What is Amazon Backup?
Amazon Backup is a fully-managed service that makes it easy to centralize and automate data protection across Amazon services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your Amazon resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes. With a few clicks in the Amazon Backup console, you can automate your data protection policies and schedules.
Amazon Backup does not govern backups you take in your Amazon environment outside of Amazon Backup. Therefore, if you want a centralized, end-to-end solution for business and regulatory compliance requirements, start using Amazon Backup today.
Feature overview
Amazon Backup provides many features and capabilities, including the following.
Centralized backup management
Amazon Backup provides a centralized backup console, a set of backup APIs, and the Amazon Command Line Interface (Amazon CLI) to manage backups across the Amazon services that your applications use. With Amazon Backup, you can centrally manage backup policies that meet your backup requirements. You can then apply them to your Amazon resources across Amazon services, enabling you to back up your application data in a consistent and compliant manner. The Amazon Backup centralized backup console offers a consolidated view of your backups and backup activity logs, making it easier to audit your backups and ensure compliance.
Policy-based backup
With Amazon Backup, you can create backup policies known as backup plans. Use these backup plans to define your backup requirements and then apply them to the Amazon resources that you want to protect across the Amazon services that you use. You can create separate backup plans that each meet specific business and regulatory compliance requirements. This helps ensure that each Amazon resource is backed up according to your requirements. Backup plans make it easy to enforce your backup strategy across your organization and across your applications in a scalable manner.
For all the configuration options for backup plans, see Backup plan options and configuration.
Tag-based backup policies
You can use Amazon Backup to apply backup plans to your Amazon resources in a wide variety of ways, including tagging them. Tagging makes it easier to implement your backup strategy across all your applications and to ensure that all your Amazon resources are backed up and protected. Amazon tags are a great way to organize and classify your Amazon resources. Integration with Amazon tags enables you to quickly apply a backup plan to a group of Amazon resources, so that they are backed up in a consistent and compliant manner.
For all the ways you can assign your resources to backup plans, see Select Amazon services to backup.
Lifecycle management policies
Amazon Backup enables you to meet compliance requirements while minimizing backup storage costs by storing backups in a low-cost cold storage tier. You can configure lifecycle policies that automatically transition backups from warm storage to cold storage according to a schedule that you define.
For a list of resources which can be transitioned to cold storage, see Feature availability by resource. For steps to turn on cold storage in your backup plan, see Lifecycle and storage tiers.
Cross-Region backup
Using Amazon Backup, you can copy backups to multiple different Amazon Web Services Regions on demand or automatically as part of a scheduled backup plan. Cross-Region backup is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. For more information, see Creating backup copies across Amazon Web Services Regions.
Cross-account management and cross-account backup
You can use Amazon Backup to manage your backups across all Amazon Web Services accounts inside your Amazon Organizations structure. With cross-account management, you can automatically use backup policies to apply backup plans across the Amazon Web Services accounts within your organization. This makes compliance and data protection efficient at scale and reduces operational overhead. It also helps eliminate manually duplicating backup plans across individual accounts. For more information, see Managing Amazon Backup resources across multiple Amazon Web Services accounts.
You can also copy backups to multiple different Amazon Web Services accounts inside your Amazon Organizations management structure. This way, you can "fan in" backups to a single repository account, then "fan out" backups for greater resilience. Creating backup copies across Amazon Web Services accounts.
Before you can use the cross-account management and cross-account backup features, you must have an existing organization structure configured in Amazon Organizations. An organizational unit (OU) is a group of accounts that can be managed as a single entity. Amazon Organizations is a list of accounts that can be grouped into organizational units and managed as a single entity.
Auditing and reporting with Amazon Backup Audit Manager
Amazon Backup Audit Manager helps you simplify data governance and compliance management of your backups across Amazon. Amazon Backup Audit Manager provides built-in, customizable controls that you can align with your organizational requirements. You can also use these controls to automatically track your backup activities and resources.
Amazon Backup Audit Manager can help you locate specific activities and resources that are not yet compliant with the controls that you defined. It also generates daily reports that you can use to demonstrate evidence of compliance with your controls over time.
To include your backup compliance alongside your overall compliance posture, you can automatically import Amazon Backup Audit Manager findings into Amazon Audit Manager.
Incremental backups
Amazon Backup efficiently stores your periodic backups incrementally. The first backup of an Amazon resource backs up a full copy of your data. For each successive incremental backup, only the changes to your Amazon resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs.
For a list of which resources support incremental backups, see Feature availability by resource.
For more information on behaviors in vaults, see Incremental backups.
Full Amazon Backup management
Some resource types support full Amazon Backup management. The benefits of full Amazon Backup management include:
-
Independent encryption. Amazon Backup automatically encrypts your backups with the KMS key of your Amazon Backup vault, instead of using the same encryption key as your source resource. This increases your layers of defense. See Encryption for backups in Amazon Backup for more information.
-
awsbackupAmazon Resource Names (ARNs). Backup ARNs begin witharn:aws:backupinstead ofarn:aws:. This allows you to create access policies that apply specifically to backups and not the source resources. See Access control for more information.source-resource -
Centralized backup billing and Cost Explorer cost allocation tags.. Charges for Amazon Backup (including storage, data transfers, restores, and early deletion) appear under "Backup" in your Amazon Web Services bill, instead of appearing under each supported resource. You can also use Cost Explorer cost allocation tags to track and optimize your backup costs. See Metering, costs, and billing for Amazon Backup for more information.
To see which resource types are eligible for full Amazon Backup management, see Feature availability by resource.
Backup activity monitoring
Amazon Backup provides a dashboard that makes it simple to audit backup and restore activity across Amazon services. With just a few clicks on the Amazon Backup console, you can view the status of recent backup jobs. You can also restore jobs across Amazon services to ensure that your Amazon resources are properly protected.
Amazon Backup integrates with Amazon CloudWatch and Amazon EventBridge. CloudWatch allows you to track metrics and create alarms. EventBridge allows you to view and monitor Amazon Backup events. For more information, see Monitoring Amazon Backup events using EventBridge and Monitoring Amazon Backup metrics with CloudWatch.
Amazon Backup integrates with Amazon CloudTrail. CloudTrail gives you a consolidated view of backup activity logs that make it quick and easy to audit how your resources are backed up. Amazon Backup also integrates with Amazon Simple Notification Service (Amazon SNS), providing you with backup activity notifications, such as when a backup succeeds or a restore has been initiated. For more information, see Logging Amazon Backup API calls with CloudTrail and Amazon SNS and Amazon Backup events.
Secure your data in backup vaults
The content of each Amazon Backup backup is immutable, meaning that no one can alter that content. Amazon Backup further secures your backups in backup vaults, which separates them safely from their source instances. For example, your vault will retain your Amazon EC2 and Amazon EBS backups according to the lifecycle policy you choose, even if you delete the source Amazon EC2 instance and Amazon EBS volumes.
Backup vaults offer encryption and resource-based access policies that let you define who has access to your backups. You can define access policies for a backup vault that define who has access to the backups within that vault and what actions they can take. This provides a simple and secure way to control access to your backups across Amazon services. To review Amazon and customer managed policies for Amazon Backup, see Managed policies for Amazon Backup.
You can use Amazon Backup Vault Lock to prevent anyone (including you) from deleting backups or altering their retention period. Amazon Backup Vault Lock helps you enforce a write-once-read-many (WORM) model and add another layer of defense to your defense in depth. To get started, see Amazon Backup Vault Lock.
Getting started
To learn more about Amazon Backup, we recommend that you start with Getting started with Amazon Backup.
Supported Amazon resources and applications
The following are Amazon resources and third-party applications that you can back up and restore using Amazon Backup. For more information, see Amazon Backup feature availability.
| Service | Supported resource types |
|---|---|
| Amazon Elastic Compute Cloud (Amazon EC2) | Amazon EC2 instances backed by Amazon EBS volumes |
| Amazon Simple Storage Service (Amazon S3) | Amazon S3 data |
| Amazon Elastic Block Store (Amazon EBS) | Amazon EBS volumes |
| Amazon DynamoDB | Amazon DynamoDB tables |
| Amazon Relational Database Service (Amazon RDS) | Amazon RDS database instances (including all database engines); Multi-Availability Zone clusters |
| Amazon Aurora | Aurora clusters |
| Amazon Elastic File System (Amazon EFS) | Amazon EFS file systems |
| FSx for Lustre | FSx for Lustre file systems |
| FSx for Windows File Server | FSx for Windows File Server file systems |
| Amazon FSx for NetApp ONTAP | FSx for ONTAP file systems |
| Amazon FSx for OpenZFS | FSx for OpenZFS file systems |
| Amazon Storage Gateway (Volume Gateway) | Amazon Storage Gateway volumes |
| Amazon DocumentDB | Amazon DocumentDB instance-based clusters |
| Amazon Neptune | Amazon Neptune clusters |
| Amazon Redshift | Amazon Redshift clusters |
| Amazon Timestream | Amazon Timestream tables |
| VMware Cloud™ on Amazon |
VMware Cloud™ virtual machines on Amazon |
| VMware Cloud™ on Amazon Outposts |
VMware Cloud™ virtual machines on Amazon Outposts |
| Amazon CloudFormation | Amazon CloudFormation stacks |
| SAP HANA databases | SAP HANA databases on Amazon EC2 instances |
Pricing
With Amazon Backup, you pay for backup storage, data restored, restore testing, cross-Region data transfer, and
Amazon Backup Audit Manager. For more information, see Amazon Backup Pricing