← Back to Tutorials
Tutorial 15 Intermediate

How to Implement AWS Backup for Disaster Recovery

Build bulletproof backup strategies with encrypted vaults, cross-region replication, and automated recovery plans to protect your organization from ransomware and data loss.

30 min implementation
12 min read
Disaster Recovery

What You'll Learn

Why Backup Strategies Fail in Ransomware Attacks

Ransomware attacks have demonstrated that inadequate backup strategies can cripple entire industries. The 2024 CDK Global ransomware attack—which affected approximately 15,000 auto dealerships and caused an estimated $1 billion+ in collective losses—illustrates how backup failures amplify the impact of cyberattacks. When backups fail, organizations face extended downtime, ransom payments, and cascading losses.

The Three Deadly Backup Failures

1

Inadequate Cross-Region Isolation

Backups stored in the same region as production systems create single points of failure. When ransomware spreads across a network, attackers can access and encrypt backup data in the same geographic location, eliminating recovery options.

2

Compromised Backup Network Isolation

Backup systems that share network credentials and access paths with production systems allow ransomware to "follow the backups." Proper network segmentation prevents attackers from re-infecting systems during recovery.

3

Insufficient Backup Vault Encryption

Without customer-managed KMS keys and proper vault lock policies, backup data becomes vulnerable to both external attacks and insider threats. AWS managed keys provide convenience but not the access controls needed for enterprise security.

⚠️
Key Lesson: Backup isn't just about data recovery—it's about business survival. Organizations with proper cross-region, encrypted backups can recover in hours. Those without may face weeks of downtime and millions in losses.
1

Create Encrypted Backup Vaults with Cross-Region Replication

~10 minutes

Properly configured backup vaults with customer-managed encryption and cross-region replication ensure your backups survive both targeted attacks and regional disasters.

Console Steps

1.1 Create Customer-Managed KMS Key

  • Navigate to AWS KMS service
  • Click "Create key"
  • Key type: Symmetric
  • Key usage: Encrypt and decrypt
  • Key alias: backup-vault-primary-key
  • Key administrators: Add your IAM user/role
  • Key users: Add AWSServiceRoleForBackup

1.2 Create Primary Backup Vault

  • Navigate to AWS Backup service
  • Click "Backup vaults" → "Create Backup vault"
  • Vault name: production-backup-vault-primary
  • KMS key: Select your customer-managed key
  • Add tags: Environment=Production, BackupType=Primary
  • Click "Create Backup vault"
AWS CLI - Create Encrypted Backup Vault 
# Create backup vault with customer-managed KMS key
aws backup create-backup-vault \
    --backup-vault-name production-backup-vault-primary \
    --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/your-key-id \
    --backup-vault-tags Environment=Production,BackupType=Primary

1.3 Create Cross-Region Backup Vault

  • Switch to a different AWS region (e.g., us-west-2 if primary is us-east-1)
  • Create another customer-managed KMS key in this region
  • Key alias: backup-vault-secondary-key
  • Create backup vault: production-backup-vault-secondary
  • Use the new region's KMS key for encryption
AWS CLI - Create Cross-Region Backup Vault 
# Create cross-region backup vault in secondary region
aws backup create-backup-vault \
    --backup-vault-name production-backup-vault-secondary \
    --encryption-key-arn arn:aws:kms:us-west-2:123456789012:key/your-secondary-key-id \
    --backup-vault-tags Environment=Production,BackupType=Secondary \
    --region us-west-2

1.4 Configure Vault Access Policies

JSON - Restrictive Vault Access Policy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnauthorizedDeletion",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteRecoveryPoint"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:role/BackupAdminRole"
                    ]
                }
            }
        }
    ]
}
AWS CLI - Apply Vault Access Policy 
# Apply access policy to backup vault
aws backup put-backup-vault-access-policy \
    --backup-vault-name production-backup-vault-primary \
    --policy file://vault-access-policy.json
Security Achievement: You now have encrypted backup vaults in multiple regions with customer-managed keys, providing the foundation for enterprise-grade backup security.
2

Configure Automated Backup Plans and Lifecycle Policies

~8 minutes

Automated backup plans ensure consistent data protection while lifecycle policies manage costs by transitioning older backups to cheaper storage tiers.

Console Steps

2.1 Create Backup Plan

  • Navigate to AWS Backup → "Backup plans"
  • Click "Create Backup plan"
  • Select "Build a new plan"
  • Plan name: production-backup-plan

2.2 Configure Backup Rules

  • Rule name: daily-backup-rule
  • Backup vault: Select your primary vault
  • Backup frequency: Daily
  • Backup window: Start within 1 hour, Complete within 8 hours
  • Lifecycle: Move to cold storage after 30 days, Delete after 365 days
JSON - Backup Plan Configuration 
{
    "BackupPlanName": "production-backup-plan",
    "Rules": [
        {
            "RuleName": "daily-backup-rule",
            "TargetBackupVaultName": "production-backup-vault-primary",
            "ScheduleExpression": "cron(0 2 ? * * *)",
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 480,
            "Lifecycle": {
                "MoveToColdStorageAfterDays": 30,
                "DeleteAfterDays": 365
            },
            "CopyActions": [
                {
                    "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:production-backup-vault-secondary",
                    "Lifecycle": {
                        "MoveToColdStorageAfterDays": 7,
                        "DeleteAfterDays": 90
                    }
                }
            ]
        }
    ]
}
AWS CLI - Create Backup Plan 
# Create backup plan from JSON file
aws backup create-backup-plan \
    --backup-plan file://backup-plan.json

# Note the BackupPlanId from the output for the next step

2.3 Assign Resources to Backup Plan

JSON - Resource Selection Configuration 
{
    "SelectionName": "production-resources",
    "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole",
    "ListOfTags": [
        {
            "ConditionType": "STRINGEQUALS",
            "ConditionKey": "Environment",
            "ConditionValue": "Production"
        }
    ]
}
AWS CLI - Assign Resources 
# Assign resources to backup plan using tags
aws backup create-backup-selection \
    --backup-plan-id YOUR_BACKUP_PLAN_ID \
    --backup-selection file://resource-selection.json
💡
Cost Tip: Test your backup plan with non-critical resources first. Backup charges include storage costs in both regions plus data transfer fees for cross-region copies.
Automation Success: Your backup plan now automatically protects production resources with cross-region replication and cost-optimized lifecycle management.
3

Set Up Cross-Account Backup Isolation

~7 minutes

Cross-account backup isolation ensures that even if your production AWS account is compromised, attackers cannot access or delete your backup data stored in a separate, hardened account.

Prerequisites

  • A separate AWS account dedicated to backups (recommended for enterprise security)
  • AWS Organizations configured with both accounts
  • Cross-account IAM roles and trust relationships

3.1 Create Backup Account Vault

  • Sign in to your dedicated backup AWS account
  • Create a new customer-managed KMS key
  • Key alias: backup-account-vault-key
  • Create backup vault: isolated-backup-vault
  • Use the backup account's KMS key

3.2 Configure Cross-Account KMS Permissions

JSON - KMS Key Policy for Cross-Account Access 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountBackup",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/AWSServiceRoleForBackup"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncrypt*"
            ],
            "Resource": "*"
        }
    ]
}

3.3 Add Cross-Account Copy to Backup Plan

JSON - Cross-Account Copy Action 
{
    "CopyActions": [
        {
            "DestinationBackupVaultArn": "arn:aws:backup:us-east-1:BACKUP-ACCOUNT-ID:backup-vault:isolated-backup-vault",
            "Lifecycle": {
                "MoveToColdStorageAfterDays": 30,
                "DeleteAfterDays": 2555
            }
        }
    ]
}

3.4 Configure Backup Account Security

  • Enable AWS CloudTrail in backup account
  • Set up SCPs (Service Control Policies) to restrict backup deletion
  • Configure MFA requirements for all backup account access
  • Set up separate monitoring and alerting
Isolation Complete: Your backups are now stored in a separate account with independent access controls, providing air-gap-like protection against account-level compromises.
4

Implement Backup Monitoring and Alerting

~5 minutes

Proactive monitoring ensures backup failures are detected immediately, and alerting provides early warning of potential attacks or misconfigurations.

4.1 Enable AWS Backup Audit Manager

  • Navigate to AWS Backup → "Audit Manager"
  • Click "Get started"
  • Select frameworks: AWS Backup best practices
  • Enable continuous compliance monitoring

4.2 Create CloudWatch Backup Alarms

AWS CLI - Create Backup Failure Alarm 
# Create SNS topic for backup alerts
aws sns create-topic --name backup-alerts

# Subscribe your email to the topic
aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:123456789012:backup-alerts \
    --protocol email \
    --notification-endpoint security-team@example.com

# Create CloudWatch alarm for backup failures
aws cloudwatch put-metric-alarm \
    --alarm-name "BackupJobFailures" \
    --alarm-description "Alert on backup job failures" \
    --metric-name "NumberOfBackupJobsFailed" \
    --namespace "AWS/Backup" \
    --statistic Sum \
    --period 3600 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:backup-alerts

4.3 Set Up EventBridge Rules

JSON - EventBridge Rule for Backup Monitoring 
{
    "source": ["aws.backup"],
    "detail-type": ["Backup Job State Change"],
    "detail": {
        "state": ["FAILED", "EXPIRED", "PARTIAL"]
    }
}
AWS CLI - Create EventBridge Rule 
# Create EventBridge rule for backup state changes
aws events put-rule \
    --name "BackupJobStateChange" \
    --description "Monitor backup job failures" \
    --event-pattern '{"source":["aws.backup"],"detail-type":["Backup Job State Change"],"detail":{"state":["FAILED","EXPIRED","PARTIAL"]}}'

# Add SNS target to the rule
aws events put-targets \
    --rule "BackupJobStateChange" \
    --targets "Id"="1","Arn"="arn:aws:sns:us-east-1:123456789012:backup-alerts"
Monitoring Active: You now have comprehensive visibility into backup operations with immediate alerting for failures, policy violations, and security events.

Validate Your Disaster Recovery Strategy

Testing is the only way to ensure your backup strategy will work when disaster strikes. Run through this checklist:

Backup Validation Script

Bash - Backup Strategy Validation Script 
#!/bin/bash
# Comprehensive Backup Validation Script

PRIMARY_VAULT="${1:-production-backup-vault-primary}"
SECONDARY_VAULT="${2:-production-backup-vault-secondary}"
SECONDARY_REGION="${3:-us-west-2}"

echo "============================================"
echo "AWS Backup Strategy Validation"
echo "============================================"

# Test 1: Verify backup vault encryption
echo -e "\n[1/4] Checking backup vault encryption..."
VAULT_KEY=$(aws backup describe-backup-vault \
    --backup-vault-name $PRIMARY_VAULT \
    --query 'EncryptionKeyArn' --output text 2>/dev/null)

if [[ $VAULT_KEY == *"alias/aws/backup"* ]]; then
    echo "⚠ WARNING: Using AWS managed key (not customer-managed)"
elif [[ -n "$VAULT_KEY" ]]; then
    echo "✓ Customer-managed encryption confirmed: $VAULT_KEY"
else
    echo "✗ ERROR: Could not determine encryption status"
fi

# Test 2: Check cross-region replication
echo -e "\n[2/4] Verifying cross-region backup copies..."
CROSS_REGION_BACKUPS=$(aws backup list-recovery-points-by-backup-vault \
    --backup-vault-name $SECONDARY_VAULT \
    --region $SECONDARY_REGION \
    --query 'RecoveryPoints | length(@)' \
    --output text 2>/dev/null)

if [ "$CROSS_REGION_BACKUPS" -gt 0 ] 2>/dev/null; then
    echo "✓ Cross-region backups confirmed: $CROSS_REGION_BACKUPS recovery points"
else
    echo "⚠ WARNING: No cross-region backups found in $SECONDARY_REGION"
fi

# Test 3: Check backup plan compliance
echo -e "\n[3/4] Checking backup plan status..."
BACKUP_PLANS=$(aws backup list-backup-plans \
    --query 'BackupPlansList[*].[BackupPlanName,BackupPlanId]' \
    --output table 2>/dev/null)

if [ -n "$BACKUP_PLANS" ]; then
    echo "✓ Active backup plans found:"
    echo "$BACKUP_PLANS"
else
    echo "✗ ERROR: No backup plans found"
fi

# Test 4: Check recent backup job status
echo -e "\n[4/4] Checking recent backup job status..."
FAILED_JOBS=$(aws backup list-backup-jobs \
    --by-state FAILED \
    --by-created-after $(date -d '7 days ago' --iso-8601) \
    --query 'BackupJobs | length(@)' \
    --output text 2>/dev/null)

if [ "$FAILED_JOBS" -eq 0 ] 2>/dev/null; then
    echo "✓ No failed backup jobs in the last 7 days"
else
    echo "⚠ WARNING: $FAILED_JOBS failed backup jobs in the last 7 days"
fi

echo -e "\n============================================"
echo "Backup validation complete!"
echo "============================================"

AWS Backup Vault Lock (Optional - For Compliance)

For organizations with strict compliance requirements, Backup Vault Lock provides WORM (Write Once, Read Many) protection:

AWS CLI - Enable Backup Vault Lock (Governance Mode) 
# Enable Backup Vault Lock in governance mode
# (allows authorized users to modify retention)
aws backup put-backup-vault-lock-configuration \
    --backup-vault-name production-backup-vault-primary \
    --min-retention-days 7 \
    --max-retention-days 365

# For compliance mode (immutable after grace period), add:
# --changeable-for-days 3
# Note: Compliance mode becomes IMMUTABLE after the grace period
⚠️
Vault Lock Warning: Compliance mode vault locks become immutable after the grace period and cannot be changed or deleted by anyone, including AWS. Use governance mode for testing.

Common AWS Backup Mistakes to Avoid

Using AWS managed keys for backup vault encryption. This prevents cross-account backup copies and limits access control granularity. Always use customer-managed KMS keys.

Storing all backups in the same region as production. Regional disasters or targeted attacks can eliminate all recovery options. Always configure cross-region replication.

Not testing backup restores regularly. Backup without proven restore capability is just expensive data storage. Test monthly at minimum.

Inadequate backup monitoring and alerting. Silent backup failures can persist for months until a disaster reveals the gap. Configure CloudWatch alarms and EventBridge rules.

Sharing network access between production and backup systems. This allows ransomware to follow network connections to backup data. Use separate accounts and network isolation.

Insufficient backup retention policies. Attackers often remain in systems for months before activating ransomware. Keep backups long enough to recover from delayed attacks.

Want Comprehensive AWS Backup Monitoring?

Don't wait for disaster to test your backup strategy. AWSight provides continuous monitoring of your AWS backup configurations, cross-region replication status, and compliance posture—alerting you before backup failures become business disasters.

View Pricing Plans Browse All Tutorials

References