Creating Amazon S3 backups - AWS Backup


AWS Backup for S3 is not yet available in South America (São Paulo) Region, Asia Pacific (Jakarta) Region, China (Beijing) Region, China (Ningxia) Region, AWS GovCloud (US-West), and AWS GovCloud (US-East) Regions.

AWS Backup supports centralized backup and restore of applications storing data in S3 alone or alongside other AWS services for database, storage, and compute. Many features are available for S3 backups, including Backup Audit Manager.

You can use a single backup policy in AWS Backup to centrally automate the creation of backups of your application data. AWS Backup automatically organizes backups across different AWS services and third-party applications in one centralized, encrypted location (known as a backup vault) so that you can manage backups of your entire application through a centralized experience. For S3, you can create continuous backups of your application data stored in S3 and restore those backups to a point in time with a single click.

With AWS Backup, you can create the following types of backups of your S3 buckets, including object data, tags, Access Control Lists (ACLs), and user-defined metadata:

  • Continuous backups, allowing you to restore to any point in time within the last 35 days. Continuous backups for an S3 bucket should only be configured in one backup plan.

    See Point-in-Time Recovery for a list of supported services and instructions on how to use AWS Backup to take continuous backups.

  • Periodic backups, which allow you to retain data for your specified duration, including indefinitely. You can schedule periodic backups in frequencies such as 1 hour, 12 hours, 1 day, 1 week, or 1 month. AWS Backup takes periodic backups during the backup window you define in your backup plan.

    See Creating a backup plan to understand how AWS Backup applies your backup plan to your resources.

Cross-account and cross-Region copies are available for S3 backups, but copies of continuous backups do not have point-in-time restore capabilities.

Continuous and periodic backups of S3 buckets must both reside in the same backup vault.

For both backup types, the first backup is a full backup, while subsequent backups are incremental at object-level. For example, if there is a 1 kB change in your 1 GB object, the subsequent backup will create a new 1 GB object in the backup vault.


You must enable S3 Versioning on your S3 bucket to use AWS Backup for Amazon S3. We have kept this prerequisite because in AWS we recommend S3 versioning as a best practice for data protection.

We recommend that you set a lifecycle expiration period for your S3 versions. Not setting up a lifecycle expiration period might increase your S3 costs because AWS Backup backs up and stores all unexpired versions of your S3 data. To learn more about setting up S3 lifecycle policies, follow the instructions on this page.

Supported S3 Storage Classes

AWS Backup allows you to back up your S3 data stored in the following S3 Storage Classes:

  • S3 Standard

  • S3 Standard - Infrequent Access (IA)

  • S3 One Zone-IA

  • S3 Glacier Instant Retrieval

  • S3 Intelligent-Tiering (S3 INT)

With the exception of Glacier Instant Retrieval, archived storage classes (including S3 INT - Glacier, Glacier Flexible Retrieval, and Glacier Deep Archive) are not supported.

Limitations of AWS Backup for Amazon S3

AWS Backup support for S3 has the following limitations:

  • To back up an S3 bucket, it must contain fewer than 3 billion objects.

  • Limited object metadata support: AWS Backup allows you to back up your S3 data along with the following metadata: tags, access control lists (ACLs), user-defined metadata, original creation date, and version ID. It allows you to restore all backed-up data and metadata except original creation date, version ID, storage class, and e-tag.

  • Cold storage transition: AWS Backup's lifecycle management policy allows you to define the timeline for backup expiration, but cold storage transition of S3 backups is not supported.

  • Backups of S3 buckets with many versions of the same object that were created at the same second are not supported.

  • For periodic backups, AWS Backup makes a best effort to track all changes to your object metadata. However, if you update a tag or ACL multiple times within 1 minute, AWS Backup might not capture all intermediate states.

  • AWS Backup does not back up SSE-C-encrypted objects. AWS Backup also does not back up bucket configurations, including bucket policy, settings, name, or access point.

  • If you create a backup of an S3 Intelligent-Tiering (INT) object, then the source object moves to a storage tier that is more expensive than its present storage tier.

  • We do not support backups of S3 on AWS Outposts.

One-time permissions setup

To start using AWS Backup support for S3, you must perform the following one-time setup. During this setup, you add new IAM policies to an AWS Backup-managed IAM role. Doing so enables this role to create S3 backups. Use the following procedure to perform this setup:

To set up your permissions:

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the left navigation menu, choose Roles.

  3. In the search bar, type AWSBackupDefaultServiceRole. Choose AWSBackupDefaultServiceRole.


    NOTE: If AWSBackupDefaultServiceRole does not exist, you might be using AWS Backup for the first time with a new account. You must create that role using the AWS Backup Console before you can proceed with the rest of the steps. To create the role, follow the procedure in Creating the AWS Backup default role. After you create the role, return to this step.

  4. In the Permissions tab, choose Create inline policy from the Add permissions dropdown menu.

  5. Choose the JSON tab.

  6. Copy-paste the following code into the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S3BucketBackupPermissions",
          "Action": [
            "s3:GetInventoryConfiguration",
            "s3:PutInventoryConfiguration",
            "s3:ListBucketVersions",
            "s3:ListBucket",
            "s3:GetBucketVersioning",
            "s3:GetBucketNotification",
            "s3:PutBucketNotification",
            "s3:GetBucketLocation",
            "s3:GetBucketTagging"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*"
          ]
        },
        {
          "Sid": "S3ObjectBackupPermissions",
          "Action": [
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:GetObjectVersionTagging",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectTagging",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*/*"
          ]
        },
        {
          "Sid": "S3GlobalPermissions",
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "KMSBackupPermissions",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "s3.*"
            }
          }
        },
        {
          "Sid": "EventsPermissions",
          "Action": [
            "events:DescribeRule",
            "events:EnableRule",
            "events:PutRule",
            "events:DeleteRule",
            "events:PutTargets",
            "events:RemoveTargets",
            "events:ListTargetsByRule",
            "events:DisableRule"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
        },
        {
          "Sid": "EventsMetricsGlobalPermissions",
          "Action": [
            "cloudwatch:GetMetricData",
            "events:ListRules"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  7. Choose Review Policy.

  8. For Name, type s3-backup-policy.

  9. Choose Create Policy.

  10. In the Permissions tab, choose Create inline policy from the Add permissions dropdown menu (a second time).

  11. Choose the JSON tab.

  12. Copy-paste the following JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S3BucketRestorePermissions",
          "Action": [
            "s3:CreateBucket",
            "s3:ListBucketVersions",
            "s3:ListBucket",
            "s3:GetBucketVersioning",
            "s3:GetBucketLocation",
            "s3:PutBucketVersioning"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*"
          ]
        },
        {
          "Sid": "S3ObjectRestorePermissions",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:PutObjectVersionAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectTagging",
            "s3:PutObjectTagging",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "s3:PutObject",
            "s3:ListMultipartUploadParts"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*/*"
          ]
        },
        {
          "Sid": "S3KMSPermissions",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "s3.*"
            }
          }
        }
      ]
    }

  13. Choose Review Policy.

  14. For Name, type s3-restore-policy.

  15. Choose Create Policy.

After you add these permissions, you can back up and restore S3 data.
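A review aid for the inline policies in this procedure, added here as an example and not AWS's own code: it lists the statements that allow every resource without a condition, and produces a copy restricted to named buckets. The bucket name example-backup-bucket and the function names are hypothetical, and restricting the role to specific buckets is an assumption this page does not describe.

```python
import copy
import json

# Constructed sample: the page's s3-backup-policy with the same Sids, Resource
# and Condition values, action lists shortened so the example runs offline.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "S3BucketBackupPermissions", "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
  "Resource": ["arn:aws:s3:::*"]},
 {"Sid": "S3ObjectBackupPermissions", "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:GetObjectVersion"],
  "Resource": ["arn:aws:s3:::*/*"]},
 {"Sid": "S3GlobalPermissions", "Effect": "Allow",
  "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
 {"Sid": "KMSBackupPermissions", "Effect": "Allow",
  "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
  "Condition": {"StringLike": {"kms:ViaService": "s3.*"}}}
]}
""")
ALL_BUCKETS, ALL_OBJECTS = "arn:aws:s3:::*", "arn:aws:s3:::*/*"

def _resources(stmt):
    """Resource may be a string or a list; always return a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)

def scope_to_buckets(policy, buckets):
    """Return a copy whose all-bucket S3 ARNs name only the given buckets."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        out = []
        for arn in _resources(stmt):
            if arn == ALL_BUCKETS:
                out += [f"arn:aws:s3:::{b}" for b in buckets]
            elif arn == ALL_OBJECTS:
                out += [f"arn:aws:s3:::{b}/*" for b in buckets]
            else:
                out.append(arn)  # "*" (e.g. s3:ListAllMyBuckets) is left as is
        stmt["Resource"] = out
    return scoped

def unconditioned_wildcards(policy):
    """Sids of Allow statements matching every resource with no Condition."""
    broad = {"*", ALL_BUCKETS, ALL_OBJECTS}
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and "Condition" not in s
            and broad & set(_resources(s))]

if __name__ == "__main__":
    scoped = scope_to_buckets(SAMPLE_POLICY, ["example-backup-bucket"])
    print(unconditioned_wildcards(SAMPLE_POLICY), unconditioned_wildcards(scoped))
    print(json.dumps(scoped, indent=2))
```

Run backup and restore jobs against the scoped role before relying on it. The restore policy's s3:CreateBucket statement is not a candidate for scoping if you restore to new buckets.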

Backing up S3 data

You use the same, familiar AWS Backup workflows to back up your S3 data along with your other database, storage, and compute resources. For instructions, see Getting started with AWS Backup.

Restoring S3 backups

You can restore your S3 data that you backed up using AWS Backup to the S3 Standard Storage class. You can restore your S3 data to an existing bucket, including the original bucket. During restore, you can also create a new S3 bucket as the restore target. You can restore S3 backups only to the same AWS Region where your backup is located.

You can restore the entire S3 bucket, or folders or objects within the bucket. AWS Backup restores the current version of that object.

To restore your S3 data using AWS Backup, see Restoring S3 data.