Amazon RDS Backup & Restore using AWS Backup

10 minute tutorial


AWS Backup enables you to centralize and automate data protection across AWS services. AWS Backup offers a cost-effective, fully managed, policy-based service that simplifies data protection at scale. AWS Backup helps you support your regulatory compliance obligations and meet your business continuity goals.

With just a few clicks in the AWS Backup console, you can create backup policies, called backup plans, that automate backup schedules and retention management. You use these plans to define your backup requirements, such as how frequently to back up your data and how long to retain those backups. AWS Backup lets you apply backup plans to your AWS resources by simply tagging them. AWS Backup then automatically backs up your AWS resources according to the backup plan that you defined.

AWS Backup currently supports Amazon Relational Database Service (Amazon RDS) database engines and Amazon Aurora clusters. When using AWS Backup with Amazon RDS and Amazon Aurora, you can centralize your compliance and policy control for backups, increase security choices for your organization, and access instant enterprise-level features and functionality. You pay only for the RDS backup capacity you use, with no other added costs. You can use AWS Backup to manage backups of Amazon RDS DB instances. Backups managed by AWS Backup are considered manual DB snapshots, but don't count toward the DB snapshot quota for Amazon RDS.

What you will learn

  • How to create an on-demand backup job of an Amazon RDS database
  • How to use a backup plan to back up Amazon RDS resources - using a backup plan within AWS Backup lets you automate your backups on a schedule
  • How to add resources to an existing backup plan using tags

 Time to Complete

10 minutes

You will need the following resources or permissions to proceed with this tutorial:
  • An AWS account will be needed for this tutorial. For more information on using AWS Backup for the first time, view the AWS Backup documentation.
  • One or more Amazon RDS databases (including those that are free tier eligible). For the pricing of databases not in the free tier, refer to Amazon RDS pricing. For AWS Backup pricing, refer to AWS Backup Pricing.
  • IAM roles used by AWS Backup to create a backup of the Amazon RDS database. 
    • If a subsequent role is not created, then the default IAM role can be used - AWSBackupDefaultRole
  • Step 1: Automating Amazon RDS backup and restore
    Go to AWS Backup in the AWS Management Console.
  • Step 2: Configure an on-demand AWS Backup Job of an Amazon RDS database
    • 2.1 — Configure the services used with AWS Backup
      • On the navigation pane on the left side of the AWS Backup console, under My account, choose Settings.
      • On the Service opt-in page, choose Configure resources.
      • On the Configure resources page, use the toggle switches to enable or disable the services used with AWS Backup. Choose Confirm when your services are configured.
        • AWS resources that you're backing up should be in the Region you are using for this tutorial, and resources must all be in the same AWS Region (however, see step 3.2 for information on cross-Region copy). This tutorial uses the US East (N. Virginia) Region (us-east-1). 
    • 2.2 — Create an on-demand backup Job of an Amazon RDS database
      • Back in the AWS Backup console, under My account on the left navigation pane, select Protected resources.
      • From the dashboard, select the Create on-demand backup button.
      • On the Create on-demand backup page, choose the resource type that you want to back up; for example, choose RDS for Amazon RDS.
      • Choose the database name or ID of the resource that you want to protect; for example, analytics.
      • Ensure that Create backup now is selected. This initiates your backup job immediately and enables you to see your saved resource sooner on the Protected resources page.
      • Only Amazon EFS backups support transition to cold storage. All other resource types are saved to warm storage. The Expire value is valid for all resource types.
      • Choose an existing backup vault. Choosing Create new Backup vault opens a new page to create a vault and then returns you to the Create on-demand backup page when you are finished.
      • Under IAM role, choose Default role.
          Note: If the AWS Backup Default role is not present in your account, then an AWS Backup Default role is created with the correct permissions.
      • Select the Create on-demand backup button. This takes you to the Jobs page, where you will see a list of jobs.
      • Choose the Backup job ID for the resource that you chose to back up to see the details of that job.
  • Step 3: Configure automatic AWS Backup Jobs of an Amazon RDS database
    • 3.1  — To configure the services used with AWS Backup
      • Back on the left navigation pane in the AWS Backup console, under My account, choose Settings.
      • On the Service opt-in page, choose Configure resources.
      • On the Configure resources page, use the toggle switches to enable or disable the services used with AWS Backup. Choose Confirm when your services are configured.
        • AWS resources that you're backing up should be in the Region you are using for this tutorial, and resources must all be in the same AWS Region (however, see step 3.2 for information on cross-Region copy). This tutorial uses the US East (N. Virginia) Region (us-east-1). 
    • 3.2  — Configure a backup plan for an Amazon RDS database
      • In the AWS Backup console, select Backup plans on the left navigation pane under My account, and then Create Backup plan.
      • AWS Backup provides three ways to get started using the AWS Backup console:
        • Start from an existing plan — You can create a new backup plan based on the configurations in an existing plan. Be aware that backup plans created by AWS Backup are based on backup best practices and common backup policy configurations. When you select an existing backup plan to start from, the configurations from that backup plan are automatically populated for your new backup plan. You can then change any of these configurations according to your backup requirements.
        • Build a new plan from scratch — You can create a new backup plan by specifying each of the backup configuration details, as described in the next section. You can choose from the recommended default configurations.
        • Define a plan using JSON - You can modify the JSON expression of an existing backup plan or create a new expression.
      • Backup plan name - You must provide a unique backup plan name. If you try to create a backup plan that is identical to an existing plan, you get an AlreadyExistsException error.
      • Backup Rules - Backup plans are composed of one or more backup rules. Backup rule names are case sensitive. They must contain from 1 to 63 alphanumeric characters or hyphens.
      • Backup Frequency - The backup frequency determines how often a backup is created. You can choose a frequency of every 12 hours, daily, weekly, or monthly. When selecting weekly, you can specify which days of the week you want backups to be taken. When selecting monthly, you can choose a specific day of the month.
      • Backup Window - Backup windows consist of the time that the backup window begins and the duration of the window in hours. The default backup window is set to start at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours.
      • Lifecycle
        • Transition to Cold Storage - Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon DynamoDB, and AWS Storage Gateway.
        • Expire - The Expire value is valid for all resource types. The backups are automatically purged after the days indicated in the expire value are surpassed.
      • Backup Vault - A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own.
      • Create New Backup Vault - Instead of using the default backup vault that is automatically created for you in the AWS Backup console, you can create specific backup vaults to save and organize groups of backups in the same vault.
      • To create a backup vault in the AWS Backup console, in the navigation pane on the left, choose Backup vaults.
      • Choose Create Backup vault.
      • Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups.
      • Select an AWS KMS key. You can use either a key that you already created, or select the default AWS Backup master key.
      • Optionally, add tags that will help you search for and identify your backup vault. 
      • Select the Create Backup vault button.
      • Generate Copy to Regions - As part of your backup plan, you can optionally create a backup copy in another AWS Region. Using AWS Backup, you can copy backups to multiple AWS Regions on-demand, or automatically as part of a scheduled backup plan. Cross-Region Replication (CRR) is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. When you define a backup copy, you configure the following options:
        • Destination Region - The destination Region for the backup copy.
        • (Advanced Settings) Backup Vault - The destination backup vault for the copy.
        • (Advanced Settings) IAM Role - The IAM role that AWS Backup uses when creating the copy. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. If you choose Default and the AWS Backup Default role is not present in your account, a role is created for you with the correct permissions.
        • (Advanced Settings) Lifecycle - Specifies when to expire (delete) the copy.

    Note: Cross-Region Copy incurs additional data transfer costs. You can refer to the AWS Backup pricing page for more information.

      • Tags Added to Recovery Points - The tags that you list here are automatically added to backups when they are created. 
      • Tags Added to Backup Plans - These tags are associated with the backup plan itself to help you organize and track your backup plan. 
      • Advanced Backup Settings - Enables application consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. This is only applicable for Windows EC2 Instances running SQL Server or Exchange databases.
      • Choose Create Backup plan.
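The backup plan options above, written as the JSON document that "Define a plan using JSON" expects and checked against the constraints this tutorial states. This is an added example, not AWS's code: the plan, vault names, account ID and `lint_plan` are constructed for illustration, and the schedule and `StartWindowMinutes` values are an assumed mapping of the default window (5 AM UTC, 8 hours).

```python
import json
import re

# Constructed plan in the JSON shape used by "Define a plan using JSON" and by
# `aws backup create-backup-plan`. Names, account ID and vault ARN are placeholders.
PLAN_JSON = """
{"BackupPlanName": "rds-daily",
 "Rules": [
  {"RuleName": "daily-35d",
   "TargetBackupVaultName": "FinancialBackups",
   "ScheduleExpression": "cron(0 5 ? * * *)",
   "StartWindowMinutes": 480,
   "Lifecycle": {"DeleteAfterDays": 35},
   "CopyActions": [{
     "DestinationBackupVaultArn":
       "arn:aws:backup:us-west-2:111122223333:backup-vault:FinancialBackups-dr",
     "Lifecycle": {"DeleteAfterDays": 35}}]},
  {"RuleName": "weekly_rule",
   "TargetBackupVaultName": "FinancialBackups",
   "ScheduleExpression": "cron(0 5 ? * 1 *)",
   "Lifecycle": {"MoveToColdStorageAfterDays": 30}}]}
"""

RULE_NAME = re.compile(r"[A-Za-z0-9-]{1,63}")  # constraint as stated in this tutorial


def lint_plan(plan, source_region="us-east-1"):
    """Return (rule name, finding) pairs for a plan that protects Amazon RDS."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "")
        life = rule.get("Lifecycle", {})
        if not RULE_NAME.fullmatch(name):
            findings.append((name, "name must be 1-63 alphanumerics or hyphens"))
        if "DeleteAfterDays" not in life:
            findings.append((name, "no Expire value, so backups are never purged"))
        if "MoveToColdStorageAfterDays" in life:
            findings.append((name, "cold storage setting is ignored for RDS"))
        # A copy adds geographic separation only if it leaves the source Region.
        regions = [c["DestinationBackupVaultArn"].split(":")[3]
                   for c in rule.get("CopyActions", [])]
        if all(r == source_region for r in regions):
            findings.append((name, "no copy outside " + source_region))
    return findings


if __name__ == "__main__":
    for rule_name, finding in lint_plan(json.loads(PLAN_JSON)):
        print(f"{rule_name}: {finding}")
```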

    Assign resources to the backup plan

    When you assign a resource to a backup plan, that resource is backed up automatically according to the backup plan. The backups for that resource are managed according to the backup plan. You can assign resources using tags or resource IDs. Using tags to assign resources is a simple and scalable way to back up multiple resources.

    • Select the created backup plan, and select the Assign Resources button.
    • Resource Assignment Name - Provide a resource assignment name. 
    • IAM Role - When creating a tag-based backup plan, if you choose a role other than Default role, make sure that it has the necessary permissions to back up all tagged resources. AWS Backup tries to process all resources with the selected tags. If it encounters a resource that it doesn't have permission to access, the backup plan fails.
    • Assign By - You can select Tags or Resource ID. For tags-based resource assignment, provide the key-value pair of the Amazon RDS database. 
    • For Resource ID-based assignment, select Resource ID, RDS, and select the name of the RDS database.
    • Select Assign Resources to assign the resources to the backup plan.
    • Navigate to the AWS Backup console; the backup jobs appear under Jobs.
    • A backup, or recovery point, represents the content of a resource, such as an Amazon Elastic Block Store (Amazon EBS) volume or Amazon RDS database, at a specified time. Recovery point is a term that refers generally to the different backups in AWS services, such as Amazon EBS snapshots and Amazon RDS backups. In AWS Backup, recovery points are saved in backup vaults, which you can organize according to your business needs. Each recovery point has a unique ID. 
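A pre-flight check for the tag-based assignment described under "Assign resources to the backup plan": it resolves the tag pair against an inventory to show which services the IAM role must cover and which RDS databases the tag misses. This is an added example, not AWS's code; the inventory, `tag_selection`, `preflight` and the `role_services` summary are hypothetical.

```python
from collections import defaultdict

# Constructed inventory (ARN -> tags); account ID and names are placeholders.
INVENTORY = {
    "arn:aws:rds:us-east-1:111122223333:db:analytics": {"backup": "daily"},
    "arn:aws:rds:us-east-1:111122223333:db:scratch": {"backup": "none"},
    "arn:aws:rds:us-east-1:111122223333:db:reporting": {"Backup": "daily"},
    "arn:aws:dynamodb:us-east-1:111122223333:table/orders": {"backup": "daily"},
}


def tag_selection(name, role_arn, key, value):
    """The Assign By: Tags form expressed as a BackupSelection document."""
    return {"SelectionName": name, "IamRoleArn": role_arn,
            "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                            "ConditionKey": key, "ConditionValue": value}]}


def preflight(selection, inventory, role_services):
    """Resolve a tag selection against an inventory before assigning it.

    role_services is a hypothetical summary of the services the chosen IAM
    role may back up; build it from the role's actual policies.
    """
    matched = defaultdict(list)
    for arn, tags in inventory.items():
        # Tag keys and values are case-sensitive; any listed pair selects.
        if any(tags.get(c["ConditionKey"]) == c["ConditionValue"]
               for c in selection["ListOfTags"]):
            matched[arn.split(":")[2]].append(arn)
    selected = {a for arns in matched.values() for a in arns}
    return {
        "matched": dict(matched),
        # Services swept in by the tag that the role cannot back up.
        "uncovered_services": sorted(s for s in matched if s not in role_services),
        # RDS databases the tag misses, e.g. through a mis-cased key.
        "unselected_rds": [a for a in inventory
                           if a.split(":")[2] == "rds" and a not in selected],
    }
```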
  • Step 4: Restore of an Amazon RDS database using AWS Backup

    4.1 — Navigate to the backup vault that was selected in the backup plan and select the latest completed backup. To restore the database, click on the recovery point ARN and select Restore.

    • Restoring the recovery point brings you to a Restore backup screen that shows the instance specifications and configurations for the Amazon RDS database. Select the DB engine, License Model, and DB instance class.
    • Multi AZ - Using a Multi-AZ deployment will automatically provision and maintain a synchronous standby replica in a different Availability Zone. Note that you will have to pay for Multi-AZ deployment. 
    • Storage Type - Leave at Provisioned IOPS (SSD).
    • Provisioned IOPS - The requested number of I/O operations per second that the DB instance can support. 
    • DB Instance Identifier - Type a name for the DB instance that is unique for your account in the Region that you selected. If you're restoring from a DB instance that you deleted after you made the DB snapshot, you can use the name of that DB instance.
    • VPC - Select the VPC where the database needs to be restored to.
    • Subnet Group - Select the subnet group in the VPC where the database needs to be restored to.
    • Public accessibility - You can choose if you need the DB Instances to have a public address or not. If you choose Yes, this will allocate an IP address for your database instance so that you can directly connect to the database from your own device.
    • Availability Zone - Choose No Preference.
    • Database Port - Leave the default value of 3306.
    • DB Parameter Group - Leave the default value.
    • Option Group - Leave the default value. Amazon RDS uses option groups to enable and configure additional features. 
    • IAM DB Authentication Enabled - You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. Select Enable IAM DB authentication.
    • Copy Tags to Snapshots - Tags can be set on the database instances to be automatically copied to any automated or manual database snapshots that are created from your instances. 
    • Encryption - This is the master key that will be used to protect the key that is used to encrypt the database volume. You can choose from master keys in your AWS account or enter the Amazon Resource Name (ARN) of a key from a different account. 
    • Log exports - Select the log types to publish to Amazon CloudWatch logs.
    • Maintenance - Select Yes if the DB instance should receive automatic engine version upgrades.
    • Restore role - Select the Default role or Choose an IAM role.
    • Select Restore backup.
    • Your job will then appear under the Jobs section in the Restore jobs tab in the AWS Backup console.
    • Once the restore job is completed, you can navigate to the Amazon RDS console and use the endpoint to connect to the database.
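Because every option on the Restore backup screen is chosen again at restore time, the restored instance can differ from its source. The check below compares the two as they appear in `aws rds describe-db-instances` output and lists settings that weaken the copy. It is an added example, not AWS's code; both sample entries, their identifiers and the function names are constructed.

```python
# Constructed entries in the shape of `aws rds describe-db-instances` output;
# identifiers and the key ARN are placeholders.
SOURCE = {
    "DBInstanceIdentifier": "analytics",
    "PubliclyAccessible": False, "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "IAMDatabaseAuthenticationEnabled": True, "MultiAZ": True,
    "CopyTagsToSnapshot": True, "Endpoint": {"Port": 3306},
    "DBSubnetGroup": {"DBSubnetGroupName": "private-db", "VpcId": "vpc-EXAMPLE"},
    "EnabledCloudwatchLogsExports": ["error", "audit"],
}
RESTORED = dict(SOURCE, DBInstanceIdentifier="analytics-restored",
                PubliclyAccessible=True, IAMDatabaseAuthenticationEnabled=False,
                DBSubnetGroup={"DBSubnetGroupName": "default", "VpcId": "vpc-EXAMPLE"})
del RESTORED["EnabledCloudwatchLogsExports"]  # no log types selected at restore

CHECKS = [  # (option on the Restore backup screen, describe-db-instances field)
    ("Public accessibility", "PubliclyAccessible"),
    ("Encryption", "StorageEncrypted"),
    ("Encryption key", "KmsKeyId"),
    ("IAM DB authentication", "IAMDatabaseAuthenticationEnabled"),
    ("Multi AZ", "MultiAZ"),
    ("VPC", "DBSubnetGroup.VpcId"),
    ("Subnet group", "DBSubnetGroup.DBSubnetGroupName"),
    ("Database port", "Endpoint.Port"),
    ("Copy tags to snapshots", "CopyTagsToSnapshot"),
    ("Log exports", "EnabledCloudwatchLogsExports"),
]


def field(instance, path):
    """Follow a dotted path; return None when any part is absent."""
    value = instance
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return sorted(value) if isinstance(value, list) else value


def restore_drift(source, restored):
    """Map each option to (source value, restored value) where the two differ."""
    pairs = ((label, field(source, p), field(restored, p)) for label, p in CHECKS)
    return {label: (a, b) for label, a, b in pairs if a != b}


def exposures(restored):
    """Settings that weaken the restored copy whatever the source had."""
    checks = [("public endpoint", restored.get("PubliclyAccessible", False)),
              ("unencrypted storage", not restored.get("StorageEncrypted", False)),
              ("IAM DB authentication off",
               not restored.get("IAMDatabaseAuthenticationEnabled", False))]
    return [name for name, bad in checks if bad]
```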
  • Step 5: Clean up

    In the following steps, you will clean up the resources you created in this tutorial. It is a best practice to delete instances and resources that you are no longer using so that you are not continually charged for them.

    5.1 — Open the Amazon RDS console.
    5.2 — In the navigation pane, choose Databases.
    5.3 — Select the restored RDS database, and choose Actions, Delete.
    5.4 — To confirm deletion, type delete me into the field.

    Note: This process can take several seconds to complete. 

Additional resources: Working with Amazon RDS and Amazon Aurora

You successfully created an on-demand backup job of an Amazon RDS database! You also used a backup plan to back up Amazon RDS resources. As a great next step, check out recently published AWS Backup blogs to further your AWS Cloud knowledge.