
AWS Backup: Top 15 Questions, How It Works, Pricing and Pros/Cons

Get an in-depth overview of AWS Backup, including its principal features and limitations, how it works, how it’s priced, and key use cases.

What Is AWS Backup?

AWS Backup can have two meanings: 

1. Backing Up Your Resources on Amazon Web Services (AWS)

Backing up resources on AWS involves creating copies of your data and configurations to ensure they can be restored in case of loss or corruption. This typically involves taking snapshots of instances, databases, and file systems, storing these backups securely, and ensuring they are regularly updated. 

The goal is to provide data redundancy and enable disaster recovery, ensuring that business operations can quickly resume after data loss. Effective AWS backups include strategies for automating backup schedules, managing retention policies, and testing recovery processes to guarantee data integrity and availability.

2. A Service Offered by AWS to Manage Your Backups

AWS Backup, a policy-based service provided by Amazon Web Services, automates the process of backing up data across multiple AWS services. It allows users to define backup plans that specify when and how often backups should be taken, the retention period, and lifecycle management for moving backups to lower-cost storage. 

This service supports a range of AWS resources, including EBS volumes, RDS databases, DynamoDB tables, and EFS file systems, among others. We’ll discuss the capabilities of AWS Backup, its pricing, and key limitations later in this article.

This is part of an extensive series of guides about cybersecurity.

Top 15 AWS Backup Questions Answered

1. What Do You Need to Backup on AWS?

Organizations can run hundreds of different workloads on AWS, and any workload that contains sensitive data or is important to the business should be backed up. Here are the most common systems to consider for backup:

  1. EBS volumes: These volumes serve as the block storage for your EC2 instances, hosting everything from the operating system to applications and critical data. Regular backups of EBS volumes are essential to recover instances in case of failure or corruption.
  2. RDS databases: Amazon RDS manages relational databases such as MySQL, PostgreSQL, SQL Server, and MariaDB. These databases often contain essential business data and transactional information, making their regular backups critical for data integrity and recovery purposes.
  3. DynamoDB tables: DynamoDB is a managed NoSQL database service that supports key-value and document data structures. Backing up DynamoDB tables ensures that you can recover your application data without significant downtime, which is particularly important for high-availability applications.
  4. EFS file systems: Amazon EFS provides scalable and elastic file storage for use with AWS Cloud services and on-premises resources. Regular backups of EFS file systems protect file data from accidental deletions or corruption, ensuring that shared file data can be restored promptly.
  5. Storage Gateway Volumes: AWS Storage Gateway enables hybrid cloud storage by integrating on-premises environments with the AWS cloud. Backing up Storage Gateway volumes ensures that both on-premises and cloud-stored data can be recovered, providing flexibility and resilience for hybrid storage architectures.

2. AWS Backup vs. AWS Snapshots

What’s the difference between AWS Backup and snapshots? AWS snapshots are point-in-time copies of individual AWS resources, such as EBS volumes. They capture the state of a specific resource at a given moment, allowing you to restore that resource to its previous state if needed. Snapshots are incremental, meaning that after the first full snapshot, only changes made to the resource are saved in subsequent snapshots. However, managing snapshots requires manual intervention to schedule, organize, and retain these backups. This can become cumbersome as the number of resources grows.

AWS Backup is Amazon’s backup management service that automates and centralizes backup processes across multiple AWS services. It not only handles EBS snapshots but also supports other services like RDS, DynamoDB, EFS, and Storage Gateway. With AWS Backup, you can define backup plans that specify schedules, retention policies, and lifecycle rules for your backups. It also supports cross-region and cross-account backups, providing enhanced data protection and compliance capabilities that snapshots alone cannot offer.

3. Who Is Responsible for Backups in AWS and What Is the Shared Responsibility Model?

In the AWS shared responsibility model, AWS manages the security of the cloud infrastructure, while customers are responsible for the security of their data within the cloud. This includes creating and maintaining backups. AWS takes care of the security of the hardware, software, networking, and cloud facilities.

Customers must manage the security of everything they deploy in AWS, including data protection, access management, and network configuration. This involves implementing their own backup strategies, ensuring that their data is regularly backed up, stored securely, and can be restored as needed. This includes setting up backup schedules, managing retention policies, and testing the restore processes to ensure data integrity and availability.

4. Can You Use AWS to Backup On-Premises Data?

AWS provides solutions to back up on-premises data to the cloud, primarily through AWS Storage Gateway. Storage Gateway is a hybrid cloud storage service that enables your on-premises applications to use AWS cloud storage. There are several types of Storage Gateways: 

  • File Gateway allows you to store and retrieve objects in Amazon S3 using NFS and SMB protocols.
  • Tape Gateway provides a virtual tape library (VTL) interface, enabling you to backup data using your existing tape-based backup application.
  • Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Data written to these volumes can be asynchronously backed up as point-in-time snapshots, which are stored in AWS and can be restored to on-premises or cloud environments.
  • AWS Outposts extends AWS infrastructure and services to on-premises environments. AWS Backup supports backups for AWS services running on Outposts, allowing you to use the same backup policies and lifecycle management for both cloud and on-premises workloads.

N2WS also supports backing up data from AWS Outposts, offering a comprehensive solution for hybrid environments by integrating both on-premises and cloud backups with advanced recovery features.

5. How Does AWS Backup Work with AWS Services that Have Their Own Backup?

Services like Amazon RDS, DynamoDB, EFS, and others have built-in capabilities to create snapshots or backups. AWS Backup leverages these capabilities, offering a unified management interface where users can define backup policies, schedules, and retention rules that apply across multiple services.

For example:

  • Amazon RDS: While RDS allows you to create automated and manual snapshots, AWS Backup enables you to manage these snapshots through a centralized policy-based approach.
  • Amazon DynamoDB: DynamoDB’s on-demand backups and point-in-time recovery features can be managed through AWS Backup to automate and streamline the backup process.
  • Amazon EFS: EFS provides lifecycle management for files, but with AWS Backup, you can automate the backup process and apply consistent backup policies across your file systems.

6. Does AWS Backup Cost Money?

Using AWS Backup incurs costs based on the amount of storage used for backups and the data transfer during restore operations. The pricing model is straightforward and varies depending on the type of resource being backed up. Here are some examples:

  • EBS Volumes: Backing up EBS volumes costs $0.05 per GB per month. Restoring data from these backups is free.
  • RDS Databases: The cost for backing up RDS databases is $0.095 per GB per month, with free restore operations.
  • DynamoDB Tables: DynamoDB backups cost $0.10 per GB per month, with restore operations costing $0.15 per GB.
  • EFS File Systems: EFS backups cost $0.05 per GB per month, or $0.01 per GB if using cold storage. Restoring data costs $0.02 per GB, or $0.03 per GB from cold storage.

7. Does AWS Charge for Snapshots?

AWS charges for snapshots based on the storage used. For example, EBS snapshots cost $0.05 per GB per month. Since EBS snapshots are incremental, the first snapshot is a full backup, and subsequent snapshots only store changes made since the last snapshot. This incremental approach helps reduce costs and storage requirements.

There are additional charges for data transfers associated with snapshot copying between regions or accounts, and for storing these snapshots in different regions. It’s crucial to monitor and manage snapshot usage to avoid unnecessary costs, especially in large-scale environments with numerous resources.

8. Where Is AWS Backup Stored?

AWS Backup stores backups in region-specific storage called backup vaults. These vaults are designed to provide secure and organized storage for backups. When you create a backup using AWS Backup, it is stored in a designated backup vault within the same AWS region as the resource being backed up. These vaults support encryption using AWS Key Management Service (KMS), ensuring that the data is encrypted both in transit and at rest.

Backup vaults allow you to manage and categorize backups logically, providing options for creating multiple vaults to separate and organize backups according to your business needs or compliance requirements. The use of KMS for encryption also ensures that you have fine-grained control over access to your backups.

9. Is AWS Backup Full or Incremental?

AWS Backup offers a hybrid approach, using a full backup for the initial backup and incremental backups for subsequent backups. The first backup taken of a resource is a complete copy of the data. Subsequent backups are incremental, meaning they only capture changes made to the resource since the last backup. This approach reduces the amount of storage required and speeds up the backup process.

Incremental backups are particularly useful for large datasets or environments with frequent changes, as they minimize the amount of data that needs to be transferred and stored with each backup operation.

10. How Reliable Is AWS Backup?

AWS Backup is designed to be highly reliable, leveraging AWS’s global infrastructure and redundant storage solutions. AWS ensures data durability by replicating data across multiple facilities within an AWS region, providing high availability and resilience against hardware failures or data center outages.

AWS Backup also supports cross-region and cross-account backups, enhancing data protection by allowing you to replicate backups to different geographic locations or separate AWS accounts. This ensures that the data is protected against regional disasters and account-level failures.

AWS Backup is integrated with AWS security and compliance frameworks, offering features like encryption, access control, and audit logging, which further enhance the reliability and security of backups.

11. How Long Does an AWS Backup Take?

The time required to complete an AWS backup depends on several factors, including the size of the data, the type of resource being backed up, and the network bandwidth available. Initial full backups typically take longer because they involve copying all the data. Incremental backups, on the other hand, are generally faster as they only capture and transfer the changes made since the last backup.

For example, backing up a large EBS volume or RDS database can take several hours, especially if the network bandwidth is limited or the data set is extensive. To minimize impact on production workloads, AWS Backup allows you to schedule backups during off-peak hours and provides options to optimize backup windows and performance.

12. Should You Use S3 for AWS Backup?

Amazon S3 can be useful for storing backup data due to its durability, scalability, and cost-effectiveness. S3 supports various storage classes, such as Standard, Intelligent-Tiering, and Glacier, allowing customers to optimize costs based on data access patterns. For infrequently accessed data, you can use lower-cost storage classes like S3 Glacier or S3 Glacier Deep Archive.

However, AWS Backup provides a more integrated solution for managing backups across multiple AWS services. It offers features like centralized backup management, policy-based automation, and lifecycle management, which are not available when using S3 alone. AWS Backup simplifies the process of defining backup schedules, retention policies, and cross-region replication, making it a more complete solution for enterprise backup needs.

13. What Is an AWS Backup Vault?

An AWS Backup Vault is a secure, logical container for storing backups created by AWS Backup. These vaults help you organize and manage your backups within a region. By default, a backup vault named “default” is provided, but you can create multiple vaults to separate backups based on criteria such as business units, compliance requirements, or data sensitivity.

Backup vaults use AWS Key Management Service (KMS) for encryption, ensuring that your data is protected both in transit and at rest. You can assign different KMS keys to each vault to control access and encryption policies. Backup vaults also support access control policies, allowing you to define who can create, restore, or delete backups within each vault.

Related content: Read our guide to AWS immutable backups

14. Does an AWS RDS Snapshot Cause Downtime?

Creating an RDS snapshot should be a non-intrusive operation that does not cause downtime for database instances. The snapshot process leverages the underlying storage technology to capture a point-in-time snapshot without interrupting database operations. However, there might be a slight performance impact during the snapshot creation, especially for large databases or instances with high I/O activity.

It’s important to monitor database performance during snapshot operations, especially if these include critical applications that require consistent performance. Scheduling snapshots during off-peak hours can help mitigate the potential performance impact.

15. Does AWS Backup Support Redshift Databases?

Yes, AWS Backup does support Amazon Redshift databases. AWS Backup integrates with Amazon Redshift to provide a centralized, automated solution for managing the backups of your Redshift clusters. You can create Redshift backup plans that specify schedules, retention periods, and lifecycle rules for Redshift snapshots, ensuring that your data is protected and easily recoverable.

Tips from the Expert
Sebastian Straub
Sebastian is the Principal Solutions Architect at N2WS with more than 20 years of IT experience. With his charismatic personality, sharp sense of humor, and wealth of expertise, Sebastian effortlessly navigates the complexities of AWS and Azure to break things down in an easy-to-understand way.

Key Features of the AWS Backup Service

Resources Supported by AWS Backup

As of the time of this writing, AWS Backup can be used to back up your EBS volumes (block storage used by various AWS instances), RDS databases (Amazon’s relational database offering) including Amazon Aurora, DynamoDB tables (a key-value and document database), EFS file systems (a fully managed network shared storage), Storage Gateway volumes (a hybrid cloud storage service designed to work with on-premises resources), EC2 instances (including Windows applications), Amazon Neptune databases, Amazon DocumentDB (MongoDB), Amazon FSx for Lustre and Windows File Server, and VMware workloads (both on premises and in VMware Cloud on AWS).

Related content: learn more about FSx backup with N2WS.

[Figure: diagram of how AWS Backup works to centrally manage backups]

Backup Policies and Backup Plans

AWS Backup uses backup policies, known as “backup plans,” which help you to define the various requirements that can be applied to your AWS resources. You can, for example, create a backup plan to ensure a daily, weekly, monthly, 12-hour, or even custom (created in cron format) backup schedule. You can then run that schedule using the recommended default backup window or a custom one that you prefer. 

When you choose your backup plan, you can also establish a lifecycle for your backups. They can be sent to cold storage (this option is currently only available for EFS file systems) or expired completely. For other resource types, consider using third-party tools like N2WS that offer more flexible cold storage options. These options allow you to reduce the cost of storing backups.

Your backup plan can be created from scratch by choosing one of the options mentioned above. Alternatively, you can start with an existing plan and pick a premade template that suits you, such as a daily backup with a 35-day retention period or a monthly backup with a one-year retention period.

You can also define a plan from scratch using JSON. This can be used when you want to create a new plan based upon an already-existing one or when you want to share plans with your other AWS accounts.

[Figure: architecture diagram showing how AWS Backup can be used to create a backup plan]

AWS Backup only creates a complete copy of your data the first time the backup is initiated. Every subsequent backup is incremental, meaning that only the changes being made to your AWS resources will be backed up.

Related content: read more about AWS backup strategy (and the GFS method)

Assigning Resources

After you create a backup plan, you need to assign the desired resources that will be backed up. You can do this either by choosing a resource ID—the best option to select if you don’t have too many resources to add—or by specifying tags. AWS Tag-based resource selection allows you to easily create backups while also maintaining logical segmentation. Each group can have its own backup plan. For example, the EBS volumes that need daily backups can be tagged one way and added to a backup plan that will make sure they are backed up every day at a specific time. You can tag your RDS instances with a different tag and add them to another backup plan—maybe one that will back them up hourly. Finally, you can assign a tag to your EFS file system that ensures weekly backups.
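
As an added example (not code from the original article, AWS, or N2WS), the Python check below reads a JSON backup plan and a tag-based selection of the kind described above and reports retention gaps, missing cross-account or cross-region copies, and resources that no tag condition selects. The plan, selection, inventory, account IDs and ARNs are constructed placeholders; the field names follow the AWS Backup plan and selection JSON format, and the source region is assumed to be us-east-2.

```python
import json

# Constructed plan in the JSON shape accepted by
# `aws backup create-backup-plan --backup-plan file://plan.json`.
# Names, account IDs and ARNs are placeholders, not values from the article.
PLAN = json.loads("""
{"BackupPlanName": "example-plan",
 "Rules": [
  {"RuleName": "daily-35d",
   "TargetBackupVaultName": "default",
   "ScheduleExpression": "cron(0 5 ? * * *)",
   "Lifecycle": {"DeleteAfterDays": 35},
   "CopyActions": [{"DestinationBackupVaultArn":
     "arn:aws:backup:us-west-2:222222222222:backup-vault:dr-vault"}]},
  {"RuleName": "monthly-efs",
   "TargetBackupVaultName": "default",
   "ScheduleExpression": "cron(0 5 1 * ? *)",
   "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 90}}
 ]}
""")

# Constructed tag-based selection (create-backup-selection shape).
SELECTION = {
    "SelectionName": "tagged-daily",
    "IamRoleArn": "arn:aws:iam::111111111111:role/ExampleBackupRole",
    "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                    "ConditionKey": "backup", "ConditionValue": "daily"}],
}

# Constructed inventory: resource ARN -> tags.
INVENTORY = {
    "arn:aws:ec2:us-east-2:111111111111:volume/vol-example1": {"backup": "daily"},
    "arn:aws:rds:us-east-2:111111111111:db:example-db": {"backup": "hourly"},
    "arn:aws:elasticfilesystem:us-east-2:111111111111:file-system/fs-example": {},
}


def lint_plan(plan, source_account, source_region):
    """Return findings for retention and copy-isolation gaps in a plan."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        life = rule.get("Lifecycle", {})
        delete = life.get("DeleteAfterDays")
        cold = life.get("MoveToColdStorageAfterDays")
        if delete is None:
            findings.append(f"{name}: no DeleteAfterDays, recovery points never expire")
        # AWS Backup requires at least 90 days in cold storage before expiry.
        if cold is not None and delete is not None and delete < cold + 90:
            findings.append(f"{name}: DeleteAfterDays must be >= {cold + 90}")
        # ARN layout: arn:aws:backup:<region>:<account>:backup-vault:<name>
        dests = [c["DestinationBackupVaultArn"].split(":")
                 for c in rule.get("CopyActions", [])]
        if not any(d[4] != source_account for d in dests):
            findings.append(f"{name}: no cross-account copy")
        if not any(d[3] != source_region for d in dests):
            findings.append(f"{name}: no cross-region copy")
    return findings


def unprotected(selection, inventory):
    """Resources the selection misses. ListOfTags conditions are OR-ed.

    Only exact ARNs in "Resources" are handled; wildcard patterns are not.
    """
    explicit = set(selection.get("Resources", []))
    conds = selection.get("ListOfTags", [])
    missed = []
    for arn, tags in inventory.items():
        by_tag = any(tags.get(c["ConditionKey"]) == c["ConditionValue"] for c in conds)
        if arn not in explicit and not by_tag:
            missed.append(arn)
    return sorted(missed)


if __name__ == "__main__":
    for finding in lint_plan(PLAN, "111111111111", "us-east-2"):
        print("PLAN:", finding)
    for arn in unprotected(SELECTION, INVENTORY):
        print("UNPROTECTED:", arn)
```
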

AWS Backup Vaults

All data backups created by the AWS Backup service are stored in vaults, which are containers that help you organize your backups. By default, the available vault will be the one named “default;” however, you can create multiple vaults if you want to have a logical separation of resources. These vaults use AWS KMS (Key Management Service) to both encrypt your backups and provide access control for the backups stored within the vault. If your business requires multiple KMS keys to be used, you can have a different one for each of your vaults.

For compliance purposes, AWS Backup encrypts your data backups both in transit and at rest.

Hybrid Cloud Use Cases

AWS Backup is most commonly used for backing up and restoring your AWS cloud resources, but it can also be used for your on-premises resources. Its integration with AWS Storage Gateway (a hybrid cloud storage service) allows you to back up the data stored within your Storage Gateway volumes. These volumes can later be restored both on-premises and in the cloud since they are compatible with EBS volumes.

[Figure: diagram showing AWS Backup with AWS Storage Gateway]

Related content: Read our post on AWS backup with CloudFormation

AWS Backup Pricing

AWS Backup is priced for the backup storage being used (making incremental backups very handy) and for the data being restored. The prices listed here are for the US East (Ohio) region.

Backing up EBS volumes costs $0.05 per GB per month, and restoring that data is free. 

AWS Storage Gateway Volumes are also $0.05 per GB per month.

RDS database backups are priced at $0.095 per GB per month, and restores are also free. 

DynamoDB tables are backed up at $0.10 per GB per month. Restoring them will cost you $0.15 per GB of data. 

Backing up an EFS file system costs $0.05 per GB ($0.01 if you decide to opt for cold storage), and restoring it costs $0.02 per GB ($0.03 per GB from cold storage).

AWS Backup Limitations

AWS Backup focuses on basic backup automation and has some limitations, such as lacking built-in features for disaster recovery, granular recovery, or recovery orchestration and drills. However, for organizations with simpler backup needs, it can be a useful solution. For more advanced requirements, third-party tools like N2WS can be more cost-effective or efficient.

  • No one-click Restore: Automation of restore operations using AWS Backup must be done programmatically using API operations, which might be suitable for businesses with robust DevOps practices. For those seeking easier recovery options, N2WS provides easy and near-instant one-click recovery without any need for scripts.
  • No Granular Recovery: AWS Backup recovers entire servers without file/folder-level granularity. (AWS Data Lifecycle Manager or other AWS services might be able to help with more granular backup strategies.) For full flexibility and granularity, you can use N2WS to drill into a backup and recover a file or folder, or search through multiple generations of backups to locate specific files. No need to pre-plan or pre-index the categorization of backups. N2WS automatically provides drill-down access.
  • No Disaster Recovery: AWS Backup allows users to manually copy snapshots to another region but lacks automated recovery options. Many companies today run multiple AWS accounts as a part of AWS Organizations, so the lack of cross-account backup will be a significant limitation for them. Cross-account disaster recovery is an essential part of any DR plan, protecting against your AWS account being compromised, whether that be due to ransomware, an internal malicious attack, or human error.

N2WS provides full support for cross-region and cross-account disaster recovery. For example, users can fully recover an EC2 instance in another region or account in 30 seconds or less – lowering their RTO (Recovery Time Objective).

  • No Network Restore: Another key feature missing is the ability to clone and capture Amazon VPC, which is essential in ensuring high availability of your entire AWS infrastructure. N2WS Backup & Recovery, on the other hand, provides this feature, so that in the event of an outage or failure you can completely recover your infrastructure in mere minutes.
  • No Recovery Scenarios: AWS Backup has no Recovery Scenarios capability (without scripting). N2WS allows you to create an in-depth orchestration of a complete DR failover, make changes to the resource you want to restore within Recovery Scenarios, prioritize the order of recovery, and automate DR drills.
  • No True Archiving: AWS Backup does not allow archiving of EBS backups into affordable S3 tiering (with the exception of support for EFS). N2WS Backup and Recovery has the ability to archive data into real, true S3 buckets and can be tiered into ANY S3 tier. And the N2WS ZeroEBS option even allows you to archive backups without the need for ANY AWS snapshots. This means that storage cost savings using N2WS can be as high as 98%.

Other limitations include:

  • inability to see which of your resources are protected/unprotected
  • limited search function (must know the volume ID in order to search for your resources)
  • no single pane of glass – all management is done on an account-by-account basis without the ability to manage multiple accounts unless they’re under the same master payer account (this is especially important for MSPs who are managing independent users and clients)
  • no reporting, daily summaries, or alerts in case something goes wrong, which are particularly important for audits
  • lack of knowledge of exact backup time (backups will be performed within a window of time) – with N2WS you can take backups every 60 seconds, with AWS Backup you can only choose an hour window as the smallest interval
  • no support for automatic cold tier/long-term storage (i.e. copying EBS snapshots to Amazon S3 or Amazon Glacier)
  • service limits, with each account being restricted to 100 backup vaults and 100 backup plans
  • when running backup jobs, only one concurrent job per resource can be run
  • limited support for disaster recovery drills
  • inability to keep backup logs without keeping the backups themselves
  • no support for resource control, so users cannot schedule the start/stop of their instances in order to optimize and minimize resource spend
  • no support for file or folder level recovery
  • major limitations with tag management – it’s not possible to have more than 50 tags on a resource, although this number is generally enough for most use cases.
  • no support for Amazon S3 bucket replication in other accounts/regions
  • no support for application consistency, even though in most cases it is highly important to guarantee that the application is brought to quiescence prior to the backup copy operation
  • no 24/7 free support. Customers generally have to wait until business hours, and it may take days for a ticket to be responded to. This is a big risk to take when minutes of downtime can cost companies millions of dollars and customer trust, and can even put them out of business completely.

There are other methods for ensuring granular and more reliable backup management, and it is important to explore and test other options to see which tool covers your specific needs.

N2WS: The Easier Way to Recover Cloud Workloads

N2WS Backup & Recovery has a 30-day free trial edition which is fully functional and incorporates all of the above missing AWS Backup features as well as other key Enterprise level features. In addition, the product is launched as an AMI giving you complete control of your AWS environment, all under one easy to use console.

