Restoring S3 data - AWS Backup

Restoring S3 data

You can restore the S3 data that you backed up using AWS Backup to the S3 Standard storage class. You can restore all the objects in a bucket or specific objects. You can restore them to an existing or new bucket.

If you restore specific objects, you can restore the current version of an object.

While S3 backups can be copied cross-Region, restore jobs only occur in the same Region in which the original backup or copy is located.

Example: An S3 bucket created in US East (N. Virginia) Region can by copied to Canada (Central) Region. The restore job can be initiated using the original bucket in US East (N. Virginia) Region and restored to that Region, or the restore job can be initiated using the copy in Canada (Central) Region and restored to that Region.

Use the AWS Backup console to restore Amazon S3 recovery points

To restore your Amazon S3 data using the AWS Backup console:

  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Protected resources, and select the Amazon S3 resource ID that you want to restore.

  3. On the Resource details page, you will see a list of recovery points for the selected resource ID. To restore a resource:

    1. In the Backups pane, choose the recovery point ID of the resource.

    2. In the upper-right corner of the pane, choose Restore.

      (Alternatively, you can go to the backup vault, find the recovery point, and then click Actions then click Restore.)

  4. If you are restoring a continuous backup, in the Restore time pane, select either option:

    1. Accept the default to restore to the Latest restorable time.

    2. Specify date and time to restore.

  5. In the Settings pane, specify whether to Restore entire bucket or perform Item level restore.

    1. If you choose Item level restore, you restore up to 5 items (S3 objects) per restore job by specifying each item's S3 URI that uniquely identifies that object.

      (For more information about S3 bucket URIs, see Methods for accessing a bucket in the Amazon Simple Storage Service User Guide.)

    2. Choose Add item to specify another item to restore.

  6. Choose your Restore destination. You can either Restore to source bucket, Use existing bucket, or Create new bucket.

    Note

    Your restore destination bucket must have versioning turned on. AWS Backup notifies you if the bucket you select does not meet this requirement.

    1. If you choose Use existing bucket, select the destination S3 bucket from the dropdown menu which shows all existing buckets within your current AWS Region.

    2. If you choose Create new bucket, type in the new bucket name. The new bucket defaults to S3 versioning enabled. The Block Public Access (BPA) settings will be toggled off by default. You can modify these settings after you create the bucket in S3.

  7. You have additional options to choose your Restored object encryption. Use original encryption keys (default), Amazon S3 key (SSE-S3), or AWS Key Management Service key (SSE-KMS).

    1. If you choose Use original encryption keys (default) but the original object was unencrypted, the restored object will also be unencrypted.

    2. If you choose Amazon S3 key (SSE-S3), you do not need to specify any other options.

    3. If you choose AWS Key Management Service key (SSE-KMS), you can make the following choices: AWS managed key (aws/s3), Choose from your AWS KMS keys, or Enter AWS KMS key ARN.

      1. If you choose AWS managed key (aws/s3), you do not need to specify any other options.

      2. If you Choose from your AWS KMS keys, select a AWS KMS key from the dropdown menu. Alternatively, choose Create key.

      3. If you Enter AWS KMS key ARN, type in the ARN into the text box. Alternatively, choose Create key.

  8. In the Restore role pane, choose the IAM role that AWS Backup will assume for this restore.

  9. Choose Restore backup. The Restore jobs pane appears. A message at the top of the page provides information about the restore job.

Limitations:

AWS Backup creates a backup of all your S3 versions, but restores only the latest version from the version stack at any point in time.

Considerations:

Access Control Lists (ACLs) must be enabled in the destination bucket, or the job will fail otherwise. S3 buckets created through the AWS Backup console have ACLs disabled by default (note that restoring with the Create new bucket option will create a bucket with ACLs enabled). To enable ACLs, follow the instructions in Configuring ACLs page.

Restores of objects are skipped if the source bucket has an object with the same name or version ID.

Use the AWS Backup API, CLI, or SDK to restore Amazon S3 recovery points

Use StartRestoreJob. You can specify the following metadata during Amazon S3 restores:

// Mandatory metadata: DestinationBucketName // The destination bucket for your restore. ItemsToRestore // A list of up to five paths of individual objects to restore. Only required for object-level restore. NewBucket // Boolean to indicate whether to create a new bucket. Encrypted // Boolean to indicate whether to encrypt the restored data. CreationToken // An idempotency token. EncryptionType // The type of encryption to encrypt your restored objects. Options are original (same encryption as the original object), SSE-S3, or SSE-KMS). RestoreTime // The restore time (only valid for continuous recovery points where it is required, in format 2021-11-27T03:30:27Z). // Optional metadata: KMSKey // Specifies the SSE-KMS key to use. Only needed if encryption is SSE-KMS.

Recovery point status

Recovery points will have a status indicating their state.

PARTIAL status indicates AWS Backup could not create the recovery point before the backup window closed. To increase your backup plan window using the API, see UpdateBackupPlan. You can also increase your backup plan window using the Console by choosing and editing your backup plan.

EXPIRED status indicates that the recovery point has exceeded its retention period, but AWS Backup lacks permission or is otherwise unable to delete it. To manually delete these recovery points, see Step 3: Delete the recovery points in the Clean up resources section of Getting started.

STOPPED status occurs on a continuous backup where a user has taken some action that causes the continuous backup to be disabled. This can be caused by the removal of permissions, turning off versioning, turning off events being sent to Amazon EventBridge, or disabling the EventBridge rules that are put in place by AWS Backup.

To resolve STOPPED status, ensure that all requested permissions are in place and that versioning is enabled on the S3 bucket. Once these conditions are met, the next instance of a backup rule running will result in a new continuous recovery point being created. The recovery points with STOPPED status do not need to be deleted.