How AWS Backup Works with Other AWS Services - AWS Backup

How AWS Backup Works with Other AWS Services

Many AWS services offer backup features that help you protect your data. These features include Amazon Elastic Block Store (Amazon EBS) snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, Amazon DynamoDB backups, AWS Storage Gateway snapshots, and others. AWS Backup implements its backup features using the existing capabilities of these AWS services.

Configuring Services to Work with AWS Backup

When new AWS services become available, you must enable AWS Backup to use those services. If you try to create an on-demand backup or backup plan using resources from a service that is not enabled, you receive an error message and cannot complete the process.


Service opt-in settings are Region-specific. If you change the AWS Region that you're using, you must reconfigure the services that you use with AWS Backup.

To configure the services used with AWS Backup

  1. Open the AWS Backup console at

  2. In the navigation pane, choose Settings.

  3. On the Service opt-in page, choose Configure resources. Use the toggle switches to enable or disable the services used with AWS Backup.

  4. Choose Confirm when your services are configured.

AWS Backup uses existing backup capabilities of AWS services to implement its centralized features. For example, when you create a backup plan, AWS Backup uses the EBS snapshot capabilities when creating backups on your behalf according to your backup plan.

All per-service backup capabilities continue to be available. For example, you can make snapshots of your EBS volumes using the Amazon Elastic Compute Cloud (Amazon EC2) API. AWS Backup provides a common way to manage backups across AWS services both in the AWS Cloud and on premises. AWS Backup provides a centralized backup console that offers backup scheduling, retention management, and backup monitoring.


Backups created with AWS Backup cannot be deleted using APIs that belong to the backed-up resource. For information about deleting recovery points using the AWS Backup API, see DeleteRecoveryPoint.

Working with Amazon FSx File Systems

AWS Backup supports backing up and restoring Amazon FSx file systems. Amazon FSx provides fully managed third-party file systems with the native compatibility and feature sets for workloads, such as Microsoft Windows–based storage, high performance computing, machine learning, and electronic design automation.

Amazon FSx supports two file system types: Lustre and Windows File Server. You can back up any Amazon FSx for Windows File Server file system and any Amazon FSx for Lustre file system that has persistent storage and is not linked to a data repository such as Amazon S3. AWS Backup uses the built-in backup functionality of Amazon FSx. So backups taken from the AWS Backup console have the same level of file system consistency and performance, and the same restore options as backups that are taken through the Amazon FSx console.

If you use AWS Backup to manage these backups, you gain additional functionality, such as unlimited retention options, and the ability to create scheduled backups as frequently as every hour. In addition, AWS Backup retains your backups even after the source file system is deleted. This protects against accidental or malicious deletion.

Use AWS Backup to protect Amazon FSx file systems if you want to configure backup policies and monitor backup tasks from a central backup console that also extends support for other AWS services.

For detailed information about Amazon FSx file systems, see the Amazon FSx documentation.

Working with Amazon EC2

Using AWS Backup, you can schedule or perform on-demand backup jobs that include entire EC2 instances and Windows applications running on Amazon EC2, along with associated configuration data. This limits the need for you to interact with the storage (Amazon EBS) volume. Similarly, you can restore an entire Amazon EC2 instance from a single recovery point. A backup job can only have one resource. So you can have a job to back up an EC2 instance, and it will back up the root volume, all data volumes, and the associated instance configurations.

AWS Backup does not reboot EC2 instances at any time.

Backing Up Amazon EC2 Resources

When backing up an Amazon EC2 instance, AWS Backup takes a snapshot of the root Amazon EBS storage volume, the launch configurations, and all associated EBS volumes. AWS Backup stores certain configuration parameters of the EC2 instance, including instance type, security groups, Amazon VPC, monitoring configuration, and tags. The backup data is stored as an Amazon EBS volume-backed Amazon Machine Image (AMI).

You can also back up and restore your VSS-enabled Microsoft Windows applications. You can schedule application-consistent backups, define lifecycle policies, and perform consistent restores as part of an on-demand backup or a scheduled backup plan. For more information, see Creating a VSS-Enabled Windows Backup.

AWS Backup does not back up the following:

  • Configuration of the Elastic Inference accelerator, if it is attached to the instance.

  • User data used when the instance was launched.


For all instance types, only Amazon EBS backed EC2 instances are supported. Ephemeral storage instances (that is, instance store-backed instances) are not supported.

AWS Backup can encrypt EBS snapshots associated with an Amazon EC2 backup. This is similar to how it encrypts EBS snapshots. AWS Backup uses the same encryption applied on the underlying EBS volumes when creating a snapshot of the Amazon EC2 AMI, and the configuration parameters of the original instance are persisted in the restore metadata.

A snapshot derives its encryption from the volume as you have defined, and the same encryption is applied to the corresponding snapshots. EBS snapshots of a copied AMI will always be encrypted. If you use a KMS key during the copy, the key will be applied. If you don't use a KMS key, a default KMS key is applied.

Restoring Amazon EC2 Resources

You can restore Amazon EC2 resources using the AWS Backup console, AWS Command Line Interface (AWS CLI), or API.

The console provides an interactive user interface for restoring resources, but its functionality is limited. Currently, you can't use the AWS Backup console to configure the following restore parameters.

NetworkInterfaces = [{ "AssociatePublicIpAddress": true, "DeleteOnTermination": false, "Description": "test network interface", "DeviceIndex": 1, "Groups": ["your nic_groups_id"], "Ipv6AddressCount": 1, "Ipv6Addresses": [{ "Ipv6Address1": "ipv6_address2" }], "NetworkInterfaceId": "your nic_interface_id", "PrivateIpAddress": "your private_ip_address", "PrivateIpAddresses": [{ "Primary": true, "PrivateIpAddress": "private_ip_address_1" }, { "Primary": false, "PrivateIpAddress": "private_ip_address_2" }], "SecondaryPrivateIpAddressCount": 1, "SubnetId": "nic_subnet_id", "InterfaceType": "interface" }],

ElasticGpuSpecification = [{ "Type": "test_elastic_gpu_type" }],

CapacityReservationSpecification = { "CapacityReservationPreference": "none" },

InstanceMarketOptions = { "MarketType": "spot", "SpotOptions": { "MaxPrice": "test_spot_price_value", "SpotInstanceType": "persistent", "BlockDurationMinutes": 20, "ValidUntil": "2019-12-16T12:34:56.000Z", "InstanceInterruptionBehavior": "hibernate" } },

LicenseSpecifications = [{ "LicenseConfigurationArn": "your_license_configuration_arn" }],

However, you can use the AWS CLI and the API to perform a full restore. For more information about restore parameters, see run-instances.

All the restore configurations for an EC2 instance should be provided as restore metadata, which is a map of key-value pairs. The key is the name of the configuration, and value as is a JSON serialized string.


When restoring a backup, AWS Backup doesn’t allow mutation of the SSH key pair, so you can only restore using a backed-up key pair.

AWS Backup doesn't allow you to modify the instance profile to prevent the possibility of privilege escalations. You can choose not to apply this from AWS Backup, but if you want to change it, you can apply it from EC2.

To successfully do a restore with the original instance profile, you must edit the restore policy. If you apply an instance profile during the restore, you have to update the operator role and add PassRole permissions of the underlying instance profile role to Amazon EC2. Otherwise, Amazon EC2 can't authorize the instance launch, and it will fail.


When you are restoring from AWS Backup, all quotas and restrictions of the configuration that can be used to launch an instance from an EC2 run instance API apply.

For detailed information about Amazon EC2, see What is Amazon EC2? in the Amazon EC2 User Guide for Windows Instances.

Working with Amazon EFS

AWS Backup currently supports Amazon Elastic File System (Amazon EFS).

For detailed information about Amazon EFS file systems, see What is Amazon Elastic File System? in the Amazon Elastic File System User Guide.

Working with Amazon DynamoDB

AWS Backup currently supports Amazon DynamoDB (DynamoDB).

For detailed information about DynamoDB, see What is Amazon DynamoDB? in the Amazon DynamoDB Developer Guide.

Working with Amazon EBS

AWS Backup currently supports Amazon Elastic Block Store (Amazon EBS) volumes.

For detailed information about Amazon EBS volumes, see What is Amazon Elastic Block Store (Amazon EBS)? in the Amazon EC2 User Guide for Linux Instances.

For more information, see Creating an Amazon EBS Volume in the Amazon EC2 User Guide for Linux Instances.

Working with Amazon RDS and Amazon Aurora

AWS Backup currently supports Amazon RDS database engines and Aurora clusters.

For more information about Amazon RDS, see What is Amazon Relational Database Service? in the Amazon RDS User Guide.

For detailed information about Aurora, see What is Amazon Aurora? in the Amazon Aurora User Guide.


If you initiate a backup job from the Amazon RDS console, this can conflict with an Aurora clusters backup job, causing the error Backup job expired before completion. If this occurs, configure a longer backup window in AWS Backup.

Working with AWS Storage Gateway

Amazon EBS snapshots can be restored as AWS Storage Gateway volumes.

For detailed information about AWS Storage Gateway, see What is AWS Storage Gateway? in the AWS Storage Gateway User Guide.

How AWS Services Back Up Their Own Resources

For information about how to use specific AWS services to back up their resources, see the following: