Restoring to a specified time using Point-In-Time Recovery (PITR) - AWS Backup

Restoring to a specified time using Point-In-Time Recovery (PITR)

For some resources, AWS Backup supports continuous backups and point-in-time recovery (PITR) in addition to snapshot backups.

With continuous backups, you can restore your AWS Backup-supported resource by rewinding it back to a specific time that you choose, within 1 second of precision (going back a maximum of 35 days). Continuous backup works by first creating a full backup of your resource, and then constantly backing up your resource’s transaction logs. PITR restore works by accessing your full backup and replaying the transaction log to the time that you tell AWS Backup to recover.

Alternatively, snapshot backups can be taken as frequently as every hour. Snapshot backups can be stored for up to a maximum of 100 years. Snapshots can by copied for full or incremental backups.

Because continuous and snapshot backups offer different advantages, we recommend that you protect your resources with both continuous and snapshot backup rules.

You can opt in to continuous backups for supported resources when you create a backup plan in AWS Backup using the AWS Backup console or the API.

To enable continuous backups using the console
  1. Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Backup plans, and then choose Create Backup plan.

  3. Under Backup rules, choose Add Backup rule.

  4. In the Backup rule configuration section, select Enable continuous backups for supported resources.

Supported services and applications for Point-In-Time Recovery (PITR)

AWS Backup supports continuous backups and point-in-time recovery for the following services and applications:

  • Amazon S3

  • Amazon RDS

Amazon S3

To turn on PITR for S3 backups, continuous backups need to part of the backup plan.

While this original backup of the source bucket can have PITR active, cross-Region or cross-account destination copies will not have PITR, and restoring from these copies will restore to the time they were created (the copies will be snapshot copies) instead of restoring to a specified point in time.

Amazon RDS

Amazon RDS calls its continuous backups "automated backups." AWS Backup calls Amazon RDS continuous backups "continuous backups."

If you use AWS Backup for both Amazon RDS snapshots and continuous backups, AWS Backup will intelligently schedule your backup windows, along with the Amazon RDS maintenance window, to prevent conflicts. You no longer have to manually schedule one backup window hours before another.

You can't control the Amazon RDS automated backup window. This is because AWS Backup intelligently schedules it for you.

When you change your PITR retention period, AWS Backup calls ModifyDBInstance and applies that change immediately. If you have other configuration updates pending the next maintenance window, changing your PITR retention period will also apply those configuration updates immediately. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

You can perform a point-in-time recovery using either AWS Backup or Amazon RDS. For AWS Backup console instructions, see Restoring an Amazon RDS Database. For Amazon RDS instructions, see Restoring a DB Instance to a specified time in the Amazon RDS User Guide. RDS takes snapshots once per day regardless if a backup plan has a frequency for snapshot backups other than once per day.

AWS Backup currently does not support Amazon Aurora continuous backups. AWS Backup supports Aurora snapshots.

Incremental snapshot copy jobs process faster than full snapshot copy jobs. Keeping a previous snapshot copy until the new copy job is complete may reduce the copy job duration. If you choose to copy snapshots from RDS database instances, it is important to note that deleting previous copies first will cause full snapshot copies to be made (instead of incremental). For more information on optimizing copying, see Incremental snapshot copying in the Amazon RDS User Guide

Considerations:

Keep in mind the following when performing a point-in-time recovery:

  • Restoring recent activity — Amazon RDS activity allows restores up until the most recent 5 minutes of activity; Amazon S3 allows restores up until the most recent 15 minutes of activity.

  • Creating copies of Amazon RDS continuous backups — You can't create copies of Amazon RDS continuous backups because AWS Backup for Amazon RDS does not allow copying transaction logs. Instead, AWS Backup creates a snapshot and copies it with the frequency specified in the backup plan.

For general information about working with Amazon RDS, see the Amazon RDS User Guide.

Managing continuous backup settings

After you apply an AWS Backup continuous backup rule to an Amazon RDS instance, you can't create or modify continuous backup settings to that instance in Amazon RDS. This limitation exists to prevent conflicts.

To view your continuous backup in Amazon RDS, open the Amazon RDS console and choose Automated backups in the left-hand menu.

To transition control of continuous backup for that Amazon RDS instance back to Amazon RDS, you can use the AWS Backup console, AWS CLI, or API.

To transition continuous backup control to Amazon RDS using the AWS Backup console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Backup plans.

  3. Delete all the Amazon RDS backup plans with continuous backup protecting that resource.

  4. Choose Backup vaults. Delete the continuous backup recovery point from your backup vault. Or, wait for their retention period to elapse, causing AWS Backup to automatically delete the recovery point.

After you complete these steps, AWS Backup will transition continuous backup control of your resource back to Amazon RDS.

To transition continuous backup control to Amazon RDS using the AWS Backup API or CLI
IAM permissions required for Amazon RDS continuous backups
  • To use AWS Backup to configure continuous backups for your Amazon RDS database, verify that the API permission rds:ModifyDBInstance exists in the IAM role defined by your backup plan configuration. To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role that you submitted for the restore job. You can use the AWS Backup default service role to perform backups and restores.

  • To describe the range of times available for point-in-time recovery, AWS Backup calls rds:DescribeDBInstanceAutomatedBackupsAPI. In the AWS Backup console, you must have the rds:DescribeDBInstanceAutomatedBackups API permission in your AWS Identity and Access Management (IAM) managed policy. You can use the AWSBackupFullAccess or AWSBackupOperatorAccess managed policies. Both policies have all required permissions. For more information, see Managed Policies.

Working with continuous backups

Finding a continuous backup

You can use the AWS Backup console to find your continuous backup.

To find a continuous backup using the AWS Backup console
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Backup vaults, and then choose your backup vault in the list.

  3. In the Backups section, in the Backup type column, sort for Continuous recovery points. You can also sort by Recovery point ID for the prefix continuous.

Restoring a continuous backup

To restore a continuous backup using the AWS Backup console
  • During the PITR restore process, the AWS Backup console displays a Restore time section. In this section, do one of the following:

    • Choose to restore to the Latest restorable time.

    • Choose Specify date and time to enter your own date and time within your retention period.

To restore a continuous backup using the AWS Backup API
  1. For Amazon S3 see Use the AWS Backup API, CLI, or SDK to restore S3 recovery points.

  2. For Amazon RDS see Use the AWS Backup API, CLI, or SDK to restore Amazon RDS recovery points.

Stopping continuous backups

If you want to stop continuous backups, you must delete the continuous backup rule from your backup plan. If you wish to stop continuous backups for one or more resources but not for all resources, create a new backup plan with the continuous backup rule for those resources you still want to be continuously backed up. If instead you only delete a continuous backup recovery point from your backup vault, your backup plan will still continue to execute the continuous backup rule, creating a new recovery point.

However, even after you delete your continuous backup rule, AWS Backup remembers the retention period from your now-deleted backup rule. It will automatically delete your continuous backup recovery point from your backup vault based on your specified retention period.

Copying continuous backups

If a continuous backup rule also specifies a cross-account or cross-Region copy, AWS Backup takes a snapshot of the continuous backup and copies that snapshot to the destination vault. To learn more about copying your recovery points across accounts and Regions, see Copying a backup .

Continuous backups will create a periodic backup in accordance with the frequency set in the backup plan rule in the destination account and/or Region.

AWS Backup does not support on-demand copies of continuous backups.

Changing your retention period

You can use AWS Backup to increase or decrease the retention period for your existing continuous backup rule. The minimum retention period is 1 day. The maximum retention period is 35 days.

If you increase your retention period, the effect is immediate. If you decrease your retention period, AWS Backup will wait until enough time passes before applying the change to protect against data loss. For example, if you decrease your retention period from 35 days to 20, AWS Backup will continue to preserve 35 days of continuous backup until 15 days have passed. This design protects your last 15 days of backups at the time you made the change.

Removing the only continuous backup rule from a backup plan

When you create a backup plan with a continuous backup rule and then you remove that rule, AWS Backup remembers the retention period from your now-deleted rule. It will delete the continuous backup from your backup vault when the retention period elapses.

Overlapping continuous backups on the same resource

In general, you should protect each resource with no more than one continuous backup rule. This is because additional continuous backups are redundant. However, as you scale up your backup estate, it is possible for multiple backup plans, rules, and vaults to overlap on a single resource. AWS Backup handles these overlaps as follows.

If you include the same resource in more than one backup plan with a continuous backup rule, AWS Backup will only create a continuous backup for the first backup plan it evaluates. It will create snapshot backups for all of the other backup plans.

If you include multiple continuous backup rules in a single backup plan:

  • If your rules point to the same backup vault, AWS Backup only creates a continuous backup for the rule with the longest retention period. It disregards all other rules.

  • If your rules point to different backup vaults, AWS Backup rejects the plan as not valid.

Point-in-time recovery considerations

Be aware of the following considerations for point-in-time recovery:

  • Automatic fallback to snapshots — If AWS Backup is unable to perform a continuous backup, it tries to perform a snapshot backup instead.

  • No support for on-demand continuous backups — AWS Backup doesn't support on-demand continuous backup because on-demand backup records a point in time, whereas continuous backup records changes over a period of time.

  • No support for transition to cold storage — Continuous backups don't support transition to cold storage because transition to cold requires a minimum transition period of 90 days, whereas continuous backups have a maximum retention period of 35 days.