AWS Database Blog

Enhanced AWS Backup features for Amazon DynamoDB

Amazon Web Services (AWS) recently announced new features in AWS Backup for Amazon DynamoDB on-demand backups that can help you meet your compliance, business continuity, and cost-optimization needs.

In this post, we describe these features and provide a step-by-step guide for using them to copy DynamoDB backups across AWS Regions and across accounts, configure your backup lifecycle, and configure an additional layer of encryption for backups.

What’s new

You can now copy your DynamoDB backups across Regions and across AWS accounts, move your DynamoDB backups to a cold storage tier, and add cost-allocation tags to the backups. You can also encrypt your backups using different encryption settings than are used on your source DynamoDB tables.

You might have to store copies of backups in a secondary Region or account to help meet your organizational requirements, especially if the organization is in a regulated industry. Support for cross-Region and cross-account copy for DynamoDB on-demand backups can help you meet your business continuity and disaster recovery requirements. Additionally, if you have long-term retention needs for backups, you can use the cold storage tiering and cost allocation features to help decrease costs and improve cost management. Finally, if you have security requirements around using different encryption for primary and secondary workloads, the new features can help you comply with those requirements.

Solution overview

This solution includes the following high-level steps:

  1. Enable AWS Backup for DynamoDB.
  2. Configure an AWS Backup vault and set up secondary encryption.
  3. Configure a DynamoDB backup.
  4. Configure a DynamoDB backup lifecycle and add tags.
  5. Copy the DynamoDB backup across Regions and accounts.

Enable AWS Backup settings for DynamoDB

You can use the AWS Management Console for either AWS Backup or DynamoDB to use the new features. In this post, you’ll learn how to configure and use the advanced backup features, including cross-account backup and cost-allocation tags, on the DynamoDB console, starting with enabling backups.

To enable AWS Backup

On the DynamoDB console, choose Backups in the navigation pane and then choose Enable (if not already enabled).

Figure 1: Enable backups

Configure an AWS Backup vault and set up secondary encryption

To use cross-account backup and cost-allocation tags, you must configure a backup vault in AWS Backup. A backup vault is a container that stores and organizes your backups.

To configure an AWS Backup vault and secondary encryption

  1. On the AWS Backup console, choose Backup vaults in the navigation pane and then choose Create Backup vault.

    Figure 2: Use the AWS Backup console to create a Backup vault

  2. On the Create Backup vault page:
    1. Enter a backup vault name (for this post, enter DynamoDBVault).
    2. Choose an encryption key.
      Note: We recommend adding an extra layer of security by encrypting your backups with a different encryption key than that of the source DynamoDB table. You can choose either the default encryption key—called (default) aws/backup—or a key you previously created in the AWS Key Management Service (AWS KMS).
    3. Choose Create Backup vault.
Figure 3: Create backup vault

Note: For this solution, we use DynamoDBVault to store backups, which are encrypted using the key configured during vault creation.

Configure a DynamoDB backup

Now that you’ve set up a backup vault, you can create an on-demand backup of your DynamoDB table.

To configure a DynamoDB backup

  1. On the DynamoDB console, navigate to the Tables page and select the table you want to configure for cross-Region and cross-account backup.
    Note: If you need to create a new DynamoDB table and populate it with sample data, refer to Create Example Tables for instructions. These instructions use an existing table called order_detail.
  2. [Optional] On the Overview tab, choose Additional Info. You’ll see that the encryption type for the table shows Owned by Amazon, meaning that the table is encrypted using the AWS owned key, which isn’t stored in your AWS account.
  3. On the Backups tab, in the Backups section, choose Create backup, and then select Create on-demand backup.

    Figure 4: Create a new on-demand backup

  4. Select Customize settings, Backup with AWS Backup, and then select Create Backup now to start backup creation immediately.

    Figure 5: Configure on-demand backup settings

For more information about scheduling a backup, refer to Set up scheduled backups for Amazon DynamoDB using AWS Backup.

Configure a DynamoDB backup lifecycle and add tags

You now configure the lifecycle, which defines when a backup is transitioned to cold storage and when it expires.

To configure a DynamoDB backup lifecycle and add tags

  1. On the schedule section of the Create Backup Plan page, select the following:
    1. For Transition to cold storage, select Days and enter 31.
    2. For Retention period, select Days and enter 366.
    3. For Backup vault, select the vault you created earlier.
    4. [Optional] For Tags, set the Key to dept and the Value to sales.
    5. Choose Create backup.

      Figure 6: Configure lifecycle and add tags

  2. You should now see a status message that your backup request has been submitted. Wait a few moments and choose the refresh icon until your backup appears in the list. Select your new backup to view its details.

    Figure 7: View backup details

  3. In the Backup job summary section, choose DynamoDBVault. This redirects you to the AWS Backup console, where you can see all the backups in this vault. Each is identified by a recovery point ID.

    Figure 8: DynamoDBVault backups

Copy the DynamoDB backup across Regions and accounts

Now that you have created a backup, you can copy it across different Regions or accounts.

To copy the DynamoDB backup

  1. On the AWS Backup console, go to the DynamoDBVault vault details page and select the backup you want to copy. Choose the Actions menu and select Copy.

    Figure 9: Copy the DynamoDB backup

  2. On the Copy configuration page:
    1. For Copy to destination, choose the Region where you want to copy the backup. These instructions use Europe (Ireland) as the destination Region.
      Note: The Region you’re copying from is shown in the upper corner of the console.
    2. For Destination Backup vault, choose Default.
    3. Configure the retention period to expire the backup copy after 366 days.
    4. Choose Copy.

      Figure 10: Configure the backup copy

  3. Turn on Copy to another account’s vault to configure cross-account backup, and enter the ARN of the backup vault in the destination account, provided you have appropriate permissions. Both the source and destination AWS accounts must be members of the same organization in AWS Organizations for a cross-account copy.

    Figure 11: Copy to another account’s vault

  4. Wait for the Status of the copy to change to Completed. Depending on the size of the backup, it may take a few minutes or several hours for the copy to complete.

    Figure 12: Verify that the copy has completed

  5. Go to the destination Region.
  6. On the AWS Backup console, choose Backup vaults in the navigation pane and choose the Default vault to verify that the backup has been copied successfully to your destination Region. You can now restore the table in the secondary Region as well.

    Figure 13: Check destination Region to verify that the backup copy is completed
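
The console settings above, expressed as the keyword arguments that the boto3 `backup` client's `start_backup_job` and `start_copy_job` accept, with the lifecycle, vault key, and copy destination checked before anything is submitted. This is an added example, not code from the original post: the helper names are hypothetical, the account IDs, role, key, and source Region are constructed placeholders, and the 90-day minimum for cold storage is an AWS Backup rule that the post does not state.

```python
import re

# Backup vault ARN: arn:<partition>:backup:<region>:<account>:backup-vault:<name>
VAULT_ARN = re.compile(r"^arn:aws[a-z-]*:backup:(?P<region>[a-z0-9-]+):"
                       r"(?P<account>\d{12}):backup-vault:(?P<name>[\w-]+)$")
MIN_COLD_DAYS = 90  # AWS Backup keeps a backup in cold storage at least 90 days
# Constructed placeholders (assumptions): account ID, role name, source Region.
ROLE = "arn:aws:iam::111122223333:role/ExampleBackupRole"
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/order_detail"


def lifecycle(delete_after_days, cold_after_days=None):
    """Build a Lifecycle dict, rejecting a retention AWS Backup would refuse."""
    if cold_after_days is None:
        return {"DeleteAfterDays": delete_after_days}
    if delete_after_days < cold_after_days + MIN_COLD_DAYS:
        raise ValueError("retention must be >= cold transition + 90 days")
    return {"MoveToColdStorageAfterDays": cold_after_days,
            "DeleteAfterDays": delete_after_days}


def key_is_separate(table, vault):
    """True when the vault key differs from the key ARN the table reports."""
    # A table on the AWS owned key reports no KMSMasterKeyArn (None here).
    table_key = table.get("SSEDescription", {}).get("KMSMasterKeyArn")
    return vault["EncryptionKeyArn"] != table_key


def backup_request(table_arn, vault_name, role_arn, tags):
    """kwargs for start_backup_job with the walkthrough's 31/366-day lifecycle."""
    return {"BackupVaultName": vault_name, "ResourceArn": table_arn,
            "IamRoleArn": role_arn, "Lifecycle": lifecycle(366, 31),
            "RecoveryPointTags": dict(tags)}


def copy_request(recovery_point_arn, source_vault, dest_vault_arn, role_arn,
                 source_region, source_account):
    """kwargs for start_copy_job, plus the boundaries the copy crosses."""
    m = VAULT_ARN.match(dest_vault_arn)
    if m is None:
        raise ValueError(f"not a backup vault ARN: {dest_vault_arn!r}")
    scope = {label for label, differs in (
        ("cross-Region", m["region"] != source_region),
        ("cross-account", m["account"] != source_account)) if differs}
    kwargs = {"RecoveryPointArn": recovery_point_arn,
              "SourceBackupVaultName": source_vault,
              "DestinationBackupVaultArn": dest_vault_arn,
              "IamRoleArn": role_arn, "Lifecycle": lifecycle(366)}
    return kwargs, scope
```

Checking the returned scope before submitting catches a destination ARN that points back at the source account or Region, which would leave the copy without the isolation it was meant to provide.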

Clean up

To avoid incurring future charges, follow these steps to remove the example resources:

  1. Delete the source and the restored DynamoDB tables if you created them for this post.
  2. Delete the backup plans and recovery points. For instructions, see Clean up resources.

Conclusion

In this post, we provided a step-by-step guide to copy DynamoDB backups across Regions to meet your compliance and regulatory requirements, and we explained how you can copy DynamoDB backups across accounts to enable global disaster recovery. We also provided a walkthrough of how you can add tags to DynamoDB backups and configure a lifecycle that transitions backups to cold storage.

To learn more about AWS Backup, check out the Developer Guide.


About the Authors

Dhiraj Thakur is a Solutions Architect with Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He is passionate about technology and enjoys building and experimenting in the analytics and AI and ML space.

Juhi Patil is a London-based DynamoDB Specialist Solutions Architect with a background in big data technologies. She helps customers design, evaluate, and optimize their DynamoDB-based solutions.