AWS Backup Documentation
Data protection of application resources on AWS and hybrid services overview
AWS Backup is designed to help protect application resources, including your AWS storage, database, and compute services as well as hybrid workloads like VMware.
Centralized, policy-based data protection
AWS Backup is designed to provide a backup console, public APIs, and a command line interface to centrally manage backups across the AWS storage, compute, database, and hybrid services your applications run on.
The AWS Backup vault is a logical container that is designed to store and manage your encrypted backups. When creating a backup vault, you must specify the AWS Key Management Service (AWS KMS) encryption key that encrypts the backups placed in this vault. All copied backups are designed to be encrypted with the key of the target vault.
AWS Backup is designed to encrypt your backup data at rest and in transit. Your backup data is designed to be encrypted using encryption keys managed by the AWS Key Management Service (KMS). The keys used to encrypt your AWS Backup data are designed to be independent of the keys used to encrypt the resources that the backups are based on.
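One way to check the encryption statements above against an account's inventory, as an added example (not AWS code): it flags recovery points that are unencrypted, that do not use their vault's key, or that share a key with the source resource. The records mirror the shape of the boto3 Backup responses `list_backup_vaults` and `list_recovery_points_by_backup_vault`; all ARNs and identifiers are constructed and shortened, and the `RESOURCE_KEYS` inventory is a hypothetical input gathered outside AWS Backup.

```python
# Added example: checks the page's encryption statements on constructed data.
# Records mirror the boto3 Backup responses list_backup_vaults and
# list_recovery_points_by_backup_vault; every ARN and id below is made up.
K_VAULT = "arn:aws:kms:us-east-1:111111111111:key/vault-key"
K_DR = "arn:aws:kms:us-west-2:222222222222:key/dr-vault-key"
K_APP = "arn:aws:kms:us-east-1:111111111111:key/app-volume-key"

VAULTS = [
    {"BackupVaultName": "prod-vault", "EncryptionKeyArn": K_VAULT},
    {"BackupVaultName": "dr-vault", "EncryptionKeyArn": K_DR},
]
RECOVERY_POINTS = [
    {"RecoveryPointArn": "rp-1", "BackupVaultName": "prod-vault",
     "ResourceArn": "res-efs", "IsEncrypted": True, "EncryptionKeyArn": K_VAULT},
    {"RecoveryPointArn": "rp-2", "BackupVaultName": "prod-vault",
     "ResourceArn": "res-vol", "IsEncrypted": True, "EncryptionKeyArn": K_APP},
    {"RecoveryPointArn": "rp-3", "BackupVaultName": "dr-vault",
     "ResourceArn": "res-efs", "IsEncrypted": True, "EncryptionKeyArn": K_DR},
    {"RecoveryPointArn": "rp-4", "BackupVaultName": "dr-vault",
     "ResourceArn": "res-old", "IsEncrypted": False},
]
# Hypothetical inventory: key protecting each source resource, gathered
# separately from the owning service (not part of the records above).
RESOURCE_KEYS = {"res-efs": K_APP, "res-vol": K_APP, "res-old": None}


def audit(vaults, recovery_points, resource_keys):
    """Return sorted (recovery_point, finding) pairs for encryption gaps."""
    vault_key = {v["BackupVaultName"]: v["EncryptionKeyArn"] for v in vaults}
    findings = []
    for rp in recovery_points:
        arn, key = rp["RecoveryPointArn"], rp.get("EncryptionKeyArn")
        if not rp.get("IsEncrypted") or not key:
            findings.append((arn, "UNENCRYPTED"))
            continue
        # A backup stored in a vault is expected to carry that vault's key.
        if key != vault_key.get(rp["BackupVaultName"]):
            findings.append((arn, "KEY_IS_NOT_VAULT_KEY"))
        # Same key as the source means one key exposure affects both copies.
        if key == resource_keys.get(rp["ResourceArn"]):
            findings.append((arn, "SHARES_SOURCE_RESOURCE_KEY"))
    return sorted(findings)


if __name__ == "__main__":
    for arn, finding in audit(VAULTS, RECOVERY_POINTS, RESOURCE_KEYS):
        print(f"{arn}: {finding}")
```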
You are enabled to create backups managed by backup plans, enabling you to define your backup requirements and apply these policies to the AWS resources by tagging them. You are enabled to customize backup schedules or choose from predefined backup schedules based on common best practices. AWS Backup is designed to back up your application resources according to the policies and schedules you define.
You are also enabled to set backup retention policies that retain and expire backups and configure lifecycle policies that transition backups from warm storage to cold storage.
You are enabled to copy backups across different AWS Regions and accounts from a central console.
You are enabled to create data protection policies and use AWS Organizations to enforce the protection policies throughout all the accounts in that organization.
Backup role-based access control
With AWS Backup, a backup operator is enabled to back up supported resources on AWS without requiring the backup operator to have direct access to those resources.
You are enabled to set resource-based access policies on backup vaults to help control access to backups in a backup vault across users.
You are enabled to delegate backup policy management in AWS Organizations and cross-account monitoring in AWS Backup. Delegated backup administrators are enabled to create and manage backup policies and monitor backup activity across accounts.
Backup activity monitoring
The AWS Backup console is designed to include a dashboard to see metrics on completed or failed backup, copy, and restore jobs. This dashboard is designed to assist you in viewing job status by time period, customized to the schedule you desire.
You are enabled to use AWS Backup Audit Manager to monitor your backup activity across your accounts and Regions.
Multi-account and multi-Region ransomware recovery
AWS Backup is designed to help protect and recover data from ransomware events and account compromise.
Data protection, analytics, and insights
Overview
AWS Backup Audit Manager is designed to monitor and generate audit reports of your data protection activity, such as backup frequency or backup retention period. AWS Backup Audit Manager is designed to generate reports with insights on the compliance status of your data protection frameworks.
Backup audits
You are enabled to audit and report on the compliance of your data protection policies to help meet your business and regulatory needs with AWS Backup Audit Manager. It is designed to provide compliance controls which you can customize to define your data protection policies (such as backup frequency or retention period). It is designed to detect violations against what you have defined as your data protection guardrails and to prompt you to take remediation actions. With AWS Backup Audit Manager, you are enabled to evaluate backup activity and generate audit reports.
Retention for legal hold
AWS Backup is designed to support legal holds, which prevent backups from being deleted even if their retention period is over and which remain in place until they are explicitly released.
Reporting
You are enabled to use compliance report templates to generate your reports on the compliance of your backup activity and resources against the controls you defined in one or more frameworks. You are enabled to use pre-built or customizable controls to define your policies and to set up reports to gain insights into the compliance status of your frameworks.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.