Restoring S3 data - AWS Backup

Restoring S3 data

You can restore the S3 data that you backed up using AWS Backup to the S3 Standard storage class. You can restore all the objects in a bucket or specific objects. You can restore them to an existing or new bucket.

Amazon S3 restore permissions

Before you begin restoring resources, ensure the role you're using has sufficient permissions.

For more information, see the following entries on policies:

Amazon S3 restore considerations

  • AWS Backup creates a backup of all your S3 versions, but restores only the latest version from the version stack at any point in time.

  • Access Control Lists (ACLs) must be enabled on the destination bucket; otherwise the restore job fails. To enable ACLs, follow the instructions on the Configuring ACLs page.

  • Objects are skipped during a restore if the source bucket already has an object with the same key or version ID.

  • If you restore specific objects, you can restore only the current version of each object, not earlier versions.

  • When you restore to the original S3 bucket,

    • AWS Backup does not perform a destructive restore: it never puts an object into the bucket in place of an object that already exists, regardless of version.

    • If the current version of a key is a delete marker, the object is treated as nonexistent, so the backed-up object is restored.

    • AWS Backup does not delete any object from the bucket during a restore (it does not add delete markers); for example, keys that are in the bucket now but were not present when the backup was taken remain in place.

  • Restoring cross-Region copies

    • While S3 backups can be copied cross-Region, restore jobs only occur in the same Region in which the original backup or copy is located.

      Example: An S3 bucket created in US East (N. Virginia) Region can be copied to Canada (Central) Region. The restore job can be initiated using the original backup in US East (N. Virginia) Region and restored to that Region, or the restore job can be initiated using the copy in Canada (Central) Region and restored to that Region.

    • The original encryption key cannot be used to restore a recovery point (backup) that was copied from another Region. AWS KMS encryption does not carry across a cross-Region copy for Amazon S3 resources, so choose a different encryption type for the restore job (SSE-S3, or an SSE-KMS key that exists in the Region of the copy).
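The skip rules for a restore into the original bucket are easy to get wrong in a hurry, so the following added example (not from the AWS Backup documentation) predicts, from a bucket's current version listing, which backed-up keys the restore will write, which it will skip because a live object already exists, and which bucket-only keys it leaves alone. The listing uses the shape of the S3 ListObjectVersions response; the sample listing, the set of backed-up keys and the bucket names are constructed for the example, and the boto3 fetch helper is only needed against a real bucket.

```python
"""Added example, not from the AWS Backup documentation: predict which backed-up
keys a restore to the ORIGINAL bucket will write and which it will skip, from
the bucket's current version listing, by applying the rules listed above.

The listing uses the shape of the S3 ListObjectVersions response (``Versions``
and ``DeleteMarkers`` entries with ``Key``, ``VersionId`` and ``IsLatest``).
The sample listing and backed-up key set are constructed for this example.
"""
from __future__ import annotations

from typing import Iterable


def current_versions(listing: dict) -> dict[str, str]:
    """Map each key to what its current version is: 'object' or 'delete_marker'."""
    state: dict[str, str] = {}
    for version in listing.get("Versions", []):
        if version.get("IsLatest"):
            state[version["Key"]] = "object"
    for marker in listing.get("DeleteMarkers", []):
        if marker.get("IsLatest"):
            state[marker["Key"]] = "delete_marker"
    return state


def plan_restore(listing: dict, backed_up_keys: Iterable[str]) -> dict[str, list[str]]:
    """Classify keys for a non-destructive restore into the original bucket.

    restore   - key absent, or its current version is a delete marker
    skip      - key has a live current version (never overwritten, regardless
                of whether the backed-up version ID differs)
    untouched - key exists only in the bucket, not in the backup; left alone
    """
    state = current_versions(listing)
    backed_up = set(backed_up_keys)
    plan: dict[str, list[str]] = {"restore": [], "skip": [], "untouched": []}
    for key in sorted(backed_up):
        plan["skip" if state.get(key) == "object" else "restore"].append(key)
    plan["untouched"] = sorted(key for key in state if key not in backed_up)
    return plan


def fetch_listing(bucket: str, prefix: str = "") -> dict:
    """Merge all ListObjectVersions pages for a real bucket (needs boto3 and credentials)."""
    import boto3  # imported here so the planner itself runs offline

    merged: dict = {"Versions": [], "DeleteMarkers": []}
    paginator = boto3.client("s3").get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        merged["Versions"].extend(page.get("Versions", []))
        merged["DeleteMarkers"].extend(page.get("DeleteMarkers", []))
    return merged


# Constructed sample: one live key, one key whose current version is a delete
# marker, one key created after the backup, and one backed-up key now absent.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "reports/2024-q1.csv", "VersionId": "v3", "IsLatest": True},
        {"Key": "reports/2024-q1.csv", "VersionId": "v2", "IsLatest": False},
        {"Key": "logs/app.log", "VersionId": "v1", "IsLatest": False},
        {"Key": "scratch/new-since-backup.txt", "VersionId": "v1", "IsLatest": True},
    ],
    "DeleteMarkers": [
        {"Key": "logs/app.log", "VersionId": "dm1", "IsLatest": True},
    ],
}
SAMPLE_BACKUP_KEYS = ["reports/2024-q1.csv", "logs/app.log", "config/settings.json"]

if __name__ == "__main__":
    for outcome, keys in plan_restore(SAMPLE_LISTING, SAMPLE_BACKUP_KEYS).items():
        print(f"{outcome:9s} {keys}")
```

Run the planner against the real bucket with `plan_restore(fetch_listing("my-bucket"), keys_from_backup)` before starting the job; any key that lands in "skip" will still hold its current content after the restore, which is the behaviour you want from a non-destructive restore but also the reason a ransomware-overwritten object is not repaired by restoring over it in place.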

Use the AWS Backup console to restore Amazon S3 recovery points

To restore your Amazon S3 data using the AWS Backup console:
  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Protected resources, and select the Amazon S3 resource ID that you want to restore.

  3. On the Resource details page, you will see a list of recovery points for the selected resource ID. To restore a resource:

    1. In the Backups pane, choose the recovery point ID of the resource.

    2. In the upper-right corner of the pane, choose Restore.

      (Alternatively, you can go to the backup vault, find the recovery point, and then click Actions then click Restore.)

  4. If you are restoring a continuous backup, in the Restore time pane, choose one of the following:

    1. Accept the default to restore to the Latest restorable time.

    2. Specify date and time to restore.

  5. In the Settings pane, specify whether to Restore entire bucket or perform Item level restore.

    1. If you choose Item level restore, you can restore up to 5 items (objects or folders in the bucket) per restore job by specifying the S3 URI that uniquely identifies each item.

      (For more information about S3 bucket URIs, see Methods for accessing a bucket in the Amazon Simple Storage Service User Guide.)

    2. Choose Add item to specify another item to restore.

  6. Choose your Restore destination. You can either Restore to source bucket, Use existing bucket, or Create new bucket.

    Note

    Your restore destination bucket must have versioning turned on. AWS Backup notifies you if the bucket you select does not meet this requirement.

    1. If you choose Use existing bucket, select the destination S3 bucket from the dropdown menu which shows all existing buckets within your current AWS Region.

    2. If you choose Create new bucket, type in the new bucket name. The new bucket is created with S3 versioning enabled, but with the Block Public Access (BPA) settings turned off. Review the bucket's BPA settings in S3 after the restore and turn them back on unless the restored data is meant to be publicly reachable.

  7. For the encryption of objects in your S3 bucket, you can choose your Restored object encryption. Use original encryption keys (default), Amazon S3 key (SSE-S3), or AWS Key Management Service key (SSE-KMS).

    These settings only apply to encryption of the objects in the S3 bucket. This does not affect the encryption for the bucket itself.

    1. Use original encryption keys (default) restores objects with the same encryption keys used by the source object. If a source object was unencrypted, this method restores the object without encryption.

      This restore option allows you to optionally choose a substitute encryption key to encrypt the restore object(s) if the original key is unavailable.

    2. If you choose Amazon S3 key (SSE-S3), you do not need to specify any other options.

    3. If you choose AWS Key Management Service key (SSE-KMS), you can make the following choices: AWS managed key (aws/s3), Choose from your AWS KMS keys, or Enter AWS KMS key ARN.

      1. If you choose AWS managed key (aws/s3), you do not need to specify any other options.

      2. If you Choose from your AWS KMS keys, select an AWS KMS key from the dropdown menu. Alternatively, choose Create key.

      3. If you Enter AWS KMS key ARN, type in the ARN into the text box. Alternatively, choose Create key.

  8. In the Restore role pane, choose the IAM role that AWS Backup will assume for this restore.

  9. Choose Restore backup. The Restore jobs pane appears. A message at the top of the page provides information about the restore job.

Use the AWS Backup API, CLI, or SDK to restore Amazon S3 recovery points

Use StartRestoreJob. You can specify the following metadata during Amazon S3 restores:

// Mandatory metadata:
DestinationBucketName // The destination bucket for your restore.
ItemsToRestore // A list of up to five paths of individual objects to restore. Only required for item-level restore.
NewBucket // Boolean to indicate whether to create a new bucket.
Encrypted // Boolean to indicate whether to encrypt the restored data.
CreationToken // An idempotency token.
EncryptionType // The type of encryption to encrypt your restored objects. Options are original (same encryption as the original object), SSE-S3, or SSE-KMS.
RestoreTime // The restore time (only valid for continuous recovery points, where it is required, in format 2021-11-27T03:30:27Z).

// Optional metadata:
KMSKey // Specifies the SSE-KMS key to use. Only needed if encryption is SSE-KMS.
aws:backup:request-id
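The metadata list above, and the console procedure before it, describe the same request. The following added example (not from the AWS Backup documentation or the AWS SDK) assembles the Metadata map for StartRestoreJob, rejecting requests that violate the constraints stated on this page (more than five items, a KMS key without SSE-KMS, a malformed RestoreTime) before anything is sent, and then starts the job with boto3. It assumes that Metadata is a string-to-string map, so booleans are passed as "true"/"false" and ItemsToRestore as a JSON array serialized to a string; the ARNs, bucket names and keys are hypothetical placeholders.

```python
"""Added example, not from the AWS Backup documentation: build the Metadata map
for StartRestoreJob on an S3 recovery point, validate it against the limits on
this page, and start the job with boto3.

Assumptions: Metadata values are strings, so booleans become "true"/"false" and
ItemsToRestore is a JSON array serialized to a string. ARNs and names are
hypothetical.
"""
from __future__ import annotations

import json
import re
import uuid

MAX_ITEMS = 5                                   # item-level restore limit
ENCRYPTION_TYPES = {"original", "SSE-S3", "SSE-KMS"}
RESTORE_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # 2021-11-27T03:30:27Z


def build_s3_restore_metadata(
    destination_bucket: str,
    *,
    new_bucket: bool = False,
    encrypted: bool = True,
    encryption_type: str = "original",
    kms_key_arn: str | None = None,
    items: list[str] | None = None,        # None = restore the entire bucket
    restore_time: str | None = None,       # continuous recovery points only
    creation_token: str | None = None,
) -> dict[str, str]:
    """Return the Metadata map, or raise ValueError for a request AWS Backup would reject."""
    if encryption_type not in ENCRYPTION_TYPES:
        raise ValueError(f"EncryptionType must be one of {sorted(ENCRYPTION_TYPES)}")
    if encryption_type == "SSE-KMS" and not kms_key_arn:
        raise ValueError("KMSKey is required when EncryptionType is SSE-KMS")
    if kms_key_arn and encryption_type != "SSE-KMS":
        raise ValueError("KMSKey is only used with EncryptionType SSE-KMS")
    if not encrypted and encryption_type != "original":
        raise ValueError("Encrypted=false contradicts an explicit encryption type")  # example's own check
    if items is not None:
        if not 1 <= len(items) <= MAX_ITEMS:
            raise ValueError(f"item-level restore takes 1 to {MAX_ITEMS} items")
        bad = [uri for uri in items if not uri.startswith("s3://")]
        if bad:
            raise ValueError(f"items must be S3 URIs (s3://bucket/key): {bad}")
    if restore_time is not None and not RESTORE_TIME_RE.match(restore_time):
        raise ValueError("RestoreTime must look like 2021-11-27T03:30:27Z")

    metadata = {
        "DestinationBucketName": destination_bucket,
        "NewBucket": "true" if new_bucket else "false",
        "Encrypted": "true" if encrypted else "false",
        "EncryptionType": encryption_type,
        "CreationToken": creation_token or str(uuid.uuid4()),
    }
    if items is not None:
        metadata["ItemsToRestore"] = json.dumps(items)   # assumption: JSON array as a string
    if kms_key_arn:
        metadata["KMSKey"] = kms_key_arn
    if restore_time is not None:
        metadata["RestoreTime"] = restore_time
    return metadata


def start_s3_restore(recovery_point_arn: str, iam_role_arn: str,
                     metadata: dict[str, str], region: str | None = None) -> str:
    """Start the job and return its RestoreJobId (needs boto3 and credentials).

    Create the client in the Region that holds the recovery point: restores run
    only in the Region of the original backup or of the copy being restored.
    """
    import boto3  # imported here so the metadata builder stays usable offline

    client = boto3.client("backup", region_name=region)
    response = client.start_restore_job(
        RecoveryPointArn=recovery_point_arn,
        Metadata=metadata,
        IamRoleArn=iam_role_arn,
        IdempotencyToken=metadata["CreationToken"],
        ResourceType="S3",
    )
    return response["RestoreJobId"]


if __name__ == "__main__":
    # Hypothetical item-level restore of two items into a new bucket, re-encrypted
    # with a customer managed KMS key that exists in the restore Region.
    md = build_s3_restore_metadata(
        "example-restore-target",
        new_bucket=True,
        encryption_type="SSE-KMS",
        kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
        items=["s3://example-source/reports/2024-q1.csv", "s3://example-source/config/"],
    )
    print(json.dumps(md, indent=2))
    # start_s3_restore("arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE",
    #                  "arn:aws:iam::111122223333:role/AWSBackupDefaultServiceRole", md,
    #                  region="us-east-1")
```

Passing the same CreationToken as both the metadata value and the IdempotencyToken lets a retried call after a network timeout return the existing job rather than start a second restore into the same bucket.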

Recovery point status

Recovery points will have a status indicating their state.

PARTIAL status indicates AWS Backup could not create the recovery point before the backup window closed. To increase your backup plan window using the API, see UpdateBackupPlan. You can also increase your backup plan window using the Console by choosing and editing your backup plan.

EXPIRED status indicates that the recovery point has exceeded its retention period, but AWS Backup lacks permission or is otherwise unable to delete it. To manually delete these recovery points, see Step 3: Delete the recovery points in the Clean up resources section of Getting started.

STOPPED status occurs on a continuous backup where a user has taken some action that causes the continuous backup to be disabled. This can be caused by the removal of permissions, turning off versioning, turning off events being sent to Amazon EventBridge, or disabling the EventBridge rules that are put in place by AWS Backup.

To resolve STOPPED status, ensure that all requested permissions are in place and that versioning is enabled on the S3 bucket. Once these conditions are met, the next instance of a backup rule running will result in a new continuous recovery point being created. The recovery points with STOPPED status do not need to be deleted.