Here is twtech's structured deep dive into AWS Backup.
Focus:
- This deep dive is suitable for learning, teaching, documentation, and practice.
Scope:
- Intro
- The Concept of AWS Backup and Benefits
- Core Components of AWS Backup
- How AWS Backup Works (Workflow)
- Supported AWS Services (2025)
- Encryption & Security
- Cross-Region and Cross-Account Backups
- Lifecycle Policies (Warm to Cold Storage)
- Compliance & Monitoring
- Pricing Model (Simplified)
- Best Practices
- Typical Architecture Sample
- AWS Backup vs. Service-Native Backups
- Limitations
Intro:
- AWS Backup is a fully managed, policy-based backup service that centralizes and automates the data-protection process across AWS services and hybrid workloads.
- AWS Backup helps ensure compliance, supports disaster recovery planning, and reduces operational overhead.
1. The Concept of AWS Backup and Benefits
Traditionally, backing up AWS resources required service-specific solutions: EBS snapshots, RDS snapshots, DynamoDB backup settings, etc. AWS Backup unifies the process by offering:
- Centralized policy management
- Automated backup scheduling
- Lifecycle rules (transition from warm to cold storage)
- Cross-Region and cross-account backup copies
- Compliance reporting
- Vault-level security controls and encryption
- Support for on-premises backups (via AWS Storage Gateway)
NB:
Because it unifies the process, AWS Backup is widely used in regulated industries that require backup governance.
2. Core Components of AWS Backup
a. Backup Plans
A backup plan is a set of rules defining:
- Backup frequency (hourly, daily, weekly, monthly, or a cron expression)
- Backup windows (start and completion windows)
- Lifecycle rules (move to cold storage after X days; expire after Y days)
- Copy settings (cross-Region or cross-account replication of recovery points)
Backup plans can be assigned to resources by:
- Resource ID
- Tags
- AWS Organizations structure
b. Backup Vaults
Backup vaults are the logical containers that store recovery points. A vault provides:
- KMS encryption per vault
- Access policies for isolation
- Locking, which prevents deletion or modification of backups: WORM (write once, read many) retention
There are two types of backup vaults:
- Standard backup vaults, which support warm and cold storage
- Locked vaults (AWS Backup Vault Lock), for regulatory compliance (e.g., FINRA, SEC Rule 17a-4)
c. Recovery Points
Recovery points are the backups AWS Backup creates. Depending on the service, they can be:
- EBS snapshots
- RDS automated backups
- DynamoDB point-in-time recovery
- FSx backups
- EFS backups
- Storage Gateway snapshots
- EC2 AMIs (through backup jobs)
- DocumentDB or Neptune snapshots
d. Backup Jobs
Jobs represent the operational workflow:
- Creation of a backup
- Copying of a recovery point
- Restoration
NB:
Each job has a status (RUNNING, COMPLETED, FAILED).
3. How AWS Backup Works (Workflow)
1. Create a Backup Vault
- Choose a KMS key
- Configure Vault Lock if needed
2. Create a Backup Plan
- Set schedules and lifecycle rules
- Add tags or explicit resources
3. Assign Resources
- Direct assignment or tag-based automatic assignment
4. AWS Backup Executes Jobs
- Backup jobs run according to the plan
- Recovery points are stored in the vault
- Copies are sent to other Regions/accounts if configured
5. Restore as Needed
- Choose vault → recovery point → restore
- AWS Backup re-creates the resource (volume, file system, DB, etc.)
4. Supported AWS Services (2025)
AWS Backup supports a wide list of services, including:
| Service | Backup Type |
| EC2 / EBS | Snapshots / AMIs |
| RDS / Aurora | DB snapshots |
| DynamoDB | PITR and backups |
| EFS | Full backups |
| FSx (Lustre, Windows, ONTAP) | Native FSx backups |
| S3 | Backup and restore of buckets/objects |
| DocumentDB, Neptune | Snapshots |
| CloudFormation stacks | Configuration backups |
| VMware Cloud on AWS | VM snapshots |
| On-prem via Storage Gateway | Volume and tape backups |
NB:
Coverage continues to expand yearly.
5. Encryption & Security
a. KMS Integration
- All backups are encrypted at rest.
- Vault-level key isolation helps segment workload environments.
b. IAM Policies
- Fine-grained control over who can create, delete, or restore backups.
- Separation of duties is common (Ops vs. Security).
c. Backup Vault Lock (WORM: write once, read many)
Once Backup Vault Lock is enabled, it prevents:
- Deleting recovery points before the retention period ends
- Shortening the retention period
- Disabling the lock
NB:
This is critical for compliance (finance, healthcare).
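To make the Vault Lock rules in 5c concrete, here is an added example (not twtech's or AWS's code) that models the parameters of `aws backup put-backup-vault-lock-configuration` and checks which backup rules a locked vault would accept; the vault name and retention values are constructed.

```python
"""Model AWS Backup Vault Lock and check which rules a locked vault would accept.
Added example; vault names and retention values are constructed, not twtech's settings."""


def vault_lock_config(vault_name, min_days, max_days=None, changeable_for_days=None):
    """Parameters of `aws backup put-backup-vault-lock-configuration`.
    Min/MaxRetentionDays bound every recovery point's retention. ChangeableForDays is the
    grace period (at least 3 days) after which a compliance-mode lock can no longer be changed
    or removed; leave it unset for a governance-mode lock that admins may still change."""
    cfg = {"BackupVaultName": vault_name, "MinRetentionDays": min_days}
    if max_days is not None:
        cfg["MaxRetentionDays"] = max_days
    if changeable_for_days is not None:
        if changeable_for_days < 3:
            raise ValueError("ChangeableForDays must be at least 3")
        cfg["ChangeableForDays"] = changeable_for_days
    return cfg


def lock_accepts(lock, lifecycle):
    """True if a backup or copy job with this lifecycle may write into the locked vault.
    No DeleteAfterDays means 'never expire', which only a lock without a maximum allows."""
    delete_after = lifecycle.get("DeleteAfterDays")
    if delete_after is None:
        return "MaxRetentionDays" not in lock
    if delete_after < lock["MinRetentionDays"]:
        return False
    return delete_after <= lock.get("MaxRetentionDays", delete_after)


def lock_is_immutable(lock, days_since_locked):
    """Compliance-mode locks become immutable once the grace period has elapsed."""
    grace = lock.get("ChangeableForDays")
    return grace is not None and days_since_locked >= grace


if __name__ == "__main__":
    # 7-year minimum, 10-year maximum; the lock becomes permanent after a 3-day cooling-off period.
    lock = vault_lock_config("twtech-central-vault", 2555, max_days=3650, changeable_for_days=3)
    for lc in ({"DeleteAfterDays": 365}, {"DeleteAfterDays": 2555}, {}):
        print(lc, "accepted" if lock_accepts(lock, lc) else "rejected by Vault Lock")
    print("immutable after 5 days:", lock_is_immutable(lock, 5))
```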
6. Cross-Region and Cross-Account Backups
AWS Backup can automatically replicate backups:
- Cross-Region (DR strategy)
- Cross-account (security boundary)
- Both simultaneously
NB:
- twtech configures this in the backup rule as additional copy actions.
- Common architecture pattern: Prod Account → Shared Services Account → DR Account (multi-Region)
7. Lifecycle Policies (Warm to Cold Storage)
AWS Backup supports lifecycle transitions:
- Move to cold storage after X days
- Delete/expire after Y days
Cold storage provides:
- Lower cost
- Higher retrieval time
- Required for long-term archiving (e.g., 7 years)
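The backup-plan rules of section 2a, the copy actions of section 6 and the lifecycle settings of section 7 all land in one plan document. As an added example (not twtech's or AWS's code), this builds that document in the shape `aws backup create-backup-plan --backup-plan file://plan.json` consumes and checks the one lifecycle constraint AWS enforces: a recovery point moved to cold storage must stay there at least 90 days before it expires; vault names and account IDs are constructed placeholders.

```python
"""Backup plan document for `aws backup create-backup-plan --backup-plan file://plan.json`,
plus a lifecycle check. Added example; vault names and account IDs are constructed."""

# Constructed placeholder vault ARNs for the copy actions (cross-Region and cross-account).
DR_VAULT_ARN = "arn:aws:backup:us-west-2:111111111111:backup-vault:twtech-dr-vault"
CENTRAL_VAULT_ARN = "arn:aws:backup:us-east-1:222222222222:backup-vault:twtech-central-vault"
# AWS keeps a recovery point in cold storage for at least 90 days, so the expiry must be
# at least 90 days after the warm-to-cold transition or the rule is rejected.
COLD_STORAGE_MIN_DAYS = 90


def lifecycle(cold_after_days, delete_after_days):
    """Warm -> cold after X days, expire after Y days (section 7)."""
    return {"MoveToColdStorageAfterDays": cold_after_days, "DeleteAfterDays": delete_after_days}


def validate_lifecycle(lc):
    """Return a list of problems; an empty list means AWS Backup would accept the lifecycle."""
    cold, delete = lc.get("MoveToColdStorageAfterDays"), lc.get("DeleteAfterDays")
    if cold is not None and delete is not None and delete - cold < COLD_STORAGE_MIN_DAYS:
        return [f"DeleteAfterDays ({delete}) must be at least {COLD_STORAGE_MIN_DAYS} days "
                f"after MoveToColdStorageAfterDays ({cold})"]
    return []


def build_plan(name, schedule_cron, lc, copy_vault_arns):
    """One rule with schedule, backup windows, lifecycle and copy actions (sections 2a and 6)."""
    rule = {
        "RuleName": f"{name}-daily",
        "TargetBackupVaultName": "twtech-prod-vault",  # constructed vault name
        "ScheduleExpression": schedule_cron,
        "StartWindowMinutes": 60,          # the job must start within 1 h of the schedule
        "CompletionWindowMinutes": 180,    # and finish within 3 h
        "Lifecycle": lc,
        "CopyActions": [{"DestinationBackupVaultArn": a, "Lifecycle": lc} for a in copy_vault_arns],
    }
    return {"BackupPlanName": name, "Rules": [rule]}


def validate_plan(plan):
    """Check the lifecycle of every rule and of every copy action (copies carry their own)."""
    problems = []
    for rule in plan["Rules"]:
        problems += [f"{rule['RuleName']}: {p}" for p in validate_lifecycle(rule["Lifecycle"])]
        for copy in rule.get("CopyActions", []):
            problems += [f"{rule['RuleName']} -> {copy['DestinationBackupVaultArn']}: {p}"
                         for p in validate_lifecycle(copy["Lifecycle"])]
    return problems
```

Serialize `build_plan(...)` with `json.dumps` to get the file the CLI expects; run `validate_plan` first so a rule like cold-after-30 / expire-after-60 is caught before the API rejects it.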
8. Compliance & Monitoring
AWS Backup includes:
Backup Audit Manager
- Prebuilt frameworks (PCI-DSS, ISO, SOC)
- Custom controls
- Daily compliance reports
Event Notifications
- CloudWatch Events / EventBridge for automation
- SNS alerts (success/failure)
Resource Assignments Report
- Shows exactly which resources are covered by backup plans.
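The event notifications above are what an automated failure alert is built on. As an added example (not twtech's or AWS's code), this is the EventBridge event pattern that selects non-successful AWS Backup job events, plus a matcher that applies it to constructed sample events the way a rule would before forwarding to SNS; the sample event field values are made up.

```python
"""Match AWS Backup job-state events the way an EventBridge rule does, so failed jobs can be
routed to SNS. Added example; the sample events below are constructed."""

# AWS Backup publishes "Backup Job State Change" / "Copy Job State Change" events on the
# aws.backup source; detail.state carries the job status, so alert on the non-success states.
ALERT_STATES = ["FAILED", "ABORTED", "EXPIRED"]
EVENT_PATTERN = {   # shape accepted by `aws events put-rule --event-pattern`
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change", "Copy Job State Change"],
    "detail": {"state": ALERT_STATES},
}


def matches(pattern, event):
    """EventBridge semantics for literal lists: every key in the pattern must exist in the
    event and the event value must be one of the listed literals; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def alert_message(event):
    """One-line SNS subject for a matched event."""
    d = event["detail"]
    job = d.get("backupJobId") or d.get("copyJobId")
    return (f"AWS Backup {event['detail-type']} in {event.get('region')}: job {job} "
            f"({d.get('resourceType')}) ended {d['state']}")


def alerts(events, pattern=EVENT_PATTERN):
    return [alert_message(e) for e in events if matches(pattern, e)]


# Constructed sample events in the EventBridge envelope shape (field values are made up).
SAMPLE_EVENTS = [
    {"source": "aws.backup", "detail-type": "Backup Job State Change", "region": "us-east-1",
     "detail": {"backupJobId": "job-0001", "state": "COMPLETED", "resourceType": "EBS"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change", "region": "us-east-1",
     "detail": {"backupJobId": "job-0002", "state": "FAILED", "resourceType": "RDS"}},
    {"source": "aws.backup", "detail-type": "Copy Job State Change", "region": "us-west-2",
     "detail": {"copyJobId": "copy-0003", "state": "EXPIRED", "resourceType": "EBS"}},
]
```

`alerts(SAMPLE_EVENTS)` yields two messages (the FAILED backup job and the EXPIRED copy job) and skips the COMPLETED one.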
9. Pricing Model (Simplified)
twtech pays for:
- Backup storage (warm and cold)
- Recovery (restores)
- Cross-Region copy
- Cross-account copy
Roughly:
- Warm storage: more expensive
- Cold storage: up to 75% cheaper
- Restores: charged per GB
There is no charge for:
- Creating backup plans
- Managing vaults
- Backup Audit Manager (basic)
10. Best Practices
a. Use Tag-Based Backup
Ensures new resources automatically inherit backup policies.
b. Enforce Vault Lock
Prevents accidental or malicious deletion.
c. Separate Backup Accounts
Isolate recovery assets from production.
d. Follow the 3-2-1 Rule
- 3 copies
- 2 different media
- 1 off-site (cross-Region)
e. Monitor Backup Compliance
Use Backup Audit Manager + EventBridge for automation.
11. Typical Architecture Sample
A common enterprise setup:
1. Production Account
- Resources tagged for backup
- Backup plan triggers daily backups
- Vault with short-term retention
2. Central Backup Account
- Receives cross-account copies
- Long-term retention (up to 7+ years)
- Vault Lock enforced
3. DR Account + Region
- Cross-Region copies for disaster recovery
- Restore resources during failover
NB:
This follows AWS's recommended multi-account strategy.
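For the central backup account in this architecture, the vault's resource policy is what lets the production account copy recovery points in while keeping deletion out of reach of ordinary operators. As an added example (not twtech's or AWS's code), this builds that policy for `aws backup put-backup-vault-access-policy` and includes a simplified evaluator to show how it decides; account IDs and the backup-admin role name are constructed placeholders.

```python
"""Access policy for the central backup account's vault: lets the production account copy
recovery points in and denies deletion to every principal except a backup-admin role.
Added example; account IDs and role names are constructed placeholders."""

PROD_ACCOUNT = "111111111111"
CENTRAL_ACCOUNT = "222222222222"
BACKUP_ADMIN_ROLE = f"arn:aws:iam::{CENTRAL_ACCOUNT}:role/twtech-backup-admin"


def central_vault_policy(source_accounts, admin_role_arn):
    """Document for `aws backup put-backup-vault-access-policy --policy file://vault-policy.json`."""
    return {"Version": "2012-10-17", "Statement": [
        {   # cross-account copy: the source account must be allowed to copy into this vault
            "Sid": "AllowCopyFromSourceAccounts", "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in source_accounts]},
            "Action": "backup:CopyIntoBackupVault", "Resource": "*"},
        {   # separation of duties: only the backup-admin role may delete or shorten retention
            "Sid": "DenyDeleteExceptBackupAdmin", "Effect": "Deny", "Principal": "*",
            "Action": ["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle"],
            "Resource": "*",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": admin_role_arn}}},
    ]}


def _account_of(arn):
    return arn.split(":")[4]


def vault_policy_decision(policy, principal_arn, action):
    """Simplified evaluation of this policy shape: 'Deny' if an applicable Deny matches,
    'Allow' if an applicable Allow matches, else 'NotApplicable' (identity policy decides).
    An account root principal stands for any IAM principal of that account."""
    decision = "NotApplicable"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        principal = st["Principal"]
        applies = principal == "*" or _account_of(principal_arn) in {
            _account_of(p) for p in principal["AWS"]}
        excluded = st.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
        if not applies or excluded == principal_arn:
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Pair this with Vault Lock on the same vault: the policy keeps humans out, the lock keeps even the backup-admin role from shortening retention below the configured minimum.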
12. AWS Backup vs. Service-Native Backups
| Feature | AWS Backup | Native Snapshots |
| Centralized control | ✔ | ✖ |
| Cross-account copy | ✔ | ✖ |
| Compliance reporting | ✔ | ✖ |
| Vault lock | ✔ | ✖ |
| Tag-based assignments | ✔ | Limited |
| Lifecycle to cold storage | ✔ | ✖ |
| Manual granularity | Good | Often excellent |
NB:
AWS Backup is preferred for enterprise governance; native backups sometimes provide finer technical features but lack centralization.
13. Limitations
- Restore times vary by service.
- Not all services support PITR (only some, like DynamoDB).
- Cold storage retrieval may be slow.
- Some advanced DB features are not preserved (e.g., certain cluster settings).
- Backup jobs may require IAM or KMS adjustments in certain cross-account setups.
Project: Hands-On
How twtech uses AWS Backup (a fully managed, policy-based backup service) to centralize and automate its data-protection process across AWS services and hybrid workloads.
Search for AWS service: Backup
How AWS backup works:
https://aws.amazon.com/backup/pricing/
Create a backup plan:
Create plan:
Assign resource to the backup plan:
Backup plan details:
Assign resources & Confirm
An example of aws resource assigned for automatic backup:
- Go into the EC2 console and create an EBS volume tagged with the predefined environment value.
- This ensures the resource created (the EBS volume) is automatically backed up as part of the tagged environment.
Create EBS volume:
Verify from the tags on the created resource (the EBS volume) that it will be backed up in the assigned environment: EBS volume tags
NB:
The backup plan runs automatically, and the assigned resources should then appear in the backup vault (it takes about a day for the backups to show up in the vault).
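To check the tag-based assignment from this hands-on step before waiting a day for the first recovery point, here is an added example (not twtech's or AWS's code) that builds the selection document `aws backup create-backup-selection` consumes and simulates which resources in a constructed inventory it would pick up; the role ARN, account ID, tag values and resource ARNs are all constructed.

```python
"""Simulate AWS Backup's tag-based resource assignment: build the selection document that
`aws backup create-backup-selection --backup-selection file://selection.json` consumes and
check which resources it would pick up. Added example; the role ARN, tags and ARNs are constructed."""

BACKUP_ROLE_ARN = "arn:aws:iam::111111111111:role/service-role/AWSBackupDefaultServiceRole"  # constructed


def tag_selection(name, tag_key, tag_value, role_arn=BACKUP_ROLE_ARN):
    """Selection: every supported resource carrying tag_key=tag_value is assigned to the plan."""
    return {
        "SelectionName": name,
        "IamRoleArn": role_arn,
        "Resources": ["*"],
        "Conditions": {"StringEquals": [
            {"ConditionKey": f"aws:ResourceTag/{tag_key}", "ConditionValue": tag_value}]},
    }


def selection_matches(selection, resource_tags):
    """Every StringEquals condition must hold (AND); tag keys and values are case-sensitive."""
    prefix = "aws:ResourceTag/"
    for cond in selection["Conditions"].get("StringEquals", []):
        key = cond["ConditionKey"][len(prefix):]
        if resource_tags.get(key) != cond["ConditionValue"]:
            return False
    return True


def covered_resources(selection, inventory):
    """ARNs in the inventory that the selection would back up automatically."""
    return [arn for arn, tags in inventory.items() if selection_matches(selection, tags)]


# Constructed inventory: the EBS volume from the hands-on step, a dev volume and an RDS instance.
INVENTORY = {
    "arn:aws:ec2:us-east-1:111111111111:volume/vol-0aaa": {"environment": "prod", "Name": "app-data"},
    "arn:aws:ec2:us-east-1:111111111111:volume/vol-0bbb": {"environment": "dev"},
    "arn:aws:rds:us-east-1:111111111111:db:orders": {"environment": "prod"},
}

if __name__ == "__main__":
    import json
    sel = tag_selection("twtech-prod-by-tag", "environment", "prod")
    print(json.dumps(sel, indent=2))
    print("covered:", covered_resources(sel, INVENTORY))
```

A volume tagged `Environment=prod` (capital E) would not match, which is the usual reason a "tagged" resource never shows up in the vault.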