AWS Backup

Name: AWS Backup API
Brand: AWS Backup
Availability: InStock

★ Only Publicly Available OpenAPI DocumentStorageBackup RecoveryapiKey72 EndpointsREST

For Agents

Schedule, run, and restore backups across AWS resources, manage backup vaults and retention policies, and surface compliance reports so an agent can keep customer data recoverable.

Quickstart

Get started with AWS Backup in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"create an AWS Backup plan"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with AWS Backup API.

Define backup plans with schedule expressions, retention windows, lifecycle to cold storage, and copy actions to other regions

Group resources into backup selections by ARN list or tag rules so the right resources are protected automatically

Create encrypted backup vaults and apply vault locks for write-once-read-many immutability against ransomware

Start an on-demand backup job, check job status, and stop a job mid-flight

GET STARTED

Start building with AWS Backup API

Explore with Jentic

View OpenAPI Document

Jentic publishes the only available OpenAPI document for AWS Backup, keeping it validated and agent-ready.

AWS Backup is a unified, policy-based backup service for AWS resources, including EBS volumes, EC2 instances, RDS and Aurora databases, DynamoDB tables, EFS, FSx, S3, and Storage Gateway. The API lets you define backup plans with schedules and retention rules, group resources via selections and tags, store recovery points in encrypted backup vaults with vault locks for immutability, restore on demand, and run audit frameworks with reports for compliance evidence. It also supports legal holds that block deletion of designated recovery points.

Use Cases

Patterns agents use AWS Backup API for, with concrete tasks.

★ Daily RDS Backup with 35-Day Retention

Protect production RDS databases with a daily backup plan and 35-day retention without writing custom Lambda jobs. Create a backup plan with a daily cron schedule and a lifecycle that moves recovery points to cold storage after 30 days, then create a backup selection that targets RDS instances tagged Backup=daily. AWS Backup runs the schedule, encrypts recovery points in the vault, and lets you restore to a new instance on demand. Initial setup takes about an hour.

Create a backup plan named rds-daily with a rule scheduled cron(0 2 * * ? *), DeleteAfterDays=35, and a backup selection IamRoleArn=arn:..., conditions targeting tag Backup=daily.

Ransomware-Resistant Vault Lock

Make backups truly immutable so a compromised IAM identity cannot delete or shorten retention on recovery points. Apply a vault lock to a backup vault with PutBackupVaultLockConfiguration and a minimum and maximum retention period; once the cooldown elapses the lock is permanent. Suitable for regulated industries and for recovery from ransomware attacks that target backups first.

Call PutBackupVaultLockConfiguration on vault prod-vault with MinRetentionDays=30, MaxRetentionDays=3650, and ChangeableForDays=3.

Disaster Recovery Restore

Recover a production resource from a recovery point during an incident, such as a corrupted EBS volume, a deleted DynamoDB table, or an unintentionally truncated EFS share. Use ListRecoveryPointsByBackupVault to find the right point, then StartRestoreJob with the resource-specific metadata to create a new resource. AWS Backup tracks the job status and the operator can attach the restored resource once the job completes.

Find the latest recovery point for resource arn:aws:ec2:...:volume/vol-0abc, then call StartRestoreJob with metadata including AvailabilityZone and encrypted=true to create a new EBS volume.

Agent-Driven Compliance Sweep

Let a compliance agent verify that every tagged production database, file system, and table has a recent successful backup, raising an alert otherwise. The agent calls AWS Backup through Jentic to list protected resources, fetch their last successful backup time, and compare against policy thresholds. AWS credentials never leave the Jentic vault, and the same agent logic runs unmodified across customer accounts.

Search Jentic for 'list protected resources in AWS Backup', execute it filtered by tag Environment=production, and for each resource fetch the latest recovery point with ListRecoveryPointsByResource, raising an alert if no recovery point is younger than 24 hours.

Key Endpoints

72 endpoints — aws backup is a unified, policy-based backup service for aws resources, including ebs volumes, ec2 instances, rds and aurora databases, dynamodb tables, efs, fsx, s3, and storage gateway.

METHOD

PATH

DESCRIPTION

PUT

/backup/plans/

Create a backup plan

GET

/backup/plans/

List backup plans

PUT

/backup/plans/{backupPlanId}/selections/

Create a backup selection

PUT

/backup-vaults/{backupVaultName}

Create a backup vault

GET

/backup-vaults/{backupVaultName}

Describe a backup vault

POST

/legal-holds/

Create a legal hold

POST

/audit/frameworks

Create an audit framework

GET

/audit/frameworks

List audit frameworks

PUT

/backup/plans/

Create a backup plan

GET

/backup/plans/

List backup plans

PUT

/backup/plans/{backupPlanId}/selections/

Create a backup selection

PUT

/backup-vaults/{backupVaultName}

Create a backup vault

GET

/backup-vaults/{backupVaultName}

Describe a backup vault

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

AWS access key ID and secret access key for AWS Backup are stored encrypted in the Jentic vault. Agents receive scoped, short-lived signing credentials and the raw IAM secrets never enter the agent context. Jentic computes the AWS Signature Version 4 signature server-side for every request.

Intent-based discovery

Agents search Jentic by intent (for example, 'create a backup plan') and Jentic returns matching AWS Backup operations with their input schemas, the correct AWS service endpoint, and the required IAM action, so the agent can invoke the right call without crawling the AWS docs.

Time to first call

Direct AWS Backup integration: 1-3 days for AWS SDK setup, IAM role configuration, Sigv4 signing, and error handling. Through Jentic: under 1 hour, search, load schema, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

AWS Support API

Open and track support cases when a backup job fails or a restore needs hands-on AWS engineering help.

Use AWS Support when the agent needs to escalate a stuck restore or AWS-side issue; use AWS Backup for the protection state itself.

Alternative

Amazon EC2 (EBS Snapshots)

Direct EBS snapshot APIs for ad-hoc point-in-time copies without the policy framework.

Choose EBS snapshots for one-off forensic copies; choose AWS Backup for centrally managed, scheduled, multi-resource protection.

Complementary

AWS CloudTrail

Audit trail of every backup plan, vault, and recovery point change for compliance review.

Use CloudTrail when the agent needs to investigate who modified a backup policy; use AWS Backup for the live protection state.

FAQs

Specific to using AWS Backup API through Jentic.

What authentication does the AWS Backup API use?

All requests are signed with AWS Signature Version 4 using an AWS access key ID and secret access key. Through Jentic, the keys live encrypted in the vault and Jentic computes the signature server-side; the agent only holds a scoped Jentic credential.

Which AWS services can AWS Backup protect?

AWS Backup supports EBS volumes, EC2 instances, RDS and Aurora databases, DynamoDB tables, EFS file systems, FSx file systems, Amazon S3 buckets, AWS Storage Gateway, Amazon Neptune, Amazon DocumentDB, Amazon Redshift, and Amazon Timestream, among others, all from a single backup plan.

Can I make backups immutable to defend against ransomware?

Yes. Apply a vault lock to a backup vault with PutBackupVaultLockConfiguration and a minimum retention. Once the cooldown elapses (governance lock) or immediately (compliance lock), even root cannot delete or shorten retention until the recovery point reaches its expiry.

How do I restore a resource from a backup through Jentic?

Search Jentic for 'restore from an AWS Backup recovery point', load the StartRestoreJob schema, and execute it with the recovery point ARN, the IAM role, and the service-specific metadata. The operation maps to POST /restore-jobs and Jentic returns the job ID so the agent can poll DescribeRestoreJob until completion.

What are the rate limits for the AWS Backup API?

AWS Backup applies standard AWS throttling and returns ThrottlingException when exceeded. Heavy job listings should be paginated with NextToken; high-volume restore creation should be batched and retried with exponential backoff.

How is AWS Backup priced?

You pay for storage of recovery points (with separate warm and cold pricing), restore charges per service, and any cross-region copy data transfer. The backup plan, vault, and policy infrastructure itself has no separate charge.