What is Amazon Backup?
Amazon Backup is a fully-managed service that makes it easy to centralize and automate data protection across Amazon services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your Amazon resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes. With a few clicks in the Amazon Backup console, you can automate your data protection policies and schedules.
Amazon Backup does not govern backups you take in your Amazon environment outside of Amazon Backup. Therefore, if you want a centralized, end-to-end solution for business and regulatory compliance requirements, start using Amazon Backup today.
Supported Amazon resources and third-party applications
The following are Amazon resources and third-party applications that you can back up and restore using Amazon Backup.
| Supported resource | Supported resource type |
|---|---|
| Amazon Elastic Compute Cloud (Amazon EC2) | Amazon EC2 instances (excluding store-backed AMIs) |
| Amazon Simple Storage Service (Amazon S3) | Amazon S3 data |
| Amazon Elastic Block Store (Amazon EBS) | Amazon EBS volumes |
| Amazon DynamoDB | Amazon DynamoDB tables |
| Amazon Relational Database Service (Amazon RDS) | Amazon RDS database instances (including all database engines); Multi-Availability Zone clusters |
| Amazon Aurora | Aurora clusters |
| Amazon Elastic File System (Amazon EFS) | Amazon EFS file systems |
| FSx for Lustre | FSx for Lustre file systems |
| FSx for Windows File Server | FSx for Windows File Server file systems |
| Amazon FSx for NetApp ONTAP | FSx for ONTAP file systems |
| Amazon FSx for OpenZFS | FSx for OpenZFS file systems |
| Amazon Storage Gateway (Volume Gateway) | Amazon Storage Gateway volumes |
| Amazon DocumentDB | Amazon DocumentDB clusters |
| Amazon Neptune | Amazon Neptune clusters |
| Amazon Redshift | Amazon Redshift clusters |
| Amazon Timestream | Amazon Timestream clusters |
| VMware Cloud™ on Amazon |
VMware Cloud™ virtual machines on Amazon |
| VMware Cloud™ on Amazon Outposts |
VMware Cloud™ virtual machines on Amazon Outposts |
| Amazon CloudFormation | Amazon CloudFormation stacks |
| SAP HANA databases | SAP HANA databases on Amazon EC2 instances |
Features available for all supported resources
Amazon Backup features are offered according to resource and Amazon Web Services Region. The following sections and tables can help you determine feature availability.
Amazon Backup offers the following features for its supported Amazon services, as well as for supported third-party applications. Support for a feature or service should not be assumed unless explicitly mentioned.
-
Incremental backups, except for DynamoDB, Aurora, DocumentDB, and Neptune.
-
Automated backup audits and reports with Amazon Backup Audit Manager
Feature availability by resource
To use Amazon Backup with a supported Amazon service in a particular Region, the service must be available in the Region. To determine service availability in a Region, view the service's endpoints in the Amazon General Reference.
| Amazon Backup supports | Cross-Region backup | Cross-account backup | Amazon Backup Audit Manager | Incremental backup | Continuous backup and point-in-time restore (PITR) | Full Amazon Backup management | Lifecycle to cold storage | Item-level restore‡ |
|---|---|---|---|---|---|---|---|---|
| EC2 | ✓ | ✓ | ✓ | ✓ | ||||
| S3 | ✓^ | ✓^ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| EBS | ✓ | ✓ | ✓ | ✓ | ||||
| RDS single instance | ✓* | ✓* | ✓** | ✓ | ✓ | |||
| RDS cluster | ✓* | ✓* | ✓** | ✓ | ||||
| Aurora | ✓* | ✓* | ✓ | ✓+ | ✓ | |||
| EFS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| FSx for Lustre | ✓ | ✓ | ✓ | ✓ | ||||
| FSx for Windows File Server | ✓ | ✓ | ✓ | ✓ | ||||
| FSx for ONTAP | ✓† | ✓ | ||||||
| FSx for OpenZFS | ✓ | ✓ | ✓ | ✓ | ||||
| Storage Gateway | ✓ | ✓ | ✓ | ✓ | ||||
| DocumentDB | ✓* | ✓* | ✓ | |||||
| Neptune | ✓* | ✓* | ✓ | |||||
| Amazon Redshift | ✓ | |||||||
| Timestream | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Windows VSS | ✓ | ✓ | ✓ | ✓ | ||||
| Virtual machines | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| CloudFormation templates | ✓ | ✓ | ✓' | ✓ | ✓' | |||
| DynamoDB without Amazon Backup advanced features | ✓ | |||||||
| DynamoDB with Amazon Backup advanced features | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| SAP HANA databases on Amazon EC2 instances | ✓ | ✓ | ✓ | ✓ |
^ Destination copies from S3 buckets and RDS databases with PITR are not Point-in-Time restorable (PITR).
* RDS, Aurora, DocumentDB, and Neptune do not support a single copy action that performs both cross-Region AND cross-account backup. You can choose one or the other. You can also use a Amazon Lambda script to listen for the completion of your first copy, perform your second copy, then delete the first copy. RDS multi availability zone (Multi-AZ) database instances can be copied, but Multi-AZ clusters do not currently support cross-Region or cross-account copy.
+ Amazon Backup supports Aurora snapshots, billed as incremental or full backups.
** See RDS multi-availability zone backups for Regions where Backup Audit Manager support is available.
† Amazon Backup Audit Manager supports this resource across all controls except cross-account copy and cross-Region copy.
‡ The "item" in an item-level restore varies depending on the supported resource. For example, a file system item is a file or directory, whereas an S3 item is an S3 object. A VMware item is a disk. For more information, see the Restoring a backup section for the supported resource.
' In CloudFormation stack backups, nested resources retain their source resources' features. However, resources within the stack do not retain Point-in-Time Restore (PITR) functionality (such as S3 and RDS). Properties within the matrix above apply just to CloudFormation templates and not to the resources within the stack.
Feature availability by Amazon Web Services Region
Amazon Backup is available in all the following Amazon Web Services Regions. Amazon Backup features are available in all these Regions unless otherwise noted in the following table.
| Amazon Backup supports | Cross-Region backup | Cross-account management | Cross-account backup | Amazon Backup Audit Manager |
|---|---|---|---|---|
| US East (Ohio) | ✓ | ✓ | ✓ | ✓ |
| US East (N. Virginia) | ✓ | ✓ | ✓ | ✓ |
| US West (N. California) | ✓ | ✓ | ✓ | ✓ |
| US West (Oregon) | ✓ | ✓ | ✓ | ✓ |
| Africa (Cape Town) | ✓ | ✓ | ✓ | |
| Asia Pacific (Hong Kong) | ✓ | ✓ | ✓ | |
| Asia Pacific (Hyderabad) | ✓ | ✓ | ||
| Asia Pacific (Jakarta) | ✓ | ✓ | ||
| Asia Pacific (Melbourne) | ✓ | ✓ | ||
| Asia Pacific (Mumbai) | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Osaka) | ✓ | ✓ | ✓ | |
| Asia Pacific (Seoul) | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Singapore) | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Sydney) | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Tokyo) | ✓ | ✓ | ✓ | ✓ |
| Canada (Central) | ✓ | ✓ | ✓ | ✓ |
| China (Beijing) | ✓ | |||
| China (Ningxia) | ✓ | |||
| Europe (Frankfurt) | ✓ | ✓ | ✓ | ✓ |
| Europe (Ireland) | ✓ | ✓ | ✓ | ✓ |
| Europe (London) | ✓ | ✓ | ✓ | ✓ |
| Europe (Milan) | ✓ | ✓ | ✓ | |
| Europe (Paris) | ✓ | ✓ | ✓ | ✓ |
| Europe (Spain) | ✓ | ✓ | ||
| Europe (Stockholm) | ✓ | ✓ | ✓ | ✓ |
| Europe (Zurich) | ✓ | ✓ | ||
| Israel (Tel Aviv) | ✓ | ✓ | ||
| Middle East (Bahrain) | ✓ | ✓ | ✓ | |
| Middle East (UAE) | ✓ | |||
| South America (São Paulo) | ✓ | ✓ | ✓ | ✓ |
| Amazon GovCloud (US-East) | ✓ | ✓ | ✓ | ✓ |
| Amazon GovCloud (US-West) | ✓ | ✓ | ✓ | ✓ |
Supported services by Amazon Web Services Region
Amazon Backup supports Aurora, DynamoDB, DynamoDB with Amazon Backup advanced features, Amazon EBS, Amazon EC2, Amazon EFS, Amazon Redshift, and Amazon RDS in all supported Regions.
The following Regions support the indicated services:
| Region and service | Amazon FSx | SAP HANA on EC2 instances | Amazon S3 | Storage Gateway | Amazon Timestream | VMware |
|---|---|---|---|---|---|---|
| US East (N. Virginia) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| US East (Ohio) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| US West (N. California) | Windows; Lustre; ONTAP | ✓ | ✓ | ✓ | ✓ | ✓ |
| US West (Oregon) | Windows; Lustre; ONTAP | ✓ | ✓ | ✓ | ✓ | ✓ |
| Africa (Cape Town) | Windows; Lustre; ONTAP | ✓ | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ |
| Asia Pacific (Hong Kong) | ✓ | ✓ | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ |
| Asia Pacific (Hyderabad) | ✓ (no cross-account/cross-Region copy) | |||||
| Asia Pacific (Jakarta) | ✓ | |||||
| Asia Pacific (Melbourne) | ✓ (no cross-account/cross-Region copy) | |||||
| Asia Pacific (Mumbai) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Osaka) | Windows; Lustre | ✓ | ✓ (no cross-account/cross-Region copy) | ✓ | ||
| Asia Pacific (Seoul) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Singapore) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Sydney) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Asia Pacific (Tokyo) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Canada (Central) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| China (Beijing) | Windows; Lustre | ✓ | ✓ | |||
| China (Ningxia) | Windows; Lustre | ✓ | ✓ | |||
| Europe (Frankfurt) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Europe (Ireland) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Europe (London) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Europe (Milan) | Windows; Lustre; ONTAP | ✓ | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ |
| Europe (Paris) | Windows; Lustre; ONTAP | ✓ | ✓ | ✓ | ✓ | ✓ |
| Europe (Spain) | ✓ (no cross-account/cross-Region copy) | |||||
| Europe (Stockholm) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Europe (Zurich) | ✓ (no cross-account/cross-Region copy) | |||||
| Israel (Tel Aviv) | ✓ (no cross-account/cross-Region copy) | |||||
| Middle East (Bahrain) | Windows; Lustre; ONTAP | ✓ | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ |
| Middle East (UAE) | Windows; Lustre; ONTAP | ✓ (no cross-account/cross-Region copy) | ||||
| South America (São Paulo) | ✓ | ✓ | ✓ | ✓ | ||
| Amazon GovCloud (US-West) | Windows; Lustre; ONTAP | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ | |
| Amazon GovCloud (US-East) | Windows; Lustre; ONTAP | ✓ (no cross-account/cross-Region copy) | ✓ | ✓ | ✓ |
A check under Amazon FSx indicates that FSx for Windows File Server, FSx for Lustre, FSx for ONTAP, and FSx for OpenZFS are all supported in that Region by Amazon Backup; otherwise, the supported configurations will be listed.
Feature overview
Amazon Backup provides many features and capabilities, including:
Centralized backup management
Amazon Backup provides a centralized backup console, a set of backup APIs, and the Amazon Command Line Interface (Amazon CLI) to manage backups across the Amazon services that your applications use. With Amazon Backup, you can centrally manage backup policies that meet your backup requirements. You can then apply them to your Amazon resources across Amazon services, enabling you to back up your application data in a consistent and compliant manner. The Amazon Backup centralized backup console offers a consolidated view of your backups and backup activity logs, making it easier to audit your backups and ensure compliance.
Policy-based backup
With Amazon Backup, you can create backup policies known as backup plans. Use these backup plans to define your backup requirements and then apply them to the Amazon resources that you want to protect across the Amazon services that you use. You can create separate backup plans that each meet specific business and regulatory compliance requirements. This helps ensure that each Amazon resource is backed up according to your requirements. Backup plans make it easy to enforce your backup strategy across your organization and across your applications in a scalable manner.
For all the configuration options for backup plans, see Backup plan options and configuration.
Tag-based backup policies
You can use Amazon Backup to apply backup plans to your Amazon resources in a wide variety of ways, including tagging them. Tagging makes it easier to implement your backup strategy across all your applications and to ensure that all your Amazon resources are backed up and protected. Amazon tags are a great way to organize and classify your Amazon resources. Integration with Amazon tags enables you to quickly apply a backup plan to a group of Amazon resources, so that they are backed up in a consistent and compliant manner.
For all the ways you can assign your resources to backup plans, see Assigning resources to a backup plan.
Lifecycle management policies
Amazon Backup enables you to meet compliance requirements while minimizing backup storage costs by storing backups in a low-cost cold storage tier (backups to cold storage are full backups). You can configure lifecycle policies that automatically transition backups from warm storage to cold storage according to a schedule that you define.
Amazon Backup lifecycles data (that is, transitions data from warm to cold storage) that is no longer referenced by warm backups. Data in cold backups that is only referenced by other cold backups are billed at cold storage tier prices. Others continue at warm storage tier pricing.
For which resources support tiering to cold storage, see Feature availability by resource. The cold storage expression is ignored for other backups.
Cross-Region backup
Using Amazon Backup, you can copy backups to multiple different Amazon Web Services Regions on demand or automatically as part of a scheduled backup plan. Cross-Region backup is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. For more information, see Creating backup copies across Amazon Web Services Regions.
Cross-account management and cross-account backup
You can use Amazon Backup to manage your backups across all Amazon Web Services accounts inside your Amazon Organizations structure. With cross-account management, you can automatically use backup policies to apply backup plans across the Amazon Web Services accounts within your organization. This makes compliance and data protection efficient at scale and reduces operational overhead. It also helps eliminate manually duplicating backup plans across individual accounts. For more information, see Managing Amazon Backup resources across multiple Amazon Web Services accounts.
You can also copy backups to multiple different Amazon Web Services accounts inside your Amazon Organizations management structure. This way, you can "fan in" backups to a single repository account, then "fan out" backups for greater resilience. Creating backup copies across Amazon Web Services accounts.
Before you can use the cross-account management and cross-account backup features, you must have an existing organization structure configured in Amazon Organizations. An organizational unit (OU) is a group of accounts that can be managed as a single entity. Amazon Organizations is a list of accounts that can be grouped into organizational units and managed as a single entity.
Auditing and reporting with Amazon Backup Audit Manager
Amazon Backup Audit Manager helps you simplify data governance and compliance management of your backups across Amazon. Amazon Backup Audit Manager provides built-in, customizable controls that you can align with your organizational requirements. You can also use these controls to automatically track your backup activities and resources.
Amazon Backup Audit Manager can help you locate specific activities and resources that are not yet compliant with the controls that you defined. It also generates daily reports that you can use to demonstrate evidence of compliance with your controls over time.
To include your backup compliance alongside your overall compliance posture, you can automatically import Amazon Backup Audit Manager findings into Amazon Audit Manager.
Incremental backups
Amazon Backup efficiently stores your periodic backups incrementally. The first backup of an Amazon resource backs up a full copy of your data. For each successive incremental backup, only the changes to your Amazon resources are backed up. Incremental backups enable you to benefit from the data protection of frequent backups while minimizing storage costs (backups to cold storage are full backups).
For a list of which resources support incremental backups, see Feature availability by resource.
Full Amazon Backup management
Some resource types support full Amazon Backup management. The benefits of full Amazon Backup management include:
-
Independent encryption. Amazon Backup automatically encrypts your backups with the KMS key of your Amazon Backup vault, instead of using the same encryption key as your source resource. This increases your layers of defense. See Encryption for backups in Amazon Backup for more information.
-
awsbackupAmazon Resource Names (ARNs). Backup ARNs begin witharn:aws:backupinstead ofarn:aws:. This allows you to create access policies that apply specifically to backups and not the source resources. See Access control for more information.source-resource -
Centralized backup billing and Cost Explorer cost allocation tags.. Charges for Amazon Backup (including storage, data transfers, restores, and early deletion) appear under "Backup" in your Amazon Web Services bill, instead of appearing under each supported resource. You can also use Cost Explorer cost allocation tags to track and optimize your backup costs. See Metering, costs, and billing for more information.
To see which resource types are eligible for full Amazon Backup management, see Feature availability by resource.
Backup activity monitoring
Amazon Backup provides a dashboard that makes it simple to audit backup and restore activity across Amazon services. With just a few clicks on the Amazon Backup console, you can view the status of recent backup jobs. You can also restore jobs across Amazon services to ensure that your Amazon resources are properly protected.
Amazon Backup integrates with Amazon CloudWatch and Amazon EventBridge. CloudWatch allows you to track metrics and create alarms. EventBridge allows you to view and monitor Amazon Backup events. For more information, see Monitoring Amazon Backup events using EventBridge and Monitoring Amazon Backup metrics with CloudWatch.
Amazon Backup integrates with Amazon CloudTrail. CloudTrail gives you a consolidated view of backup activity logs that make it quick and easy to audit how your resources are backed up. Amazon Backup also integrates with Amazon Simple Notification Service (Amazon SNS), providing you with backup activity notifications, such as when a backup succeeds or a restore has been initiated. For more information, see Logging Amazon Backup API calls with CloudTrail and Using Amazon SNS to track Amazon Backup events.
Secure your data in backup vaults
The content of each Amazon Backup backup is immutable, meaning that no one can alter that content. Amazon Backup further secures your backups in backup vaults, which separates them safely from their source instances. For example, your vault will retain your Amazon EC2 and Amazon EBS backups according to the lifecycle policy you choose, even if you delete the source Amazon EC2 instance and Amazon EBS volumes.
Backup vaults offer encryption and resource-based access policies that let you define who has access to your backups. You can define access policies for a backup vault that define who has access to the backups within that vault and what actions they can take. This provides a simple and secure way to control access to your backups across Amazon services. To review Amazon and customer managed policies for Amazon Backup, see Managed policies for Amazon Backup.
You can use Amazon Backup Vault Lock to prevent anyone (including you) from deleting backups or altering their retention period. Amazon Backup Vault Lock helps you enforce a write-once-read-many (WORM) model and add another layer of defense to your defense in depth. To get started, see Amazon Backup Vault Lock.
Support for compliance obligations
Amazon Backup helps you meet your global compliance obligations. Amazon Backup is in scope of the following Amazon compliance programs:
Getting started
To learn more about Amazon Backup, we recommend that you start with Getting started with Amazon Backup.