Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. Introduction
Data is one of the most important assets in any IT system. If data is lost, corrupted, deleted, or encrypted by ransomware, the business can stop functioning.
For the SAA-C03 exam, you must understand:
- What backups are
- What replication is
- The difference between backup and replication
- Which AWS services provide backup and replication
- How to design solutions for high availability and disaster recovery
- Cost, performance, and security considerations
This topic is heavily tested in scenario-based questions.
2. What Is a Data Backup?
A backup is a copy of data stored separately so it can be restored later if the original data is lost or damaged.
Backup protects against:
- Accidental deletion
- Ransomware
- Data corruption
- Application bugs
- Infrastructure failure
- Insider threats
Backups are usually:
- Stored in a different location
- Stored in another Availability Zone (AZ)
- Stored in another AWS Region
- Kept for a defined retention period
3. What Is Replication?
Replication means copying data automatically from one system to another system, usually in near real time.
Replication is mainly used for:
- High availability
- Disaster recovery
- Low latency access
- Business continuity
4. Backup vs Replication (Important for Exam)
| Feature | Backup | Replication |
|---|---|---|
| Purpose | Restore lost data | Keep systems running |
| Speed | Scheduled | Near real-time |
| Protects from deletion? | Yes | Usually No |
| Protects from ransomware? | Yes (if isolated) | No (damage replicates) |
| Used for DR? | Yes | Yes |
| Storage cost | Lower | Higher |
Very Important Exam Point:
If data is deleted accidentally:
- Replication will copy the deletion.
- Backup will allow restoration.
5. AWS Services for Backups
You must know the major AWS services used for backups.
5.1 Amazon S3 Backup Features
S3 Versioning
- Keeps multiple versions of an object.
- Protects against accidental deletion or overwrite.
- Must be enabled manually.
S3 Cross-Region Replication (CRR)
- Automatically replicates objects to another Region.
- Used for disaster recovery.
S3 Lifecycle Policies
- Move data to cheaper storage classes:
- S3 Standard
- S3 Standard-IA
- S3 Glacier
- S3 Glacier Deep Archive
S3 Object Lock
- Prevents deletion for a defined period.
- Used for compliance (WORM – Write Once Read Many).
Exam Tip:
If question mentions protection against accidental deletion, answer is often S3 Versioning.
5.2 Amazon EBS Snapshots
- Snapshots are incremental backups.
- Stored in S3 (managed by AWS).
- Can restore entire volumes.
- Can copy snapshots to another Region.
Key Concepts:
- First snapshot = full backup
- Later snapshots = incremental
- Can create AMIs from snapshots
Exam Tip:
If EC2 data must be backed up → Use EBS snapshots.
5.3 Amazon RDS Backups
RDS provides:
Automated Backups
- Enabled by default
- Point-in-time recovery (PITR)
- Retention: 0–35 days
Manual Snapshots
- Must be deleted manually
- Used for long-term retention
Cross-Region Snapshot Copy
- Used for disaster recovery
Important:
Multi-AZ is replication, not backup.
5.4 Amazon DynamoDB Backups
Two types:
On-Demand Backups
- Full backup
- Long-term storage
Point-in-Time Recovery (PITR)
- Continuous backup
- Restore to any second in last 35 days
5.5 AWS Backup
Centralized backup management for:
- EBS
- RDS
- DynamoDB
- EFS
- FSx
- EC2
- Storage Gateway
Features:
- Backup policies
- Cross-account backups
- Cross-Region backups
- Lifecycle management
- Encryption support
Exam Tip:
If question asks for centralized backup across multiple services → Answer is AWS Backup.
6. AWS Services for Replication
6.1 RDS Multi-AZ (High Availability)
- Synchronous replication
- Standby in another AZ
- Automatic failover
- Used for high availability, NOT read scaling
If question says:
- “Automatic failover”
- “High availability”
Answer is Multi-AZ.
6.2 RDS Read Replicas
- Asynchronous replication
- Used for read scaling
- Can be cross-Region
- Can promote to standalone DB
6.3 S3 Replication
- Same-Region Replication (SRR)
- Cross-Region Replication (CRR)
- Asynchronous
6.4 Amazon EFS Replication
- Automatic cross-Region replication
- Used for disaster recovery
6.5 AWS Elastic Disaster Recovery
- Continuous replication of servers
- Minimal downtime
- Supports on-premises to AWS
- Supports cross-Region recovery
Exam Scenario:
If company wants low RPO and low RTO for entire application → Use Elastic Disaster Recovery.
7. Disaster Recovery Concepts (Very Important)
You must understand:
RPO (Recovery Point Objective)
How much data loss is acceptable?
Example:
RPO = 5 minutes
Maximum 5 minutes data loss allowed.
RTO (Recovery Time Objective)
How fast system must recover?
Example:
RTO = 10 minutes
System must be restored within 10 minutes.
8. DR Strategies in AWS (Exam Favorite)
1. Backup and Restore
- Lowest cost
- Highest RTO
- Suitable for non-critical workloads
2. Pilot Light
- Core services running
- Scale up during disaster
3. Warm Standby
- Small but fully working environment
- Faster recovery
4. Multi-Site (Active-Active)
- Fully running in multiple Regions
- Lowest RTO
- Highest cost
Exam Tip:
If question says:
- “Lowest cost” → Backup & Restore
- “Minimal downtime” → Multi-site
9. Cross-Region vs Cross-AZ
Multi-AZ
- Protects from AZ failure
- Same Region
Cross-Region
- Protects from Region failure
- Used for disaster recovery
Important:
Compliance rules may require cross-Region backups.
10. Security Best Practices for Backups
For the exam, remember:
1. Encrypt Backups
Use KMS encryption.
2. Enable Versioning
Protects from deletion.
3. Use MFA Delete (S3)
Adds extra protection.
4. Cross-Account Backups
Protect against account compromise.
5. Restrict Access with IAM
Only authorized users can delete backups.
6. Test Restores
Backup without testing restore = risky design.
11. Common Exam Trap Scenarios
- “Database must be highly available”
→ Multi-AZ - “Database must scale read traffic”
→ Read Replica - “Data must be protected against accidental deletion”
→ Backup or Versioning - “Centralized backup across multiple services”
→ AWS Backup - “Lowest cost DR”
→ Backup and Restore - “Minimal data loss”
→ Synchronous replication
12. Cost Considerations
Backups cost:
- Storage
- Data transfer (cross-Region)
- Snapshot storage
Replication costs:
- Additional infrastructure
- Data transfer
- Compute resources
Exam Tip:
Always choose most cost-effective solution that meets requirements.
13. Final Exam Summary – What You Must Remember
You must clearly understand:
- Difference between backup and replication
- RPO and RTO
- Multi-AZ vs Read Replica
- Snapshot vs Automated Backup
- Versioning vs Replication
- Cross-Region vs Cross-AZ
- AWS Backup capabilities
- Disaster recovery strategies
- Encryption of backups
Final Advice for the Exam
When reading a scenario:
- Identify if it is about:
- High availability
- Disaster recovery
- Data protection
- Compliance
- Cost optimization
- Check:
- Required RPO
- Required RTO
- Budget constraints
- Then select:
- Backup
- Replication
- Multi-AZ
- Cross-Region
- Or combination
