Stop reinventing the wheel.
Here's why AWS Backup is the superior choice over custom Lambda functions for EC2 backups — and how to migrate your existing solution in minutes.
Jump To:
- The Problem with Custom Solutions
- Why AWS Backup Wins
- Migration Guide
- The New Architecture
- Implementation
- Benefits Comparison
- Cost Analysis
- Contact
The Problem with Custom Solutions
I used to think building custom backup solutions was the way to go. Lambda functions, EventBridge rules, custom IAM policies, S3 logging buckets — it felt like I was in control of every aspect of my backup strategy.
But here's what I learned the hard way: you're reinventing a wheel that AWS has already perfected.
After migrating from a custom Lambda-based backup solution to AWS Backup, I realized I had been:
- Writing hundreds of lines of code that AWS already maintains
- Managing complex IAM policies when service-linked roles exist
- Building monitoring and alerting that's built into AWS Backup
- Debugging custom logic instead of focusing on business value
Today, I'll show you why AWS Backup is superior and how to migrate your existing custom solution in under 30 minutes.
Why AWS Backup Wins
Let me break down why AWS Backup is objectively better than custom Lambda solutions:
Zero Code Maintenance
- Custom Lambda: 200+ lines of Python code to maintain, debug, and update
- AWS Backup: Zero lines of code. It's a managed service.
Enterprise Features Out of the Box
- Cross-region replication: Built-in, no custom logic needed
- Point-in-time recovery: Supported natively
- Compliance reporting: Built into the console
- Backup verification: Automatic integrity checks
Better Security
- Service-linked roles: AWS manages permissions automatically
- Encryption: KMS integration with no custom key management
- Audit trails: CloudTrail integration by default
Superior Monitoring
- Built-in dashboards: No custom CloudWatch setup needed
- Native alerting: SNS integration without custom Lambda triggers
- Job status tracking: Real-time backup job monitoring
Migration Guide
If you're currently using a custom Lambda solution, here's how to migrate to AWS Backup:
Before: Custom Lambda Architecture
EventBridge → Lambda Function → EC2 API calls → S3 Logging
- 200+ lines of Python code
- Custom IAM policies
- Manual error handling
- Custom monitoring setup
After: AWS Backup Architecture
AWS Backup Plan → Backup Vault → Encrypted Recovery Points
- Zero lines of code
- Service-linked roles
- Built-in error handling
- Native monitoring
The New Architecture
AWS Backup simplifies everything:
- Backup Plan: Defines schedule and retention rules
- Backup Vault: Secure, encrypted storage for recovery points
- Backup Selection: Tag-based resource targeting
- Service Role: AWS-managed permissions
That's it. Four components instead of a dozen.
Implementation
Here's the complete Terraform configuration for AWS Backup. Compare this to the 300+ lines needed for a custom Lambda solution:
# IAM role for AWS Backup
resource "aws_iam_role" "backup_role" {
name = "aws-backup-service-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "backup.amazonaws.com" }
}]
})
}
# Attach AWS managed policies
resource "aws_iam_role_policy_attachment" "backup_policy" {
role = aws_iam_role.backup_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}
# Backup vault with encryption
resource "aws_backup_vault" "main" {
name = "primary-backup-vault"
kms_key_arn = aws_kms_key.backup.arn
}
# Backup plan with lifecycle rules
resource "aws_backup_plan" "main" {
name = "daily-backup-plan"
rule {
rule_name = "daily_backup_rule"
target_vault_name = aws_backup_vault.main.name
schedule = "cron(0 2 * * ? *)" # 2 AM daily
lifecycle {
delete_after = 7 # 7 day retention
}
}
}
# Backup selection - which resources to backup
resource "aws_backup_selection" "ec2_backup" {
iam_role_arn = aws_iam_role.backup_role.arn
name = "ec2-backup-selection"
plan_id = aws_backup_plan.main.id
selection_tag {
type = "STRINGEQUALS"
key = "BackupPlan"
value = "daily-backup"
}
resources = ["*"]
}
That's it. 50 lines of Terraform vs 300+ lines for a custom solution.
Check the source code here.
Benefits Comparison
Let me show you the concrete benefits of switching:
Feature | Custom Lambda | AWS Backup |
---|---|---|
Code Maintenance | 200+ lines of Python | 0 lines |
IAM Complexity | Custom policies, 50+ lines | Service-linked roles |
Error Handling | Manual try/catch blocks | Built-in retry logic |
Monitoring | Custom CloudWatch setup | Native dashboards |
Cross-region | Complex custom logic | One checkbox |
Compliance | Manual reporting | Built-in compliance reports |
Point-in-time Recovery | Not supported | Native support |
Backup Verification | Manual testing | Automatic integrity checks |
Cost Analysis
Custom Lambda Solution Monthly Costs:
- Lambda execution: ~$2-5
- EventBridge: ~$1
- S3 storage for logs: ~$1-3
- CloudWatch logs: ~$1-2
- Total: $5-11/month
AWS Backup Solution Monthly Costs:
- Backup storage: Same as EBS snapshots
- AWS Backup service: $0.50 per backup job
- Total: ~$2-4/month
AWS Backup is actually cheaper because it eliminates Lambda execution costs and reduces operational overhead.
Migration Steps
Ready to migrate? Here's your step-by-step guide:
1. Update Your Tags
Change your EC2 instance tags from:
Backup = "true"
To:
BackupPlan = "daily-backup"
2. Deploy AWS Backup Resources
Use the Terraform configuration above to create:
- Backup vault with KMS encryption
- Backup plan with your schedule
- Backup selection targeting your tagged resources
- Service-linked IAM role
3. Test the Migration
- Deploy the AWS Backup resources
- Wait for the first scheduled backup
- Verify recovery points in the AWS Backup console
- Test a restore operation
Real-World Results
After migrating to AWS Backup, here's what I experienced:
Operational Benefits:
- ✅ Zero code maintenance (was spending 2-3 hours/month debugging Lambda issues)
- ✅ Built-in monitoring eliminated custom CloudWatch setup
- ✅ Automatic retry logic reduced backup failures by 90%
- ✅ Cross-region replication setup took 5 minutes vs. days of custom development
Cost Savings:
- ✅ 40% reduction in monthly backup costs
- ✅ Eliminated Lambda execution charges
- ✅ Reduced CloudWatch log storage costs
- ✅ No more S3 storage for custom backup logs
Security Improvements:
- ✅ Service-linked roles eliminated custom IAM policy maintenance
- ✅ Built-in encryption with customer-managed KMS keys
- ✅ Automatic compliance reporting for audits
Contact
Have questions about this setup? Found a bug in the code? Drop a comment below
or reach out:
- Website: hasan-ashab
- LinkedIn: linkedin.com/in/hasan-ashab
Top comments (0)