AWS Backup Strategies & AWS Backup
In the AWS ecosystem, data is the most valuable asset. A robust backup strategy ensures business continuity, compliance, and protection against accidental deletion or ransomware. For the SAA-C03 exam, you must distinguish between individual service features and the centralized management provided by AWS Backup.
The “Digital Time Machine” Analogy:
Imagine your AWS infrastructure is a high-end office building. Individual service snapshots are like employees taking photos of their desks before leaving (decentralized). AWS Backup is like a professional security firm that automatically enters every room at midnight, takes high-resolution 3D scans of everything, and stores them in a separate, fireproof vault in another city.
Core Concepts: The Well-Architected View
Under the Reliability Pillar, AWS emphasizes the importance of testing recovery procedures and automating backups. The two critical metrics to remember are:
- RPO (Recovery Point Objective): How much data can you afford to lose? Measured as the time since the last backup.
- RTO (Recovery Time Objective): How quickly must you be back online? Measured as the duration of downtime.
Comparison: Backup Mechanisms
| Feature | EBS Snapshots | S3 Versioning | AWS Backup |
|---|---|---|---|
| Scope | Single Block Volume | Object Level | Centralized Multi-Service |
| Automation | Data Lifecycle Manager (DLM) | Automatic on upload | Backup Plans (Policy-based) |
| Cross-Account | Manual Sharing | Replication Rules | Native Support via Organizations |
| Storage Tiering | Snapshot Archive | S3 Glacier tiers | Cold Storage (Lifecycle) |
Scenario-Based Decision Matrix
If the requirement is…
- …to centralize backups for RDS, EBS, and EFS: Use AWS Backup.
- …to protect against accidental S3 deletion: Enable S3 Versioning and MFA Delete.
- …to minimize RPO for a global application: Use Cross-Region Replication (CRR).
- …to ensure backups cannot be deleted even by the root user: Use AWS Backup Vault Lock in Compliance mode.
Exam Tips: Golden Nuggets
- Cross-Account Backup: SAA-C03 loves scenarios where you need to protect against a compromised account. AWS Backup integrated with AWS Organizations allows you to copy backups to a completely different AWS Account.
- Incremental vs. Full: Most AWS snapshots (EBS, RDS) are incremental. You only pay for the changed blocks, but you can still restore a full volume from any single snapshot.
- Vault Lock: If the exam mentions “WORM” (Write Once Read Many) or “regulatory compliance” for backups, look for AWS Backup Vault Lock.
- VPC Endpoints: Remember that AWS Backup can use Interface VPC Endpoints to keep backup traffic within the AWS private network.
Visualizing AWS Backup Architecture
Centralized Governance & Automated Recovery
Key Services
- Backup Plans: Define frequency (cron) and lifecycle.
- Backup Vaults: Logical containers for backups.
- Resource Assignment: Use tags to automate backup inclusion.
Common Pitfalls
- Manual Deletion: Without Vault Lock, a compromised administrator account can delete backups.
- Region Silos: Snapshots are Region-specific unless they are copied to another Region.
Quick Patterns
- Tag-Based: Assign “Backup: Daily” tag to resources for auto-discovery.
- Cold Storage: Transition EFS backups to cold storage after 30 days for 90% savings.
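The pitfalls and patterns above can be checked mechanically. The following is an added example, not part of the original notes: it audits one backup-plan rule for a missing or removable Vault Lock, missing cross-Region and cross-account copies, and an invalid cold-storage lifecycle. The field names follow the AWS Backup API (`Rules`, `CopyActions`, `Lifecycle`, `Locked`, `LockDate`); the vault names, account IDs and dates are constructed sample values, and `audit_rule` is a hypothetical helper.

```python
from datetime import datetime, timezone

def audit_rule(rule, vaults, now):
    """Return findings for one backup-plan rule and the vault it writes to."""
    findings = []
    name = rule["RuleName"]
    vault = vaults[rule["TargetBackupVaultName"]]
    # ARN layout: arn:aws:backup:<region>:<account>:backup-vault:<name>
    _, _, _, region, account, *_ = vault["BackupVaultArn"].split(":")

    # Pitfall "Manual Deletion": a lock without a LockDate (governance mode),
    # or with a LockDate still in the future, can be removed again.
    lock_date = vault.get("LockDate")
    if not vault.get("Locked"):
        findings.append(f"{name}: vault has no Vault Lock")
    elif lock_date is None or lock_date > now:
        findings.append(f"{name}: Vault Lock can still be removed")

    # Pitfall "Region Silos" and the compromised-account scenario:
    # look for a copy to another Region and a copy to another account.
    dests = [c["DestinationBackupVaultArn"].split(":") for c in rule.get("CopyActions", [])]
    if not any(d[3] != region for d in dests):
        findings.append(f"{name}: no cross-Region copy")
    if not any(d[4] != account for d in dests):
        findings.append(f"{name}: no cross-account copy")

    # Cold storage pattern: AWS Backup requires retention to be at least
    # 90 days longer than the transition-to-cold setting.
    lc = rule.get("Lifecycle", {})
    cold, delete = lc.get("MoveToColdStorageAfterDays"), lc.get("DeleteAfterDays")
    if cold is not None and delete is not None and delete < cold + 90:
        findings.append(f"{name}: DeleteAfterDays must be >= {cold + 90}")
    return findings

# Constructed sample data (names, account IDs and dates are illustrative).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ARN = "arn:aws:backup:{}:{}:backup-vault:{}"
VAULTS = {
    "prod-vault": {"BackupVaultArn": ARN.format("us-east-1", "111122223333", "prod-vault"), "Locked": False},
    "locked-vault": {"BackupVaultArn": ARN.format("us-east-1", "111122223333", "locked-vault"),
                     "Locked": True, "LockDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
}
WEAK = {"RuleName": "weak-daily", "TargetBackupVaultName": "prod-vault",
        "ScheduleExpression": "cron(0 0 * * ? *)",
        "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 60}}
HARDENED = {**WEAK, "RuleName": "hard-daily", "TargetBackupVaultName": "locked-vault",
            "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 120},
            "CopyActions": [{"DestinationBackupVaultArn": ARN.format("eu-west-1", "444455556666", "dr-vault")}]}

if __name__ == "__main__":
    for rule in (WEAK, HARDENED):
        print(rule["RuleName"], audit_rule(rule, VAULTS, NOW) or "OK")
```

The weak rule yields four findings and the hardened rule yields none; a vault that is locked but has no `LockDate` is reported as still removable.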