Backup

AWS Backup

~ Last updated on : ~ jayendrapatil

AWS Backup

  • AWS Backup is a fully-managed service that helps centralize and automate data protection across AWS services, in the cloud, and on premises.
  • helps configure backup policies and monitor activity for the AWS resources in one place.
  • helps automate and consolidate backup tasks previously performed service-by-service and removes the need to create custom scripts and manual processes.
  • helps create backup policies called backup plans that help define the backup requirements like frequency, window, retention period, etc.
  • automatically backs up the AWS resources according to the defined backup plan.
  • can apply backup plans to the AWS resources by simply tagging them.
  • stores the periodic backups incrementally which provides benefit from the data protection of frequent backups while minimizing storage costs.
  • provides ransomware detection and recovery capabilities, and compliance insights and analytics for data protection policies and operations.
  • integrates with AWS Organizations to centrally deploy data protection policies across multiple accounts.

AWS Backup Features

  • Centralized Backup Management
    • provides a centralized backup console, APIs, and CLI to manage backups across all supported AWS services.
    • offers a consolidated view of backups and backup activity logs for auditing and compliance.
  • Policy-based Backup (Backup Plans)
    • Backup plans define backup requirements including schedule, window, retention, and lifecycle.
    • supports predefined backup schedules based on common best practices or custom schedules.
    • provides schedule preview that shows the next ten scheduled backup runs to validate schedules.
  • Tag-based Resource Assignment
    • can apply backup plans to AWS resources using tags for consistent and scalable protection.
    • supports assignment by resource ID, tags, or all resources of a specific type.
  • Lifecycle Management
    • supports automatic transition of backups from warm storage to cold storage to minimize costs.
    • supports a low-cost warm storage tier for Amazon S3 backup data (up to 30% cost reduction).
    • supports Amazon FSx Intelligent-Tiering for automatic cost optimization.
    • lifecycle policies automatically expire backups based on defined retention periods.
  • Cross-Region Backup
    • allows copying backups to multiple AWS Regions on demand or as part of a scheduled backup plan.
    • supports cross-Region and cross-account snapshot copy in a single operation for RDS, Aurora, DocumentDB, and Neptune.
  • Cross-Account Management and Backup
    • uses AWS Organizations to manage backups across all AWS accounts centrally.
    • supports delegated administrator for backup management without accessing management accounts.
    • can “fan in” backups to a single repository account or “fan out” for greater resilience.
  • Incremental Backups
    • stores periodic backups incrementally for supported resource types.
    • first backup is a full copy; subsequent backups capture only changes.
  • Full AWS Backup Management
    • provides independent encryption using the KMS key of the AWS Backup vault.
    • uses awsbackup ARNs for backup-specific access policies.
    • offers centralized backup billing and Cost Explorer cost allocation tags.
  • Backup Activity Monitoring
    • integrates with Amazon CloudWatch for metrics and alarms on backup/restore jobs.
    • integrates with AWS CloudTrail for audit logs of backup activity.
    • integrates with Amazon EventBridge for event-driven backup monitoring.
    • integrates with Amazon SNS for backup activity notifications.

AWS Backup Vault Lock

  • AWS Backup Vault Lock enables a write-once-read-many (WORM) model for backups.
  • prevents anyone (including root user) from deleting backups or altering their retention periods.
  • provides immutability to protect backups from inadvertent or malicious deletion.
  • has been assessed by Cohasset Associates for use in environments subject to SEC 17a-4, CFTC, and FINRA regulations.
  • supports both Governance mode (allows authorized users to modify) and Compliance mode (prevents all changes including by root user).
  • can be configured via the AWS Console, CLI, API, or SDK.

AWS Backup Logically Air-Gapped Vault

  • Logically air-gapped vaults store immutable backup copies that are locked by default in Compliance mode.
  • backups are isolated in a separate AWS Backup service-owned account for additional security.
  • supports encryption using AWS-owned keys (AOKs) or AWS KMS customer-managed keys (CMKs).
  • supports secure sharing of backup access across accounts and organizations using AWS Resource Access Manager (RAM).
  • supports direct restore from the vault to reduce recovery time.
  • supports primary backups directly to logically air-gapped vaults, eliminating the need for secondary copy operations.
  • supports Multi-party approval to authorize access to backups even when the owning account is compromised.
  • supports Amazon EBS, Amazon S3, Amazon EC2, Amazon RDS, Amazon Aurora, Amazon EFS, Amazon FSx (Lustre, Windows, OpenZFS), Amazon DynamoDB, and Amazon EKS.
  • provides robust protection against ransomware, insider threats, and account compromise.

AWS Backup Restore Testing

  • Restore testing enables automated, periodic evaluation of restore viability and recovery readiness.
  • allows scheduling automated restore operations in isolated environments to validate backups.
  • monitors restore job duration times to help meet Recovery Time Objectives (RTOs).
  • supports event-driven validation that runs when a restore testing job completes.
  • integrates with 3rd party malware scanning services to verify backup integrity.
  • helps demonstrate compliance with regulatory requirements for data recovery validation.

AWS Backup Audit Manager

  • AWS Backup Audit Manager helps simplify data governance and compliance management of backups.
  • provides built-in, customizable compliance controls aligned with organizational requirements.
  • automatically tracks backup activities and resources and detects violations.
  • generates daily reports on the compliance status of data protection frameworks.
  • reports include vault type, lock status, encryption details, archive settings, and retention periods.
  • findings can be imported into AWS Audit Manager for overall compliance posture.
  • supports legal hold to prevent backups from being deleted for preservation, auditing, or e-Discovery.

AWS Backup Search and Item-Level Recovery

  • allows searching the metadata of backups at a granular level for specific files or objects.
  • supports item-level search and recovery for Amazon EBS snapshots and Amazon S3 backups.
  • can be extended to Amazon EC2 instances for granular file-level recovery.
  • enables recovery of up to 5 items at a time without restoring the entire backup.
  • significantly reduces recovery time objectives (RTOs) for granular recovery scenarios.
  • supports creating backup indexes within backup policies for organization-wide search.

Amazon GuardDuty Malware Protection for AWS Backup

  • enables automated malware scanning of AWS Backup recovery points.
  • can be automated through backup plans or run as on-demand scans of existing backups.
  • detects malicious content before restoration to prevent reintroduction of compromised data.
  • uses multiple AWS and third-party malware scanning engines for comprehensive detection.
  • addresses a critical gap in ransomware recovery strategies.

AWS Backup Supported Services

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. For the production account, a SysOps administrator must ensure that all data is backed up daily for all current and future Amazon EC2 instances and Amazon Elastic File System (Amazon EFS) file systems. Backups must be retained for 30 days. Which solution will meet these requirements with the LEAST amount of effort?
    1. Create a backup plan in AWS Backup. Assign resources by resource ID, selecting all existing EC2 and EFS resources that are running in the account. Edit the backup plan daily to include any new resources. Schedule the backup plan to run every day with a lifecycle policy to expire backups after 30 days.
    2. Create a backup plan in AWS Backup. Assign resources by tags. Ensure that all existing EC2 and EFS resources are tagged correctly. Schedule the backup plan to run every day with a lifecycle policy to expire backups after 30 days.
    3. Create a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM). Assign all resources by resource ID, selecting all existing EC2 and EFS resources that are running in the account. Edit the lifecycle policy daily to include any new resources. Schedule the lifecycle policy to create snapshots every day with a retention period of 30 days.
    4. Create a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM). Assign all resources by tags. Ensure that all existing EC2 and EFS resources are tagged correctly. Schedule the lifecycle policy to create snapshots every day with a retention period of 30 days.
  2. A company needs to protect its AWS backups from ransomware attacks and ensure that even if an attacker compromises an administrator account, the backups cannot be deleted. Which AWS Backup feature should the company implement?
    1. Cross-Region backup copy
    2. AWS Backup Audit Manager
    3. AWS Backup Vault Lock in Compliance mode
    4. Tag-based backup policies
  3. A security team wants to ensure backup copies are stored in an isolated environment that is separate from the production account and protected from account compromise. The solution must also support direct restore capabilities. Which solution meets these requirements?
    1. Enable cross-Region backup with AWS Backup Vault Lock
    2. Copy backups to a separate AWS account using cross-account backup
    3. Store backups in AWS Backup logically air-gapped vaults
    4. Enable S3 Object Lock on the backup storage bucket
  4. A company wants to centrally manage backup policies across 50 AWS accounts and ensure compliance with data protection regulations. They need daily reports showing backup compliance status. Which combination of AWS services should be used? (Choose TWO)
    1. AWS Backup with AWS Organizations for cross-account backup management
    2. Amazon Data Lifecycle Manager with AWS Config
    3. AWS Backup Audit Manager for compliance reporting
    4. AWS Systems Manager with custom automation documents
    5. Amazon EventBridge with custom compliance rules
  5. A DevOps team needs to verify that their backup recovery process meets the organization’s Recovery Time Objective (RTO) of 4 hours. They want automated validation without manual intervention. Which AWS Backup feature should they use?
    1. AWS Backup Audit Manager compliance controls
    2. Amazon CloudWatch alarms on restore job duration
    3. AWS Backup restore testing with scheduled validation
    4. Cross-Region backup copy with monitoring
  6. A data engineer needs to quickly locate and restore a specific file from an Amazon EBS snapshot without restoring the entire volume. Which AWS Backup capability allows this?
    1. Point-in-time recovery
    2. AWS Backup search and item-level recovery
    3. Cross-Region restore
    4. Full volume restore with custom configuration
  7. A company wants to scan their AWS Backup recovery points for malware before restoring them to production to prevent reintroduction of compromised data. Which solution should they implement?
    1. AWS Config rules to check backup integrity
    2. AWS Backup restore testing with custom validation scripts
    3. Amazon GuardDuty Malware Protection for AWS Backup
    4. AWS Security Hub integrated with backup monitoring

References