What is AWS Backup? - AWS Backup

What is AWS Backup?

AWS Backup is a fully-managed data protection service that makes it easy to centralize and automate across AWS services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your AWS resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes. With a few clicks in the AWS Backup console, you can automate your data protection policies and schedules.

AWS Backup does not govern backups you take in your AWS environment outside of AWS Backup. Therefore, if you want a centralized, end-to-end solution for business and regulatory compliance requirements, start using AWS Backup today.

Supported AWS resources and third-party applications

The following are AWS resources and third-party applications that you can back up and restore using AWS Backup.

Supported service Supported resource type
Amazon FSx FSx for Windows File Server and FSx for Lustre
Amazon Elastic File System (Amazon EFS) Amazon EFS file systems
Amazon DynamoDB DynamoDB tables
Amazon Elastic Compute Cloud (Amazon EC2) Amazon EC2 instances (excluding store-backed instances)
Windows Volume Shadow Copy Service (VSS) Windows VSS-supported applications (including Windows Server and Microsoft SQL Server) on Amazon EC2
Amazon Elastic Block Store (Amazon EBS) Amazon EBS volumes
Amazon Relational Database Service (Amazon RDS) Amazon RDS databases (including all database engines)
Amazon Aurora Aurora clusters
AWS Storage Gateway (Volume Gateway) Storage Gateway volumes

Supported features and Regions

AWS Backup offers the following features ONLY with these supported AWS services.

AWS Backup does NOT offer the following feature-service combinations.

  • DynamoDB and Aurora do not support incremental backup. Every backup taken is a full backup.

  • DynamoDB does not support cross-Region backup. DynamoDB also does not support cross-account backup.

  • Amazon RDS and Aurora do not support cross-Region AND cross-account backup as a single copy action. You can choose one or the other. You can also use a AWS Lambda script to listen for when your first copy completes, perform your second copy, then delete the first copy.

AWS Backup is available in all the following AWS Regions. This chart also shows which features are not available in a particular Region.

AWS Backup supports Cross-Region backup Cross-account management Cross-account backup AWS Backup Audit Manager Storage Gateway and Amazon FSx
South America (São Paulo) Region
Asia Pacific (Sydney) Region
Asia Pacific (Tokyo) Region
Europe (Ireland) Region
US East (Ohio) Region
Europe (London) Region
US West (Oregon) Region
US West (N. California) Region
Asia Pacific (Mumbai) Region
Europe (Paris) Region
Europe (Stockholm) Region
Asia Pacific (Singapore) Region
Canada (Central) Region
Asia Pacific (Seoul) Region
US East (N. Virginia) Region
Europe (Frankfurt) Region
China (Beijing) Region
China (Ningxia) Region
Middle East (Bahrain) Region
Asia Pacific (Hong Kong) Region
Africa (Cape Town) Region
Europe (Milan) Region
Asia Pacific (Osaka) Region
AWS GovCloud (US-West)
AWS GovCloud (US-East)

AWS Backup overview

AWS Backup provides the following features and capabilities.

Centralized backup management

AWS Backup provides a centralized backup console, a set of backup APIs, and the AWS Command Line Interface (AWS CLI) to manage backups across the AWS services that your applications use. With AWS Backup, you can centrally manage backup policies that meet your backup requirements. You can then apply them to your AWS resources across AWS services, enabling you to back up your application data in a consistent and compliant manner. The AWS Backup centralized backup console offers a consolidated view of your backups and backup activity logs, making it easier to audit your backups and ensure compliance.

Policy-based backup

With AWS Backup, you can create backup policies known as backup plans. Use these backup plans to define your backup requirements and then apply them to the AWS resources that you want to protect across the AWS services that you use. You can create separate backup plans that each meet specific business and regulatory compliance requirements. This helps ensure that each AWS resource is backed up according to your requirements. Backup plans make it easy to enforce your backup strategy across your organization and across your applications in a scalable manner.

Tag-based backup policies

You can use AWS Backup to apply backup plans to your AWS resources by tagging them. Tagging makes it easier to implement your backup strategy across all your applications and to ensure that all your AWS resources are backed up and protected. AWS tags are a great way to organize and classify your AWS resources. Integration with AWS tags enables you to quickly apply a backup plan to a group of AWS resources, so that they are backed up in a consistent and compliant manner.

Lifecycle management policies

AWS Backup enables you to meet compliance requirements while minimizing backup storage costs by storing backups in a low-cost cold storage tier. You can configure lifecycle policies that automatically transition backups from warm storage to cold storage according to a schedule that you define.

Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon EBS, Amazon RDS, Amazon Aurora, Amazon DynamoDB, and Storage Gateway.

Incremental backups

AWS Backup efficiently stores your periodic backups incrementally. The first backup of an AWS resource backs up a full copy of your data. For each successive incremental backup, only the changes to your AWS resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs.

Currently DynamoDB and Aurora do not support incremental backup. Each periodic DynamoDB or Aurora backup is a full copy of your data.

Cross-Region backup

Using AWS Backup, you can copy backups to multiple different AWS Regions on demand or automatically as part of a scheduled backup plan. Cross-Region backup is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. For more information, see Creating backup copies across AWS Regions.

Cross-account management and cross-account backup

You can use AWS Backup to manage your backups across all AWS accounts inside your AWS Organizations structure. With cross-account management, you can automatically use backup policies to apply backup plans across the AWS accounts within your organization. This makes compliance and data protection efficient at scale and reduces operational overhead. It also helps eliminate manually duplicating backup plans across individual accounts. For more information, see Managing AWS Backup resources across multiple AWS accounts.

You can also copy backups to multiple different AWS accounts inside your AWS Organizations management structure. This way, you can "fan in" backups to a single repository account, then "fan out" backups for greater resilience. Creating backup copies across AWS accounts.

Before you can use the cross-account management and cross-account backup features, you must have an existing organization structure configured in AWS Organizations. An organizational unit (OU) is a group of accounts that can be managed as a single entity. AWS Organizations is a list of accounts that can be grouped into organizational units and managed as a single entity.

Backup activity monitoring

AWS Backup provides a dashboard that makes it simple to audit backup and restore activity across AWS services. With just a few clicks on the AWS Backup console, you can view the status of recent backup jobs. You can also restore jobs across AWS services to ensure that your AWS resources are properly protected.

AWS Backup integrates with Amazon CloudWatch and Amazon EventBridge. CloudWatch allows you to track metrics and create alarms. EventBridge allows you to view and monitor AWS Backup events. For more information, see Monitoring AWS Backup events using EventBridge and Monitoring AWS Backup metrics with CloudWatch.

AWS Backup integrates with AWS CloudTrail. CloudTrail gives you a consolidated view of backup activity logs that make it quick and easy to audit how your resources are backed up. AWS Backup also integrates with Amazon Simple Notification Service (Amazon SNS), providing you with backup activity notifications, such as when a backup succeeds or a restore has been initiated. For more information, see Logging AWS Backup API calls with CloudTrail and Using Amazon SNS to track AWS Backup events.

Auditing and reporting with AWS Backup Audit Manager

AWS Backup Audit Manager helps you simplify data governance and compliance management of your backups across AWS. AWS Backup Audit Manager provides built-in, customizable controls that you can align with your organizational requirements. You can also use these controls to automatically track your backup activities and resources.

AWS Backup Audit Manager can help you locate specific activities and resources that are not yet compliant with the controls that you defined. It also generates daily reports that you can use to demonstrate evidence of compliance with your controls over time.

To include your backup compliance alongside your overall compliance posture, you can automatically import AWS Backup Audit Manager findings into AWS Audit Manager.

Secure your data in backup vaults

The content of each AWS Backup backup is immutable, meaning that no one can alter that content. AWS Backup further secures your backups in backup vaults, which separates them safely from their source instances. For example, your vault will retain your Amazon EC2 and Amazon EBS backups according to the lifecycle policy you choose, even if you delete the source Amazon EC2 instance and Amazon EBS volumes.

Backup vaults offer encryption and resource-based access policies that let you define who has access to your backups. You can define access policies for a backup vault that define who has access to the backups within that vault and what actions they can take. This provides a simple and secure way to control access to your backups across AWS services. To review AWS and customer managed policies for AWS Backup, see Managed policies for AWS Backup.

You can use AWS Backup Vault Lock to prevent anyone (including you) from deleting backups or altering their retention period. AWS Backup Vault Lock helps you enforce a write-once-read-many (WORM) model and add another layer of defense to your defense in depth. To get started, see AWS Backup Vault Lock.

Support for compliance obligations

AWS Backup helps you meet your global compliance obligations. AWS Backup is in scope of the following AWS compliance programs:

Getting started

To learn more about AWS Backup, we recommend that you start with Getting started with AWS Backup.