Restoring an Amazon EC2 instance - AWS Backup

Restoring an Amazon EC2 instance

When using the console, you can perform restores with 16 options. If you need to set the other parameters, you must use the CLI or SDK.


AWS Backup does not backup and restore user-data that is used while launching an Amazon EC2 instance.

Use the AWS Backup console to restore Amazon EC2 recovery points

This is the recommended option.

To restore Amazon EC2 resources using the AWS Backup console
  1. Open the AWS Backup console at

  2. In the navigation pane, choose Protected resources and the Amazon EC2 resource ID that you want to restore.

  3. On the Resource details page, a list of recovery points for the selected resource ID is shown. To restore a resource, in the Backups pane, choose the radio button next to the recovery point ID of the resource. In the upper-right corner of the pane, choose Restore.

  4. In the Network settings pane, accept the defaults or specify the options for the Instance type, Virtual Private Cloud (VPC), Subnet, Security groups, and Instance IAM role settings.

  5. In the Restore role pane, accept the Default role or Choose an IAM role to specify the IAM role that AWS Backup will assume for this restore.

  6. In the Advanced settings pane, accept the defaults or specify the options for the Shutdown behavior, Enable termination protection, Placement group, T2/T3 Unlimited, Tenancy, and User data settings. This section is used to customize shutdown and hibernation behavior, termination protection, placement groups, tenancy, and other advanced settings.

  7. After specifying all your settings, choose Restore backup.

    The Restore jobs pane appears. A message at the top of the page provides information about the restore job.

The AWS Backup console allows you to restore Amazon EC2 recovery points with the following parameters and settings you can customize:

  • Instance type

  • Amazon VPC

  • Subnet

  • Security groups

  • IAM role

  • Shutdown behavior

  • Stop–hibernate behavior

  • Termination protection

  • T2/T3 unlimited

  • Placement group name

  • EBS-optimized instance

  • Tenancy

  • RAM disk ID

  • Kernel ID

  • User data

  • Deletion on termination

These parameters are prefilled to match the original backup. You can change them before restoring the instance. AWS Backup identifies parameters with values that might not be valid or that might result in an invalid restore.

Use the AWS Backup API, CLI, or SDK to restore Amazon EC2 recovery points

Use StartRestoreJob. This option allows you to restore all 38 parameters, including the 22 parameters that are not customizable on the console. The Amazon EC2 API Reference lists all 38 parameters. This is suitable if you require all 38 parameters and are comfortable restoring parameters without validation. The following is an example of the metadata you can pass to restore an Amazon EC2 recovery point.

"restoreMetadata": "{\"HibernationOptions\":\"{\\\"Configured\\\":false}\",\"InstanceInitiatedShutdo wnBehavior\":\"stop\",\"CpuOptions\":\"{\\\"CoreCount\\\":1,\\\"ThreadsPerCo re\\\":2}\",\"SubnetId\":\"subnet-b35676f9\",\"SecurityGroupIds\":\"[\\\"sg- 09e183a37f21ec0ba\\\"]\",\"EbsOptimized\":\"false\",\"KeyName\":\"ec2Canary KeyPair\",\"DisableApiTermination\":\"false\",\"VpcId\":\"vpc- 4852ff32\",\"Placement\":\"{\\\"AvailabilityZone\\\":\\\"us-east- 1a\\\",\\\"GroupName\\\":\\\"\\\",\\\"Tenancy\\\":\\\"default\\\"}\",\"Netwo rkInterfaces\":\"[{\\\"AssociatePublicIpAddress\\\":true,\\\"DeleteOnTerminatio n\\\":true,\\\"Description\\\":\\\"\\\",\\\"DeviceIndex\\\":0,\\\"Groups\\\":[\ \\"sg-09e183a37f21ec0ba\\\"],\\\"Ipv6AddressCount\\\":0,\\\"Ipv6Addresses\\\":[],\ \\"NetworkInterfaceId\\\":\\\"eni-024f43c22193155e3\\\",\\\"PrivateIpAddress\\\":\\\"\\\",\\\"Priv ateIpAddresses\\\":[{\\\"Primary\\\":true,\\\"PrivateIpAddress\\\":\\\"172.31.2 4.10\\\"}],\\\"SecondaryPrivateIpAddressCount\\\":0,\\\"SubnetId\\\":\\\"subn et-b35676f9\\\",\\\"InterfaceType\\\":\\\"interface\\\"}]\",\"InstanceType\":\"t3.n ano\",\"CapacityReservationSpecification\":\"{\\\"CapacityReservationPreference \\\":\\\"open\\\"}\",\"CreditSpecification\":\"{\\\"CpuCredits\\\":\\\"unlimited \\\"}\",\"Monitoring\":\"{\\\"State\\\":\\\"disabled\\\"}\"}"

You can also restore an Amazon EC2 instance without including any stored parameters. This option is available on the Protected resource tab on the AWS Backup console.


AWS Backup will use the SSH key pair used at time of backup to automatically perform your restore.

AWS Backup doesn't allow you to modify the instance profile. This is to prevent the possibility of privilege escalations. If you need to modify the instance profile, do so from Amazon EC2.

To successfully do a restore with the original instance profile, you must edit the restore policy. If you apply an instance profile during the restore, you have to update the operator role and add PassRole permissions of the underlying instance profile role to Amazon EC2. Otherwise, Amazon EC2 can't authorize the instance launch, and it will fail.

During a restore, all Amazon EC2 quotas and configuration restrictions apply.