AWS Backup¶
What Is This Service?¶
AWS Backup is a fully managed centralized backup and recovery orchestration service that protects AWS and hybrid workloads using policy-driven backup automation.
Provides:
- Centralized backup governance
- Cross-account backup
- Cross-region backup
- Retention management
- Restore orchestration
- Compliance controls
Supported examples:
- EBS
- EC2
- RDS
- Aurora
- DynamoDB
- EFS
- FSx
- S3
- VMware workloads
Mental model:
AWS Backup = centralized backup policy engine + governed recovery platform.
AWS Backup does not replace replication or HA architectures.
Why It Matters for Security¶
Backups are security controls.
Protects against:
- Ransomware
- Accidental deletion
- Account compromise
- Regional failures
- Data corruption
- Insider mistakes
Security goals:
- Immutable recovery
- Isolated backup accounts
- Enforced retention
- Restore confidence
- Compliance reporting
Security outcomes:
- Reduced blast radius
- Faster recovery
- Stronger resilience
- Better audit posture
Typical use cases:
- Organization-wide backup
- Disaster recovery
- Compliance retention
- Ransomware defense
- Cross-account recovery
Architecture Example¶
flowchart LR
Org[AWS Organizations]
Backup[AWS Backup]
Plan[Backup Plan]
Vault[Backup Vault]
Lock[Vault Lock]
KMS[KMS]
Resources[Protected Resources]
Recovery[Recovery Account]
Audit[Backup Audit Manager]
Restore[Restore Testing]
Org --> Backup
Backup --> Plan
Plan --> Resources
Resources --> Vault
Vault --> Lock
KMS --> Vault
Vault --> Recovery
Backup --> Audit
Backup --> RestoreCore architecture:
Plan
↓
Selection
↓
Vault
↓
Recovery Point
↓
Restore
Recommended security pattern:
Production
↓
Cross-Account Backup
↓
Immutable Vault
↓
Restore Validation
Workflow(s)¶
Organization Backup Workflow¶
sequenceDiagram
participant Org
participant Backup
participant Resource
participant Vault
Org->>Backup: Apply backup policy
Backup->>Resource: Execute backup
Resource->>Vault: Create recovery point
Vault-->>Backup: Backup completeCross-Account Recovery¶
sequenceDiagram
participant Source
participant Backup
participant Vault
participant Recovery
Source->>Backup: Backup
Backup->>Vault: Store
Vault->>Recovery: Copy
Recovery-->>Source: RestoreRestore Testing Workflow¶
sequenceDiagram
participant Backup
participant Vault
participant Test
participant Cleanup
Backup->>Vault: Select recovery point
Vault->>Test: Launch isolated restore
Test-->>Backup: Validate restore
Backup->>Cleanup: Remove resourcesVault Lock Protection¶
sequenceDiagram
participant Admin
participant Backup as AWS Backup
participant Vault as Vault Lock (Compliance)
Admin->>Backup: Delete recovery point
Backup->>Vault: Check retention policy
Vault-->>Backup: Immutable (lock active)
Backup-->>Admin: Delete rejectedCore Concepts¶
Backup Plan (MOST TESTED)¶
Defines:
When?
How long?
Where?
Contains:
- Schedule
- Lifecycle
- Retention
- Copy rules
Example:
Daily
↓
35 Days
↓
Archive
Backup Rule¶
Controls:
- Frequency
- Backup window
- Retention
Multiple rules supported.
Backup Selection¶
Determines:
What gets protected?
Methods:
- Tags
- Resource IDs
- Resource types
Backup Vault¶
Logical container for:
Recovery Points
Supports:
- Encryption
- Access policies
- Cross-account copy
Exam trap:
Vault ≠ storage service.
Recovery Point¶
Actual backup artifact.
Used during:
Restore
Restore Job¶
Recovery operation.
Creates:
- Restored resources
- Recovery environments
Lifecycle¶
Moves recovery points:
Warm
↓
Cold Archive
Optimizes cost.
Important Integrations¶
AWS Organizations (VERY HIGH VALUE)¶
Supports:
- Central governance
- Backup policies
- Delegated administration
Pattern:
Management
↓
Backup Account
↓
Member Accounts
AWS KMS¶
Provides:
- Backup encryption
- Key isolation
Amazon S3¶
Supports:
- Centralized object recovery
Exam nuance:
Backup ≠ replication.
Amazon DynamoDB¶
Supports:
- Backup orchestration
- PITR integration
Advanced feature required for some cross-account/cross-region scenarios.
Amazon RDS / Aurora¶
Supports:
- Database recovery
Amazon EFS¶
Supports:
- Filesystem recovery
Amazon FSx¶
Supports:
- Managed filesystem backup
AWS Backup Audit Manager (HIGH VALUE)¶
Continuously evaluates backup posture.
Examples:
Daily backups enforced?
Retention compliant?
Coverage complete?
Outputs:
- Audit reports
- Compliance evidence
Often exported for auditors.
Security Features¶
Encryption At Rest¶
Supports:
AWS KMS
Protects:
- Recovery points
Vault Access Policies¶
Controls:
- Restore
- Delete
- Read
Separate from source permissions.
Cross-Account Backup¶
Supports:
Backup isolation
Critical ransomware pattern.
Cross-Region Backup¶
Protects against:
- Regional disasters
Backup Vault Lock (VERY HIGH VALUE)¶
Provides:
WORM
Write Once Read Many.
Prevents:
- Deletion
- Retention reduction
Even by administrators.
Governance Mode¶
Allows privileged override.
Compliance Mode (MOST TESTED)¶
Creates immutable backups.
Cannot be modified after lock becomes active.
Supports:
Grace Period
During grace period:
- Lock can still be removed
- Backup deletion possible
After grace period:
Immutable until retention expires
Massive exam trap.
Audit Visibility¶
Supports:
- CloudTrail
- Backup Audit Manager
Advanced Security and Operational Concepts¶
Backup ≠ Replication (MOST TESTED)¶
Backup:
Point-in-time recovery
Replication:
Near real-time availability
Example:
RDS Backup ≠ Read Replica
Restore Testing (HIGH VALUE)¶
Automatically validates recoverability.
Capabilities:
- Launch isolated restores
- Verify backup usability
- Measure restore success
- Clean up automatically
Exam scenario:
Validate RTO automatically.
Answer:
AWS Backup Restore Testing
Vault Lock = Ransomware Protection¶
Pattern:
Production
↓
Backup
↓
Immutable Vault
↓
Recovery Account
Protects against:
- Compromised admins
- Credential abuse
Service Opt-In Requirement (HIGH VALUE)¶
AWS Backup may require explicit service enablement.
Examples:
- S3
- DynamoDB advanced features
Exam symptom:
Backup plan exists
But backups never run
Check:
Backup service opt-in
Backup Account Isolation¶
Recommended:
Production
↓
Cross Account Copy
↓
Recovery Account
Reduces blast radius.
Cross-Region Recovery¶
Pattern:
Primary Region
↓
Backup
↓
Secondary Region
Supports DR.
Backup Windows¶
Controls:
- Start timing
- Completion timing
Useful for production scheduling.
Cold Archive Lifecycle¶
Pattern:
Warm
↓
Cold
Reduces long-term retention cost.
Backup Does NOT Improve Availability¶
Backup protects:
Recoverability
Not:
Availability
Comparisons¶
| Service | Purpose | Recovery | Replication | Immutability |
|---|---|---|---|---|
| AWS Backup | Central backup | Yes | No | Vault Lock |
| EBS Snapshot | Volume backup | Yes | No | No |
| S3 Replication | Object replication | Partial | Yes | No |
| Elastic Disaster Recovery | DR orchestration | Yes | Partial | No |
| Storage Gateway | Hybrid storage | No | No | No |
Common Exam Traps¶
-
Backup ≠ replication.
-
Recovery points live inside vaults.
-
Vault Lock provides immutability.
-
Compliance Mode supports grace period.
-
Cross-account backup improves security.
-
Restore Testing validates recoverability.
-
Backup Audit Manager measures compliance.
-
Service opt-in may be required.
-
Backup does not increase availability.
-
S3 backup ≠ S3 replication.
-
Recovery points remain encrypted.
-
Organizations centralize governance.
5-Second Recall¶
- Backup = centralized protection
- Vault = recovery container
- Vault Lock = WORM
- Restore Testing validates RTO
- Compliance Mode = immutable
- Backup ≠ replication
- Cross-account backup recommended
Quick Revision Notes¶
- Central backup orchestration
- Policy-driven backups
- Recovery points stored in vaults
- KMS encryption supported
- Vault Lock protects backups
- Restore Testing validates restores
- Backup Audit Manager measures compliance
- Service opt-in can block execution
- Cross-account + cross-region supported
- Excellent ransomware defense