DEV Community

Cover image for Why You Should Use AWS Backup Instead of Custom Lambda Solutions
Hasan Ashab
Hasan Ashab

Posted on

Why You Should Use AWS Backup Instead of Custom Lambda Solutions

Stop reinventing the wheel.
Here's why AWS Backup is the superior choice over custom Lambda functions for EC2 backups — and how to migrate your existing solution in minutes.

Jump To:

The Problem with Custom Solutions

I used to think building custom backup solutions was the way to go. Lambda functions, EventBridge rules, custom IAM policies, S3 logging buckets — it felt like I was in control of every aspect of my backup strategy.

But here's what I learned the hard way: you're reinventing a wheel that AWS has already perfected.

After migrating from a custom Lambda-based backup solution to AWS Backup, I realized I had been:

  • Writing hundreds of lines of code that AWS already maintains
  • Managing complex IAM policies when service-linked roles exist
  • Building monitoring and alerting that's built into AWS Backup
  • Debugging custom logic instead of focusing on business value

Today, I'll show you why AWS Backup is superior and how to migrate your existing custom solution in under 30 minutes.

Why AWS Backup Wins

Let me break down why AWS Backup is objectively better than custom Lambda solutions:

Zero Code Maintenance

  • Custom Lambda: 200+ lines of Python code to maintain, debug, and update
  • AWS Backup: Zero lines of code. It's a managed service.

Enterprise Features Out of the Box

  • Cross-region replication: Built-in, no custom logic needed
  • Point-in-time recovery: Supported natively
  • Compliance reporting: Built into the console
  • Backup verification: Automatic integrity checks

Better Security

  • Service-linked roles: AWS manages permissions automatically
  • Encryption: KMS integration with no custom key management
  • Audit trails: CloudTrail integration by default

Superior Monitoring

  • Built-in dashboards: No custom CloudWatch setup needed
  • Native alerting: SNS integration without custom Lambda triggers
  • Job status tracking: Real-time backup job monitoring

Migration Guide

If you're currently using a custom Lambda solution, here's how to migrate to AWS Backup:

Before: Custom Lambda Architecture

Lambda

EventBridge → Lambda Function → EC2 API calls → S3 Logging
Enter fullscreen mode Exit fullscreen mode
  • 200+ lines of Python code
  • Custom IAM policies
  • Manual error handling
  • Custom monitoring setup

After: AWS Backup Architecture

AWS Backup Plan → Backup Vault → Encrypted Recovery Points
Enter fullscreen mode Exit fullscreen mode
  • Zero lines of code
  • Service-linked roles
  • Built-in error handling
  • Native monitoring

The New Architecture

AWS Backup simplifies everything:

  1. Backup Plan: Defines schedule and retention rules
  2. Backup Vault: Secure, encrypted storage for recovery points
  3. Backup Selection: Tag-based resource targeting
  4. Service Role: AWS-managed permissions

AWS Backup

That's it. Four components instead of a dozen.

Implementation

Here's the complete Terraform configuration for AWS Backup. Compare this to the 300+ lines needed for a custom Lambda solution:

# IAM role for AWS Backup
resource "aws_iam_role" "backup_role" {
  name = "aws-backup-service-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "backup.amazonaws.com" }
    }]
  })
}

# Attach AWS managed policies
resource "aws_iam_role_policy_attachment" "backup_policy" {
  role       = aws_iam_role.backup_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# Backup vault with encryption
resource "aws_backup_vault" "main" {
  name        = "primary-backup-vault"
  kms_key_arn = aws_kms_key.backup.arn
}

# Backup plan with lifecycle rules
resource "aws_backup_plan" "main" {
  name = "daily-backup-plan"

  rule {
    rule_name         = "daily_backup_rule"
    target_vault_name = aws_backup_vault.main.name
    schedule          = "cron(0 2 * * ? *)"  # 2 AM daily

    lifecycle {
      delete_after = 7  # 7 day retention
    }
  }
}

# Backup selection - which resources to backup
resource "aws_backup_selection" "ec2_backup" {
  iam_role_arn = aws_iam_role.backup_role.arn
  name         = "ec2-backup-selection"
  plan_id      = aws_backup_plan.main.id

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "BackupPlan"
    value = "daily-backup"
  }

  resources = ["*"]
}
Enter fullscreen mode Exit fullscreen mode

That's it. 50 lines of Terraform vs 300+ lines for a custom solution.

Check the source code here.

Benefits Comparison

Let me show you the concrete benefits of switching:

Feature Custom Lambda AWS Backup
Code Maintenance 200+ lines of Python 0 lines
IAM Complexity Custom policies, 50+ lines Service-linked roles
Error Handling Manual try/catch blocks Built-in retry logic
Monitoring Custom CloudWatch setup Native dashboards
Cross-region Complex custom logic One checkbox
Compliance Manual reporting Built-in compliance reports
Point-in-time Recovery Not supported Native support
Backup Verification Manual testing Automatic integrity checks

Cost Analysis

Custom Lambda Solution Monthly Costs:

  • Lambda execution: ~$2-5
  • EventBridge: ~$1
  • S3 storage for logs: ~$1-3
  • CloudWatch logs: ~$1-2
  • Total: $5-11/month

AWS Backup Solution Monthly Costs:

  • Backup storage: Same as EBS snapshots
  • AWS Backup service: $0.50 per backup job
  • Total: ~$2-4/month

AWS Backup is actually cheaper because it eliminates Lambda execution costs and reduces operational overhead.

Migration Steps

Ready to migrate? Here's your step-by-step guide:

1. Update Your Tags

Change your EC2 instance tags from:

Backup = "true"
Enter fullscreen mode Exit fullscreen mode

To:

BackupPlan = "daily-backup"
Enter fullscreen mode Exit fullscreen mode

2. Deploy AWS Backup Resources

Use the Terraform configuration above to create:

  • Backup vault with KMS encryption
  • Backup plan with your schedule
  • Backup selection targeting your tagged resources
  • Service-linked IAM role

3. Test the Migration

  1. Deploy the AWS Backup resources
  2. Wait for the first scheduled backup
  3. Verify recovery points in the AWS Backup console
  4. Test a restore operation

Real-World Results

After migrating to AWS Backup, here's what I experienced:

Operational Benefits:

  • ✅ Zero code maintenance (was spending 2-3 hours/month debugging Lambda issues)
  • ✅ Built-in monitoring eliminated custom CloudWatch setup
  • ✅ Automatic retry logic reduced backup failures by 90%
  • ✅ Cross-region replication setup took 5 minutes vs. days of custom development

Cost Savings:

  • ✅ 40% reduction in monthly backup costs
  • ✅ Eliminated Lambda execution charges
  • ✅ Reduced CloudWatch log storage costs
  • ✅ No more S3 storage for custom backup logs

Security Improvements:

  • ✅ Service-linked roles eliminated custom IAM policy maintenance
  • ✅ Built-in encryption with customer-managed KMS keys
  • ✅ Automatic compliance reporting for audits

Contact

Have questions about this setup? Found a bug in the code? Drop a comment below

or reach out:

Top comments (0)