Q: What is AWS Backup?
AWS Backup is a centralized backup service that makes it easy and cost-effective for you to back up your application data across AWS services in the AWS Cloud, helping you meet your business and regulatory backup compliance requirements. AWS Backup makes protecting your AWS storage volumes, databases, and file systems simple by providing a central place where you can configure and audit the AWS resources you want to back up, automate backup scheduling, set retention policies, and monitor all recent backup and restore activity.
Q: How does AWS Backup work with other AWS services that have backup capabilities?
Today, several AWS services offer backup features that help you protect your data, such as EBS snapshots, RDS snapshots, Amazon FSx backups, DynamoDB backups, and Storage Gateway snapshots. All existing per-service backup capabilities remain unchanged. AWS Backup provides a new, common way to manage backups across AWS services both in the AWS Cloud and on premises. AWS Backup introduces a centralized backup console that offers backup scheduling, retention management, and backup monitoring. AWS Backup supports existing backup functionality provided by EBS, RDS, Amazon FSx, DynamoDB, and Storage Gateway. For AWS services that have backup functionality built on AWS Backup, such as Amazon EFS, AWS Backup provides you with backup management capabilities, such as backup scheduling, retention management and backup monitoring, as well as additional features, such as lifecycling backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, and backup access policies.
Q: Why should I use AWS Backup?
Backing up your data is an important step towards protecting your application and ensuring that you meet your business and regulatory backup compliance requirements. Even durable resources are susceptible to threats like bugs in your application that could cause accidental deletions or corruption. Building and managing your own backup workflows across all your applications in a compliant and consistent manner can be complex and costly. AWS Backup removes the need for costly, custom solutions or manual processes by providing a fully managed, policy-based backup solution that provides automated backup scheduling and backup retention management.
Q: How does AWS Backup work?
To get started with AWS Backup, create a backup policy called a backup plan, which defines parameters such as how frequently to back up your resources and how long to store those backups. You can then assign resources to backup plans and AWS Backup will start automatically backing up these resources and managing backup retention on your behalf according to your backup plan. You can use AWS Backup’s central console to view your AWS resources that are being protected, restore from a backup, and monitor backup and restore activity.
Q: What are the key features of AWS Backup?
AWS Backup provides a centralized console, automated backup scheduling, backup retention management, and backup monitoring and alerting. AWS Backup also offers advanced features such as lifecycling backups to a low-cost storage tier, backup storage and encryption that is independent from its source data, and backup access policies.
Q: What can I back up using AWS Backup?
You can use AWS Backup to manage the backups of EBS volumes, EC2 instances, RDS databases, DynamoDB tables, EFS file systems, Amazon FSx file systems, and Storage Gateway volumes.
Q: Can I use AWS Backup to back up on-premises data?
Yes. AWS Backup integrates with Storage Gateway to enable you to back up your on-premises Storage Gateway volumes, providing a common way to manage the backups of your application data both on premises and in the AWS cloud.
Q: Can I use AWS Backup to access backups created by services with existing backup capabilities?
Yes. Backups created using services with existing backup capabilities, such as EBS snapshots or DynamoDB backups, can be accessed using AWS Backup. Conversely, backups created by AWS Backup can be accessed using the source service, like EBS or DynamoDB.
Q: How does AWS Backup relate to Amazon Data Lifecycle Manager and when should I use one over the other?
Amazon Data Lifecycle Manager (DLM) policies and backup plans created in AWS Backup work independently from each other and provide two ways to manage EBS snapshots. DLM provides a simple way to manage the lifecycle of EBS resources, such as volume snapshots. You should use DLM when you want to automate the creation, retention, and deletion of EBS snapshots. You should use AWS Backup to manage and monitor backups across the AWS services you use, including EBS volumes, from a single place.
Q: Does AWS Backup offer a Service Level Agreement (SLA)?
Yes. The AWS Backup SLA provides for a service credit if a customer's monthly uptime percentage is below our service commitment in any billing cycle.
Q: What is a recovery point?
A recovery point represents the content of a resource at a specified time. Recovery points also include metadata such as information about the resource, restore parameters, and tags.
Q: What is a backup plan?
A backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as DynamoDB tables or EFS file systems. You assign resources to backup plans and AWS Backup will then automatically back up those resources and retain the backups according to the backup plan. Backup plans are composed of one or more backup rules. Each backup rule is composed of 1) a backup schedule, which includes the backup frequency (Recovery Point Objective - RPO) and backup window, 2) a lifecycle rule that specifies when to transition a backup from one storage tier to another and when to expire the recovery point, 3) the backup vault in which to place the created recovery points, and 4) the tags to be added to backups upon creation. For example, a backup plan might have a “daily backup rule” and a “monthly backup rule”. The daily rule backs up resources every day at midnight and retains the backups for one month. The monthly rule takes a backup once a month at the beginning of every month and retains the backups for one year.
Q: What is a backup vault?
A backup vault is a logical backup container for your recovery points that allows you to organize your backups.
Q: How does AWS Backup’s lifecycle feature work?
For AWS services that introduce backup functionality built on AWS Backup, such as Amazon EFS, AWS Backup provides a lifecycle feature that allows you to automatically transition your recovery points from a warm storage tier backed by Amazon S3 that provides millisecond access time to your backups to a lower-cost cold storage tier backed by Glacier that provides a restore time of 3-5 hours.
Q: How does encryption work in AWS Backup?
Backups from AWS services that introduce backup functionality built on AWS Backup, such as Amazon EFS, are encrypted in-transit and at-rest independently from the source services, giving your backups an additional layer of protection. Encryption is configured at the backup vault level. Backups from services with existing backup capabilities are encrypted using the source service’s backup encryption methodology. For example, EBS snapshots are encrypted using the encryption key of the volume the snapshot was created from.
Q: How do I use access policies in a backup vault to control access to backups?
AWS Backup allows you to set resource-based policies on backup vaults, enabling you to control access to the backup vault and the backups in it.
Q: What services provide support for AWS Backup’s advanced features?
Amazon EFS supports AWS Backup’s advanced features with backup functionality integrated with AWS Backup.
Q: What is AWS Backup Audit Manager?
AWS Backup Audit Manager allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs. AWS Backup enables you to centralize and automate data protection policies across AWS services based on organizational best practices and regulatory standards, and AWS Backup Audit Manager helps you maintain and demonstrate compliance to those policies.
Q: Why should I use AWS Backup Audit Manager?
You should use AWS Backup Audit Manager if you want to verify that the workloads that you create in (or migrate to) AWS meet your data protection requirements. AWS Backup Audit Manager saves the time and effort required to implement, track, and demonstrate adherence to your backup governance and compliance policies, enabling you to focus more on your core competencies.
Q: How can I use AWS Backup Audit Manager?
You can use AWS Backup Audit Manager via the AWS Management Console, CLI, API, or SDK. AWS Backup Audit Manager provides built-in compliance controls and allows you to customize these controls to define your data protection policies. It is designed to automatically detect violations of your defined data protection policies and will prompt you to take corrective actions. With AWS Backup Audit Manager, you can continuously evaluate backup activity and generate audit reports that can help you demonstrate compliance with regulatory requirements to internal governance officers and external auditors.
Q: What is a Backup Audit Manager control and framework?
An AWS Backup Audit Manager control is a procedure designed to audit the compliance of a backup requirement, such as backup frequency or backup retention period. A Backup Audit Manager framework is a collection of controls that can be easily deployed and managed as a single entity.
Q: How does a Backup Audit Manager control work?
An AWS Backup Audit Manager control evaluates the configuration of your backup resources against your defined configuration settings. If the resource meets the configuration defined in the control, then the compliance status of the resource for that control is COMPLIANT. If it does not, then the status is NON_COMPLIANT. If all the resources evaluated by a Backup Audit Manager control are compliant, then the compliance status of the control is COMPLIANT. Similarly, if all the controls in a framework are compliant, then the compliance status of the framework is COMPLIANT.
Q: How can I view the compliance results of my Backup Audit Manager controls and frameworks?
On the AWS Backup console, you can navigate to the Backup Audit Manager Frameworks section and click on the framework name to view the compliance status of your framework and controls.
Q: What kind of reports can I create in Backup Audit Manager?
You can create reports related to your AWS Backup activity. These reports help you get details of your backup, copy, and restore jobs. You can use these reports to monitor your operational posture and identify any failures that may need further action.
Q: How does AWS Backup Audit Manager work with other AWS services?
AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Backup Audit Manager integrates with AWS Config to track your backup activity and transcribe your data protection policies into backup controls. Once you have deployed your backup controls, AWS Backup Audit Manager evaluates your backup activity against your controls and records backup compliance status. You can also generate reports for auditing and monitoring purposes.
Q: Which compliance programs does AWS Backup support?
AWS has the longest-running compliance program in the cloud and is committed to helping customers navigate their requirements. AWS Backup has been assessed to meet global and industry security standards. It complies with PCI DSS, ISO 9001, 27001, 27017, and 27018, in addition to being HIPAA eligible. That makes it easier for you to verify our security and meet your own obligations. For more information and resources, visit our compliance pages. You can also go to the Services in Scope by Compliance Program page to see a full list of services and certifications.
Q: Is AWS Backup PCI compliant?
Yes. AWS Backup is PCI-DSS compliant, which means you can use it to transfer payment information. You can download the PCI Compliance Package in AWS Artifact to learn more about how to achieve PCI Compliance on AWS.
Q: Is AWS Backup HIPAA eligible?
Yes. AWS Backup is HIPAA eligible, which means if you have a HIPAA BAA in place with AWS, you can use AWS Backup to transfer protected health information (PHI).
Q: What is AWS Backup Vault Lock?
AWS Backup Vault Lock is a feature that enables you to prevent changes to backup lifecycle as well as prevent manual deletion of backups, helping you meet your compliance requirements. AWS Backup Vault Lock implements safeguards that ensure you are storing your backups using a Write-Once-Read-Many (WORM) model.
Q: Why should I use AWS Backup Vault Lock?
You should use AWS Backup Vault Lock to ensure that no user, including administrators or perpetrators of malicious actions, can delete your backups or change their lifecycle settings such as retention periods and transition to cold storage. AWS Backup keeps these backups according to your scheduled retention periods, helping you meet your business continuity goals. In addition, AWS Backup Vault Lock works seamlessly with backup policies such as retention periods, cold storage transitioning, cross-account, and cross-Region copy, providing you an additional layer of protection and helping you meet your compliance requirements. AWS Backup Vault Lock protects you from keeping backups that don’t meet your acceptable minimum and maximum retention periods.
Q: How does AWS Backup Vault Lock differ from Amazon S3 Glacier Vault Lock?
While AWS Backup Vault Lock applies to data residing in your AWS Backup backup vault, Amazon S3 Glacier Vault Lock applies to an individual Amazon S3 Glacier Vault. AWS Backup Vault Lock prevents manual deletion of backups and changes to backup lifecycle settings to help you centrally protect backups across AWS services. Amazon S3 Glacier Vault Lock enables you to enforce compliance controls that are designed to support long-term records retention for individual Amazon S3 Glacier vaults. Note that while Amazon S3 Glacier Vault has been assessed for compliance with SEC 17a-4f and CFTC 1.31(b)-(c), AWS Backup Vault Lock has not yet been assessed for compliance with these rules.
Q: How does AWS Backup Vault Lock work?
AWS Backup Vault Lock is an optional configuration at the AWS Backup vault level and comprises three properties: minimum acceptable retention days, maximum acceptable retention days, and a cooling-off period. It blocks backup deletion operations and changes to their lifecycle.
If you enable the AWS Backup Vault Lock configuration, then AWS Backup will protect all newly created recovery points in the vault against deletion and changes to their lifecycle. AWS Backup will also fail all backup jobs whose retention periods do not meet the AWS Backup Vault Lock acceptable retention periods.
AWS Backup Vault Lock ensures that your backups are available until they reach their retention periods and expire. If any user, including the root account user, attempts to delete a backup or update its lifecycle properties in a locked vault, AWS Backup denies the operation.
The cooling-off period allows you to test the feature for a number of days you define. You can update and remove the AWS Backup Vault Lock configuration as long as the cooling-off period has not expired. Once the cooling-off period expires, AWS Backup will not allow any change to the configuration.
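The following added example (not AWS code) is a pre-lock check that combines the backup plan rules described under "What is a backup plan?" with the Vault Lock behaviour above: it lists the rules whose jobs a locked vault would fail and reports whether the cooling-off period is still open. Field names follow the AWS Backup API shapes; all values are constructed, "one month" is taken as 30 days, and treating a rule with no expiry as exceeding the maximum is an assumption of this sketch.

```python
from datetime import datetime, timezone

# Constructed sample plan: the FAQ's daily and monthly rules plus a rule with no expiry.
PLAN = {"BackupPlanName": "example-plan", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "locked-vault",
     "ScheduleExpression": "cron(0 0 * * ? *)", "Lifecycle": {"DeleteAfterDays": 30}},
    {"RuleName": "monthly", "TargetBackupVaultName": "locked-vault",
     "ScheduleExpression": "cron(0 0 1 * ? *)", "Lifecycle": {"DeleteAfterDays": 365}},
    {"RuleName": "keep-forever", "TargetBackupVaultName": "locked-vault",
     "ScheduleExpression": "cron(0 0 1 1 ? *)", "Lifecycle": {}},
]}
# Constructed Vault Lock settings; LockDate marks the end of the cooling-off period.
LOCK = {"MinRetentionDays": 35, "MaxRetentionDays": 400,
        "LockDate": datetime(2030, 1, 4, tzinfo=timezone.utc)}

def retention_violations(plan, vault_name, lock):
    """Return (rule, reason) for each rule whose jobs the locked vault would fail."""
    lo, hi = lock.get("MinRetentionDays"), lock.get("MaxRetentionDays")
    problems = []
    for rule in plan["Rules"]:
        if rule["TargetBackupVaultName"] != vault_name:
            continue  # rule writes to a different vault, lock does not apply
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if days is None:
            # Assumption: no DeleteAfterDays means the recovery point never expires.
            if hi is not None:
                problems.append((rule["RuleName"], "never expires, exceeds maximum"))
        elif lo is not None and days < lo:
            problems.append((rule["RuleName"], f"{days}d below minimum {lo}d"))
        elif hi is not None and days > hi:
            problems.append((rule["RuleName"], f"{days}d above maximum {hi}d"))
    return problems

def lock_is_changeable(lock, now):
    """True while the cooling-off period runs; afterwards the lock cannot be changed."""
    return now < lock["LockDate"]

if __name__ == "__main__":
    for name, reason in retention_violations(PLAN, "locked-vault", LOCK):
        print(f"rule {name!r} would fail: {reason}")
    print("still changeable:", lock_is_changeable(LOCK, datetime.now(timezone.utc)))
```

Running a check like this before the cooling-off period expires matters because a mismatch found afterwards can only be fixed by changing the backup plan, not the lock.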