
AWS Backup: A Tool for Central Backup Management

You probably already know that backing up your systems is an important part of responsible IT management. Specifically, it helps you safeguard against malware, ransomware, disasters, and intrusions. Any mission-critical system needs a backup plan, since a backup may be your only way to recover from one of these events or from any other disaster.

You may not be aware that AWS provides a service called AWS Backup, which you can use to centralize backups of both AWS-based and on-premises data.

What is AWS Backup?

AWS Backup is a fully managed service that centralizes and automates data protection across AWS services and on-premises data. Although each AWS service provides its own service-specific way to back up resources, Backup lets you create backup policies and monitor backup activity from one place. In some cases it removes the need for custom scripts or manual processes to create backups.

Even though AWS Backup provides centralized backup, it does not govern backups taken outside of Backup, for example RDS or S3 snapshots taken from their respective consoles or APIs.

Above all, Backup stores your backups efficiently and incrementally. Although the first backup of a resource is a full copy of the data, each successive backup is incremental, so only changes to your resource are backed up. Incremental backups therefore give you frequent backups without the storage costs of repeated full copies. AWS Backup manages your backup chain, allowing you to restore from any backup. In particular, it automatically manages full backups and lifecycle so that you always have a full backup when older backups are deleted.

AWS Backup Key Concepts

Backup Vault

A backup vault is a container that stores and organizes your backups. Creating a backup vault requires an AWS KMS encryption key. This key is used to encrypt some backed-up resources, while the encryption of others is managed by their source AWS services.

Access to a backup vault is controlled by creating access policies. For example, a policy can limit which users can take on-demand backups, create backup plans, or delete previous backups.

Backup Plan

A backup plan is a JSON document that defines when and how you want to back up your resources. You assign individual resources to a backup plan; once added, AWS backs up and retains those resources according to the plan. Backup allows you to create multiple backup plans for different frequency or retention needs.

Powerful Centralized Multi-account Backups

[Figure: AWS Backup, centralized vault metaphor]

The real benefit and power of AWS Backup comes from the ability to create an organization-wide, multi-account backup system. Naturally, this requires multiple accounts managed through AWS Organizations. For the best results, you should set up AWS Control Tower to help manage your multi-account AWS environment.

The setup is to create a management account that controls your backup policies and a second account for your centralized backup vault. Every other account needs its own backup vault as well, which its AWS resources are backed up to. Finally, the data in these “local” backup vaults is copied to the central backup vault. Each individual account has access to its own backups through the local backup vault, making it easy for each account to manage backups on its own, while the centralized backup vault holds an enterprise-wide repository of backups with controlled access. This creates a second backup copy and helps protect against threats such as ransomware and intrusions.

The AWS Storage Blog has a great blog post with example automation for setting up the above configuration.
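To make the backup plan and vault access policy concrete, here is an added example (not code from the original post or from AWS) that builds the BackupPlan document for one account with a daily rule, lifecycle, and a CopyAction into the central vault of the backup account, and builds a vault access policy that denies deletion of recovery points to everyone except named principals. The account IDs, vault names, role ARN and schedule are constructed placeholders; the lifecycle check encodes the documented AWS Backup rule that a recovery point moved to cold storage must be retained there for at least 90 days.

```python
"""Added example (not from the post): build an AWS Backup plan that backs up to a local
vault and copies to a central one, plus a vault policy that blocks deletion. IDs, vault
names and schedule are constructed placeholders."""
import json

COLD_MIN_DAYS = 90  # cold-storage recovery points are retained at least 90 days

def validate_lifecycle(lifecycle):
    """Reject lifecycles AWS Backup would refuse: DeleteAfterDays must be
    at least MoveToColdStorageAfterDays + 90."""
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    delete = lifecycle.get("DeleteAfterDays")
    if cold is not None and delete is not None and delete < cold + COLD_MIN_DAYS:
        raise ValueError(f"DeleteAfterDays={delete} must be >= {cold + COLD_MIN_DAYS}")
    return lifecycle

def build_backup_plan(name, local_vault, central_vault_arn, cold_days=30, delete_days=365):
    """Return the BackupPlan document for 'aws backup create-backup-plan':
    one daily rule into the account's local vault, with a CopyAction that
    replicates each recovery point to the central vault in another account."""
    lifecycle = validate_lifecycle(
        {"MoveToColdStorageAfterDays": cold_days, "DeleteAfterDays": delete_days})
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": "daily-with-central-copy",
            "TargetBackupVaultName": local_vault,
            "ScheduleExpression": "cron(0 5 ? * * *)",  # 05:00 UTC every day
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 180,
            "Lifecycle": lifecycle,
            "CopyActions": [{"DestinationBackupVaultArn": central_vault_arn,
                             "Lifecycle": dict(lifecycle)}],
        }],
    }

def vault_deny_delete_policy(allowed_principal_arns):
    """Vault access policy: deny DeleteRecoveryPoint to everyone except the
    listed principals, so a compromised workload account cannot purge backups."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint", "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": allowed_principal_arns}},
    }]}

if __name__ == "__main__":
    plan = build_backup_plan("prod-daily", "prod-local-vault",
        "arn:aws:backup:us-east-1:222222222222:backup-vault:central-vault")
    print(json.dumps(plan, indent=2))  # save as plan.json; aws backup create-backup-plan --backup-plan file://plan.json
```

The printed document is the value of the `--backup-plan` argument to `aws backup create-backup-plan`; the policy dict is the value for `aws backup put-backup-vault-access-policy --policy`.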

AWS Backup Supported AWS Resources

The following list may have some exceptions. Check the AWS Backup documentation for details.

Final Thoughts

As usual, if you have any questions or want to set up something like we have outlined in this blog post, please reach out to us for a consultation.

Michael McCarthy

Michael is a veteran software engineer and cloud computing aficionado. After starting his career as a Java software engineer, he evolved into a consultant, focusing first on enterprise content management and later on AWS. He is currently an AWS Cloud Practitioner and AWS Solutions Architect Associate, although he has held many more certifications in the past.