Creating a backup plan - AWS Backup

Creating a backup plan

When you create a backup plan, it is added to the set of plans in your account. You can also use the AWS CloudFormation template to create a backup plan. For information, see AWS Backup Resource Type Reference in the AWS CloudFormation User Guide.

Creating backup plans using the AWS Management Console

AWS Backup provides two ways to get started using the AWS Backup console:

  • Start from an existing plan — You can create a new backup plan based on the configurations in an existing plan. Be aware that backup plans created by AWS Backup are based on backup best practices and common backup policy configurations. When you select an existing backup plan to start from, the configurations from that backup plan are automatically populated for your new backup plan. You can then change any of these configurations according to your backup requirements.

    For step-by-step instructions, see Step 1: Create a backup plan by modifying an existing one in the Getting Started section.

  • Build a new plan from scratch — You can create a new backup plan by specifying each of the backup configuration details, as described in the next section. You can choose from the recommended default configurations.


    If you try to create a backup plan that is identical to an existing plan, you get an AlreadyExistsException error.

Backup plan options and configuration

When you define a backup plan in the AWS Backup console, you configure the following options:

Backup plan name

You must provide a unique backup plan name.

If you choose name that is identical to the name of an existing plan, you will receive an error message.

Backup rules

Backup plans are composed of one or more backup rules. Each backup rule consists of the following elements.


If you have a backup plan with multiple rules if the time frame of the two rules overlap, AWS Backup optimizes the backup and takes a backup for the rule with the longer retention time. The optimization takes into account the full start window, not just when the daily backup is taken.

Backup rule name

Backup rule names are case sensitive. They must contain from 1 to 50 alphanumeric characters or hyphens.

Backup frequency

The backup frequency determines how often AWS Backup creates a snapshot backup. Using the console, you can choose a frequency of every 12 hours, daily, weekly, or monthly. You can also create a cron expression that creates snapshot backups as frequently as hourly. Using the AWS Backup CLI, you can schedule snapshot backups as frequently as hourly.

If you select weekly, you can specify which days of the week you want backups to be taken. If you select monthly, you can choose a specific day of the month.

You can also check the Enable continuous backups for supported resources checkbox to create a point-in-time restore (PITR)-enabled continuous backup rule. Unlike snapshot backups, continuous backups allow you to perform point-in-time restore. To learn more about continuous backups, see Point-in-Time Recovery.

Backup window

Backup windows consist of the time that the backup window begins and the duration of the window in hours. Backup jobs are started within this window. If you are unsure what backup window to use, you can choose to use the default backup window that AWS Backup recommends. The default backup window is set to start at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours.


You can customize the backup frequency and backup window start time using a cron expression. For more information about cron expressions, see Schedule Expressions for Rules in the Amazon CloudWatch Events User Guide. We recommend testing your cron expression using one of the many available cron generator and testing tools.


AWS Backup evaluates cron expressions between 00:00 and 23:59 UTC. If you create a backup rule for "every 12 hours" but provide a start time of later than 11:59, it will only run once per day.


AWS Backup cancels any backup job scheduled 4 hours before the maintenance window or automated backup window of any AWS database resource. This is to ensure the data integrity of your databases. AWS database resources include, but are not limited to, Amazon RDS instances, Aurora clusters, and Amazon DynamoDB tables. To avoid failed backup jobs, do one of the following:

  • Configure your backup plans to run at least 4 hours before (or immediately after) the backup windows of those services, or

  • Use AWS Backup plans and rules to perform both your snapshot and continuous backups. See Point-in-Time Recovery for instructions. AWS Backup only supports this capability for Amazon RDS (not including Amazon Aurora). AWS Backup will intelligently schedule both backup windows to avoid a potential conflict.

Overlapping backup rules

On occasion, a backup plan might contain multiple, overlapping rules. When the start windows of different rules overlap, AWS Backup retains the backup under the rule with the longer retention period. For example, consider a backup plan with two rules:

  1. Backup hourly, with a 1-hour start window, and retain for 1 day.

  2. Backup every 12 hours, with an 8-hour start window, and retain for 1 week.

After 24 hours, the second rule creates two backups (because it has the longer retention period). The first rule creates eight backups (because the second rule's 8-hour start window prevented more hourly backups from running). Specifically:

During this Start Window This Rule Creates 1 Backup
Midnight to 8AM 12 hours
8 to 9 Hourly
9 to 10 Hourly
10 to 11 Hourly
11 to Noon Hourly
Noon to 8PM 12 hours
8 to 9 Hourly
9 to 10 Hourly
10 to 11 Hourly
11 to Midnight Hourly


The lifecycle defines when a backup is transitioned to cold storage and when it expires. AWS Backup transitions and expires backups automatically according to the lifecycle that you define.

If you want your backups to be incremental, you must have at least one warm backup. Because each backup to cold storage is a full backup, AWS Backup recommends that you set your lifecycle settings to not move your backup to cold storage until after at least 8 days.

If you set your lifecycle to back up to cold storage after 1 day, each of those backups will be a full backup. This might be less cost effective than a less regular transfer to cold storage.

Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, on the console, the “expire after days” setting must be 90 days longer than the “transition to cold after days” setting. You can't change the “transition to cold after days” setting after a backup has been transitioned to cold.

  • Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon DynamoDB, and AWS Storage Gateway.

  • When backups reach the end of their lifecycle and are marked for deletion as part of your lifecycle policy, AWS Backup deletes the backups at a randomly chosen point over the following 8 hours. This 8-hour window helps ensure consistent performance for deletion.

Backup vault

A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own. For step-by-step instructions for creating a backup vault, see Step 3: Create a backup vault.

Copy to Regions

As part of your backup plan, you can optionally create a backup copy in another AWS Region. For more information about backup copies, see

When you define a backup copy, you configure the following options:

Destination Region

The destination Region for the backup copy.

(Advanced Settings) Backup vault

The destination backup vault for the copy.

(Advanced Settings) IAM Role

The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you choose Default and the AWS Backup default role is not present in your account, a role is created for you with the correct permissions.

(Advanced Settings) Lifecycle

Specifies when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. You can't change this value after a copy has transitioned to cold storage.

Expire specifies the number of days after creation that the copy is deleted. This must be greater than 90 days beyond the Transition to cold storage value.


When backups reach the end of their lifecycle and are marked for deletion as part of your lifecycle policy, AWS Backup deletes the backups at a randomly chosen point over the following 24 hours. This 24-hour window helps ensure consistent performance for deletion.

Tags added to recovery points

The tags that you list here are automatically added to backups when they are created.

Tags added to backup plans

These tags are associated with the backup plan itself to help you organize and track your backup plan.

Advanced backup settings

Enables application consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. AWS Backup excludes specific Amazon EC2 instance types from Windows VSS backups. For more information, see Creating Windows VSS backups.