Three AWS Data Protection Capabilities Explained

R-Cloud from HYCU, DCIG client, can do it.

This report was written on May 30, 2024 by Jerome M. Wendt, CEO and principal data protection analyst, Data Center Intelligence Group LLC (DCIG).

AWS includes at least 3 data protection capabilities that organizations can and often should use to protect their data. Each one offers distinct benefits for any organization that uses them. However, to account for each one’s limitations, organizations may need a 3rd-party solution to best meet their AWS data protection requirements.

AWS data protection capability #1: highly available, secure data centers
AWS designs and manages its AWS data centers to remain highly available and secure from physical and cyber security intrusions. AWS built its core infrastructure to satisfy the security requirements of global banks and other high-sensitivity organizations.

However, applications and data hosted in highly available, secure data centers may still become compromised or experience issues for multiple reasons.

These include, but are not limited to:

  • Simple human error. Humans can and do make mistakes. These errors may result in data becoming compromised or lost. When these errors occur, the responsibility to restore and recover from any data corruption or loss falls to the organization.
  • Ransomware events. Ransomware can attack applications and data that organizations host in AWS. Should an attack occur, restore and recovery responsibilities fall to the organization to perform.
  • Unplanned storage costs. Amazon S3 represents one of AWS’s most subscribed-to services. While many organizations store their archives and backups in S3, other applications store active data in S3. In this use case, data stored in S3 may change frequently, which may necessitate that organizations back it up. While S3 versioning can make copies when data changes occur, this technique may incur substantial storage overhead and costs. Using backup software to back up this data is often more cost-effective.

AWS data protection capability #2: AWS Backup
AWS offers its own AWS Backup for AWS data protection. Organizations that primarily need to protect data in select AWS databases and Amazon Machine Images (AMIs) may find AWS Backup meets those needs.

However, AWS Backup has limited abilities to protect any applications or data originating from outside AWS. For instance, an organization may need to protect non-AWS databases, hypervisors, or SaaS applications.

If AWS Backup does support them, an organization must typically employ various AWS Backup workarounds. For instance, to protect a database such as Oracle, AWS recommends using AWS Backup in conjunction with Oracle Recovery Manager (RMAN). To protect and recover VMware VMs, an organization must utilize an AWS Backup gateway.

AWS Backup’s capabilities also do not extend to all AWS services. AWS offers multiple services that store data and generate metadata, including its:

  • Database-as-a-service (DBaaS) offerings (Aurora, DocumentDB, etc.)
  • IaaS offerings (EBS, EC2, VPC, etc.)
  • Platform-as-a-service offerings (Elastic Beanstalk, Lightsail)
  • Many other as-a-service offerings.

Even though each of these services stores data, AWS offers varying degrees of support for each one. It may fully protect the data stored in the service, only partially protect it, or not protect it at all.

Identity and Access Management (IAM) and Key Management Service (KMS) represent 2 such AWS web services. These 2 services contain configuration data that is critical to keep applications built on AWS up and running as intended. Yet AWS Backup provides no options to protect and restore the configuration data for these 2 services nor any others.
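To make the IAM gap concrete, the following added example (not part of the DCIG report, and not AWS or HYCU code) compares two saved IAM exports and lists only the roles that would need an item-level restore. It assumes the exports have the JSON shape printed by `aws iam get-account-authorization-details`; the helper names, role names and sample data are constructed for illustration.

```python
import json

# Role fields that define its effective configuration in the export.
TRACKED = ("AssumeRolePolicyDocument", "AttachedManagedPolicies", "RolePolicyList")

def canon(v):
    """Normalise key and list order so reordering alone is not reported."""
    if isinstance(v, dict):
        return {k: canon(v[k]) for k in sorted(v)}
    if isinstance(v, list):
        return sorted((canon(x) for x in v), key=lambda x: json.dumps(x, sort_keys=True))
    return v

def index_roles(snapshot):
    return {r["RoleName"]: r for r in snapshot.get("RoleDetailList", [])}

def diff_roles(baseline, current):
    """Compare two exports; report deleted, added and modified roles."""
    old, new = index_roles(baseline), index_roles(current)
    changed = {}
    for name in sorted(old.keys() & new.keys()):
        fields = [f for f in TRACKED if canon(old[name].get(f)) != canon(new[name].get(f))]
        if fields:
            changed[name] = fields
    return {"deleted": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "changed": changed}

def items_to_restore(baseline, report):
    """Baseline definitions of only the roles that were deleted or modified."""
    old = index_roles(baseline)
    return [old[n] for n in sorted(set(report["deleted"]) | set(report["changed"]))]

# Constructed sample data (not real account output).
def role(name, service, policies):
    trust = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}
    return {"RoleName": name, "Arn": f"arn:aws:iam::111122223333:role/{name}",
            "AssumeRolePolicyDocument": trust, "RolePolicyList": [],
            "AttachedManagedPolicies": [{"PolicyName": p,
                "PolicyArn": f"arn:aws:iam::aws:policy/{p}"} for p in policies]}

BASELINE = {"RoleDetailList": [role("app-reader", "ec2.amazonaws.com", ["ReadOnlyAccess"]),
                               role("ci-deployer", "codebuild.amazonaws.com", ["ReadOnlyAccess"])]}
CURRENT = {"RoleDetailList": [role("app-reader", "ec2.amazonaws.com",
                                   ["ReadOnlyAccess", "AdministratorAccess"]),
                              role("tmp-role", "lambda.amazonaws.com", [])]}

if __name__ == "__main__":
    report = diff_roles(BASELINE, CURRENT)
    print(json.dumps(report, indent=2))
    print([r["RoleName"] for r in items_to_restore(BASELINE, report)])
```

Roles that appear under `added` are not in the baseline, so they are a review item rather than a restore item.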

AWS data protection capability #3: AWS Backup management
Even with these shortcomings, organizations might still consider AWS Backup if they could centrally and easily manage it. However, AWS Backup only partially checks this box.

It does offer a centralized console as well as APIs and a command line interface (CLI) for backup management. It also supports the cross-region copies of backups and the creation and implementation of lifecycle management policies.

However, organizations may only control cross-region backups at the backup vault level. AWS Backup also can only perform filesystem-level restores, with no options to restore at the item level. Then, if an organization wants to use any AWS Backup automation services, it must script these activities.

These and other limitations of AWS’ data protection services lead many organizations to seek out a third-party solution.

Necessity for 3rd-party AWS data protection solution
Both AWS and 3rd-party providers offer solutions that protect some data and metadata in AWS. However, no software from any provider – AWS or 3rd-party provider – completely protects all the data types found in AWS. This leaves an opening for a 3rd-party provider to emerge to enhance AWS’ inherent data protection capabilities.

While AWS could build a data protection solution that embraces other cloud providers and on-premises IT, this seems unlikely. AWS generally takes an AWS-first approach in the design of its data protection solutions. This makes it more probable that a comprehensive AWS data protection solution must come from a 3rd-party provider.

This solution should first capitalize on AWS’ existing features in delivering data protection. AWS already offers multiple robust high availability and data protection features. Therefore, it only makes sense for a 3rd-party data protection solution to utilize them whenever possible.

It should also build on other features available in AWS, specifically its IaaS services. These may minimally include utilizing AWS’ compute, storage, IAM, and KMS services. Using these and other IaaS services available in AWS, the solution can and should operate as a cloud service in AWS.

This design facilitates ease of subscription, fast setup and configuration, and simplified backup management. Properly designed, the provider could also deploy and run its data protection solution in other public and private clouds.

This flexibility to run in multiple clouds would then, by default, extend to storing backups inside and outside of AWS. It should also facilitate protecting data stored in non-AWS applications, whether they are hosted inside or outside of AWS.

HYCU R-Cloud enhances AWS data protection
Organizations operating solely in AWS may find AWS’ data protection features insufficient to meet their needs. Organizations want a solution that positions them to enhance their AWS data protection. To do so, the solution must leverage the HA and data protection services that AWS offers.

It must also protect the:

  • Data of applications they introduce into and host in AWS.
  • Data stored in AWS’ native services.
  • Configuration data and metadata that these services create.

Equally important, it should possess the intangible attributes that make the solution practical for organizations to manage and operate. It must operate as a cloud service. It should be available in other clouds and on-premises. It should give organizations options to store and manage backups in AWS, other providers’ clouds, and on-premises.

HYCU, Inc. purpose-built R-Cloud to protect AWS workloads and services, leveraging native AWS snapshots and adding enhanced item-level restore capabilities for supported services. From restoring AWS EC2 files to specific roles in AWS IAM, R-Cloud offers script-free automation, fully managed backups, and item-level restores.

For the first time, it brings these different requirements for AWS data protection together into one solution. In so doing, HYCU does more than position organizations to enhance AWS data protection. They may confidently adopt AWS more broadly knowing the applications and data they host in it are both protected and recoverable.

HYCU is a client of DCIG.
