AWS Backup

A centralized service for managing and automating backups across EC2, RDS, S3, DynamoDB, and other AWS services with policy-based controls

Overview

AWS Backup is a fully managed service for centrally managing and automating backups of AWS resources. It supports over 20 AWS services including EC2 instances (EBS snapshots), RDS databases, DynamoDB tables, EFS file systems, S3 buckets, and FSx file systems. Backup plans define schedules, retention periods, and lifecycle rules (transition to cold storage), applying consistent backup policies across your organization. It also supports cross-account backups via AWS Organizations and cross-region copies for disaster recovery.

Designing Backup Plans and Vaults

The core concepts of AWS Backup are backup plans (schedules and retention rules) and backup vaults (where recovery points are stored). A plan can combine several rules, for example daily backups retained for 30 days, weekly backups for one year, and monthly backups for seven years, to satisfy retention requirements such as those in HIPAA or PCI DSS. Each rule can carry a lifecycle policy that moves recovery points from warm to cold storage after a set number of days. This is the main cost lever for long retention: cold storage is priced well below warm storage (roughly one-quarter, depending on resource type and region), but recovery points must stay in cold storage for at least 90 days, so the deletion date must be at least 90 days after the transition date, and only some resource types support cold storage at all. That makes cold storage unsuitable for short-lived tiers such as a 30-day daily backup.

Vaults are encrypted with KMS keys, and a vault access policy (a resource-based policy attached to the vault) restricts which IAM principals may back up into, restore from, or delete recovery points in it. Create separate vaults per data classification (production vs. development, sensitive vs. non-sensitive) so that each carries its own access policy and its own KMS key.
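As an added example (not code from the page or from AWS), the following Python builds the three-tier plan just described in the shape boto3's backup.create_backup_plan accepts and checks the cold-storage constraint before any API call is made. The vault name prod-vault, the plan name, the cron schedules and the start/completion windows are assumptions; the 90-day cold-storage minimum is the service's documented constraint.

```python
"""Tiered AWS Backup plan (daily/weekly/monthly) with cold-storage lifecycle checks.

Added example, not code from the page or from AWS. The vault name "prod-vault",
the plan name and the schedules are assumptions. The BackupPlan dict uses the
shape boto3's backup.create_backup_plan accepts; nothing here calls AWS at import.
"""
from __future__ import annotations

# AWS Backup rejects lifecycles where a recovery point would spend fewer than
# 90 days in cold storage: DeleteAfterDays >= MoveToColdStorageAfterDays + 90.
COLD_MIN_RETENTION_DAYS = 90
VAULT = "prod-vault"  # assumed to exist already


def make_rule(name: str, schedule: str, retain_days: int,
              cold_after_days: int | None = None, vault: str = VAULT) -> dict:
    """One backup-plan rule in the shape create_backup_plan expects."""
    lifecycle: dict = {"DeleteAfterDays": retain_days}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    return {
        "RuleName": name,
        "TargetBackupVaultName": vault,
        "ScheduleExpression": schedule,   # six-field cron expression, UTC
        "StartWindowMinutes": 60,         # job must start within 1h of schedule
        "CompletionWindowMinutes": 720,   # and finish within 12h
        "Lifecycle": lifecycle,
    }


def lifecycle_problems(rule: dict) -> list[str]:
    """Reasons the rule's lifecycle would be rejected by AWS (empty list = fine)."""
    lc = rule["Lifecycle"]
    name = rule["RuleName"]
    retain = lc["DeleteAfterDays"]
    cold = lc.get("MoveToColdStorageAfterDays")
    problems = []
    if retain < 1:
        problems.append(f"{name}: DeleteAfterDays must be positive")
    if cold is not None:
        if cold < 1:
            problems.append(f"{name}: MoveToColdStorageAfterDays must be positive")
        if retain < cold + COLD_MIN_RETENTION_DAYS:
            problems.append(
                f"{name}: only {retain - cold} days would be spent in cold storage; "
                f"AWS requires DeleteAfterDays >= MoveToColdStorageAfterDays + "
                f"{COLD_MIN_RETENTION_DAYS}"
            )
    return problems


def build_plan(name: str, rules: list[dict]) -> dict:
    """Assemble the BackupPlan argument, refusing rules AWS would reject."""
    problems = [p for r in rules for p in lifecycle_problems(r)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"BackupPlanName": name, "Rules": rules}


# Daily 30d / weekly 1y / monthly 7y, as in the text. The 30-day tier stays warm:
# a cold transition would force its retention to at least transition + 90 days.
PROD_PLAN = build_plan("prod-tiered", [
    make_rule("daily-30d", "cron(0 5 ? * * *)", retain_days=30),
    make_rule("weekly-1y", "cron(0 5 ? * SUN *)", retain_days=365, cold_after_days=30),
    make_rule("monthly-7y", "cron(0 5 1 * ? *)", retain_days=7 * 365, cold_after_days=30),
])


def create_plan(backup_client, plan: dict = PROD_PLAN) -> str:
    """Create the plan with a boto3 'backup' client and return its BackupPlanId."""
    return backup_client.create_backup_plan(BackupPlan=plan)["BackupPlanId"]


if __name__ == "__main__":
    import json
    print(json.dumps(PROD_PLAN, indent=2))
    # A 30-day tier with a 7-day cold transition is exactly what AWS rejects:
    print(lifecycle_problems(make_rule("bad", "cron(0 5 ? * * *)", 30, cold_after_days=7)))
```

Run it with `python3 plan.py` to print the plan; pass `boto3.client("backup")` to `create_plan` to create it. The check mirrors the validation the API performs, so a rejected lifecycle is caught in review rather than at deploy time.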

Ransomware Protection with Vault Lock

Vault Lock puts a backup vault into WORM (write once, read many) mode. It has two modes. In governance mode the lock and its retention bounds can still be changed or removed by any principal holding the relevant permission (backup:DeleteBackupVaultLockConfiguration), so it guards against mistakes but not against an attacker who has obtained those rights. In compliance mode the lock becomes immutable once a cooling-off period of at least 72 hours expires: after that nobody, including the account's root user and AWS itself, can delete recovery points before their retention expires, shorten retention below the lock's minimum, or remove the lock. The lock also enforces minimum and maximum retention on every backup plan that writes into the vault, which closes the "set retention to one day and wait" route to destroying backups. This is why compliance mode is recommended for production vaults despite being irreversible: if an attacker gains administrative access and tries to destroy backups, the recovery points already in the vault survive for the configured duration. Try the configuration on a non-production vault first, because a compliance lock with a mistaken retention value cannot be undone. Vault Lock protects what is already in the vault; it does not stop an attacker from disabling future backup jobs, so also monitor for deleted or modified backup plans and selections. AWS Backup also backs up S3 buckets natively, whereas Azure Backup relies on Blob versioning or point-in-time restore for Azure Blob Storage.
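Before relying on Vault Lock it pays to audit what mode each vault is actually in. The Python below is an added example, not code from the page or from AWS: it classifies vaults from the fields boto3's backup.describe_backup_vault returns (Locked, MinRetentionDays, MaxRetentionDays, LockDate) and builds the put_backup_vault_lock_configuration arguments for a compliance-mode lock. The vault names, dates and the 90-day retention floor are constructed assumptions; that LockDate is present only for compliance-mode locks and that ChangeableForDays must be at least 3 follows the API documentation.

```python
"""Audit AWS Backup vaults for Vault Lock posture; build a compliance-mode lock request.

Added example, not code from the page or from AWS. SAMPLE_VAULTS is constructed
to mimic describe_backup_vault output; names, dates and the policy floor are assumed.
"""
from __future__ import annotations
from datetime import datetime, timezone

MIN_COOLING_OFF_DAYS = 3  # AWS requires ChangeableForDays >= 3 for compliance mode


def lock_posture(vault: dict, now: datetime) -> str:
    """Classify one describe_backup_vault result.

    LockDate is present only when the vault was locked with ChangeableForDays
    (compliance mode); it is the moment the lock becomes immutable. A locked
    vault without LockDate is in governance mode and can still be unlocked by
    any principal allowed backup:DeleteBackupVaultLockConfiguration.
    """
    if not vault.get("Locked"):
        return "UNLOCKED"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "GOVERNANCE"
    return "COMPLIANCE_PENDING" if lock_date > now else "COMPLIANCE_LOCKED"


def audit_vaults(vaults: list[dict], now: datetime, required_min_days: int) -> list[str]:
    """One finding per way a vault misses the bar: compliance mode, past its
    cooling-off period, with MinRetentionDays at or above the policy floor."""
    findings = []
    for v in vaults:
        name = v["BackupVaultName"]
        posture = lock_posture(v, now)
        if posture == "UNLOCKED":
            findings.append(f"{name}: no Vault Lock; any admin can delete recovery points")
        elif posture == "GOVERNANCE":
            findings.append(f"{name}: governance-mode lock; removable with IAM permission")
        elif posture == "COMPLIANCE_PENDING":
            findings.append(f"{name}: compliance lock not immutable until {v['LockDate'].date()}")
        if posture != "UNLOCKED" and v.get("MinRetentionDays", 0) < required_min_days:
            findings.append(f"{name}: MinRetentionDays {v.get('MinRetentionDays')} "
                            f"is below the policy floor of {required_min_days}")
    return findings


def compliance_lock_request(vault_name: str, min_days: int, max_days: int | None = None,
                            changeable_for_days: int = MIN_COOLING_OFF_DAYS) -> dict:
    """kwargs for backup.put_backup_vault_lock_configuration in compliance mode.
    Omitting ChangeableForDays would create a governance-mode lock instead."""
    if changeable_for_days < MIN_COOLING_OFF_DAYS:
        raise ValueError(f"ChangeableForDays must be >= {MIN_COOLING_OFF_DAYS}")
    if max_days is not None and max_days < min_days:
        raise ValueError("MaxRetentionDays must be >= MinRetentionDays")
    req = {"BackupVaultName": vault_name, "MinRetentionDays": min_days,
           "ChangeableForDays": changeable_for_days}
    if max_days is not None:
        req["MaxRetentionDays"] = max_days
    return req


# Constructed sample of describe_backup_vault results (not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VAULTS = [
    {"BackupVaultName": "dev-vault", "Locked": False},
    {"BackupVaultName": "prod-vault", "Locked": True, "MinRetentionDays": 30},  # governance
    {"BackupVaultName": "central-vault", "Locked": True, "MinRetentionDays": 90,
     "MaxRetentionDays": 2555, "LockDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"BackupVaultName": "new-vault", "Locked": True, "MinRetentionDays": 90,
     "LockDate": datetime(2024, 6, 3, tzinfo=timezone.utc)},  # still in cooling-off
]

if __name__ == "__main__":
    for finding in audit_vaults(SAMPLE_VAULTS, NOW, required_min_days=90):
        print(finding)
    print(compliance_lock_request("prod-vault", min_days=90, max_days=2555))
```

In a real audit, feed `audit_vaults` the results of `describe_backup_vault` for every vault in every account (for example via a read-only role assumed from the backup account), and pass `datetime.now(timezone.utc)` as `now`. A "COMPLIANCE_PENDING" vault is the window in which an attacker could still remove the lock, so treat it as unprotected until the date passes.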

Centralized Multi-Account Management with Organizations

The most effective practical use of AWS Backup is combining it with Organizations backup policies. Define backup plans in the management account (or, better, in a delegated administrator account so the management account stays out of day-to-day operations) and they are applied automatically to every member account in the targeted OUs, so new accounts receive backup coverage without manual configuration. Cross-account copy actions place recovery points in a central vault in a dedicated backup account, isolating backup data from the accounts that produced it. The destination vault's access policy must grant the source accounts backup:CopyIntoBackupVault and nothing more; combined with a compliance-mode Vault Lock on that vault, a compromised source account, or even a compromised central account, cannot delete the copies. For disaster recovery, configure cross-region copies so that production-region backups are replicated to a secondary region, and test restores regularly to verify recovery point integrity and measure the actual RTO. Backup audit reports from AWS Backup Audit Manager (which relies on AWS Config recording the protected resource types) provide compliance evidence showing which resources are protected and whether backup jobs are completing successfully across the organization.
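The following Python is an added example, not code from the page or from AWS: it generates an Organizations backup policy in the service's JSON syntax (a plans map whose values use @@assign operators; $account is replaced with each member account's ID when the policy is applied), with a copy action into a vault in a dedicated backup account and a different region, and checks that every copy target actually isolates the data from the source account and region. The account IDs, region names, vault names and the role name are assumptions.

```python
"""Generate an AWS Organizations backup policy and check copy-target isolation.

Added example, not code from the page or from AWS. Account IDs, regions, vault
names and the role name are assumptions. The JSON layout follows the
Organizations backup-policy syntax: "plans" -> regions/rules/selections with
"@@assign" operators; "$account" is substituted per member account.
"""
from __future__ import annotations
import json
import re

VAULT_ARN = re.compile(
    r"^arn:aws:backup:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):backup-vault:(?P<name>[\w.-]+)$")


def assign(value):
    return {"@@assign": value}


def build_org_backup_policy(plan_name: str, regions: list[str], local_vault: str,
                            central_vault_arn: str, retain_days: int, copy_retain_days: int,
                            role_name: str, tag_key: str, tag_values: list[str]) -> dict:
    """Daily rule into each member's local vault plus a copy to the central vault.
    Numeric values are strings, as the policy syntax expects."""
    return {"plans": {plan_name: {
        "regions": assign(regions),
        "rules": {"daily": {
            "schedule_expression": assign("cron(0 5 ? * * *)"),
            "start_backup_window_minutes": assign("60"),
            "complete_backup_window_minutes": assign("720"),
            "target_backup_vault_name": assign(local_vault),
            "lifecycle": {"delete_after_days": assign(str(retain_days))},
            "copy_actions": {central_vault_arn: {
                "target_backup_vault_arn": assign(central_vault_arn),
                "lifecycle": {"delete_after_days": assign(str(copy_retain_days))},
            }},
        }},
        "selections": {"tags": {"by-tag": {
            # $account is the member account; the role must exist in every member.
            "iam_role_arn": assign(f"arn:aws:iam::$account:role/{role_name}"),
            "tag_key": assign(tag_key),
            "tag_value": assign(tag_values),
        }}},
    }}}


def isolation_problems(policy: dict, central_account: str) -> list[str]:
    """Flag rules whose copies would not leave the source account and region."""
    problems = []
    for plan_name, plan in policy["plans"].items():
        source_regions = set(plan["regions"]["@@assign"])
        for rule_name, rule in plan["rules"].items():
            where = f"{plan_name}/{rule_name}"
            copies = rule.get("copy_actions", {})
            if not copies:
                problems.append(f"{where}: no copy action; backups stay in the source account")
            for target in copies:
                m = VAULT_ARN.match(target)
                if not m:
                    problems.append(f"{where}: unparseable vault ARN {target}")
                    continue
                if m["account"] != central_account:
                    problems.append(f"{where}: copy target is not in the central backup account")
                if m["region"] in source_regions:
                    problems.append(f"{where}: copy region {m['region']} is a source region")
    return problems


CENTRAL_ACCOUNT = "111111111111"  # assumed dedicated backup account
POLICY = build_org_backup_policy(
    plan_name="org-daily", regions=["us-east-1"], local_vault="Default",
    central_vault_arn=f"arn:aws:backup:us-west-2:{CENTRAL_ACCOUNT}:backup-vault:central-vault",
    retain_days=35, copy_retain_days=365, role_name="AWSBackupDefaultServiceRole",
    tag_key="backup", tag_values=["daily"],
)


def attach_policy(org_client, policy: dict, target_id: str, name: str = "org-daily-backup") -> str:
    """Create the BACKUP_POLICY with a boto3 'organizations' client, attach it to a
    root, OU or account ID, and return the policy ID."""
    resp = org_client.create_policy(Content=json.dumps(policy), Description="Org backup baseline",
                                    Name=name, Type="BACKUP_POLICY")
    policy_id = resp["Policy"]["PolicySummary"]["Id"]
    org_client.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(isolation_problems(POLICY, CENTRAL_ACCOUNT))
```

Backup policies have to be enabled once at the organization root (`enable_policy_type` with `PolicyType="BACKUP_POLICY"`) before `attach_policy` will succeed, and the central vault's access policy must grant the member accounts `backup:CopyIntoBackupVault` or the copy jobs fail. The isolation check is worth running in CI for every policy change: a copy action pointed at a vault in the same account, or in the same region, silently loses the protection this section is about.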
