AWS Backup provides a backup console, public APIs, and a command line interface to centrally manage backups across the AWS storage, compute, database, and hybrid services your applications run on, including Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon FSx, Amazon Elastic File System (EFS), AWS Storage Gateway, Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Aurora, Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB (with MongoDB compatibility), Amazon Timestream, Amazon Redshift, SAP HANA on Amazon EC2, and the entire application stack defined by AWS CloudFormation, as well as hybrid applications like VMware workloads running on premises, in VMware Cloud on AWS, and on AWS Outposts.
The AWS Backup vault is a logical container that stores and manages your encrypted backups. When creating a backup vault, you specify the AWS Key Management Service (AWS KMS) key that encrypts the backups placed in this vault, or accept the default AWS managed key for AWS Backup. For resource types that support full AWS Backup management, backups copied to another vault are re-encrypted with the key of the target vault; for the remaining resource types the backup keeps the encryption of the source resource. For the per-service details, see the chart in Encryption for backups in AWS.
AWS Backup encrypts your backup data at rest and in transit, which secures your backup data and helps meet compliance requirements. Your backup data is encrypted using keys managed by AWS KMS, so you do not need to build and maintain a separate key management infrastructure. For resource types that support full AWS Backup management, the keys used to encrypt your backups are independent of the keys used to encrypt the resources the backups are based on; keeping production and backup data under separate keys means that a compromise or deletion of the production key does not take the backups with it. For the other resource types, the backup is encrypted with the same key as the source resource, so that key must remain available for restores; check the chart in Encryption for backups in AWS to see which case applies to each service.
You can create backups managed by backup plans, enabling you to define your backup requirements and apply these policies to the AWS resources you want to protect. Backup plans simplify and scale your data protection strategy across your applications and organization.
You can apply backup plans to your AWS resources by tagging them. AWS tags are a great way to consistently organize and classify your AWS resources.
You can customize backup schedules or choose from predefined backup schedules based on common best practices. AWS Backup runs backup jobs according to the policies and schedules you define, and each rule carries a start window and a completion window that bound when a scheduled job may begin and by when it must finish, so you can keep backup activity outside production peak hours.
You can set backup retention policies that automatically retain and expire backups, minimizing backup storage costs. Configure lifecycle policies that automatically transition backups from warm storage to cold storage, helping lower backup storage costs by storing backups in a low-cost cold storage tier. A backup that transitions to cold storage must stay there for at least 90 days before it can expire, so the retention period must be at least 90 days longer than the cold storage transition.
You can copy backups across different AWS Regions and accounts from a central console to meet compliance and disaster recovery needs. You can copy backups either manually as an on-demand copy, or automatically as part of a scheduled backup plan to multiple different Regions and accounts, and recover those backups in a new Region or account.
You can create data protection policies and use AWS Organizations to enforce the protection policies throughout all the accounts in that organization. This provides multi-account backups and gives an additional layer of protection should the source account experience disruption from accidental or malicious deletion, disasters, or ransomware.
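The following is an added example, not AWS Backup's own code or documentation. It builds a backup plan document in the shape the CreateBackupPlan API accepts (a scheduled rule with a warm-to-cold lifecycle and a copy action to a vault in another account and Region), builds a tag-based selection for CreateBackupSelection, and checks two things a practitioner would want caught before the API call: that every lifecycle leaves at least 90 days between the cold storage transition and expiry, and that the copy target is actually outside the source account or Region, since a copy into the same account gives no protection against loss of that account. The account IDs, Regions, vault names, role ARN and tag values are placeholders.

```python
"""Build, check and serialize an AWS Backup plan and a tag-based selection.

Added example, not AWS code. Field names follow the CreateBackupPlan and
CreateBackupSelection request shapes; all ARNs, accounts, Regions, vault
names and tags below are placeholders.
"""
import json

# AWS Backup requires a recovery point to remain in cold storage for at
# least 90 days before it expires.
MIN_DAYS_IN_COLD_STORAGE = 90

# Placeholder identities (assumptions, not values from the page).
HOME_REGION = "us-east-1"
HOME_ACCOUNT = "111111111111"
PRIMARY_VAULT = "prod-vault"
DR_VAULT_ARN = "arn:aws:backup:us-west-2:222222222222:backup-vault:dr-vault"
BACKUP_ROLE_ARN = f"arn:aws:iam::{HOME_ACCOUNT}:role/service-role/AWSBackupDefaultServiceRole"


def lifecycle(cold_after_days, delete_after_days):
    """Warm-to-cold transition and expiry, both in days after creation."""
    return {"MoveToColdStorageAfterDays": cold_after_days,
            "DeleteAfterDays": delete_after_days}


def backup_rule(name, vault_name, cron, cold_after, delete_after, copy_targets=()):
    """One plan rule; copy_targets are destination vault ARNs for CopyActions."""
    return {
        "RuleName": name,
        "TargetBackupVaultName": vault_name,
        "ScheduleExpression": cron,
        "StartWindowMinutes": 60,        # job must start within 1 h of schedule
        "CompletionWindowMinutes": 240,  # and finish within 4 h of starting
        "Lifecycle": lifecycle(cold_after, delete_after),
        "CopyActions": [{"DestinationBackupVaultArn": arn,
                         "Lifecycle": lifecycle(cold_after, delete_after)}
                        for arn in copy_targets],
    }


def tag_selection(name, role_arn, tag_key, tag_value):
    """Selection document that assigns every resource tagged key=value to the plan."""
    return {"SelectionName": name, "IamRoleArn": role_arn,
            "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                            "ConditionKey": tag_key,
                            "ConditionValue": tag_value}]}


def vault_arn_parts(arn):
    """Return (region, account) from arn:aws:backup:<region>:<account>:backup-vault:<name>."""
    parts = arn.split(":")
    return parts[3], parts[4]


def validate_plan(plan, home_region, home_account):
    """Return a list of problems; an empty list means the plan passes these checks."""
    problems = []
    for rule in plan["Rules"]:
        lifecycles = [(f"rule {rule['RuleName']}", rule["Lifecycle"])]
        for copy in rule.get("CopyActions", []):
            dest = copy["DestinationBackupVaultArn"]
            lifecycles.append((f"copy to {dest}", copy["Lifecycle"]))
            region, account = vault_arn_parts(dest)
            if region == home_region and account == home_account:
                problems.append(f"rule {rule['RuleName']}: copy target {dest} is in the "
                                "source account and Region, so it does not isolate the "
                                "copy from loss of that account")
        for label, lc in lifecycles:
            cold, delete = lc["MoveToColdStorageAfterDays"], lc["DeleteAfterDays"]
            if delete - cold < MIN_DAYS_IN_COLD_STORAGE:
                problems.append(f"{label}: DeleteAfterDays ({delete}) must be at least "
                                f"{MIN_DAYS_IN_COLD_STORAGE} days after "
                                f"MoveToColdStorageAfterDays ({cold})")
    return problems


def build_example_plan():
    """Daily 05:00 UTC backups, cold after 30 days, expire after 365, copied to DR."""
    return {"BackupPlanName": "prod-daily",
            "Rules": [backup_rule("daily", PRIMARY_VAULT, "cron(0 5 ? * * *)",
                                  30, 365, copy_targets=[DR_VAULT_ARN])]}


def plan_json(plan):
    """Serialize for `aws backup create-backup-plan --backup-plan file://plan.json`."""
    return json.dumps(plan, indent=2)


if __name__ == "__main__":
    plan = build_example_plan()
    selection = tag_selection("tagged-prod", BACKUP_ROLE_ARN, "backup", "daily")
    for problem in validate_plan(plan, HOME_REGION, HOME_ACCOUNT):
        print("PROBLEM:", problem)
    print(plan_json(plan))
    print(json.dumps(selection, indent=2))
```

Write the two JSON documents to files and pass them to `aws backup create-backup-plan --backup-plan file://plan.json` and `aws backup create-backup-selection --backup-plan-id <id> --backup-selection file://selection.json`; the destination vault in the other account must first grant the source account copy permission through its vault access policy, and the chosen IAM role needs the AWS Backup service policies for the resource types selected.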