Theme 6: Automate backups
Essential Eight strategies covered
Regular backups
"Failures are a given and everything will eventually fail over time: from routers to hard disks, from operating systems to memory units corrupting TCP packets, from transient errors to permanent failures. This is a given, whether you are using the highest-quality hardware or lowest cost components." —Werner Vogels, CTO, Amazon, All Things Distributed
Data backup and recovery is a critical part of the reliability of a system. AWS is designed to make it easier to create backups, maintain durability of backed-up data, and make sure that backed-up data remains recoverable.
AWS Backup is a fully managed service that centralises and automates the backup of data across AWS services. It supports multiple AWS resource types and helps you implement and maintain a backup strategy for workloads whose resources must be backed up together. It also lets you monitor the backup and restore operations for those resources from one place rather than per service.
AWS Backup Vault Lock is an optional feature of a backup vault that adds a further layer of protection against deletion of backups. A lock in Compliance mode, once its cooling-off period (the grace time) has expired, cannot be altered or deleted by any user, by the account or data owner, or by AWS; it enforces the configured minimum and maximum retention on every recovery point in the vault and blocks deletion of a recovery point before its retention period ends. Each vault can have one vault lock. This provides write-once, read-many (WORM) behaviour and enforcement of retention periods. Because a Compliance mode lock is irreversible after the cooling-off period, validate the retention settings in Governance mode first, and confirm that every backup plan targeting the vault keeps recovery points within the lock's minimum and maximum retention, since backup jobs whose retention falls outside those bounds fail.
If you follow the current configuration guidance, AWS Backup can provide 99.999999999% annual durability, also known as 11 nines. It uses the AWS global infrastructure to replicate your backups across multiple Availability Zones. For more information, see Resilience in AWS Backup.
AWS Backup helps you automate the recovery and testing of backed-up data to verify backup integrity and processes.
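To make the vault lock and retention discussion above concrete, the following is an added example written for this page (not AWS code): it assembles a backup plan and a Compliance-mode vault lock in the request shapes used by the AWS Backup API, then evaluates them with the same logic as the BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK Config rule listed under Monitoring, and also catches a plan whose retention the vault lock would reject. The vault and plan names, schedules, thresholds and the simplified cron-period estimator are assumptions; the dictionaries are in the form boto3's create_backup_plan and put_backup_vault_lock_configuration accept, but the example deliberately does not call AWS so it runs offline.

```python
"""Added example for this page (not AWS code): build a backup plan and a
Compliance-mode vault lock in the request shapes used by the AWS Backup API,
then evaluate them the way BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
does. Names, schedules and thresholds below are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

VAULT_NAME = "e8-prod-vault"  # assumed vault name

# Shape of the BackupPlan argument to create_backup_plan (names/values assumed).
BACKUP_PLAN = {
    "BackupPlanName": "e8-daily-90d",
    "Rules": [
        {
            "RuleName": "daily",
            "TargetBackupVaultName": VAULT_NAME,
            "ScheduleExpression": "cron(0 3 ? * * *)",  # 03:00 UTC every day
            "Lifecycle": {"DeleteAfterDays": 90},
        }
    ],
}

# A weak plan for contrast: weekly, kept only 7 days, which the lock rejects.
WEAK_PLAN = {
    "BackupPlanName": "weekly-7d",
    "Rules": [{"RuleName": "weekly", "TargetBackupVaultName": VAULT_NAME,
               "ScheduleExpression": "cron(0 3 ? * SUN *)",
               "Lifecycle": {"DeleteAfterDays": 7}}],
}

# Arguments to put_backup_vault_lock_configuration. Setting ChangeableForDays
# (minimum 3) selects Compliance mode; once that cooling-off period ends the
# lock cannot be removed by anyone. Omit it for Governance mode.
VAULT_LOCK = {
    "BackupVaultName": VAULT_NAME,
    "MinRetentionDays": 30,
    "MaxRetentionDays": 400,
    "ChangeableForDays": 3,
}


def lock_mode(lock: dict) -> str:
    """Report the mode a lock request would create and reject an invalid
    cooling-off period before the request is ever sent."""
    days = lock.get("ChangeableForDays")
    if days is None:
        return "GOVERNANCE"
    if days < 3:
        raise ValueError("ChangeableForDays must be at least 3 for Compliance mode")
    return "COMPLIANCE"


def cron_period_hours(expr: str) -> Optional[int]:
    """Conservative period estimate for an AWS Backup cron(...) schedule.
    Only common shapes are understood (hourly */n, daily, every n days,
    fixed weekdays); anything else returns None and is treated as unknown."""
    m = re.fullmatch(r"cron\((.+)\)", expr.strip())
    if not m:
        return None
    fields = m.group(1).split()
    if len(fields) != 6:
        return None
    _minute, hour, dom, _month, dow, _year = fields
    if hour == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", hour)
    if step:
        return int(step.group(1))
    if dom in ("*", "?") and dow in ("*", "?"):
        return 24
    step = re.fullmatch(r"\*/(\d+)", dom)
    if step and dow in ("*", "?"):
        return 24 * int(step.group(1))
    if dow not in ("*", "?"):
        return 24 * 7  # one or more fixed weekdays: at worst weekly
    return None


@dataclass
class Finding:
    compliant: bool
    reason: str


def check_plan(plan: dict, lock: dict, required_frequency_hours: int = 24,
               required_retention_days: int = 35) -> Finding:
    """Mirror the Config rule: some rule must run at least every
    required_frequency_hours and keep recovery points at least
    required_retention_days. Additionally reject any rule whose retention
    falls outside the vault lock bounds, since AWS Backup fails such jobs."""
    min_days = lock.get("MinRetentionDays", 1)
    max_days = lock.get("MaxRetentionDays")
    rules = plan.get("Rules", [])
    for rule in rules:
        if rule.get("TargetBackupVaultName") != lock["BackupVaultName"]:
            continue
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if keep is None:
            continue  # no expiry configured; not range-checked here
        if keep < min_days or (max_days is not None and keep > max_days):
            return Finding(False, f"{rule['RuleName']}: retention {keep}d "
                                  f"outside vault lock bounds")
    for rule in rules:
        period = cron_period_hours(rule.get("ScheduleExpression", ""))
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if period is None:
            continue
        retention_ok = keep is None or keep >= required_retention_days
        if period <= required_frequency_hours and retention_ok:
            return Finding(True, f"{rule['RuleName']}: frequency and retention OK")
    return Finding(False, "no rule meets the required frequency and retention")


if __name__ == "__main__":
    print(lock_mode(VAULT_LOCK), check_plan(BACKUP_PLAN, VAULT_LOCK))
    print(check_plan(WEAK_PLAN, VAULT_LOCK))
```

Run the checks against a plan before you submit it and before you convert a Governance-mode lock to Compliance mode: the lock bounds check is the one that saves you from a silently failing backup job, and the cooling-off period is the last point at which a wrong MinRetentionDays can still be corrected.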
Related best practices in the AWS Well-Architected Framework
Implementing this theme
Automate data backup and recovery
- Automate data backup at scale (AWS blog post)
- Automate data recovery validation with AWS Backup (AWS blog post)
Implement governance across your AWS Backup outcomes
Monitoring this theme
Implement the following AWS Config rules
- RDS_IN_BACKUP_PLAN
- RDS_LAST_BACKUP_RECOVERY_POINT_CREATED
- RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- REDSHIFT_BACKUP_ENABLED
- AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED
- AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
- BACKUP_RECOVERY_POINT_ENCRYPTED
- BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
- BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
- DB_INSTANCE_BACKUP_ENABLED
- DYNAMODB_IN_BACKUP_PLAN
- DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED
- DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- EBS_IN_BACKUP_PLAN
- EBS_LAST_BACKUP_RECOVERY_POINT_CREATED
- EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- EC2_LAST_BACKUP_RECOVERY_POINT_CREATED
- S3_LAST_BACKUP_RECOVERY_POINT_CREATED
- S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED
- STORAGEGATEWAY_RESOURCES_PROTECTED_BY_BACKUP_PLAN
- VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED
- VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN