Customers often come to us with questions about backups and Disaster Recovery on AWS.
In this post, I’m only going to talk about backups on AWS and I’ll save the other aspects of Disaster Recovery for another post. The reason for that is that backups are, fundamentally, the first and most important part of a DR strategy. Businesses can survive outages, but if you lose your critical data, and you don’t have backups, that can be game over for the business.
1. What's the best way to back up data on AWS?
Use AWS Backup. It's a fully managed service that lets you centrally configure and manage backups across your AWS environment, covering EC2, RDS, DynamoDB, EFS, S3, EBS, and many more. You define backup policies (called backup plans), set schedules and retention rules, and AWS Backup handles the rest.
2. Should we back up to a separate AWS account?
Yes. Or more accurately, AWS Backup will create a backup in the source account (where the AWS infrastructure is) and then use the cross-account backup feature to copy your backups to a dedicated AWS account.
The dedicated “backup” AWS account should be restricted in terms of who can access the account.
You can also use the cross-region feature to copy the backups to a different region for extra resilience.
2. How do we stop backups being deleted (accidentally or maliciously)?
Use AWS Backup Vault Lock. There are two modes: governance and compliance. Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions. In compliance mode, the vault and its lock are immutable and cannot be changed or deleted by any user or even by AWS.
3. Should we replicate backups to a different cloud?
Maybe, but prioritise getting AWS Backup right first: cross-account replication to another region with Vault Lock enabled. Then consider additional solutions like multi-cloud if you still feel the need.
4. Do I need to back up S3 buckets?
Yes. AWS S3 is highly durable, but that doesn't protect you from accidental or malicious deletion (even with versioning enabled). Treat S3 buckets like any other critical data store.
5. Do our backups actually meet our RTO and RPO?
Probably not, if you've never tested a restore. Most teams set backup schedules but never validate that they can actually recover within the timeframe the business expects. Choose a workload to test, every month or every quarter.
If you're reading this and thinking, "wait a minute, what backups?" or want a quick sanity check on your setup, get in touch with us at phil@makecloud.com.
