# Usage note differences between on-demand backups managed by Amazon Backup and DynamoDB This section describes the technical differences between on-demand backups managed by Amazon Backup and DynamoDB. Amazon Backup has some different workflows and behaviors than DynamoDB. These include: **Encryption** - Backups created with the Amazon Backup plan are stored in an encrypted vault with a key that is managed by the Amazon Backup service. The vault has access control policies for additional security. **Backup ARN** - The backup files created by Amazon Backup will now have an Amazon Backup ARN, which could impact the user permission model. Backup resource names (ARNs) will change from `arn:aws:dynamodb` to `arn:aws:backup`. **Deleting backups** - Backups that are created with Amazon Backup can only be deleted from the Amazon Backup vault. You will not be able to delete Amazon Backup files from the DynamoDB console. **Backup process** - Unlike DynamoDB backups, backups made with Amazon Backup are not instantaneous. **Billing** - Backups of DynamoDB tables with Amazon Backup features are billed from Amazon Backup. **IAM roles** - If you're managing access through IAM roles, you will also need to configure a new IAM role with these new permissions: ``` 1. "dynamodb:StartAwsBackupJob", 2. "dynamodb:RestoreTableFromAwsBackup" ``` `dynamodb:StartAwsBackupJob` is needed for a successful backup with Amazon Backup features, and `dynamodb:RestoreTableFromAwsBackup` is needed to restore from a backup made with Amazon Backup features. To see these permissions in a complete IAM policy, see Example 8 in [Using IAM](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/backuprestore_IAM.html).