REL 9: How do you back up data?
Back up data, applications, and configuration to meet your requirements for recovery time objectives (RTO) and recovery point objectives (RPO).
Resources
What Is AWS Backup?
AWS re:Invent 2019: Deep dive on AWS Backup, ft. Rackspace (STG341)
Well-Architected lab: Level 200: Testing Backup and Restore of Data
Amazon S3: Protecting Data Using Encryption
Encryption for Backups in AWS
On-demand backup and restore for DynamoDB
EFS-to-EFS backup
AWS Marketplace: products that can be used for backup
APN Partner: partners that can help with backup
Best Practices:
- Identify and back up all data that needs to be backed up, or reproduce the data from sources: Amazon S3 can be used as a backup destination for multiple data sources. AWS services such as Amazon EBS, Amazon RDS, and Amazon DynamoDB have built-in capabilities to create backups. Third-party backup software can also be used. Alternatively, if the data can be reproduced from other sources to meet RPO, you might not require a backup.
- Secure and encrypt backups: Detect access using authentication and authorization, such as AWS IAM, and detect data integrity compromise by using encryption.
- Perform data backup automatically: Configure backups to be taken automatically based on a periodic schedule, or by changes in the dataset. RDS instances, EBS volumes, DynamoDB tables, and S3 objects can all be configured for automatic backup. AWS Marketplace solutions or third-party solutions can also be used.
- Perform periodic recovery of the data to verify backup integrity and processes: Validate that your backup process implementation meets your recovery time objectives (RTO) and recovery point objectives (RPO) by performing a recovery test.
Improvement Plan
Identify and back up all data that needs to be backed up, or reproduce the data from sources
What Is AWS Backup?
Well-Architected lab: Level 200: Testing Backup and Restore of Data
Creating a DB Snapshot
Amazon EBS Snapshots
On-Demand Backup and Restore for DynamoDB
Creating a DB Cluster Snapshot in Neptune
Cross-Region Replication
Working with Amazon OpenSearch Service Index Snapshots
Backup and Restore for ElastiCache for Redis
Backing Up Amazon EFS
Exporting Log Data to Amazon S3
- Use AWS CloudFormation (or a trusted third-party provider) to create your EBS volume with KMS encryption.
AWS CloudFormation: AWS::EC2::Volume
- Take regular snapshots: Determine the schedule and appropriate processes for taking regular snapshots of EBS volumes. It may vary by application.
Amazon EBS snapshots
- Determine the need to replicate these snapshots based on your disaster recovery requirements: You may need to replicate these to other accounts or AWS Regions.
Copying an Amazon EBS snapshot
- Automate an EFS to EFS backup
EFS-to-EFS AWS Backup
Using AWS Backup with Amazon EFS
- Create a scheduled event to cause the backup solution to deploy and execute.
- After you have the copy, you can use AWS API operations (or a trusted third-party solution) to copy the data to Amazon S3 for higher durability: If the AWS Region you are using doesn't support Amazon EFS, use AWS Data Pipeline.
Backing up Amazon EFS file systems using AWS Data Pipeline
- Use AWS CloudFormation (or a trusted third-party provider) to create your RDS instance with KMS encryption.
AWS::RDS::DBInstance
- Set the preferred backup window, backup retention period, KMS key ID, and storage encryption options.
- Determine the need to replicate these snapshots based on your disaster recovery requirements.
Encrypting Amazon RDS resources
How Amazon Relational Database Service (Amazon RDS) uses AWS KMS
- Use CloudFormation or a trusted third-party provider to create your DynamoDB table and its associated TTL settings, IAM policies, and CloudWatch Alarms: Use the AWS CLI or AWS SDKs or a trusted third-party provider to create your DynamoDB Auto Scaling.
AWS::DynamoDB::Table
Using the AWS CLI to manage DynamoDB automatic scaling
Application programming with DynamoDB automatic scaling
- Use the DynamoDB API operations to create backups and restore backups: The snapshot is automatically encrypted using AWS managed keys.
On-Demand Backup and Restore for DynamoDB
- Use the DynamoDB API operations to enable point-in-time recovery: This allows you to restore to any time in the last 35 days.
Point-in-time recovery for DynamoDB
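The EBS, RDS and DynamoDB steps above come down to a handful of CloudFormation properties, so a template can be checked for them before it is deployed. The following Python function is an example added to this page (it is not AWS code): it audits a template for encrypted EBS volumes, RDS instances with storage encryption, a backup window and a retention period, and DynamoDB tables with point-in-time recovery. The property names are those of the AWS::EC2::Volume, AWS::RDS::DBInstance and AWS::DynamoDB::Table resource types; the sample template, the key alias and the seven-day minimum retention are constructed assumptions.

```python
"""Audit a CloudFormation template for the backup settings in the steps above.
Example code added to this page, not from AWS. Property names are those of the
AWS::EC2::Volume, AWS::RDS::DBInstance and AWS::DynamoDB::Table resource types;
the sample template and the 7-day minimum retention are constructed."""

import json

# Constructed sample: one compliant and one non-compliant resource of each type.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-east-1a", "Size": 100,
            "Encrypted": True, "KmsKeyId": "alias/example-backup-key"}},
        "BadVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-east-1a", "Size": 100}},
        "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "DBInstanceClass": "db.t3.micro",
            "StorageEncrypted": True, "KmsKeyId": "alias/example-backup-key",
            "BackupRetentionPeriod": 14, "PreferredBackupWindow": "03:00-04:00"}},
        "BadDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "DBInstanceClass": "db.t3.micro",
            "BackupRetentionPeriod": 0}},
        "GoodTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "BillingMode": "PAY_PER_REQUEST",
            "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True}}},
        "BadTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "BillingMode": "PAY_PER_REQUEST"}},
    }
}


def _is_true(value):
    """CloudFormation booleans may appear as true or "true"; anything else is off."""
    return value is True or str(value).lower() == "true"


def audit_template(template, min_retention_days=7):
    """Return sorted (logical_id, finding) tuples for resources that fall short.
    Intrinsic functions (Ref, Fn::*) are not resolved; literal values only."""
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::EC2::Volume":
            if not _is_true(props.get("Encrypted")):
                findings.append((logical_id, "EBS volume is not encrypted"))
            elif "KmsKeyId" not in props:
                # Snapshots encrypted with the default aws/ebs key cannot be shared
                # with other accounts, which matters for the replication step above.
                findings.append((logical_id, "EBS volume uses the default aws/ebs key; "
                                             "snapshots cannot be shared with other accounts"))
        elif rtype == "AWS::RDS::DBInstance":
            if not _is_true(props.get("StorageEncrypted")):
                findings.append((logical_id, "RDS storage encryption is off"))
            retention = props.get("BackupRetentionPeriod", 1)  # CloudFormation default is 1 day
            if isinstance(retention, (int, str)) and int(retention) < min_retention_days:
                findings.append((logical_id, f"RDS backup retention is {retention} days, "
                                             f"below the {min_retention_days}-day minimum"))
            if "PreferredBackupWindow" not in props:
                findings.append((logical_id, "RDS preferred backup window not set"))
        elif rtype == "AWS::DynamoDB::Table":
            pitr = props.get("PointInTimeRecoverySpecification", {})
            if not _is_true(pitr.get("PointInTimeRecoveryEnabled")):
                findings.append((logical_id, "DynamoDB point-in-time recovery is not enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run against the sample, the three "Bad" resources produce findings and the three "Good" ones produce none; on a real template, feed the function the parsed JSON of the stack you are about to deploy.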
Exporting log data to Amazon S3
- Use CloudFormation or a trusted third-party provider to create your CloudWatch Logs log groups and their associated retention period in days.
AWS::Logs::LogGroup
- Create the scheduled event to invoke an AWS Lambda function that will use the CloudWatch Logs GetLogEvents API and put the log data into Amazon S3.
Creating an EventBridge Rule That Triggers on a Schedule
Using AWS Lambda with scheduled events
Exporting log data to Amazon S3
- Specify the lifecycle policy on the S3 bucket for when the logs will be put into Amazon S3 Glacier for archiving and eventual deletion.
Object lifecycle management
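For the scheduled Lambda step above, the following Python is an example added to this page (not taken from AWS or the linked guides): it pages through GetLogEvents for one log stream and writes the events to an S3 object. The clients are passed in, so the constructed fake clients below stand in for boto3.client("logs") and boto3.client("s3") and the code runs offline; the bucket, prefix, log group and stream names are placeholders. The one behaviour worth knowing is how GetLogEvents ends: it returns the same nextForwardToken you passed in, so the loop must compare tokens rather than wait for an empty page.

```python
"""Export one CloudWatch Logs stream to S3 from a scheduled Lambda function.
Example code added to this page, not from AWS. The logs/S3 clients are injected
so the constructed fakes below can exercise it offline; with boto3 you would
pass boto3.client("logs") and boto3.client("s3"). Names are placeholders."""

import json
import os


def export_log_stream(logs, s3, log_group, log_stream, bucket, prefix, start_ms, end_ms):
    """Page through GetLogEvents from the head of the stream and write the events as
    newline-delimited JSON to s3://bucket/prefix/<group>/<stream>/<start>-<end>.jsonl.
    Returns (s3_key, number_of_events)."""
    events, token = [], None
    while True:
        kwargs = dict(logGroupName=log_group, logStreamName=log_stream,
                      startTime=start_ms, endTime=end_ms, startFromHead=True)
        if token:
            kwargs["nextToken"] = token
        resp = logs.get_log_events(**kwargs)
        events.extend(resp.get("events", []))
        # GetLogEvents signals the end of the stream by returning the token it was
        # given; a loop that only stops on an empty page never terminates.
        if resp.get("nextForwardToken") in (None, token):
            break
        token = resp["nextForwardToken"]
    key = f"{prefix}/{log_group.strip('/')}/{log_stream}/{start_ms}-{end_ms}.jsonl"
    body = "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)
    # ServerSideEncryption is a real put_object parameter; the bucket's lifecycle
    # policy (next step) handles the move to Glacier and eventual deletion.
    s3.put_object(Bucket=bucket, Key=key, Body=body.encode(), ServerSideEncryption="aws:kms")
    return key, len(events)


def lambda_handler(event, context):
    """Entry point for the EventBridge schedule; configuration comes from placeholder
    environment variables and the window is the last hour before invocation."""
    import time
    import boto3  # available in the Lambda runtime; not needed for the offline demo
    end_ms = int(time.time() * 1000)
    return export_log_stream(boto3.client("logs"), boto3.client("s3"),
                             os.environ["LOG_GROUP"], os.environ["LOG_STREAM"],
                             os.environ["ARCHIVE_BUCKET"], os.environ.get("PREFIX", "cloudwatch"),
                             end_ms - 3600 * 1000, end_ms)


class FakeLogsClient:
    """Constructed stand-in for the boto3 logs client: serves PAGE_SIZE events per call
    and repeats the token once the stream is exhausted, as the real API does."""
    PAGE_SIZE = 2

    def __init__(self, events):
        self.events, self.calls = events, 0

    def get_log_events(self, **kwargs):
        self.calls += 1
        pos = int(kwargs.get("nextToken", "f/0")[2:])
        page = self.events[pos:pos + self.PAGE_SIZE]
        return {"events": page, "nextForwardToken": f"f/{pos + len(page)}"}


class FakeS3Client:
    """Constructed stand-in for the boto3 S3 client that keeps objects in memory."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body


SAMPLE_EVENTS = [  # constructed log events
    {"timestamp": 1700000000000 + i * 1000, "message": f"line {i}",
     "ingestionTime": 1700000000500 + i * 1000}
    for i in range(5)
]


def demo():
    """Run the export against the fakes; returns (key, events written, API calls, objects)."""
    logs, s3 = FakeLogsClient(SAMPLE_EVENTS), FakeS3Client()
    key, n = export_log_stream(logs, s3, "/aws/lambda/example", "2023/11/14/stream-1",
                               "example-log-archive", "cloudwatch", 1700000000000, 1700000005000)
    return key, n, logs.calls, s3.objects


if __name__ == "__main__":
    key, n, calls, _ = demo()
    print(f"wrote {n} events to {key} in {calls} GetLogEvents calls")
```

With five sample events and two per page the export makes four calls: three pages of data and a fourth that returns the repeated token. In the real function, the IAM role needs logs:GetLogEvents on the group and s3:PutObject on the bucket, and nothing more.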
Secure and encrypt backups
- Enable encryption in RDS: You can configure encryption at rest using AWS Key Management Service when you create an RDS instance.
Encrypting Amazon RDS Resources
- Enable encryption on EBS Volumes: You can configure default encryption or specify a unique key upon volume creation.
Amazon EBS Encryption
- Use the required Amazon DynamoDB encryption: DynamoDB encrypts all data at rest. You can either use an AWS owned Customer Master Key (CMK) or an AWS managed CMK, specifying a key that is stored in your account.
DynamoDB Encryption at Rest
Managing Encrypted Tables
- Encrypt your data stored in Amazon EFS: Configure the encryption when you create your file system.
Encrypting Data and Metadata in EFS
- Configure the encryption in the source and destination Regions: You can configure encryption at rest in S3 using keys stored in KMS, but the keys are Region-specific. You can specify the destination keys when you configure the replication.
CRR Additional Configuration: Replicating Objects Created with Server-Side Encryption (SSE) Using Encryption Keys stored in AWS KMS
Security Pillar: AWS Well-Architected
Perform data backup automatically
What Is AWS Backup?
AWS re:Invent 2019: Deep dive on AWS Backup, ft. Rackspace (STG341)
- Create backup plans: A backup plan is a policy expression that defines when and how you want to back up your AWS resources.
Managing Backups Using AWS Backup Plans
- Create backup vaults: A backup vault is a container for organizing your backups.
Organizing Backups Using AWS Backup Vaults
- Create backups: A backup represents the content of the resources at a specified time.
AWS Backup: Backups
Creating an EventBridge Rule That Triggers on a Schedule
What Is AWS Step Functions?
Amazon States Language
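A backup plan is submitted to AWS Backup as a JSON document (the BackupPlan parameter of CreateBackupPlan), and the service rejects plans whose rules break its scheduling and lifecycle constraints. The following Python is an example added to this page, not AWS code: it builds a plan with one rule per schedule, attaches an optional cross-region copy action, and validates the plan locally before the API call. The vault names, the copy-destination ARN and the chosen lifecycle numbers are placeholders; the constraints it enforces (a six-field cron expression, a 60-minute minimum start window, a 120-minute minimum completion window, and at least 90 days in cold storage before deletion) are AWS Backup's own.

```python
"""Build and sanity-check an AWS Backup plan before calling
backup.create_backup_plan(BackupPlan=plan). Example code added to this page,
not from AWS; vault names and the copy-destination ARN are placeholders."""

import json


def backup_rule(name, vault, cron_fields, cold_after_days, delete_after_days,
                copy_vault_arn=None, start_window=60, completion_window=180):
    """One plan rule: when to run, where to store, how long to keep. The copy action,
    if given, replicates each recovery point to a vault in another Region/account."""
    rule = {
        "RuleName": name,
        "TargetBackupVaultName": vault,
        "ScheduleExpression": f"cron({cron_fields})",
        "StartWindowMinutes": start_window,
        "CompletionWindowMinutes": completion_window,
        "Lifecycle": {"MoveToColdStorageAfterDays": cold_after_days,
                      "DeleteAfterDays": delete_after_days},
    }
    if copy_vault_arn:
        rule["CopyActions"] = [{"DestinationBackupVaultArn": copy_vault_arn,
                                "Lifecycle": {"DeleteAfterDays": delete_after_days}}]
    return rule


def backup_plan(name, rules):
    return {"BackupPlanName": name, "Rules": rules}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is safe to submit."""
    problems = []
    rules = plan.get("Rules", [])
    if not rules:
        problems.append("plan has no rules")
    for rule in rules:
        rn = rule.get("RuleName", "?")
        expr = rule.get("ScheduleExpression", "")
        fields = expr[5:-1].split() if expr.startswith("cron(") and expr.endswith(")") else []
        if len(fields) != 6:
            problems.append(f"{rn}: schedule must be a six-field cron() expression")
        if rule.get("StartWindowMinutes", 60) < 60:
            problems.append(f"{rn}: start window is below the 60-minute minimum")
        if rule.get("CompletionWindowMinutes", 120) < 120:
            problems.append(f"{rn}: completion window is below the 120-minute minimum")
        lc = rule.get("Lifecycle", {})
        cold, delete = lc.get("MoveToColdStorageAfterDays"), lc.get("DeleteAfterDays")
        if cold is not None and delete is not None and delete < cold + 90:
            problems.append(f"{rn}: DeleteAfterDays must be at least "
                            "MoveToColdStorageAfterDays + 90 (cold storage minimum)")
        for copy in rule.get("CopyActions", []):
            if ":backup-vault:" not in copy.get("DestinationBackupVaultArn", ""):
                problems.append(f"{rn}: copy destination is not a backup vault ARN")
    return problems


def demo():
    """A valid daily rule with a cross-region copy, and a rule that breaks two constraints."""
    daily = backup_rule("daily-0500-utc", "example-vault", "0 5 ? * * *", 30, 120,
                        copy_vault_arn="arn:aws:backup:us-west-2:123456789012:backup-vault:example-dr-vault")
    bad = backup_rule("weekly-bad", "example-vault", "0 5 ? * SUN", 30, 60)  # 5 fields, deleted too soon
    return validate_plan(backup_plan("example-plan", [daily])), validate_plan(backup_plan("x", [bad]))


if __name__ == "__main__":
    good, bad = demo()
    print("valid plan problems:", good)
    print("invalid plan problems:", json.dumps(bad, indent=2))
```

The plan only says what to back up once a backup selection (resource ARNs or tags plus an IAM role) is attached to it with CreateBackupSelection; the validator above deliberately covers only the plan document.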
Perform periodic recovery of the data to verify backup integrity and processes
Creating an EventBridge Rule That Triggers on a Schedule
What Is AWS Step Functions?
Amazon States Language
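A recovery test is only useful if its result is compared against the RTO and RPO targets, and a schedule that is configured is not the same as a schedule that ran. The following Python is an example added to this page, not AWS code: given the completion times of the recovery points, the moment a failure is assumed to have occurred, the start and verified-complete times of the restore, and checksums of the source and restored data, it reports the achieved RPO and RTO, the largest gap between recovery points (a missed backup shows up here), and whether the test passed. All timestamps and data below are constructed; in practice they come from the backup service's recovery-point list, the restore job's timings, and a checksum run over the restored data.

```python
"""Evaluate a recovery test against RTO/RPO targets. Example code added to this
page, not from AWS. Timestamps, sample data and digests are constructed."""

import hashlib
from datetime import datetime, timedelta, timezone


def digest(data):
    """Checksum used to compare restored data with the source."""
    return hashlib.sha256(data).hexdigest()


def achieved_rpo(recovery_points, failure_time):
    """Worst-case data loss: time from the newest recovery point completed before
    the failure to the failure itself. None if no usable recovery point exists."""
    usable = [t for t in recovery_points if t <= failure_time]
    return failure_time - max(usable) if usable else None


def largest_gap(recovery_points):
    """Longest interval between consecutive recovery points; exposes missed backups."""
    ordered = sorted(recovery_points)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else None


def evaluate_recovery_test(recovery_points, failure_time, restore_started, restore_verified,
                           source_digest, restored_digest, rto, rpo):
    rpo_actual = achieved_rpo(recovery_points, failure_time)
    rto_actual = restore_verified - restore_started
    result = {
        "rpo_actual": rpo_actual,
        "rto_actual": rto_actual,
        "largest_gap": largest_gap(recovery_points),
        "rpo_met": rpo_actual is not None and rpo_actual <= rpo,
        "rto_met": rto_actual <= rto,
        "integrity_ok": source_digest == restored_digest,
    }
    # The schedule itself must also meet the RPO, or the next failure may land in a gap.
    result["schedule_meets_rpo"] = result["largest_gap"] is not None and result["largest_gap"] <= rpo
    result["passed"] = all(result[k] for k in ("rpo_met", "rto_met", "integrity_ok", "schedule_meets_rpo"))
    return result


def _utc(h, m=0):
    return datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)


# Constructed inputs: hourly recovery points, a failure at 10:37, a 35-minute restore.
HOURLY_POINTS = [_utc(h) for h in range(0, 12)]
FAILURE = _utc(10, 37)
SAMPLE_DATA = b"customer-orders-table-export\n" * 100
TARGET_RTO, TARGET_RPO = timedelta(hours=1), timedelta(hours=1)


def demo():
    """Hourly schedule, nothing missed: passes with RPO 37 min and RTO 35 min."""
    return evaluate_recovery_test(HOURLY_POINTS, FAILURE, _utc(10, 45), _utc(11, 20),
                                  digest(SAMPLE_DATA), digest(SAMPLE_DATA), TARGET_RTO, TARGET_RPO)


def demo_missed_backups():
    """Same targets, but the 09:00 and 10:00 jobs never ran: RPO of 2h37m, gap of 3h, fails."""
    points = [t for t in HOURLY_POINTS if t not in (_utc(9), _utc(10))]
    return evaluate_recovery_test(points, FAILURE, _utc(10, 45), _utc(11, 20),
                                  digest(SAMPLE_DATA), digest(SAMPLE_DATA), TARGET_RTO, TARGET_RPO)


if __name__ == "__main__":
    for name, r in (("healthy", demo()), ("missed backups", demo_missed_backups())):
        print(f"{name}: passed={r['passed']} rpo={r['rpo_actual']} rto={r['rto_actual']} "
              f"largest_gap={r['largest_gap']}")
```

The second scenario is the one that matters: the restore itself is fast and the data intact, yet the test fails because two scheduled jobs did not run and the recovery point is older than the RPO allows. Recording the largest gap alongside the RTO/RPO result turns the periodic recovery test into a check of the backup process, not just of the restore.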