This chapter covers AWS Backup, a fully managed backup service that centralizes and automates backups across AWS services. For the SOA-C02 exam, AWS Backup is a core topic under Reliability (Objective 2.2), appearing in approximately 5-8% of questions. You will need to understand how to create backup plans, configure lifecycle policies, manage backup vaults, and enforce compliance using backup policies. This chapter provides the detailed technical knowledge required to design and troubleshoot backup solutions on the exam.
Imagine a large office building with 50 different departments, each storing important documents in their own filing cabinets. Each department has its own schedule for making copies of those documents—some make copies every night, others only on weekends, and some only when they remember. The copies are stored in random boxes in the basement, with no labels or organization. If a fire destroys the original documents, the departments scramble to find the right boxes, often discovering that the copies are outdated or missing. Now, the building hires a dedicated document manager. The manager installs a centralized vault with labeled shelves. The manager works with each department to create a backup plan: a schedule (e.g., every 6 hours for critical documents, daily for less important ones) and a retention rule (e.g., keep daily copies for 30 days, weekly for 1 year). The manager also enforces a policy that all copies must be encrypted and stored in the vault, not in random boxes. When a document is copied, the manager tags it with metadata (department, date, version) and stores it in the vault. If a fire occurs, the manager can quickly retrieve the exact copy needed, and because the policy was enforced, the copy is guaranteed to be recent and secure. In AWS Backup, the centralized vault is the backup vault, the document manager is AWS Backup, the filing cabinets are AWS services (EC2, RDS, EFS, etc.), the backup plans are the schedules and lifecycle rules, and the policies are the IAM permissions and compliance rules that ensure backups are created and retained correctly.
What is AWS Backup and Why It Exists
AWS Backup is a centralized, fully managed service that enables you to define backup policies (backup plans) and apply them to AWS resources across multiple services and accounts. Before AWS Backup, each service (RDS, EBS, DynamoDB, etc.) had its own backup mechanisms, leading to inconsistent schedules, retention policies, and monitoring. AWS Backup unifies these into a single service, providing a single place to manage backups, automate scheduling, enforce compliance, and restore data.
How AWS Backup Works Internally
AWS Backup operates through a combination of backup plans, backup vaults, and backup policies. A backup plan defines the schedule, lifecycle, and backup window for creating recovery points. When you assign resources (e.g., EC2 instances, RDS databases) to a backup plan, AWS Backup triggers backup jobs according to the schedule. Each backup job creates a recovery point (a snapshot or backup) in a backup vault. The vault is a logical container that stores recovery points, and it can be encrypted with AWS KMS keys. Lifecycle rules automatically transition recovery points from a warm tier (standard storage) to a cold tier (Amazon S3 Glacier) after a specified number of days, and then expire them after a retention period. Backup policies (AWS Organizations-based) allow you to deploy backup plans across multiple accounts in an organization, enforcing compliance at scale.
Key Components, Values, Defaults, and Timers
- Backup Plan: Contains one or more backup rules. Each rule specifies:
  - Schedule: Can be hourly, daily, weekly, or a custom cron expression. Default: daily at 5:00 AM UTC.
  - Lifecycle: Transition to cold storage after N days (default: 30 days, min 0), expire after M days (default: 35 days, min 1).
  - Backup Vault: The vault where recovery points are stored. You can create multiple vaults (e.g., per environment).
  - Backup Window: The time window during which the backup job must start (e.g., 1 hour). Default: 8 hours.
  - IAM Role: The role that AWS Backup assumes to create backups. You must provide an IAM role with appropriate permissions.
- Backup Vault: Stores recovery points. Can have a vault lock (compliance or governance mode) to prevent deletion. Default: no lock.
- Backup Policy: An SCP-like policy applied via AWS Organizations to enforce backup plans on member accounts.
- Recovery Point: A snapshot or backup of a resource. Stored in the vault. Can be encrypted.
- Default Values:
  - Backup rule schedule: daily at 5:00 AM UTC.
  - Lifecycle transition to cold: 30 days.
  - Expiration: 35 days (if not set, permanent).
  - Backup window: 8 hours.
- Timers:
  - Backup job starts within the backup window. If the window is missed, the job fails.
  - Lifecycle transitions occur after the specified number of days from creation.
  - Vault lock: Once enabled, cannot be removed; in governance mode, locks can be overridden with appropriate permissions.
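The defaults and timers above are easy to get wrong in a plan document, so here is an added example (not code from this chapter or from AWS) that checks a plan.json before it goes to the CreateBackupPlan API and that reports which tier a recovery point is in on a given date. It uses the API's own field names (Rules, RuleName, TargetBackupVaultName, ScheduleExpression, StartWindowMinutes, CompletionWindowMinutes, Lifecycle, MoveToColdStorageAfterDays, DeleteAfterDays). The 90-day check encodes AWS's documented constraint that DeleteAfterDays must be at least 90 days later than MoveToColdStorageAfterDays, which is why a "cold after 30, expire at 35" combination is rejected; the sample plans are constructed for the demo, and the immediate-cold warning reflects the restore-delay pitfall discussed later in the chapter.

```python
"""Pre-flight checks for an AWS Backup plan document plus a recovery-point
tier calculator. Added example; not from this chapter or from AWS."""
from datetime import datetime, timedelta, timezone

DEFAULT_START_WINDOW_MINUTES = 480  # AWS default backup window: 8 hours
COLD_MINIMUM_RETENTION_DAYS = 90    # AWS: retention >= cold transition + 90


def validate_backup_plan(plan: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the plan passes."""
    findings: list[tuple[str, str]] = []
    if not plan.get("BackupPlanName"):
        findings.append(("ERROR", "BackupPlanName is missing"))
    rules = plan.get("Rules") or []
    if not rules:
        findings.append(("ERROR", "plan has no Rules"))
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        if not rule.get("TargetBackupVaultName"):
            findings.append(("ERROR", f"{name}: TargetBackupVaultName is missing"))
        # Schedule must be an AWS cron() expression with six fields.
        sched = rule.get("ScheduleExpression")
        if sched is not None:
            inner = sched[5:-1] if sched.startswith("cron(") and sched.endswith(")") else ""
            if len(inner.split()) != 6:
                findings.append(("ERROR", f"{name}: ScheduleExpression must be cron() with six fields"))
        # The job must start within StartWindowMinutes (min 60) and finish
        # within CompletionWindowMinutes, so completion must be the larger.
        start = rule.get("StartWindowMinutes", DEFAULT_START_WINDOW_MINUTES)
        completion = rule.get("CompletionWindowMinutes")
        if start < 60:
            findings.append(("ERROR", f"{name}: StartWindowMinutes must be at least 60"))
        if completion is not None and completion <= start:
            findings.append(("ERROR", f"{name}: CompletionWindowMinutes must exceed StartWindowMinutes"))
        life = rule.get("Lifecycle") or {}
        cold = life.get("MoveToColdStorageAfterDays")
        delete = life.get("DeleteAfterDays")
        if delete is not None and delete < 1:
            findings.append(("ERROR", f"{name}: DeleteAfterDays must be at least 1"))
        if cold is not None and delete is not None and delete < cold + COLD_MINIMUM_RETENTION_DAYS:
            findings.append(("ERROR", f"{name}: DeleteAfterDays must be at least MoveToColdStorageAfterDays + 90"))
        if cold == 0:
            # Legal, but every restore will then be served from cold storage.
            findings.append(("WARNING", f"{name}: MoveToColdStorageAfterDays=0 sends every recovery point straight to cold storage; restores will take hours"))
    return findings


def errors_only(plan: dict) -> list[str]:
    return [msg for sev, msg in validate_backup_plan(plan) if sev == "ERROR"]


def recovery_point_state(created: datetime, lifecycle: dict, now: datetime) -> str:
    """'WARM', 'COLD' or 'EXPIRED' for a recovery point under a rule's Lifecycle."""
    age_days = (now - created).days
    delete = lifecycle.get("DeleteAfterDays")
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    if delete is not None and age_days >= delete:
        return "EXPIRED"
    if cold is not None and age_days >= cold:
        return "COLD"
    return "WARM"


def state_after_days(lifecycle: dict, days: int) -> str:
    """Convenience wrapper: state of a point created at a fixed instant, `days` later."""
    created = datetime(2024, 1, 1, 5, 0, tzinfo=timezone.utc)  # constructed
    return recovery_point_state(created, lifecycle, created + timedelta(days=days))


def _plan(rule_name: str, lifecycle: dict, start: int = 60, completion: int = 120) -> dict:
    """Build a constructed plan document in the shape create-backup-plan expects."""
    return {"BackupPlanName": f"demo-{rule_name}", "Rules": [{
        "RuleName": rule_name, "TargetBackupVaultName": "MyVault",
        "ScheduleExpression": "cron(0 5 * * ? *)",
        "StartWindowMinutes": start, "CompletionWindowMinutes": completion,
        "Lifecycle": lifecycle}]}


COLD_LIFECYCLE = {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 120}
CHAPTER_PLAN = _plan("DailyBackup", {"DeleteAfterDays": 30})            # warm only
COLD_PLAN = _plan("ColdAfter30", COLD_LIFECYCLE)                         # valid cold tier
SHORT_RETENTION_PLAN = _plan("ColdAfter30ExpireAt35", {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 35})
IMMEDIATE_COLD_PLAN = _plan("ColdImmediately", {"MoveToColdStorageAfterDays": 0, "DeleteAfterDays": 90})

if __name__ == "__main__":
    for plan in (CHAPTER_PLAN, COLD_PLAN, SHORT_RETENTION_PLAN, IMMEDIATE_COLD_PLAN):
        print(plan["BackupPlanName"], validate_backup_plan(plan) or "ok")
    for days in (5, 31, 120):
        print(f"day {days}:", state_after_days(COLD_LIFECYCLE, days))
```

Run it as a script to see the four verdicts; the short-retention plan is the only one with an error, and the immediate-cold plan passes with a warning. The tier calculator uses whole days since creation, which is how the lifecycle timers in the list above are expressed.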
Configuration and Verification Commands
To create a backup plan using AWS CLI:
aws backup create-backup-plan --backup-plan file://plan.json

Example plan.json:

{
  "BackupPlanName": "Daily-30DayRetention",
  "Rules": [
    {
      "RuleName": "DailyBackup",
      "TargetBackupVaultName": "MyVault",
      "ScheduleExpression": "cron(0 5 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 120,
      "Lifecycle": {
        "DeleteAfterDays": 30
      }
    }
  ]
}

To assign resources to a backup plan, create a backup selection. The plan ID is returned by create-backup-plan, and the selection names the IAM role that AWS Backup assumes:

aws backup create-backup-selection --backup-plan-id plan-id --backup-selection file://selection.json

Example selection.json:

{
  "SelectionName": "ProductionVolumes",
  "IamRoleArn": "arn:aws:iam::account:role/AWSBackupDefaultServiceRole",
  "Resources": [
    "arn:aws:ec2:region:account:volume/vol-xxx"
  ]
}

To list backup jobs:

aws backup list-backup-jobs --by-state COMPLETED

To restore a recovery point:

aws backup start-restore-job --recovery-point-arn arn:aws:backup:region:account:recovery-point:point-id --metadata file://metadata.json --iam-role-arn arn:aws:iam::account:role/AWSBackupDefaultServiceRole

Interaction with Related Technologies
IAM: AWS Backup uses IAM roles to assume permissions for creating and restoring backups. The role must have a trust policy allowing backup.amazonaws.com and permissions to the target resource (e.g., ec2:CreateSnapshot).
AWS KMS: Backup vaults can be encrypted with a KMS key. Recovery points inherit the vault's encryption. Cross-account backups require KMS key policies that allow the target account.
AWS Organizations: Backup policies are deployed at the organization level to enforce backup plans across accounts. Member accounts cannot opt out.
Amazon CloudWatch: Backup jobs emit metrics (e.g., NumberOfBackupJobs) and events (e.g., Backup Job Completed). You can set alarms for failures.
AWS Config: Can track changes to backup plans and vaults via Config rules.
AWS Service Catalog: Can provision backup plans as part of product portfolios.
Advanced Topics
Cross-Region Backup: You can copy recovery points to another region by adding a copy action in the backup rule. The source vault must allow cross-region copies.
Cross-Account Backup: Using backup policies, you can deploy a backup plan to multiple accounts. The backup vault in the management account can store recovery points from member accounts.
Vault Lock: Prevents deletion of recovery points. In governance mode, authorized users can override; in compliance mode, no one can delete until the retention period expires. Once locked, the lock cannot be removed.
Backup Plan Tags: Tags applied to the backup plan are propagated to recovery points.
Common Pitfalls and Exam Traps
IAM Role Missing Permissions: The most common reason for backup failure. The role must have permissions to the resource (e.g., rds:CreateDBSnapshot) and to the vault (e.g., backup:PutBackupVaultAccessPolicy).
Backup Window Too Short: If the backup window is too short for the resource size, the job may fail. The default window is 8 hours, but you can adjust.
Lifecycle Transition to Cold Storage: If you set MoveToColdStorageAfterDays to 0, the recovery point is immediately moved to cold storage. This can cause restore delays (hours). Exam questions often test that cold storage restores take longer.
Vault Lock in Compliance Mode: Once set, even the root user cannot delete recovery points until the retention period expires. This is a common exam scenario for compliance requirements.
Backup Policy vs. Backup Plan: A backup policy is an organization-level construct that enforces backup plans on accounts. A backup plan is the actual schedule and lifecycle definition.
Verification and Monitoring
Use aws backup list-backup-jobs to check job status.
Use CloudWatch metrics: NumberOfBackupJobs, NumberOfRestoreJobs.
Use AWS Config rules like backup-plan-exists to ensure resources are backed up.
Use AWS Backup Audit Manager to generate reports on backup compliance.
Summary
AWS Backup provides a unified backup solution across AWS services. Understanding backup plans, vaults, lifecycle policies, and IAM permissions is critical for the SOA-C02 exam. Pay special attention to default values, cross-account/cross-region backup, vault lock, and common failure modes.
Define Backup Plan
Create a backup plan with a name, one or more backup rules, and optionally tags. Each rule defines a schedule (cron expression or predefined frequency like daily), a backup window, a lifecycle (transition to cold storage and expiration), and a target backup vault. The schedule determines when the backup job is triggered. The backup window specifies the time period during which the job must start. If the job cannot start within the window, it fails. The lifecycle defines how long the recovery point stays in warm storage before moving to cold (Glacier) and when it expires. Default: no transition, expiration after 35 days.
Assign Resources to Plan
You assign AWS resources (EC2 instances, RDS databases, EFS file systems, DynamoDB tables, etc.) to the backup plan using resource assignments. You can assign resources by ARN, by tags, or by resource type. When you assign by tags, any resource with the specified tag key-value pair is automatically included. This is dynamic: new resources with matching tags are automatically backed up. You can also exclude resources using tags. The assignment also specifies the IAM role that AWS Backup assumes to create backups. The role must have permissions to the resource and to the vault.
Backup Job Execution
At the scheduled time (or within the backup window), AWS Backup triggers a backup job. The service assumes the IAM role and calls the appropriate API to create a snapshot or backup of the resource. For example, for an EC2 instance, it calls `ec2:CreateSnapshot` on the attached EBS volumes. For RDS, it calls `rds:CreateDBSnapshot`. The job status can be `CREATED`, `PENDING`, `RUNNING`, `ABORTED`, `FAILED`, or `COMPLETED`. The job runs until completion or until the backup window expires. If the window expires, the job is aborted. You can monitor jobs via the console, CLI, or CloudWatch events.
Store Recovery Point in Vault
Once the backup job completes, the recovery point is stored in the specified backup vault. The vault is a logical container that groups recovery points. It can be encrypted with a KMS key. The recovery point is tagged with metadata such as the resource ARN, backup plan, and rule. The vault also tracks the lifecycle state: `CREATING`, `AVAILABLE`, `EXPIRED`, or `DELETING`. Lifecycle rules are applied automatically: after the specified number of days, the recovery point is transitioned to cold storage (if configured) and later expired. Expired recovery points are deleted after the retention period.
Restore from Recovery Point
To restore a resource, you initiate a restore job from a recovery point. You specify the recovery point ARN and the metadata required for the restore (e.g., instance type, subnet for EC2; DB instance class for RDS). AWS Backup assumes the IAM role and calls the appropriate restore API (e.g., `ec2:CreateVolume` from snapshot, `rds:RestoreDBInstanceFromDBSnapshot`). The restore job status can be `PENDING`, `RUNNING`, `COMPLETED`, `FAILED`. Restores from cold storage can take hours because the data must be retrieved from Glacier. After restore, you may need to attach volumes or configure the resource.
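Of the five steps above, the assignment step is the one you can dry-run without touching an account: which resources will a selection actually pick up? The following is an added example (not code from this chapter or from AWS) that evaluates a selection document in the shape the CreateBackupSelection API takes (Resources, NotResources, ListOfTags, Conditions, with ConditionType/ConditionKey/ConditionValue entries) against an in-memory inventory of ARNs and tags. The OR logic within ListOfTags and the AND logic within Conditions follow AWS's documented behaviour; combining the four fields as "ARN match, not excluded, any listed tag, all conditions" is this example's reading of the API and should be confirmed against the BackupSelection documentation before relying on it. The inventory, ARNs, tag values and account id are constructed.

```python
"""Dry run of AWS Backup resource assignment over a constructed inventory.
Added example; not from this chapter or from AWS."""
from fnmatch import fnmatchcase


def _holds(tags: dict, operator: str, key: str, value: str) -> bool:
    """Evaluate one tag condition. A resource that lacks the tag satisfies the
    negative operators, so StringNotEquals excludes only explicitly tagged resources."""
    op = operator.upper()
    actual = tags.get(key)
    if op == "STRINGEQUALS":
        return actual == value
    if op == "STRINGNOTEQUALS":
        return actual != value
    if op == "STRINGLIKE":
        return actual is not None and fnmatchcase(actual, value)
    if op == "STRINGNOTLIKE":
        return actual is None or not fnmatchcase(actual, value)
    raise ValueError(f"unsupported condition operator: {operator}")


def _arn_matches(arn: str, patterns: list[str]) -> bool:
    """ARN patterns may contain '*' wildcards (fnmatch semantics)."""
    return any(fnmatchcase(arn, pattern) for pattern in patterns)


def select_resources(selection: dict, inventory: dict[str, dict]) -> list[str]:
    """Return the sorted ARNs the selection would assign to the plan."""
    chosen = []
    for arn, tags in inventory.items():
        # An empty Resources list means "any ARN"; the tag fields then narrow it.
        if not _arn_matches(arn, selection.get("Resources") or ["*"]):
            continue
        if _arn_matches(arn, selection.get("NotResources", [])):
            continue
        tag_list = selection.get("ListOfTags", [])  # OR: any entry may match
        if tag_list and not any(
                _holds(tags, c["ConditionType"], c["ConditionKey"], c["ConditionValue"])
                for c in tag_list):
            continue
        conditions = selection.get("Conditions", {})  # AND: every entry must hold
        if not all(
                _holds(tags, op, c["ConditionKey"].removeprefix("aws:ResourceTag/"), c["ConditionValue"])
                for op, entries in conditions.items() for c in entries):
            continue
        chosen.append(arn)
    return sorted(chosen)


# Constructed inventory: ARN -> tags, as a resource-inventory script might return.
INVENTORY = {
    "arn:aws:rds:us-east-1:111122223333:db:orders-prod": {"Environment": "Production", "Team": "payments"},
    "arn:aws:rds:us-east-1:111122223333:db:orders-dev": {"Environment": "Development"},
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0prod1": {"Environment": "Production", "Backup": "skip"},
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0prod2": {"Environment": "Production"},
    "arn:aws:dynamodb:us-east-1:111122223333:table/sessions": {},
}
ROLE = "arn:aws:iam::111122223333:role/AWSBackupDefaultServiceRole"  # constructed

# Dynamic assignment: everything tagged Environment=Production, minus opt-outs.
PROD_BY_TAG = {
    "SelectionName": "production-by-tag", "IamRoleArn": ROLE, "Resources": ["*"],
    "ListOfTags": [{"ConditionType": "STRINGEQUALS", "ConditionKey": "Environment",
                    "ConditionValue": "Production"}],
    "Conditions": {"StringNotEquals": [{"ConditionKey": "aws:ResourceTag/Backup",
                                        "ConditionValue": "skip"}]},
}
# Assignment by ARN pattern, with and without an exclusion.
ALL_RDS = {"SelectionName": "all-rds", "IamRoleArn": ROLE, "Resources": ["arn:aws:rds:*:*:db:*"]}
RDS_NO_DEV = dict(ALL_RDS, SelectionName="rds-no-dev", NotResources=["*:db:*-dev"])

if __name__ == "__main__":
    for selection in (PROD_BY_TAG, ALL_RDS, RDS_NO_DEV):
        print(selection["SelectionName"])
        for arn in select_resources(selection, INVENTORY):
            print("  ", arn)
```

The production selection picks up the tagged database and one of the two volumes; vol-0prod1 drops out because of its Backup=skip tag even though it is tagged Production, which is the tag-based exclusion the text describes. Tagging a new resource Environment=Production is enough to bring it in on the next run, which is what makes tag-based assignment dynamic.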
In a large enterprise with hundreds of EC2 instances, RDS databases, and EFS file systems across multiple AWS accounts, managing backups manually is impossible. AWS Backup centralizes backup management. For example, a financial services company uses AWS Backup to enforce a 35-day retention policy on all production databases. They create a backup plan with a daily schedule and a lifecycle that transitions recovery points to cold storage after 30 days. They assign the plan to all RDS instances using a tag Environment=Production. The backup vault is encrypted with a KMS key managed by the security team. They also enable vault lock in compliance mode to prevent any deletion of recovery points before the retention period expires, satisfying regulatory requirements.

Another scenario: a SaaS provider uses cross-region backup to replicate recovery points to a secondary region for disaster recovery. They configure a copy action in the backup rule to copy recovery points to a vault in another region. The source vault must allow cross-region copies via a vault access policy. They also use AWS Organizations backup policies to deploy the same backup plan to all member accounts, ensuring consistent backup coverage.

Common issues include: backup jobs failing due to insufficient IAM permissions (e.g., missing ec2:CreateSnapshot), a backup window too small for large databases (e.g., a 1 TB RDS instance may take hours to back up), and cold storage restores taking too long (up to 12 hours for Glacier). To troubleshoot, engineers check CloudWatch logs and backup job status, and adjust the backup window or IAM role as needed.
The SOA-C02 exam tests AWS Backup under Domain 2: Reliability, Objective 2.2: Implement backup and recovery strategies. Key areas: backup plans, backup vaults, lifecycle policies, cross-region/cross-account backup, vault lock, and IAM permissions.

Common wrong answers:
- 'You can use AWS Backup to back up on-premises servers': AWS Backup supports only AWS resources (EC2, RDS, EFS, DynamoDB, Storage Gateway, and VMware on AWS).
- 'Vault lock can be disabled at any time': In compliance mode, vault lock cannot be removed; in governance mode, it can be overridden with appropriate permissions, but the lock itself persists.
- 'Lifecycle transition to cold storage is immediate': The transition occurs after the specified number of days; setting MoveToColdStorageAfterDays to 0 means immediate transition, but this is an edge case.
- 'Cross-account backup requires no additional configuration': You must configure a backup policy in AWS Organizations and ensure KMS key policies allow cross-account access.

Exam numbers: default retention is 35 days, default backup window is 8 hours, default schedule is daily at 5:00 AM UTC. Know that DeleteAfterDays is required; MoveToColdStorageAfterDays is optional. Edge cases: if you set DeleteAfterDays to 1, the recovery point is deleted after 1 day; if you set MoveToColdStorageAfterDays to 0, the recovery point is immediately moved to cold storage.

The exam loves to ask about vault lock: 'Which mode allows deletion with proper permissions?' Governance mode. 'Which mode prevents all deletion?' Compliance mode. Also, know that AWS Backup supports incremental backups for some services (e.g., EBS snapshots are incremental).

To eliminate wrong answers, focus on the underlying mechanism: AWS Backup is a managed service that creates snapshots via the native snapshot APIs of each service. It does not create file-level backups. It does not support third-party databases. It does not back up data in transit.
Use process of elimination: if the answer mentions a feature that AWS Backup does not support (e.g., agent-based backup for on-premises), it is wrong.
AWS Backup supports EC2, RDS, DynamoDB, EFS, Storage Gateway, and VMware on AWS only.
Default backup schedule is daily at 5:00 AM UTC with an 8-hour backup window.
Default retention for a backup rule is 35 days if not specified.
Lifecycle transition to cold storage can be set to 0 days (immediate) or any positive integer.
Vault lock in compliance mode prevents deletion of recovery points by anyone, including root.
Cross-account backup requires AWS Organizations backup policies and proper KMS key policies.
IAM role used by AWS Backup must have permissions to create snapshots and write to vault.
Restores from cold storage (Glacier) can take hours; plan accordingly.
Backup plans can be assigned to resources by tags, making it dynamic.
AWS Backup jobs emit CloudWatch events for monitoring and automation.
These come up on the exam all the time. Here's how to tell them apart.
AWS Backup
Centralized management across multiple services and accounts.
Supports custom lifecycle policies (transition to cold storage, expiration).
Can enforce compliance via vault lock and organization policies.
Supports cross-region copy and cross-account backup.
Provides a single dashboard for monitoring all backup jobs.
Native Service Backups (e.g., RDS automated snapshots)
Service-specific, managed separately for each service.
Limited retention control (e.g., RDS max 35 days for automated snapshots).
No built-in compliance enforcement across accounts.
No native cross-region copy (requires manual scripting).
Monitoring is service-specific (e.g., RDS events).
Mistake
AWS Backup can back up any AWS resource.
Correct
AWS Backup supports only specific resources: EC2 (EBS-backed instances), RDS (including Aurora), DynamoDB, EFS, Storage Gateway (Volume Gateway), and VMware on AWS. It does not support S3, Lambda, or other services natively (though S3 can be backed up via other means).
Mistake
Vault lock can be removed once enabled.
Correct
In compliance mode, vault lock is permanent and cannot be removed. In governance mode, the lock can be overridden by users with the `backup:PutBackupVaultLockConfiguration` permission, but the lock itself remains until the retention period expires. Once locked, the configuration cannot be changed.
Mistake
Lifecycle transition to cold storage is immediate after backup.
Correct
The transition occurs after the number of days specified in `MoveToColdStorageAfterDays`. Setting it to 0 causes immediate transition, but otherwise the recovery point stays in warm storage for that many days. Restoring from cold storage takes longer (hours).
Mistake
AWS Backup supports cross-account backup without any additional setup.
Correct
Cross-account backup requires AWS Organizations backup policies. The management account creates a backup policy and attaches it to organizational units (OUs) or accounts. Member accounts must have a backup vault in the management account (or a shared vault) and appropriate KMS key policies to allow cross-account access.
Mistake
AWS Backup creates full backups every time.
Correct
For EBS snapshots and RDS snapshots, AWS Backup uses incremental snapshots. Only the first backup is full; subsequent backups capture only changed blocks. This reduces storage costs and backup time. However, for services like EFS, backups are full copies.
No, AWS Backup only supports AWS resources (EC2, RDS, DynamoDB, EFS, Storage Gateway, and VMware on AWS). For on-premises, you can use AWS Storage Gateway or third-party solutions like Veeam. The exam tests this limitation frequently.
A backup plan defines the schedule, lifecycle, and target vault for backups of specific resources. A backup policy is an AWS Organizations construct that deploys backup plans across multiple accounts to enforce compliance. Backup policies are attached to OUs or accounts, and member accounts cannot opt out.
You initiate a restore job as usual. AWS Backup automatically retrieves the data from cold storage (Glacier). The restore may take several hours (up to 12) because data must be retrieved from Glacier. You can speed this up by using expedited retrieval if enabled, but this incurs additional costs.
In compliance mode, no one can delete the recovery point until the retention period expires. In governance mode, users with the `backup:PutBackupVaultLockConfiguration` permission can override the lock and delete. The exam loves this distinction.
AWS Backup retries the job up to three times within the backup window. If it still fails, the job is marked as FAILED. You can view the error message in the console or via CLI. Common causes: insufficient IAM permissions, resource not found, or backup window too short.
Yes, for EBS snapshots and RDS snapshots, backups are incremental. Only the first backup is a full snapshot; subsequent backups capture only changed blocks. This reduces storage costs and backup time. For EFS, backups are full copies.
In the backup rule, enable 'Copy to destination region' and specify the destination region and vault. The source vault must allow cross-region copies via a vault access policy. You also need an IAM role that allows copying to the destination region. Recovery points are copied after the initial backup completes.