Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon Backup?

Amazon Backup is a fully-managed service that makes it easy to centralize and automate data protection across Amazon services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your Amazon resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes. With a few clicks in the Amazon Backup console, you can automate your data protection policies and schedules.

Amazon Backup does not govern backups you take in your Amazon environment outside of Amazon Backup. Therefore, if you want a centralized, end-to-end solution for business and regulatory compliance requirements, start using Amazon Backup today.

Feature overview

Amazon Backup provides many features and capabilities, including the following.

Centralized backup management

Amazon Backup provides a centralized backup console, a set of backup APIs, and the Amazon Command Line Interface (Amazon CLI) to manage backups across the Amazon services that your applications use. With Amazon Backup, you can centrally manage backup policies that meet your backup requirements. You can then apply them to your Amazon resources across Amazon services, enabling you to back up your application data in a consistent and compliant manner. The Amazon Backup centralized backup console offers a consolidated view of your backups and backup activity logs, making it easier to audit your backups and ensure compliance.

Policy-based backup

With Amazon Backup, you can create backup policies known as backup plans. Use these backup plans to define your backup requirements and then apply them to the Amazon resources that you want to protect across the Amazon services that you use. You can create separate backup plans that each meet specific business and regulatory compliance requirements. This helps ensure that each Amazon resource is backed up according to your requirements. Backup plans make it easy to enforce your backup strategy across your organization and across your applications in a scalable manner.

For all the configuration options for backup plans, see Backup plan options and configuration.

Tag-based backup policies

You can use Amazon Backup to apply backup plans to your Amazon resources in a wide variety of ways, including tagging them. Tagging makes it easier to implement your backup strategy across all your applications and to ensure that all your Amazon resources are backed up and protected. Amazon tags are a great way to organize and classify your Amazon resources. Integration with Amazon tags enables you to quickly apply a backup plan to a group of Amazon resources, so that they are backed up in a consistent and compliant manner.

For all the ways you can assign your resources to backup plans, see Assigning resources to a backup plan.

Lifecycle management policies

Amazon Backup enables you to meet compliance requirements while minimizing backup storage costs by storing backups in a low-cost cold storage tier. You can configure lifecycle policies that automatically transition backups from warm storage to cold storage according to a schedule that you define.

For a list of resources which can be transitioned to cold storage, see Feature availability by resource. For steps to turn on cold storage in your backup plan, see Lifecycle and storage tiers.

Cross-Region backup

Using Amazon Backup, you can copy backups to multiple different Amazon Web Services Regions on demand or automatically as part of a scheduled backup plan. Cross-Region backup is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. For more information, see Creating backup copies across Amazon Web Services Regions.

Cross-account management and cross-account backup

You can use Amazon Backup to manage your backups across all Amazon Web Services accounts inside your Amazon Organizations structure. With cross-account management, you can automatically use backup policies to apply backup plans across the Amazon Web Services accounts within your organization. This makes compliance and data protection efficient at scale and reduces operational overhead. It also helps eliminate manually duplicating backup plans across individual accounts. For more information, see Managing Amazon Backup resources across multiple Amazon Web Services accounts.

You can also copy backups to multiple different Amazon Web Services accounts inside your Amazon Organizations management structure. This way, you can "fan in" backups to a single repository account, then "fan out" backups for greater resilience. Creating backup copies across Amazon Web Services accounts.

Before you can use the cross-account management and cross-account backup features, you must have an existing organization structure configured in Amazon Organizations. An organizational unit (OU) is a group of accounts that can be managed as a single entity. Amazon Organizations is a list of accounts that can be grouped into organizational units and managed as a single entity.

Auditing and reporting with Amazon Backup Audit Manager

Amazon Backup Audit Manager helps you simplify data governance and compliance management of your backups across Amazon. Amazon Backup Audit Manager provides built-in, customizable controls that you can align with your organizational requirements. You can also use these controls to automatically track your backup activities and resources.

Amazon Backup Audit Manager can help you locate specific activities and resources that are not yet compliant with the controls that you defined. It also generates daily reports that you can use to demonstrate evidence of compliance with your controls over time.

To include your backup compliance alongside your overall compliance posture, you can automatically import Amazon Backup Audit Manager findings into Amazon Audit Manager.

Incremental backups

Amazon Backup efficiently stores your periodic backups incrementally. The first backup of an Amazon resource backs up a full copy of your data. For each successive incremental backup, only the changes to your Amazon resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs.

For a list of which resources support incremental backups, see Feature availability by resource.

Full Amazon Backup management

Some resource types support full Amazon Backup management. The benefits of full Amazon Backup management include:

To see which resource types are eligible for full Amazon Backup management, see Feature availability by resource.

Backup activity monitoring

Amazon Backup provides a dashboard that makes it simple to audit backup and restore activity across Amazon services. With just a few clicks on the Amazon Backup console, you can view the status of recent backup jobs. You can also restore jobs across Amazon services to ensure that your Amazon resources are properly protected.

Amazon Backup integrates with Amazon CloudWatch and Amazon EventBridge. CloudWatch allows you to track metrics and create alarms. EventBridge allows you to view and monitor Amazon Backup events. For more information, see Monitoring Amazon Backup events using EventBridge and Monitoring Amazon Backup metrics with CloudWatch.

Amazon Backup integrates with Amazon CloudTrail. CloudTrail gives you a consolidated view of backup activity logs that make it quick and easy to audit how your resources are backed up. Amazon Backup also integrates with Amazon Simple Notification Service (Amazon SNS), providing you with backup activity notifications, such as when a backup succeeds or a restore has been initiated. For more information, see Logging Amazon Backup API calls with CloudTrail and Using Amazon SNS to track Amazon Backup events.

Secure your data in backup vaults

The content of each Amazon Backup backup is immutable, meaning that no one can alter that content. Amazon Backup further secures your backups in backup vaults, which separates them safely from their source instances. For example, your vault will retain your Amazon EC2 and Amazon EBS backups according to the lifecycle policy you choose, even if you delete the source Amazon EC2 instance and Amazon EBS volumes.

Backup vaults offer encryption and resource-based access policies that let you define who has access to your backups. You can define access policies for a backup vault that define who has access to the backups within that vault and what actions they can take. This provides a simple and secure way to control access to your backups across Amazon services. To review Amazon and customer managed policies for Amazon Backup, see Managed policies for Amazon Backup.

You can use Amazon Backup Vault Lock to prevent anyone (including you) from deleting backups or altering their retention period. Amazon Backup Vault Lock helps you enforce a write-once-read-many (WORM) model and add another layer of defense to your defense in depth. To get started, see Amazon Backup Vault Lock.

Support for compliance obligations

Amazon Backup helps you meet your global compliance obligations. Amazon Backup is in scope of the following Amazon compliance programs:

Getting started

To learn more about Amazon Backup, we recommend that you start with Getting started with Amazon Backup.

Supported Amazon resources and applications

The following are Amazon resources and third-party applications that you can back up and restore using Amazon Backup. For more information, see Amazon Backup feature availability.

Pricing

With Amazon Backup, you pay for backup storage, data restored, restore testing, cross-Region data transfer, and Amazon Backup Audit Manager. For more information, see Amazon Backup Pricing.