Advanced DynamoDB backup - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Advanced DynamoDB backup

Amazon Backup supports additional, advanced features for your Amazon DynamoDB data protection needs. After you enable Amazon Backup's advanced features in your Amazon Web Services Region, you unlock the following features for all new for DynamoDB table backups you create:

New customers onboarding to Amazon Backup after November 2021 have advanced DynamoDB backup features enabled by default. Specifically, advanced DynamoDB backup features are enabled by default to customers who have not created a backup vault prior to November 21, 2021.

We recommend all existing Amazon Backup customers enable advanced features for DynamoDB. There is no difference in warm backup storage pricing after you enable advanced features. You can save money by tiering backups to cold storage and optimize your costs by using cost allocation tags. You can also start taking advantage of Amazon Backup's business continuity and security features.


If you use a custom role or policy instead of Amazon Backup's default service role, you must add or use the following permissions policies (or add their equivalent permissions) to your custom role:

  • AWSBackupServiceRolePolicyForBackup to perform advanced DynamoDB backup.

  • AWSBackupServiceRolePolicyForRestores to restore advanced DynamoDB backups.

To learn more about Amazon-managed policies and view examples of customer-managed policies, see Managed policies for Amazon Backup.

Enabling advanced DynamoDB backup using the console

You can enable Amazon Backup advanced features for DynamoDB backups using either the Amazon Backup or DynamoDB console.

To enable advanced DynamoDB backup features from the Amazon Backup console:
  1. Open the Amazon Backup console at

  2. In the left navigation menu, choose Settings.

  3. Under the Supported services section, verify that DynamoDB is Enabled.

    If it is not, choose Opt-in and enable DynamoDB as an Amazon Backup supported service.

  4. Under the Advanced features for DynamoDB backups section, choose Enable.

  5. Choose Enable features.

For how to enable Amazon Backup advanced features using the DynamoDB console, see Enabling Amazon Backup features in the Amazon DynamoDB User Guide.

Enabling advanced DynamoDB backup programmatically

You can also enable Amazon Backup advanced features for DynamoDB backups using the Amazon Command Line Interface (CLI). You enable advanced DynamoDB backups when you set both of the following values to true:

To programmatically enable Amazon Backup advanced features for DynamoDB backups:
  1. Check if you already enabled Amazon Backup advanced features for DynamoDB using the following command:

    $ aws backup describe-region-settings

    If "DynamoDB":true under both "ResourceTypeManagementPreference" and "ResourceTypeOptInPreference", you have already enabled advanced DynamoDB backup.

    If, like the following output, you have at least one instance of "DynamoDB":false, you have not yet enabled advanced DynamoDB backup, proceed to the next step.

    { "ResourceTypeManagementPreference":{ "DynamoDB":false, "EFS":true } "ResourceTypeOptInPreference":{ "Aurora":true, "DocumentDB":false, "DynamoDB":false, "EBS":true, "EC2":true, "EFS":true, "FSx":true, "Neptune":false, "RDS":true, "Storage Gateway":true } }
  2. Use the following UpdateRegionSettings operation to set both "ResourceTypeManagementPreference" and "ResourceTypeOptInPreference" to "DynamoDB":true:

    aws backup update-region-settings \ --resource-type-opt-in-preference DynamoDB=true \ --resource-type-management-preference DynamoDB=true

Editing an advanced DynamoDB backup

When you create a DynamoDB backup after you enable Amazon Backup advanced features, you can use Amazon Backup to:

  • Copy a backup across Regions

  • Copy a backup across accounts

  • Change when Amazon Backup tiers a backup to cold storage

  • Tag the backup

To use those advanced features on an existing backup, see Editing a backup.

If you later disable Amazon Backup advanced features for DynamoDB, you can continue to perform those operations to DynamoDB backups that you created during the period of time when you enabled advanced features.

Restoring an advanced DynamoDB backup

You can restore DynamoDB backups taken with Amazon Backup advanced features enabled in the same way you restore DynamoDB backups taken prior to enabling Amazon Backup advanced features. You can perform a restore using either Amazon Backup or DynamoDB.

You can specify how to encrypt your newly-restored table with the following options:

  • When you restore in the same Region as your original table, you can optionally specify an encryption key for your restored table. If you do not specify an encryption key, Amazon Backup will automatically encrypt your restored table using the same key that encrypted your original table.

  • When you restore in a different Region than your original table, you must specify an encryption key.

To restore using Amazon Backup, see Restoring an Amazon DynamoDB table.

To restore using DynamoDB, see Restoring a DynamoDB table from a backup in the Amazon DynamoDB User Guide.

Deleting an advanced DynamoDB backup

You cannot delete backups created using these advanced features in DynamoDB. You must use Amazon Backup to delete backups to maintain global consistency throughout your Amazon environment.

To delete a DynamoDB backup, see Deleting backups.

Other benefits of full Amazon Backup management when you enable advanced DynamoDB backup

When you enable Amazon Backup advanced features for DynamoDB, you give full management of your DynamoDB backups to Amazon Backup. Doing so gives you the following, additional benefits:


Amazon Backup automatically encrypts the backups with the KMS key of your destination Amazon Backup vault. Previously, they were encrypted using the same encryption method of your source DynamoDB table. This increases the number of defenses you can use to safeguard your data. See Encryption for backups in Amazon Backup for more information.

Amazon Resource Name (ARN)

Each backup ARN’s service namespace is awsbackup. Previously, the service namespace was dynamodb. Put another way, the beginning of each ARN will change from arn:aws:dynamodb to arn:aws:backup. See ARNs for Amazon Backup in the Service Authorization Reference.

With this change, you or your backup administrator can create access policies for backups using the awsbackup service namespace that now apply to DynamoDB backups created after you enable advanced features. By using the awsbackup service namespace, you can also apply policies to other backups taken by Amazon Backup. See Access control for more information.

Location of charges on billing statement

Charges for backups (including storage, data transfers, restores, and early deletion) appear under “Backup” in your Amazon bill. Previously, charges appeared under “DynamoDB” in your bill.

This change ensures that you can use Amazon Backup billing to centrally monitor your backup costs. See Metering, costs, and billing for more information.