This chapter covers AWS Backup, the fully managed backup service that centralizes and automates data protection across AWS services. For the SAA-C03 exam, AWS Backup appears in roughly 5-8% of questions, primarily in the Resilient Architectures domain (Objective 2.6). You must understand how to create backup plans, configure lifecycle policies, use backup vaults and vault lock, and implement cross-region and cross-account backups. The exam tests your ability to design automated, compliant backup strategies that meet RPO and RTO requirements while minimizing cost.
Jump to a section
Imagine you run a large office building with hundreds of employees, each storing critical documents in their own desks. You need to ensure copies of all documents are stored off-site in a fireproof vault every night, but each employee has their own preferred filing system. AWS Backup is like hiring a professional records management company. They install a standardized lockbox in every desk (the backup plan) that automatically collects documents at a set time each day (backup schedule). The company provides a single key (IAM role) that only works for copying documents, not reading them. They also offer different vault types: a standard steel vault (backup vault) for general use, and a special fireproof, delay-lock vault (logically air-gapped vault) that can only be opened after a 72-hour waiting period, preventing ransomware from deleting backups quickly. The records company keeps a master catalog (backup index) of every document in every vault, searchable by date, employee name, or document type. If a fire destroys the office, the records company can restore all documents to a new office (cross-region copy) or even to a different city (cross-account copy). Without AWS Backup, each employee would have to manually copy their files to a shared drive using different tools, leading to inconsistent schedules, missed backups, and no unified recovery plan. AWS Backup centralizes this, ensuring every resource is backed up consistently, automatically, and with compliance-grade security controls.
What is AWS Backup and Why It Exists
AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services. Before AWS Backup, administrators had to use service-specific backup features (e.g., RDS automated snapshots, EBS snapshots, DynamoDB on-demand backups) with different consoles, scripts, and retention policies. This led to inconsistent coverage, manual errors, and difficulty in meeting compliance requirements. AWS Backup solves this by providing a single policy engine (backup plans) that can target multiple resource types, schedule backups, define retention, and apply lifecycle rules to transition backups to cold storage or expire them.
How AWS Backup Works Internally
AWS Backup operates through a set of core components that work together to create, manage, and restore backups. The service uses a regional service endpoint and integrates with AWS KMS for encryption, AWS CloudTrail for auditing, and AWS Organizations for cross-account management.
Backup Plans: A backup plan is a policy that defines when and how to back up your resources. It includes: - Backup schedule: Can be hourly, daily, weekly, or custom cron expressions. Default minimum interval is 1 hour. - Backup window: The time window during which the backup job can start. Default is 8 hours. If the window closes before the backup completes, the job is canceled. - Lifecycle rules: Transition backups from warm storage (standard) to cold storage (expedited or bulk) after a set number of days, and expire (delete) them after a set number of days or years. For example, move to cold storage after 30 days, expire after 1 year. - Backup vault: The logical container where backups are stored. You can use a default vault or create custom vaults with specific encryption keys and access policies. - IAM role: The role that AWS Backup assumes to create backups. Must have permissions to describe and create snapshots for the target resources.
Backup Vaults: A backup vault is a container that stores recovery points (backups). Each vault has: - Encryption: Uses AWS KMS customer managed key (CMK) or AWS managed key (aws/backup). Default is aws/backup. - Access policies: Resource-based policies that control who can create, restore, or delete backups in the vault. - Vault Lock: An optional feature that enforces a retention policy that cannot be changed after a grace period. Once locked, no one can delete backups earlier than the specified retention, even with full administrative privileges. This protects against ransomware and malicious deletions. - Notifications: Can send events to Amazon CloudWatch Events and Amazon SNS for backup job state changes.
Backup Jobs: When a schedule triggers, AWS Backup creates a backup job. The job performs the following steps: 1. AWS Backup assumes the IAM role specified in the backup plan. 2. It calls the service-specific API to create a snapshot or backup (e.g., CreateSnapshot for EBS, CreateDBSnapshot for RDS, CreateContinuousBackup for DynamoDB). 3. The backup is stored in the specified vault. For EBS snapshots, they are stored in the vault as EBS snapshots; for RDS, they are stored as RDS snapshots; but AWS Backup manages them centrally. 4. After creation, the recovery point is indexed in the vault with metadata (resource ARN, creation date, size, encryption status). 5. Lifecycle rules are evaluated and applied asynchronously.
Restore Jobs: Restoring from a backup involves: 1. Selecting a recovery point from a vault. 2. Specifying restore parameters (e.g., instance type, subnet, security group for EC2; table name for DynamoDB). 3. AWS Backup assumes the restore role (can be different from backup role) and calls the service-specific restore API. 4. The resource is created in the specified region and account.
Key Components, Values, Defaults, and Timers
Backup Plan Limits: You can create up to 100 backup plans per region per account (soft limit, can be increased).
Backup Vault Limits: Up to 100 vaults per region per account.
Recovery Point Limits: Up to 1,000,000 recovery points per vault.
Backup Window: Default is 8 hours. Minimum is 1 hour. If the window closes, the backup job is canceled and not retried automatically.
Lifecycle Transitions: Move to cold storage after a minimum of 14 days (for EBS) or 30 days (for RDS). Expiration can be up to 100 years.
Vault Lock: Grace period can be set from 1 to 3650 days (10 years). Once locked, the retention policy is immutable.
Cross-Region Backup: Replicates recovery points to another region. The source vault and destination vault must exist. Additional costs for data transfer and storage in the destination region.
Cross-Account Backup: Uses AWS Organizations to share backup plans and copy backups to a central account. The destination account must have a backup vault with appropriate permissions.
Supported Services: Amazon EC2 (EBS), Amazon RDS (all database engines), Amazon DynamoDB, Amazon EFS, Amazon FSx (Lustre and Windows File Server), Amazon S3 (via optional agent), AWS Storage Gateway, and VMware Cloud on AWS.
Configuration and Verification Commands
Creating a Backup Plan (AWS CLI):
aws backup create-backup-plan --backup-plan file://plan.jsonExample plan.json:
{
"BackupPlanName": "DailyBackup",
"Rules": [
{
"RuleName": "DailyRule",
"TargetBackupVaultName": "MyVault",
"ScheduleExpression": "cron(0 5 ? * * *)",
"StartWindowMinutes": 60,
"CompletionWindowMinutes": 120,
"Lifecycle": {
"MoveToColdStorageAfterDays": 30,
"DeleteAfterDays": 365
},
"RecoveryPointTags": {
"Environment": "Production"
}
}
]
}Assigning Resources to a Backup Plan:
aws backup create-backup-plan --backup-plan file://plan.json
aws backup tag-resource --resource-arn arn:aws:ec2:us-east-1:123456789012:volume/vol-123 --tags Key=BackupPlan,Value=DailyBackupOr use resource assignment via console or API.
Listing Backup Jobs:
aws backup list-backup-jobs --by-state COMPLETEDRestoring a Backup:
aws backup start-restore-job --recovery-point-arn arn:aws:backup:us-east-1:123456789012:recovery-point:1234-5678-9012 --metadata file://restore.jsonCreating a Vault Lock:
aws backup put-backup-vault-lock-configuration --backup-vault-name MyVault --min-retention-days 30 --max-retention-days 3650 --changeable-for-days 3How AWS Backup Interacts with Related Technologies
AWS KMS: Backup vaults can be encrypted with a customer managed key. AWS Backup uses KMS to encrypt recovery points at rest. When restoring, the key must be accessible.
AWS CloudTrail: All AWS Backup API calls are logged to CloudTrail for auditing.
Amazon CloudWatch: Backup job state changes can trigger CloudWatch Events and SNS notifications.
AWS Organizations: Cross-account backup management uses Organizations to share backup plans and enable centralized backup administration.
Amazon S3: For S3 backup, AWS Backup uses a backup agent installed on the S3 bucket (via a service-linked role) to create backup points. S3 backup supports continuous backups (point-in-time restore) and periodic backups.
AWS Storage Gateway: Backup of volume and tape gateways is supported, with recovery points stored in vaults.
AWS Systems Manager: Backup plans can use SSM documents for pre- and post-scripts (e.g., to quiesce applications before backup).
Define Backup Requirements
Determine RPO (Recovery Point Objective) and RTO (Recovery Time Objective) for each resource. For example, a production database may need hourly backups with a 1-hour RPO, while a development server may only need daily backups. Also define retention: how long to keep backups in warm storage, cold storage, and total retention. Compliance requirements may mandate a minimum retention (e.g., 7 years) and immutable backups via Vault Lock.
Create Backup Vaults
Create one or more backup vaults to organize recovery points. For production resources, use a vault encrypted with a customer managed KMS key. For compliance, enable Vault Lock with a grace period (e.g., 3 days) and a retention policy (e.g., minimum 30 days, maximum 7 years). For cross-account backups, create a vault in the central account and grant permissions to source accounts.
Create IAM Roles
Create an IAM role that AWS Backup will assume to create backups. The role must have permissions to describe and create snapshots for the target services (e.g., ec2:CreateSnapshot, rds:CreateDBSnapshot). For cross-account backups, the role must also have permissions to copy snapshots to the destination account. Optionally create a separate role for restores.
Create Backup Plan
Define a backup plan with rules specifying schedule, backup window, lifecycle, and target vault. Use cron expressions for fine-grained schedules (e.g., cron(0 2 * * ? *) for daily at 2 AM). Set the start window to allow the backup job some flexibility (e.g., 60 minutes). Set the completion window to cancel jobs that take too long. Add lifecycle rules to transition to cold storage after a number of days (e.g., 30) and expire after a number of days (e.g., 365).
Assign Resources to Plan
Assign resources to the backup plan using tags or resource IDs. You can assign resources by tag (e.g., all EC2 instances with tag Backup=Daily) or by individual resource ARN. AWS Backup will automatically discover new resources that match the tag. You can also exclude resources using tags. For cross-account, use AWS Organizations to share the backup plan with member accounts.
Monitor and Validate Backups
Use AWS Backup console, CLI, or API to monitor backup jobs. Check for completed, failed, or expired jobs. Set up CloudWatch alarms for failed backup jobs. Periodically perform test restores to validate that backups are restorable. Use AWS Backup audit manager to check compliance with backup policies (e.g., ensuring all resources have a backup plan).
Enterprise Scenario 1: Financial Compliance with Immutable Backups
A financial services company must retain transaction data for 7 years and ensure backups cannot be deleted before the retention period ends, even by administrators. They deploy AWS Backup with Vault Lock enabled. They create a vault named ComplianceVault with a KMS key managed by the security team. They set MinRetentionDays to 2555 (7 years) and ChangeableForDays to 3. After 3 days, the vault lock becomes immutable. They create a backup plan that backs up RDS databases and EFS file systems daily, with lifecycle rules to move to cold storage after 30 days and expire after 3650 days (10 years). The backup window is set to 4 hours starting at 2 AM. They assign resources using tags (e.g., Compliance=PCI). They also set up cross-region copy to us-west-2 for disaster recovery. In production, they have 50 TB of data across 20 databases and 10 file systems. The backup window is sufficient because incremental backups take less than 2 hours. They monitor via CloudWatch and receive SNS alerts on backup failures. Common issue: if the backup window is too short, jobs fail and must be manually retried. They set the window to 6 hours for safety.
Enterprise Scenario 2: Centralized Backup for Multi-Account Environment
A large e-commerce company uses AWS Organizations with 50 accounts (dev, test, prod, etc.). They want to centralize backup management in a single BackupAdmin account. They enable AWS Backup with cross-account management. In the BackupAdmin account, they create backup plans and share them via Organizations. Each member account creates a local vault (e.g., ProdVault) and assigns resources. The backup plans copy recovery points to a central vault in BackupAdmin account for long-term retention. They use lifecycle policies to expire local copies after 30 days and keep central copies for 1 year. They use IAM roles with sts:AssumeRole to allow the admin account to perform cross-account copies. Scale: they manage 500 TB of backups across 200 EC2 instances and 100 RDS databases. Performance is generally good, but cross-region copy can take hours for large snapshots. They use the completion window to avoid overrunning maintenance windows. Misconfiguration: if the IAM role in the member account does not have permissions to copy to the admin vault, the cross-account copy fails silently. They use CloudTrail to audit failures.
Enterprise Scenario 3: S3 Backup with Continuous Recovery A media company stores raw video files in Amazon S3. They need point-in-time recovery to protect against accidental deletion or corruption. They enable AWS Backup for S3, which requires installing a backup agent (service-linked role). They create a backup plan with continuous backups (every 1 hour) and a retention of 14 days for continuous recovery points, plus periodic daily backups retained for 90 days. They use Vault Lock to prevent deletion of daily backups for 90 days. They assign the S3 bucket by ARN. In production, they have 10 TB of data with 100,000 objects. Continuous backups add minimal overhead (only changed objects). Restore is fast: they can restore to any point within the last 14 days. Common issue: if the bucket has a large number of objects (millions), the initial backup may take a long time. They schedule the first backup during a maintenance window. Also, S3 backup does not support versioning-enabled buckets that already have many versions; they must ensure the bucket is in a consistent state.
The SAA-C03 exam tests AWS Backup under Objective 2.6 (Resilient Architectures) and also ties into Objective 1.2 (Design for Security and Compliance) when discussing Vault Lock and encryption. Expect 2-3 questions directly on AWS Backup, and several more where backup is a component of a larger solution (e.g., disaster recovery, compliance).
Common Wrong Answers and Traps: 1. Choosing 'Use AWS Backup with S3 Lifecycle Policies' – Candidates confuse S3 Lifecycle with AWS Backup lifecycle. AWS Backup lifecycle transitions recovery points between storage tiers within a vault, not S3 storage classes. The exam may ask: 'How to automatically move backups to cold storage after 30 days?' The correct answer is 'Define a lifecycle rule in the backup plan.' The wrong answer is 'Use S3 Lifecycle policy on the vault.' But vaults are not S3 buckets; they are logical containers. Lifecycle is applied to recovery points, not objects. 2. Selecting 'Enable Vault Lock with a 0-day grace period' – Vault Lock requires a grace period (minimum 1 day) to allow changes before locking. A 0-day grace period is invalid. The exam may test that once locked, the retention policy cannot be changed. The wrong answer might be 'Vault Lock can be disabled at any time.' Reality: after the grace period, it is immutable. 3. Thinking AWS Backup can back up on-premises servers directly – AWS Backup supports on-premises workloads only through AWS Storage Gateway (volume/tape gateways) or via the AWS Backup agent for VMware. It does not natively back up physical servers or generic VMs. The exam may present a scenario with on-premises servers and ask for a backup solution. The correct answer might involve Storage Gateway, not AWS Backup alone. 4. Confusing backup plans with resource assignment – A backup plan without assigned resources does nothing. The exam may ask: 'You created a backup plan but no backups are running. Why?' The answer: 'No resources are assigned to the plan.' Candidates may think the plan automatically applies to all resources, but it requires explicit assignment via tags or ARNs.
Specific Numbers and Values to Memorize: - Vault Lock grace period: 1-3650 days. - Minimum retention for cold storage transition: 14 days (EBS), 30 days (RDS). - Default backup window: 8 hours. - Maximum recovery points per vault: 1,000,000. - Cross-region copy: requires a vault in the destination region. - AWS Backup supports: EC2, RDS, DynamoDB, EFS, FSx, S3 (with agent), Storage Gateway, VMware.
Edge Cases: - If you delete a resource (e.g., EC2 instance) that has backups, the recovery points remain in the vault. You can still restore to a new instance. - Cross-account backup requires both accounts to be in the same AWS Organization, or you must manually share the backup plan. - Backup of encrypted resources: the KMS key must be available in the region where the backup is created. For cross-region copy, the key must be present in the destination region.
How to Eliminate Wrong Answers: 1. If the question mentions 'immutable backups' or 'ransomware protection', look for Vault Lock. 2. If the question mentions 'centralized management across accounts', look for AWS Organizations integration. 3. If the question mentions 'cost optimization by moving older backups to cheaper storage', look for lifecycle rules. 4. If the question mentions 'point-in-time recovery for S3', look for AWS Backup with continuous backup (not just periodic). 5. Always check if the resource type is supported by AWS Backup. If not (e.g., on-premises MySQL), the answer may involve a different service like DMS or Storage Gateway.
AWS Backup centralizes backup management across supported services: EC2, RDS, DynamoDB, EFS, FSx, S3, Storage Gateway, and VMware.
A backup plan defines schedule, window, lifecycle, and target vault. Resources must be assigned via tags or ARNs.
Backup window default is 8 hours; if the window closes, the job is canceled.
Lifecycle rules can transition recovery points to cold storage after a minimum of 14 days (EBS) or 30 days (RDS), and expire after up to 100 years.
Vault Lock provides immutable backups with a configurable grace period (1-3650 days). After lock, retention cannot be changed.
Cross-region backup copy requires a vault in the destination region; cross-account copy requires AWS Organizations or manual sharing.
AWS Backup uses IAM roles for backup and restore; ensure proper permissions for each resource type.
The maximum number of recovery points per vault is 1,000,000.
S3 backup requires a backup agent and supports continuous (point-in-time) backups with a retention of up to 14 days for continuous points.
AWS Backup is not a replacement for S3 versioning or replication; it is for backup and restore compliance.
These come up on the exam all the time. Here's how to tell them apart.
AWS Backup
Centralized management across multiple services via a single console and API.
Automated scheduling with flexible cron expressions and backup windows.
Built-in lifecycle policies to transition to cold storage and expire backups.
Vault Lock for immutable backups to meet compliance requirements.
Cross-region and cross-account backup copy for disaster recovery and centralization.
Service-Specific Backups (e.g., RDS snapshots, EBS snapshots)
Each service has its own backup interface (e.g., RDS console, EC2 console) with different scheduling options.
Manual scripting required for automation (e.g., AWS CLI or Lambda).
No built-in lifecycle management; you must manage snapshot deletion yourself.
No built-in immutability; you need to use IAM policies to prevent deletion, which can be bypassed by admins.
Cross-region copy requires manual scripting or additional services (e.g., DMS for RDS).
AWS Backup Vault Lock
Enforces a minimum retention period that cannot be changed after a grace period.
Prevents deletion even by root user or administrators with full permissions.
Auditable via CloudTrail; lock status is visible in console.
Grace period allows changes before lock becomes immutable.
Supports both compliance and regulatory requirements (e.g., SEC 17a-4).
IAM Policies with Deny Delete
Can be overridden by any user with iam:DeletePolicy or iam:PassRole permissions.
Root user can bypass IAM policies (unless using SCPs, which still have exceptions).
No built-in grace period; policies can be changed at any time.
Complex to manage across multiple accounts and resources.
Not sufficient for strict compliance requirements that demand immutable backups.
Mistake
AWS Backup can back up any AWS resource automatically.
Correct
AWS Backup supports a specific set of services: EC2 (EBS), RDS, DynamoDB, EFS, FSx, S3 (with agent), Storage Gateway, and VMware. It does not support services like Lambda, API Gateway, or ElastiCache. Always check the supported services list.
Mistake
Vault Lock can be disabled after it is enabled.
Correct
Vault Lock has a configurable grace period (1-3650 days) during which you can modify or disable the lock. After the grace period expires, the lock is immutable and cannot be removed or changed. This is a permanent protection.
Mistake
Backup plans automatically back up all resources in the account.
Correct
Backup plans must have resources assigned to them, either by individual ARNs or by tags. Without assignment, no backups are created. The plan itself is just a policy template.
Mistake
AWS Backup lifecycle rules are the same as S3 Lifecycle rules.
Correct
AWS Backup lifecycle rules move recovery points between warm and cold storage within a backup vault, not between S3 storage classes. The vault is not an S3 bucket; it is a logical container managed by AWS Backup.
Mistake
You can restore a backup to a different AWS region without additional setup.
Correct
Cross-region restore requires that the recovery point was copied to the destination region via cross-region backup copy. You cannot restore a backup directly from one region to another unless a copy exists in the destination region.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
AWS Backup can back up on-premises workloads only if they are running on VMware (via the AWS Backup agent for VMware) or if they use AWS Storage Gateway (volume or tape gateways). It does not natively support physical servers or generic virtual machines. For on-premises databases, consider AWS Database Migration Service (DMS) or third-party tools.
A backup vault is a logical container for recovery points managed by AWS Backup. It is not an S3 bucket; you cannot access recovery points directly via S3 APIs. The vault has its own encryption, access policies, and Vault Lock features. Recovery points are stored in a service-managed storage backend, not in your S3 buckets.
Use AWS Backup Vault Lock to enforce a minimum retention period. Once locked (after the grace period), no one can delete recovery points before the retention expires, even with root permissions. Additionally, use IAM policies to restrict the `backup:DeleteRecoveryPoint` action to specific roles or users.
Yes, when you restore an EC2 backup, you can specify a different instance type, security groups, subnet, and other parameters. The restore creates a new EBS volume from the snapshot and launches a new instance. You cannot restore to an existing instance; you must create a new one.
No, continuous backups (point-in-time recovery) are only supported for Amazon S3 (with a backup agent) and Amazon DynamoDB (via on-demand backups). For other services like RDS and EBS, backups are periodic snapshots. For DynamoDB, you can use AWS Backup to create on-demand backups, but continuous backups are not supported via AWS Backup (use DynamoDB continuous backups separately).
AWS Backup will retry the job up to 3 times (by default) within the backup window. If it still fails, the job is marked as FAILED. You can set up CloudWatch Events and SNS notifications to alert on failures. You can also manually start a backup job from the console or CLI. Common causes: insufficient IAM permissions, resource limits, or backup window too short.
Cross-account backup requires both accounts to be in the same AWS Organization (or you can manually share the backup plan). In the source account, create a backup plan and assign resources. In the destination account, create a backup vault. The source account's IAM role must have permissions to copy recovery points to the destination vault. Use the `CopyAction` in the backup plan rule to specify the destination vault ARN.
You've just covered AWS Backup Service — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?