AWS Backup: What It Is and When to Use It
Definition
AWS Backup is a fully managed, policy-driven backup service that centralizes and automates data protection across more than a dozen AWS services. Instead of configuring snapshots separately in EBS, RDS, DynamoDB, EFS, FSx, and the other services that each have their own backup mechanism, you define a single Backup Plan in AWS Backup, tag the resources it should protect, and let AWS Backup handle scheduling, retention, cross-Region/cross-account copy, encryption, monitoring, and compliance reporting. It is the recommended control plane for backups on AWS and is typically the answer whenever an exam asks for "centralized backup across multiple AWS services with a single policy."
How It Works
AWS Backup orchestrates the native snapshot or export APIs of the underlying services. The moving parts:
- Backup Plans — policies containing one or more rules. Each rule specifies: backup frequency (cron/rate), window, retention, lifecycle to cold storage, and destination vault.
- Backup Vaults — KMS-encrypted containers that hold recovery points. Create additional vaults with independent KMS keys for segregation of duties.
- Resource assignment — target resources by tag, by resource type, or by individual ARN. Tag-based assignment is the most common pattern.
- Backup jobs — when a rule's schedule fires, AWS Backup creates a recovery point using the service's native snapshot API (e.g., CreateSnapshot for EBS).
- Restore jobs — restore to the original Region or to a different Region/account, into a new resource.
- Cross-Region / cross-account copy — rules can automatically replicate recovery points to a vault in another Region or account for DR.
- AWS Backup Audit Manager — continuous compliance reporting against frameworks.
Key Features and Limits
Supported services (2026)
AWS Backup protects Amazon EC2 (via AMI + EBS snapshots), EBS, RDS (all engines), Aurora, DynamoDB (on-demand + continuous PITR), EFS, FSx (Windows / ONTAP / OpenZFS / Lustre), Storage Gateway, Neptune, DocumentDB, Redshift, S3, VMware on AWS, Timestream, and SAP HANA on EC2.
Core features
- Backup Plan — up to 20 rules per plan, 100 plans per account, unlimited resource assignments.
- Lifecycle to cold storage — transition of EFS/EBS/DynamoDB/RDS recovery points to cold tier (minimum 90-day cold retention).
- Cross-Region copy — replicate to any supported Region, even in another account.
- Cross-account copy — requires AWS Organizations.
- Vault Lock — governance (admin-relaxable) or compliance (immutable for the retention period, even against root). Meets SEC 17a-4(f), FINRA WORM rules.
- Encryption — every recovery point is encrypted with the vault's KMS key.
- Audit Manager — frameworks flag non-compliant resources (missing daily backup, insufficient retention, no cross-Region copy).
- Restore testing — scheduled automated restore + evaluation.
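An added example, not part of the original article and not AWS tooling: an offline lint over a backup plan document that checks each rule for the gaps named in this list (retention below a chosen minimum, fewer than 90 days in cold storage before deletion, no copy to a different Region). The sample plan, vault names, account ID and the `lint_plan` helper are constructed for illustration; the field names follow the plan document shape used by the AWS Backup API.

```python
# Constructed sample plan document (illustrative values, not from the article).
SAMPLE_PLAN = {
    "BackupPlanName": "example-enterprise-plan",
    "Rules": [
        {   # compliant: long cold window, copy lands in a second Region
            "RuleName": "monthly",
            "TargetBackupVaultName": "example-vault",
            "ScheduleExpression": "cron(0 5 1 * ? *)",
            "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 2555},
            "CopyActions": [{"DestinationBackupVaultArn":
                "arn:aws:backup:us-west-2:111122223333:backup-vault:example-dr"}],
        },
        {   # three gaps: short retention, cold window under 90 days, no copy
            "RuleName": "daily",
            "TargetBackupVaultName": "example-vault",
            "ScheduleExpression": "cron(0 5 * * ? *)",
            "Lifecycle": {"MoveToColdStorageAfterDays": 7, "DeleteAfterDays": 30},
        },
    ],
}

MIN_COLD_DAYS = 90  # minimum cold-tier retention stated in the feature list

def lint_plan(plan, source_region, min_retention_days):
    """Return a sorted list of (rule_name, finding) tuples for one plan document."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        life = rule.get("Lifecycle", {})
        delete_after = life.get("DeleteAfterDays")  # absent: treated as indefinite retention
        cold_after = life.get("MoveToColdStorageAfterDays")
        if delete_after is not None and delete_after < min_retention_days:
            findings.append((name, "insufficient-retention"))
        if cold_after is not None and delete_after is not None \
                and delete_after - cold_after < MIN_COLD_DAYS:
            findings.append((name, "cold-window-too-short"))
        # The Region is the fourth colon-separated field of the destination vault ARN.
        regions = {c["DestinationBackupVaultArn"].split(":")[3]
                   for c in rule.get("CopyActions", [])}
        if not (regions - {source_region}):  # no copy, or only same-Region copies
            findings.append((name, "no-cross-region-copy"))
    return sorted(findings)

if __name__ == "__main__":
    for rule_name, finding in lint_plan(SAMPLE_PLAN, "us-east-1", 35):
        print(f"{rule_name}: {finding}")
```

Running a check like this in CI before a plan is deployed catches policy gaps earlier than a post-deployment compliance report would.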
Common Use Cases
- Enterprise-wide backup policy — one Backup Plan (e.g., daily 35-day, weekly 13-week, monthly 7-year) applied via tag across dozens of accounts in AWS Organizations.
- Cross-Region DR — recovery points automatically copied to a second Region for BCDR; a ransomware attack or Region-wide outage cannot destroy both copies.
- Compliance archive — Vault Lock in compliance mode enforces immutable WORM retention for regulated data (financial trade records, healthcare imaging).
- DynamoDB point-in-time recovery — coordinate short-term PITR with long-term 35-day+ snapshots all under one policy.
- Restore testing — automated monthly restore of critical RDS backups to confirm recoverability, with CloudWatch alarms if anything fails.
- Consolidated cost reporting — view all snapshot spend in one service rather than hunting through individual console pages.
Pricing Model
AWS Backup itself does not charge a subscription fee — you pay for:
- Backup storage per GB-month, billed per underlying service (EBS snapshot rate, RDS snapshot rate, DynamoDB backup rate, etc.). Cold storage tiers are cheaper.
- Restore operations — per GB restored (for services that meter it, such as EFS cold restores) or free for native snapshot restores.
- Cross-Region copies — inter-Region data transfer + destination storage.
- Cross-account copies — source Region copy cost + destination vault storage.
- Audit Manager — priced per evaluation of a resource against a framework.
Because AWS Backup uses the same underlying snapshot mechanisms, the storage price is identical to what you'd pay using the native service APIs — you pay for the policy engine and orchestration with your time, not your dollars.
Pros and Cons
Pros
- Single, declarative policy engine across many AWS services.
- Cross-Region and cross-account replication built in.
- Vault Lock in compliance mode is regulator-grade WORM.
- Audit Manager continuously reports coverage gaps.
- Restore testing makes "are my backups good?" a measurable property.
- No premium on underlying storage — same price as native snapshots.
Cons
- Recovery-point formats are service-native; you restore to the same service (no portable open format).
- Some workloads (for example, certain legacy EC2 drivers) need extra configuration for application-consistent snapshots.
- Policy changes apply on the next schedule, not immediately.
- Cross-account copy requires AWS Organizations trust — not usable for standalone accounts.
- S3 backup is a newer feature and has specific requirements (bucket versioning, EventBridge integration) to enable.
Comparison with Alternatives
| Approach | Pros | Cons |
| --- | --- | --- |
| AWS Backup | Central, multi-service, cross-Region/account, WORM, audit | AWS-only restore targets |
| Native snapshots (EBS, RDS, DynamoDB) | Simple for single-service | No central policy, no cross-service audit |
| Data Lifecycle Manager (DLM) | EBS/AMI only | Narrow scope |
| Third-party (Veeam, Commvault, Rubrik) | Cross-cloud, long-time enterprise features | License cost, operational complexity |
| Custom Lambda + EventBridge | Total flexibility | You build and maintain everything |
AWS Backup has largely replaced DLM and one-off Lambda backup scripts for multi-service estates. Third-party tools still win for hybrid on-prem + multi-cloud estates.
Exam Relevance
- Solutions Architect Associate (SAA-C03) — know that AWS Backup is the centralized policy service and supports EBS, RDS, DynamoDB, EFS, FSx, Aurora, DocumentDB, Neptune, Storage Gateway, and S3. Understand cross-Region and cross-account copy for DR.
- Solutions Architect Professional (SAP-C02) — Vault Lock modes (governance vs compliance), AWS Organizations delegation, Audit Manager compliance frameworks.
- SysOps Administrator (SOA-C02) — scheduling with cron expressions, cold-storage transitions (90-day minimum), restore testing.
- Security Specialty (SCS-C02) — separation of duties via separate backup accounts, KMS key policies on vault keys, compliance-mode Vault Lock for WORM.
Classic exam trap: "We want one backup policy across EBS, RDS, and DynamoDB" — the answer is AWS Backup, not scripts, Lambda, or individual service snapshots.
Frequently Asked Questions
Q: Which AWS services does AWS Backup protect?
A: As of 2026, AWS Backup supports Amazon EC2, EBS, RDS (all engines + Aurora), DynamoDB (including continuous PITR), EFS, FSx (Windows / NetApp ONTAP / OpenZFS / Lustre), Neptune, DocumentDB, Redshift, Storage Gateway volumes, Timestream, S3, VMware workloads on AWS, and SAP HANA on EC2. You define one Backup Plan and tag resources to apply it consistently across all of them.
Q: What is AWS Backup Vault Lock used for?
A: Vault Lock enforces WORM (write-once-read-many) retention on a backup vault. In governance mode, admins with IAM permission can still unlock it. In compliance mode, the lock becomes immutable — even the AWS root user cannot shorten retention or delete recovery points before they expire. Compliance mode is designed to meet SEC 17a-4(f), FINRA, CFTC, and similar regulations, and is the standard choice for financial and healthcare archives.
Q: How is AWS Backup priced?
A: You pay for backup storage per GB-month (at the same rate as each underlying service's native snapshot storage), plus restore fees for services that meter restores (for example, EFS cold restore), plus inter-Region or cross-account copy charges. AWS Backup itself does not charge a management fee — you pay only for the storage and data transfer, making it effectively "free" to adopt over native snapshot APIs.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS Backup documentation before making production decisions.