3.3.1. AWS Backup: Plans, Vaults, and Policies
First Principle: Managing backups for a dozen or more AWS resource types (EC2, RDS, EFS, DynamoDB, S3, FSx) with each service's own snapshot tooling is operationally complex and prone to gaps. AWS Backup provides a single control plane for backup policy, scheduling, retention, encryption, cross-region and cross-account copies, and compliance reporting across all supported services.
AWS Backup Core Concepts:
| Concept | Description |
|---|---|
| Backup Plan | Policy defining when to back up, how long to retain, and where to store |
| Backup Rule | Within a plan: schedule (a cron expression evaluated in UTC), start and completion windows, retention period, lifecycle (transition to cold storage after N days, delete after M days), and optional copy actions to another vault |
| Backup Vault | A logical, KMS-encrypted container for recovery points, scoped to one region and one account. Each backup rule targets a vault, and an account can have many vaults per region (a common pattern is one vault per retention class or per data classification); the vault's access policy and KMS key control who can read or delete the recovery points in it |
| Recovery Point | A snapshot of a resource at a specific point in time, stored in a vault and identified by its own ARN |
| Backup Selection | Which resources the plan covers: by tag (key/value conditions), by resource ARN, or by resource type with wildcards. Each selection names an IAM role that AWS Backup assumes to read and snapshot the resources |
Tag-Based Resource Selection: You can assign a backup plan to every resource that carries a tag such as Backup: daily-30day. A resource is picked up automatically when it receives the tag, so nothing has to be registered by hand; this is the recommended approach for large environments. Two practical caveats: tag keys and values are case-sensitive (a resource tagged backup: daily-30day does not match a selection for Backup: daily-30day), and a tag only takes effect for services that are opted in under the AWS Backup service opt-in settings for that region.
Cross-Region and Cross-Account Backup:
- Cross-region: A copy action on the backup rule copies each recovery point to a vault in another region, so that a regional outage or a regional deletion does not take the only copy with it. The copy can have its own lifecycle (for example, shorter retention in the DR region).
- Cross-account: Copy to a vault in a separate, tightly controlled backup account so that a compromise of the production account (stolen admin credentials, a deleted KMS key, a rogue operator) cannot destroy the backups. Cross-account copy requires both accounts to be in the same AWS Organization with cross-account backup enabled in the management account, and the destination vault must carry an access policy that allows the source account to copy into it. Combine this with Vault Lock on the destination vault for a backup the production account cannot tamper with.
Backup Vault Lock: Enables WORM (Write Once Read Many) protection on a vault. In governance mode the lock can be removed by principals holding the appropriate IAM permission, which protects against accidents but not against a privileged attacker. In compliance mode the lock becomes immutable once its cooling-off period (changeable-for-days, minimum 3 days) has elapsed: after that, no one, not the root user and not AWS, can remove the lock or delete recovery points before their retention period expires. The lock also enforces a minimum and maximum retention on every recovery point written to the vault, so a backup job whose lifecycle falls outside that range fails rather than silently landing with the wrong retention. Critical for regulatory compliance (SEC Rule 17a-4, HIPAA).
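The retention semantics above are easy to get wrong when you configure a lock for the first time, so here is a small model of them, written for this page as an added example (it is not AWS code and does not call the AWS API). The class names, the lock timestamps and the seven-year figures are constructed for illustration; the three rules it encodes (a compliance-mode cooling-off period of at least 3 days, min/max retention enforced on every job, no early deletion by any principal once locked) are the ones the text describes.

```python
"""Offline model of the retention rules an AWS Backup Vault Lock enforces.

Added illustration for this page; names and dates are constructed, and the
API request shape at the bottom mirrors put-backup-vault-lock-configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_CHANGEABLE_DAYS = 3  # compliance mode cannot have a cooling-off period shorter than 3 days


@dataclass(frozen=True)
class VaultLock:
    min_retention_days: int
    max_retention_days: int
    changeable_for_days: Optional[int]  # None models governance mode (no cooling-off, removable via IAM)
    locked_at: datetime

    @property
    def compliance_mode(self) -> bool:
        return self.changeable_for_days is not None

    def lock_date(self) -> Optional[datetime]:
        """Instant after which a compliance-mode lock can no longer be changed or removed."""
        if not self.compliance_mode:
            return None
        return self.locked_at + timedelta(days=self.changeable_for_days)

    def is_immutable(self, now: datetime) -> bool:
        return self.compliance_mode and now >= self.lock_date()


def put_lock(min_days: int, max_days: int, changeable_for_days: Optional[int], now: datetime) -> VaultLock:
    """Validate a lock the way the service would before accepting it."""
    if min_days < 1 or max_days < min_days:
        raise ValueError("need 1 <= MinRetentionDays <= MaxRetentionDays")
    if changeable_for_days is not None and changeable_for_days < MIN_CHANGEABLE_DAYS:
        raise ValueError(f"ChangeableForDays must be >= {MIN_CHANGEABLE_DAYS} for compliance mode")
    return VaultLock(min_days, max_days, changeable_for_days, now)


def remove_lock(lock: VaultLock, now: datetime, has_iam_permission: bool) -> None:
    """Governance: removable with permission. Compliance: only during the cooling-off period."""
    if lock.is_immutable(now):
        raise PermissionError("lock is immutable; no principal (root included) can remove it")
    if not has_iam_permission:
        raise PermissionError("caller lacks backup:DeleteBackupVaultLockConfiguration")


def rule_allowed(lock: VaultLock, delete_after_days: int) -> bool:
    """A backup job whose retention falls outside [min, max] fails against a locked vault."""
    return lock.min_retention_days <= delete_after_days <= lock.max_retention_days


def can_delete_recovery_point(lock: Optional[VaultLock], created_at: datetime,
                              delete_after_days: int, now: datetime, is_root: bool = False) -> bool:
    """With any lock in place, early deletion is denied regardless of who asks; is_root is deliberately ignored."""
    if lock is None:
        return True  # no lock: ordinary IAM decides, modelled here as allowed
    return now >= created_at + timedelta(days=delete_after_days)


def lock_request(vault_name: str, lock: VaultLock) -> dict:
    """Parameter dict in the shape of backup.put_backup_vault_lock_configuration (constructed, not sent)."""
    req = {"BackupVaultName": vault_name,
           "MinRetentionDays": lock.min_retention_days,
           "MaxRetentionDays": lock.max_retention_days}
    if lock.compliance_mode:
        req["ChangeableForDays"] = lock.changeable_for_days
    return req


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed lock time
    seven_years = 7 * 365
    lock = put_lock(seven_years, seven_years + 30, 3, t0)
    print(lock_request("prod-db-7y", lock))
    print("daily rule with 30-day retention allowed:", rule_allowed(lock, 30))
    print("root can delete early:", can_delete_recovery_point(
        lock, t0 + timedelta(days=10), seven_years, t0 + timedelta(days=40), is_root=True))
```

The `is_root` parameter exists only to make the point visible: once a vault is locked, identity no longer enters the decision, and the only variable that matters is whether the recovery point's retention has expired.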
AWS Backup Audit Manager: Lets you define a framework of controls (for example: resources are protected by a backup plan, recovery points meet a minimum retention, recovery points are encrypted, resources are copied cross-region or cross-account, the vault is locked) and generates compliance reports showing which resources pass or fail each control, with what frequency and retention. It relies on AWS Config recording the relevant resource types. Use it to demonstrate compliance to auditors instead of assembling evidence by hand.
Exam Trap: AWS Backup does not back up anything automatically. You must explicitly assign resources to backup plans through a selection. If a question describes a scenario where some RDS instances are missing backups, the likely causes, in order, are: the instances do not carry the exact tag key and value (case-sensitive) used by the backup selection, they were not included in the plan's resource selection at all, or the service was not opted in for that region in the AWS Backup settings. A selection role that lacks permission on the resource produces failed jobs rather than missing ones.
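To make the rule and selection mechanics concrete, and to show the tag mismatch the exam trap describes, here is an added example written for this page (not AWS code): it builds request bodies in the shape that AWS Backup's CreateBackupPlan and CreateBackupSelection APIs expect, validates the lifecycle constraint that cold-storage transition must precede deletion by at least 90 days, and then simulates which resources a tag selection would pick from a constructed inventory. The vault names, ARNs, role ARN and inventory are all constructed; the dicts are never sent anywhere.

```python
"""Build AWS Backup plan and selection requests offline, then simulate tag selection.

Added illustration for this page; all ARNs, names and the inventory are constructed.
"""
import re

COLD_STORAGE_MIN_GAP_DAYS = 90   # DeleteAfterDays must exceed MoveToColdStorageAfterDays by >= 90
CRON_RE = re.compile(r"^cron\((\S+\s+){5}\S+\)$")  # cron(min hour day-of-month month day-of-week year), UTC


def build_rule(name, vault, cron, retention_days, cold_after_days=None, copy_to_vault_arn=None):
    """Return one entry for BackupPlan['Rules'], rejecting settings the service would reject."""
    if not CRON_RE.match(cron):
        raise ValueError(f"{cron!r}: AWS Backup schedules are 6-field cron expressions in UTC")
    if retention_days < 1:
        raise ValueError("DeleteAfterDays must be >= 1")
    lifecycle = {"DeleteAfterDays": retention_days}
    if cold_after_days is not None:
        if retention_days - cold_after_days < COLD_STORAGE_MIN_GAP_DAYS:
            raise ValueError(f"retention {retention_days}d leaves less than {COLD_STORAGE_MIN_GAP_DAYS}d "
                             f"in cold storage after day {cold_after_days}")
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    rule = {"RuleName": name, "TargetBackupVaultName": vault, "ScheduleExpression": cron,
            "StartWindowMinutes": 60, "CompletionWindowMinutes": 180, "Lifecycle": lifecycle}
    if copy_to_vault_arn:  # cross-region / cross-account copy with its own lifecycle
        rule["CopyActions"] = [{"DestinationBackupVaultArn": copy_to_vault_arn, "Lifecycle": dict(lifecycle)}]
    return rule


def build_plan(name, rules):
    return {"BackupPlanName": name, "Rules": list(rules)}


def build_tag_selection(name, role_arn, tag_key, tag_value):
    """ListOfTags only supports STRINGEQUALS; the richer Conditions field is not modelled here."""
    return {"SelectionName": name, "IamRoleArn": role_arn,
            "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                            "ConditionKey": tag_key, "ConditionValue": tag_value}]}


def select_resources(selection, inventory):
    """Return the ARNs a selection picks from [(arn, {tag: value}), ...]; matching is exact and case-sensitive."""
    chosen = []
    for arn, tags in inventory:
        for cond in selection["ListOfTags"]:
            if cond["ConditionType"] == "STRINGEQUALS" and tags.get(cond["ConditionKey"]) == cond["ConditionValue"]:
                chosen.append(arn)
                break
    return chosen


def unprotected(selection, inventory):
    """ARNs the selection misses: the ones you would chase down after an Audit Manager report."""
    covered = set(select_resources(selection, inventory))
    return [arn for arn, _ in inventory if arn not in covered]


# Constructed inventory: only the first instance carries the exact tag the selection looks for.
INVENTORY = [
    ("arn:aws:rds:us-east-1:111122223333:db:orders", {"Backup": "daily-30day", "env": "prod"}),
    ("arn:aws:rds:us-east-1:111122223333:db:billing", {"backup": "daily-30day"}),   # wrong key case
    ("arn:aws:rds:us-east-1:111122223333:db:crm", {"Backup": "daily-30days"}),      # value typo
    ("arn:aws:rds:us-east-1:111122223333:db:scratch", {"env": "prod"}),             # never tagged
]
ROLE = "arn:aws:iam::111122223333:role/AWSBackupDefaultServiceRole"            # constructed
DR_VAULT = "arn:aws:backup:us-west-2:444455556666:backup-vault:dr-vault"       # constructed, other account


def example_plan():
    daily = build_rule("daily-30d", "prod-vault", "cron(0 3 * * ? *)", 30, copy_to_vault_arn=DR_VAULT)
    monthly = build_rule("monthly-1y-cold", "prod-vault", "cron(0 4 1 * ? *)", 365, cold_after_days=30)
    return build_plan("prod-daily-30day", [daily, monthly])


if __name__ == "__main__":
    selection = build_tag_selection("prod-by-tag", ROLE, "Backup", "daily-30day")
    print("protected:", select_resources(selection, INVENTORY))
    print("unprotected:", unprotected(selection, INVENTORY))
```

Run against a real inventory (for example the output of the Resource Groups Tagging API), `unprotected` is the list the exam trap is about: resources that exist but that no selection will ever pick up because their tag is absent, mis-cased or misspelled.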
Reflection Question: A compliance requirement mandates that all production databases must be backed up daily, retained for 7 years, and that backups cannot be deleted (even by admins) for the entire retention period. What AWS Backup features do you configure?