Backup and recovery using AWS Backup - AWS Prescriptive Guidance

Backup and recovery using AWS Backup

AWS Backup is a fully managed backup service that centralizes and automates the backup of data across AWS services. It provides an orchestration layer that integrates with Amazon CloudWatch, AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Organizations, and other services. This centralized, AWS Cloud native solution provides global backup capabilities that can help you meet your disaster recovery and compliance requirements. With AWS Backup, you can centrally configure backup policies and monitor backup activity for AWS resources.

AWS Backup is well suited to implementing standard backup plans for your AWS resources across your AWS accounts and Regions. Because AWS Backup supports multiple AWS resource types, it is easier to implement and maintain a backup strategy for workloads that use several AWS resources which must be backed up together. AWS Backup also lets you monitor a backup or restore operation that spans multiple AWS resources as a single unit.

If you have compliance and audit requirements, you can use the AWS Backup Audit Manager feature to create audit frameworks and reports that support them. The AWS Backup Vault Lock feature also supports compliance requirements by enforcing a write-once, read-many (WORM) configuration for all backups stored in a locked backup vault, so that recovery points cannot be deleted or have their retention shortened before they expire.

A key differentiator for AWS Backup is its support for Organizations. Using this support, you can define and manage backup policies at the organization or organizational unit level and have those policies applied automatically to each member AWS account and Region in scope. As you onboard new AWS accounts and Regions, you don’t have to define and manage backup plans for them separately.

AWS Backup can make it easier for you to implement an organization-wide backup policy by using tags. You can create separate backup plans that each have unique frequency and retention settings and then create unique key-value pair tags that select the resources to include for backup.

For example, you could create a daily backup plan that starts a backup at 05:00 UTC every day and has a 35-day retention policy. This backup plan can include a resource assignment that specifies that any supported AWS resource with the tag key backup and tag value daily is backed up according to this plan. Additionally, you could create a monthly backup plan that starts at 05:00 UTC on the first day of each month and has a 366-day retention policy. This backup plan can include a resource assignment that specifies that any supported AWS resource with the tag key backup and tag value monthly is backed up according to this plan.

You can then use tag policies to standardize the backup tag key and its allowed values, and the required-tags AWS Config rule to detect supported resources that are missing the tag or carry a value other than daily or monthly. Note that tag policies alone do not require a tag to be present, and the Config rule is a detective control that flags noncompliant resources rather than preventing their creation; together they help you consistently implement and maintain a standard backup approach for resources that AWS Backup supports. You can extend this approach to standardize backups for applications and architectural layers that have different recovery point objective (RPO) requirements.
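The following CloudFormation template is an added example that puts the two preceding paragraphs into infrastructure as code; it is not part of the original guidance. It defines the daily (35-day) and monthly (366-day) plans, one tag-based resource assignment per plan, and the required-tags Config rule that flags in-scope resources missing the backup tag. The vault name, plan and rule names, and the list of resource types scoped to the Config rule are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - tag-driven AWS Backup plans plus a required-tags detective control

Resources:
  # Service role that AWS Backup assumes to create and restore recovery points.
  BackupServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: backup.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

  # Vault that receives the recovery points (name is an assumption).
  StandardVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: standard-vault

  # Daily plan: 05:00 UTC every day, recovery points expire after 35 days.
  DailyPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: daily-35d
        BackupPlanRule:
          - RuleName: daily-0500-utc
            TargetBackupVault: !Ref StandardVault
            ScheduleExpression: cron(0 5 * * ? *)
            StartWindowMinutes: 60
            Lifecycle:
              DeleteAfterDays: 35

  # Any supported resource tagged backup=daily is assigned to the daily plan.
  DailySelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref DailyPlan
      BackupSelection:
        SelectionName: tag-backup-daily
        IamRoleArn: !GetAtt BackupServiceRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup
            ConditionValue: daily

  # Monthly plan: 05:00 UTC on the 1st, recovery points expire after 366 days.
  MonthlyPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: monthly-366d
        BackupPlanRule:
          - RuleName: monthly-0500-utc
            TargetBackupVault: !Ref StandardVault
            ScheduleExpression: cron(0 5 1 * ? *)
            StartWindowMinutes: 60
            Lifecycle:
              DeleteAfterDays: 366

  MonthlySelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref MonthlyPlan
      BackupSelection:
        SelectionName: tag-backup-monthly
        IamRoleArn: !GetAtt BackupServiceRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup
            ConditionValue: monthly

  # Detective control: marks in-scope resources NON_COMPLIANT when the backup
  # tag is absent or has a value other than daily or monthly.
  RequiredBackupTag:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: required-backup-tag
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
      InputParameters:
        tag1Key: backup
        tag1Value: "daily,monthly"
      Scope:
        ComplianceResourceTypes:   # assumed scope; extend to the types you back up
          - AWS::EC2::Volume
          - AWS::RDS::DBInstance
          - AWS::DynamoDB::Table
```

Tag matching in a backup selection is exact and case-sensitive, so a resource tagged Backup=Daily is not picked up by either plan; this is why the tag policy standardizing the key and value casing matters. The Config rule requires an AWS Config recorder to already be enabled in the account and Region.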

We recommend taking steps to secure your backup vaults. For example, you can implement an Organizations service control policy (SCP) that prevents your backup vaults from being deleted and prevents changes to their access policies that would share them with unintended AWS accounts. For more details and other important security considerations, review the Top 10 security best practices for securing backups in AWS blog post.
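The SCP below is an added example of the control described in the preceding paragraph, not content from the original page or the referenced blog post. It denies vault deletion, vault access-policy changes (the mechanism by which a vault is shared with another account), Vault Lock removal, and recovery point deletion or lifecycle shortening for every principal in the targeted organizational unit except a break-glass role. The role name BackupBreakGlass, the parameter, and the policy name are assumptions; the IAM actions are the real AWS Backup actions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - SCP protecting AWS Backup vaults from deletion and re-sharing

Parameters:
  TargetOuId:
    Type: String
    Description: ID of the organizational unit to attach the SCP to (supplied at deploy time)

Resources:
  ProtectBackupVaults:
    Type: AWS::Organizations::Policy
    Properties:
      Name: protect-backup-vaults
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref TargetOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyVaultDeletionAndSharing
            Effect: Deny
            Action:
              - backup:DeleteBackupVault                   # vault itself
              - backup:PutBackupVaultAccessPolicy          # grants other accounts copy/restore access
              - backup:DeleteBackupVaultAccessPolicy
              - backup:DeleteBackupVaultLockConfiguration  # removes Vault Lock (governance mode only)
              - backup:DeleteRecoveryPoint                 # individual backups
              - backup:UpdateRecoveryPointLifecycle        # shortening retention is a delete in disguise
            Resource: "*"
            Condition:
              # Assumed break-glass role name; everyone else, root included, is denied.
              ArnNotLike:
                "aws:PrincipalARN": "arn:aws:iam::*:role/BackupBreakGlass"
```

Two caveats apply when you deploy this: SCPs never restrict the organization's management account, so vaults should live in member accounts, and the policy must be deployed from the management account (or a delegated administrator) because only those can manage Organizations policies. Deploying a stack of this kind also requires that the account has trusted access enabled for CloudFormation with AWS Organizations.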

AWS Backup can simplify implementation of your disaster recovery (DR) plan for AWS because it supports multiple AWS resource types that can be addressed collectively. For example, you can implement cross-Region and cross-account backup for most of the AWS resource types that AWS Backup supports. Cross-account backup improves backup security because a copy is held in a separate account, so a principal compromised in the source account cannot delete it as long as the destination account is isolated. Cross-Region backup improves availability because the backups remain available if a Region is unavailable. For details about supported AWS resource types, see the Feature availability by resource table.

You can use the open-source Backup and Recovery with AWS Backup solution as a starting point for an infrastructure as code (IaC) and continuous integration and continuous delivery (CI/CD) approach to managing backups for your AWS Organizations organization. This solution includes custom features, such as automatically reapplying AWS tags to restored AWS resources and establishing a secondary backup vault in a separate account and Region for DR purposes.