AWS Backup features

Overview

AWS Backup is a fully managed service that centralizes and automates data protection across AWS services and hybrid workloads. It provides core data protection features, ransomware recovery capabilities, and compliance insights and analytics for data protection policies and operations. AWS Backup offers a cost-effective, policy-based service with features that simplify data protection at exabyte scale across your AWS estate. 

Data protection of application resources on AWS and hybrid services

AWS Backup helps protect application resources, including your AWS storage, database, and compute services as well as hybrid workloads like VMware. AWS Backup supports the following capabilities for all its supported services and third-party applications: automated backup scheduling and retention management, centralized data protection monitoring, AWS KMS-integrated backup encryption, cross-account management with AWS Organizations, data protection auditing and compliance reporting with AWS Backup Audit Manager, and write-once, read-many (WORM) with AWS Backup Vault Lock.

AWS Backup provides a backup console, public APIs, and a command line interface to centrally manage backups across the AWS storage, compute, database, and hybrid services your applications run on, including Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon FSx, Amazon Elastic File System (EFS), AWS Storage Gateway, Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Aurora, Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB (with MongoDB compatibility), Amazon Timestream, Amazon Redshift, SAP HANA on Amazon EC2, and the entire application stack defined by AWS CloudFormation, as well as hybrid applications like VMware workloads running on premises and in VMware Cloud™ on AWS and AWS Outposts.

The AWS Backup vault is a logical container that stores and manages your encrypted backups. When creating a backup vault, you must specify the AWS Key Management Service (AWS KMS) encryption key that encrypts the backups placed in this vault. All copied backups are encrypted with the key of the target vault. For more information about encryption, see the chart in Encryption for backups in AWS.

AWS Backup encrypts your backup data at rest and in transit, providing a comprehensive encryption solution that secures your backup data and helps meet compliance requirements. Your backup data is encrypted using encryption keys managed by the AWS Key Management Service (KMS), reducing the need to build and maintain a key management infrastructure. The keys used to encrypt your AWS Backup data are independent of the keys used to encrypt the resources that the backups are based on. Having separate encryption keys for your production and backup data provides an important layer of protection for your applications.

You can create backups managed by backup plans, enabling you to define your backup requirements and apply these policies to the AWS resources you want to protect. Backup plans simplify and scale your data protection strategy across your applications and organization.

You can apply backup plans to your AWS resources by tagging them. AWS tags are a great way to consistently organize and classify your AWS resources.

You can customize backup schedules or choose from predefined backup schedules based on common best practices. AWS Backup automatically backs up your application resources according to the policies and schedules you define to avoid conflicting with production.

You can set backup retention policies that automatically retain and expire backups, minimizing backup storage costs. Configure lifecycle policies that automatically transition backups from warm storage to cold storage, helping lower backup storage costs by storing backups in a low-cost cold storage tier.

You can copy backups across different AWS Regions and accounts from a central console to meet compliance and disaster recovery needs. You can copy backups either manually as an on-demand copy, or automatically as part of a scheduled backup plan to multiple different Regions and accounts, and recover those backups in a new Region or account.

You can create data protection policies and use AWS Organizations to enforce the protection policies throughout all the accounts in that organization. This provides multi-account backups and gives an additional layer of protection should the source account experience disruption from accidental or malicious deletion, disasters, or ransomware.

With AWS Backup, a backup operator can back up all supported resources on AWS without requiring the backup operator to have direct access to those resources. This provides a separation of control where resource owners can't impact the retention of backups, and backup operators can't mutate or exfiltrate data.

You can set resource-based access policies on backup vaults. With resource-based access policies, you can control access to backups in a backup vault across all users, rather than having to define permissions for each user.

You can delegate backup policy management in AWS Organizations and cross-account monitoring in AWS Backup. This enables delegating backup management to a dedicated backup administration account, removing the need for member accounts to access management accounts for backup administration. Delegated backup administrators can create and manage backup policies and monitor backup activity across accounts. Organization-wide backup administration delegation through AWS Organizations enables securely centralized backup management at scale.

The AWS Backup console includes an Amazon CloudWatch dashboard to see metrics on completed or failed backup, copy, and restore jobs. Within this dashboard, you can view job status by time period, customized to the schedule you desire.

AWS Backup integrates with AWS CloudTrail, which provides a consolidated view of backup activity logs and simplifies the audit process for protected resources.

AWS Backup integrates with Amazon Simple Notification Service (Amazon SNS), which can automatically alert you on backup activity such as when a backup succeeds or a restore is initiated.

For a fully managed experience, you can use AWS Backup Audit Manager to monitor your backup activity across your accounts and Regions.

Multi-account and multi-Region ransomware recovery

AWS Backup provides capabilities that help protect and recover critical data from ransomware events and account compromise. Ransomware refers to a business model and wide range of associated technologies that bad actors use to extort money from entities. These actors use a range of tactics to gain unauthorized access to their victims’ data and systems, including exploiting unpatched vulnerabilities and weak or stolen credentials. Access to data and systems is then restricted by these actors, and a ransom demand is made for the safe return of these digital assets. There are several methods such actors use to restrict or reduce legitimate access to resources including encryption and deletion, modified access controls, and network-based denial of service attacks. 

You can back up your AWS CloudFormation stack along with its resources like AWS IAM roles and Amazon VPC security groups. This means you can more easily recover your entire application stack, and manage compliance of your data protection policies across the entire application stack.

You can import application definitions and create application-wide protection plans managed on a recurring schedule and cross-account or cross-Region copy for additional protection from ransomware events.

You can perform automated and periodic evaluation of restore viability as well as monitor restore job duration times with the restore testing feature. You can conduct recovery readiness test drills to prepare for possible data downtime or data loss events, satisfying compliance or regulatory requirements.

AWS Backup Vault Lock allows you to protect your backups from inadvertent or malicious deletion and from changes to their lifecycle, making the data immutable. You can use the AWS CLI, AWS Backup API, or AWS Backup SDK to apply the AWS Backup Vault Lock protection to an existing vault or a new one. AWS Backup Vault Lock works with backup policies such as retention periods, cold storage transitioning, cross-account, and cross-Region copy. This provides an additional layer of protection and helps meet your compliance requirements. AWS Backup Vault Lock has been assessed by Cohasset Associates for use in environments subject to SEC 17a-4, CFTC, and FINRA regulations.
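As an added example (not AWS's own code), the following Python sketch classifies the Vault Lock posture of vaults from records shaped like `DescribeBackupVault` responses, using the `Locked`, `LockDate`, and `MinRetentionDays` fields. The vault names, sample values, and the `required_min_days` threshold are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like DescribeBackupVault responses
# (vault names and values are made up for this example).
SAMPLE_VAULTS = [
    {"BackupVaultName": "prod-compliance", "Locked": True,
     "MinRetentionDays": 30, "MaxRetentionDays": 365,
     "LockDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"BackupVaultName": "prod-grace", "Locked": True,
     "MinRetentionDays": 30,
     "LockDate": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    {"BackupVaultName": "dev-governance", "Locked": True,
     "MinRetentionDays": 7},
    {"BackupVaultName": "scratch", "Locked": False},
]

def lock_posture(vault, now, required_min_days=30):
    """Return (state, findings) for one vault description.

    required_min_days is a hypothetical policy threshold, not an AWS default.
    """
    if not vault.get("Locked"):
        return "unlocked", ["no Vault Lock applied to this vault"]
    findings = []
    lock_date = vault.get("LockDate")
    if lock_date is None:
        # No LockDate: the lock settings can still be changed or deleted.
        state = "governance"
        findings.append("lock can be removed by a sufficiently privileged principal")
    elif lock_date > now:
        # LockDate in the future: still inside the changeable period.
        state = "compliance-grace"
        findings.append(f"lock still removable until {lock_date:%Y-%m-%d}")
    else:
        state = "compliance-immutable"
    min_days = vault.get("MinRetentionDays")
    if min_days is None or min_days < required_min_days:
        findings.append(f"MinRetentionDays below {required_min_days}")
    return state, findings

def audit(vaults, now):
    """Map each vault name to its (state, findings) tuple."""
    return {v["BackupVaultName"]: lock_posture(v, now) for v in vaults}

if __name__ == "__main__":
    report = audit(SAMPLE_VAULTS, datetime.now(timezone.utc))
    for name, (state, findings) in report.items():
        print(f"{name}: {state}", *findings, sep="\n  - ")
```

In a live account the same records would come from the AWS Backup API rather than the inline sample.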

NIST defines Zero Trust as an evolving set of cybersecurity controls that shifts from static, network-based perimeters to active defense in depth focused on users, assets, and resources. Use AWS Backup delegated admin with AWS Organizations, AWS Backup Audit Manager, and AWS Backup Vault Lock to help build your defense in depth as part of a Zero Trust architecture.

Data protection compliance with real-time analytics and insights

AWS Backup Audit Manager is a capability that monitors and generates audit reports of your data protection activity, such as backup frequency or backup retention period. AWS Backup Audit Manager is a fully managed experience that can generate daily reports with insights on the compliance status of your data protection frameworks.

You can audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs with AWS Backup Audit Manager. It provides built-in compliance controls which you can customize to define your data protection policies (such as backup frequency or retention period). It is designed to automatically detect violations against what you have defined as your data protection guardrails and will prompt you to take remediation actions. With AWS Backup Audit Manager, you can continuously evaluate backup activity and generate audit reports that can help you demonstrate compliance with regulatory requirements.

AWS Backup supports legal hold, which is used when an organization must retain certain data either for preservation, auditing, or as evidence in legal proceedings and e-Discovery. You can use legal holds to prevent backups from being deleted even if their retention period is over. Legal holds remain in place until they are explicitly released.

You can use compliance report templates to generate daily reports on the compliance of your backup activity and resources against the controls you defined in one or more frameworks. A framework is a collection of controls that helps you to evaluate your compliance posture.

You can use pre-built or customizable controls to define your policies and evaluate whether your backup practices comply with your policies. For more information on controls, visit the AWS Backup Developer Guide. You can also set up automatic daily reports to gain insights into the compliance status of your frameworks.