Protecting data using AWS Backup

Overview :

Before the launch of AWS Backup, customers had to separately schedule backups from native service consoles. This overhead was also present when there was a need to change backup schedules or initiate a restore across multiple AWS services. AWS Backup solves this problem by providing customers with a single pane of glass to create/maintain backup schedules, perform restores, and monitor backup/restore jobs.

Customers want the ability to have a standardized way to manage their backups at scale with AWS Backup and their AWS Organizations. AWS Backup offers a centralized, managed service to back up data across AWS services in the cloud and on premises using AWS Storage Gateway. AWS Backup serves as a single dashboard for backup, restore, and policy-based retention of different AWS resources, which include:

With customers scaling up their AWS workloads across hundreds, if not thousands of AWS accounts, customers have expressed the need to centrally manage and monitor their backups.

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services. Using AWS Backup, you can centrally configure backup policies and monitor backup activity for AWS resources, such as Amazon EBS volumes, Amazon EC2 instances, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and AWS Storage Gateway volumes. AWS Backup automates and consolidates backup tasks previously performed service-by-service, removing the need to create custom scripts and manual processes. With just a few clicks in the AWS Backup console, you can create backup policies that automate backup schedules and retention management. AWS Backup provides a fully managed, policy-based backup solution, simplifying your backup management, enabling you to meet your business and regulatory backup compliance requirements.

Benefits :

Centrally manage backups :

Configure backup policies from a central backup console, simplifying backup management and making it easy to ensure that your application data across AWS services is backed up and protected. Use AWS Backup’s central console, APIs, or command line interface to back up, restore, and set backup retention policies across AWS services.

Automate backup processes :

Save time and money with AWS Backup’s fully managed, policy-based solution. AWS Backup provides automated backup schedules, retention management, and lifecycle management, removing the need for custom scripts and manual processes. With AWS Backup, you can apply backup policies to your AWS resources by simply tagging them, making it easy to implement your backup strategy across all your AWS resources and ensuring that all your application data is appropriately backed up.

Improve backup compliance :

Enforce your backup policies, encrypt your backups, and audit backup activity from a centralized console to help meet your backup compliance requirements. Backup policies make it simple to align your backup strategy with your internal or regulatory requirements. AWS Backup secures your backups by encrypting your data in transit and at rest. Consolidated backup activity logs across AWS services makes it easier to perform compliance audits. AWS Backup is PCI and ISO compliant as well as HIPAA eligible.

How it Works :

Use Cases :

Cloud-native backup :

AWS Backup provides a centralized console to automate and manage backups across AWS services. AWS Backup supports Amazon EBSAmazon RDSAmazon DynamoDBAmazon EFSAmazon EC2, and AWS Storage Gateway, to enable you to backup key data stores, such as your storage volumes, databases, and filesystems.

Hybrid backup :

AWS Backup integrates with AWS Storage Gateway, a hybrid storage service that enables your on-premises applications to seamlessly use AWS cloud storage. You can use AWS Backup to back up your application data stored in AWS Storage Gateway volumes. Backups of AWS Storage Gateway volumes are securely stored in the AWS Cloud and are compatible with Amazon EBS, allowing you to restore your volumes to the AWS Cloud or to your on-premises environment. This integration also allows you to apply the same backup policies to both your AWS Cloud resources and your on-premises data stored on AWS Storage Gateway volumes. 

Working with Resource Assignments :

AWS Backup supports two ways to assign resources to a backup plan: by tag or by resource ID. Using tags is the recommended approach for several reasons:

  • It’s an easy way to ensure that any new resources are automatically added to a backup plan, just by adding a tag.
  • Because resource IDs are static, managing a backup plan can become burdensome, as resource IDs must be added or removed over time.

Here are some recommendations to help make the best use of tags with AWS Backup:

Multiple Tags :

AWS Backup allows customers to assign resources via multiple tags to a backup plan. The plan backs up resources matching any of the tag keys that are specified in a backup plan’s resource assignment. In the example shown in the below screenshot, the backup plan backs up all supported resources that match eitherthe Application: Ecommerce or the Application: Datawarehouse tags:

Resource Relationships :

There may be cases where, for audit or compliance purposes, you must identify the relationship of a deleted resource with a recovery point in AWS Backup. For example, you may have EBS volume snapshots going back a number of years after an underlying Amazon EC2 instance was terminated. You must be able to provide evidence to an auditor that the EBS volume for your snapshot was associated with the terminated EC2 instance.

For situations like these, I recommend enabling AWS Config configuration recording of your AWS resources. This helps identify and track AWS resource relationships (including deleted resources) for up to seven years.

Backup Overlaps :

If you use any scripts or AWS Lambda functions to take snapshots of AWS resources that are also being protected by AWS Backup, I recommend ensuring that there is no overlap between AWS Backup and your scripts/Lambda functions, as this can lead to backup job failures.

Regional Resource Assignments :

AWS Backup supports resource assignments within the same Region. Separate backup plans must be created to back up AWS resources within that Region. For an up-to-date listing of Regions currently supported by AWS Backup.

Restore Validation :

Generally, the most comprehensive data-protection strategies include regular testing and validation of your restore procedures before you need them. Testing your restores also helps in preparing and maintaining recovery runbooks. That, in turn, ensures operational readiness during a disaster recovery exercise, or an actual data loss scenario.

Encryption Permissions :

When using AWS Backup with encrypted resources, such as EBS volumes, the AWS Backup IAM service role must be granted permissions to the AWS KMS keys used to encrypt your resources. For more information about adding the default service role AWS Backup Default Service Roleas a new KMS key user.

Snapshot Limits :

As your AWS footprint grows over time, the number of snapshots in your account will also grow. You will want to review your service limits on a regular basis to ensure you aren’t in danger of getting close to snapshot-related service limits, which can cause your backups to fail. An easy way to keep track of these and other service limits is to utilize AWS Trusted Advisor , as it will report on major service limits regardless of which support plan you subscribe to. In the event that you notice any service limits reaching the Yellow or Red Criteria, you can open a Service Limit Increase case for the protected service (i.e. RDS, EBS, etc.) through the AWS Support Center. You can find more information on managing service limits and requesting service limit increases in our AWS Support Knowledge Center.

AWS Backup and APN Storage Partners :

It’s been often asked, “How does AWS Backup relate to our APN Storage Partner Solutions?” I think it’s important to understand that AWS Backup complements our Partners’ ability to deliver value to their customers.

For our Partners, AWS Backup makes it easier and faster to work with AWS services, providing them the ability to integrate with all of the AWS services that AWS Backup supports through a single API set. By providing a single point of interaction with all AWS services, AWS Backup can lower the development timeline and help accelerate time-to-customer value in our Partner solutions.

Through a single purpose-built API, AWS Backup enables partners to quickly support new AWS services that have native backup capabilities. It also supports services that don’t have a native backup API, such as Amazon EFS.

Conclusion :

In this post, I’ve provided an overview of AWS Backup and offered suggestions for scheduling backups and assigning resources. I’ve also given hints and tips to help you get started using AWS Backup, and discussed how AWS Backup adds value to our APN Storage Partner Solutions.

Leave A Comment

You must be logged in to post a comment.