Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Copying backups

You can use Amazon FSx to manually copy backups within the same Amazon account to another Amazon Region (cross-Region copies) or within the same Amazon Region (in-Region copies). You can make cross-Region copies only within the same Amazon partition. You can create user-initiated backup copies using the Amazon FSx console, Amazon CLI, or API. When you create a user-initiated backup copy, it has the type USER_INITIATED.

You can also use Amazon Backup to copy backups across Amazon Regions and across Amazon accounts. Amazon Backup is a fully managed backup management service that provides a central interface for policy-based backup plans. With its cross-account management, you can automatically use backup policies to apply backup plans across the accounts within your organization.

Cross-Region backup copies are particularly valuable for cross-Region disaster recovery. You take backups and copy them to another Amazon Region so that in the event of a disaster in the primary Amazon Region, you can restore from backup and recover availability quickly in the other Amazon Region. You can also use backup copies to clone your file dataset to another Amazon Region or within the same Amazon Region. You make backup copies within the same Amazon account (cross-Region or in-Region) by using the Amazon FSx console, Amazon CLI, or Amazon FSx for Lustre API. You can also use Amazon Backup to perform backup copies, either on-demand or policy-based.

Cross-account backup copies are valuable for meeting your regulatory compliance requirements to copy backups to an isolated account. They also provide an additional layer of data protection to help prevent accidental or malicious deletion of backups, loss of credentials, or compromise of Amazon KMS keys. Cross-account backups support fan-in (copy backups from multiple primary accounts to one isolated backup copy account) and fan-out (copy backups from one primary account to multiple isolated backup copy accounts).

You can make cross-account backup copies by using Amazon Backup with Amazon Organizations support. Account boundaries for cross-account copies are defined by Amazon Organizations policies. For more information about using Amazon Backup to make cross-account backup copies, see Creating backup copies across Amazon Web Services accounts in the Amazon Backup Developer Guide.

Backup copy limitations

The following are some limitations when you copy backups:

Permissions for cross-Region backup copies

You use an IAM policy statement to grant permissions to perform a backup copy operation. To communicate with the source Amazon Region to request a cross-Region backup copy, the requester (IAM role or IAM user) must have access to the source backup and the source Amazon Region.

You use the policy to grant permissions to the CopyBackup action for the backup copy operation. You specify the action in the policy's Action field, and you specify the resource value in the policy's Resource field, as in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "fsx:CopyBackup",
            "Resource": "arn:aws-cn:fsx:*:111122223333:backup/*"
        }
    ]
}

For more information on IAM policies, see Policies and permissions in IAM in the IAM User Guide.

Full and incremental copies

When you copy a backup to a different Amazon Web Services Region from the source backup, the first copy is a full backup copy. After the first backup copy, all subsequent backup copies to the same destination Region within the same Amazon account are incremental, provided that you haven't deleted all previously-copied backups in that Region and have been using the same Amazon KMS key. If both conditions aren't met, the copy operation results in a full (not incremental) backup copy.