AWS Backup Complete Guide: Centralized Backup Management
Learn how to centrally manage backups for EC2, RDS, EFS, and other services with AWS Backup. Covers backup plans, cross-region/cross-account replication.
Related Exam Domains
- Design Resilient Architectures
Key Takeaway
AWS Backup is a fully managed service that centrally automates and manages backups across multiple AWS services. Define a backup plan once, and backups for EC2, RDS, EFS, and DynamoDB run automatically.
Exam Tip
Exam Essential: "Centrally manage backups across multiple AWS services?" → AWS Backup. "Need to automate cross-region backups?" → Use AWS Backup cross-region replication.
1. What is AWS Backup?
Concept
AWS Backup is a fully managed backup service that centralizes and automates data protection across AWS services.
Traditional vs AWS Backup
┌─────────────────────────────────────────────────────────┐
│ Traditional Approach (Per-Service Management)           │
├─────────────────────────────────────────────────────────┤
│ EC2      → Manually create AMI/snapshots                │
│ RDS      → Configure auto backup (individual)           │
│ EFS      → Separate backup solution                     │
│ DynamoDB → On-demand backup (manual)                    │
│                                                         │
│ Problems: Distributed management, inconsistency, manual │
└─────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────┐
│ AWS Backup (Centralized)                                │
├─────────────────────────────────────────────────────────┤
│                                                         │
│          ┌──────────────┐                               │
│          │  AWS Backup  │                               │
│          │  (Central)   │                               │
│          └──────┬───────┘                               │
│                 │                                       │
│        ┌────────┼────────┬────────┬────────┐            │
│        ▼        ▼        ▼        ▼        ▼            │
│       EC2      RDS      EFS   DynamoDB    FSx           │
│                                                         │
│ Benefits: Single policy, automation, consistent mgmt    │
└─────────────────────────────────────────────────────────┘
Supported Services
| Category | Services |
|---|---|
| Compute | EC2 (AMI) |
| Storage | EBS, EFS, FSx, S3, Storage Gateway |
| Database | RDS, Aurora, DynamoDB, DocumentDB, Neptune |
| Other | Redshift, CloudFormation, VMware Cloud |
2. Core Components
Backup Plan
A policy that defines backup schedule, retention period, and target resources.
Backup Plan Components
├── Backup Rule
│   ├── Backup frequency (e.g., daily, weekly)
│   ├── Backup time (UTC)
│   ├── Backup window (start to completion)
│   ├── Retention period (days/weeks/months/years/indefinite)
│   └── Copy rules (cross-region/account)
│
└── Resource Assignment
    ├── Tag-based selection
    └── Direct resource ID specification
Backup Vault
An encrypted container where backups are stored.
| Feature | Description |
|---|---|
| Encryption | Auto-encrypted with AWS KMS |
| Access Control | Controlled via resource-based policies |
| Locking | Vault Lock prevents deletion |
Recovery Point
Snapshot or backup data created by backup jobs.
3. Creating a Backup Plan
Console Creation
1. Access AWS Backup Console
   └── https://console.aws.amazon.com/backup
2. Create Backup Plan
   ├── Choose "Build a new plan"
   └── Enter backup plan name
3. Configure Backup Rule
   ├── Rule name: daily-backup
   ├── Backup frequency: Daily
   ├── Backup window: 05:00 UTC (8 hours)
   ├── Retention period: 35 days
   └── Target vault: Default
4. Resource Assignment
   ├── Assignment name: prod-resources
   ├── IAM role: Default role
   └── Resource selection: Tag-based (Environment=Production)
Tag-Based Backup
┌─────────────────────────────────────────────────────────┐
│ Tag-Based Auto Backup                                   │
├─────────────────────────────────────────────────────────┤
│                                                         │
│ Backup Plan: "prod-daily-backup"                        │
│ Condition: Tag "Backup" = "Daily"                       │
│                                                         │
│   ┌─────────┐    ┌─────────┐    ┌─────────┐             │
│   │   EC2   │    │   RDS   │    │   EFS   │             │
│   │ Backup: │    │ Backup: │    │ Backup: │             │
│   │  Daily  │    │  Daily  │    │  Daily  │             │
│   └────┬────┘    └────┬────┘    └────┬────┘             │
│        │              │              │                  │
│        └──────────────┼──────────────┘                  │
│                       ▼                                 │
│     Automatically included in backup plan               │
│                                                         │
└─────────────────────────────────────────────────────────┘
Exam Tip
Exam Point: With tag-based backup, new resources are automatically included in backup targets. Just tag resources appropriately and they're backed up without separate configuration.
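A coverage check for the tag-based selection described above, as an added example that is not part of the original page: it evaluates a selection shaped like the AWS Backup `Conditions` block against a constructed inventory and reports resources left unprotected only because a tag key or value differs in case. The inventory, the `audit` helper, and the simplified matching (AND logic over `StringEquals`/`StringNotEquals`, a missing tag treated as not equal) are assumptions.

```python
# Added example (not from the original page). The inventory is constructed.
# Simplified model: only the Conditions block is evaluated (AND logic), and a
# missing tag is treated as "not equal" (assumption).

SELECTION = {
    "SelectionName": "prod-resources",
    "Resources": ["*"],
    "Conditions": {
        "StringEquals": [{"ConditionKey": "aws:ResourceTag/Environment",
                          "ConditionValue": "Production"}],
        "StringNotEquals": [{"ConditionKey": "aws:ResourceTag/Backup",
                             "ConditionValue": "Exclude"}],
    },
}

INVENTORY = {  # constructed: resource label -> tags
    "ec2/web-1":       {"Environment": "Production"},
    "rds/orders-db":   {"Environment": "Production", "Backup": "Exclude"},
    "efs/shared-fs":   {"Environment": "production"},   # value differs by case
    "dynamodb/events": {"environment": "Production"},   # key differs by case
    "ec2/dev-box":     {"Environment": "Development"},
}


def is_selected(tags, selection, fold_case=False):
    """True if the tags satisfy every condition; fold_case ignores case."""
    norm = str.lower if fold_case else str
    have = {norm(k): norm(v) for k, v in tags.items()}
    conds = selection.get("Conditions", {})

    def tag_value(cond):
        return have.get(norm(cond["ConditionKey"].split("/", 1)[1]))

    for cond in conds.get("StringEquals", []):
        if tag_value(cond) != norm(cond["ConditionValue"]):
            return False
    for cond in conds.get("StringNotEquals", []):
        if tag_value(cond) == norm(cond["ConditionValue"]):
            return False
    return True


def audit(inventory, selection):
    """Return covered resources and those missed only because of tag case."""
    covered = sorted(r for r, t in inventory.items() if is_selected(t, selection))
    near_miss = sorted(r for r, t in inventory.items()
                       if r not in covered and is_selected(t, selection, True))
    return {"covered": covered, "near_miss": near_miss}
```

Running `audit(INVENTORY, SELECTION)` on a real inventory export is a quick way to find production resources that a case-sensitive tag match silently leaves out of the plan.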
4. Advanced Features
Cross-Region Backup
Automatically replicate backups to other regions for disaster recovery.
┌─────────────────────────────────────────────────────────┐
│ Cross-Region Backup                                     │
├─────────────────────────────────────────────────────────┤
│                                                         │
│   Seoul Region                    Tokyo Region          │
│   ┌──────────┐                    ┌──────────┐          │
│   │ EC2/RDS  │                    │  Backup  │          │
│   │  Source  │     ────────▶      │ Replica  │          │
│   └──────────┘                    └──────────┘          │
│        │                               │                │
│        ▼                               ▼                │
│   ┌──────────┐                    ┌──────────┐          │
│   │  Seoul   │                    │  Tokyo   │          │
│   │  Vault   │                    │  Vault   │          │
│   └──────────┘                    └──────────┘          │
│                                                         │
│ Config: Specify target region and vault in copy rules   │
└─────────────────────────────────────────────────────────┘
Cross-Account Backup
Manage backups from multiple AWS accounts in a central account.
Backup Account (Central)
├── Define backup policies
├── Store all accounts' backups
└── Unified monitoring
Production Account
├── Operate resources
└── Send backups to central account
Development Account
├── Operate resources
└── Send backups to central account
Point-in-Time Recovery (PITR)
Restore to specific points in time with continuous backup.
| Service | PITR Support |
|---|---|
| RDS/Aurora | Yes (5-minute granularity) |
| DynamoDB | Yes (35 days) |
| S3 | Yes (versioning required) |
Vault Lock
Lock backups to make them undeletable for compliance.
Vault Lock Modes
├── Governance Mode
│   └── Can unlock with specific permissions
│
└── Compliance Mode
    └── Cannot delete even with root account (WORM)
5. Retention Policy Design
Retention Period Strategy
┌─────────────────────────────────────────────────────────┐
│ Retention Policy Example                                │
├─────────────────────────────────────────────────────────┤
│                                                         │
│ Daily backup ──────────▶ 7 days retention               │
│   │                                                     │
│   ├── Weekly backup ──────▶ 4 weeks retention           │
│   │     │                                               │
│   │     └── Monthly backup ──▶ 12 months retention      │
│   │           │                                         │
│   │           └── Yearly backup ──▶ 7 years             │
│                                                         │
│ Result: Maintain 7 daily + 4 weekly + 12 monthly        │
│         + 7 yearly                                      │
└─────────────────────────────────────────────────────────┘
Cold Storage Transition
Move long-term backups to cheaper storage.
| Option | Description |
|---|---|
| Warm Storage | Default, fast restore |
| Cold Storage | Cheaper, increased restore time |
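The retention tiers and the cold storage transition above, combined in an added example that is not part of the original page: it turns the four tiers into rule dictionaries shaped like the AWS Backup `BackupPlan` structure and enforces the requirement that a recovery point moved to cold storage stays there at least 90 days. The schedules, the day counts used for "12 months" and "7 years", the 30-day transition, and the plan name are assumptions.

```python
# Added example (not from the original page): retention tiers -> backup rules.
# Schedules and the day counts for "12 months"/"7 years" are assumptions.

MIN_COLD_DAYS = 90  # a recovery point must spend at least 90 days in cold storage

TIERS = [  # (rule name, schedule in AWS cron syntax, retention in days)
    ("daily",   "cron(0 5 ? * * *)",   7),
    ("weekly",  "cron(0 5 ? * SUN *)", 4 * 7),
    ("monthly", "cron(0 5 1 * ? *)",   365),
    ("yearly",  "cron(0 5 1 1 ? *)",   7 * 365),
]


def build_rule(name, schedule, delete_after, cold_after=None, vault="Default"):
    """Return one rule dict; reject a lifecycle that breaks the 90-day rule."""
    lifecycle = {"DeleteAfterDays": delete_after}
    if cold_after is not None:
        if delete_after - cold_after < MIN_COLD_DAYS:
            raise ValueError(
                f"{name}: retention of {delete_after}d leaves fewer than "
                f"{MIN_COLD_DAYS}d in cold storage after day {cold_after}")
        lifecycle["MoveToColdStorageAfterDays"] = cold_after
    return {"RuleName": f"{name}-backup", "TargetBackupVaultName": vault,
            "ScheduleExpression": schedule, "Lifecycle": lifecycle}


def build_plan(tiers, cold_after=30, name="gfs-retention"):
    """Build the plan, sending to cold storage only the tiers that qualify."""
    rules = []
    for rule_name, schedule, days in tiers:
        eligible = days - cold_after >= MIN_COLD_DAYS
        rules.append(build_rule(rule_name, schedule, days,
                                cold_after if eligible else None))
    return {"BackupPlanName": name, "Rules": rules}


def cold_tiers(plan):
    """Names of the rules whose recovery points transition to cold storage."""
    return [r["RuleName"] for r in plan["Rules"]
            if "MoveToColdStorageAfterDays" in r["Lifecycle"]]
```

With a 30-day transition, only the monthly and yearly tiers qualify; the daily and weekly tiers expire before cold storage could pay off.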
6. Cost Optimization
Cost Components
| Item | Pricing Basis |
|---|---|
| Backup Storage | Per GB-month |
| Restore | Per GB |
| Cross-Region Replication | Per GB transfer |
| PITR | Continuous backup storage |
Cost Saving Tips
1. Set appropriate retention periods
   └── Avoid unnecessarily long retention
2. Use Cold Storage
   └── Auto-transition for 90+ day retention
3. Incremental Backups
   └── AWS Backup uses incremental by default
4. Optimize backup frequency
   └── Differentiate based on workload importance
7. Monitoring and Alerts
CloudWatch Integration
AWS Backup → CloudWatch → SNS → Alerts
Monitorable Items:
├── Backup job success/failure
├── Restore job status
├── Recovery point count
└── Storage capacity
EventBridge Rules
{
  "source": ["aws.backup"],
  "detail-type": ["Backup Job State Change"],
  "detail": {
    "state": ["FAILED", "EXPIRED"]
  }
}
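To see what the rule above does and does not alert on, this added example (not part of the original page) applies the same pattern to constructed events using a small matcher that covers only the exact-value subset of EventBridge pattern matching. The event bodies, job IDs, and helper names are assumptions.

```python
# Added example (not from the original page). Events are constructed and
# trimmed to the fields the pattern inspects; job ids are placeholders.

PATTERN = {
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change"],
    "detail": {"state": ["FAILED", "EXPIRED"]},
}

EVENTS = [
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-1", "state": "COMPLETED"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-2", "state": "FAILED"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-3", "state": "EXPIRED"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-4", "state": "ABORTED"}},
    {"source": "aws.backup", "detail-type": "Restore Job State Change",
     "detail": {"restoreJobId": "restore-1", "status": "FAILED"}},
]


def matches(pattern, event):
    """Every pattern key must exist; a list means any-of, a dict recurses."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        else:
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in wanted for v in values):
                return False
    return True


def alert_job_ids(events, pattern=PATTERN):
    """Backup job ids that would reach the alert target."""
    return [e["detail"].get("backupJobId") for e in events if matches(pattern, e)]


def silent_events(events, pattern=PATTERN):
    """(detail-type, state) pairs for events the rule does not match."""
    return [(e["detail-type"], e["detail"].get("state") or e["detail"].get("status"))
            for e in events if not matches(pattern, e)]
```

The aborted backup job and the failed restore job pass through without an alert, so monitoring restore status or aborted jobs needs additional states or a second rule.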
8. Service-Specific Backup vs AWS Backup
Comparison Table
| Feature | Service-Specific Backup | AWS Backup |
|---|---|---|
| Central Management | Distributed | Unified |
| Consistent Policy | Varies by service | Single policy |
| Cross-Region | Some services only | All services |
| Cross-Account | No | Supported |
| Compliance | Requires separate implementation | Vault Lock |
| Cost Tracking | Distributed | Unified |
Selection Criteria
AWS Backup Recommended Scenarios:
├── Using multiple services (EC2 + RDS + EFS, etc.)
├── Compliance requirements (finance, healthcare)
├── Multi-region/multi-account environment
├── Need centralized backup policy
└── Automation and consistency important
Service-Specific Backup Scenarios:
├── Using single service only
├── Simple backup requirements
└── Need service-specific special features
SAA-C03 Exam Focus Points
Common Question Types
- Service Selection
  - "Centrally manage EC2, RDS, EFS backups?" → AWS Backup
  - "Centralize backups across multiple AWS accounts?" → AWS Backup + Organizations
- Feature Related
  - "Prevent backup deletion for compliance?" → Vault Lock
  - "Automated replication for disaster recovery?" → Cross-region backup
- Comparison Questions
  - "Difference between AWS Backup vs service-specific auto backup?" → Central management, consistency
Exam Tip
Key Memory Points:
- AWS Backup = Centralized backup management
- Supported: EC2, EBS, RDS, Aurora, DynamoDB, EFS, FSx, S3
- Cross-region/account replication supported
- Vault Lock for compliance
Frequently Asked Questions (FAQ)
Q: What's the difference between AWS Backup and service-specific auto backup?
Service-specific backup (e.g., RDS auto backup) is managed within that service only, while AWS Backup manages multiple services from a single console. AWS Backup is advantageous for consistency and efficiency in multi-service environments.
Q: How is AWS Backup cost calculated?
Charges are based on backup storage (GB-month) and restore operations (per GB). Cross-region replication incurs additional data transfer charges. Incremental backups mean only changed data is stored.
Q: How do I exclude specific resources from AWS Backup?
With tag-based selection, you can include or exclude resources with specific tags. Example: exclude resources that carry the Backup=Exclude tag.
Q: Can AWS Backup back up on-premises data?
You can bring on-premises data to AWS via AWS Storage Gateway, then back it up with AWS Backup. Virtual machines in VMware environments are also supported.
Summary
AWS Backup is a core service for centrally automating backups across multiple AWS services:
- Single policy for multiple service management
- Tag-based auto resource assignment
- Cross-region/account replication for disaster recovery
- Vault Lock for compliance
On exams, when you see "centrally manage backups for multiple services," think AWS Backup.