AWS Backup

Understand AWS Backup for centralized backup policy, including backup plans, vaults, recovery points, cross-account copies, cross-Region copies, Vault Lock, and exam signals.

foundation | 6 min read | Updated 2026-06-02 | Cloud, Certification, Reliability, Security, Operations
Backup Plan, Backup Vault, Recovery Point, Backup Rule, Lifecycle, Cross-Region Copy, Cross-Account Backup, Vault Lock

After this, you will understand

This page helps learners separate backup policy from individual service features and think in restore points, vaults, retention, and account isolation.

Plain version

AWS Backup centrally defines backup schedules, retention, vault storage, and copies for supported AWS resources.

Decision pressure

Learners rely on ad hoc snapshots, service-specific settings, or replication and assume that means they have a recoverable backup strategy.

Exam-ready model

Use AWS Backup when multiple supported services need centralized backup plans, retention policy, cross-account copies, cross-Region copies, and restore governance.

Think before reading

Why is replication not the same as backup?

Replication copies changes, including bad changes in many designs; backup keeps recovery points that can restore data to earlier states.

Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. S3 Lifecycle And Storage Classes (aws-services)
  2. S3 Replication (aws-services)

Concepts Covered

  • AWS Backup
  • Backup plans
  • Backup rules
  • Backup vaults
  • Recovery points
  • Lifecycle to cold storage
  • Cross-Region copies
  • Cross-account copies
  • AWS Organizations backup policies
  • Vault Lock and restore testing
  • Backup versus snapshots, lifecycle, and replication

1. Plain-English Mental Model

AWS Backup is centralized backup policy for supported AWS resources.

The simple model is:

backup plan -> selected resources -> recovery points in backup vaults -> restore when needed

Many AWS services have their own backup or snapshot features. AWS Backup gives teams one managed place to define schedules, retention, lifecycle, vaults, copies, and governance for supported resources.

The most important word is restore. A backup strategy is not complete because data was copied somewhere. It is complete only when the organization knows what recovery point exists, where it is stored, who can delete it, whether it is protected from compromise, and how to restore it.

2. Why This Service Exists

Backups become messy when every service and team handles them differently.

One team creates EBS snapshots manually. Another enables RDS automated backups. Another forgets EFS backups. A production database has backups but no cross-account copy. A critical file system has retention, but no one has tested restore. A compromised account can delete the same backups needed for recovery.

AWS Backup exists to centralize backup operations across supported services.

For SAA-C03, AWS Backup appears in questions about centralized backup management, backup plans, backup vaults, retention policies, cross-Region backup copies, cross-account backup copies, backup policies in AWS Organizations, protecting backups from accidental or malicious deletion, and restore testing.

It is not the same as S3 replication, lifecycle, or database read replicas. Those solve different problems.

3. The Naive Approach And Where It Breaks

The naive pattern is manual snapshots:

engineer remembers -> create snapshot -> hope it is enough

This breaks because people forget, schedules drift, retention is inconsistent, and no one knows whether backups cover every required resource.

Another naive pattern is treating replication as backup. If a bad delete, corrupted object, or ransomware-encrypted file is replicated, the destination can receive the bad state too. Versioning and recovery controls help, but replication by itself is not a backup plan.

Another mistake is storing backups in the same account with broad admin deletion access. If the source account is compromised, the attacker may delete the backups too.

AWS Backup is strongest when it is paired with cross-account copies, vault policies, Vault Lock where appropriate, and tested restore workflows.

4. Core Primitives

A backup plan defines when and how supported resources are backed up.

A backup rule defines schedule, backup window, lifecycle, vault destination, and copy actions.

A resource assignment selects which resources the plan protects. Selections can use tags or explicit resources depending on design.

A backup vault stores recovery points.

A recovery point is a backup that can be restored.

Lifecycle rules can move eligible backups from warm storage to cold storage and eventually expire them.

Cross-Region copy stores recovery points in another Region.

Cross-account copy stores recovery points in another account in the same AWS Organizations structure.

Vault Lock can help enforce write-once-read-many style retention controls for backup vaults.

5. Architecture Use Cases

Use AWS Backup for a multi-service workload that needs consistent backup schedules and retention.

Use tag-based backup plans for workload resources:

tag BackupTier=Gold -> daily backup -> 35-day retention -> cross-account copy

Use cross-Region copies for disaster recovery or compliance requirements that require distance from production data.

Use cross-account copies to protect backups from source-account compromise.

Use backup vault access policies to restrict who can delete or copy recovery points.

Use restore testing plans and documented runbooks so backup success is measured by recoverability, not only job completion.
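The Gold-tier flow above can be checked before it is deployed. The following is an added example, not code from the original page: it audits a constructed plan document, laid out the way AWS Backup structures plan rules, for retention and copy isolation. The account IDs, Regions, vault names and the function name are assumptions made for the illustration.

```python
import re

# Constructed plan in the shape AWS Backup uses for a plan document
# (Rules -> Lifecycle / CopyActions). Account IDs, Regions and vault names
# are placeholders chosen for this example.
SOURCE_ACCOUNT, SOURCE_REGION = "111111111111", "us-east-1"
GOLD_PLAN = {
    "BackupPlanName": "gold-tier",
    "Rules": [{
        "RuleName": "daily-35d",
        "TargetBackupVaultName": "prod-vault",
        "ScheduleExpression": "cron(0 5 * * ? *)",  # once a day
        "Lifecycle": {"DeleteAfterDays": 35},
        "CopyActions": [{
            "DestinationBackupVaultArn":
                "arn:aws:backup:us-east-1:222222222222:backup-vault:isolated",
            "Lifecycle": {"DeleteAfterDays": 35},
        }],
    }],
}
VAULT_ARN = re.compile(r"^arn:aws[\w-]*:backup:([\w-]+):(\d{12}):backup-vault:.+$")

def audit_plan(plan, account, region, min_days, need_cross_region=False):
    """Return findings for each rule; an empty list means the plan passes."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        # An unset DeleteAfterDays means the recovery point is kept indefinitely.
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if keep is not None and keep < min_days:
            findings.append(f"{name}: retention {keep}d is below {min_days}d")
        other_account = other_region = False
        for copy in rule.get("CopyActions", []):
            m = VAULT_ARN.match(copy.get("DestinationBackupVaultArn", ""))
            if not m:
                findings.append(f"{name}: copy destination is not a vault ARN")
                continue
            copy_keep = copy.get("Lifecycle", {}).get("DeleteAfterDays")
            if copy_keep is not None and copy_keep < min_days:
                findings.append(f"{name}: copy retention {copy_keep}d is below {min_days}d")
            other_region |= m.group(1) != region
            other_account |= m.group(2) != account
        if not other_account:
            findings.append(f"{name}: no cross-account copy")
        if need_cross_region and not other_region:
            findings.append(f"{name}: no cross-Region copy")
    return findings

if __name__ == "__main__":
    print(audit_plan(GOLD_PLAN, SOURCE_ACCOUNT, SOURCE_REGION, 35, True))
```

The sample plan passes the cross-account check but is flagged once cross-Region distance is required, because its only copy stays in the source Region.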

7. Security Model

AWS Backup security includes IAM, vault policies, KMS keys, Organizations, and deletion controls.

Backup operators should not automatically have permission to delete every recovery point.

Use separate backup vaults for different sensitivity, retention, and access requirements.

Cross-account backups can put recovery points in a backup or security account that application administrators cannot modify.

KMS key policy matters for encrypted resources and backup copies. A backup that cannot be decrypted is not useful.

Vault Lock can help protect recovery points from deletion or shortened retention after governance mode is configured.

CloudTrail records AWS Backup API actions.
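Because CloudTrail records these API actions, deletion attempts against recovery points can be surfaced from the trail. The following is an added example, not code from the original page: it triages constructed CloudTrail records for AWS Backup calls that delete recovery points or weaken vault protection. The role names, account ID, the approved-role allowlist and the error code in the sample are assumptions.

```python
import json

# AWS Backup API calls that delete recovery points or weaken their protection.
DESTRUCTIVE = {
    "DeleteRecoveryPoint", "DeleteBackupVault", "DeleteBackupPlan",
    "DeleteBackupSelection", "UpdateRecoveryPointLifecycle",
    "PutBackupVaultAccessPolicy", "DeleteBackupVaultAccessPolicy",
    "DeleteBackupVaultLockConfiguration",
}

def _ev(time, source, name, role, error=None):
    """Build one constructed CloudTrail record as a JSON line."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"arn": f"arn:aws:sts::111111111111:assumed-role/{role}/s1"}}
    if error:
        ev["errorCode"] = error
    return json.dumps(ev)

# Constructed sample log; the account ID and role names are placeholders.
B = "backup.amazonaws.com"
SAMPLE = [
    _ev("2026-01-10T05:00:01Z", B, "StartBackupJob", "backup-service"),
    _ev("2026-01-10T09:12:40Z", B, "DeleteRecoveryPoint", "app-admin"),
    _ev("2026-01-10T09:12:44Z", B, "DeleteRecoveryPoint", "app-admin", "AccessDeniedException"),
    _ev("2026-01-10T09:13:02Z", B, "PutBackupVaultAccessPolicy", "app-admin"),
    _ev("2026-01-10T11:00:00Z", B, "DeleteBackupPlan", "backup-admin"),
    _ev("2026-01-10T11:05:00Z", "s3.amazonaws.com", "DeleteObject", "app-admin"),
]

def role_of(arn):
    """Role name from an assumed-role ARN, otherwise the ARN unchanged."""
    parts = arn.split("/")
    return parts[1] if ":assumed-role/" in arn and len(parts) > 1 else arn

def triage(lines, approved_roles):
    """Return (time, role, action, outcome) for destructive AWS Backup calls
    made by principals outside the approved set."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != B or ev.get("eventName") not in DESTRUCTIVE:
            continue
        actor = role_of(ev.get("userIdentity", {}).get("arn", "unknown"))
        if actor in approved_roles:
            continue
        # A denied call still matters: it shows a control held against an attempt.
        outcome = "blocked" if ev.get("errorCode") else "succeeded"
        alerts.append((ev["eventTime"], actor, ev["eventName"], outcome))
    return alerts
```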

8. Reliability And Resilience

AWS Backup improves resilience by making recovery points consistent and discoverable.

However, the backup plan must match the recovery objective. A daily backup does not satisfy a 15-minute recovery point objective.
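The gap between schedule and recovery objective can be measured from the recovery points that actually exist. The following is an added example, not code from the original page: it computes the worst-case data-loss window per resource from constructed recovery point records and compares it with a recovery point objective. The ARNs, timestamps and function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _pt(arn, day, hour, status="COMPLETED"):
    """Build one constructed recovery point record."""
    return {"ResourceArn": arn, "Status": status,
            "CreationDate": datetime(2026, 1, day, hour, tzinfo=UTC)}

# Constructed data: a daily 05:00 schedule with one PARTIAL job on day 3,
# and a file system whose only recovery point is PARTIAL. ARNs are placeholders.
DB = "arn:aws:rds:us-east-1:111111111111:db:orders"
FS = "arn:aws:elasticfilesystem:us-east-1:111111111111:file-system/fs-EXAMPLE"
POINTS = [_pt(DB, 1, 5), _pt(DB, 2, 5), _pt(DB, 3, 5, "PARTIAL"),
          _pt(DB, 4, 5), _pt(DB, 5, 5), _pt(FS, 5, 5, "PARTIAL")]
NOW = datetime(2026, 1, 5, 17, tzinfo=UTC)

def worst_gap(times, now):
    """Longest stretch with no new restorable copy, including the time
    elapsed since the newest recovery point."""
    edges = sorted(times) + [now]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))

def rpo_report(points, now, rpo):
    """Map each resource ARN to (worst gap or None, meets_rpo)."""
    by_resource = {}
    for p in points:
        times = by_resource.setdefault(p["ResourceArn"], [])
        if p["Status"] == "COMPLETED":  # only completed points count as restorable
            times.append(p["CreationDate"])
    report = {}
    for arn, times in by_resource.items():
        gap = worst_gap(times, now) if times else None
        report[arn] = (gap, gap is not None and gap <= rpo)
    return report

if __name__ == "__main__":
    for arn, (gap, ok) in rpo_report(POINTS, NOW, timedelta(minutes=15)).items():
        print(arn, gap, "OK" if ok else "RPO MISSED")
```

In the sample, one incomplete job stretches the daily schedule's exposure to 48 hours, so the database misses even a 24-hour objective, and the file system has nothing restorable at all.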

Backups need restore testing. A successful backup job does not prove the application can be restored correctly.

Cross-Region copies help with regional disaster recovery. Cross-account copies help with account compromise and administrative separation.

Not every supported service has identical backup features. Incremental backup behavior, cold storage support, copy support, and restore behavior can vary by resource type.

9. Performance And Scaling

AWS Backup is managed, but backup windows and resource behavior matter.

Large backup jobs can affect service-specific windows, API quotas, storage usage, and restore time.

Use backup windows to avoid operationally sensitive periods.

At organization scale, tag strategy and backup policy governance matter. A missed tag can mean a missed backup. A broad plan can create unexpected cost.
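A missed tag is often a near miss rather than an absent tag. The following is an added example, not code from the original page: it compares a constructed resource inventory with a tag-based backup selection and separates resources that match exactly from those whose tag differs only by letter case, which an exact string comparison does not select. The ARNs, tag values and function name are assumptions.

```python
# Constructed selection and inventory; ARNs and tag values are placeholders.
SELECTION = {"SelectionName": "gold-resources", "ListOfTags": [
    {"ConditionType": "STRINGEQUALS", "ConditionKey": "BackupTier",
     "ConditionValue": "Gold"}]}
INVENTORY = {
    "arn:aws:rds:us-east-1:111111111111:db:orders": {"BackupTier": "Gold"},
    "arn:aws:ec2:us-east-1:111111111111:volume/vol-EXAMPLE1": {"backuptier": "gold"},
    "arn:aws:ec2:us-east-1:111111111111:volume/vol-EXAMPLE2": {"BackupTier": "gold"},
    "arn:aws:dynamodb:us-east-1:111111111111:table/sessions": {"Owner": "web"},
}

def classify(inventory, selection):
    """Split resources into selected, near_miss (tag differs from a condition
    only by letter case) and unselected."""
    conds = [(c["ConditionKey"], c["ConditionValue"])
             for c in selection.get("ListOfTags", [])
             if c.get("ConditionType") == "STRINGEQUALS"]
    out = {"selected": [], "near_miss": [], "unselected": []}
    for arn, tags in sorted(inventory.items()):
        folded = {k.lower(): v.lower() for k, v in tags.items()}
        # ListOfTags conditions are ORed: any exact key/value match selects.
        if any(tags.get(k) == v for k, v in conds):
            out["selected"].append(arn)
        elif any(folded.get(k.lower()) == v.lower() for k, v in conds):
            out["near_miss"].append(arn)  # intended for backup, but not picked up
        else:
            out["unselected"].append(arn)
    return out

if __name__ == "__main__":
    for bucket, arns in classify(INVENTORY, SELECTION).items():
        print(bucket, arns)
```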

Restore time depends on service type, size, Region, cold storage, and application dependencies.

10. Cost Model

AWS Backup cost includes backup storage, warm and cold storage where supported, restore activity, cross-Region copy, cross-account copy, and related service costs.

Incremental backups can reduce storage growth for supported resource types, but not every resource behaves identically.

Long retention can be expensive, especially for large databases or file systems.

Cold storage can reduce cost but may increase restore time and have minimum retention considerations.

The cost question is not only "how cheap is storage?" It is "what recovery objective, retention, compliance, and deletion protection does this workload require?"

12. SAA-C03 Exam Signals

"Centralized backup across AWS services" points to AWS Backup.

"Backup plan, backup vault, recovery point" points to AWS Backup.

"Copy backups to another Region" points to cross-Region backup copy.

"Copy backups to another account for security" points to cross-account backup.

"Prevent deletion of backups during retention period" can point to Vault Lock.

"Move S3 objects to cheaper storage over time" points to S3 Lifecycle, not AWS Backup.

"Replicate new S3 objects to another bucket" points to S3 Replication, not backup.

13. Common Exam Traps

Do not confuse backup with replication.

Do not confuse backup with lifecycle transitions.

Do not assume every service feature is identical under AWS Backup.

Do not store all backups only in the same account if compromise isolation matters.

Do not forget restore testing.

Do not ignore KMS permissions for restore.

Review Amazon S3, S3 Replication, S3 Lifecycle And Storage Classes, Amazon EFS, and Amazon FSx.
