AWS Backup – Clear Overview in 2020!

If you are an AWS user, or if you would like to host your application on AWS, then you should also consider backing up your application in order to maintain your business integrity. There are a couple of mechanisms to consider: you can take snapshot backups of your volumes, or you can schedule AMI backups of your instances. You can do either manually or through a piece of code. AWS now also provides a managed service for backing up your AWS infrastructure, named ‘AWS Backup’. In this article, we will see how to use AWS Backup and what its advantages and disadvantages are.

AWS Backup is not limited to AWS only. You can also use this managed service to back up your on-premises servers through AWS Storage Gateway.

Like any other AWS managed service, AWS Backup can be set up either through the AWS Management Console or using CloudFormation. You can also use Terraform to set up this service.

We will review the three methods one after another.

Setting up AWS Backup using AWS Management Console

First, you need to log in to the AWS Management Console. I believe you are already aware of the process of AWS account creation and logging in securely. If you are not sure about the steps, I suggest you follow the step-by-step guide. Once you log in to the AWS Management Console, you will see an interface like the one below:

You can click on the Services drop-down option shown in point 1 and select AWS Backup. Alternatively, you can type ‘AWS Backup’ in the search bar as shown in point 2 and click on ‘AWS Backup’. Once you select AWS Backup, it will take you to another console as shown below:

You can either click on option 1 or click ‘Create Backup Plan’ as shown in point 2.

Be careful: make sure you are in the same Availability Zone where your resources are hosted. In other words, you have to choose the same Availability Zone where you launched your instance earlier.

If you click on option 1, it will expand. Let me explain each option for your better understanding.

Refer to the image shown on the right-hand side.

A Backup vault (point 2) is a container in which you organize your backups.

You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults. Otherwise, you can have all your backups organized in the default backup vault.

A Backup plan (point 3) is the frequency of backup that you want for your resource. Each execution of your plan produces a backup as its end product. These end products can be considered recovery points. ‘Recovery point’ is a term that refers generally to the different backups in AWS services, such as Amazon EBS snapshots and DynamoDB backups.

The terms recovery point and backup are used interchangeably.

In AWS Backup, recovery points are saved in backup vaults, which you can organize according to your business needs.

The Protected resources (point 4) are the resources for which you want to take the backup. The resources are protected using AWS Backup, hence the name.

AWS Backup job history is listed under the ‘Jobs’ tab (point 5). Jobs are divided into 3 distinct types: Backup, Copy and Restore.

As the name suggests, “Settings” (point 6) is the option where you can configure the services for which you want to enable the backup.

In addition, if you have multiple AWS accounts to back up, you can take advantage of AWS Cross Account. Points 7 and 8 of the last AWS Backup image are for the cross-account setup. In today’s article, we won’t get into AWS Cross Account, as it requires some initial understanding of cross-account configuration. I prefer to create a separate article for that if you need it. So, please feel free to drop me a mail if you want to know more about AWS Cross Account.

How to set up scheduled AWS Backup from AWS Management Console?

How to setup scheduled AWS Backup from AWS Management Console?

Scheduled AWS Backup can be configured in 3 simple steps.

  1. First, you need to create a backup plan. You can choose one of the predefined AWS backup plans or define your own.
  2. Next, you select the resources that you want to back up.
  3. Last but not least, you create a backup vault. You can use the default vault as well.

We will go through them one after another.

How do you create a backup plan?

A backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or AWS EC2 or Amazon Elastic File System (Amazon EFS) file systems.

You assign resources to backup plans, and AWS Backup then automatically backs up and retains backups for those resources according to the backup plan.

There are two ways to create a new backup plan: You can build one from scratch or build one based on an existing backup plan. This example uses the AWS Backup console to create a backup plan by modifying an existing backup plan.

  1. Sign in to the AWS Management Console, and open the AWS Backup console at
  2. From the dashboard, choose Manage Backup plans. Or, using the navigation pane, choose Backup plans.
  3. Choose a plan from the list (for example, Daily-Monthly-1yr-Retention), and enter a name in the Backup plan name box.
  4. On the plan summary page, choose the radio button for the backup rule and then choose Edit. Review and choose the values that you want for your rule. For example, you can extend the retention period of the backup in the Monthly rule to three years instead of one year.
  5. For the backup vault, choose Default.
  6. When you have finished editing the rule, choose Save.

How to assign resources for the backup?

To apply backup plans to your AWS resources, you choose a backup plan and assign resources to it by using tags or listing the resource IDs directly.

If you don’t already have existing AWS resources that you want to assign to a backup plan, create some new resources to use for this exercise. You can create multiple resources from several or all of the supported services.

These resources can include the following:

  • DynamoDB tables
  • Amazon EBS volumes
  • AWS EC2 instances
  • Amazon EFS file systems
  • AWS RDS instances and Amazon Aurora clusters
  • AWS Storage Gateway volumes

To assign resources to a backup plan, you need to follow the steps mentioned below:

  1. On the AWS Backup console dashboard, choose Manage Backup plans. Or, using the navigation pane, choose Backup plans.
  2. Choose a plan from the list; for example, Daily-Monthly-1yr-Retention.
  3. On the plan summary page, choose Assign resources.
  4. In the Resource assignment name field, choose a name for the resource assignment.
  5. Under IAM role, choose Default role.
  6. In the Assign resources section, ensure that the Assign by control displays Tags. Enter a key and value that your resources are tagged with; for example, BackupPlan:MissionCritical. Choose Add assignment to add all resources that are tagged with your chosen key-value pair. Any supported resource in the selected Region that is tagged with this key-value pair is automatically assigned to this backup plan.
  7. When a new Assign by control appears below your first resource assignment, change the value to Resource ID.
  8. Choose the resource type that you want to add to your selection, for example, EBS. Place your cursor in the Volume ID field, and the available resources for this type will appear.
  9. Choose a resource from the list, and then choose Add assignment.
  10. When you have finished adding resources, choose Assign resources.

How to create a backup vault?

  1. On the AWS Backup console, in the navigation pane, choose Backup vaults.
  2. Choose Create backup vault.
  3. Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups.
  4. Select an AWS KMS key. You can use either a key that you already created, or select the default AWS Backup master key.
  5. Optionally, add tags that will help you search for and identify your backup vault. For example, you could add a BackupType:Financial tag.
  6. Choose Create Backup vault.
  7. In the navigation pane, choose Backup vaults, and verify that your backup vault has been added.
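The same three pieces (plan, tag-based assignment, vault) can be written as the JSON documents that the AWS Backup API takes and checked offline before they are applied. This is an added example, not code from the original article; the account ID, Region, key ID, cron schedules, retention values, plan name and selection name are constructed placeholders, and `lint` is a hypothetical helper.

```python
# Added example: API request documents for the console steps above, plus an
# offline consistency check. All identifiers below are constructed placeholders.
import json

ACCOUNT = "111122223333"
VAULT = {"BackupVaultName": "FinancialBackups",
         "EncryptionKeyArn": f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/EXAMPLE-KEY-ID",
         "BackupVaultTags": {"BackupType": "Financial"}}
PLAN = {"BackupPlanName": "Daily-Monthly-3yr-Retention", "Rules": [
    {"RuleName": "Daily", "TargetBackupVaultName": "FinancialBackups",
     "ScheduleExpression": "cron(0 5 ? * * *)",        # every day, 05:00 UTC
     "Lifecycle": {"DeleteAfterDays": 35}},
    {"RuleName": "Monthly", "TargetBackupVaultName": "FinancialBackups",
     "ScheduleExpression": "cron(0 5 1 * ? *)",        # 1st of each month
     "Lifecycle": {"MoveToColdStorageAfterDays": 90, "DeleteAfterDays": 1095}}]}
SELECTION = {"SelectionName": "mission-critical",
             "IamRoleArn": f"arn:aws:iam::{ACCOUNT}:role/service-role/"
                           "AWSBackupDefaultServiceRole",
             "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                             "ConditionKey": "BackupPlan",
                             "ConditionValue": "MissionCritical"}]}

def lint(vault, plan, selection):
    """Return a list of findings; an empty list means the documents agree."""
    findings = []
    for rule in plan["Rules"]:
        name = rule["RuleName"]
        if rule["TargetBackupVaultName"] != vault["BackupVaultName"]:
            findings.append(f"{name}: targets a vault other than "
                            f"{vault['BackupVaultName']}")
        life = rule.get("Lifecycle", {})
        delete = life.get("DeleteAfterDays")
        cold = life.get("MoveToColdStorageAfterDays")
        if delete is None:
            findings.append(f"{name}: no DeleteAfterDays, recovery points never expire")
        elif cold is not None and delete < cold + 90:
            # AWS Backup requires at least 90 days in cold storage before deletion.
            findings.append(f"{name}: DeleteAfterDays must be >= {cold + 90}")
    if not selection.get("ListOfTags") and not selection.get("Resources"):
        findings.append("selection: matches no resources")
    if "*" in selection.get("Resources", []):
        findings.append("selection: wildcard assigns every supported resource")
    return findings

if __name__ == "__main__":
    print(lint(VAULT, PLAN, SELECTION) or "no findings")
    print(json.dumps(PLAN, indent=2))  # usable as the create-backup-plan document
```

The `PLAN` and `SELECTION` documents have the shape expected by `aws backup create-backup-plan --backup-plan` and `aws backup create-backup-selection --backup-selection`.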

Now you’re done with the backup setup. The last important part that remains is to set up notifications for the backup jobs. Unfortunately, AWS does not provide any option in the GUI to trigger an SNS notification from AWS Backup. However, you can trigger an SNS notification for AWS Backup through the AWS CLI. If you are new to the AWS CLI, I suggest taking a look at the Complete Reference of AWS CLI.

If your AWS CLI setup is complete, execute the command below to enable SNS notifications for AWS Backup jobs.

# Uses the Region and endpoint from your AWS CLI configuration.
aws backup put-backup-vault-notifications \
            --backup-vault-name Default \
            --sns-topic-arn "$sns_topic_arn" \
            --backup-vault-events BACKUP_JOB_FAILED BACKUP_JOB_SUCCESSFUL

You have to specify your SNS topic ARN in place of $sns_topic_arn. You will now get notifications for backup jobs that succeed or fail.

However, this SNS notification is not formatted for readability. You can use Lambda and DynamoDB to build a proper report and send it to your mail. If you need any assistance with AWS Lambda or the integration of Lambda with AWS Backup, let me know by mail. I shall create a separate article for your assistance.
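Delivery of these events also depends on the SNS topic's access policy allowing the AWS Backup service principal (backup.amazonaws.com) to publish to the topic. The following added example, which is not from the original article, checks a topic policy for that permission and adds the statement when it is missing; the topic ARN, account ID, sample policy and function names are constructed for illustration.

```python
# Added example: verify and patch an SNS topic access policy so that AWS Backup
# can publish vault events to it. Sample values are constructed placeholders.
import copy

BACKUP_PRINCIPAL = "backup.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:eu-west-1:111122223333:backup-events"  # constructed
OWNER_ONLY_POLICY = {  # constructed: only the account itself may publish
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["SNS:Publish", "SNS:Subscribe"],
        "Resource": TOPIC_ARN}],
}

def as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def allows_backup_publish(policy, topic_arn):
    """True if an Allow statement lets AWS Backup publish to topic_arn.
    Condition blocks and Deny statements are not evaluated here."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) \
            if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        resources = as_list(st.get("Resource", []))
        if (st.get("Effect") == "Allow" and BACKUP_PRINCIPAL in services
                and "sns:publish" in actions
                and (topic_arn in resources or "*" in resources)):
            return True
    return False

def with_backup_publish(policy, topic_arn):
    """Return a copy of policy that grants AWS Backup SNS:Publish on the topic."""
    if allows_backup_publish(policy, topic_arn):
        return policy
    patched = copy.deepcopy(policy)
    patched.setdefault("Statement", []).append({
        "Sid": "AllowAWSBackupPublish", "Effect": "Allow",
        "Principal": {"Service": BACKUP_PRINCIPAL},
        "Action": "SNS:Publish", "Resource": topic_arn})
    return patched

if __name__ == "__main__":
    print(allows_backup_publish(OWNER_ONLY_POLICY, TOPIC_ARN))
    print(with_backup_publish(OWNER_ONLY_POLICY, TOPIC_ARN)["Statement"][-1])
```

The patched document can be applied to the topic with `aws sns set-topic-attributes --attribute-name Policy`.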

Thanks for reading!
