This chapter covers AWS Backup, a fully managed backup service that centralizes and automates data protection across AWS services. For the SOA-C02 exam, AWS Backup appears in roughly 5-8% of questions, primarily in Domain 2 (Reliability) and Domain 1 (Monitoring and Reporting). You must understand backup plans, vaults, policies, and cross-region/account backup to answer scenario-based questions correctly. This chapter provides the depth needed to distinguish between AWS Backup and native service backup features, and to configure compliant, cost-effective backup strategies.
Imagine a large office building with 20 departments, each storing critical documents in their own file cabinets. Previously, each department had its own set of keys, its own labeling system, and its own schedule for making photocopies of important files. Some departments made copies daily, some weekly, and others only when they remembered. The building manager decides to centralize: she installs a secure, fireproof vault in the basement with a single access log. She gives each department a labeled storage box and a standardized form to fill out: what files to copy, how often, and how long to keep them. Now, instead of each department managing its own photocopying, a dedicated team collects the forms, makes the copies on a unified schedule, places them in the vault, and logs every action. If a department needs a file restored, they submit a request with the box number and date; the vault team retrieves the copy and logs the retrieval. This centralization ensures consistent retention policies, encrypted storage, auditable access, and eliminates the chaos of 20 independent backup systems. AWS Backup works exactly like this: it centralizes backup management across AWS services (EC2, RDS, EFS, DynamoDB, etc.) into one console, with backup plans, vaults, and automated schedules, replacing the need for service-specific backup scripts and manual processes.
What is AWS Backup and Why It Exists
AWS Backup is a centralized, fully managed backup service that enables you to define backup policies (backup plans) and apply them consistently across supported AWS resources. It eliminates the need to create custom backup scripts or use service-specific backup features individually. The service supports EC2 instances, EBS volumes, RDS databases, DynamoDB tables, EFS file systems, FSx file systems, Storage Gateway volumes, and more.
Before AWS Backup, SysOps administrators had to manually configure backups for each service: create EBS snapshots via CLI/console, set up automated RDS snapshots, write Lambda functions for DynamoDB on-demand backups, and manage retention separately. This led to inconsistent policies, missed backups, and higher operational overhead. AWS Backup solves this by providing a single pane of glass for backup policies, monitoring, and restoration.
How AWS Backup Works Internally
AWS Backup operates through four core components:
- Backup plans: A policy document that defines when backups occur (frequency), how long they are retained (retention period), and the backup vault destination.
- Backup vaults: Logical containers that store backup recovery points. Each vault can have its own AWS KMS encryption key and resource-based access policy.
- Recovery points: The actual backup data (snapshot or backup) stored in a vault. Each recovery point is associated with a specific resource and timestamp.
- Backup policies (tag-based): You can assign a backup plan to resources by tagging them. AWS Backup automatically discovers resources matching the tag and applies the plan.
When a backup plan triggers, AWS Backup creates a recovery point using the underlying service’s native backup mechanism. For example, for an EC2 instance, it creates an EBS snapshot; for RDS, it triggers an automated snapshot; for DynamoDB, it uses on-demand backup. AWS Backup then copies the recovery point to the designated vault(s). If cross-region copy is enabled, the recovery point is asynchronously copied to a vault in another region.
Key Components, Values, Defaults, and Timers
Backup frequency: Can be set to hourly (every 1, 2, 3, 4, 6, 8, 12 hours), daily, weekly, or monthly. You can also use a cron expression for custom schedules.
Retention period: Range from 1 day to 100 years. Default is 30 days for continuous backups and 7 days for snapshot backups (if not specified).
Backup window: The time window in which the backup must start. Default is 5 hours. The backup must complete within the window; otherwise, it fails.
Cold storage transition: For recovery points in a vault, you can transition them to cold storage after a specified number of days (minimum 90 days for cold storage). This reduces storage costs for older backups.
Expiration: Recovery points are automatically deleted after their retention period expires. You cannot manually delete a recovery point before its expiration unless you modify the retention period.
Cross-region copy: You can copy recovery points to another region. The copy is asynchronous and may take time depending on the size.
Cross-account backup: You can copy recovery points to another AWS account using AWS Organizations or resource-based policies on the vault.
Encryption: By default, recovery points are encrypted using the AWS managed key (aws/backup) or a customer managed KMS key. You can specify a KMS key per vault.
Backup plan limits: You can have up to 100 backup plans per region per account. Each plan can have up to 100 rule assignments.
Configuration and Verification Commands
To create a backup plan using the AWS CLI:

    aws backup create-backup-plan --backup-plan file://plan.json

Example plan.json:

    {
      "BackupPlanName": "Daily30DayRetention",
      "Rules": [
        {
          "RuleName": "DailyBackup",
          "TargetBackupVaultName": "MyVault",
          "ScheduleExpression": "cron(0 5 * * ? *)",
          "StartWindowMinutes": 60,
          "CompletionWindowMinutes": 120,
          "Lifecycle": {
            "DeleteAfterDays": 30
          }
        }
      ]
    }

To assign resources via tags, tag the resource itself with the owning service's CLI (here EC2; `aws backup tag-resource` tags AWS Backup resources such as vaults and plans, not EC2 volumes). The tag key and value must match a backup selection attached to the plan (created with `aws backup create-backup-selection`):

    aws ec2 create-tags --resources vol-0abcdef1234567890 --tags Key=BackupPlan,Value=Daily30DayRetention

To list recovery points:

    aws backup list-recovery-points-by-backup-vault --backup-vault-name MyVault

To restore a recovery point:

    aws backup start-restore-job --recovery-point-arn arn:aws:backup:us-east-1:123456789012:recovery-point:abc123 --metadata file://restore-metadata.json

Interaction with Related Technologies
AWS Organizations: You can use backup policies (a type of service control policy) to enforce backup plans across all accounts in an organization. For example, you can require that all RDS instances have a backup plan with at least 30-day retention.
AWS Config: You can use Config rules to verify that resources are covered by a backup plan. For example, a rule can check that each EC2 instance has a tag that matches an active backup plan.
AWS CloudTrail: All AWS Backup API calls are logged in CloudTrail, enabling auditing of backup and restore actions.
Amazon S3: AWS Backup has supported backing up S3 data since 2022, restoring bucket contents as they were at the time of the backup. Note that S3 backup is different from S3 versioning and from cross-region replication.
AWS KMS: Backup vaults can be encrypted with a customer managed KMS key. If you use cross-account backup, you must share the KMS key with the target account.
Backup Plan Rules and Vault Lock
A backup plan can have multiple rules, each with different schedules and retention. For example, you can have a daily backup with 30-day retention and a weekly backup with 1-year retention. Vault Lock allows you to enforce a retention policy on a vault that cannot be changed, even by root users. This is crucial for compliance (e.g., SEC 17a-4). Once vault lock is in compliance mode, recovery points cannot be deleted before their expiration date. Vault lock has two modes: governance mode (can be overridden with appropriate permissions) and compliance mode (cannot be overridden).
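The two vault lock modes differ only in who can override them, and the difference is easier to see as decision logic than as prose. The following is an added example, not AWS code: it models the rules stated above (governance can be overridden by a caller holding `backup:DeleteRecoveryPoint`, compliance cannot be overridden by anyone until the recovery point expires, and a lock can move from governance to compliance but not back). The `Vault` and `RecoveryPoint` classes, the vault names, ARNs and dates are constructed for the example.

```python
"""Vault lock decision logic: who can delete a recovery point, and when.

Added example, not AWS code. Models the chapter's rules for governance and
compliance mode; all names, ARNs and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, Tuple

GOVERNANCE = "governance"
COMPLIANCE = "compliance"
DELETE_PERMISSION = "backup:DeleteRecoveryPoint"


@dataclass
class Vault:
    name: str
    lock_mode: Optional[str] = None  # None means the vault is not locked

    def lock(self, mode: str) -> None:
        """Apply a vault lock or tighten it; compliance is never relaxed."""
        if mode not in (GOVERNANCE, COMPLIANCE):
            raise ValueError(f"unknown vault lock mode: {mode}")
        if self.lock_mode == COMPLIANCE and mode == GOVERNANCE:
            raise PermissionError(
                f"{self.name}: compliance mode cannot be downgraded to governance"
            )
        self.lock_mode = mode


@dataclass
class RecoveryPoint:
    arn: str
    vault: Vault
    expires_on: date  # end of the retention period


def can_delete(rp: RecoveryPoint, caller_permissions: Set[str],
               today: date) -> Tuple[bool, str]:
    """Decide a DeleteRecoveryPoint request; returns (allowed, reason)."""
    if DELETE_PERMISSION not in caller_permissions:
        return False, f"caller lacks {DELETE_PERMISSION}"
    if today >= rp.expires_on:
        return True, "retention period has expired; lifecycle deletion applies"
    mode = rp.vault.lock_mode
    if mode is None:
        return True, "vault is not locked"
    if mode == GOVERNANCE:
        return True, "governance mode: caller's permission overrides the lock"
    # Compliance mode: no principal, root included, can delete early.
    return False, f"compliance mode: protected until {rp.expires_on.isoformat()}"


# Constructed scenario: 7-year recovery points in two differently locked vaults.
COMPLIANCE_VAULT = Vault("compliance-vault")
COMPLIANCE_VAULT.lock(COMPLIANCE)
GOVERNANCE_VAULT = Vault("governance-vault")
GOVERNANCE_VAULT.lock(GOVERNANCE)
ADMIN = {DELETE_PERMISSION}  # a caller who holds the delete permission
RP_COMPLIANCE = RecoveryPoint(
    "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-compliance-0001",
    COMPLIANCE_VAULT, date(2032, 1, 1))
RP_GOVERNANCE = RecoveryPoint(
    "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-governance-0001",
    GOVERNANCE_VAULT, date(2032, 1, 1))

if __name__ == "__main__":
    today = date(2025, 1, 1)
    for rp in (RP_COMPLIANCE, RP_GOVERNANCE):
        allowed, reason = can_delete(rp, ADMIN, today)
        print(f"{rp.vault.name}: {'ALLOWED' if allowed else 'DENIED'} ({reason})")
```

The point the exam tests is the third branch: with the same caller and the same permission, the governance vault allows the deletion and the compliance vault refuses it until `expires_on`, and `Vault.lock` refuses the downgrade that would otherwise reopen that door.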
Continuous Backups and Point-in-Time Recovery (PITR)
Some services support continuous backups, which enable point-in-time recovery to any point within the retention window. For example, RDS continuous backups (with automated backups) and DynamoDB continuous backups (with PITR) can be managed via AWS Backup. When you enable continuous backups in a backup plan, AWS Backup creates incremental backups every few minutes. The retention for continuous backups is typically up to 35 days. During restore, you can specify a timestamp.
Monitoring and Alerts
You can monitor backup jobs via CloudWatch metrics (e.g., NumberOfBackupJobs, NumberOfRestoreJobs) and set alarms for failures. AWS Backup also integrates with EventBridge to trigger notifications or Lambda functions on backup events (e.g., backup job completed, failed, or restored). The AWS Backup console provides a dashboard showing backup compliance, job status, and vault inventory.
Pricing
AWS Backup charges based on the amount of backup data stored and the data transferred for cross-region copies. There is no charge for creating backup plans or vaults. Restores are also charged based on the amount of data restored. Costs can be reduced by using cold storage for older backups and by deleting unnecessary recovery points.
Define Backup Plan
Create a backup plan with rules specifying the backup frequency, retention, and target vault. You can use predefined schedules (e.g., daily at 5 AM) or custom cron expressions. Each rule can have a lifecycle policy to transition to cold storage or expire. The plan is stored as a JSON document in AWS Backup. You can create up to 100 plans per region.
Assign Resources
Assign resources to the backup plan either by specifying individual resource ARNs or by using tags. Tag-based assignment is recommended for scalability: you tag resources with a key-value pair (e.g., BackupPlan=DailyBackup), and AWS Backup automatically discovers and backs up all matching resources. You can also assign resources via the console by selecting resource IDs.
Backup Execution
At the scheduled time, AWS Backup initiates the backup using the native backup mechanism of the resource type. For EBS, it creates a snapshot; for RDS, it triggers an automated snapshot; for DynamoDB, it performs an on-demand backup. The backup must complete within the completion window (default 5 hours). If it fails, AWS Backup retries up to 3 times by default. The recovery point is stored in the specified vault.
Cross-Region Copy (Optional)
If the backup plan includes a cross-region copy rule, AWS Backup asynchronously copies the recovery point to a vault in the target region. The copy operation is charged per GB transferred. The copied recovery point inherits the retention and lifecycle settings of the target vault. You can also copy recovery points manually from the console or CLI.
Restore Resource
When you need to restore, you select a recovery point from a vault and initiate a restore job. AWS Backup uses the native restore mechanism (e.g., create an EBS volume from snapshot, restore an RDS instance from snapshot, restore a DynamoDB table). You can specify metadata like instance type, subnet, or security groups during restore. The restore job status can be monitored in the console or via CloudWatch.
Enterprise Scenario 1: Compliance-Driven Backup for Financial Services
A financial services company must retain transaction logs stored in RDS and DynamoDB for 7 years to comply with SEC regulations. They use AWS Backup with vault lock in compliance mode. They create a backup plan with a monthly backup and a retention period of 7 years (2555 days). The vault is locked with a compliance mode lock, preventing any deletion of recovery points before the retention expires. Cross-region copy to a secondary region ensures disaster recovery. The backup plan is applied via tagging all production RDS and DynamoDB resources with 'BackupPlan=Compliance7Year'. AWS Config rules verify that all resources have this tag. If a developer accidentally tries to delete a recovery point, the operation fails because vault lock is in compliance mode. The company also sets up CloudWatch alarms for backup failures and EventBridge notifications to the security team.
Enterprise Scenario 2: Multi-Account Backup with AWS Organizations
A large enterprise uses AWS Organizations with 50 accounts. They want to enforce a minimum backup policy across all accounts: all EC2 instances must have daily backups with 30-day retention, and all RDS instances must have daily backups with 60-day retention. They use AWS Backup policies (a type of service control policy) to mandate these backup plans. The backup plans are created in a central administration account, and resources in member accounts are assigned via tags. Cross-account backup copies recovery points to a central vault in the administration account for auditing. This ensures that even if a member account admin disables backups, the policy prevents them from removing the backup plan. The central team monitors backup compliance via a dashboard in the administration account.
Common Misconfigurations and Pitfalls
Missing IAM permissions: AWS Backup requires specific IAM roles to back up resources. If the role is missing or has insufficient permissions, backups fail silently. Always use the AWS managed role AWSBackupDefaultServiceRole or create a custom role with the required policies.
Incorrect tag assignment: Tag-based assignment uses exact match. A typo in the tag key or value means the resource is not backed up. Use AWS Config to verify coverage.
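Tag-based assignment (the Assign Resources step above and this pitfall) comes down to one rule: a backup selection's `ListOfTags` entries use `STRINGEQUALS`, an exact, case-sensitive comparison on both key and value, and a resource is covered when at least one entry matches. The block below is an added example, not AWS code; it evaluates a selection document of the shape `aws backup create-backup-selection` accepts against constructed resource tags and reports the resources that fall outside the plan, with a hint about why, which is the coverage check you would otherwise get from an AWS Config rule. The `SELECTION` and `RESOURCES` data are constructed.

```python
"""Tag-based backup selection as AWS Backup evaluates it, plus a coverage report.

Added example, not AWS code. ListOfTags entries are matched with STRINGEQUALS
(exact, case-sensitive) and OR'd together. SELECTION and RESOURCES are
constructed sample data.
"""
from typing import Dict, List

# Constructed backup selection; the role ARN is the AWS managed default role.
SELECTION = {
    "SelectionName": "prod-daily",
    "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole",
    "ListOfTags": [
        {"ConditionType": "STRINGEQUALS",
         "ConditionKey": "BackupPlan",
         "ConditionValue": "Daily30DayRetention"},
    ],
}

# Constructed inventory: resource ARN -> its tags.
RESOURCES: Dict[str, Dict[str, str]] = {
    "arn:aws:ec2:us-east-1:123456789012:volume/vol-0aaa111": {"BackupPlan": "Daily30DayRetention"},
    "arn:aws:ec2:us-east-1:123456789012:volume/vol-0bbb222": {"backupplan": "Daily30DayRetention"},  # key case
    "arn:aws:rds:us-east-1:123456789012:db:orders": {"BackupPlan": "Daily30DayRetenton"},           # value typo
    "arn:aws:dynamodb:us-east-1:123456789012:table/sessions": {},                                    # untagged
}


def tag_matches(condition: Dict[str, str], tags: Dict[str, str]) -> bool:
    """Exact, case-sensitive match on key and value; no other operator in ListOfTags."""
    if condition["ConditionType"] != "STRINGEQUALS":
        raise ValueError("ListOfTags supports only STRINGEQUALS")
    return tags.get(condition["ConditionKey"]) == condition["ConditionValue"]


def select_resources(selection: Dict, resources: Dict[str, Dict[str, str]]) -> List[str]:
    """ARNs the selection covers: any ListOfTags entry matching is enough."""
    return sorted(arn for arn, tags in resources.items()
                  if any(tag_matches(c, tags) for c in selection["ListOfTags"]))


def coverage_gaps(selection: Dict, resources: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Resources not covered, each with a hint about the likely tagging mistake."""
    covered = set(select_resources(selection, resources))
    gaps: Dict[str, str] = {}
    for arn, tags in resources.items():
        if arn in covered:
            continue
        hint = "no matching tag"
        for cond in selection["ListOfTags"]:
            key, value = cond["ConditionKey"], cond["ConditionValue"]
            for k, v in tags.items():
                if k.lower() == key.lower() and k != key:
                    hint = f"tag key case differs: {k!r} vs {key!r}"
                elif k == key and v != value:
                    hint = f"tag value differs: {v!r} vs {value!r}"
        gaps[arn] = hint
    return gaps


if __name__ == "__main__":
    for arn in select_resources(SELECTION, RESOURCES):
        print("covered:", arn)
    for arn, hint in coverage_gaps(SELECTION, RESOURCES).items():
        print("NOT covered:", arn, "->", hint)
```

Only the first volume is backed up; the lower-case key, the one-letter value typo and the missing tag all silently drop a resource from the plan, which is why a coverage check like `coverage_gaps` (or the equivalent AWS Config rule) belongs next to every tag-based selection.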
Vault lock misconfiguration: If vault lock is set in governance mode, an administrator with appropriate permissions can still delete recovery points. For true immutability, use compliance mode.
Cross-region copy delays: Large recovery points can take hours to copy. Plan your RTO accordingly. Also, cross-region copy incurs data transfer costs.
Retention period conflicts: If a backup plan rule has a retention period that is shorter than the lifecycle transition to cold storage, the recovery point may expire before transitioning. Ensure the retention period is longer than the transition time.
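The retention and cold storage limits in this chapter (1 day to 100 years, a minimum of 90 days in cold storage, the start and completion window minimums) can all be checked before the plan is ever submitted. The following is an added example, not AWS code: it validates a plan document of the shape `aws backup create-backup-plan --backup-plan file://plan.json` accepts. The retention conflict check encodes the AWS constraint that `DeleteAfterDays` must be at least `MoveToColdStorageAfterDays` plus 90; the window minimums (60 and 120 minutes) are the values the API enforces; `SAMPLE_PLAN` is constructed input and 100 years is counted as 36500 days here.

```python
"""Pre-flight validation of an AWS Backup plan document.

Added example, not AWS code. Flags lifecycle and window settings that the
chapter lists as limits; SAMPLE_PLAN is constructed input.
"""
import json
from typing import Dict, List

MAX_RETENTION_DAYS = 100 * 365        # 100 years, as stated in the chapter
MIN_COLD_STORAGE_DAYS = 90            # minimum stay in cold storage
MIN_START_WINDOW_MINUTES = 60
MIN_COMPLETION_WINDOW_MINUTES = 120


def validate_rule(rule: Dict) -> List[str]:
    """Return human-readable findings for one backup rule (empty list = OK)."""
    name = rule.get("RuleName", "<unnamed rule>")
    findings: List[str] = []
    if not rule.get("TargetBackupVaultName"):
        findings.append(f"{name}: TargetBackupVaultName is required")

    lifecycle = rule.get("Lifecycle", {})
    delete_after = lifecycle.get("DeleteAfterDays")
    cold_after = lifecycle.get("MoveToColdStorageAfterDays")
    if delete_after is not None and not 1 <= delete_after <= MAX_RETENTION_DAYS:
        findings.append(f"{name}: DeleteAfterDays {delete_after} is outside 1..{MAX_RETENTION_DAYS}")
    # The pitfall above: retention too short for the cold storage transition.
    if (cold_after is not None and delete_after is not None
            and delete_after < cold_after + MIN_COLD_STORAGE_DAYS):
        findings.append(
            f"{name}: retention of {delete_after} days is shorter than the cold storage "
            f"transition at {cold_after} days plus the {MIN_COLD_STORAGE_DAYS}-day minimum stay"
        )

    start = rule.get("StartWindowMinutes")
    if start is not None and start < MIN_START_WINDOW_MINUTES:
        findings.append(f"{name}: StartWindowMinutes {start} is below the "
                        f"{MIN_START_WINDOW_MINUTES}-minute minimum")
    completion = rule.get("CompletionWindowMinutes")
    if completion is not None and completion < MIN_COMPLETION_WINDOW_MINUTES:
        findings.append(f"{name}: CompletionWindowMinutes {completion} is below the "
                        f"{MIN_COMPLETION_WINDOW_MINUTES}-minute minimum")
    return findings


def validate_plan(plan: Dict) -> List[str]:
    """Validate a whole plan document; returns all findings across its rules."""
    findings: List[str] = []
    if not plan.get("BackupPlanName"):
        findings.append("BackupPlanName is required")
    rules = plan.get("Rules", [])
    if not rules:
        findings.append("plan has no rules")
    for rule in rules:
        findings.extend(validate_rule(rule))
    return findings


def validate_plan_file(path: str) -> List[str]:
    """Validate the plan.json you would pass to create-backup-plan."""
    with open(path) as fh:
        return validate_plan(json.load(fh))


# Constructed plan: one good daily rule, one rule that expires before its
# cold storage stay is over, and a compliant 7-year rule.
SAMPLE_PLAN = {
    "BackupPlanName": "MixedRetention",
    "Rules": [
        {"RuleName": "Daily", "TargetBackupVaultName": "MyVault",
         "ScheduleExpression": "cron(0 5 * * ? *)",
         "StartWindowMinutes": 60, "CompletionWindowMinutes": 120,
         "Lifecycle": {"DeleteAfterDays": 30}},
        {"RuleName": "WeeklyColdTooSoon", "TargetBackupVaultName": "MyVault",
         "ScheduleExpression": "cron(0 5 ? * SUN *)",
         "StartWindowMinutes": 30, "CompletionWindowMinutes": 120,
         "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 90}},
        {"RuleName": "Monthly7Year", "TargetBackupVaultName": "ComplianceVault",
         "ScheduleExpression": "cron(0 5 1 * ? *)",
         "StartWindowMinutes": 60, "CompletionWindowMinutes": 120,
         "Lifecycle": {"MoveToColdStorageAfterDays": 90, "DeleteAfterDays": 2555}},
    ],
}

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN) or ["plan is valid"]:
        print(finding)
```

Run against `SAMPLE_PLAN`, only `WeeklyColdTooSoon` produces findings: its 90-day retention cannot hold a recovery point that transitions at day 30 and must then stay at least 90 days in cold storage, and its start window is under the minimum. Pointing `validate_plan_file` at the chapter's `plan.json` returns no findings.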
What SOA-C02 Tests on AWS Backup
The SOA-C02 exam focuses on the following specific areas (Objective 2.2 - Implement backup and recovery strategies):
- Backup plans and vaults: Understand how to create and configure backup plans, including schedules, retention, and lifecycle policies.
- Tag-based backup assignment: Know that tags are the primary mechanism for associating resources with backup plans.
- Cross-region and cross-account backup: Understand the steps to copy recovery points across regions and accounts, including IAM roles and KMS key sharing.
- Vault lock: Know the difference between governance and compliance modes, and when to use each.
- Restoration: Understand that restore jobs use the native service mechanism (e.g., creating a new volume from snapshot) and that you can specify metadata during restore.
- Monitoring: Know that CloudWatch metrics and EventBridge are used for monitoring backup jobs.
- Continuous backups: Understand which services support continuous backups (RDS, DynamoDB) and that PITR is available within the retention window.
Common Wrong Answers and Why Candidates Choose Them
"AWS Backup can back up any AWS resource." - Wrong. AWS Backup supports a specific set of services. Candidates assume it covers all services, but it does not, e.g., Lambda functions, SQS queues, or API Gateway are not supported.
"You can delete a recovery point from a vault locked in compliance mode." - Wrong. In compliance mode, no one can delete recovery points before expiration. Candidates confuse governance mode (which allows deletion with permissions) with compliance mode.
"AWS Backup uses its own snapshot technology." - Wrong. AWS Backup uses the native backup mechanisms of each service. Candidates think AWS Backup creates its own snapshots, but it actually triggers EBS snapshots, RDS snapshots, etc.
"Backup plans can only be assigned to resources individually." - Wrong. Tag-based assignment is the recommended method. Candidates may think you must manually select each resource.
Specific Numbers and Terms That Appear on the Exam
Default backup window: 5 hours
Maximum retention: 100 years
Minimum cold storage transition: 90 days
Continuous backup retention: up to 35 days
Maximum backup plans per region: 100
Vault lock modes: governance and compliance
Cross-region copy: asynchronous
Edge Cases and Exceptions
If a resource is deleted, its recovery points remain in the vault until they expire.
Using AWS Backup on a resource that already has native continuous backups enabled (e.g., RDS with automated backups) does not by itself avoid duplicate costs. AWS Backup can manage RDS automated backups, but if you want AWS Backup to control retention you must disable the native automated backup. The exam may test that you should centralize on AWS Backup rather than run both.
For EFS, AWS Backup creates a backup of the file system, not an EBS snapshot.
When restoring an EC2 instance, you must specify metadata like instance type, subnet, etc. The exam might ask what you cannot change during restore (e.g., you cannot change the AMI).
AWS Backup centralizes backup management across supported AWS services using backup plans and vaults.
Backup plans define frequency (hourly to monthly) and retention (1 day to 100 years).
Resources are assigned to backup plans via tags or direct ARN selection.
Vault lock has two modes: governance (overridable) and compliance (immutable).
Cross-region copy is asynchronous and incurs data transfer costs.
Continuous backups enable point-in-time recovery (PITR) with up to 35 days retention.
AWS Backup uses native backup mechanisms of each service (e.g., EBS snapshots).
Monitor backup jobs using CloudWatch metrics and EventBridge notifications.
IAM roles must have appropriate permissions for AWS Backup to function.
Restore jobs require metadata such as instance type, subnet, and security groups.
These come up on the exam all the time. Here's how to tell them apart.

| Aspect | AWS Backup | Native Service Backup (e.g., RDS automated snapshots) |
|---|---|---|
| Management | Centralized management across multiple services | Service-specific management (separate console/CLI for each) |
| Copy scope | Supports cross-region and cross-account copy | Limited to same region/account (unless manual copy) |
| Immutability | Vault lock for compliance | No vault lock capability |
| Assignment | Tag-based policy assignment | Manual or scripted assignment |
| Monitoring | Integrated monitoring via CloudWatch and EventBridge | Service-specific monitoring (e.g., RDS events) |
Mistake
AWS Backup can back up any AWS service.
Correct
AWS Backup supports a defined list of services including EC2, RDS, DynamoDB, EFS, FSx, Storage Gateway, and S3. It does not support Lambda, SQS, SNS, API Gateway, etc. Always check the supported services list.
Mistake
You can delete a recovery point from a vault locked in compliance mode.
Correct
In compliance mode, no user or AWS account can delete recovery points before their expiration date. Only compliance mode vault lock guarantees immutability. Governance mode allows deletion with appropriate permissions.
Mistake
AWS Backup creates its own type of backup independent of the service.
Correct
AWS Backup uses the native backup mechanism of each service. For EC2, it creates EBS snapshots; for RDS, it creates DB snapshots; for DynamoDB, it creates on-demand backups. It does not invent a new backup format.
Mistake
Tag-based backup assignment is optional and rarely used.
Correct
Tag-based assignment is the recommended and most scalable method. It allows automatic discovery of new resources that match the tag. Manual assignment is possible but not scalable.
Mistake
Cross-region backup copies are synchronous and instant.
Correct
Cross-region copies are asynchronous. The copy job runs in the background and may take minutes to hours depending on the size of the recovery point and network conditions.
Yes. When you back up an EC2 instance, AWS Backup creates snapshots of all attached EBS volumes. However, it does not capture instance metadata like instance type, security groups, or tags. To restore, you must specify these parameters. This is different from an AMI backup, which captures the full instance configuration.
Governance mode allows users with the `backup:DeleteRecoveryPoint` permission to delete recovery points even if vault lock is enabled. Compliance mode prevents any deletion, even by root users, until the retention period expires. Compliance mode is used for strict regulatory requirements. You can upgrade from governance to compliance, but not downgrade.
Use AWS Organizations and create a backup plan in a central administration account. Then use cross-account backup by configuring the vault's resource-based policy to allow the target account to copy recovery points. Alternatively, use AWS Backup policies (service control policies) to enforce backup plans across accounts. Ensure KMS keys are shared if using customer managed keys.
Yes, AWS Backup added support for S3 in 2022. It creates point-in-time backups of S3 bucket contents. However, it is different from S3 versioning or replication. You must enable S3 backup within a backup plan. Note that S3 backup does not support continuous backups; only snapshot-based backups are available.
Recovery points remain in the vault until their retention period expires. They are not automatically deleted when the source resource is deleted. This allows you to restore the resource after deletion. You can manually delete recovery points (if not protected by vault lock) by modifying the retention period or using the delete API.
Use CloudWatch metrics like `NumberOfBackupJobs` (with dimension `Status=FAILED`) and set an alarm. Also, use EventBridge rules to trigger notifications (e.g., SNS, Lambda) on `AWS Backup Backup Job State Change` events with `state=FAILED`. The AWS Backup console also shows job status.
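The EventBridge side of this answer (and of the Monitoring and Alerts section above) is a rule whose event pattern selects failed backup jobs. The block below is an added example, not AWS code: it defines that pattern (source `aws.backup`, detail-type `Backup Job State Change`, `detail.state` FAILED, with EXPIRED added for jobs that did not finish inside their completion window) and a small matcher implementing the subset of EventBridge pattern semantics the rule needs, namely that every pattern key must be present in the event with a value from the listed set, recursing into nested objects. It runs over constructed sample events; the field names follow the Backup Job State Change event, the job ids and vault names are made up.

```python
"""EventBridge-style matching of AWS Backup job events for failure alerting.

Added example, not AWS code. FAILED_BACKUP_PATTERN is the rule pattern;
matches() implements the subset of EventBridge semantics it needs;
SAMPLE_EVENTS are constructed.
"""
from typing import Any, Dict, List

# Pattern for an EventBridge rule that should notify the security team.
# EXPIRED covers a job that never completed inside its completion window.
FAILED_BACKUP_PATTERN: Dict[str, Any] = {
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change"],
    "detail": {"state": ["FAILED", "EXPIRED"]},
}

# Constructed events: one success, one failure, one expiry, and a failed
# restore job whose detail-type differs and so is NOT matched by the rule above.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-0001", "state": "COMPLETED",
                "resourceType": "EBS", "backupVaultName": "MyVault"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-0002", "state": "FAILED",
                "resourceType": "RDS", "backupVaultName": "MyVault"}},
    {"source": "aws.backup", "detail-type": "Backup Job State Change",
     "detail": {"backupJobId": "job-0003", "state": "EXPIRED",
                "resourceType": "DynamoDB", "backupVaultName": "ComplianceVault"}},
    {"source": "aws.backup", "detail-type": "Restore Job State Change",
     "detail": {"restoreJobId": "restore-0001", "state": "FAILED",
                "resourceType": "EBS"}},
]


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True if the event satisfies the pattern (EventBridge list/nested semantics)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def matching_events(pattern: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if matches(pattern, e)]


def failed_backup_job_ids(events: List[Dict[str, Any]]) -> List[str]:
    """Job ids an SNS or Lambda target would be invoked for under the rule."""
    return [e["detail"]["backupJobId"] for e in matching_events(FAILED_BACKUP_PATTERN, events)]


if __name__ == "__main__":
    for job_id in failed_backup_job_ids(SAMPLE_EVENTS):
        print("alert: backup job", job_id, "did not complete")
```

The restore event in the sample is the caveat to remember: a rule on `Backup Job State Change` never sees a failed restore, so restore failures need their own rule with detail-type `Restore Job State Change`.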
Yes. During restore, you can specify a different DB instance class, VPC, subnet group, and security groups. However, you cannot change the engine version or storage type (e.g., from gp2 to io1) directly; you must restore and then modify. The restore uses the native RDS restore from snapshot mechanism.