Thursday, November 27, 2025

AWS Backup | Deep Dive & Hands-On.

Scope:

  • Intro,
  • The concept AWS Backup and Benefits,
  • Core Components of AWS Backup,
  • How AWS Backup Works (Workflow),
  • Supported AWS Services (2025),
  • Encryption & Security,
  • Cross-Region and Cross-Account Backups,
  • Lifecycle Policies (Warm to Cold Storage),
  • Compliance & Monitoring,
  • Pricing Model (Simplified),
  • Best Practices,
  • Typical Architecture Sample,
  • AWS Backup vs. Service-Native Backups,
  • Limitations,
  • Project: Hands-On

Intro:

    • AWS Backup is a fully managed, policy-based backup service that centralizes and automates data protection across AWS services and hybrid workloads.
    • AWS Backup:
      • helps ensure compliance,
      • supports disaster recovery planning,
      • reduces operational overhead.

1. The concept AWS Backup and Benefits

  • Traditionally, backing up AWS resources required service-specific solutions:
    • EBS snapshots,
    • RDS snapshots,
    • DynamoDB backup settings, etc.
  • AWS Backup unifies the process by offering:
      • Centralized policy management
      • Automated backup scheduling
      • Lifecycle rules (transition from warm to cold storage)
      • Cross-Region and cross-account backup copies
      • Compliance reporting
      • Vault-level security controls and encryption
      • Support for on-premises (AWS Storage Gateway) backups

NB:

    • AWS Backup is widely used in regulated industries that require backup governance.

2. Core Components of AWS Backup

a. Backup Plans

A backup plan is a set of rules defining:

    • Backup frequency (hourly, daily, weekly, monthly, cron)
    • Backup windows (start and completion windows)
    • Lifecycle rules (move to cold storage after X days; expire after Y days)
    • Copy settings (define cross-Region or cross-account replication)

Backup plans can be assigned to resources by:

    • Resource ID
    • Tags
    • AWS Organizations structure

b. Backup Vaults

Backup Vaults are logical containers that store recovery points (backups). A vault provides:

    • KMS encryption per vault
    • Access policies for isolation
    • Vault Lock, which prevents deletion or modification of backups for the retention period (WORM: Write-Once-Read-Many)

There are two types of Backup Vaults:

    • Standard Backup Vaults: support warm and cold storage
    • Locked Vaults (AWS Backup Vault Lock):
      • for regulatory compliance (e.g., FINRA, SEC Rule 17a-4)

c. Recovery Points

Recovery points are the backups that AWS Backup creates; depending on the resource type, they can be:

    • EBS snapshots
    • RDS automated backups
    • DynamoDB point-in-time recovery
    • EFS backups
    • Storage Gateway snapshots
    • EC2 AMIs (through backup jobs)
    • DocumentDB or Neptune snapshots

d. Backup Jobs

Jobs represent the operational workflow:

    • Creation of backup
    • Copying of recovery point
    • Restoration

NB:

Each job has a status (e.g., RUNNING, COMPLETED, FAILED).

3. How AWS Backup Works (Workflow)

1. Create a Backup Vault

    • Choose a KMS key
    • Configure Vault Lock if needed

2. Create a Backup Plan

    • Set schedules and lifecycle
    • Add tags or explicit resources

3. Assign Resources

    • Direct assignment or tag-based automatic assignment

4. AWS Backup Executes Jobs

    • Backup jobs run based on the plan
    • Recovery points are stored in the vault
    • Copies go to other Regions/accounts if configured

5. Restore as Needed

    • Choose a recovery point in the vault and start a restore
    • AWS Backup re-creates the resource (volume, file system, DB, etc.)
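The five steps above, expressed as the request documents the AWS Backup API takes. This is an added example, not code from the post or from twtech: the vault, plan and tag names, the account id and the role/key ARNs are constructed placeholders, and the dict shapes are the BackupPlan and BackupSelection arguments of boto3's "backup" client (create_backup_vault, create_backup_plan, create_backup_selection). The live calls sit in apply(), so the builders and the lifecycle check run offline. The lifecycle check encodes the AWS rule that a recovery point moved to cold storage must remain there at least 90 days before it can expire.

```python
"""Request documents for the five-step AWS Backup workflow above.

Added example, not the blog's own code. Vault, plan, tag and ARN values are
constructed placeholders. The dict shapes are the BackupPlan and BackupSelection
arguments of boto3's "backup" client; live calls are isolated in apply() so the
module itself runs offline.
"""

# AWS Backup only accepts a lifecycle whose cold-storage stay is at least 90 days,
# i.e. DeleteAfterDays - MoveToColdStorageAfterDays >= 90.
MIN_COLD_STORAGE_DAYS = 90


def validate_lifecycle(move_to_cold_after_days, delete_after_days):
    """Reject lifecycle settings that the CreateBackupPlan API would refuse."""
    if move_to_cold_after_days is not None and move_to_cold_after_days < 1:
        raise ValueError("MoveToColdStorageAfterDays must be >= 1")
    if delete_after_days is not None and delete_after_days < 1:
        raise ValueError("DeleteAfterDays must be >= 1")
    if move_to_cold_after_days is not None and delete_after_days is not None:
        if delete_after_days - move_to_cold_after_days < MIN_COLD_STORAGE_DAYS:
            raise ValueError(
                "DeleteAfterDays must be at least %d days after MoveToColdStorageAfterDays"
                % MIN_COLD_STORAGE_DAYS
            )


def lifecycle(move_to_cold_after_days=None, delete_after_days=None):
    """Build the Lifecycle sub-document (step 2: warm-to-cold transition and expiry)."""
    validate_lifecycle(move_to_cold_after_days, delete_after_days)
    doc = {}
    if move_to_cold_after_days is not None:
        doc["MoveToColdStorageAfterDays"] = move_to_cold_after_days
    if delete_after_days is not None:
        doc["DeleteAfterDays"] = delete_after_days
    return doc


def build_backup_plan(plan_name, vault_name, schedule_cron,
                      move_to_cold_after_days=None, delete_after_days=None,
                      copy_to_vault_arns=()):
    """Step 2: the BackupPlan argument. Copy actions (step 4) target other vaults,
    which may live in another Region or another account."""
    rule_lifecycle = lifecycle(move_to_cold_after_days, delete_after_days)
    rule = {
        "RuleName": plan_name + "-daily",
        "TargetBackupVaultName": vault_name,
        "ScheduleExpression": schedule_cron,  # e.g. cron(0 5 ? * * *) = 05:00 UTC daily
        "StartWindowMinutes": 60,             # job must start within 1 h of the schedule
        "CompletionWindowMinutes": 720,       # and finish within 12 h
        "Lifecycle": rule_lifecycle,
        "CopyActions": [
            {"DestinationBackupVaultArn": arn, "Lifecycle": dict(rule_lifecycle)}
            for arn in copy_to_vault_arns
        ],
    }
    return {"BackupPlanName": plan_name, "Rules": [rule]}


def build_tag_selection(selection_name, iam_role_arn, tag_key, tag_value):
    """Step 3: a tag-based BackupSelection, so newly created resources carrying
    tag_key=tag_value are protected without editing the plan."""
    return {
        "SelectionName": selection_name,
        "IamRoleArn": iam_role_arn,
        "ListOfTags": [{
            "ConditionType": "STRINGEQUALS",
            "ConditionKey": tag_key,
            "ConditionValue": tag_value,
        }],
    }


def apply(client, vault_name, kms_key_arn, plan, selection):
    """Steps 1-3 against a live boto3 backup client (needs AWS credentials)."""
    client.create_backup_vault(BackupVaultName=vault_name, EncryptionKeyArn=kms_key_arn)
    plan_id = client.create_backup_plan(BackupPlan=plan)["BackupPlanId"]
    client.create_backup_selection(BackupPlanId=plan_id, BackupSelection=selection)
    return plan_id


if __name__ == "__main__":
    import boto3  # only needed for the live run

    ACCOUNT = "111111111111"  # placeholder account id
    plan = build_backup_plan(
        "twtech-daily-plan", "twtech-prod-vault", "cron(0 5 ? * * *)",
        move_to_cold_after_days=30, delete_after_days=365,
        copy_to_vault_arns=["arn:aws:backup:us-west-2:%s:backup-vault:twtech-dr-vault" % ACCOUNT],
    )
    selection = build_tag_selection(
        "twtech-env-prod",
        "arn:aws:iam::%s:role/service-role/AWSBackupDefaultServiceRole" % ACCOUNT,
        "environment", "prod")
    print(apply(boto3.client("backup"), "twtech-prod-vault",
                "arn:aws:kms:us-east-1:%s:key/PLACEHOLDER-KEY-ID" % ACCOUNT, plan, selection))
```

The selection uses a single STRINGEQUALS tag condition on purpose: anything tagged environment=prod after the plan exists is picked up on the next scheduled run, which is what the tag-based best practice later in the post relies on.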

4. Supported AWS Services (2025)

AWS Backup supports a wide list of services, including:

Service                          Backup Type
------------------------------------------------------------------
EC2 / EBS                        Snapshots / AMIs
RDS / Aurora                     DB snapshots
DynamoDB                         PITR and backups
EFS                              Full backups
FSx (Lustre, Windows, ONTAP)     Native FSx backups
S3                               Backup and restore of buckets/objects
DocumentDB, Neptune              Snapshots
CloudFormation stacks            Configuration backups
VMware Cloud on AWS              VM snapshots
On-prem via Storage Gateway      Volume and tape backups

NB:

    • Coverage continues to expand yearly.

5. Encryption & Security

a. KMS Integration

    • All backups are encrypted at rest.
    • Vault-level key isolation helps segment workload environments.

b. IAM Policies

    •  Fine-grained control: who can create, delete, or restore backups.
    •  Separation of duties is common (Ops vs Security).

c. Backup Vault Lock (WORM: Write-Once-Read-Many)

Once Backup Vault Lock is enabled, it prevents:

    • Deleting recovery points before the retention period ends
    • Shortening the retention period
    • Disabling the lock

NB

    • This is critical for compliance (finance, healthcare).

6. Cross-Region & Cross-Account Backups

AWS Backup can automatically replicate backups:

    • Cross-Region (DR strategy)
    • Cross-account (security boundary)
    • Both simultaneously

NB

    • twtech configures this in the backup rule as additional copy actions.
    • Common architecture pattern:
      • Prod Account -> Shared Services Account -> DR Account (multi-Region)
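The central (shared services) vault in that pattern needs two things from section 5c and this section: a Vault Lock so copies cannot be deleted early, and a vault access policy that lets the production accounts copy into it. The following is an added example, not the post's or twtech's code; account ids, Region and vault names are constructed placeholders. The dicts are the arguments of boto3's backup client methods put_backup_vault_lock_configuration and put_backup_vault_access_policy, and backup:CopyIntoBackupVault is the IAM action a source account needs on the destination vault. The lock check encodes AWS's minimum three-day cooling-off period (ChangeableForDays).

```python
"""Central backup vault hardening: Vault Lock settings plus the vault access policy
that lets production accounts copy recovery points in.

Added example, not the blog's own code. Account ids, Region and vault names are
constructed placeholders. The dicts are arguments of boto3's backup client methods
put_backup_vault_lock_configuration and put_backup_vault_access_policy.
"""
import json

# AWS enforces a cooling-off period (ChangeableForDays) of at least 3 days before a
# compliance-mode lock becomes immutable.
MIN_CHANGEABLE_DAYS = 3


def build_vault_lock(vault_name, min_retention_days, max_retention_days, changeable_for_days):
    """Kwargs for put_backup_vault_lock_configuration. Once the cooling-off period
    passes, nobody (root included) can delete recovery points early or shorten the lock."""
    if changeable_for_days < MIN_CHANGEABLE_DAYS:
        raise ValueError("ChangeableForDays must be >= %d" % MIN_CHANGEABLE_DAYS)
    if not 1 <= min_retention_days <= max_retention_days:
        raise ValueError("need 1 <= MinRetentionDays <= MaxRetentionDays")
    return {
        "BackupVaultName": vault_name,
        "MinRetentionDays": min_retention_days,
        "MaxRetentionDays": max_retention_days,
        "ChangeableForDays": changeable_for_days,
    }


def retention_allowed_by_lock(lock, delete_after_days):
    """A locked vault rejects recovery points (cross-account copies included) whose
    DeleteAfterDays fall outside [MinRetentionDays, MaxRetentionDays]."""
    return lock["MinRetentionDays"] <= delete_after_days <= lock["MaxRetentionDays"]


def build_copy_in_policy(source_account_ids):
    """Resource policy granting only backup:CopyIntoBackupVault to the listed source
    accounts; it grants them nothing that deletes or restores from the central vault."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopyFromProductionAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::%s:root" % a for a in source_account_ids]},
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
        }],
    }


def policy_allows_copy_from(policy, account_id):
    """True if some Allow statement grants CopyIntoBackupVault to account_id."""
    principal_arn = "arn:aws:iam::%s:root" % account_id
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "backup:CopyIntoBackupVault" not in actions and "backup:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        principals = principal.get("AWS", [])
        principals = principals if isinstance(principals, list) else [principals]
        if principal_arn in principals or "*" in principals:
            return True
    return False


def apply(client, vault_name, lock, policy):
    """Live run against a boto3 backup client (credentials required)."""
    client.put_backup_vault_lock_configuration(**lock)
    client.put_backup_vault_access_policy(BackupVaultName=vault_name, Policy=json.dumps(policy))


if __name__ == "__main__":
    import boto3

    # Retention between 1 and 7 years, lock becomes immutable after 3 days.
    lock = build_vault_lock("twtech-central-vault", 365, 2555, changeable_for_days=3)
    policy = build_copy_in_policy(["111111111111", "222222222222"])  # placeholder prod accounts
    print(json.dumps(policy, indent=2))
    apply(boto3.client("backup"), "twtech-central-vault", lock, policy)
```

retention_allowed_by_lock is worth running before a copy rule is rolled out: a copy action whose DeleteAfterDays is shorter than the central vault's MinRetentionDays fails at job time, which is one of the cross-account IAM/KMS/retention adjustments the Limitations section mentions.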

7. Lifecycle Policies (Warm to Cold Storage)

AWS Backup supports lifecycle transitions:

    • Move to cold storage after X days
    • Delete/expire after Y days

Cold storage provides:

    • Lower cost
    • Longer retrieval time
    • Required for long-term archiving (e.g., 7 years)

8. Compliance & Monitoring

AWS Backup includes:

Backup Audit Manager

    • Prebuilt frameworks (PCI-DSS, ISO, SOC)
    • Custom controls
    • Daily compliance reports

Event Notifications

    • CloudWatch Events / EventBridge for automation
    • SNS alerts (success/failure)

Resource Assignments Report

    • Shows exactly what resources are covered by backup plans.
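One concrete form of the EventBridge automation above is a rule that fires on failed backup jobs and hands the event to a function that produces an alert record. This is an added example, not the post's code: AWS Backup publishes "Backup Job State Change" events under source aws.backup, and BACKUP_JOB_FAILURE_PATTERN is an EventBridge event pattern for those; SAMPLE_EVENTS are constructed, with placeholder account, job ids and ARNs, and their detail field names follow that event's layout. matches_pattern is a small subset of EventBridge matching, enough to test the pattern offline.

```python
"""Failed-backup-job alerting through EventBridge.

Added example, not the blog's own code. BACKUP_JOB_FAILURE_PATTERN is an EventBridge
event pattern for the "Backup Job State Change" events AWS Backup publishes under
source aws.backup. SAMPLE_EVENTS are constructed: placeholder account, job ids and
ARNs, with detail field names following that event's layout.
"""
import json

BACKUP_JOB_FAILURE_PATTERN = {
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change"],
    "detail": {"state": ["FAILED", "ABORTED", "EXPIRED"]},
}


def matches_pattern(event, pattern):
    """Subset of EventBridge matching: every pattern key must exist in the event and
    its value must be one of the listed alternatives; nested objects recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def summarize_failure(event):
    """Flatten a matching event into the fields an on-call engineer needs."""
    d = event["detail"]
    return {
        "job_id": d["backupJobId"],
        "state": d["state"],
        "resource_type": d["resourceType"],
        "resource_arn": d["resourceArn"],
        "vault": d["backupVaultName"],
        "account": event["account"],
        "region": event["region"],
        "message": d.get("statusMessage", ""),
    }


def triage(events):
    """Return alert records for every event the failure pattern matches."""
    return [summarize_failure(e) for e in events if matches_pattern(e, BACKUP_JOB_FAILURE_PATTERN)]


def handler(event, context=None):
    """Lambda-style entry point for the rule target; non-matching events are ignored."""
    if matches_pattern(event, BACKUP_JOB_FAILURE_PATTERN):
        return summarize_failure(event)
    return None


def _event(state, job_id, resource_type, resource_arn, message=""):
    """Constructed sample event (placeholder account 111111111111)."""
    return {
        "version": "0", "id": "evt-" + job_id, "source": "aws.backup",
        "detail-type": "Backup Job State Change",
        "account": "111111111111", "region": "us-east-1", "time": "2025-11-27T05:10:00Z",
        "resources": [resource_arn],
        "detail": {
            "backupJobId": job_id, "state": state, "resourceType": resource_type,
            "resourceArn": resource_arn, "backupVaultName": "twtech-prod-vault",
            "statusMessage": message,
        },
    }


SAMPLE_EVENTS = [
    _event("COMPLETED", "job-0001", "EBS", "arn:aws:ec2:us-east-1:111111111111:volume/vol-0placeholder"),
    _event("FAILED", "job-0002", "RDS", "arn:aws:rds:us-east-1:111111111111:db:twtech-db",
           "constructed status message: access denied on KMS key"),
    _event("RUNNING", "job-0003", "EFS",
           "arn:aws:elasticfilesystem:us-east-1:111111111111:file-system/fs-0placeholder"),
]

if __name__ == "__main__":
    # The pattern string is what events.put_rule(EventPattern=...) expects.
    print(json.dumps(BACKUP_JOB_FAILURE_PATTERN))
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Matching on FAILED, ABORTED and EXPIRED rather than on every state change keeps the SNS topic quiet on the COMPLETED events that make up almost all of the traffic, while still catching jobs that never ran inside their completion window.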

9. Pricing Model (Simplified)

twtech pays for:

    • Backup storage (warm & cold)
    • Recovery (restores)
    • Cross-region copy
    • Cross-account copy

Roughly:

    • Warm storage: more expensive
    • Cold storage: up to 75% cheaper
    • Restores: charged per GB

There is no charge for:

    • Creating backup plans
    • Managing vaults
    •  Backup Audit Manager (basic)

10. Best Practices

a. Use Tag-Based Backup

    • Ensures new resources automatically inherit backup policies.

b. Enforce Vault Lock

    • Prevents accidental or malicious deletion.

c. Separate Backup Accounts

    • Isolate recovery assets from production.

d. Follow the 3-2-1 Rule

    • 3 copies
    • 2 different media
    • 1 off-site (cross-Region)

e. Monitor Backup Compliance

    • Use Backup Audit Manager + EventBridge for automation.

11. Typical Architecture Sample

A common enterprise setup:

1.     Production Account

    •    Resources tagged for backup
    •    Backup plan triggers daily backups
    •    Vault with short-term retention

2.     Central Backup Account

    •    Receives cross-account copies
    •    Long-term retention (up to 7+ years)
    •    Vault lock enforced

3.     DR Account + Region

    •    Cross-Region copies for disaster recovery
    •    Restore resources during failover

NB:

  • This follows AWS’ recommended multi-account strategy.

12. AWS Backup vs. Service-Native Backups

Feature                      AWS Backup      Native Snapshots
-------------------------------------------------------------
Centralized control
Cross-account copy
Compliance reporting
Vault lock
Tag-based assignments                        Limited
Lifecycle to cold storage
Manual granularity           Good            Often excellent

NB:

  • AWS Backup is preferred for enterprise governance; native backups sometimes provide finer technical features but lack centralization.

13. Limitations

    • Restore times vary by service.
    • Not all services support PITR (only some, like DynamoDB).
    • Cold storage retrieval may be slow.
    • Some advanced DB features are not preserved (e.g., certain cluster settings).
    • Backup jobs may require IAM or KMS adjustments in certain cross-account setups.

 

Project: Hands-On

  • How twtech uses AWS Backup (a fully managed, policy-based backup service) to centralize and automate its data-protection process across AWS services and hybrid workloads.

Search for AWS service: Backup


How AWS backup works:

https://aws.amazon.com/backup/pricing/

Create a backup plan:



Create plan:

Assign resource to the backup plan:

Backup plan details:

Assign resources & Confirm

An example of an AWS resource assigned for automatic backup:

  • Go into the EC2 console and create an EBS volume tagged with the predefined tag value (environment).
  • This allows the created resource (EBS volume) to be backed up automatically as part of the tagged environment.



Create EBS volume:

  • Verify from the resource tags created (EBS volume):
    • The resource will be backed up in the assigned environment: EBS volume tags

Final thought

  • The twtech backup plan runs automatically and should eventually place the assigned resources' recovery points in the backup vault.
    • It takes about a day for backups to appear in the vault.



