
3 AWS Data Protection Capabilities Explained

AWS includes at least three (3) data protection capabilities that organizations can and often should use to protect their data. Each one offers distinct benefits for any organization that uses them. However, to account for each one’s limitations, organizations may need a third-party solution to best meet their AWS data protection requirements.

AWS Data Protection Capability #1: Highly Available, Secure Data Centers

AWS designs and manages its data centers to remain highly available and secure from physical and cyber security intrusions. AWS built its core infrastructure to satisfy the security requirements of global banks and other high-sensitivity organizations.

However, applications and data hosted in highly available, secure data centers may still become compromised or experience issues for multiple reasons. These include, but are not limited to:

  • Simple human error. Humans can and do make mistakes. These errors may result in data becoming compromised or lost. When these errors occur, the responsibility to restore and recover from any data corruption or loss falls to the organization.
  • Ransomware events. Ransomware can attack applications and data that organizations host in AWS. Should an attack occur, restore and recovery responsibilities fall to the organization to perform.
  • Unplanned storage costs. Amazon Simple Storage Service (Amazon S3) represents one of AWS’s most subscribed-to services. While many organizations store their archives and backups in S3, other applications store active data in S3. In this use case, data stored in S3 may change frequently, which may necessitate that organizations back it up. While Amazon S3 versioning can make copies when data changes occur, this technique may incur substantial storage overhead and costs. Using backup software to back up this data is often more cost-effective.

AWS Data Protection Capability #2: AWS Backup

AWS offers its own AWS Backup for AWS data protection. Organizations that primarily need to protect data in select AWS databases and Amazon Machine Images (AMIs) may find AWS Backup meets those needs.

However, AWS Backup has limited abilities to protect any applications or data originating from outside AWS. For instance, an organization may need to protect non-AWS databases, hypervisors, or SaaS applications.

If AWS Backup does support them, an organization must typically employ various AWS Backup workarounds. For instance, to protect a database such as Oracle, AWS recommends using AWS Backup in conjunction with Oracle Recovery Manager (RMAN). To protect and recover VMware VMs, an organization must utilize an AWS Backup gateway.

AWS Backup’s capabilities also do not extend to protect all AWS services. AWS offers multiple services that store data and generate metadata, including its:

  • Database-as-a-service (DBaaS) offerings (Aurora, DocumentDB, etc.)
  • Infrastructure-as-a-service (IaaS) offerings (EBS, EC2, VPC, etc.)
  • Platform-as-a-service (PaaS) offerings (Elastic Beanstalk, Lightsail)
  • Many other as-a-service (aaS) offerings

Even though each of these services stores data, AWS offers varying degrees of support for each one. It may fully protect it, only partially protect it, or not protect the data stored in the aaS at all.

Identity and Access Management (IAM) and Key Management Service (KMS) represent two such AWS web services. These two services contain configuration data that is critical to keep applications built on AWS up and running as intended. Yet AWS Backup provides no options to protect and restore the configuration data for these two services nor any others.

AWS Data Protection Capability #3: AWS Backup Management

Even with these shortcomings, organizations might still consider AWS Backup if they could centrally and easily manage it. However, AWS Backup only partially checks this box.

It does offer a centralized console as well as APIs and a command line interface (CLI) for backup management. It also supports the cross-region copies of backups and the creation and implementation of lifecycle management policies.

However, organizations may only control cross-region backups at the backup vault level. AWS Backup also can only perform filesystem-level restores, with no options to restore at the item level. Then, if an organization wants to use any AWS Backup automation services, it must script these activities.

These and other limitations of AWS’ data protection services lead many organizations to seek out a third-party solution.

The Necessity for a Third-party AWS Data Protection Solution

Both AWS and third-party providers offer solutions that protect some data and metadata in AWS. However, no software from any provider – AWS or third-party provider – completely protects all the data types found in AWS. This leaves an opening for a third-party provider to emerge to enhance AWS’ inherent data protection capabilities.

While AWS could build a data protection solution that embraces other cloud providers and on-premises IT, this seems unlikely. AWS generally takes an AWS-first approach in the design of its data protection solutions. This makes it more probable that a comprehensive AWS data protection solution must come from a third-party provider.

This solution should first capitalize on AWS’ existing features in delivering data protection. AWS already offers its multiple, robust high availability and data protection features. Therefore, it only makes sense for a third-party data protection solution to utilize them whenever possible.

It should also build on other features available in AWS, specifically its IaaS services. These may minimally include utilizing AWS’ compute, storage, IAM, and KMS services. Using these and other IaaS services available in AWS, the solution can and should operate as a cloud service in AWS.

This design facilitates ease of subscription, fast setup and configuration, and simplified backup management. Properly designed, the provider could also deploy and run its data protection solution in other public and private clouds.

This flexibility to run in multiple clouds would then, by default, extend to storing backups inside and outside of AWS. It should also facilitate protecting data stored in non-AWS applications, whether they are hosted inside or outside of AWS.

HYCU R-Cloud Enhances AWS Data Protection

Organizations operating solely in AWS may find AWS’ data protection features insufficient to meet their needs. Organizations want a solution that positions them to enhance their AWS data protection. To do so, the solution must leverage the HA and data protection services that AWS offers. It must also protect the:

  • Data of applications they introduce into and host in AWS.
  • Data stored in AWS’ native services.
  • Configuration data and metadata that these services create.

Equally important, it should possess the intangible attributes that make the solution practical for organizations to manage and operate. It must operate as a cloud service. It should be available in other clouds and on-premises. It should give organizations options to store and manage backups in AWS, other providers’ clouds, and on-premises.

HYCU purpose-built R-Cloud to protect AWS workloads and services, leveraging native AWS snapshots and adding enhanced item-level restore capabilities for supported services. From restoring AWS EC2 files to specific roles in AWS IAM, HYCU R-Cloud offers script-free automation, fully managed backups, and item-level restores.

HYCU R-Cloud for the first time brings these different requirements for AWS data protection together into one solution. In so doing, HYCU does more than position organizations to enhance AWS data protection. They may confidently adopt AWS more broadly knowing the applications and data they host in it are both protected and recoverable.




This blog entry was excerpted from the following DCIG Technology Report available for download at this trusted third-party link.

HYCU is a client of DCIG.

