AWS has announced a major enhancement to its cloud-native data protection capabilities: AWS Backup now supports Amazon Elastic Kubernetes Service (EKS). With this release, customers can protect their entire EKS environments—including cluster state and persistent application data—using a fully managed, centralized, and policy-driven backup service.
This new integration eliminates the need for home-grown scripts or third-party tools, providing an agent-free, native AWS solution for Kubernetes backups at scale.
Why This Matters
As organizations run more production workloads on Amazon EKS, secure, automated, and compliant backup strategies become critical. AWS Backup now provides:
- Centralized backup management across EKS and other AWS services
- Automated scheduling and retention policies
- Immutable backup vaults for ransomware resilience
- Cross-Region & cross-account backup copies
- Point-in-time recovery with the ability to restore entire clusters or specific resources
With this update, AWS Backup becomes a one-stop solution for protecting Kubernetes data across the entire AWS cloud.
What’s Included in an Amazon EKS Backup?
When AWS Backup captures an EKS cluster, it includes:
✔️ 1. Amazon EKS Cluster State
This captures configuration metadata, including:
- Cluster name and IAM roles
- VPC/network settings
- Logging and encryption configurations
- Add-ons, access entries, managed node groups
- Fargate profiles
- Kubernetes manifests for workloads
- Pod identity associations
✔️ 2. Persistent Storage
AWS Backup supports backup of persistent volumes hosted on:
- Amazon EBS (via CSI driver)
- Amazon EFS
- Amazon S3 (bucket-level snapshot only)
❌ Not Included:
- Container images in repositories (ECR/Docker Hub)
- Underlying infrastructure (VPC, subnets, NAT, nodes)
- Auto-generated Kubernetes objects (temporary pods, events, leases, jobs)
Prerequisites: What You Need Before Backing Up
EKS Cluster Authorization Mode
Set to:
API, or API_AND_CONFIG_MAP
This ensures AWS Backup can create Access Entries for cluster operations.
Permissions
Ensure the AWS Backup service role includes:
- AWSBackupServiceRolePolicyForBackup
- AWSBackupServiceRolePolicyForS3Backup (only if S3 bucket data is present)
Encryption
- EKS cluster state backups use the target vault’s AWS KMS key
- Persistent volumes follow existing encryption rules based on EBS/EFS/S3
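A preflight check for the authorization-mode and permissions prerequisites above, as an added example that is not AWS's own code. It assumes input shaped like the EKS DescribeCluster `cluster` object and the IAM ListAttachedRolePolicies `AttachedPolicies` list; the function name and the sample data are constructed for illustration.

```python
# Added example: preflight check for the EKS backup prerequisites.
# Input shapes follow the EKS DescribeCluster and IAM ListAttachedRolePolicies
# responses; check_eks_backup_prereqs is a hypothetical helper name.

ALLOWED_AUTH_MODES = {"API", "API_AND_CONFIG_MAP"}
BASE_POLICY = "AWSBackupServiceRolePolicyForBackup"
S3_POLICY = "AWSBackupServiceRolePolicyForS3Backup"


def check_eks_backup_prereqs(cluster, attached_policies, has_s3_data=False):
    """Return a list of findings; an empty list means the prerequisites are met."""
    findings = []

    # AWS Backup must be able to create access entries, which requires
    # the cluster to run in API or API_AND_CONFIG_MAP mode.
    mode = cluster.get("accessConfig", {}).get("authenticationMode")
    if mode not in ALLOWED_AUTH_MODES:
        findings.append(
            f"authentication mode is {mode or 'not reported'}; "
            "set API or API_AND_CONFIG_MAP"
        )

    # The S3 policy is only needed when S3 bucket data is part of the backup.
    names = {p["PolicyName"] for p in attached_policies}
    if BASE_POLICY not in names:
        findings.append(f"backup role is missing {BASE_POLICY}")
    if has_s3_data and S3_POLICY not in names:
        findings.append(f"backup role is missing {S3_POLICY}")
    return findings


# Constructed sample inputs (not taken from a real account).
SAMPLE_CLUSTER = {
    "name": "demo-cluster",
    "accessConfig": {"authenticationMode": "CONFIG_MAP"},
}
SAMPLE_POLICIES = [{"PolicyName": "AWSBackupServiceRolePolicyForBackup"}]

if __name__ == "__main__":
    for finding in check_eks_backup_prereqs(
        SAMPLE_CLUSTER, SAMPLE_POLICIES, has_s3_data=True
    ):
        print("NOT READY:", finding)
```

In a live account, the two inputs would come from `describe_cluster` and `list_attached_role_policies` for the role AWS Backup assumes.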
How to Create an On-Demand EKS Backup
- Open AWS Backup Console
- Go to Protected Resources
- Select Amazon EKS
- Choose your cluster
- Click Create on-demand backup
- Configure backup window, cold storage, and retention
- Confirm to start the backup job
Once completed successfully, the backup becomes available as a Composite Recovery Point.
Understanding EKS Recovery Points
Each backup generates:
1. Composite Recovery Point (Parent)
Represents the entire cluster backup
Status: Completed, Partial, or Failed
2. Child Recovery Points
- Cluster state
- Persistent volumes
Each has its own status and can be restored independently.
Meaning of Statuses
- Completed → full protection
- Partial → some components weren’t backed up
- Failed → backup unsuccessful; retry after fixing issues
Managing Recovery Points
You can:
- Copy composite or nested backups (same region, cross-region, or cross-account)
- Delete nested recovery points
- Disassociate child components from composite backups
- Transition persistent volume snapshots to cold storage
You cannot:
- Copy or delete the cluster state child recovery point
- Delete a composite backup without first handling nested resources
Limitations to Note
- Persistent volumes not backed by CSI drivers are currently unsupported
- S3 backups only work at the bucket level, not prefixes
- Amazon FSx via the CSI driver is not supported
- Subject to AWS Backup quotas
Frequently Asked Questions
Do EKS backups require agents or add-ons?
No. AWS Backup works agent-free.
Are EKS backups incremental?
- Cluster state → Full
- EBS/EFS/S3 → Incremental where supported
Can I index or search EKS backups?
Not for EKS cluster state, but you can index persistent volumes where supported.
Regional Availability
EKS backup support is available in all AWS Regions where both Amazon EKS and AWS Backup operate.
Conclusion
The integration of Amazon EKS with AWS Backup marks a significant milestone for teams running containerized applications on AWS. With centralized policies, cross-region backup copies, and agent-free operation, this feature streamlines Kubernetes data protection while strengthening security and compliance.







