Q: What is AWS Backup?
AWS Backup is a fully managed service that enables you to centralize and automate data protection across on-premises and AWS services. Together with AWS Organizations, AWS Backup allows you to centrally deploy data protection (backup) policies to configure, manage, and govern your backup activity across your organization’s AWS accounts and resources. AWS Backup also enables you to audit and report on the compliance of your data protection policies with AWS Backup Audit Manager.
Q: How does AWS Backup work?
AWS Backup allows you to define a central data protection policy (called a backup plan) that works across AWS services for compute, storage, and databases. The backup plan defines parameters such as backup frequency and backup retention period. Once you define your data protection policies and assign AWS resources to the policies, AWS Backup automates the creation of backups and stores those backups in an encrypted backup vault that you designate. The centralized policies in AWS Backup also let you define access controls and automate backup access management across all your accounts within your AWS Organizations. You can use AWS Backup’s central console to view your AWS resources that are being protected, restore from a backup, and monitor backup and restore activity. Additionally, with AWS Backup, you can generate reports on compliance metrics such as backup frequency, data retention period, and backup coverage across your AWS resources, and demonstrate compliance to auditors.
Q: Why should I use AWS Backup?
Protecting your data is an important step towards ensuring that you meet your business and regulatory compliance requirements. Even durable resources are susceptible to threats such as bugs in your application that could cause accidental deletions or corruption. Building and managing your own backup workflows across all your applications in a compliant and consistent manner can be complex and costly. AWS Backup removes the need for costly, custom solutions or manual processes by providing a fully managed, policy-based data protection solution.
Q: What are the key features of AWS Backup?
AWS Backup provides a centralized console, automated backup scheduling, backup retention management, and backup monitoring and alerting. AWS Backup also offers advanced features such as lifecycling backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, audit and compliance reporting capabilities with Backup Audit Manager, and delete protection with Backup Vault Lock.
Q: What can I back up using AWS Backup?
You can use AWS Backup to create and manage the backups of the following AWS services:
- Amazon Elastic Block Store (Amazon EBS) volumes
- Amazon Elastic Compute Cloud (Amazon EC2) instances (including Windows applications)
- Windows Volume Shadow Copy Service (VSS) supported applications (including Windows Server, Microsoft SQL Server, and Microsoft Exchange Server) on Amazon EC2.
- Amazon Relational Database Service (Amazon RDS) databases (including Amazon Aurora clusters)
- Amazon DynamoDB tables, Amazon Elastic File System (Amazon EFS) file systems
- Amazon FSx for NetApp ONTAP file systems
- Amazon FSx for OpenZFS file systems
- Amazon FSx for Windows File Server file systems
- Amazon FSx for Lustre file systems
- Amazon Neptune databases
- Amazon DocumentDB (with MongoDB compatibility) databases
- AWS Storage Gateway volumes
- Amazon Simple Storage Service (Amazon S3).
- You can also use AWS Backup to create and manage backups of Amazon Outposts, VMware CloudTM on AWS, and on-premises VMware virtual machines.
Q: Can I use AWS Backup to back up on-premises data?
Yes, you can use AWS Backup to back up your on-premises Storage Gateway volumes and VMware virtual machines, providing a common way to manage the backups of your application data both on premises and on AWS.
Q: Can I use AWS Backup to access backups created by services with existing backup capabilities?
Yes. Backups created using services with existing backup capabilities, such as EBS Snapshots, can be accessed using AWS Backup. Similarly, backups created by AWS Backup can be accessed using the source service.
Q: How does AWS Backup work with other AWS services that have backup capabilities?
Today, several AWS services offer backup features that help you protect your data, such as S3 replication, EBS snapshots, RDS snapshots, Amazon FSx backups, Amazon DynamoDB backups, and AWS Storage Gateway snapshots. All existing per-service backup capabilities remain unchanged. AWS Backup provides a common way to manage backups across AWS services both on AWS and on premises. AWS Backup is a centralized service that offers backup scheduling, retention management, and backup monitoring. AWS Backup supports existing backup functionality provided by Amazon S3, Amazon EBS, Amazon RDS, Amazon FSx, DynamoDB, and Storage Gateway. For AWS services that have backup functionality built on AWS Backup, such as Amazon EFS and DynamoDB, AWS Backup provides you with backup management capabilities, such as backup scheduling, retention management, and backup monitoring, as well as additional features, such as lifecycling backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, and backup access policies.
Q: How does AWS Backup relate to Amazon Data Lifecycle Manager and when should I use one over the other?
Amazon Data Lifecycle Manager (DLM) policies and backup plans created in AWS Backup work independently from each other and provide two ways to manage EBS Snapshots. DLM provides a simple way to manage the lifecycle of EBS resources, such as volume snapshots. You should use DLM when you want to automate the creation, retention, and deletion of EBS Snapshots. You should use AWS Backup to manage and monitor backups across the AWS services you use, including EBS volumes, from a single place.
Q: What is a recovery point?
A recovery point represents the content of a resource at a specified time. Recovery points also include metadata such as information about the resource, restore parameters, and tags.
Q: What is a backup plan?
A backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as DynamoDB tables or EFS file systems. You assign resources to backup plans and AWS Backup will then automatically make and retain backups for those resources according to the backup plan. Backup plans are composed of one or more backup rules. Each backup rule is composed of 1) a backup schedule, which includes the backup frequency (Recovery Point Objective - RPO) and backup window, 2) a lifecycle rule that specifies when to transition a backup from one storage tier to another and when to expire the recovery point, 3) the backup vault in which to place the created recovery points, and 4) the tags to be added to backups upon creation. For example, a backup plan might have a “daily backup rule” and a “monthly backup rule.” The daily rule backs up resources every day at midnight and retains the backups for one month. The monthly rule takes a backup once a month on the beginning of every month and retains the backups for one year.
Q: What is a backup vault?
A backup vault (or backup storage vault) is an encrypted storage location in your AWS account that stores and organizes your backups (recovery points). You can create new backup vaults in every AWS Region where AWS Backup is available, and you can enable delete-protection on the backup vaults using AWS Backup Vault Lock to prevent malicious actors from re-encrypting your data. AWS Backup stores your continuous backups and periodic snapshots in the backup vault of your preference and lets you browse and restore as per your requirements.
Q: How does the AWS Backup lifecycle feature work?
The AWS Backup lifecycle feature allows you to automatically transition your recovery points from a warm storage tier to a lower-cost cold storage tier. Please note that cold storage tier is available only for backups of Amazon EFS, Amazon DynamoDB, and VMware virtual machines.
Q: How does encryption work in AWS Backup?
Backups for Amazon EFS, Amazon DynamoDB, Amazon S3, and VMware virtual machines are encrypted in transit and at rest independently from the source services, giving your backups an additional layer of protection. Encryption is configured at the backup vault level. Backups from other services (EC2, EBS, FSx, RDS, Aurora, DocumentDB, Neptune, Storage Gateway) are encrypted using the source service’s backup encryption methodology. For example, EBS snapshots are encrypted using the encryption key of the volume the snapshot was created from.
Q: How do I use access policies in a backup vault to control access to backups?
AWS Backup allows you to set resource-based policies on backup vaults, enabling you to control access to the backup vault and the backups in it.
Q: What services provide support for AWS Backup advanced features?
Services that have backup functionality built on AWS Backup support additional backup features, such as lifecycle tiering of backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, and backup access policies. Currently, Amazon EFS and Amazon DynamoDB support AWS Backup advanced features with backup functionality integrated with AWS Backup. To enable AWS Backup advanced features for Amazon DynamoDB, you need to opt in through settings. Amazon EFS, Amazon S3, and VMware virtual machines automatically support AWS Backup advanced features. AWS Backup for Amazon S3 supports backup access policies and encryption of backups with a different key, but does not support cold storage tier.
Q: What is AWS Backup Audit Manager?
AWS Backup Audit Manager allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs. AWS Backup enables you to centralize and automate data protection policies across AWS services based on organizational best practices and regulatory standards, and AWS Backup Audit Manager helps you maintain and demonstrate compliance to those policies.
Q: Why should I use AWS Backup Audit Manager?
You should use AWS Backup Audit Manager if you want to verify that the workloads that you create in (or migrate to) AWS meet your data protection requirements. AWS Backup Audit Manager saves the time and effort required to implement, track, and demonstrate adherence to your backup governance and compliance policies, enabling you to focus more on your core competencies.
Q: How can I use AWS Backup Audit Manager?
You can use AWS Backup Audit Manager via the AWS Management Console, CLI, API, or SDK. AWS Backup Audit Manager provides built-in compliance controls and allows you to customize these controls to define your data protection policies. It is designed to automatically detect violations of your defined data protection policies and will prompt you to take corrective actions. With AWS Backup Audit Manager, you can continuously evaluate backup activity and generate audit reports that can help you demonstrate compliance with regulatory requirements to internal governance officers and external auditors.
Q: What is a Backup Audit Manager control and framework?
An AWS Backup Audit Manager control is a procedure designed to audit the compliance of a backup requirement, such as backup frequency or backup retention period. A Backup Audit Manager framework is a collection of controls that can be easily deployed and managed as a single entity.
Q: How does a Backup Audit Manager control work?
An AWS Backup Audit Manager control evaluates the configuration of your backup resources against your defined configuration settings. If the resource meets the configuration defined in the control, then the compliance status of the resource for that control is COMPLIANT. If it does not, then the status is NON_COMPLIANT. If all the resources evaluated by a Backup Audit Manager control are compliant, then the compliance status of the control is COMPLIANT. Similarly, if all the controls in a framework are compliant, then the compliance status of the framework is COMPLIANT.
Q: How can I view the compliance results of my Backup Audit Manager controls and frameworks?
On the AWS Backup console, you can navigate to the Backup Audit Manager Frameworks section and click on the framework name to view the compliance status of your framework and controls.
Q: What kind of reports can I create in Backup Audit Manager?
You can create reports related to your AWS Backup activity. These reports help you get details of your backup, copy, and restore jobs. You can use these reports to monitor your operational posture and identify any failures that may need further action.
Q: How does AWS Backup Audit Manager work with other AWS services?
AWS Conﬁg continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Backup Audit Manager integrates with AWS Config to track your backup activity and transcribe your data protection policies into backup controls. Once you have deployed your backup controls, AWS Backup Audit Manager evaluates your backup activity against your controls and records backup compliance status. You can also generate reports for auditing and monitoring purposes.
Q: Which compliance programs does AWS Backup support?
AWS has the longest-running compliance program in the cloud and is committed to helping customers navigate their requirements. AWS Backup has been assessed to meet global and industry security standards. It complies with PCI DSS, ISO 9001, 27001, 27017, and 27018, in addition to being HIPAA eligible. That makes it easier for you to verify our security and meet your own obligations. For more information and resources, visit our compliance pages. You can also go to the Services in Scope by Compliance Program page to see a full list of services and certifications.
Q: Is AWS Backup PCI compliant?
Yes. AWS Backup is PCI-DSS compliant, which means you can use it to transfer payment information. You can download the PCI Compliance Package in AWS Artifact to learn more about how to achieve PCI Compliance on AWS.
Q: Is AWS Backup HIPAA eligible?
Yes. AWS Backup is HIPAA eligible, which means if you have a HIPAA BAA in place with AWS, you can use AWS Backup to transfer protected health information (PHI).
Q: What is AWS Backup Vault Lock?
AWS Backup Vault Lock is a feature that enables you to prevent changes to backup lifecycle as well as prevent manual deletion of backups, helping you meet your compliance requirements. AWS Backup Vault Lock implements safeguards that ensure you are storing your backups using a Write-Once-Read-Many (WORM) model.
Q: Why should I use AWS Backup Vault Lock?
You should use AWS Backup Vault Lock to ensure that no user, including administrators or perpetrators of malicious actions, can delete your backups or change their lifecycle settings such as retention periods and transition to cold storage. AWS Backup keeps these backups according to your scheduled retention periods, helping you meet your business continuity goals. In addition, AWS Backup Vault Lock works seamlessly with backup policies such as retention periods, cold storage transitioning, cross-account, and cross-Region copy, providing you an additional layer of protection and helping you meet your compliance requirements. AWS Backup Vault Lock protects you from keeping backups that don’t meet your acceptable minimum and maximum retention periods.
Q: How does AWS Backup Vault Lock differ from Amazon S3 Glacier Vault Lock?
While AWS Backup Vault Lock applies to data residing in your AWS Backup backup vault, Amazon S3 Glacier Vault Lock applies to an individual Amazon S3 Glacier Vault. AWS Backup Vault Lock prevents manual deletion of backups and changes to backup lifecycle settings to help you centrally protect backups across AWS services. Amazon S3 Glacier Vault Lock enables you to enforce compliance controls that are designed to support long-term record retention for individual Amazon S3 Glacier vaults. Note that while Amazon S3 Glacier Vault has been assessed for compliance with SEC 17a-4f and CFTC 1.31(b)-(c), AWS Backup Vault Lock has not yet been assessed for compliance with these rules.
Q: How does AWS Backup Vault Lock work?
AWS Backup Vault Lock is an optional configuration at the AWS Backup vault level and comprises three properties: minimum acceptable retention days, maximum acceptable retention days, and a cooling-off period. It blocks backup deletion operations and changes to their lifecycle.
If you enable the AWS Backup Vault Lock configuration, then AWS Backup will protect all newly created recovery points in the vault against deletion and changes to their lifecycle. AWS Backup will also fail all backup jobs with retention periods not meeting the AWS Backup Vault Lock acceptable retention periods.
AWS Backup Vault Lock ensures that your backups are available until they reach their retention periods and expire. If any user, including the root account user, attempts to delete a backup or update its lifecycle properties in a locked vault, AWS Backup denies the operation.
The cooling-off period allows you to test the feature for a number of days you define. You can update and remove the AWS Backup Vault Lock configuration as long as the cooling-off period has not expired. Once the cooling-off period expires, AWS Backup will not allow any change to the configuration.
AWS Backup for Amazon S3
Q: How does AWS Backup for Amazon S3 work?
AWS Backup allows you to define a central backup policy to manage backup and restore for your application across AWS services for compute, storage, and database services. Once you define your backup policy and assign S3 resources to that policy, AWS Backup automates the creation of S3 backups and stores those backups in an encrypted storage vault that you designate. Create continuous point-in-time backups or periodic backups of S3 buckets, including object data, object tags, access control lists (ACLs), and user-defined metadata. The first backup is a full snapshot, while subsequent backups are incremental. If there is a data disruption event, you can choose a backup from the backup vault and restore an S3 bucket (or individual S3 objects) to a new or existing S3 bucket. The centralized policies in AWS Backup also let you define access controls and automate backup access management across all your accounts within your AWS Organizations.
Q: How are these capabilities different from what Amazon S3 provides?
Both AWS Backup and Amazon S3 offer capabilities that help you manage the business continuity of your applications. While AWS Backup allows you to centrally manage backup and restore for your applications across multiple AWS services, S3 allows you to manage data in S3 buckets and objects. If you’re a backup administrator responsible for the backups, restores, and compliance of your applications across multiple AWS services, you can use AWS Backup to meet those needs. S3 capabilities such as Versioning, Object Lock, and Replication help storage administrators preserve data and prevent the unintended deletion of S3 data. You can use both sets of capabilities together to manage backup and restore across your organization.
Q: Can I use an existing backup plan in AWS Backup to start backing up Amazon S3?
Yes, if you already have a backup plan for your application and you want to use the same backup plan for S3, simply add your S3 resources to the existing backup plan using tags or S3 bucket ARNs. AWS Backup matches the tags in S3 buckets to the ones assigned to your backup plan and centrally backs up those S3 resources, along with other AWS services that your application uses.
Q: What backup options are available in AWS Backup for Amazon S3?
You have two backup options available for S3 resources in AWS Backup: continuous and periodic. Continuous backups allow you to restore S3 resources to any point in time within the last 35 days. You can use this point-in-time feature to restore your S3 resources to their condition at any time within the last 35 days. Periodic backups, on the other hand, allow you to retain data for an infinite period of time. You can schedule snapshots using frequencies such as 1 hour, 12 hours, 1 day, 1 week, or 1 month, or create them on demand. Continuous backups are useful for undoing accidental deletions, while periodic snapshots can help you meet long-term data retention needs.
Q: Are there any prerequisites to creating backups of S3 buckets?
Yes, turning on S3 Versioning is a prerequisite to creating backups of S3 buckets and objects. Set a lifecycle expiration period for your versionsas well—if you don’t, your S3 costs could increase since AWS Backup backs up and stores all unexpired versions of your S3 data. See the technical documentation for more information.
AWS Backup support for VMware
Q: How does AWS Backup help with VMware data protection?
AWS Backup extends its in-cloud, fully managed service capabilities to your VMware environment, helping you provide a unified view of backups across your AWS and on-premises AWS environments. AWS Backup integrates with VMware ESXi VMs, schedules and manages VMware backups, and stores backups in AWS, allowing you to fully manage VMware data protection from AWS. Using AWS Backup, you can efficiently store backups in AWS, and copy them across AWS Regions and accounts for business continuity and ransomware protection. You can restore VMware backups on premises or in AWS for business continuity validation and test/dev use cases. The AWS Backup policy-driven approach enables you to centrally manage protection of VMware workloads along with supported AWS services for compute, storage, and databases in an automated, scalable way.
Q: How does AWS Backup support for VMware work?
AWS Backup connects to VMware workloads using AWS Backup gateway, which you’ll deploy in your VMware environment. AWS Backup gateway discovers VMs through VMware vCenter Server, takes VM snapshots, and manages backup and restore data between AWS Backup and your VMware environment. You can use tags or VM Resource IDs or group assignment by VM folder or hypervisor to assign VMs to your backup policies, which centrally govern data protection of VMware VMs with supported AWS Backup services. After completing these steps, AWS Backup starts backing up VMs securely into its storage vaults. You can view your VMware backups from AWS Backup and restore the backups on premises or in AWS as per your requirement.
Q: Which VMware versions and features do you support using AWS Backup?
AWS Backup supports VMware ESXi 6.7.X, and 7.0.X VMs running on NFS, VMFS, and VSAN datastores on premises, in VMware CloudTM on AWS, and on VMware CloudTM on AWS Outposts. In addition, AWS Backup supports both SCSI Hot-Add and Network Block Device (NBD) transport modes for copying data from source virtual machines (VMs) to AWS.
Q: What VMware CloudTM on AWS Outposts deployment use cases do you support?
You can use AWS Backup to protect your VMs on VMware CloudTM on AWS Outposts. AWS Backup stores your VM backups in the AWS Region your VMware CloudTM on AWS Outposts is connected to. You can use AWS Backup to protect your VMware CloudTM on AWS Outposts VMs when you’re using VMware CloudTM on AWS Outposts to meet your low latency and local data processing needs for your application data. Based on your data residency requirements, you may choose AWS Backup to store backups of your application data in the parent AWS Region that your Outposts is connected to.
Q: Where can I restore VMware backups?
You can restore VMware backups to a new on-premises VMware virtual host, VMware CloudTM on AWS, VMware CloudTM on AWS Outposts, or Amazon EBS from the AWS Backup console.
Q: Can I transition VMware backups to a cold storage tier?
Yes, based on your organizational needs, you can configure lifecycle policies in AWS Backup to automatically transition your VMware backups from warm storage to low-cost cold storage. Backups that are transitioned to cold storage have a minimum 90 days of storage, and backups deleted before 90 days incur a pro-rated charge equal to the storage charge for the remaining days.
Q: What backup modes do you support for VMware?
AWS Backup supports first full, then incremental-forever backups of VMware VMs that you can create on demand or via the schedule as configured in your backup plan.
Q: What level of consistency do you support for VMware backups?
AWS Backup, by default, captures app-consistent backups of VMware VMs using the VMware Tools quiescence setting on the VM. AWS Backup captures crash-consistent backups if the quiescence capability is not available.
Q: Does AWS Backup support compression for VMware backups?
Yes, AWS Backup compresses VMware backups in transit to AWS, enabling you to optimally use your network connection to AWS.
Q: Are my VMware backups encrypted?
Yes, your VM backups are encrypted in transit and at rest using AES-256 encryption algorithm. You can also use customer-managed keys to encrypt backups stored in the cloud.
Q: Can I copy VMware backups to another AWS Region?
Yes, you can store a copy of VMware backups in a different AWS Region from your production backups, helping you to more easily meet business continuity, disaster recovery, and compliance requirements.
Q: Can I copy VMware backups to another AWS account?
Yes, you can copy VMware backups to another AWS account, enabling you to use backups between your production and dev/test environments, or between different department and project accounts. Copying VMware backups to another AWS account, which is enabled by AWS Backup’s integration with AWS Organizations, also provides an extra level of account isolation and security.
Q: How much network bandwidth do I need to back up VMware VMs to AWS?
The network bandwidth you need depends on the number of VMware VMs you want to protect, the size of each VM, incremental data generated per VM, and your backup window and restore requirements. We recommend you have at least 100 Mbps bandwidth to AWS to backup on-premises VMware VMs using AWS Backup.
Q: Can I deploy a Backup gateway on my private non-routable network? Does Backup gateway support AWS PrivateLink?
Yes. You can deploy a Backup gateway on a private, non-routable network if that network is connected to your Amazon VPC via Direct Connect or VPN. Backup gateway traffic will be routed via VPC endpoints powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs.
Q: What is the cost for using VPC endpoints with Backup gateway?
You will be billed for each hour that your VPC endpoint remains provisioned. Data processing charges also apply for each Gigabyte processed through the VPC endpoint regardless of the traffic’s source or destination. Visit AWS PrivateLink pricing to learn more.
There are no upfront costs to use AWS Backup, and you pay only for the resources you use.
Instantly get access to the AWS Free Tier.
Get started building with AWS Backup in the AWS Management Console.