AWS Backup

AWS Backup Vault: Step by Step

What is AWS Backup Vault?

AWS Backup offers fully managed data protection with automation features for both cloud and on-premises assets. It lets you set up backup policies, automate backups, and monitor backup activity in one centralized interface. There is no need to create custom scripts or perform manual processes.

AWS Backup uses backup vaults to organize backup copies. You can configure AWS Key Management Service (AWS KMS) encryption keys to encrypt the backup copies located in each vault. Additionally, the vault lets you control access to backup copies. You can keep all backups in one vault or create multiple vaults, each with its own encryption key and access policy.

In this article, you will learn:

  • Creating a Backup Vault
  • Setting Access Policies on Backup Vaults and Recovery Points
  • Deleting a Backup Vault
  • NetApp Cloud Backup: Enterprise-Grade Backup to Amazon S3

Creating a Backup Vault

AWS Backup automatically creates a default backup vault, which you can use “as-is”. Alternatively, you can create a custom backup vault for your backups.

To create a backup vault:

  1. In the AWS Management Console, navigate to AWS Backup. Find the navigation pane and select the Backup vaults option.
  2. Select the Create backup vault option.
  3. Specify a name for your custom backup vault. Ideally, you should choose a name that reflects what is stored in the vault, such as FinancialBackups. This can make it easier to find backups later.
  4. Choose an AWS KMS key, which can either be a previously created key or a default AWS Backup KMS key.
  5. Optionally, add tags (such as BackupType:Financial) that can help you search for your backup vault.
  6. Select the Create backup vault option.
  7. Go to the navigation pane, select Backup vaults, and check that the vault was successfully created.

Setting Access Policies on Backup Vaults and Recovery Points

The AWS Identity and Access Management (IAM) service can help you control access to your AWS resources. You can use IAM to control who can sign in (authentication) and what actions the user can perform (authorization) on AWS resources.

In AWS, a policy is an object that lets you define permissions for associated resources or identities. To restrict access to a resource, you can either use a resource-based policy or an identity-based policy. Here is how the two policies differ:

  • Identity-based policies—can be attached to an IAM role, group, or user. Each policy lets you define the permissions allowed for the identity.
  • Resource-based policies—can be attached to AWS resources. Each policy lets you define who is allowed access to a resource and what permissions they should get.

AWS Backup lets you assign policies to each backup vault and all resources kept in the vault. Policies can define which users can access vaults, define backup plans, perform on-demand backups, or delete backup recovery points.

To create a resource-based access policy (for example, one that prevents the deletion of backups stored in a backup vault):

  1. Open the AWS Backup console and select Backup vaults.
  2. You should see a list of backup vaults. Choose a vault.
  3. Go to the Access policy section, and paste the JSON code for the policy you want to apply. Amazon provides sample policies to get you started: ready-made templates that deny access to a specific resource type or to an entire backup vault, or that prevent users from deleting a backup recovery point. Get the code here.

Here are two ways to customize your policy:

  • To scope the policy to a list of IAM identities, specify their ARNs with the aws:PrincipalArn global condition key.
  • To limit the policy to a specific resource type, replace "Resource": "*" with the ARN pattern of the recovery point type you want to deny, for example Amazon EBS snapshots.

  4. Select the Attach policy option.
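The following is an added example, not code from the original article or from AWS: it builds a vault access policy of the kind described above (a Deny on recovery-point deletion that exempts an allow-list of principals via aws:PrincipalArn, optionally scoped to one recovery point type via Resource) and includes a small evaluator that models just enough of IAM's logic to show which requests the policy blocks. The account ID, role name and recovery point ARNs are constructed placeholders; the EBS snapshot ARN pattern is the one AWS Backup uses for EBS recovery points.

```python
"""Added example: AWS Backup vault access policy with aws:PrincipalArn and a
Resource scope, plus a minimal evaluator for the Deny statement it contains.
Account IDs, role names and recovery point ARNs are constructed placeholders.
"""
import fnmatch
import json

# Constructed placeholder: the only principal allowed to delete recovery points.
BACKUP_ADMIN_ARNS = ["arn:aws:iam::111122223333:role/BackupAdmin"]

# ARN pattern matching Amazon EBS snapshot recovery points in any region.
EBS_SNAPSHOT_PATTERN = "arn:aws:ec2:*::snapshot/*"


def build_deny_delete_policy(exempt_principal_arns, resource="*"):
    """Return a resource-based vault access policy as a dict.

    The Deny applies to every principal whose ARN matches none of
    exempt_principal_arns (StringNotLike). Passing a Resource pattern instead
    of "*" limits the Deny to one recovery point type, e.g. EBS snapshots.
    For an assumed role, aws:PrincipalArn carries the IAM role ARN, so listing
    the role ARN exempts every session of that role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": [
                    "backup:DeleteRecoveryPoint",
                    "backup:UpdateRecoveryPointLifecycle",
                ],
                "Resource": resource,
                "Condition": {
                    "StringNotLike": {
                        "aws:PrincipalArn": list(exempt_principal_arns)
                    }
                },
            }
        ],
    }


def policy_json(policy):
    """Render the policy exactly as it would be pasted into the console."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM '*' and '?' wildcards; fnmatch has the same semantics for ARNs.
    return fnmatch.fnmatchcase(value, pattern)


def is_denied(policy, principal_arn, action, resource_arn):
    """True if a Deny statement in the vault policy blocks this request.

    Only the subset of IAM evaluation this policy needs is modelled:
    Effect=Deny, wildcard matching on Action and Resource, and the
    StringNotLike condition on aws:PrincipalArn.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get(
            "aws:PrincipalArn", []
        )
        # StringNotLike holds (and the Deny applies) only when the caller's
        # ARN matches none of the listed patterns.
        if any(_matches(p, principal_arn) for p in _as_list(exempt)):
            continue
        return True
    return False


if __name__ == "__main__":
    print(policy_json(build_deny_delete_policy(BACKUP_ADMIN_ARNS, EBS_SNAPSHOT_PATTERN)))
```

Because the statement is a Deny, it overrides any identity-based Allow the caller may hold, which is what makes it useful against accidental or malicious mass deletion; the exempt list should therefore be kept to a dedicated backup-administration role rather than everyday operator identities.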

Deleting a Backup Vault

To protect against malicious or accidental mass deletion, AWS Backup lets you delete a backup vault only after all recovery points are deleted. You can manually delete recovery points, or let a lifecycle policy automatically perform this task.

You can delete AWS resources that you restored from a recovery point by opening the AWS Management Console and navigating to the specific service you restored to.

To delete recovery points from a backup vault:

  1. Go to the AWS Backup console.
  2. Go to the navigation pane and select the Backup vaults option.
  3. In the Backup vaults page, find and select a backup vault.
  4. Find a recovery point and select the Delete option.
  5. To delete more than one recovery point, review the list of recovery points you want to delete. Edit the list by choosing the Modify selection option. Specify whether you want to keep or delete the continuous backup data.
  6. To delete all listed recovery points, type delete in the confirmation field, and then select the Delete recovery points option.

Note: You must keep your browser open until you see a green success banner displayed at the top of the page. Closing the browser prematurely ends the deletion process, and some recovery points may not be deleted.

To delete a backup vault through the AWS Backup console:

  1. Go to the AWS Backup console in the AWS Management Console.
  2. From the navigation pane, select the Backup vaults option.
  3. Find and select a backup vault for deletion.
  4. Select and delete any backup copies associated with the chosen backup vault.
  5. Choose Delete to erase the backup vault.
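As an added example (not the article's or AWS's own code), here is the two-stage procedure above driven from Python: list every recovery point in the vault, delete them, verify the vault is empty, then delete the vault, which AWS refuses while any recovery point remains. The AWS client is passed in rather than created, so the logic runs offline against the constructed FakeBackupClient included below; with boto3 installed you would pass boto3.client("backup") instead. The vault name and ARNs are constructed placeholders, and the max_points guard and dry-run default are design choices of this example, not AWS features.

```python
"""Added example: empty an AWS Backup vault of recovery points and delete it.
Uses the real boto3 method names (list_recovery_points_by_backup_vault,
delete_recovery_point, delete_backup_vault); the client is injected so the
flow can be demonstrated with the constructed fake at the bottom.
"""


def list_recovery_point_arns(client, vault_name):
    """Collect every recovery point ARN in the vault, following NextToken."""
    arns, token = [], None
    while True:
        kwargs = {"BackupVaultName": vault_name}
        if token:
            kwargs["NextToken"] = token
        page = client.list_recovery_points_by_backup_vault(**kwargs)
        arns.extend(rp["RecoveryPointArn"] for rp in page.get("RecoveryPoints", []))
        token = page.get("NextToken")
        if not token:
            return arns


def empty_and_delete_vault(client, vault_name, max_points=50, dry_run=True):
    """Delete all recovery points in the vault, then the vault itself.

    Guard rails (this example's choices): refuse when the vault holds more
    than max_points, so a mass deletion has to be confirmed explicitly, and
    report instead of act unless dry_run=False. Returns a summary dict.
    """
    arns = list_recovery_point_arns(client, vault_name)
    if len(arns) > max_points:
        raise RuntimeError(
            f"{vault_name} holds {len(arns)} recovery points (> {max_points}); "
            "raise max_points to confirm the mass deletion"
        )
    if dry_run:
        return {"vault": vault_name, "would_delete": arns, "vault_deleted": False}
    for arn in arns:
        # A vault access policy denying backup:DeleteRecoveryPoint would
        # surface here as an AccessDeniedException from the service.
        client.delete_recovery_point(BackupVaultName=vault_name, RecoveryPointArn=arn)
    # AWS rejects DeleteBackupVault while any recovery point remains, so re-check.
    remaining = list_recovery_point_arns(client, vault_name)
    if remaining:
        raise RuntimeError(f"{len(remaining)} recovery points still present; vault not deleted")
    client.delete_backup_vault(BackupVaultName=vault_name)
    return {"vault": vault_name, "deleted": arns, "vault_deleted": True}


class FakeBackupClient:
    """Constructed in-memory stand-in for boto3's backup client (offline demo).

    Paginates two recovery points per page to exercise NextToken handling and
    enforces the real service's rule that a non-empty vault cannot be deleted.
    """

    def __init__(self, vaults):
        self.vaults = {name: list(arns) for name, arns in vaults.items()}

    def list_recovery_points_by_backup_vault(self, BackupVaultName, NextToken=None, MaxResults=2):
        arns = self.vaults[BackupVaultName]
        start = int(NextToken or 0)
        chunk = arns[start:start + MaxResults]
        resp = {"RecoveryPoints": [{"RecoveryPointArn": a} for a in chunk]}
        if start + MaxResults < len(arns):
            resp["NextToken"] = str(start + MaxResults)
        return resp

    def delete_recovery_point(self, BackupVaultName, RecoveryPointArn):
        self.vaults[BackupVaultName].remove(RecoveryPointArn)

    def delete_backup_vault(self, BackupVaultName):
        if self.vaults[BackupVaultName]:
            raise RuntimeError("InvalidRequestException: backup vault is not empty")
        del self.vaults[BackupVaultName]


if __name__ == "__main__":
    # Constructed sample vault with three EBS snapshot recovery points.
    demo = FakeBackupClient({
        "FinancialBackups": [f"arn:aws:ec2:us-east-1::snapshot/snap-000{i}" for i in range(1, 4)]
    })
    print(empty_and_delete_vault(demo, "FinancialBackups"))                 # dry run
    print(empty_and_delete_vault(demo, "FinancialBackups", dry_run=False))  # real deletion
```

Running the dry run first and logging its output gives an auditable record of exactly which recovery points were about to be removed, which is the scripted counterpart of reviewing the selection list in the console before typing delete.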

NetApp Cloud Backup: Enterprise-Grade Backup to Amazon S3

NetApp Cloud Backup is a backup and restore service for NetApp Cloud Volumes deployments and on-premises ONTAP clusters. Integrated into NetApp Cloud Manager, Cloud Backup is easily enabled, automated, and scaled, allowing you to keep your data safe and compliant and overcome traditional industry challenges.

Leveraging NetApp’s SnapMirror Cloud replication technology, backups are transferred and stored in a highly durable cloud-based object storage. Backups are automatically generated and stored in an object store within your cloud account, independent of volume Snapshot copies used for near-term recovery or cloning, so that you can effortlessly restore data anytime and to anywhere you need it.

By preserving storage efficiencies and performing block-level incremental updates forever, Cloud Backup guarantees a minimal data footprint to transfer, leading to optimal bandwidth consumption, reduced performance impact on production, and SLAs that are met.

Backup copies are stored in your own object storage, providing the highest level of security. In addition, data is encrypted end to end: AES-256 encryption at rest and TLS 1.2 HTTPS connections in flight.

Denisse Soker, Cloud Backup