Deploy a PoC of AWS Backup

Table of Contents

1. Overview
2. Methodology for conducting a PoC
3. Example of a PoC key success criteria matrix
4. AWS Backup configuration guidance
5. Prerequisites
6. PoC deployment steps
7. Deployment validation
8. Running the Guidance and PoC testing
9. Next Steps and testing for different scenarios
10. Cleanup

Overview

Proof-of-Concept (PoC) deployments that are not sized or configured to reflect real workload needs—and PoCs without clear success criteria—often lead to inconclusive results and longer evaluation cycles.

This Guidance provides a self-service PoC guide for AWS Backup, including example AWS CloudFormation templates and configuration guidance to help you deploy and validate baseline data protection for representative services (Amazon EC2/EBS, Amazon Aurora MySQL v3, and Amazon S3). The objective is to enable more informed deployment choices during PoC exercises. Using the PoC configuration guidance and the sample CloudFormation environment, you can quickly stand up, configure, and test policy-driven backups (with CMK encryption, local copies, restore testing, and compliance reporting) and evaluate fit for your workloads across recovery, governance, and operational readiness. You can test with your own applications and datasets.

AWS Backup is a fully managed service for centralized, policy-based data protection across AWS services. It simplifies creating and managing backup vaults, backup plans (frequency, retention), selections (e.g., tag-based), copies (same-Region or cross-Region/account), and lifecycle (warm→cold). AWS Backup also supports Restore testing to automate recovery validation and integrates with AWS Backup Audit Manager for continuous compliance reporting—while using your AWS KMS CMKs to meet encryption requirements.

This diagram illustrates the Guidance architecture, how it’s deployed, key components, and their interactions, with a step-by-step flow.

The diagram highlights the following:

• You deploy the PoC template from this Guidance using AWS CloudFormation in the AWS Management Console.
• AWS CloudFormation creates a VPC with two private subnets and required VPC endpoints for private access (no Internet Gateway or NAT Gateway).
• AWS CloudFormation launches one Amazon EC2 instance (t3.small) with an attached EBS data volume and Session Manager access (no inbound SSH).
• AWS CloudFormation deploys one Amazon Aurora MySQL v3 cluster (single writer, db.t3.medium) and one S3 data bucket with Object Lock enabled (30-day compliance retention).
• AWS CloudFormation creates two AWS Backup vaults encrypted with SSE-KMS (CMK), a backup plan (every 6 hours, 7-day retention) with a same-Region copy rule, and a tag-based selection.
• Three AWS Backup Audit Manager report plans (BackupJobs, RestoreJobs, CopyJobs) to S3; Restore testing is configured post-deploy in the console.

Cost

You are responsible for the AWS costs incurred while running this Guidance. Costs depend on the Region and on the dimensions below.

What drives cost in this PoC

Area	What you pay for
AWS Backup – backup storage	GB-month of backup data stored in vaults.
AWS Backup – restores	Per-GB restored.
AWS Backup – restore testing	An evaluation charge per tested recovery point plus per-GB restored (same rates as restore).
AWS Backup – cross-Region data transfer	Per-GB transferred out of a Region when copying.
Amazon EBS snapshots	GB-month of snapshot storage (incremental), by tier.
Amazon Aurora MySQL	DB instance hours, storage, and I/O (Aurora Standard), plus optional features.
Amazon EC2	Instance hours for the t3.small bastion/test host.
Amazon S3	Object storage and request charges for your data bucket and report bucket (empty initially).
VPC endpoints (PrivateLink)	Hourly charge per interface endpoint (8 endpoints) and data processing.
AWS KMS	Monthly charge per customer-managed key (3 keys) plus API requests.
Amazon CloudWatch Logs	Log ingestion and storage for Aurora exported logs (error, general, slowquery).

We recommend creating a Budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this Guidance.

Sample Cost Table

Note: Assumes us-east-1 on-demand rates and 720 hours per 30-day month; verify your Region on the official pricing pages.

AWS service	Dimensions	Example sizing	Example cost per-month [USD]
Amazon Aurora MySQL (instance)	db.t3.medium on-demand	1 writer	$51.84 (720 hrs × $0.072)
Amazon EC2	t3.small on-demand (Linux)	1 instance	$14.99 (720 hrs × $0.02083)
Amazon Aurora storage (Standard)	Standard storage	Minimal (empty initially)	$1.00 (10 GB × $0.10/GB-mo)
Amazon EBS (gp3)	General Purpose SSD	16 GB data + root volume	$1.60 (20 GB × $0.08/GB-mo)
Amazon S3 (Standard)	First 50 TB / month tier	Empty buckets initially	$0.00 (no objects stored initially)
S3 Object Lock (Compliance)	30-day compliance retention	Per object stored	Variable (depends on objects added)
VPC Interface Endpoints	8 endpoints × $0.01/hour	8 endpoints	$57.60 (8 × $0.01 × 720 hrs)
AWS KMS	3 customer-managed keys	3 keys	$3.00 (3 × $1.00/key-mo)
CloudWatch Logs	Log ingestion and storage	Minimal logs	~$2.00 (estimated for Aurora logs)

AWS Backup — storing backup copies (depends on your data size)

Protected resource type	Backup storage rate	Notes
Aurora cluster snapshot	$0.021 / GB-month	Incremental snapshots; depends on data size and change rate
EBS volume snapshot	$0.05 / GB-month	Incremental snapshots; 16 GB allocated but depends on actual usage
S3 backup	$0.05 / GB-month	Depends on objects you add to buckets

Backup frequency impact: Every 6 hours = 4 backups/day × 7 days retention = up to 28 recovery points per resource.

AWS Backup — restoring backups (per restore operation)

Restore type	Restore rate	Notes
Aurora cluster snapshot restore	Free	No charge for restore operation
EBS volume snapshot restore	Free	No charge for restore operation
S3 backup restore	$0.02 / GB	Charged per GB of data restored

AWS Backup Audit Manager — evaluation cost

• $1.25 per 1,000 evaluations per account per Region.
  Example: 1,000 evaluations in a month → $1.25; 10,000 evaluations → $12.50.

Important cost considerations

• Allocated vs. used storage: EBS (16 GB) and Aurora (minimum allocation) are charged regardless of actual data usage.
• Usage-based storage: S3 buckets are empty initially; you only pay for objects you add. Both buckets have lifecycle policies (30 days to Standard-IA, 90 days to Glacier).
• S3 Object Lock: Both data and reports buckets have 30-day compliance retention enabled - additional costs apply per object stored.
• Backup frequency: Every 6 hours with 7-day retention creates more recovery points than daily backups.
• VPC endpoints: Significant cost driver ($50.40/month) but eliminates need for NAT Gateway.
• Incremental snapshots: EBS and Aurora snapshots only store changed data after the first full snapshot.
• Aurora port: Uses non-standard port 3307 instead of default 3306.
• Aurora features: Backtrack enabled (24-hour window) and IAM database authentication enabled.
• CloudWatch Logs: Aurora exports error, general, and slowquery logs to CloudWatch.

Use the official pricing pages to plug in your Region-specific rates and any larger data sizes:
AWS Backup pricing, Amazon Aurora pricing, Amazon EC2 pricing, Amazon EBS pricing, Amazon S3 pricing, VPC pricing, KMS pricing.

Methodology for conducting a PoC

1. Define workload requirements and PoC outcomes. Create a key success criteria matrix covering: coverage scope (EC2/EBS, Aurora, S3), RPO/frequency, retention, encryption (CMK), copy behavior (same-Region), restore testing pass/fail + durations, and compliance reporting (BAM).

2. Integration & operational needs. Note access patterns (tags to include/exclude), monitoring/alerting expectations, audit/report consumers, and any app checks you’ll run after a restore.

3. Select tools & test data. Use your own datasets and plan to validate in the AWS Backup console and AWS Backup Audit Manager.

4. Confirm privileges. Ensure permissions to deploy CloudFormation, create IAM roles, KMS CMKs, and VPC endpoints. (See prerequisites.)

5. Deploy the PoC environment. Launch the template once the above are ready.

6. Tune the backup configuration. Adjust tags, plan frequency/retention, optional lifecycle (warm→cold), and local copy based on your RPO/retention targets.

7. Evaluate against the success matrix. Trigger on-demand backups (or wait for schedule), verify jobs/copies/recovery points, run Restore Testing, and generate BAM reports.

8. Iterate if needed. Refine tags, frequency/retention, or resource sizes; re-run tests to confirm objectives.

9. Tear down. Remove recovery points/reports as needed, then delete the stack when finished.
   
   

Example of a PoC key success criteria matrix

Below is an example PoC key success criteria table that you can populate when you run different PoC configurations and test scenarios. Prior to conducting a PoC, note your workload configuration so results are comparable across runs.

Scenario 1

Workload configuration

Item	PoC Value
In-scope services (EC2/EBS, Aurora MySQL v3, S3)
Number of in-scope resources
Approximate data set size (files/rows/objects)
Daily change rate
Business RPO target
Business RTO target (per service)

AWS Backup configuration (this PoC)

Item	PoC Value
Backup vaults & encryption
Plan frequency & retention
Start/Complete windows
Selection method
Copy rule
Lifecycle (warm→cold)
Restore Testing plan
Reporting

Protection & compliance testing

Metric	Target value	PoC value
Coverage (tag-based)
Backup job success (6h)
Copy job success (6h)
RPO achieved
Retention applied
Encryption on recovery points (CMK)
BAM reports delivered (S3)

Restore testing (recoverability)

Metric	Target value	PoC value
EC2/EBS restore result
EC2/EBS restore duration (vs RTO)
Aurora restore result
Aurora restore duration (vs RTO)
S3 restore result (test prefix)
S3 restore duration (vs RTO)

Functional testing

Feature	Outcome
Tag-based selection includes/excludes as expected
Local copy to secondary vault completes
(If enabled) Lifecycle transitions occur on schedule
Restore Testing plan runs on schedule/on-demand
BAM report plan generates daily & on-demand reports

AWS Backup configuration guidance

This section lists the configuration options you can control for AWS Backup and the PoC defaults we use here. Each item links to the deeper explanation in PrescriptiveGuidance_AWSBackup.md.

1. Backup vaults & encryption

   • What you can configure: number of vaults (by environment or criticality), vault resource policies, and encryption with AWS-managed or customer-managed (CMK) KMS keys; immutability options (Vault Lock, LAG) are strategic controls.
   • PoC default: two CMK-encrypted vaults (Primary + same-Region Secondary).
   • Where to read more: Section 2.3 – Backup Vaults and Encryption

2. Access control (IAM, vault policy, KMS policy)

   • What you can configure: who can start backup/copy/restore; what each vault allows (e.g., deny delete); and which principals can use CMKs. Effective control spans IAM identity policies, vault resource policies, and KMS key policies.
   • PoC default: creates a new service role BackupPoC-ServiceRole-${AWS::Region} and keep vault policies minimal.
   • Where to read more: Section 2.4 – Access Control (IAM and Backup Vault Policies)

3. Assignments (what gets protected)

   • What you can configure: tag-based vs resource-based assignments; tag logic (AND/OR) for inclusion/exclusion; recommended tag sets by tier/compliance.
   • PoC default: tag-based (Backup=Hourly7) on the EC2 instance + EBS volume, Aurora cluster, and S3 bucket.
   • Where to read more: Section 3.1 – Tag-Based vs Resource-Based Assignments

4. Plan & rule structure (frequency, windows, retention, lifecycle)

   • What you can configure: one or more rules per plan; schedules (cron/hourly), Start window and Complete within windows, retention; lifecycle (warm→cold) for cost control.
   • Frequency by tier (examples): mission-critical (hourly/continuous where supported), business-essential (every X hours or daily), non-prod (weekly/on-demand).
   • PoC default: one every 6 hours rule, 7-day retention, Start window 60 min / Complete within 720 min, lifecycle off.
   • Where to read more: Section 3 – Designing Backup Plan Frequency and Rule Structure

5. Copy strategy (none, local, cross-Region, cross-account)

   • What you can configure: copy to another vault in-Region or to another Region/account; copies become independent recovery points with their own retention and encryption (destination CMK). Copies run after the source backup in their own window.
   • PoC default: same-Region copy to a secondary vault (ownership unchanged).
   • Where to read more: Section 2.5 – Cross-Region and Cross-Account Copies

6. Service-specific behaviors (use for expectations, not configs)

   • EC2/EBS: multi-volume crash-consistent backups; EBS snapshots are incremental.
   • Aurora/RDS: snapshot vs continuous/PITR choices impact retention and copy semantics.
   • S3: baseline in this PoC; advanced options (e.g., versioning/Object Lock) are evaluated later.
   • Where to read more: Section 4 – Service-Specific Backup Modules

7. Monitoring, validation, and reporting (evidence)

   • What you can configure: operational monitoring via jobs/copies/recovery points; Restore Testing cadence and retain-for; AWS Backup Audit Manager report plans to S3.
   • PoC default: weekly Restore Testing (configured in the console) for EC2/EBS, Aurora, S3; three BAM report plans (BackupJobs, RestoreJobs, CopyJobs) delivered to S3 (on-demand and daily).
   • Where to read more: Section 3.4 – Validating Backup Health and Compliance and Section 5 – Validation and Testing

Prerequisites

Test data

• Identify any test data needed for the PoC:
  • Files on the EC2/EBS data volume
  • Rows in the Aurora MySQL v3 database
  • Objects in the S3 data bucket

Networking & security groups

• The PoC CloudFormation template creates a VPC, 2 private subnets, route tables, VPC endpoints for private access, and security groups:
  • EC2 security group to allow Aurora access (no inbound SSH; SSM Session Manager is used).
  • Aurora security group to allow traffic only from the EC2 security group on port 3307 (non-standard MySQL port).
  • VPC endpoints provide private access to AWS services without Internet Gateway or NAT Gateway.

Getting started with AWS Backup

• Review Getting started with AWS Backup for service setup and regional considerations.

Operating system

• All installable packages/modules used by the PoC (e.g., mysql client) are deployed via the template.
• The EC2 instance uses Amazon Linux 2023 as the base AMI.

AWS account requirements

• Access to the AWS Management Console or AWS CLI, with privileges to deploy the PoC CloudFormation template and create/manage resources.

You can run the following example permission checks (Linux/macOS shell) to verify your principal can create key PoC resources (adjust as needed for your environment):

# Get caller identity
MYARN="$(aws sts get-caller-identity --query Arn --output text)"

Below are examples of how you can check if you have the required permissions to create an EC2 instance, Aurora Database, S3 bucket, VPC Security Group, Backup Plans and Vaults

# Core CloudFormation & IAM pass role
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "cloudformation:CreateStack" | grep -i decision
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "iam:CreateRole" "iam:PassRole" | grep -i decision

# Networking (VPC, endpoints) and EC2/EBS
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "ec2:CreateVpc" "ec2:CreateSubnet" "ec2:CreateSecurityGroup" "ec2:CreateVpcEndpoint" | grep -i decision
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "ec2:RunInstances" "ec2:CreateVolume" | grep -i decision

# RDS / Aurora (cluster + subnet group)
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "rds:CreateDBSubnetGroup" "rds:CreateDBCluster" "rds:CreateDBInstance" | grep -i decision

# S3 (data bucket + BAM reports bucket)
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "s3:CreateBucket" | grep -i decision

# KMS (CMKs for vaults and data services)
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names "kms:CreateKey" "kms:CreateAlias" "kms:PutKeyPolicy" "kms:DescribeKey" | grep -i decision

# AWS Backup (vaults, plans, selections, copies, reporting, restore testing)
aws iam simulate-principal-policy --policy-source-arn "$MYARN" --action-names \
  "backup:CreateBackupVault" "backup:PutBackupVaultAccessPolicy" \
  "backup:CreateBackupPlan" "backup:CreateBackupSelection" | grep -i decision

PoC Guidance deployment steps

Deploying the AWS Backup PoC environment using CloudFormation

Deploy the PoC CloudFormation template from this repository:

PoC template	Description
assets/code/backup_poc_baseline.yaml	VPC (2 private subnets) with VPC endpoints for private access; EC2 (t3.small) + EBS data volume; Aurora MySQL v3 (single writer); S3 data bucket with Object Lock; two CMK-encrypted AWS Backup vaults; backup plan (every 6 hours, 7-day retention) with same-Region copy rule; tag-based selection (targets EC2/EBS, Aurora, S3); and three BAM report plans (BackupJobs, RestoreJobs, CopyJobs) to S3.

1. Open the AWS CloudFormation console → Create stack → With new resources (standard).
2. Upload a template file and select assets/code/backup_poc_baseline.yaml.
3. Provide a stack name and parameters (see Template parameters below).
4. Choose Next → acknowledge capabilities → Create stack.
5. Wait for CREATE_COMPLETE.
6. In Outputs, record the values listed under Stack outputs below.

Template parameters (reference)

Parameter	Purpose	Suggested default
VpcCidr	VPC IPv4 CIDR	10.0.0.0/16
PrivateSubnetCidr	Private subnet CIDR (AZ1)	10.0.1.0/24
PrivateSubnet2Cidr	Private subnet CIDR (AZ2)	10.0.2.0/24
EC2InstanceType	PoC instance type	t3.small
AuroraEngineVersion	Engine version	8.0.mysql_aurora.3.10.0
AmiId	EC2 AMI (SSM Parameter)	/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
DBInstanceClass	Aurora instance class	db.t3.medium
DBUsername	Aurora admin user	—
DBPassword	Aurora admin password	—
DataBucketName	S3 data bucket	(blank)
PrimaryVaultKmsAlias	KMS alias (primary vault)	alias/backup-poc-vault-primary
SecondaryVaultKmsAlias	KMS alias (secondary vault)	alias/backup-poc-vault-secondary
DataServicesKmsAlias	KMS alias (data services)	alias/backup-poc-data
RetentionDays	Backup retention	7
StartWindowMinutes	Start window	60
CompleteWithinMinutes	Complete within	720
BackupTagKey	Selection tag key	Backup
BackupTagValue	Selection tag value	Hourly7
ReportBucketName	Reports bucket	Autocreate if left blank

Note: The template creates a backup plan named "BackupPoC-6HourlyPlan" that runs every 6 hours. Same-Region copy and three BAM report plans (BackupJobs, RestoreJobs, CopyJobs) are always enabled in this template.

Intentionally not in this template: automatic Restore Testing plan creation. You’ll add this in the console after deployment so you can choose “Start within” and “Retain for” values that fit your environment.

Stack outputs

Output	What you might need it for
VpcId, PrivateSubnetId, PrivateSubnet2Id	Network checks and connectivity.
Ec2InstanceId, EbsVolumeId	Session Manager access; selection/tag checks.
AuroraEndpoint	Connectivity from EC2; optional sample data load.
DataBucketNameOut	Path for sample objects; BAM reports (if shared bucket).
PrimaryVaultArn, SecondaryVaultArn	Verify encryption and copies.
BackupPlanId, BackupSelectionId	Confirm schedule/retention and tag inclusion.
ReportsBucketNameOut	Retrieve BAM reports.
BackupJobReportPlanArn	Backup Jobs report plan ARN.
RestoreJobReportPlanArn	Restore Jobs report plan ARN.
CopyJobReportPlanArn	Copy Jobs report plan ARN.

Quick tag check

Ensure the selection tag is present on all three resources:

• EC2 instance and its attached EBS data volume
• Aurora DB cluster
• S3 data bucket

Default tag: Backup=Hourly7

Missing tags are the most common reason resources don’t get protected in tag-based PoCs.

Post-deploy: add sample data (you choose the size & shape)

Important: The template creates empty resources initially. EBS and Aurora storage costs are based on allocated capacity, while S3 costs depend on actual objects stored.

Load a small, representative dataset so backups create non-trivial recovery points. Use your own sample data or synthetic data generators you’re comfortable with:

• S3 objects: generate CSV/JSON with tools like Mockaroo or Faker, then upload with aws s3 cp / aws s3 sync.
• Aurora MySQL v3: load a realistic schema or use sample such as the Amazon Aurora MySQL sample HR schema
• EC2/EBS files: create files of desired sizes (e.g., on the EC2 instance via Session Manager):

  # Example: create a 100 MiB file on /data
  sudo mkdir -p /data
  dd if=/dev/urandom of=/data/large_file.bin bs=1M count=100 status=progress

  Keep data volumes modest for the PoC; increase only if you’re evaluating job duration or storage cost behavior.

Post-deploy: create a Restore Testing plan (console)

• Open AWS Backup → Restore testing → Create plan.
• Name the plan (e.g., PoC-RestoreTesting), set Frequency (e.g., weekly), Start within (e.g., 4 hours), and Retain for (e.g., 2 hours).
• Add selections:
  • EC2/EBS: select the EBS volume (or instance) used in this PoC.
  • Aurora: select the cluster (connects on port 3307).
  • S3: select the data bucket and a test prefix for restores.
• Create plan and Run on-demand once to capture initial evidence.
• After completion, review restore job results and note durations. Test resources are auto-removed after the retain-for window.

Verify protection & reporting

• Backup jobs / Copy jobs: confirm recent jobs show COMPLETED.
• Backup vaults: verify recovery points in Primary and copies in Secondary.
• Reports: open AWS Backup → Reports and run the BAM report plans on demand; fetch the latest CSV/JSON from the reports bucket/prefix.

Deployment Validation

You can validate a successful deployment by:

Navigate to the AWS CloudFormation console and verify that the status of the CloudFormation stack that you deployed is showing CREATE_COMPLETE.

Running the Guidance and PoC testing

Goal: turn the deployed PoC into evidence that baseline protection works across EC2/EBS, Aurora MySQL v3, and S3.

Before you start — quick checks

• Tags present: Backup=Hourly7 on EC2 instance and its EBS volume, Aurora DB cluster, and S3 data bucket.
• Windows set: Start window 60 minutes, Complete within 720 minutes.
• Endpoints up: VPC endpoints show Available.
• KMS access: CMK key policies allow use by AWS Backup and data services.

Baseline run

1. Confirm coverage
   AWS Backup → Protected resources. Verify EC2/EBS, Aurora, and S3 appear via tag-based selection.

2. Start initial backups on demand
   For each service select Create on-demand backup using the backup rule (every 6 hours). Monitor Backup jobs to COMPLETED.

3. Verify copies and encryption
   Copy jobs show COMPLETED. In Backup vaults verify recovery points in Primary and copies in Secondary with SSE-KMS (CMK).

4. Run one restore testing cycle
   Create a plan if not already present. Frequency weekly, Start within ~4 hours, Retain for ~2 hours.
   Add selections for EC2/EBS, Aurora, and S3, then Run on-demand once. After COMPLETED:

   • EC2/EBS: restored volume shows Available; attach/read if you want a quick spot check.
   • Aurora: restored cluster shows Available; connect from the EC2 instance and run a simple SELECT COUNT(*).
   • S3: restored objects appear under the chosen test prefix.
     Allow retain-for to clean up test resources automatically.

5. Produce audit evidence
   Reports → run the AWS Backup Audit Manager report plans on demand. Download Control and Resource Compliance, BackupJobs, RestoreJobs, and CopyJobs reports from the reports S3 bucket/prefix.

Capture for the PoC matrix

• Coverage: resources present under Protected resources.
• Backups: job status, start and end, recovery point IDs.
• Copies: job status, destination vault, copy retention.
• Encryption: CMK on vaults and recovery points.
• Restore tests: pass or fail per service and duration vs RTO.
• Reports: on-demand run time, files present in S3, any non-compliant controls.

Expected observations and deeper references

• Amazon EC2 and EBS: multi-volume backups are crash-consistent; EBS snapshots are incremental. Deeper dive → Section 4.1 – Amazon EC2/EBS
• Amazon Aurora MySQL v3: snapshot-based backups in this PoC; restores create a new cluster reachable from EC2. Deeper dive → Section 4.2 – Amazon RDS & Aurora
• Amazon S3: backups at bucket scope; restores land under the selected test prefix. Deeper dive → Section 4.3 – Amazon S3

Interpreting results

• If jobs queue or overlap, widen Start window or Complete within and retest.
• If RTO is tight, compare observed restore times and adjust frequency or selection scope.
• If reports flag gaps, fix tags or retention and rerun to confirm.

Next Steps and testing for different scenarios

Use the baseline results to decide where to go deeper. Pick one theme at a time, change a small number of settings, and re-run your PoC matrix.

Protection policy variations

• Increase backup frequency for tighter RPO (e.g., multiple times per day for EC2/EBS and S3).
• Split selections by tag to isolate tiers or apps and reduce job contention.
• Align retention by data class; test shorter retention for dev/test and longer for prod-like data.

Copy and disaster recovery

• Add a cross-Region copy to a second vault; repeat evidence capture for copy jobs and restores.
• Add a cross-account copy with a destination CMK; confirm key separation and access boundaries.
• Validate restore in the destination Region/account and record new RTO/RPO observations.

Lifecycle and cost control

• Enable warm-to-cold lifecycle with conservative transition and delete-after values.
• Measure storage and copy costs with and without cold tier; record retrieval behavior during restore.
• Test different data sizes to see how job duration and storage growth scale.

Service-specific extensions

• EC2/EBS: test multi-volume workloads and, if applicable, Windows VSS for application-consistent backups.
• Aurora MySQL: compare snapshot-based backups with continuous backup and PITR; note retention and copy trade-offs.
• S3: enable versioning or Object Lock in a controlled test bucket; validate backup and restore behaviors on versions.

Governance and security

• Enable Backup Vault Lock or Legal hold on a non-production vault; verify delete protections.
• Try delegated admin or organization-level controls in a sandbox account; confirm selections and report scope.
• Separate CMKs per vault or per data class; verify encryption posture in reports.

Restore testing at scale

• Increase the restore testing cadence temporarily to collect more samples.
• Add simple health checks and publish results with PutRestoreValidationResult via EventBridge.
• Track restore durations and success rates over a week to build confidence intervals.

Reporting and evidence

• The template includes three BAM report plans (BackupJobs, RestoreJobs, CopyJobs) that are already enabled.
• Add S3 lifecycle for reports to control cost while keeping enough history for audits.
• Build a lightweight dashboard from report outputs to visualize coverage and compliance over time.

Keep each scenario focused. Adjust one theme, run backups and copies, run a restore testing cycle, generate reports, and update the PoC matrix. Promote only the patterns that meet your RPO/RTO, compliance, and cost goals.

Cleanup

Before deleting the deployed CloudFormation stack, you need to manually delete any new AWS resources you have manually created in the PoC VPC after deployment (i.e. additional EC2 compute instances, or new/updated IAM roles), and delete or expire recovery points and empty S3 buckets before deleting the stack; vaults with recovery points cannot be removed.

To delete the PoC Guidance:

• Navigate to the AWS CloudFormation console
• Select the CloudFormation stack that you deployed as part of this Guidance, then select Delete
  • Note: AWS resources deployed by the PoC guidance CloudFormation template will be tagged with the name of the CloudFormation stack name you provided during deployment. (i.e. aws:cloudformation:stack-name: <your-stack-name>)

Notices

Include a legal disclaimer

Example: Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.

Authors

1. Sravan Rachiraju
2. Rucha Kiwlekar
3. Suman Rajotia