Build AWS Backup plan configurations with schedules, lifecycle rules, and cross-region copy.
Last verified: May 2026
Required Fields
BackupPlanName, Rules, Rules[0].RuleName, Rules[0].TargetBackupVaultName, Rules[0].ScheduleExpression

The builder constructs AWS Backup plan definitions with: rules (rule name, target backup vault, schedule expression in cron format, start window, completion window, lifecycle with cold-storage and delete days, copy actions for cross-region/cross-account, recovery point tags), and resource assignments (selection by ARN list or tag-based). Output is generated as `aws backup create-backup-plan` + `create-backup-selection` commands and Terraform `aws_backup_plan` + `aws_backup_selection` resources.
AWS Backup provides a centralized, policy-driven service for automating backups across EC2, EBS, RDS, DynamoDB, EFS, FSx, S3, and other AWS services. Backup plans define schedules (using cron expressions), retention periods, lifecycle transitions to cold storage, cross-region copy rules, and resource assignments via tags or resource ARNs. Writing backup plans requires understanding the interplay between backup frequency, retention windows, cold storage transition timing, and compliance requirements. The Backup Plan Builder helps you assemble backup plans with correct schedule expressions, lifecycle rules, and vault configurations.
Your team needs to meet a compliance requirement: daily backups for 30 days, weekly for 90 days, monthly for 7 years, all encrypted, with cross-region DR copies for production data. The builder generates a 3-rule backup plan: daily (cron: `0 5 * * ? *`, retention 30 days), weekly (cron: `0 5 ? * SUN *`, retention 90 days, transition to cold at 7 days), monthly (cron: `0 5 1 * ? *`, retention 2,555 days = 7 years, transition to cold at 7 days, copy to us-west-2). Plus a tag-based selection `backup:daily AND env:prod`. Total time to compliance: 1 day vs the week-long roadmap to hand-build all the rules.
Cold storage transitions have a 90-day MINIMUM retention. If your lifecycle rule moves backups to cold after 7 days but retention is 30 days, you'll pay the 90-day cold rate even though the backup spent only 23 days in cold storage. Set transitions so that the cold period is at least 90 days, OR skip cold storage entirely for short-retention plans.
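The 90-day check described above, applied to the daily/weekly/monthly scenario, as an added example (not the builder's own code). The plan dictionary is constructed in the shape of the `aws backup create-backup-plan` input; the plan name, vault names, the account ID in the ARN and the function names are assumptions.

```python
"""Flag AWS Backup rules whose time in cold storage is under the 90-day minimum."""

COLD_MIN_DAYS = 90  # minimum cold-storage period described above

# Constructed plan using the scenario's schedules and retention numbers.
# Plan name, vault names and the account ID are placeholders.
PLAN = {
    "BackupPlanName": "compliance-plan",
    "Rules": [
        {"RuleName": "daily", "TargetBackupVaultName": "prod-vault",
         "ScheduleExpression": "cron(0 5 * * ? *)",
         "Lifecycle": {"DeleteAfterDays": 30}},
        {"RuleName": "weekly", "TargetBackupVaultName": "prod-vault",
         "ScheduleExpression": "cron(0 5 ? * SUN *)",
         "Lifecycle": {"MoveToColdStorageAfterDays": 7, "DeleteAfterDays": 90}},
        {"RuleName": "monthly", "TargetBackupVaultName": "prod-vault",
         "ScheduleExpression": "cron(0 5 1 * ? *)",
         "Lifecycle": {"MoveToColdStorageAfterDays": 7, "DeleteAfterDays": 2555},
         "CopyActions": [{"DestinationBackupVaultArn":
             "arn:aws:backup:us-west-2:111122223333:backup-vault:dr-vault"}]},
    ],
}

def check_lifecycle(name, lifecycle):
    """Return findings for one Lifecycle block (empty list if it is fine)."""
    cold = lifecycle.get("MoveToColdStorageAfterDays")
    delete = lifecycle.get("DeleteAfterDays")
    if cold is None or delete is None:
        return []  # warm-only, or retained with no delete date
    in_cold = delete - cold
    if in_cold >= COLD_MIN_DAYS:
        return []
    return [f"{name}: {in_cold} days in cold storage, below the "
            f"{COLD_MIN_DAYS}-day minimum; raise DeleteAfterDays to "
            f"{cold + COLD_MIN_DAYS} or drop the cold transition"]

def validate_plan(plan):
    """Check every rule, and every copy action's own lifecycle, in a plan."""
    findings = []
    for rule in plan["Rules"]:
        findings += check_lifecycle(rule["RuleName"], rule.get("Lifecycle", {}))
        for i, copy in enumerate(rule.get("CopyActions", [])):
            findings += check_lifecycle(f"{rule['RuleName']}/copy[{i}]",
                                        copy.get("Lifecycle", {}))
    return findings

if __name__ == "__main__":
    for finding in validate_plan(PLAN):
        print(finding)
```

With the scenario's numbers the weekly rule is flagged: 90 days of retention minus a 7-day transition leaves 83 days in cold storage.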
Cross-region copies are essentially full backups in the destination region — they're priced separately and consume storage in both regions. For a daily backup with 30-day retention copied to 2 regions, you're paying 3x the storage. Use copy rules sparingly for genuinely critical data.
Tag-based resource assignment is the right pattern for scale. Tag resources with `backup:daily` (or similar) and let the backup plan auto-include them. This avoids hand-maintaining ARN lists across hundreds of resources, and new resources get backed up automatically as long as they're tagged correctly.
AWS Backup provides a unified control plane across all supported services, while service-native backups (like RDS automated snapshots or DynamoDB point-in-time recovery) are configured individually per service. AWS Backup adds cross-region and cross-account copy, centralized compliance reporting, Backup Audit Manager for auditing, and consistent lifecycle management. Service-native features may offer capabilities AWS Backup does not, like RDS's automated binlog backups, so both approaches can complement each other.
Warm storage provides immediate restore capability and is priced at standard backup storage rates. Cold storage costs significantly less but has a minimum retention of 90 days and restores take longer. Not all resource types support cold storage transitions — currently EBS, EFS, and DynamoDB backups support cold storage, while RDS and S3 backups do not. The lifecycle transition timing should account for the 90-day minimum to avoid paying for both warm and cold copies.
AWS Backup supports copying backups to backup vaults in other AWS accounts within your organization, providing protection against account compromise. You configure a cross-account copy rule in the backup plan and specify the destination vault ARN in the target account. The source and destination accounts must both be in the same AWS Organization, and the destination vault must have a resource policy allowing access from the source account. This creates an isolated copy that survives even if the source account is compromised.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.