This reference architecture describes how AWS Backup is implemented in a single AWS account to protect multiple services in an automated way.

[Diagram: AWS Cloud. Supported services (AWS compute services, AWS database services, AWS storage services) are protected by a backup plan; backup jobs write recovery points into an AWS Backup vault encrypted with a KMS key and guarded by access policies. Flows shown: backup flow, configuration flow, resource tracking, authentication flow (user/admin via AWS IAM) and monitoring flow (AWS CloudTrail, Amazon CloudWatch, Amazon EventBridge, AWS Backup Audit Manager with governance framework and compliance reports).]

1. Use AWS CloudFormation to create the components that AWS Backup uses in this architecture.

2. The AWS Backup plan defines the frequency, retention period, lifecycle, backup copy destination and resources to be protected.

3. The AWS Backup vault is a logical container that stores and organizes your backups. Encryption of certain backups is enforced through a defined AWS Key Management Service (AWS KMS) encryption key.

4. A backup job runs within the backup window defined in the backup plan. Once the job is completed, a recovery point will be available in the vault and can be used to restore.

5. Secure access to your resources through AWS Identity and Access Management (AWS IAM) by using AWS-managed policies as a starting point. At the vault level, access policies protect the vault and its contents and can be used to grant or deny access to certain vaults and their underlying operations (delete/restore).

6. AWS Backup actions are recorded in AWS CloudTrail as events.

7. Monitor AWS Backup service metrics through Amazon CloudWatch.

8. Use Amazon EventBridge to monitor AWS Backup events, such as when a backup fails or gets deleted.

9. Audit backups and automate reports through AWS Backup Audit Manager, which allows you to continuously monitor compliance of your backups.

AWS Reference Architecture. Reviewed for technical accuracy July 29, 2022.
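The template below is an added illustration of steps 1 through 5 and 8, written for this page; it is not AWS's own template and not taken from the reference architecture PDF. It assumes a single account, selects resources to protect by a tag (constructed here as backup=daily) and uses a placeholder parameter AlertEmail for the mailbox that receives failure alerts. The resource names (BackupKey, BackupRole, BackupVault, BackupPlan, BackupSelection, AlertTopic, BackupFailureRule) are arbitrary choices for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example (not AWS's own) of the AWS Backup reference architecture in CloudFormation.

Parameters:
  AlertEmail:
    Type: String   # assumed placeholder: mailbox that receives failed-backup alerts

Resources:
  # Step 3: customer-managed KMS key; the vault enforces it for backups that support KMS encryption.
  BackupKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for AWS Backup recovery points (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdmin
            Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: kms:*
            Resource: "*"

  # Step 5: service role built from the AWS-managed policies the text recommends as a starting point.
  BackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: backup.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

  # Steps 3 and 5: vault bound to the key, with a vault access policy that denies
  # deletion or lifecycle shortening of recovery points for every principal.
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: example-vault
      EncryptionKeyArn: !GetAtt BackupKey.Arn
      AccessPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyRecoveryPointDeletion
            Effect: Deny
            Principal: "*"
            Action:
              - backup:DeleteRecoveryPoint
              - backup:UpdateRecoveryPointLifecycle
            Resource: "*"

  # Step 2: plan with schedule, backup window, lifecycle and retention.
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: example-daily-plan
        BackupPlanRule:
          - RuleName: daily
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: cron(0 3 * * ? *)   # 03:00 UTC every day
            StartWindowMinutes: 60                  # job must start within 1 h of schedule
            CompletionWindowMinutes: 720            # and finish within 12 h
            Lifecycle:
              MoveToColdStorageAfterDays: 30
              DeleteAfterDays: 120                  # must be >= cold-storage day + 90

  # Step 2: resources to protect, selected by tag instead of a hard-coded ARN list.
  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: tagged-resources
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup     # constructed tag key
            ConditionValue: daily    # constructed tag value

  # Step 8: EventBridge rule that forwards failed, expired or aborted backup jobs to SNS.
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref AlertTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref AlertTopic

  BackupFailureRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.backup]
        detail-type: [Backup Job State Change]
        detail:
          state: [FAILED, EXPIRED, ABORTED]
      Targets:
        - Arn: !Ref AlertTopic
          Id: backup-alerts
```

Two points a practitioner should check before deploying something like this. The vault access policy denies deletion to every principal, which is the intended protection against an operator or a compromised credential purging recovery points, but it also means the policy itself must be edited before any legitimate deletion; for an immutable variant, the vault's LockConfiguration property (AWS Backup Vault Lock) removes even that path. The EventBridge pattern covers job failures only; deletions of recovery points are published by AWS Backup under a separate detail-type (Recovery Point State Change) and need a second rule with the same SNS target.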
http://ArchitectureDiagrams/data-protection-with-aws-backup-ra.pdf?did=wp_card&trk=wp_card