Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Backing up your Amazon EFS file systems

Amazon Backup is a simple and cost-effective way to protect your data by backing up your Amazon EFS file systems. Amazon Backup is a unified backup service designed to simplify the creation, migration, restoration, and deletion of backups, while providing improved reporting and auditing. Amazon Backup makes it easier to develop a centralized backup strategy for legal, regulatory, and professional compliance. Amazon Backup also makes protecting your Amazon storage volumes, databases, and file systems simpler by providing a central place where you can do the following:

Amazon EFS is natively integrated with Amazon Backup. You can use the EFS console, API, and Amazon Command Line Interface (Amazon CLI) to enable automatic backups for your file system. Automatic backups use a default backup plan with the Amazon Backup recommended settings for automatic backups. For more information, see Automatic backups. You can also use Amazon Backup to manually set your own backup plans where you specify the backup frequency, when to back up, how long to retain backups, and a lifecycle policy for backups. You can then assign Amazon EFS file systems, or other Amazon resources, to that backup plan.

Incremental backups

Amazon Backup performs incremental backups of EFS file systems. During the initial backup, a copy of the entire file system is made. During subsequent backups of that file system, only files and directories that have been changed, added, or removed are copied. With each incremental backup, Amazon Backup retains the necessary reference data to allow a full restore. This approach minimizes the time required to complete the backup and saves on storage costs by not duplicating data.

Backup consistency

Amazon EFS is designed to be highly available. You can access and modify your Amazon EFS file systems while your backup is occurring in Amazon Backup. However, inconsistencies, such as duplicated, skewed, or excluded data, can occur if you make modifications to your file system while the backup is occurring. These modifications include write, rename, move, or delete operations. To ensure consistent backups, we recommend that you pause applications or processes that are modifying the file system for the duration of the backup process. Or, schedule your backups to occur during periods when the file system is not being modified.

Backup performance

In general, you can expect the following backup and restore rates with Amazon Backup. The rates may be less for some workloads, such as those containing a large file or directory.

The maximum duration for a backup operation in Amazon Backup is 30 days.

Using Amazon Backup doesn't consume accumulated burst credits, and it doesn't count against the General Purpose performance mode file operation limits. For more information, see Quotas for Amazon EFS file systems.

Backup completion window

You can optionally specify a completion window for a backup. This window defines the period of time in which a backup needs to be completed. If you specify a completion window, make sure that you consider the expected performance and the size and makeup of your file system. Doing this helps make sure that your backup can be completed during the window.

Backups that aren't completed during the specified window are flagged with an incomplete status. During the next scheduled backup, Amazon Backup resumes at the point that it left off. You can see the status of all of your backups on the Amazon Backup Management Console.

EFS storage classes

You can use Amazon Backup to back up all data in an EFS file system, whatever storage class the data is in. You don't incur data access charges when backing up an EFS file system that has lifecycle management enabled and has data in the Infrequent Access (IA) or Archive storage class.

When you restore a recovery point, all files are restored to the Standard storage class. For more information on storage classes, see EFS storage classes and Managing file system storage.

IAM permissions for creating and restoring backups

You can use the elasticfilesystem:backup and elasticfilesystem:restore actions to allow or deny an IAM entity (such as a user, group, or role) the ability to create or restore backups of an EFS file system. You can use these actions in a file system policy or in an identity-based IAM policy. For more information, see Identity and access management for Amazon Elastic File System and Using IAM to control file system data access.

On-demand backups

Using either the Amazon Backup Management Console or the CLI, you can save a single resource to a backup vault on-demand. Unlike with scheduled backups, you don't need to create a backup plan to initiate an on-demand backup. You can still assign a lifecycle to your backup, which automatically moves the recovery point to the cold storage tier and notes when to delete it.

Concurrent backups

Amazon Backup limits backups to one concurrent backup per resource. Therefore, scheduled or on-demand backups might fail if a backup job is already in progress. For more information about Amazon Backup limits, see Amazon Backup Limits in the Amazon Backup Developer Guide.

Automatic backups

When you create a file system using the Amazon EFS console, automatic backups are turned on by default. You can turn on automatic backups after creating your file system using the CLI or API. The default EFS backup plan uses the Amazon Backup recommended settings for automatic backups—daily backups with a 35-day retention period. The backups created using the default EFS backup plan are stored in a default EFS backup vault, which is also created by EFS on your behalf. The default backup plan and backup vault cannot be deleted. You can edit the default backup plan settings using the Amazon Backup console. For more information, see Option 3: Create Automatic Backups in the Amazon Backup Developer Guide. You can see all of your automatic backups, and edit the default EFS backup plan settings using the Amazon Backup console. You can turn off automatic backups at any time using the Amazon EFS console or CLI, described in the following section.

Amazon EFS applies the aws:elasticfilesystem:default-backup system tag key with a value of enabled to EFS file systems when automatic backups are enabled.

Turning automatic backups on or off for existing file systems

After you create a file system you can turn automatic backups on or off using the console, the CLI, or the EFS API.

Using Amazon Backup to manually configure backups

When you use Amazon Backup to manually set up your file system backups, you first create a backup plan. The backup plan defines backup schedule, backup window, retention policy, lifecycle policy, and tags. You can create a backup plan using the Amazon Backup Management Console, the Amazon CLI, or the Amazon Backup API. As part of a backup plan, you can define the following:

After your backup plan is created, you assign the specific Amazon EFS file systems to the backup plan by using either tags or the Amazon EFS file system ID. After a plan is assigned, Amazon Backup begins automatically backing up the Amazon EFS file system on your behalf according to the backup plan that you defined. You can use the Amazon Backup console to manage backup configurations or monitor backup activity. For more information, see the Amazon Backup Developer Guide.

Restore a recovery point

Using either the Amazon Backup console or the CLI, you can restore a recovery point to a new EFS file system or to an existing file system. You can perform a Complete restore, which restores the entire file system. Or, you can restore specific files and directories using a Partial restore. To restore a specific file or directory, you must specify the relative path related to the mount point. For example, if the file system is mounted to /user/home/myname/efs and the file path is user/home/myname/efs/file1, enter /file1. Paths are case sensitive and cannot contain special characters, wildcard characters, or regular expression (regex) strings.

When you perform either a Complete or a Partial restore, your recovery point is restored to the restore directory, aws-backup-restore_timestamp-of-restore. When the restore is finished, you can see the restore directory at the root of the file system. If you attempt multiple restores for the same path, several directories containing the restored items might exist. If the restore fails to finish, you can see the directory aws-backup-failed-restore_timestamp-of-restore. You must manually delete the restore and failed-restore directories when you are through using them.

After restoring a recovery point, data fragments that can't be restored to the appropriate directory are placed in the aws-backup-lost+found directory. Fragments might be moved to this directory if modifications are made to the file system while the backup is occurring.

Deleting backups

The default EFS backup vault Access policy is set to deny deleting recovery points. To delete existing backups of your EFS file systems, you must change the vault access policy. If you attempt to delete an EFS recovery point without modifying the vault access policy, you receive the following error message:

"Access Denied: Insufficient privileges to perform this action. Please consult with the account administrator for necessary permissions."

To edit the default backup vault access policy, you must have permissions to edit policies. For more information, see Allow all IAM actions (admin access) in the IAM User Guide.