AWS Backup
Service 15

Tags: Storage, Managed, Compliance

AWS Backup creates and manages backups across many AWS services from one dashboard. Instead of configuring snapshots service by service — EBS here, RDS there, DynamoDB somewhere else — you define backup plans centrally and let it handle scheduling, retention, and cross-Region or cross-account copies.

It covers EBS, EC2, EFS, FSx, RDS, Aurora, DynamoDB, DocumentDB, Neptune, Timestream, S3, Storage Gateway, and Organizations resources. For compliance, it is often the simplest way to prove backups exist, are tested, and meet retention rules.

Key Concepts

A backup plan is a policy defining what to back up, how often, and how long to keep it. A backup vault is the encrypted container for the backups. A resource assignment maps resources to a plan — usually by tag, so any new resource with the right tag is included automatically. A recovery point is a single backup you restore from.

A plan might back up everything tagged Backup=Daily nightly with 35-day retention, add weekly copies kept six months and monthly copies kept seven years, and copy each to a second Region.

Cross-Region, Cross-Account, and Vault Lock

Cross-Region copy supports disaster recovery; cross-account copy sends backups to a dedicated backup account so an attacker or mistake cannot delete data and its backups together. The combination is the gold standard against ransomware and accidental deletion.

Vault Lock makes recovery points immutable (WORM) for a set period — once locked in compliance mode, not even the root user can delete them early, meeting frameworks like SEC 17a-4(f) and FINRA. Vault Lock is permanent, so test on a non-critical vault first.
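The plan, vault, tag-based selection and Vault Lock settings above map directly onto the documents the AWS Backup API accepts (CreateBackupPlan, CreateBackupSelection, PutBackupVaultLockConfiguration). As an added example, not code from this page or from AWS, the Python below builds the daily/weekly/monthly plan described earlier with a Backup=Daily tag selection and a copy of every recovery point to a vault in a second Region, then runs two checks worth doing before the plan is applied: a cold-storage lifecycle must keep a recovery point at least 90 days in cold storage before deletion, and every retention must fall inside the destination vault's lock window, because a locked vault fails jobs whose retention is outside its min/max range rather than quietly shortening them. The account id, Region, vault names and role ARN are constructed placeholders.

```python
"""Build and sanity-check an AWS Backup plan of the kind described above."""
import json

# Constructed placeholders, not a real account, Region or vaults.
ACCOUNT = "111111111111"
DR_REGION = "us-west-2"
PRIMARY_VAULT = "prod-vault"
DR_VAULT = "dr-vault"
DR_VAULT_ARN = f"arn:aws:backup:{DR_REGION}:{ACCOUNT}:backup-vault:{DR_VAULT}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/AWSBackupDefaultServiceRole"

# A recovery point moved to cold storage must stay there at least this long before deletion.
MIN_COLD_STORAGE_DAYS = 90


def rule(name, cron, delete_after_days, cold_after_days=None):
    """One plan rule: schedule plus retention, with a copy to the DR vault kept for the same period."""
    lifecycle = {"DeleteAfterDays": delete_after_days}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    return {
        "RuleName": name,
        "TargetBackupVaultName": PRIMARY_VAULT,
        "ScheduleExpression": cron,
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 720,
        "Lifecycle": dict(lifecycle),
        "CopyActions": [{"DestinationBackupVaultArn": DR_VAULT_ARN, "Lifecycle": dict(lifecycle)}],
    }


def build_plan():
    """Nightly kept 35 days, weekly kept six months, monthly kept seven years (cold after 90 days)."""
    return {
        "BackupPlanName": "tiered-retention",
        "Rules": [
            rule("daily", "cron(0 5 ? * * *)", 35),
            rule("weekly", "cron(0 5 ? * SUN *)", 180),
            rule("monthly", "cron(0 5 1 * ? *)", 2555, cold_after_days=90),
        ],
    }


def build_selection():
    """Tag-based resource assignment: anything tagged Backup=Daily joins the plan automatically."""
    return {
        "SelectionName": "tagged-daily",
        "IamRoleArn": ROLE_ARN,
        "ListOfTags": [
            {"ConditionType": "STRINGEQUALS", "ConditionKey": "Backup", "ConditionValue": "Daily"}
        ],
    }


# Vault Lock settings for the DR vault: after the 3-day changeable window the lock is permanent.
DR_VAULT_LOCK = {"MinRetentionDays": 35, "MaxRetentionDays": 2555, "ChangeableForDays": 3}


def _vault_name(arn_or_name):
    """Accept either a bare vault name or a vault ARN and return the name."""
    return arn_or_name.rsplit(":", 1)[-1]


def check_plan(plan, vault_locks):
    """Return human-readable problems: lifecycles the service rejects, and retention that a
    locked destination vault would refuse (the job then fails instead of being shortened)."""
    problems = []
    for r in plan["Rules"]:
        targets = [("rule", r["TargetBackupVaultName"], r["Lifecycle"])]
        targets += [("copy", c["DestinationBackupVaultArn"], c["Lifecycle"])
                    for c in r.get("CopyActions", [])]
        for where, vault, lc in targets:
            delete, cold = lc.get("DeleteAfterDays"), lc.get("MoveToColdStorageAfterDays")
            if cold is not None and delete is not None and delete < cold + MIN_COLD_STORAGE_DAYS:
                problems.append(f"{r['RuleName']}/{where}: DeleteAfterDays must be >= "
                                f"MoveToColdStorageAfterDays + {MIN_COLD_STORAGE_DAYS}")
            lock = vault_locks.get(_vault_name(vault))
            if lock and delete is not None and not (lock["MinRetentionDays"] <= delete <= lock["MaxRetentionDays"]):
                problems.append(f"{r['RuleName']}/{where}: retention {delete}d is outside the locked window "
                                f"{lock['MinRetentionDays']}-{lock['MaxRetentionDays']}d of {_vault_name(vault)}")
    return problems


if __name__ == "__main__":
    print(json.dumps({"BackupPlan": build_plan(), "BackupSelection": build_selection()}, indent=2))
    print("problems:", check_plan(build_plan(), {DR_VAULT: DR_VAULT_LOCK}))
```

The JSON this prints is the shape you would pass to `aws backup create-backup-plan --backup-plan file://plan.json` and `create-backup-selection`; the lock check is the one to run whenever a rule or its retention changes, since a too-short retention on a copy into a locked vault only shows up as a failed copy job.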

AWS Backup vs service-native backups

Use AWS Backup when you have many services to protect under one policy, or a compliance requirement to prove retention centrally.

Use service-native backups when you have only a few resources; RDS automated backups or EBS snapshots via DLM can be enough on their own.

Use service-native replication when you need near-zero RPO: RDS replicas, S3 Replication, or DynamoDB Global Tables, not AWS Backup.

Common Mistakes

  • Assigning resources to plans by hand instead of by tag, which does not scale and silently misses new resources.
  • Keeping backups in the same account as the data, so one compromised account loses both — use a separate backup account.
  • Never testing a restore — a backup you have never restored is not yet a backup.
  • Locking a production vault before testing the plan — Vault Lock compliance mode is permanent and cannot be shortened.
  • Expecting AWS Backup to give near-zero RPO — it is point-in-time, not real-time; use service-native replication for that.
  • Running with no alarm on backup-job failures, so backups stop silently until you need one.

Best Practices

  • Assign resources to plans by tag so new resources are protected automatically.
  • Copy critical backups to a separate backup account in AWS Organizations.
  • Test restores regularly, not just backups.
  • Use Vault Lock for compliance archives and critical DR copies — after testing on a non-critical vault.
  • Encrypt vaults with customer-managed KMS keys for sensitive data.
  • Alarm on backup-job failures in CloudWatch.
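The last mistake and the last best practice above are the same point: a backup that stops running is only discovered when a restore is needed. As an added example (not code from this page or from AWS), the Python below expresses the EventBridge patterns that catch failed jobs and runs them over three constructed job-state events with a small matcher that follows EventBridge's match rules. It also makes a point the bullets do not spell out: cross-Region and cross-account copies are separate copy jobs with their own detail-type, so a rule that watches only backup jobs never sees a failed copy. The event field names follow AWS Backup's EventBridge events as documented; the job ids, vault names and ARNs are placeholders.

```python
"""Match AWS Backup job-state events the way an EventBridge rule would, to catch silent failures."""

# Patterns in EventBridge syntax: each leaf is a list of accepted values.
FAILED_BACKUP_JOBS = {
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change"],
    "detail": {"state": ["FAILED", "EXPIRED", "ABORTED"]},
}
# Copy jobs (the cross-Region / cross-account copies) report under a separate detail-type,
# so a rule that only watches backup jobs never sees a failed copy.
FAILED_COPY_JOBS = {
    "source": ["aws.backup"],
    "detail-type": ["Copy Job State Change"],
    "detail": {"state": ["FAILED"]},
}


def matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the event, nested dicts
    recurse, and a list means 'any of these exact values'. Content filters such as
    'prefix' or 'anything-but' are not modelled here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def failed_jobs(events):
    """Return (kind, job id, vault) for every event that should raise an alarm."""
    hits = []
    for e in events:
        if matches(FAILED_BACKUP_JOBS, e):
            hits.append(("backup", e["detail"]["backupJobId"], e["detail"]["backupVaultName"]))
        elif matches(FAILED_COPY_JOBS, e):
            hits.append(("copy", e["detail"]["copyJobId"], e["detail"]["destinationBackupVaultArn"]))
    return hits


# Constructed sample events: field names follow the AWS Backup events, values are placeholders.
SAMPLE_EVENTS = [
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-0001", "state": "COMPLETED", "backupVaultName": "prod-vault"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-0002", "state": "FAILED", "backupVaultName": "prod-vault",
                "statusMessage": "placeholder failure reason"}},
    {"source": "aws.backup", "detail-type": "Copy Job State Change",
     "detail": {"copyJobId": "copy-0003", "state": "FAILED",
                "destinationBackupVaultArn": "arn:aws:backup:us-west-2:111111111111:backup-vault:dr-vault"}},
]

if __name__ == "__main__":
    for hit in failed_jobs(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

In a real deployment the two pattern dictionaries become the event patterns of two EventBridge rules whose target is an SNS topic or the CloudWatch alarm path; the matcher exists only so the patterns can be exercised against sample events offline before they are deployed.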

Comparable services: GCP Backup and DR Service; Azure Backup

Knowledge Check

What is the main advantage of AWS Backup over configuring snapshots service by service?

  • One set of policies governs backups across many services, with tag-based assignment and central retention
  • It delivers near-zero RPO real-time replication automatically for every supported service across all Regions
  • It eliminates all storage cost for the recovery points it keeps
  • It is the single supported way to back up your EBS volumes

Why copy critical backups to a separate AWS account?

  • So a compromise or mistake in the primary account cannot delete both the data and its backups
  • Because per-GB backup storage is billed at a meaningfully cheaper rate when it lives in a second account
  • Because AWS Backup is unable to retain any backups in the source account itself
  • To bypass the requirement to encrypt the copied data

What does AWS Backup Vault Lock guarantee?

  • Recovery points are immutable (WORM) for the retention period — not even root can delete them early
  • Recovery points are automatically restored back to the source resources on a fixed recurring schedule
  • Recovery points are continuously replicated to every AWS Region
  • Backup storage cost is capped at a flat fixed monthly fee

A workload needs near-zero RPO. Is AWS Backup the right tool?

  • No — it is point-in-time; use service-native replication like RDS read replicas or DynamoDB Global Tables
  • Yes — simply set the backup plan's schedule to run a fresh point-in-time job every single second around the clock
  • Yes — Vault Lock continuously provides true real-time replication of every recovery point as it is written
  • Yes — but only once cross-Region copy is enabled on the plan, which streams each change to the second Region instantly
