plans using the AWS Backup console

Open the AWS Backup console at From the dashboard, choose Manage Backup plans. Or, using the navigation pane, choose Backup plans and choose Create Backup plan.

Start options

You have three choices for your new backup plan:

In this tutorial, we will choose Build a new plan. Each part of the configuration has a link to an expanded section further on the page to where you can navigate for more detail.

  1. Enter a plan name in Backup plan name. You can't change the name of a plan after it is created.

    If you try to create a backup plan that is identical to an existing plan, you receive an AlreadyExistsException error.

  2. Optionally, you can add tags to your backup plan.

  3. Backup rule configuration: In the backup rule configuration section, you will set the backup schedule, window, and lifecycle.

  4. Schedule:

    1. Input a backup rule name in the text field.

    2. In the backup vault dropdown menu, choose Default or choose Create new Backup vault to create a new vault.

    3. In the backup frequency dropdown menu, choose how often you want this plan to create a backup.

  5. Backup window:

    1. Start time defaults to 12:30 AM (00:30 in 24hr time) in your system’s local timezone.

    2. Start within defaults to 8 hours. You can change this to specify a window of time for the backup to start.

    3. Complete within defaults to 7 days.

  6. Continuous backups and point-in-time restore (PITR): You can select Enable continuous backups for point-in-time recovery (PITR). To verify which resources are supported for this type of backup, see the Feature availability by resource matrix.

  7. Lifecycle

    1. Cold storage: Select this box to let eligible resource types transition to cold storage in accordance with the timetable you specify in the total retention period. To use cold storage, you must have a total retention period of 90 days or greater.

    2. Cold storage for Amazon EBS is Amazon EBS Snapshots Archive. Snapshots transitioned to archive storage tier will display in the console as cold tier. If cold storage is enabled, and if your backup frequency is monthly or less often, you can have your backup plan transition EBS snapshots.

    3. The total retention period is the number of days that you store your resource in AWS Backup. It is the total number of days of warm storage plus cold storage.

  8. (Optional) Use Copy to destination to create a cross-Region copy of eligible resources if you want to store a copy of a backup in a different AWS Region.

  9. (Optional) Tags added to recovery points.

  10. When all sections are set to your specifications, choose Save Backup rule.

Creating backup plans using the AWS CLI

You can also define your backup plan in a JSON document and provide it using the AWS Backup console or AWS CLI. The following JSON document contains a sample backup plan that creates a daily backup at 1:00 Pacific time (the local time adjusts to daylight, standard, or summer time conditions if applicable). It automatically deletes a backup after one year.

{ "BackupPlan":{ "BackupPlanName":"test-plan", "Rules":[ { "RuleName":"test-rule", "TargetBackupVaultName":"test-vault", "ScheduleExpression":"cron(0 1 ? * * *)", "ScheduleExpressionTimezone":"America/Los_Angeles", "StartWindowMinutes":integer, // Value is in minutes "CompletionWindowMinutes":integer, // Value is in minutes "Lifecycle":{ "DeleteAfterDays":integer, // Value is in days } } ] } }

You can store your JSON document with a name you choose. The following CLI command shows create-backup-plan with a JSON named test-backup-plan.json:

aws backup create-backup-plan --cli-input-json file://PATH-TO-FILE/test-backup-plan.json

Note that while some systems number the days of the week from 0 to 6, we number them from 1 to 7. For more information, see Cron expressions . For more information about timezones, see TimeZone in the Amazon Location Service API reference.

Backup plan options and configuration

When you define a backup plan in the AWS Backup console, you configure the following options:

Backup plan name

You must provide a unique backup plan name.

If you choose name that is identical to the name of an existing plan, you will receive an error message.

Backup rules

Backup plans are composed of one or more backup rules. To add backup rules to a backup plan, or to edit existing rules in a backup plan:

  1. From the AWS Backup console, in the left navigation pane, choose Backup plans.

  2. Under Backup plan name, select a backup plan.

  3. Under the Backup rules section:

    • To add a backup rule, choose Add backup rule.

    • To edit an existing backup rule, select a rule, then choose Edit.


If you have a backup plan with multiple rules and the time frames of the two rules overlap, AWS Backup optimizes the backup and takes a backup for the rule with the longer retention time. The optimization takes into account the full start window, not just when the daily backup is taken.

Each backup rule consists of the following elements.

Backup rule name

Backup rule names are case sensitive. They must contain from 1 to 50 alphanumeric characters or hyphens.

Backup frequency

The backup frequency determines how often AWS Backup creates a snapshot backup. Using the console, you can choose a frequency of every hour, 12 hours, daily, weekly, or monthly. You can also create a cron expression that creates snapshot backups as frequently as hourly. Using the AWS Backup CLI, you can schedule snapshot backups as frequently as hourly.

If you select weekly, you can specify which days of the week you want backups to be taken. If you select monthly, you can choose a specific day of the month.

You can also check the Enable continuous backups for supported resources checkbox to create a point-in-time restore (PITR)-enabled continuous backup rule. Unlike snapshot backups, continuous backups allow you to perform point-in-time restore. To learn more about continuous backups, see Point-in-Time Recovery.

Backup window

Backup windows consist of the time that the backup window begins and the duration of the window in hours. Backup jobs are started within this window. The default settings in the console are:

  • 12:30 AM local to your system’s timezone (0:30 in 24-hour systems)

  • Start within 8 hours

  • Complete within 7 days

    (complete within parameter does not apply to Amazon FSx resources)

You can customize the backup frequency and backup window start time using a cron expression. To see the six fields of AWS cron expressions, see Cron Expressions in the Amazon CloudWatch Events User Guide. Two examples of AWS cron expressions are 15 * ? * * * (take a backup every hour at 15 minutes past the hour) and 0 12 * * ? * (take a backup every day at 12 noon UTC). For a table of examples, click the preceding link and scroll down the page.

AWS Backup evaluates cron expressions between 00:00 and 23:59. If you create a backup rule for "every 12 hours" but provide a start time of later than 11:59, it will only run once per day.

Continuous backups and point-in-time restore (PITR) reference the changes recorded over a period of time; therefore, they cannot be scheduled with a time or cron expression.


In general, AWS database services cannot start backups 1 hour before or during their maintenance window and Amazon FSx cannot start backups 4 hours before or during their maintenance window or automatic backup window (Amazon Aurora is exempt from this maintenance window restriction). Snapshot backups scheduled during those times will fail.

An exception occurs when you opt in to using AWS Backup for both snapshot and continuous backups for a supported service. AWS Backup will schedule backup windows automatically to avoid conflicts. See Point-in-Time Recovery for a list of supported services and instructions on how to use AWS Backup to take continuous backups.

Overlapping backup rules

On occasion, a backup plan might contain multiple, overlapping rules. When the start windows of different rules overlap, AWS Backup retains the backup under the rule with the longer retention period. For example, consider a backup plan with two rules:

  1. Backup hourly, with a 1-hour start window, and retain for 1 day.

  2. Backup every 12 hours, with an 8-hour start window, and retain for 1 week.

After 24 hours, the second rule creates two backups (because it has the longer retention period). The first rule creates eight backups (because the second rule's 8-hour start window prevented more hourly backups from running). Specifically:

During this Start Window This Rule Creates 1 Backup
Midnight to 8AM 12 hours
8 to 9 Hourly
9 to 10 Hourly
10 to 11 Hourly
11 to Noon Hourly
Noon to 8PM 12 hours
8 to 9 Hourly
9 to 10 Hourly
10 to 11 Hourly
11 to Midnight Hourly

During the start window, the backup job status remains in CREATED status until it has successfully begun or until the start window time has run out. If within the start window time AWS Backup receives an error that allows the job to be retried, AWS Backup will automatically retry to begin the job at least every 10 minutes until the backup successfully begins (the job status changes to RUNNING) or until the job status changes to EXPIRED (which is expected to occur when the start window time is over).

Lifecycle and storage tiers

Backups are stored for the number of days you specify, known as the backup lifecycle. Backups can be restored until the end of their lifecycle.

This is set as the total retention period in the lifecycle section of backup rule configuration in the AWS Backup console.

If you use AWS CLI, this is set using the parameter DeleteAfterDays. The retention period for snapshots can range between 1 day and 100 years (or indefinitely if you don't enter one), while the retention period for continuous backups can range from 1 day to 35 days. The creation date of a backup is the date the backup job started, not the date it completed. If your backup job doesn't complete on the same date it started, use the date on which it began to help calculate retention periods.

Backups are maintained in a storage tier. Each tier incurs a different cost for storage and for restore, as outlined by AWS Backup pricing. Every backup is created and is stored in warm storage. Depending on how long you choose to store your backup, you may wish to transition your backup to a lower-cost tier called cold storage. Feature availability by resource displays which resources have this optional feature.

  1. Open the AWS Backup console at

  2. Create or edit a backup plan.

  3. In the lifecycle section of backup rule configuration, check the box Move backups from warm to cold storage.

  4. (optional) If Amazon EBS is one of the resources you back up and your backup frequency is monthly or less frequent, you can transition them to cold tier using EBS snapshot archival.

  5. Input a value (in days) that you want your backups to remain in warm storage. AWS Backup recommends at least 8 days.

  6. Input a value (in days) for the total retention period. The difference between total retention period and time in warm storage will be the amount of days the backups remain in cold storage.

  1. Use create-backup-plan or update-backup-plan.

  2. Include the Boolean parameter OptInToArchiveForSupportedResources for EBS resources.

  3. Include the parameter MoveToColdStorageAfterdays.

  4. Use the parameter DeleteAfterDays. This value must be 90 (days) plus the value you input for MoveToColdStorageAfterDays.

Cold storage is currently available for the following resource types:

Resource type Incremental or Full backup in cold storage

AWS CloudFormation


DynamoDB with advanced features

Full; no Incremental backups in any tier

Amazon EBS (using EBS Snapshot Archive)

Full; Incremental backups will become Full after transition.

Amazon EFS


SAP HANA databases running on Amazon EC2 instances


Amazon Timestream


VMware virtual machines


Once you have enabled transition to cold storage through the console or command line, the following conditions are true for backups in cold storage (or archive):

  • Backups transitioned must be stored in cold storage for a minimum of 90 days, in addition to the time in warm storage. AWS Backup requires the retention to be set for 90 days longer than the “transition to cold after days” setting. You can't change the “transition to cold after days” setting after a backup has been transitioned to cold.

  • Some services support incremental backups. For incremental backups, you must have at least one warm full backup. AWS Backup recommends that you set your lifecycle settings to not move your backup to cold storage until after at least 8 days. If the full backup is transitioned to cold storage too soon (for example, a transition to cold storage after 1 day), AWS Backup will create another warm full backup.

  • For resource types that support incremental backups, AWS Backup transitions data from warm to cold storage if the transitioned data is no longer referenced by warm backups. Data in backups retained in cold storage that is only referenced by other cold backups is billed at cold storage tier prices. Other backups continue at warm storage tier pricing.

Backup vault

A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own. For step-by-step instructions for creating a backup vault, see Step 3: Create a backup vault.

Copy to Regions

As part of your backup plan, you can optionally create a backup copy in another AWS Region. For more information about backup copies, see Creating backup copies across AWS Regions.

When you define a backup copy, you configure the following options:

Destination Region

The destination Region for the backup copy.

(Advanced Settings) Backup vault

The destination backup vault for the copy.

(Advanced Settings) IAM Role

The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you choose Default and the AWS Backup default role is not present in your account, a role is created for you with the correct permissions.

(Advanced Settings) Lifecycle

Specifies when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. You can't change this value after a copy has transitioned to cold storage.

Expire specifies the number of days after creation that the copy is deleted. This must be greater than 90 days beyond the Transition to cold storage value.

Tags added to recovery points

The tags that you list here are automatically added to backups when they are created.

Tags added to backup plans

These tags are associated with the backup plan itself to help you organize and track your backup plan.

Advanced backup settings

Enables application consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. AWS Backup excludes specific Amazon EC2 instance types from Windows VSS backups. For more information, see Creating Windows VSS backups.

AWS CloudFormation templates for backup plans

We provide two sample AWS CloudFormation templates for your reference. The first template creates a simple backup plan. The second template enables VSS backups in a backup plan.


If you are using the default service role, replace service-role with AWSBackupServiceRolePolicyForBackup.

Description: backup plan template to back up all resources daily at 5am UTC, and tag all recovery points with backup:daily. Resources: KMSKey: Type: AWS::KMS::Key Properties: Description: "Encryption key for daily" EnableKeyRotation: True Enabled: True KeyPolicy: Version: "2012-10-17" Statement: - Effect: Allow Principal: "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" } Action: - kms:* Resource: "*" BackupVaultWithDailyBackups: Type: "AWS::Backup::BackupVault" Properties: BackupVaultName: "BackupVaultWithDailyBackups" EncryptionKeyArn: !GetAtt KMSKey.Arn BackupPlanWithDailyBackups: Type: "AWS::Backup::BackupPlan" Properties: BackupPlan: BackupPlanName: "BackupPlanWithDailyBackups" BackupPlanRule: - RuleName: "RuleForDailyBackups" TargetBackupVault: !Ref BackupVaultWithDailyBackups ScheduleExpression: "cron(0 5 ? * * *)" DependsOn: BackupVaultWithDailyBackups DDBTableWithDailyBackupTag: Type: "AWS::DynamoDB::Table" Properties: TableName: "TestTable" AttributeDefinitions: - AttributeName: "Album" AttributeType: "S" KeySchema: - AttributeName: "Album" KeyType: "HASH" ProvisionedThroughput: ReadCapacityUnits: "5" WriteCapacityUnits: "5" Tags: - Key: "backup" Value: "daily" BackupRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "" Action: - "sts:AssumeRole" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/service-role" TagBasedBackupSelection: Type: "AWS::Backup::BackupSelection" Properties: BackupSelection: SelectionName: "TagBasedBackupSelection" IamRoleArn: !GetAtt BackupRole.Arn ListOfTags: - ConditionType: "STRINGEQUALS" ConditionKey: "backup" ConditionValue: "daily" BackupPlanId: !Ref BackupPlanWithDailyBackups DependsOn: BackupPlanWithDailyBackups
Description: backup plan template to enable Windows VSS and add backup rule to take backup of assigned resources daily at 5am UTC. Resources: KMSKey: Type: AWS::KMS::Key Properties: Description: "Encryption key for daily" EnableKeyRotation: True Enabled: True KeyPolicy: Version: "2012-10-17" Statement: - Effect: Allow Principal: "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" } Action: - kms:* Resource: "*" BackupVaultWithDailyBackups: Type: "AWS::Backup::BackupVault" Properties: BackupVaultName: "BackupVaultWithDailyBackups" EncryptionKeyArn: !GetAtt KMSKey.Arn BackupPlanWithDailyBackups: Type: "AWS::Backup::BackupPlan" Properties: BackupPlan: BackupPlanName: "BackupPlanWithDailyBackups" AdvancedBackupSettings: - ResourceType: EC2 BackupOptions: WindowsVSS: enabled BackupPlanRule: - RuleName: "RuleForDailyBackups" TargetBackupVault: !Ref BackupVaultWithDailyBackups ScheduleExpression: "cron(0 5 ? * * *)" DependsOn: BackupVaultWithDailyBackups