Introduction
Backup of data is essential to protect against data corruption and data loss. Xebia provides this as a strong shared platform capability in their Xebia Cloud Foundation, for all workloads to use.
A similar approach is described in this article, so backup can be provided as a shared capability across the AWS workloads.
AWS Backup is an AWS managed backup service that can help you set up an organization-wide, policy-based service that simplifies data protection at scale. It provides automated backup scheduling, retention management, centralized data protection, cross-account management and more.
AWS Backup can be used in various configurations. The configuration in this article will allow Platform/Backup administrators to provide pre-configured backup plans to all existing and future workloads/application teams. Backed up data will be stored and managed in a centralized manner.
This backup article is provided in a 3-part series:
Part 1 – Enterprise AWS Backup – What you will get
Part 2 – Enterprise AWS Backup – Getting Started
Part 3 – Enterprise AWS Backup – Verifying & Troubleshooting
What you will get
- A single shared mature backup capability across all your AWS accounts.
- A single central vault for critical workload backups. Local workload vaults for non-critical backups.
- Data encrypted with a customer-owned key.
- Backup plans for Hourly, Daily, Weekly & Monthly targeted towards a local backup vault.
- Replicated backup plans for Hourly, Daily, Weekly & Monthly targeted towards a central organization-wide backup vault in a separate backup account in a separate region for critical workloads. This secondary region will provide cross-region replication capability and will enable you to recover from a region failure.
- Data moved to cold storage for backup plans having long term retention.
- Data deleted after retention period.
- Enabled for data sources RDS, EBS, EC2, DynamoDB, EFS, Storage Gateway for on-premises data, and more.
- Enroll data stores onto backup plans using tags.
Backup plans available:
Tag key | Moved to cold storage | Deleted | Description |
---|---|---|---|
BackupPlanHourly | – | After 1 day | Backup once an hour on the hour to the local vault |
BackupPlanDaily | – | After 1 month | Backup at 05:00 UTC to the local vault |
BackupPlanWeekly | After 1 month | After 4 months | Backup at 05:00 UTC every Monday to the local vault |
BackupPlanMonthly | After 3 months | After 1 year | Backup at 05:00 UTC every first day of the month to the local vault |
BackupPlanHourlyReplicate | – | After 1 day | Backup once an hour on the hour to the local vault and replicate to the central vault |
BackupPlanDailyReplicate | – | After 1 month | Backup at 05:00 UTC to the local vault and replicate to the central vault |
BackupPlanWeeklyReplicate | After 1 month | After 4 months | Backup at 05:00 UTC every Monday to the local vault and replicate to the central vault |
BackupPlanMonthlyReplicate | After 3 months | After 1 year | Backup at 05:00 UTC every first day of the month to the local vault and replicate to the central vault |
All tag values are True. The key decides the plan to use.
Example of enrolling a single plan: Adding the tag BackupPlanDaily with value True to an RDS instance results in that database instance being backed up daily to the local backup vault of that workload account.
Example of enrolling multiple plans: Adding the tag BackupPlanDaily with value True and the tag BackupPlanWeeklyReplicate with value True to an RDS instance results in that database instance being backed up daily to the local backup vault of that workload account and weekly to the local and the central vault.
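Because enrollment depends entirely on tags, a mistyped key or value leaves a resource without backups and without any error. The following audit is an added example, not code from this article or from Xebia: it checks resource tags against the eight tag keys in the table and reports near-misses. The inventory is constructed sample data, and it assumes the plans match the key and the value True exactly (AWS tags are case-sensitive).

```python
# Added example: audit resource tags against the plan tag keys in the table above.
RETENTION = {  # frequency -> (moved to cold storage after, deleted after), from the table
    "Hourly": (None, "1 day"),
    "Daily": (None, "1 month"),
    "Weekly": ("1 month", "4 months"),
    "Monthly": ("3 months", "1 year"),
}
# The eight tag keys: BackupPlan<Frequency> and BackupPlan<Frequency>Replicate.
PLAN_KEYS = {f"BackupPlan{f}{s}": (f, s == "Replicate")
             for f in RETENTION for s in ("", "Replicate")}
_BY_LOWER = {k.lower(): k for k in PLAN_KEYS}


def audit(tags):
    """Return (enrolled plans, findings) for one resource's tag dict."""
    enrolled, findings = [], []
    for key, value in tags.items():
        if key in PLAN_KEYS:
            if value == "True":  # assumption: the value must match exactly
                freq, replicated = PLAN_KEYS[key]
                cold, delete = RETENTION[freq]
                enrolled.append({"plan": key, "central_copy": replicated,
                                 "cold_after": cold, "delete_after": delete})
            else:
                findings.append(f"{key}={value!r}: value is not 'True', plan not applied")
        elif key.lower() in _BY_LOWER:
            findings.append(f"{key}: wrong case, expected {_BY_LOWER[key.lower()]}")
        elif key.lower().startswith("backupplan"):
            findings.append(f"{key}: not one of the provided plan tag keys")
    if not enrolled:
        findings.append("resource is not enrolled in any backup plan")
    return enrolled, findings


# Constructed sample inventory (hypothetical resource names and tags).
INVENTORY = {
    "rds/orders-db": {"BackupPlanDaily": "True", "BackupPlanWeeklyReplicate": "True"},
    "rds/billing-db": {"BackupPlanDaily": "true"},
    "efs/shared": {"backupplanmonthly": "True", "Owner": "team-a"},
    "ebs/scratch": {"BackupPlanYearly": "True"},
}

if __name__ == "__main__":
    for name, tags in INVENTORY.items():
        enrolled, findings = audit(tags)
        print(name, [e["plan"] for e in enrolled], findings)
```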
Considerations & Limitations
For the critical workloads, where backup data is copied cross-account and cross-region, there can be limitations for specific resource types and/or encryption settings.
For more information:
Creating backup copies across AWS Regions
Creating backup copies across AWS accounts
High-level design
Continue to Part 2 – Enterprise AWS Backup – Getting Started