Identifying and Backing Up the Necessary Data
On AWS, Amazon S3 is the backup destination of choice. It is highly durable and reliable, it is cost-efficient, and its built-in lifecycle management can transition backup data to progressively cheaper storage classes as it ages. Lifecycle rules can also expire objects, so make sure no expiration rule deletes a backup before its retention period ends.
In addition, whether you opt for the built-in backup capabilities of individual services (EBS snapshots or RDS automated backups, for instance) or for a centralized service such as AWS Backup, the backups are stored on S3-backed storage, although in those cases you do not see them as objects in a bucket you own; the service manages that storage for you. If you prefer one of the popular third-party backup products, chances are that it supports writing to an S3 bucket out of the box.
Securing and Encrypting Backups
As for all other data stored on AWS, the usual data security and protection best practices apply. Assuming you back up your data to Amazon S3, you have several choices for encrypting it at rest. With server-side encryption, S3 accepts your objects as plaintext and encrypts them before persisting them; S3 applies server-side encryption with S3-managed keys (SSE-S3) to every new object by default, and you can choose SSE-KMS instead, which protects the object with a key in AWS Key Management Service (KMS). With client-side encryption, you encrypt the data before sending it to S3, so S3 never sees the plaintext. Both approaches can use KMS, either with an AWS-managed KMS key that is created and managed for you (and whose key policy you cannot change) or with a customer-managed KMS key that you create and manage. Access to a KMS key is governed by its key policy together with IAM policies, which define who is authorized to use the key to encrypt or decrypt; for SSE-KMS objects that is what ultimately decides who can write or read the backups, since a principal that cannot decrypt under the key cannot read the object even with s3:GetObject. Note that KMS does not encrypt the backup data itself: it generates and wraps the per-object data keys, so permission to decrypt data keys under a given KMS key is permission to read everything encrypted with it. For backups, a customer-managed key is the better choice, because you control its key policy, can scope it to the backup bucket and the backup role, and can audit every use of it in CloudTrail; a bucket policy that denies PutObject requests not using SSE-KMS with that key prevents anyone from quietly writing a backup under a weaker setting.
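To make the encryption choices above checkable, here is a small audit script for a backup bucket. It is an added example for this chapter, not code from the book or from AWS: it inspects the two responses a reviewer would pull for a bucket (GetBucketEncryption and GetBucketPolicy) and reports whether default encryption is SSE-KMS, whether the default key is the expected customer-managed key rather than the AWS-managed aws/s3 key, and whether the bucket policy denies PutObject requests that are not SSE-KMS or that use any other KMS key. The responses and the key ARN below are constructed placeholders; with boto3 you would pass the results of get_bucket_encryption() and get_bucket_policy()["Policy"] instead.

```python
"""Audit the at-rest encryption posture of an S3 backup bucket.

Added example, not book or AWS code. Works on the shapes returned by
GetBucketEncryption and GetBucketPolicy; samples below are constructed.
"""
import json

# Placeholder customer-managed key ARN (example account and key id, not real).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed GetBucketEncryption responses.
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": CMK_ARN},
    "BucketKeyEnabled": True}]}}
# SSE-KMS, but with the AWS-managed aws/s3 key (no KMSMasterKeyID given).
AWS_MANAGED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
# What a bucket shows when nobody configured anything: SSE-S3.
DEFAULT_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

# Constructed bucket policy enforcing SSE-KMS with the expected key.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::backup-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyOtherKeys", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::backup-bucket/*",
     "Condition": {"StringNotEquals": {
         "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}}},
]})
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _deny_put_statements(policy_json):
    """Yield Deny statements that cover s3:PutObject, directly or via a wildcard."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny" and (
                "s3:PutObject" in actions or "s3:*" in actions or "*" in actions):
            yield stmt


def _condition(stmt, operator):
    """Condition block for one operator; keys lower-cased (IAM keys are case-insensitive)."""
    block = stmt.get("Condition", {}).get(operator, {})
    return {key.lower(): value for key, value in block.items()}


def audit_backup_bucket(encryption, policy_json, expected_key_arn):
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algorithm = default.get("SSEAlgorithm", "")
    key_id = default.get("KMSMasterKeyID", "")

    findings = {
        "default_sse_kms": algorithm in ("aws:kms", "aws:kms:dsse"),
        # No KMSMasterKeyID (or the aws/s3 alias) means the AWS-managed key,
        # whose key policy you cannot edit.
        "default_key_is_expected_cmk": key_id == expected_key_arn,
        "denies_unencrypted_put": False,
        "denies_other_kms_key": False,
    }
    header = "s3:x-amz-server-side-encryption"
    for stmt in _deny_put_statements(policy_json):
        not_equals = _condition(stmt, "StringNotEquals")
        null = _condition(stmt, "Null")
        # Either form denies a PutObject that does not ask for SSE-KMS:
        # StringNotEquals (which also matches when the header is absent) or Null=true.
        if "aws:kms" in _as_list(not_equals.get(header)) or \
           "true" in [str(v).lower() for v in _as_list(null.get(header))]:
            findings["denies_unencrypted_put"] = True
        if expected_key_arn in _as_list(not_equals.get(header + "-aws-kms-key-id")):
            findings["denies_other_kms_key"] = True

    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, enc in (("good", GOOD_ENCRYPTION), ("aws-managed", AWS_MANAGED_ENCRYPTION),
                      ("default", DEFAULT_ENCRYPTION)):
        print(name, audit_backup_bucket(enc, GOOD_POLICY, CMK_ARN))
    print("no policy", audit_backup_bucket(GOOD_ENCRYPTION, EMPTY_POLICY, CMK_ARN))
```

The audit is structural: it confirms that the controls are declared, not that IAM will evaluate them the way you expect in every case, so pair it with a test upload that omits the encryption header and one that names a different key, both of which should be rejected.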
Performing Data Backup Automatically
As with many other administrative tasks, your objective is to automate as much as possible. Limiting, or even eliminating, manual work is not just a way to reduce operational overhead; it also reduces risk, since any manual action is error-prone by nature.
So, set up your backups to run automatically on a defined schedule. AWS services such as RDS, EBS, DynamoDB, and S3 can all be backed up automatically (RDS automated backups, scheduled EBS snapshots through Amazon Data Lifecycle Manager, DynamoDB point-in-time recovery, and AWS Backup for S3 buckets, for instance). The same goes for your preferred third-party backup solution. As already mentioned, you can also centralize your backups with AWS Backup and define backup policies centrally through AWS Organizations. That lets you enforce regular automated backups across the entire organization or for specific organizational units (OUs). A common pattern is a default backup policy attached at the root that applies to every account, with some OUs allowed to override selected settings, for instance the backup frequency. What an OU or an account can change in an inherited backup plan depends on whether and how child control operators (@@operators_allowed_for_child_policies) have been set in the parent policy: the parent can allow child policies to assign, append, or remove values for a given setting, or forbid changes to it entirely. Automate restore tests on the same footing as the backups themselves; a backup that has never been restored is an assumption, not a backup.
For more details on managing backup policies at the Organizations level, refer to the AWS Organizations documentation (the link is in the Further Reading section at the end of this chapter).
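The interaction between a parent backup policy, its child control operators, and the overrides an OU or account attempts is easiest to see by computing the effective policy. The script below is an added example for this chapter, not code from the book or from AWS Organizations: it applies the documented inheritance operators (@@assign, @@append, @@remove) and @@operators_allowed_for_child_policies to constructed root, OU, and account policies. Two simplifications are assumptions of this example rather than documented behaviour: a child operator the parent did not allow is silently dropped, and a control operator set at one level is inherited by every level below it. The plan, vault, tag, and role names are placeholders; the role ARN uses the $account variable that backup policies support.

```python
"""Compute an account's effective AWS Organizations backup policy from the
policies attached at the root, its OU, and the account.

Added example, not AWS code. Simplified model: disallowed child operators are
dropped; control operators are inherited downward. Samples are constructed.
"""
import copy
import json

OPERATORS = ("@@assign", "@@append", "@@remove")
CHILD_CONTROL = "@@operators_allowed_for_child_policies"


def _is_leaf(node):
    """A setting node is a dict keyed by operators rather than by setting names."""
    return isinstance(node, dict) and any(op in node for op in OPERATORS)


def _allowed(spec, inherited):
    """Turn an @@operators_allowed_for_child_policies value into a set of operators."""
    if spec is None:
        return inherited
    if "@@all" in spec:
        return set(OPERATORS)
    if "@@none" in spec:
        return set()
    return set(spec) & set(OPERATORS)


def _merge_leaf(parent, child, allowed):
    value = copy.deepcopy(parent.get("@@assign"))
    if "@@assign" in child and "@@assign" in allowed:
        value = copy.deepcopy(child["@@assign"])
    if "@@append" in child and "@@append" in allowed and (value is None or isinstance(value, list)):
        current = list(value or [])
        value = current + [v for v in child["@@append"] if v not in current]
    if "@@remove" in child and "@@remove" in allowed and isinstance(value, list):
        value = [v for v in value if v not in child["@@remove"]]
    merged = {"@@assign": value}
    control = parent.get(CHILD_CONTROL, child.get(CHILD_CONTROL))
    if control is not None:
        merged[CHILD_CONTROL] = control  # carried so the next level is still constrained
    return merged


def merge(parent, child, allowed=None):
    """Merge child onto parent, keeping operator form so another level can be merged on top."""
    allowed = _allowed(parent.get(CHILD_CONTROL), set(OPERATORS) if allowed is None else allowed)
    if _is_leaf(parent) or _is_leaf(child):
        return _merge_leaf(parent if _is_leaf(parent) else {},
                           child if _is_leaf(child) else {}, allowed)
    merged = {}
    for key in list(parent) + [k for k in child if k not in parent]:
        if key == CHILD_CONTROL:
            merged[key] = parent.get(key, child.get(key))
        else:
            merged[key] = merge(parent.get(key, {}), child.get(key, {}), allowed)
    return merged


def flatten(policy):
    """Strip operators, producing the plain shape of an effective policy."""
    if _is_leaf(policy):
        return policy.get("@@assign")
    out = {}
    for key, node in policy.items():
        if key != CHILD_CONTROL and (value := flatten(node)) is not None:
            out[key] = value
    return out


def effective_policy(*policies):
    """Root -> OU -> ... -> account: merge each level onto the one above it."""
    merged = policies[0]
    for child in policies[1:]:
        merged = merge(merged, child)
    return flatten(merged)


# Constructed root policy: children may append regions and change the schedule,
# but may not change the vault or the retention.
ROOT_POLICY = {"plans": {"OrgDaily": {
    "regions": {"@@assign": ["us-east-1"], CHILD_CONTROL: ["@@append"]},
    "rules": {"Daily": {
        "schedule_expression": {"@@assign": "cron(0 5 ? * * *)", CHILD_CONTROL: ["@@assign"]},
        "target_backup_vault_name": {"@@assign": "Default", CHILD_CONTROL: ["@@none"]},
        "lifecycle": {CHILD_CONTROL: ["@@none"], "delete_after_days": {"@@assign": "35"}},
    }},
    "selections": {"tags": {"Backup": {
        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/OrgBackupRole"},
        "tag_key": {"@@assign": "Backup"},
        "tag_value": {"@@assign": ["true"]},
    }}},
}}}
# Constructed OU policy: more frequent schedule and extra region (allowed);
# its own vault and shorter retention (both dropped).
OU_POLICY = {"plans": {"OrgDaily": {
    "regions": {"@@append": ["eu-west-1"]},
    "rules": {"Daily": {
        "schedule_expression": {"@@assign": "cron(0 */6 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "MyOwnVault"},
        "lifecycle": {"delete_after_days": {"@@assign": "7"}},
    }},
}}}
# Constructed account policy: appending a region is allowed, removing one is not.
ACCOUNT_POLICY = {"plans": {"OrgDaily": {
    "regions": {"@@append": ["ap-southeast-2"], "@@remove": ["us-east-1"]},
}}}

if __name__ == "__main__":
    print(json.dumps(effective_policy(ROOT_POLICY, OU_POLICY, ACCOUNT_POLICY), indent=2))
```

When reviewing a real organization, compare this kind of computed result with what the Organizations API reports as the effective policy for the account (DescribeEffectivePolicy for the BACKUP_POLICY type); a mismatch usually means a control operator was set lower in the tree than you assumed.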