You probably already know that backing up your systems is an important part of responsible IT management. Specifically, it can help your safeguard against malware, ransomware, disasters, and intrusion. Any mission critical system needs a backup plan. Certainly, a backup may be your only way to recover from one of the previously mentioned, or any other potential disaster.
You may not be aware that AWS provides a service called AWS Backup, which you can use to centralize backups for both AWS based and on premises data.
What is AWS Backup?
AWS Backup is a fully managed service that centralizes and automates data protection across AWS services and on premises. Although AWS services provide service-specific methods to backup resources, Backup allows you to create backup policies and monitors backup activity from one place. In some cases it removes the need for custom scripts or manual processes to create backups.
Even though AWS Backup provides centralized backup, Backup does not govern backups taken from outside of Backup. For example, RDS or S3 snapshots taken from their respective consoles or APIs.
Above all Backup efficiently stores your backups incrementally. Although the first backup or a resource is a full copy of the data, each successive backup is incremental. Hence only changes to your resource are backed up. Accordingly, incremental backups provide the benefit of frequent backups without the storage costs. AWS Backup seamlessly manages your backup chain, allowing you to restore from any backup. Particularly, this includes automatically managing full backups and lifecycle so you always have a full backup when older backups are deleted.
AWS Backup Key Concepts
A backup vault is a container that stores and organizes your backups. Additionally, a backup vault requires an AWS KMS encryption key to create. This encryption key is used to encrypt some backed up resources, while others are managed from their source AWS services.
Access to a backup vault is controlled by creating access policies. For example, this can limit which users have access to on-demand backups, creating backup plans, and delete previous backups.
A backup plan is a JSON document that defines when and how you want to back up your resources. Accordingly, you can assign individual resources to backup plans. Once added, AWS backs up and retains the resources according to the backup plan. Backup allows you to create multiple backup plans for different frequency or retention needs.
Powerful Centralized Multi-account Backups
The real benefit and power from AWS backup comes from the ability to create an organization wide multi-account backup system. Obviously, multiple accounts managed through AWS Organizations is required. For the best results, you should set up AWS Control Tower to help manage your multi-account AWS environment.
The setup is to create an account for management to control your backup policies and a second account for your centralized backup vault. Any other accounts need to have their own backup vaults as well, where AWS resources are backup to. Finally, the “local” backup vaults have their data synced to the central backup vault. Each individual account has access to that account’s backups through the local backup vault, making it easy for each account to manage backups on their own. The centralized backup vault has an enterprise wide repository of backups with controlled access. This creates a second backup copy and helps prevent against other treats such as ransomware and intrusions.
The AWS Storage Blog has a great blog post with example automation for setting up the above configuration.
AWS Backup Supported AWS Resources
The following list may have some exceptions. Check the AWS Backup documentation for details.
- Amazon Simple Storage Service (Amazon S3)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Windows Volume Shadow Copy Service (VSS)
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Relational Database Service (Amazon RDS)
- FSx for Lustre
- Amazon Elastic File System (Amazon EFS)
- FSx for Windows File Server
- Amazon FSx for NetApp ONTAP
- Amazon FSx for OpenZFS
- AWS Storage Gateway (Volume Gateway)
- Amazon DocumentDB
- Amazon Aurora
- VMware Cloud on AWS
- VMware Cloud on AWS Outposts
- Amazon DynamoDB
- Amazon Neptune
As usual, if you have any questions or want to set something up like we have outlined in this blog post. Please reach out to us for a consultation.