

# Using AWS Backup with DynamoDB
<a name="backuprestore_HowItWorksAWS"></a>

Amazon DynamoDB can help you meet regulatory compliance and business continuity requirements through enhanced backup features in AWS Backup. AWS Backup is a fully managed data protection service that makes it easy to centralize and automate backups across AWS services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your AWS resources in one place. To use AWS Backup, you must affirmatively [opt-in](https://docs.aws.amazon.com/aws-backup/latest/devguide/service-opt-in.html). Opt-in choices apply to the specific account and AWS Region, so you might have to opt in to multiple Regions using the same account. For more information, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html). 

Amazon DynamoDB is natively integrated with AWS Backup. You can use AWS Backup to schedule, copy, tag, and manage the lifecycle of your DynamoDB on-demand backups automatically. You can continue to view and restore these backups from the DynamoDB console. You can use the DynamoDB console, API, and AWS Command Line Interface (AWS CLI) to enable automatic backups for your DynamoDB tables.

**Note**  
Any backups made through DynamoDB will remain unchanged. You will still be able to create backups through the current DynamoDB workflow.

Enhanced backup features available through AWS Backup include:

**Scheduled backups** - You can set up regularly scheduled backups of your DynamoDB tables using backup plans.

**Cross-account and cross-Region copying** - You can automatically copy your backups to another backup vault in a different AWS Region or account, which allows you to support your data protection requirements.

**Cold storage tiering** - You can configure your backups to implement life cycle rules to delete or transition backups to colder storage. This can help you optimize your backup costs.

**Tags** - You can automatically tag your backups for billing and cost allocation purposes.

**Encryption** – DynamoDB on-demand backups managed through AWS Backup are now stored in the AWS Backup vault. This allows you to encrypt and secure your backups by using an AWS KMS key that is independent from your DynamoDB table encryption key.

**Audit backups** – You can use AWS Backup Audit Manager to audit the compliance of your AWS Backup policies and to find backup activity and resources that are not yet compliant with the controls that you defined. You can also use it to automatically generate an audit trail of daily and on-demand reports for your backup governance purposes. 

**Secure backups using the WORM model** – You can use AWS Backup Vault Lock to enable a write-once-read-many (WORM) setting for your backups. With AWS Backup Vault Lock, you can add an additional layer of defense that protects backups from inadvertent or malicious delete operations, changes to backup recovery periods, and updates to lifecycle settings. To learn more, see [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html).

These enhanced backup features are available in all AWS Regions. To learn more about these features, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html).

**Topics**
+ [Backing up and restoring DynamoDB tables with AWS Backup: How it works](GettingStartedBackupsAWS.md)
+ [Creating backups of DynamoDB tables with AWS Backup](CreateBackupAWS.md)
+ [Copying a backup of a DynamoDB table with AWS Backup](CrossRegionAccountCopyAWS.md)
+ [Restoring a backup of a DynamoDB table from AWS Backup](Restore.TutorialAWS.md)
+ [Deleting a backup of a DynamoDB table with AWS Backup](Delete.TutorialAWS.md)
+ [Usage note differences between on-demand backups managed by AWS Backup and DynamoDB](UsageNotesAWS.md)

# Backing up and restoring DynamoDB tables with AWS Backup: How it works
<a name="GettingStartedBackupsAWS"></a>

You can use the on-demand backup feature to create full backups of your Amazon DynamoDB tables. This section provides an overview of what happens during the backup and restore process.

## Backups
<a name="GettingStartedBackupsAWS.backups"></a>

When you create an on-demand backup with AWS Backup, a time marker of the request is cataloged. The backup is created asynchronously by applying all changes until the time of the request to the last full table snapshot.

Each time you create an on-demand backup, the entire table data is backed up. There is no limit to the number of on-demand backups that can be taken.

**Note**  
Unlike DynamoDB Backups, backups made with AWS Backup are not instantaneous.

While a backup is in progress, you can't do the following:
+ Pause or cancel the backup operation.
+ Delete the source table of the backup.
+ Disable backups on a table if a backup for that table is in progress.

AWS Backup provides automated backup schedules, retention management, and lifecycle management. This removes the need for custom scripts and manual processes. AWS Backup runs the backups and deletes them when they expire. For more information, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html).

If you're using the console, any backups created using AWS Backup are listed on the **Backups** tab with the **Backup type** set to `AWS_BACKUP`.

**Note**  
You can't delete backups marked with a **Backup type** of `AWS_BACKUP` using the DynamoDB console. To manage these backups, use the AWS Backup console.

To learn how to perform a backup, see [Backing up a DynamoDB table](Backup.Tutorial.md).

## Restores
<a name="GettingStartedBackupsAWS-restore"></a>

You restore a table without consuming any provisioned throughput on the table. You can do a full table restore from your DynamoDB backup, or you can configure the destination table settings. When you do a restore, you can change the following table settings:
+ Encryption settings

**Important**  
When you do a full table restore, the destination table is set with the same provisioned read capacity units and write capacity units that the source table had when the backup was requested. The restore process also restores the local secondary indexes and the global secondary indexes.

You can copy a backup of your DynamoDB table data to a different AWS Region and then restore it in that new Region. You can copy and then restore backups between AWS commercial Regions, AWS China Regions, and AWS GovCloud (US) Regions. You pay only for the data you copy from the source Region and the data you restore to a new table in the destination Region.

AWS Backup will restore the tables with all the original indexes.

You must manually set up the following on the restored table:
+ Auto scaling policies
+ AWS Identity and Access Management (IAM) policies
+ Amazon CloudWatch metrics and alarms
+ Tags
+ Stream settings
+ Time to Live (TTL) settings
+ Deletion protection settings
+ Point in time recovery (PITR) settings
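
An added example (not from the AWS documentation) that compares a source table with its restored copy and lists which DynamoDB-side settings from the list above still have to be reapplied. The snapshots are constructed and assume the merged output of `DescribeTable`, `DescribeTimeToLive`, `DescribeContinuousBackups` and `ListTagsOfResource`; auto scaling policies, IAM policies and CloudWatch alarms live in other services and are not covered.

```python
def _settings(snap):
    """Reduce one table snapshot to the DynamoDB-side settings from the list above."""
    table = snap.get("Table", {})
    stream = table.get("StreamSpecification", {})
    ttl = snap.get("TimeToLiveDescription", {})
    pitr = snap.get("ContinuousBackupsDescription", {}).get(
        "PointInTimeRecoveryDescription", {})
    return {
        "tags": {t["Key"]: t["Value"] for t in snap.get("Tags", [])},
        "stream_view_type": stream.get("StreamViewType") if stream.get("StreamEnabled") else None,
        "ttl_attribute": (ttl.get("AttributeName")
                          if ttl.get("TimeToLiveStatus") == "ENABLED" else None),
        "deletion_protection": bool(table.get("DeletionProtectionEnabled")),
        "pitr_enabled": pitr.get("PointInTimeRecoveryStatus") == "ENABLED",
    }

def settings_to_reapply(source, restored):
    """Return {setting: source value} for every setting the restored table lacks."""
    want, have = _settings(source), _settings(restored)
    return {name: want[name] for name in want if want[name] != have[name]}

# Constructed snapshots: each merges the DescribeTable, DescribeTimeToLive,
# DescribeContinuousBackups and ListTagsOfResource responses for one table.
SOURCE = {
    "Table": {"TableName": "Orders", "DeletionProtectionEnabled": True,
              "StreamSpecification": {"StreamEnabled": True,
                                      "StreamViewType": "NEW_AND_OLD_IMAGES"}},
    "TimeToLiveDescription": {"TimeToLiveStatus": "ENABLED", "AttributeName": "expires_at"},
    "ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}},
    "Tags": [{"Key": "env", "Value": "prod"}],
}
RESTORED = {  # constructed: a restored table before any manual setup
    "Table": {"TableName": "Orders-restored", "DeletionProtectionEnabled": False},
    "TimeToLiveDescription": {"TimeToLiveStatus": "DISABLED"},
    "ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}},
    "Tags": [],
}

if __name__ == "__main__":
    for name, value in settings_to_reapply(SOURCE, RESTORED).items():
        print(f"reapply {name}: {value!r}")
```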

You can only restore the entire table data to a new table from a backup. You can write to the restored table only after it becomes active.

**Note**  
AWS Backup restores are nondestructive. You can't overwrite an existing table during a restore operation.

Restore times are directly related to the configuration of your tables (such as the size of your tables and the number of underlying partitions) and other related variables. A best practice when planning for disaster recovery is to regularly document average restore completion times and establish how these times affect your overall Recovery Time Objective.

To learn how to perform a restore, see [Restoring a DynamoDB table from a backup](Restore.Tutorial.md).

You can use IAM policies for access control. For more information, see [Using IAM with DynamoDB backup and restore](backuprestore_IAM.md).

All backup and restore console and API actions are captured and recorded in AWS CloudTrail for logging, continuous monitoring, and auditing.

# Creating backups of DynamoDB tables with AWS Backup
<a name="CreateBackupAWS"></a>

This section describes how to turn on AWS Backup to create on-demand and scheduled backups from your DynamoDB tables. 

+ [Turning on AWS Backup features](#CreateBackupAWS_enabling)
+ [On-demand backups](#CreateBackupAWS_on-demand)
+ [Scheduled backups](#CreateBackupAWS_scheduled)

## Turning on AWS Backup features
<a name="CreateBackupAWS_enabling"></a>

You must turn on AWS Backup to use it with DynamoDB.

To turn on AWS Backup, go through the following steps:

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. In the Backup Settings window, choose **Turn on**.

1. A confirmation screen will appear. Choose **Turn on features**.

AWS Backup features are now available for your DynamoDB tables.

If you choose to turn off AWS Backup features after they’ve been turned on, follow these steps:

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. In the Backup Settings window, choose **Turn off**.

1. A confirmation screen will appear. Choose **Turn off features**.

If you can’t turn the AWS Backup features on or off, your AWS admin may need to perform those actions.

## On-demand backups
<a name="CreateBackupAWS_on-demand"></a>

To create an on-demand backup of a DynamoDB table, follow these steps: 

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. Choose **Create backup**.

1. From the dropdown menu that appears, choose **Create an on-demand backup**.

1. To create a backup managed by AWS Backup with warm storage and other basic features, choose **Default Settings.** To create a backup that can be transitioned to cold storage, or to create a backup with DynamoDB features instead of AWS Backup, choose **Customize settings**.

   If you want to create this backup with previous DynamoDB features instead, choose **Customize settings** and then choose **Backup with DynamoDB**.

1. When you have completed the settings, choose **Create backup.**

## Scheduled backups
<a name="CreateBackupAWS_scheduled"></a>

To schedule a backup, follow these steps. 

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. From the dropdown menu that appears, choose **Schedule backups with AWS Backup**.

1. You will be taken to AWS Backup to create a backup plan.

# Copying a backup of a DynamoDB table with AWS Backup
<a name="CrossRegionAccountCopyAWS"></a>

You can make a copy of a current backup. You can copy backups to multiple AWS accounts or AWS Regions on demand or automatically as part of a scheduled backup plan. You can also automate a sequence of cross-account and cross-Region copies for Amazon DynamoDB Encryption Client.

Cross-Region replication is especially valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data.

Cross-account backups are useful for securely copying your backups to one or more AWS accounts in your organization for operational or security reasons. If your original backup is inadvertently deleted, you can copy the backup from its destination account to its source account, and then start the restore. Before you can do this, you must have two accounts that belong to the same organization in the Organizations service.

Copies inherit the source backup's configuration unless you specify otherwise, with one exception: if you specify that your new copy should "Never" expire, the new copy still inherits its source expiration date. If you want your new backup copy to be permanent, either set your source backups to never expire, or specify your new copy to expire 100 years after its creation.

**Note**  
If you're copying to another account, you must first have permission from that account.

To copy a backup, do the following:

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. Select the check box next to the backup you want to copy.
   + If the backup you want to copy is grayed out, you must enable [advanced features with AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/advanced-ddb-backup.html). Then create a new backup. You can now copy this new backup to other Regions and accounts, and copy any other new backups going forward.

1. Choose **Copy.**

1. If you want to copy the backup to another account or Region, select the check box next to **Copy the recovery point to another destination**. Then select whether you want to copy to another Region in your account, or to a different account in a different Region.

   **Note**  
   To restore a backup to another Region or account, you must first copy the backup to that Region or account.

1. Select the desired vault the file will be copied into. You can also create a new backup vault if desired.

1. Choose **Copy backup**.

# Restoring a backup of a DynamoDB table from AWS Backup
<a name="Restore.TutorialAWS"></a>

This section describes how to restore a backup of a DynamoDB table from AWS Backup.

+ [Restoring a DynamoDB table from AWS Backup](#Restore.TutorialAWS.simple)
+ [Restoring a DynamoDB table to another Region or account](#Restore.TutorialAWS.another)

## Restoring a DynamoDB table from AWS Backup
<a name="Restore.TutorialAWS.simple"></a>

To restore your DynamoDB tables from AWS Backup, follow these steps:

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Tables.**

1. Choose the **Backups** tab.

1. Select the check box next to the previous backup that you want to restore from.

1. Choose **Restore**. You will be taken to the **Restore table from backup** screen.

1. Enter the name for the newly restored table, the encryption that this new table will have, the key you want the restore to be encrypted with, and other options.

1. When you're finished, choose **Restore.**

## Restoring a DynamoDB table to another Region or account
<a name="Restore.TutorialAWS.another"></a>

To restore a DynamoDB table to another Region or account, you will first need to copy the backup to that new Region or account. In order to copy to another account, that account must first grant you permission. After you have copied your DynamoDB backup to the new Region or account, it can be restored with the process in the previous section.

# Deleting a backup of a DynamoDB table with AWS Backup
<a name="Delete.TutorialAWS"></a>

This section describes how to delete a backup of a DynamoDB table with AWS Backup.

A DynamoDB backup created through AWS Backup features is stored in an AWS Backup vault.

In order to delete this kind of backup, do the following:

1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).

1. In the navigation pane on the left side of the console, choose **Backups**.

1. On the screen that follows, choose **Continue to AWS Backup**.

   You will be taken to the AWS Backup console. To learn more on how to delete backups on the AWS Backup console, see [Deleting backups](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-backups.html).

   For more information about AWS Backup, see [Backup and recovery using AWS Backup](https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/aws-backup.html) in the *AWS Prescriptive Guidance*.

# Usage note differences between on-demand backups managed by AWS Backup and DynamoDB
<a name="UsageNotesAWS"></a>

This section describes the technical differences between on-demand backups managed by AWS Backup and DynamoDB.

AWS Backup has some different workflows and behaviors than DynamoDB. These include:

**Encryption** - Backups created with the AWS Backup plan are stored in an encrypted vault with a key that is managed by the AWS Backup service. The vault has access control policies for additional security.

**Backup ARN** - The backup files created by AWS Backup will now have an AWS Backup ARN, which could impact the user permission model. Backup resource names (ARNs) will change from `arn:aws:dynamodb` to `arn:aws:backup`.

**Deleting backups** - Backups that are created with AWS Backup can only be deleted from the AWS Backup vault. You will not be able to delete AWS Backup files from the DynamoDB console.

**Backup process** - Unlike DynamoDB backups, backups made with AWS Backup are not instantaneous.

**Billing** - Backups of DynamoDB tables with AWS Backup features are billed from AWS Backup.

**IAM roles** - If you're managing access through IAM roles, you will also need to configure a new IAM role with these new permissions: 

```
"dynamodb:StartAwsBackupJob",
"dynamodb:RestoreTableFromAwsBackup"
```

`dynamodb:StartAwsBackupJob` is needed for a successful backup with AWS Backup features, and `dynamodb:RestoreTableFromAwsBackup` is needed to restore from a backup made with AWS Backup features.

To see these permissions in a complete IAM policy, see Example 8 in [Using IAM](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/backuprestore_IAM.html).
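
An added example (not from the AWS documentation) of auditing an IAM policy document for the two permissions above and for backup-specific `Resource` patterns that still target `arn:aws:dynamodb` backup ARNs. The ARNs and sample policy are constructed, the actions are assumed to be evaluated against the table ARN, and the evaluator is a simplification that ignores `Condition`, `NotAction` and `NotResource`.

```python
import re

# The two permissions this page lists for AWS Backup-managed DynamoDB backups.
REQUIRED_ACTIONS = ("dynamodb:StartAwsBackupJob", "dynamodb:RestoreTableFromAwsBackup")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _applies(stmt, action, resource):
    return (any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob_match(r, resource) for r in _as_list(stmt.get("Resource", []))))

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow grants.
    Condition, NotAction and NotResource are not modelled."""
    hits = [s["Effect"] for s in _as_list(policy["Statement"])
            if _applies(s, action, resource)]
    return "Deny" not in hits and "Allow" in hits

def audit_backup_policy(policy, table_arn, legacy_backup_arn, recovery_point_arn):
    """Report policy gaps for a table whose backups are managed by AWS Backup."""
    missing = [a for a in REQUIRED_ACTIONS if not is_allowed(policy, a, table_arn)]
    # Backup-specific patterns that match the old arn:aws:dynamodb backup ARN but
    # not the arn:aws:backup recovery point do not scope the new backups.
    stale = sorted({r for s in _as_list(policy["Statement"])
                    for r in _as_list(s.get("Resource", []))
                    if _glob_match(r, legacy_backup_arn)
                    and not _glob_match(r, table_arn)
                    and not _glob_match(r, recovery_point_arn)})
    return {"missing_actions": missing, "stale_backup_resources": stale}

# Constructed sample values: account ID, table name and backup IDs are placeholders.
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"
LEGACY_BACKUP = TABLE + "/backup/01234567890123-abcdef01"
RECOVERY_POINT = "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE-ID"

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": TABLE,
         "Action": ["dynamodb:CreateBackup", "dynamodb:startawsbackupjob"]},
        {"Effect": "Deny", "Action": "dynamodb:DeleteBackup",
         "Resource": "arn:aws:dynamodb:*:*:table/*/backup/*"},
    ],
}

if __name__ == "__main__":
    print(audit_backup_policy(SAMPLE_POLICY, TABLE, LEGACY_BACKUP, RECOVERY_POINT))
```

In the sample, the `Deny` on `dynamodb:DeleteBackup` matches only DynamoDB-native backup ARNs, so it does not cover recovery points held in an AWS Backup vault.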