Enabling S3 Versioning is not a backup strategy
Here are three reasons why enabling S3 Versioning is not a backup strategy. Instead, you should consider AWS Backup for S3, which AWS released on February 18th, 2022. AWS Backup enables you to control and automate managing backups centrally. To do so, AWS Backup supports EC2/EBS, EFS, FSx, RDS, DynamoDB, Neptune, DocumentDB, and Storage Gateway.
Do you use S3 Versioning to protect against data loss? Here are three reasons why this is not enough.
Warning I had issues with backing up and restoring data. Check out my Twitter thread to learn more.
So you enabled S3 Versioning for all your buckets. S3 will not delete the data but create a deletion marker for the object when someone deletes an object. So in case you delete an object accidentally, you can recover the data quickly. But what, when you delete not only the object but all of its versions accidentally? In this case, something comparable to an offsite backup becomes essential.
Think of AWS Backup as an offsite backup for your data stored on S3.
And it can get even worse. What if an attacker tries to delete all data from your AWS account? An attacker also could delete all objects and versions. S3 Versioning does not mitigate the risk of malicious data deletion.
Looking for a new challenge?
Again, consider AWS Backup for S3 instead. AWS Backup supports vault locks an effective countermeasures against the malicious deletion of your backup.
Imagine you rolled out a change to the batch job, which processes data stored on S3 every night. Due to a mistake in the code, the batch job corrupts a lot of objects. As you have S3 Versioning enabled, you want to roll back all the objects within a bucket to a specific point-in-time. However, doing so requires a lot of API calls to S3 -
PutObject. Recovering to a certain point in time is quite complicated and error-prone.
AWS Backup for S3 comes with point-in-time recovery for S3 out-of-the-box. Recovering a bucket becomes quite simple.
I hope I could convince you that AWS Backup for S3 has some advantages over S3 Versioning for backing up data. Check out my unboxing video, including a demo, pricing, and limitations.
Update 2022/03/02: Correction related to AWS Backup for S3: copying backups cross-region and cross-account is currently not supported. The Management Console let’s you create a backup job with a copy configuration, but it will fail. The official documentation mentions this limitation.