AWS Backup
Most AWS services can take their own snapshots, but managing a dozen different snapshot schedules by hand quickly becomes a mess. AWS Backup is a fully managed service that gives you one place to define backup rules, schedules, and retention, then applies them automatically across many services at once. It also handles copying backups to other Regions and accounts, and can lock your backups so nobody (not even an admin) can delete them early. This matters because backups are your last line of defense against accidental deletion, ransomware, and audit failures.
What AWS Backup is
AWS Backup is a centralized backup orchestration service. Instead of configuring EBS snapshots in EC2, RDS snapshots in the database console, and DynamoDB backups somewhere else, you write one backup plan (a policy that says what to back up, how often, and how long to keep it) and AWS Backup runs it for you.
A few terms you will see repeatedly:
- Recovery point — a single backup taken at a point in time (the AWS Backup name for “a snapshot”).
- Backup vault — an encrypted container (a logical storage location) where recovery points are stored.
- Backup plan — the schedule and retention rules.
- Resource assignment — which resources the plan applies to, selected by tag or by ID.
It supports EBS (block storage volumes), RDS and Aurora (managed databases), DynamoDB (a NoSQL database), EFS (a shared file system), Amazon FSx, S3, EC2 instances, VMware, and more.
Tip: AWS Backup does not replace per-service snapshots — those still exist and you can still take them manually. AWS Backup simply gives you one policy and one audit point across everything.
When to use this (and when not to)
| Use AWS Backup when… | Use a per-service tool when… |
|---|---|
| You want one schedule and retention policy across many services | You only have a single resource and never expect to grow |
| You need cross-Region or cross-account copies for disaster recovery | You need point-in-time recovery features unique to a service (e.g. RDS continuous backups still help here) |
| Compliance requires immutable, auditable backups | You need an ad-hoc one-off snapshot before a risky change |
| You want centralized reporting and alerting on backup jobs | — |
For an enterprise or anything under a compliance regime (a set of rules you must prove you follow, such as HIPAA or PCI DSS), AWS Backup is almost always the right answer because of its central audit and vault lock features.
Create a backup plan (Console)
- Open the AWS Backup console and choose Backup plans > Create backup plan.
- Choose Build a new plan, give it a name like daily-prod-plan.
- Add a backup rule: pick a backup vault (the default Default vault or a custom one), a schedule (for example “Daily at 05:00 UTC”), and a retention period (for example 35 days).
- (Optional) Enable Copy to destination to copy each recovery point to another Region or account for disaster recovery.
- Choose Create plan.
- On the plan page, choose Assign resources. Select resources by tags (recommended, e.g. Backup = true) or by specific resource IDs, then save.
Create a backup plan (CLI)
First create the plan from a JSON definition, then assign resources to it.
aws backup create-backup-plan --backup-plan '{
"BackupPlanName": "daily-prod-plan",
"Rules": [{
"RuleName": "DailyBackups",
"TargetBackupVaultName": "Default",
"ScheduleExpression": "cron(0 5 * * ? *)",
"StartWindowMinutes": 60,
"CompletionWindowMinutes": 180,
"Lifecycle": { "DeleteAfterDays": 35 }
}]
}'
Output:
{
"BackupPlanId": "a1b2c3d4-1111-2222-3333-444455556666",
"BackupPlanArn": "arn:aws:backup:us-east-1:123456789012:backup-plan:a1b2c3d4-1111-2222-3333-444455556666",
"CreationDate": "2026-06-15T05:00:00.000000+00:00",
"VersionId": "ZjQ2...=="
}
Now assign resources by tag:
aws backup create-backup-selection \
--backup-plan-id a1b2c3d4-1111-2222-3333-444455556666 \
--backup-selection '{
"SelectionName": "tag-based",
"IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole",
"ListOfTags": [{ "ConditionType": "STRINGEQUALS", "ConditionKey": "Backup", "ConditionValue": "true" }]
}'
Any EBS volume, RDS database, or EFS file system tagged Backup=true is now backed up daily and kept for 35 days.
Cross-Region and cross-account copies
A backup that lives in the same Region and account as the original resource does not protect you if that whole Region or account is compromised. AWS Backup can automatically copy each recovery point to a vault in another Region (for Region-failure resilience) or another account (so an attacker who breaches your main account cannot delete the copies). Add a copy action to your backup rule and point it at the destination vault’s Amazon Resource Name (ARN, a unique ID for an AWS resource).
Backup Vault Lock for compliance and ransomware protection
This is the single most important feature for serious data protection. Backup Vault Lock makes recovery points immutable — once locked, they cannot be deleted or have their retention shortened before the configured period expires, even by the account root user.
aws backup put-backup-vault-lock-configuration \
--backup-vault-name prod-locked-vault \
--min-retention-days 35 \
--max-retention-days 1095 \
--changeable-for-days 3
The changeable-for-days value is a grace window. During those days you can still undo the lock; after it passes, the lock becomes compliance mode and is permanent. Use a short grace window in testing and the full window only when you are sure.
Warning: Vault Lock in compliance mode cannot be removed by anyone, including AWS Support. This is intentional — it is what makes the backups ransomware- and tamper-proof. Test your configuration with a short grace period first.
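The copy action described above and the vault lock shown here interact with a backup rule's Lifecycle: a job whose retention falls outside the locked vault's MinRetentionDays/MaxRetentionDays window fails, and a recovery point moved to cold storage must stay at least 90 days before it can expire. The following is an added example, not code from AWS or from this page, that assembles the --backup-plan JSON with a CopyActions entry and checks its lifecycle against a vault's lock settings before you run the CLI. It makes no AWS calls; the destination vault ARN, account ID, and the LOCKED_VAULT dict (a stand-in for what `aws backup describe-backup-vault` reports) are constructed placeholders.

```python
"""Added example (not AWS's code): build a backup plan document with a
cross-Region copy action and check its lifecycle against Backup Vault Lock
settings before passing it to `aws backup create-backup-plan --backup-plan`.
Makes no AWS API calls; all ARNs and account IDs are constructed placeholders."""
import json

# A recovery point moved to cold storage must remain at least 90 days,
# so DeleteAfterDays must be >= MoveToColdStorageAfterDays + 90.
COLD_STORAGE_MIN_DAYS = 90

# Constructed stand-in for the lock-related fields that
# `aws backup describe-backup-vault --backup-vault-name prod-locked-vault`
# returns after the lock on this page (min 35, max 1095 days) is applied.
LOCKED_VAULT = {
    "BackupVaultName": "prod-locked-vault",
    "Locked": True,
    "MinRetentionDays": 35,
    "MaxRetentionDays": 1095,
}

# Constructed placeholder: a destination vault in a second Region.
DR_VAULT_ARN = "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault"


def build_plan(name, vault_name, retain_days, copy_vault_arn=None,
               copy_retain_days=None, cold_after_days=None):
    """Return a dict shaped like the --backup-plan JSON on this page, with an
    optional CopyActions entry for a cross-Region or cross-account copy."""
    lifecycle = {"DeleteAfterDays": retain_days}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    rule = {
        "RuleName": "DailyBackups",
        "TargetBackupVaultName": vault_name,
        "ScheduleExpression": "cron(0 5 * * ? *)",
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 180,
        "Lifecycle": lifecycle,
    }
    if copy_vault_arn:
        rule["CopyActions"] = [{
            "DestinationBackupVaultArn": copy_vault_arn,
            # The copy has its own lifecycle; default to the source retention.
            "Lifecycle": {"DeleteAfterDays": copy_retain_days or retain_days},
        }]
    return {"BackupPlanName": name, "Rules": [rule]}


def lifecycle_problems(lifecycle, vault):
    """List reasons a rule's lifecycle would make jobs into `vault` fail
    (retention outside the lock window) or be rejected (cold-storage minimum).
    An empty list means the lifecycle is consistent with the vault's lock."""
    problems = []
    delete = lifecycle.get("DeleteAfterDays")
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    if vault.get("Locked"):
        min_days = vault.get("MinRetentionDays")
        max_days = vault.get("MaxRetentionDays")
        if delete is None and max_days is not None:
            problems.append("retain-forever exceeds the vault's MaxRetentionDays")
        if delete is not None and min_days is not None and delete < min_days:
            problems.append(f"DeleteAfterDays={delete} is below MinRetentionDays={min_days}")
        if delete is not None and max_days is not None and delete > max_days:
            problems.append(f"DeleteAfterDays={delete} exceeds MaxRetentionDays={max_days}")
    if cold is not None and delete is not None and delete < cold + COLD_STORAGE_MIN_DAYS:
        problems.append(f"DeleteAfterDays must be at least {cold + COLD_STORAGE_MIN_DAYS} "
                        f"when MoveToColdStorageAfterDays={cold}")
    return problems


def check_plan(plan, vaults_by_name):
    """Check each rule's lifecycle against its target vault, and each copy
    action against its destination vault when that vault's settings are
    supplied under the trailing name of the destination ARN."""
    problems = []
    for rule in plan["Rules"]:
        vault = vaults_by_name.get(rule["TargetBackupVaultName"], {})
        for p in lifecycle_problems(rule["Lifecycle"], vault):
            problems.append(f"{rule['RuleName']}: {p}")
        for copy in rule.get("CopyActions", []):
            dest_name = copy["DestinationBackupVaultArn"].rsplit(":", 1)[-1]
            dest = vaults_by_name.get(dest_name, {})
            for p in lifecycle_problems(copy["Lifecycle"], dest):
                problems.append(f"{rule['RuleName']} copy to {dest_name}: {p}")
    return problems


if __name__ == "__main__":
    plan = build_plan("daily-prod-plan", "prod-locked-vault", 35, DR_VAULT_ARN)
    print(json.dumps(plan, indent=2))  # ready for --backup-plan
    print(check_plan(plan, {"prod-locked-vault": LOCKED_VAULT}))
```

Run the check before `create-backup-plan` and again whenever you tighten a vault lock: a plan that was valid at 35 days retention silently starts failing jobs if the vault's minimum is later raised above it, and the failure shows up only in backup job status, not at plan-creation time.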
Verify your restores
An untested backup is not a backup. Schedule a regular restore test (AWS Backup has a built-in restore testing feature) so you know your recovery points actually restore.
aws backup start-restore-job \
--recovery-point-arn "arn:aws:ec2:us-east-1::snapshot/snap-0a1b2c3d4e5f" \
--iam-role-arn "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole" \
--metadata '{"volumeType":"gp3","availabilityZone":"us-east-1a"}' \
--resource-type EBS
Output:
{
"RestoreJobId": "B2C3D4E5-1111-2222-3333-444455556666"
}
Cost note: AWS Backup charges for warm storage (around $0.05/GB-month for EBS-backed recovery points in us-east-1), restores, and cross-Region data transfer. Cold storage (for EFS) is much cheaper (around $0.01/GB-month) but has a 90-day minimum. Long retention plus cross-Region copies multiply storage cost, so right-size your retention windows.
Best Practices
- Select resources by tag (such as Backup=true) rather than by ID, so new resources are protected automatically when they are tagged.
- Always configure cross-Region or cross-account copies for production data so a single Region or account failure cannot wipe out everything.
- Enable Backup Vault Lock on production vaults to make backups immutable against accidental deletion and ransomware.
- Test restores regularly using restore testing or manual restore jobs — verify the data, not just that a job succeeded.
- Use AWS Backup Audit Manager to prove compliance and alert on resources that fall outside your backup policy.
- Right-size retention and use cold storage where supported to keep costs predictable.